
DISA STIG Implementation

A collection of PowerShell scripts that automate DISA STIG (Security Technical Implementation Guide) security hardening for Windows systems, simplifying compliance enforcement and reducing manual errors.

PowerShell
DISA STIG
Windows Server
Compliance

Overview

DISA STIGs are the configuration standards for DoD information systems and applications. These PowerShell scripts automate the implementation of these security requirements, ensuring consistent and repeatable hardening across enterprise Windows environments.

Each script is mapped to specific STIG IDs and implements the required security controls through registry modifications, policy enforcement, and system configuration changes.

Key Features

Automated Implementation

  • Individual scripts mapped to STIG IDs
  • Registry and policy enforcement logic
  • Clear, readable remediation actions
  • Error handling and logging

Security Controls

  • Account policies and restrictions
  • Audit policy configuration
  • Service hardening
  • Network security settings

Enterprise Ready

  • Designed for repeatable use
  • Supports bulk deployment
  • Compatible with SCCM/Intune
  • Minimal manual intervention

Compliance Coverage

  • Windows Server 2019/2022 STIGs
  • Windows 10/11 STIGs
  • Mapped to CCI and SRG
  • CAT I, II, III findings

STIG Categories Covered

Account Policies

  • Password complexity
  • Lockout thresholds
  • Session timeouts

Audit Policies

  • Logon events
  • Object access
  • Privilege use

Security Options

  • UAC settings
  • Admin approval mode
  • Network access

User Rights

  • Logon rights
  • Privilege assignments
  • Deny policies

Windows Features

  • SMBv1 disable
  • PowerShell logging
  • WinRM security

Registry Hardening

  • Autorun disable
  • LM hash storage
  • Null session restrictions
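The following is an added example, not a script from the project, showing the shape described in the Overview (one script mapped to STIG IDs, registry modification, logging, error handling) applied to the registry hardening items listed above. It supports an audit-only pass and -WhatIf so it can be reviewed before it changes anything. The STIG IDs are placeholders, and the registry paths and values are the commonly published settings for these controls; verify both against the STIG release you are implementing.

```powershell
<#
    Added example (not part of the project): check-and-remediate script for the
    registry hardening items above. StigId values are placeholders.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$AuditOnly,   # report compliance state, change nothing
    [string]$LogPath = "$env:ProgramData\STIG\Registry-Hardening.log"
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# One entry per control: placeholder STIG ID, registry location, required DWORD.
$Controls = @(
    @{ StigId = 'V-XXXXX'; Title = 'Autorun disabled for all drive types'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Value = 255 }
    @{ StigId = 'V-XXXXX'; Title = 'LAN Manager hash not stored on next password change'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash'; Value = 1 }
    @{ StigId = 'V-XXXXX'; Title = 'Anonymous enumeration of SAM accounts restricted'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymousSAM'; Value = 1 }
    @{ StigId = 'V-XXXXX'; Title = 'Anonymous enumeration of shares and accounts restricted'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Value = 1 }
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

function Get-ControlState {
    param([hashtable]$Control)
    # A missing key or missing value both read as $null, i.e. non-compliant.
    $current = $null
    if (Test-Path -Path $Control.Path) {
        $item = Get-ItemProperty -Path $Control.Path -Name $Control.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($Control.Name) }
    }
    [pscustomobject]@{
        StigId    = $Control.StigId
        Setting   = "$($Control.Path)\$($Control.Name)"
        Expected  = $Control.Value
        Current   = $current
        Compliant = ($current -eq $Control.Value)
    }
}

function Set-ControlValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([hashtable]$Control)
    # -WhatIf given to the script reaches this ShouldProcess via $WhatIfPreference.
    if ($PSCmdlet.ShouldProcess("$($Control.Path)\$($Control.Name)", "Set DWORD to $($Control.Value)")) {
        if (-not (Test-Path -Path $Control.Path)) { New-Item -Path $Control.Path -Force | Out-Null }
        Set-ItemProperty -Path $Control.Path -Name $Control.Name -Value $Control.Value -Type DWord
        Write-Log "$($Control.StigId): set $($Control.Name) = $($Control.Value)"
    }
}

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin -and -not $AuditOnly) { throw 'HKLM changes require an elevated session.' }

New-Item -ItemType Directory -Path (Split-Path -Path $LogPath -Parent) -Force | Out-Null
Write-Log "Start mode=$(if ($AuditOnly) { 'audit' } else { 'remediate' }) host=$env:COMPUTERNAME"

$results = foreach ($control in $Controls) {
    $before = Get-ControlState -Control $control
    if ($before.Compliant -or $AuditOnly) { $before; continue }
    try {
        Set-ControlValue -Control $control
        Get-ControlState -Control $control   # re-read so the report shows the post-change state
    } catch {
        Write-Log "$($control.StigId): FAILED - $($_.Exception.Message)"
        $before                              # keep the pre-change state in the report
    }
}

$results | Format-Table StigId, Setting, Expected, Current, Compliant -AutoSize
$open = @($results | Where-Object { -not $_.Compliant }).Count
Write-Log "Finished: $open of $($Controls.Count) controls non-compliant"
exit $open   # non-zero exit lets a batch runner see how many controls remain open
```

Run it with -AuditOnly to collect the current state for the baseline documentation, with -WhatIf to see exactly which values would be written, and with -Verbose to mirror the log to the console. Re-reading each value after the write means the compliance table reflects what is actually in the registry rather than what the script intended to set.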

Usage

Running Individual Scripts

# Run a specific STIG remediation
.\V-12345-Password-Complexity.ps1

# Run with verbose output
.\V-12345-Password-Complexity.ps1 -Verbose

# Run multiple STIGs
Get-ChildItem .\*.ps1 | ForEach-Object { & $_.FullName }
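The one-liner above stops at the first terminating error and leaves no record of which scripts ran. The batch runner below is an added example, not part of the project: it runs every script whose name starts with a STIG ID (the V-12345-… pattern shown above), isolates failures so one broken script does not abort the batch, can forward -WhatIf to every script for a dry run, and writes a transcript plus a per-script CSV report. It assumes each script accepts -WhatIf and -Verbose and signals failure with a terminating error or a non-zero exit code.

```powershell
<#
    Added example (not part of the project): batch runner for STIG remediation
    scripts named V-<id>-<title>.ps1 in the same directory as this runner.
#>
[CmdletBinding()]
param(
    [string]$ScriptRoot = $PSScriptRoot,
    [switch]$Preview,   # forward -WhatIf to every script; nothing is changed
    [string]$ReportDir = "$env:ProgramData\STIG\Reports"
)

# Errors raised inside the child scripts become exceptions caught per script below.
$ErrorActionPreference = 'Stop'
$mode  = if ($Preview) { 'preview' } else { 'remediate' }
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
Start-Transcript -Path (Join-Path $ReportDir "run-$stamp.log") -Append | Out-Null

# Only files named like a STIG ID, so the runner itself is never picked up.
$scripts = Get-ChildItem -Path $ScriptRoot -Filter 'V-*.ps1' | Sort-Object Name

$results = foreach ($script in $scripts) {
    # 'V-12345-Password-Complexity' -> 'V-12345'
    $stigId    = ($script.BaseName -split '-', 3)[0..1] -join '-'
    $started   = Get-Date
    $errorText = ''
    $global:LASTEXITCODE = 0   # scripts that never call exit would leave a stale value
    try {
        if ($Preview) { & $script.FullName -WhatIf -Verbose } else { & $script.FullName -Verbose }
        $status = if ($LASTEXITCODE -ne 0) { 'Open' } else { 'OK' }
    } catch {
        $status    = 'Error'
        $errorText = $_.Exception.Message
    }
    [pscustomobject]@{
        StigId   = $stigId
        Script   = $script.Name
        Mode     = $mode
        Status   = $status
        ExitCode = $LASTEXITCODE
        Error    = $errorText
        Seconds  = [math]::Round(((Get-Date) - $started).TotalSeconds, 1)
    }
}

Stop-Transcript | Out-Null
$reportPath = Join-Path $ReportDir "run-$stamp.csv"
$results | Export-Csv -Path $reportPath -NoTypeInformation
$results | Format-Table StigId, Status, ExitCode, Seconds, Error -AutoSize
Write-Host "Report written to $reportPath"
```

Run it once with -Preview in the test environment and read the transcript before running it for real; the CSV gives a per-STIG-ID record that can be compared against the checklist in STIG Viewer, and a non-zero ExitCode column shows which scripts reported controls still open after remediation.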

Best Practices

  • Test in a non-production environment first
  • Review each script before execution
  • Document baseline configurations
  • Use STIG Viewer to validate compliance