Erick Cisneros
Compliance / Automation

STIG Remediation Automation

A collection of PowerShell scripts that automate Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) compliance across enterprise Windows domains.

PowerShell
DISA STIG
Windows Server
Compliance

Mission Objective

Manual application of DoD-mandated security configurations is error-prone and time-consuming. These scripts automate the implementation of hundreds of baseline security requirements, providing rapid, consistent, and repeatable hardening across large enterprise Windows environments.

Each individual script module is strictly mapped to specific STIG IDs and enacts the required security controls through registry modifications, group policy enforcement, and core system configuration changes.

100+ Scripts
Registry Tweaks
CAT I, II, III
Server Hardened

Key Engineering Features

Automated Implementation

  • Individual scripts cleanly mapped to singular STIG IDs
  • Deep Registry and local policy enforcement logic
  • Clear, readable remediation actions with comment trails
  • Verbose error handling and outcome logging

Targeted Security Controls

  • Privileged account policies and strict restrictions
  • Advanced audit policy configuration for SOC visibility
  • Attack surface reduction through service hardening
  • Network security parameter tuning (SMB/RPC)

Enterprise Ready

  • Architected for highly repeatable pipeline use
  • Supports parallelized bulk deployment scenarios
  • Plug-and-play compatible with SCCM / Intune deployments
  • Requires minimal manual administrative intervention

Compliance Coverage

  • Coverage for Windows Server 2019 / 2022 Core STIGs
  • Coverage for Desktop Windows 10 / 11 STIGs
  • Formally mapped to specific CCI and SRG controls
  • Addresses CAT I (Critical), CAT II (High), and CAT III (Med) findings

Domain Categories Remediated

Account Policies

Password complexity requirements, lockout thresholds, and idle session timeouts.

Audit Policies

Granular audit logging for logon events, object access, and privilege use.

Security Options

UAC enforcement settings, Admin approval modes, and explicit network access limitations.

User Rights

Logon rights assignments, privileged user rights assignments, and explicit deny policies.

Windows Features

Removal of SMBv1, enforced PowerShell script block logging, and WinRM encryption requirements.

Registry Hardening

Disabling Autorun on all drive types, disabling LM hash storage, and blocking null sessions.

Execution & Usage

The framework is designed for flexible invocation. Administrators can target an individual finding by running the corresponding script, or remediate an entire baseline by looping over a directory of scripts.

Production Warning

Always deploy STIG remediations through iterative test rings in a staging network before applying them at scale in production. These configurations substantially change default authentication and access behaviour.

PowerShell 7.0+
# Run a specific STIG remediation
.\V-12345-Password-Complexity.ps1

# Execute with explicit verbose tracking
.\V-12345-Password-Complexity.ps1 -Verbose

# Run every STIG script in the directory against the current host
Get-ChildItem .\*.ps1 | ForEach-Object {
    & $_.FullName -Verbose
}

# Report completion on standard output
Write-Host "STIG Baseline Applied Successfully."
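As an added illustration of the per-STIG module shape described above (one script per finding, registry enforcement, verbose tracking, error handling and an outcome record), here is a minimal remediation script written for this page; it is not a script from the repository. The STIG ID is a placeholder; the NoLMHash value under the LSA key is the standard Windows setting for disabling LM hash storage named in the Registry Hardening category. -WhatIf lets the same script be dry-run in a staging test ring.

```powershell
#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Placeholder STIG ID V-XXXXXX: stop storing LAN Manager (LM) password hashes.
    Added example of one remediation module; not a script from the repository.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Control to enforce: NoLMHash = 1 under the LSA key (standard Windows setting).
$StigId   = 'V-XXXXXX'   # placeholder; real modules carry the actual DISA ID
$Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name     = 'NoLMHash'
$Expected = 1

$result = [pscustomobject]@{
    StigId = $StigId; Setting = "$Path\$Name"; Before = $null; After = $null; Status = 'Unknown'
}

try {
    # Read the current value; a missing value is treated as non-compliant.
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $result.Before = $current
    Write-Verbose "[$StigId] Current $Name = $current (expected $Expected)"

    if ($current -eq $Expected) {
        $result.Status = 'AlreadyCompliant'
    }
    elseif ($PSCmdlet.ShouldProcess("$Path\$Name", "Set to $Expected")) {
        # Under -WhatIf this branch is not entered, so nothing is changed.
        Set-ItemProperty -Path $Path -Name $Name -Value $Expected -Type DWord -ErrorAction Stop
        $result.Status = 'Remediated'
    }
    else {
        $result.Status = 'Skipped'   # -WhatIf or declined confirmation
    }

    # Re-read so the logged "After" reflects actual system state, not the intended one.
    $result.After = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
catch {
    $result.Status = 'Failed'
    Write-Error "[$StigId] Remediation failed: $($_.Exception.Message)"
}

# Emit the outcome as an object so a pipeline loop can collect or export it.
$result
```

When invoked from the directory loop above, the emitted objects can be piped to Export-Csv to produce a per-host compliance record.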