This checklist helps IT teams and system administrators implement the Microsoft Windows 11 STIG (Ver 2, Rel 7) published by DISA. It guides you from downloading official resources through scanning, applying policies (GPO/Intune), hardening controls, testing, and documentation.
- Download official STIG resources — Obtain the SCAP content, XCCDF benchmarks, GPO and Intune packages, and the SCC scanner content from DISA's public STIG site, and verify you have the release matching the version above.
- Download SCAP 1.3 content — Use for automated scanning and benchmark checks.
- Download XCCDF standalone benchmarks — Get XCCDF files for your compliance tooling.
- Download Intune policies and GPO packages — Obtain the provided Intune templates and GPO exports for deployment.
- Review STIG requirements and change history — Read version notes, applicability, and control rationale.
- Identify target systems and environment — Document OS editions, domain status, and managed endpoints.
- Run a SCAP or compliance scan against targets — Use SCAP/XCCDF or your compliance tool to generate findings.
- Review scan results and prioritize findings — Rank fixes by STIG severity (CAT I first, then CAT II and CAT III) and by operational impact.
- Apply Group Policy Objects (GPOs) to domain-joined systems — Import provided GPOs and link to appropriate OUs.
- Test GPOs in a staging OU — Validate settings on a pilot group before broad rollout.
- Document GPO changes and rollback plan — Record settings, timestamps, and remediation steps.
- Deploy Intune policies to managed endpoints — Apply Intune templates for non-domain or cloud-managed devices.
- Enable and configure Windows Defender Antivirus — Verify definitions, real-time protection, and exclusions.
- Ensure BitLocker disk encryption is enabled — Confirm encryption status and recovery key escrow.
- Configure Windows Firewall and network profiles — Enable the domain, private, and public profiles, set an explicit default inbound block, and define the inbound/outbound rules your applications need.
- Enforce least-privilege and remove unnecessary local admin rights — Limit admin accounts and use controlled elevation.
- Apply system patches and security updates — Install cumulative updates, drivers, and firmware fixes.
- Enable auditing and forward logs to SIEM — Configure event logging and central collection for monitoring.
- Test user workflows and critical applications — Confirm business apps function after hardening changes.
- Document changes, approvals, and exception waivers — Record each deviation with its justification, risk acceptance, and compensating control; where a waiver is required, submit it through your change process and to the DISA contact published with the STIG release.
- Schedule periodic re-scans and STIG reviews — Plan updates aligned to DISA release and resource updates.
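The hardening steps above (Defender, BitLocker, firewall, local admin rights, patching, auditing and log forwarding) lend themselves to a quick spot check on a pilot machine before and after the GPO or Intune rollout. The script below is an added example written for this page; it is not DISA content, not one of the STIG's own checks, and not a substitute for the SCAP/SCC scan. It uses only built-in Windows PowerShell cmdlets (`Get-MpComputerStatus`, `Get-BitLockerVolume`, `Get-NetFirewallProfile`, `Get-LocalGroupMember`, `Get-HotFix`, `auditpol`). The thresholds (3-day signature age, 45-day patch age), the expected administrator list, and the two audit subcategories checked are assumptions chosen for illustration; the STIG itself defines the full audit policy and the values your environment must meet.

```powershell
# Added example: post-hardening spot check for a Windows 11 pilot system.
# Not DISA content and not a replacement for a SCAP scan. Save as a .ps1 and
# run from an elevated PowerShell session. Thresholds, the expected admin list
# and the audit sample below are assumptions; adjust them to your baseline.

#Requires -RunAsAdministrator

$results = [System.Collections.Generic.List[object]]::new()

function Add-Result {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Defender: real-time protection on, signatures fresh, no unreviewed path exclusions
$mp = Get-MpComputerStatus
Add-Result 'Defender real-time protection enabled' $mp.RealTimeProtectionEnabled "AMServiceEnabled=$($mp.AMServiceEnabled)"
$sigAgeDays = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
Add-Result 'Defender signatures under 3 days old (assumed threshold)' ($sigAgeDays -lt 3) "Last updated $($mp.AntivirusSignatureLastUpdated)"
$exclusions = (Get-MpPreference).ExclusionPath
Add-Result 'Defender has no path exclusions (review any listed)' (-not $exclusions) ('Exclusions: ' + ($exclusions -join '; '))

# 2. BitLocker: OS volume fully encrypted with protection on, and a recovery
#    password protector present (the object that gets escrowed to AD DS / Entra ID)
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectorTypes = @($osVol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
Add-Result 'BitLocker OS volume fully encrypted and protected' ($osVol.VolumeStatus -eq 'FullyEncrypted' -and $osVol.ProtectionStatus -eq 'On') "Status=$($osVol.VolumeStatus) Protection=$($osVol.ProtectionStatus)"
Add-Result 'BitLocker recovery password protector present' ($protectorTypes -contains 'RecoveryPassword') ('Protectors: ' + ($protectorTypes -join ', '))

# 3. Firewall: every profile enabled with an explicit default inbound block
foreach ($profile in Get-NetFirewallProfile) {
    Add-Result "Firewall profile '$($profile.Name)' enabled with inbound Block" (("$($profile.Enabled)" -eq 'True') -and ("$($profile.DefaultInboundAction)" -eq 'Block')) "Enabled=$($profile.Enabled) Inbound=$($profile.DefaultInboundAction)"
}

# 4. Least privilege: local Administrators should contain only the accounts in your baseline
$expectedAdmins = @("$env:COMPUTERNAME\Administrator")   # assumption: replace with your approved list
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
$unexpected = @($admins | Where-Object { $_ -notin $expectedAdmins })
Add-Result 'Only expected members in local Administrators' ($unexpected.Count -eq 0) ('Members: ' + ($admins -join ', '))

# 5. Patching: most recent update installed within 45 days (assumed threshold)
$latestFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$fixAgeDays = if ($latestFix) { ((Get-Date) - $latestFix.InstalledOn).TotalDays } else { [double]::MaxValue }
Add-Result 'Update installed within 45 days (assumed threshold)' ($fixAgeDays -lt 45) "Latest: $($latestFix.HotFixID) on $($latestFix.InstalledOn)"

# 6. Auditing: sample of subcategories (the STIG defines the full set) and
#    Windows Event Forwarding subscription manager configured by policy
$auditRows = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
$requiredAudit = @{ 'Logon' = 'Success and Failure'; 'Security Group Management' = 'Success' }  # sample only
foreach ($sub in $requiredAudit.Keys) {
    $current = ($auditRows | Where-Object Subcategory -eq $sub).'Inclusion Setting'
    # 'Success and Failure' satisfies a requirement for 'Success' alone
    $ok = ($current -eq $requiredAudit[$sub]) -or ($current -eq 'Success and Failure')
    Add-Result "Audit '$sub' includes $($requiredAudit[$sub])" $ok "Current: $current"
}
$wefKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$wef = Get-ItemProperty -Path $wefKey -ErrorAction SilentlyContinue
$wefTargets = if ($wef) { @($wef.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value) } else { @() }
Add-Result 'Event forwarding subscription manager configured' ($wefTargets.Count -gt 0) ('Targets: ' + ($wefTargets -join '; '))

# Report, and exit non-zero so the script can gate a pilot before broad rollout
$results | Format-Table -AutoSize
$failedCount = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failedCount check(s) failed"
exit $failedCount
```

Run it once on a pilot machine before linking the STIG GPOs (or assigning the Intune profiles) to record the baseline, and again after `gpupdate /force` and a reboot; any check that still fails points at a setting the policy did not reach, which is exactly what the staging-OU step is meant to surface. Treat a passing run as a smoke test only: the authoritative result is the SCAP/SCC scan against the full benchmark.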