Windows 10 STIG Checklist (v3, r7)

Hard 18 items · 4 hours
testuser Published 4 weeks ago

This checklist helps administrators and security-conscious users implement the DISA Windows 10 STIG baseline (Version 3, Release 7). It walks through downloading official resources, applying GPO/Intune baselines, hardening key settings, and running a compliance scan to verify posture.

Source: https://ncp.nist.gov/checklist/629

  1. Download STIG resources (SCAP, XCCDF, GPOs, Intune) — Get official DISA SCAP, XCCDF, GPO and Intune policy files and SHA checksums.
  2. Verify system edition and OS build — Confirm Windows 10 Enterprise or compatible build before applying Enterprise-only controls.
  3. Inventory existing Group Policy Objects and settings — Document current GPOs and deviations to plan rollbacks or merges.
  4. Backup current system state and GPOs — Create system restore points and export GPOs before changes.
  5. Apply baseline GPOs from the DISA package — Import and link the provided GPOs to target OUs per guidance.
  6. Import Intune policies for managed devices — Deploy Intune configurations provided in the STIG package for enrolled devices.
  7. Check TPM and Secure Boot support — Verify TPM presence and UEFI Secure Boot for BitLocker readiness.
  8. Enable BitLocker on system drives — Turn on BitLocker with TPM and recovery key backup to AD or M365.
  9. Enable Windows Firewall and verify outbound rules — Ensure the firewall is active on all profiles and that restrictive outbound rules are configured.
  10. Configure Windows Defender and antivirus settings — Enable real-time protection, cloud-delivered protection, and periodic scanning per STIG.
  11. Configure account lockout and password policies — Set lockout thresholds, durations, and password complexity per guidance.
  12. Disable unnecessary services and legacy features — Remove or disable legacy protocols and unused services to reduce attack surface.
  13. Disable SMBv1 — Turn off SMBv1 protocol on all systems.
  14. Disable LLMNR — Disable Link-Local Multicast Name Resolution to prevent name spoofing.
  15. Uninstall Telnet and legacy remote tools — Remove telnet, outdated components and unused remote services.
  16. Configure Windows Update and automatic patching — Set update cadence, automatic install, and maintenance windows.
  17. Enable auditing and centralize log collection — Turn on recommended audit policies and forward logs to SIEM or collector.
  18. Run SCAP/compliance scan and remediate findings — Scan with DISA SCAP/XCCDF and address noncompliant items per STIG fixes.
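A read-only audit of several of the items above (7, 8, 9, 10, 13, 14 and 15), as an added PowerShell example that is not part of this checklist or of the DISA package. It assumes the built-in Windows 10 modules (TrustedPlatformModule, SecureBoot, BitLocker, NetSecurity, Defender, DISM) and the standard Group Policy registry location for the LLMNR setting; run it in an elevated PowerShell before the full SCAP scan in item 18.

```powershell
# Added example, not from the checklist or DISA: read-only pre-check of a few
# STIG items. Nothing is changed; each check returns $true when compliant.
# Assumes built-in Windows 10 modules and the policy registry path for LLMNR.

function Test-CheckItem {
    param([string]$Name, [scriptblock]$Check)
    try   { $ok = & $Check }
    catch { $ok = $false; Write-Warning "$Name: $($_.Exception.Message)" }
    [pscustomobject]@{ Item = $Name; Compliant = [bool]$ok }
}

$results = @(
    # Item 7: TPM present and ready, UEFI Secure Boot on (throws on legacy BIOS)
    Test-CheckItem 'TPM present and ready' { $t = Get-Tpm; $t.TpmPresent -and $t.TpmReady }
    Test-CheckItem 'Secure Boot enabled'   { Confirm-SecureBootUEFI }
    # Item 8: OS volume protected by BitLocker
    Test-CheckItem 'BitLocker on OS drive' {
        (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On' }
    # Item 9: firewall enabled on Domain, Private and Public profiles
    Test-CheckItem 'Firewall on (all profiles)' {
        @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0 }
    # Item 10: Defender real-time protection active
    Test-CheckItem 'Defender real-time protection' {
        (Get-MpComputerStatus).RealTimeProtectionEnabled }
    # Item 13: SMBv1 optional feature not enabled
    Test-CheckItem 'SMBv1 disabled' {
        (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -ne 'Enabled' }
    # Item 14: LLMNR disabled by policy (EnableMulticastNameResolution = 0)
    Test-CheckItem 'LLMNR disabled' {
        $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
        (Get-ItemProperty -Path $p -Name EnableMulticastNameResolution -ErrorAction Stop).EnableMulticastNameResolution -eq 0 }
    # Item 15: Telnet client not installed
    Test-CheckItem 'Telnet client absent' {
        (Get-WindowsOptionalFeature -Online -FeatureName TelnetClient).State -ne 'Enabled' }
)

$results | Format-Table -AutoSize
# Exit 1 if anything is noncompliant, so the script can gate a build or deployment job
exit ([int](@($results | Where-Object { -not $_.Compliant }).Count -gt 0))
```

A missing LLMNR policy value is reported as noncompliant, because without the policy Windows keeps multicast name resolution enabled.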