TickYouOff

Windows Server 2019 STIG Implementation

Hard 19 items · 3 hours
testuser Published 3 weeks ago

This checklist guides IT administrators and security teams through downloading, testing, and deploying the Microsoft Windows Server 2019 STIG baseline. It covers preparing target systems, obtaining SCAP/XCCDF/GPO/SCC resources, validating with scans, remediating findings, and maintaining updates.

Source: https://ncp.nist.gov/checklist/914

  1. Review STIG overview and scope — Read the STIG intro to confirm applicability to servers and domain roles.
  2. Identify target systems (domain controllers and member servers) — List hostnames, roles, and environment (test/prod) for the rollout.
  3. Download STIG content — Gather official STIG resources before testing and deployment.
  4. Download SCAP 1.3 content — Get Microsoft Windows Server 2019 STIG SCAP Benchmark (Ver 3, Rel 7).
  5. Download Standalone XCCDF content — Obtain XCCDF packages (STIG and Chef versions) for policy checks.
  6. Download Group Policy Objects (GPOs) — Download the latest GPO files (referenced GPOs include updates through 2026).
  7. Download the SCAP Compliance Checker (SCC) and its benchmark content — Retrieve DISA's SCC tool and the matching Windows Server 2019 benchmark so scans can be run automatically.
  8. Verify SHA-256 hashes and file integrity for all downloads — Compare each file's hash with the value DISA publishes before extracting or importing it; discard anything that does not match.
  9. Import GPOs into Active Directory — Import the GPO backups into a test domain, or into production AD linked only to an isolated test OU, so no production server picks them up during evaluation.
  10. Apply STIG baseline to a test server — Apply GPOs and configuration changes only in a controlled test VM first.
  11. Run a SCAP/SCC scan against the test server — Perform the automated benchmark checks to identify non-compliant settings, grouped by severity (CAT I/II/III); the STIG benchmark checks configuration, not missing patches, so pair it with your normal patch scanning.
  12. Review scan findings and document exceptions — Record false positives, compensating controls, and required exceptions.
  13. Remediate high-priority findings on the test server — Fix CAT I findings first, then other high-severity misconfigurations found in testing, and re-scan to confirm each fix.
  14. Create change request and schedule phased production deployment — Document planned changes, rollback steps, and maintenance windows.
  15. Deploy the STIG baseline to production in phases — Roll out to small groups, monitor, and expand after validation.
  16. Verify compliance on production servers and record results — Rescan production systems and store reports for audit evidence.
  17. Subscribe to DISA updates and track change history — Monitor STIG, GPO, SCC, and SHA updates from DISA and NIST records.
  18. Maintain STIG implementation log and contact DISA for issues — Keep an audit trail of changes and use the DISA contact in the STIG doc for comments.
  19. Schedule quarterly STIG review and re-scan — Plan periodic reviews and scans to detect drift and new findings.
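Steps 8 and 9 above are the ones most often done by hand and most often done wrong (importing an unverified package, or linking a STIG GPO where production servers can see it). The following PowerShell script is an added example, not part of the NIST checklist or of DISA's GPO package: it checks the downloaded zip against a published SHA-256, refuses to continue on a mismatch, imports only the matching GPO backups and links them to a single test OU. The package path, the expected hash, the OU distinguished name and the GPO name filter are placeholders for your own values, and the manifest parsing assumes the standard GPMC backup layout (a manifest.xml beside one {GUID} folder per GPO).

```powershell
#Requires -Modules GroupPolicy
<#
  Added example, not from the NIST checklist or DISA: verify a downloaded STIG
  GPO package against its published SHA-256, then import the GPO backups it
  contains and link them only to an isolated test OU (steps 8 and 9 above).
  Every path, the expected hash, the OU distinguished name and the name filter
  are placeholders to replace with your own values.
#>
param(
    # Assumption: the DISA GPO zip you downloaded and the SHA-256 from DISA's download page.
    [string]$Package     = 'C:\STIG\U_STIG_GPO_Package.zip',
    [string]$ExpectedSha = 'PASTE-PUBLISHED-SHA256-HERE',
    [string]$ExtractTo   = 'C:\STIG\gpo',
    # Assumption: an OU that holds only the test server(s), never production.
    [string]$TestOu      = 'OU=STIG-Test,OU=Servers,DC=corp,DC=example',
    # Assumption: the display names of the Server 2019 GPOs contain this string.
    [string]$NameFilter  = '*Windows Server 2019*'
)
$ErrorActionPreference = 'Stop'

# Step 8: refuse to unpack anything whose hash differs from the published value.
$actual = (Get-FileHash -Path $Package -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha.Trim().ToUpperInvariant()) {
    throw "SHA-256 mismatch for $Package (expected $ExpectedSha, got $actual)"
}
Write-Host "Hash verified: $actual"

# Unpack into an empty directory so nothing from an earlier release is picked up.
if (Test-Path $ExtractTo) { Remove-Item $ExtractTo -Recurse -Force }
Expand-Archive -Path $Package -DestinationPath $ExtractTo

# Step 9: each GPO backup is a {GUID} folder beside a manifest.xml that records
# the backup ID and display name (standard GPMC backup layout, assumed here).
# Import only the GPOs whose name matches the filter, creating them if needed.
$imported = @()
foreach ($manifest in Get-ChildItem -Path $ExtractTo -Recurse -Filter manifest.xml) {
    [xml]$xml = Get-Content -Path $manifest.FullName -Raw
    foreach ($backup in $xml.Backups.BackupInst) {
        $name     = $backup.GPODisplayName.'#cdata-section'
        $backupId = $backup.ID.'#cdata-section'
        if ($name -notlike $NameFilter) { continue }

        Import-GPO -Path $manifest.DirectoryName -BackupId $backupId `
                   -TargetName $name -CreateIfNeeded | Out-Null

        # Link to the test OU only; skip if the link already exists so re-runs are safe.
        $links = (Get-GPInheritance -Target $TestOu).GpoLinks
        if (-not ($links | Where-Object DisplayName -eq $name)) {
            New-GPLink -Name $name -Target $TestOu -LinkEnabled Yes | Out-Null
        }
        $imported += $name
    }
}

if (-not $imported) { throw "No GPO in $Package matched '$NameFilter'; check the filter." }

# Keep an HTML settings report per GPO as evidence for the implementation log (step 18).
$reportDir = Join-Path $ExtractTo 'reports'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
foreach ($name in $imported) {
    $file = Join-Path $reportDir (($name -replace '[\\/:*?"<>|]', '_') + '.html')
    Get-GPOReport -Name $name -ReportType Html -Path $file
}
Write-Host ("Imported and linked {0} GPO(s) to {1}:`n  {2}" -f $imported.Count, $TestOu, ($imported -join "`n  "))
```

Run it from an elevated PowerShell session on a domain-joined admin host with the RSAT Group Policy tools installed. DISA's package contains separate GPOs for member servers and domain controllers, so tighten the name filter to the role of the test VM rather than linking both. After the script finishes, run `gpupdate /force` on the test server and then the SCC scan from step 11; the HTML reports are what you compare against later re-scans when looking for drift (step 19).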