STIG Compliant Domain Prep
Import all the GPOs provided by SimeonOnSecurity to assist in making your domain compliant with all applicable STIGs and SRGs.
Note: This script should work for most, if not all, systems without issue. While @SimeonOnSecurity creates, reviews, and tests each repo intensively, we cannot test every possible configuration, nor does @SimeonOnSecurity take any responsibility for breaking your system. If something goes wrong, be prepared to submit an issue. Do not run this script if you don't understand what it does.
Notes:
This script is designed for use in Enterprise environments
Ansible:
We now offer a playbook collection for this script. Please see the following:
Additional configurations were considered from:
- CERT - IE Scripting Engine Memory Corruption
- Dirteam - SSL Hardening
- Microsoft - Managing Windows 10 Telemetry and Callbacks
- Microsoft - Spectre and Meltdown Mitigations
- Microsoft - Windows 10 Privacy
- Microsoft - Windows 10 VDI Recommendations
- Microsoft - Windows Defender Application Control
- NSACyber - Application Whitelisting Using Microsoft AppLocker
- NSACyber - Hardware-and-Firmware-Security-Guidance
- Whonix - Disable TCP Timestamps
STIGS/SRGs Applied:
- Adobe Acrobat Pro DC Continuous V2R1
- Adobe Acrobat Reader DC Continuous V2R1
- Firefox V5R2 - Requires Separate Script
- Google Chrome V2R4
- Internet Explorer 11 V1R19
- Microsoft Edge V1R2
- Microsoft .Net Framework 4 V1R9 - Requires Separate Script
- Microsoft Office 2013 V2R1
- Microsoft Office 2016 V2R1
- Microsoft Office 2019/Office 365 Pro Plus V2R3
- Microsoft OneDrive STIG V2R1
- Oracle JRE 8 V1R5 - Requires Separate Script
- Windows 10 V2R2
- Windows Defender Antivirus V2R2 - Requires Separate Script
- Windows Firewall V1R7
- Windows Server 2012(R2) V3R2
- Windows Server 2016 V2R2
- Windows Server 2019 V2R2
- VMWare Horizon Agent V1R1
- VMWare Horizon Client V1R1
How to run the script:
The script may be launched from the extracted GitHub download like this:
.\sos-stig-compliant-domain-prep.ps1
The script must be launched from the directory that contains all the other files from the GitHub repository, since it imports the GPO backups shipped alongside it.
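For readers who want to see what "importing all the GPOs" amounts to in PowerShell, here is an added example (not the project's own sos-stig-compliant-domain-prep.ps1 script) that imports every GPO backup found under a folder into the current domain. It assumes the GroupPolicy RSAT module is installed, that you hold rights to create and modify GPOs, that the backups use the standard GPMC layout (a {GUID} folder per backup holding bkupInfo.xml with a GPODisplayName element), and the $BackupRoot and -WhatIf parameters are my own choices.

```powershell
# Added example, not the project's script: import every GPMC-style GPO backup under
# $BackupRoot into the current domain. Assumptions (mine, not the project's):
#   - GroupPolicy RSAT module is available and you may create/modify GPOs
#   - each backup is a "{GUID}" folder containing bkupInfo.xml with <GPODisplayName>
param(
    [Parameter(Mandatory = $true)][string]$BackupRoot,  # e.g. the extracted repo's GPO folder
    [switch]$WhatIf                                     # only list what would be imported
)

Import-Module GroupPolicy -ErrorAction Stop

function Get-GpoBackupInfo {
    param([string]$Root)
    # Each backup lives in a folder named after its backup ID (a braced GUID).
    Get-ChildItem -Path $Root -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $info = Join-Path $_.FullName 'bkupInfo.xml'
            if (-not (Test-Path $info)) { return }
            [xml]$xml = Get-Content -Path $info -Raw
            # bkupInfo.xml carries a default namespace, so match on tag name rather than XPath.
            $name = $xml.GetElementsByTagName('GPODisplayName') |
                        Select-Object -First 1 -ExpandProperty InnerText
            if (-not $name) { return }
            [pscustomobject]@{
                BackupId    = $_.Name.Trim('{', '}')
                DisplayName = $name
            }
        }
}

$backups = @(Get-GpoBackupInfo -Root $BackupRoot)
if ($backups.Count -eq 0) { throw "No GPO backups found under $BackupRoot" }

foreach ($b in $backups) {
    if ($WhatIf) {
        Write-Host ("Would import '{0}' (backup {1})" -f $b.DisplayName, $b.BackupId)
        continue
    }
    # -CreateIfNeeded creates the target GPO when none of that name exists; when one
    # does exist, its settings are replaced by the backup's settings.
    Import-GPO -BackupId $b.BackupId -Path $BackupRoot `
               -TargetName $b.DisplayName -CreateIfNeeded | Out-Null
    Write-Host ("Imported '{0}'" -f $b.DisplayName)
}
# Imported GPOs are not linked to any OU; review them first and link deliberately (New-GPLink).
```

Run it once with -WhatIf to see which GPOs would be created or overwritten before committing any change to the domain.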