Configuring DISA STIG Group Policy Settings for Windows 10

    Question

  • I am looking at the best way to configure the DISA STIG group policy settings for Windows 10 Enterprise. Ideally DISA would provide an official group policy backup/template file with all the settings configured in their STIG files, allowing administrators to easily import the complete set of settings directly into an actual GPO for testing/deployment.

    Unfortunately I have checked with DISA and they indicated they do not provide an actual GPO backup; they indicated that administrators must configure the settings themselves based on their guidance in the STIG. So this appears to mean the only way to get the STIG settings into an actual GPO is to manually configure each of the 200+ settings in the GPO.

    I am wondering if anyone is aware of a better or easier way to configure/import DISA STIG settings into a GPO. I see other threads on this regarding using the Microsoft Security Compliance Manager to somehow accomplish this, but I have yet to find a solution that would actually work in this scenario.

    DISA provides a Manual-xccdf.xml file which contains all the STIG settings and that is able to be imported into the STIG Viewer application as well as other compliance tools. Unfortunately this file can't be imported into the Microsoft SCM to allow a backup to be created.

    Is anyone aware of a way to import this xccdf content into the Microsoft SCM?

    Friday, March 4, 2016 1:49 AM

All replies

  • Bump
    Wednesday, September 14, 2016 3:58 PM
  • Either of you guys make progress on this?

    Tuesday, September 20, 2016 6:16 PM
  • No progress yet? I'd love to learn more about this
    Friday, November 4, 2016 5:47 PM
  • Check out the support disks for the Host Secure Baseline in the IASE website. They include GPOs for the OS, Office and IE and a few others. Saves you plenty of time in making GPOs with STIG settings.
    Monday, May 22, 2017 5:21 PM
  • Essentially...you are stuck with creating an initial STIG baseline. I have done this in the past, and actually used SCM, cloned the MS SCM baseline for Win10, then went through and made the changes for STIG. Still have to review each setting, but I found that more flexible.

    One thing you can look at is the SCAP extensions for SCCM (https://technet.microsoft.com/en-us/library/cc677271.aspx).

    Here is a guide for converting SCAP files (from DISA) to SCCM DCM baseline items: https://configmgr.com/stig-compliance-with-scap-and-dcm-in-configmgr/

    Once you have an SCCM baseline from your STIG, you can audit a test machine for compliance and see where the gaps are.

    So, start with the MS SCM baseline, create GPO, deploy GPO, create DCM baseline from the SCAP STIG files, deploy DCM baseline, and see what is non-compliant after the GPO is applied.

    Address individual GPO settings to achieve compliance.

    Note - in my experience there wasn't a great deal of deviation between STIG and MS SCM baselines for Windows; there are greater gaps in the Office and IE baselines.

    Hope this helps. I can empathise: it is a painful process, but once you have that initial GPO that is STIG compliant, make sure you check for STIG revisions and changes to keep it up to date. There won't be a Windows 11, so maintaining STIG compliant GPOs should be manageable after the initial investment if you keep on top of it.

    Friday, July 28, 2017 5:22 AM
  • DISA now provides quarterly STIG GPO downloads here:

    https://iase.disa.mil/stigs/gpo/Pages/index.aspx

    "This package is to be used to assist administrators implementing STIG
    settings within their environment. The administrator must fully test GPOs in
    test environments prior to live production deployments. The GPOs provided
    contain most applicable GPO STIG settings contained in STIG files.

    This package contains ADMX template files, GPO backup exports, GPO reports,
    and WMI filter exports and STIG Checklist files. It is to provide enterprise
    administrators the supporting GPOs and related files to aid them in the
    deployment of GPOs within their enterprise to meet STIG requirements.  See the
    ReadMe.txt file for additional information."

    Hope this helps!

     - Glenn Fincher (Microsoft)

    Wednesday, March 7, 2018 7:36 PM
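The GPO backup exports in a package like the one described in the last reply can be imported into a test domain in bulk and turned into reviewable reports; the script below is an added example, not code from the thread or from DISA. It assumes the package was extracted to $PackageRoot, that the exports use the standard GPMC backup layout (one folder per backup containing bkupInfo.xml), and that the domain and path values are placeholders.

```powershell
# Added example (not from the thread): import every GPO backup in an extracted
# STIG GPO package into a TEST domain and write one HTML report per GPO.
# Assumptions: $PackageRoot is the extracted package; backups use the standard
# GPMC layout ({backup-id}\bkupInfo.xml); nothing is linked to any OU.
param(
    [string]$PackageRoot = 'C:\STIG-GPO-Package',    # placeholder path
    [string]$Domain      = 'test.example.local',     # placeholder TEST domain
    [string]$Prefix      = 'STIG-TEST - ',           # keeps imports distinct from production GPOs
    [string]$ReportDir   = 'C:\STIG-GPO-Reports'
)

Import-Module GroupPolicy -ErrorAction Stop
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Namespace-agnostic lookup, since bkupInfo.xml declares a default xmlns
function Get-BackupField([xml]$Doc, [string]$Name) {
    $Doc.DocumentElement.SelectSingleNode("*[local-name()='$Name']").InnerText
}

# Every GPMC backup folder carries a bkupInfo.xml describing the saved GPO
$backups = Get-ChildItem -Path $PackageRoot -Recurse -Filter 'bkupInfo.xml' -File

foreach ($info in $backups) {
    $xml         = [xml](Get-Content -Path $info.FullName -Raw)
    $displayName = Get-BackupField $xml 'GPODisplayName'
    $backupId    = Get-BackupField $xml 'ID'
    $backupRoot  = $info.Directory.Parent.FullName   # folder holding the {backup-id} folders
    $targetName  = "$Prefix$displayName"

    Write-Host "Importing '$displayName' as '$targetName'"

    # -CreateIfNeeded creates the target GPO; it stays unlinked, so the settings
    # cannot reach any machine until an administrator deliberately links it.
    Import-GPO -BackupId $backupId -Path $backupRoot `
               -TargetName $targetName -CreateIfNeeded -Domain $Domain | Out-Null

    # Readable report to compare against the STIG checklist before any linking
    $safe = $targetName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Name $targetName -Domain $Domain -ReportType Html `
                  -Path (Join-Path $ReportDir "$safe.html")
}

# The package's ADMX/ADML templates belong in the domain central store; without
# them GPMC shows the imported policies only as "Extra Registry Settings".
$central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
Write-Host "Copy the package's ADMX templates to $central before reviewing reports."
```

Run it against a test domain only; the imported GPOs are created unlinked so they can be reviewed and compared against the STIG checklist before anything is deployed.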