Create a compliant and secure Windows 10/11 system with our Gold Master image creation tool. Adhere to DoD STIG/SRG Requirements and NSA Cybersecurity guidance for standalone Windows systems with ease, using our ultimate STIG script.
MIT License
Download all the required files from the GitHub Repository
Note: This script should work for most, if not all, systems without issue. While @SimeonOnSecurity creates, reviews, and tests each repo intensively, we can not test every possible configuration nor does @SimeonOnSecurity take any responsibility for breaking your system. If something goes wrong, be prepared to submit an issue. Do not run this script if you don't understand what it does. It is your responsibility to review and test the script before running it.
We now offer a playbook collection for this script. Please see the following:
We test this script using an automated docker container
Windows is insecure operating system out of the box and requires many changes to insure FISMA compliance. Organizations like Microsoft, Cyber.mil, the Department of Defense, and the National Security Agency have recommended and required configuration changes to lockdown, harden, and secure the operating system and ensure government compliance. These changes cover a wide range of mitigations including blocking telemetry, macros, removing bloatware, and preventing many physical attacks on a system.
Standalone systems are some of the most difficult and annoying systems to secure. When not automated, they require manual changes of each STIG/SRG. Totalling over 1000 configuration changes on a typical deployment and an average of 5 minutes per change equaling 3.5 days worth of work. This script aims to speed up that process significantly.
gpedit.msc
on on the system you're trying to modify.The script may be launched from the extracted GitHub download like this:
iex ((New-Object System.Net.WebClient).DownloadString('https://simeononsecurity.ch/scripts/standalonewindows.ps1'))
Note: This installation version installs all of the configurations. If you seek to customize it, please use the Manual Install
Assuming you have Chocolatey installed. You may install this script via the following command:
choco install standalone-windows-stig
Or view the package on the Chocolatey Repo.
Note: The Chocolatey version of this script may lag behind this repo by multiple major versions. We update it sparingly, but stably. Additionally, this version will install all of the configurations. If you seek to customize it, please use the Manual Install
If manually downloaded, the script must be launched from the directory containing all the other files from the GitHub Repository
All of the parameters in the "secure-standalone.ps1" script are optional, with a default value of $true. This means that if no value is specified for a parameter when the script is run, it will be treated as if it were set to $true.
The script takes the following parameters, all of which are optional and default to $true if not specified:
An example of how to run the script with all default parameters would be:
.\secure-standalone.ps1
If you want to specify a different value for one or more of the parameters, you can include them in the command along with their desired value. For example, if you wanted to run the script and set the $firefox parameter to $false, the command would be:
.\secure-standalone.ps1 -firefox $false
You can also specify multiple parameters in the command like this:
.\secure-standalone.ps1 -firefox $false -chrome $false
Note that in this example, both the Firefox and Chrome parameters are set to $false.