
Windows Server 2025 STIG

Hard 22 items · 1 week
testuser Published 4 weeks ago

This checklist converts the DISA Windows Server 2025 STIG guidance into a practical implementation checklist for administrators and security teams. It’s aimed at IT staff in government and enterprise environments who need to harden servers, apply STIG baselines, and maintain compliance.

Source: https://ncp.nist.gov/checklist/1324

  1. Download official Windows Server 2025 STIG from DoD Cyber Exchange — Grab XCCDF and STIG docs from cyber.mil or public.cyber.mil for non-CAC users.
  2. Inventory servers and classify as Domain Controller or Member Server — Record hostname, role, OS build, IP, and physical or virtual location.
  3. Backup system state and critical data before applying changes — Use verified backups and test restore points before remediation.
  4. Apply latest Windows Updates and security patches — Install cumulative updates and security patches, then reboot if required.
  5. Enable and configure Windows Firewall with least-privilege rules — Create explicit inbound rules scoped to services and source IPs.
  6. Set account policies: enforce password complexity and lockouts — Configure GPO password length, complexity, rotation, and lockout thresholds.
  7. Enable multi-factor authentication for privileged accounts — Require MFA for admin and remote access to reduce credential risk.
  8. Disable or remove unnecessary services and legacy protocols — Remove Telnet, SMBv1, and unused server roles and features.
  9. Secure Remote Desktop access: enforce NLA and restrict access — Disable RDP where not required; use jump hosts and firewall rules.
  10. Configure Audit Policy and enable advanced auditing — Log account changes, logon events, policy modifications, and retention.
  11. Apply baseline Group Policy settings per the STIG — Import STIG GPO templates and link them to appropriate OUs.
  12. Harden Domain Controllers
  13. Restrict domain controller administrative accounts and use dedicated workstations — Limit admin logins to jump/bastion systems and approve exceptions.
  14. Enable secure replication and protect recovery modes — Harden AD replication channels and secure Directory Services Restore Mode.
  15. Deploy Local Administrator Password Solution (LAPS) on DCs — Rotate local admin passwords and store them securely in AD.
  16. Enable BitLocker and Secure Boot on physical and supported virtual hosts — Protect OS volumes with TPM-backed BitLocker where feasible.
  17. Configure Endpoint Protection and enable tamper protection — Ensure antivirus/EDR is installed, updated, and tamper-protected.
  18. Disable legacy authentication protocols (SMBv1, NTLMv1) — Block or remove deprecated protocols across the estate.
  19. Run STIG compliance scan (XCCDF/SCAP) and generate remediation report — Use DISA STIG tools or SCAP Workbench to list and prioritize findings.
  20. Perform vulnerability scans and document exceptions — Scan with approved tools, log findings, and record approved exceptions.
  21. Document all changes, maintain a change log and contact information — Record who made changes, when, and why for auditability.
  22. Implement continuous monitoring and integrate logs into SIEM — Forward events, set alerting rules, and review dashboards regularly.
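The following read-only spot check is an added example (not part of this checklist, the DISA STIG, or its official tooling) that reports on a handful of the items above on the local server; the registry paths, the expected LmCompatibilityLevel of 5, and the chosen audit subcategories are assumptions made for the example, and it is meant to complement, not replace, the XCCDF/SCAP scan in item 19.

```powershell
# Added example: quick local spot check of several checklist items.
# Run from an elevated PowerShell prompt; it only reads settings and prints findings.
$findings = [System.Collections.Generic.List[string]]::new()

# Items 8 and 18: SMBv1 must be disabled on the server service.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) { $findings.Add('SMBv1 server protocol is enabled') }

# Item 18: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM (assumed target).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if (($lsa.LmCompatibilityLevel -as [int]) -lt 5) { $findings.Add('LmCompatibilityLevel is not set to 5') }

# Item 9: if RDP is enabled, Network Level Authentication must be required.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($ts.fDenyTSConnections -eq 0 -and $rdp.UserAuthentication -ne 1) { $findings.Add('RDP is enabled without NLA') }

# Item 5: every firewall profile enabled with the inbound default set to Block.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall profile $($_.Name): Enabled=$($_.Enabled) DefaultInboundAction=$($_.DefaultInboundAction)")
    }
}

# Item 16: OS volume protected by BitLocker (needs the BitLocker feature and module).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $os -or $os.ProtectionStatus -ne 'On') { $findings.Add("BitLocker protection is not On for $env:SystemDrive") }

# Item 17: Defender tamper protection (skipped when the Defender cmdlets are absent).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.IsTamperProtected) { $findings.Add('Defender tamper protection is off') }

# Item 10: a few advanced audit subcategories that must not be left at "No Auditing".
foreach ($sub in 'Logon', 'Account Lockout', 'Audit Policy Change', 'Security Group Management') {
    $out = auditpol /get /subcategory:"$sub"
    if ($out -match 'No Auditing') { $findings.Add("Audit subcategory '$sub' is not audited") }
}

if ($findings.Count -eq 0) { 'No findings for the checked items.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each FINDING line maps back to a checklist item number in the comments, so the output can be pasted straight into the change log and exception record called for in items 20 and 21.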