使用 STIG 脚本自动化 Windows Server STIG 合规性
**从下载所有需要的文件 GitHub Repository
**注意:**此脚本应该适用于大多数(如果不是全部)系统而不会出现问题。尽管 @SimeonOnSecurity creates, reviews, and tests each repo intensively, we can not test every possible configuration nor does @SimeonOnSecurity take any responsibility for breaking your system. If something goes wrong, be prepared to submit an issue 如果您不了解它的作用,请不要运行该脚本。您有责任在运行之前检查和测试脚本。
可靠的:
我们现在为这个脚本提供了一个 playbook 集合。请看以下内容: - Github Repo - Ansible Galaxy
## 介绍:
Windows 10 是开箱即用的不安全操作系统,需要进行许多更改才能确保 FISMA 遵守。 组织喜欢 Microsoft , Cyber.mil , the Department of Defense , and the National Security Agency 建议并要求更改配置以锁定、强化和保护操作系统并确保政府合规。这些更改涵盖了广泛的缓解措施,包括阻止遥测、宏、删除过时软件以及防止对系统的许多物理攻击。
独立系统是最难保护的系统之一。如果不是自动化的,它们需要手动更改每个 STIG/SRG。在典型部署中总共进行了 1000 多次配置更改,每次更改平均需要 5 分钟,相当于 3.5 天的工作量。该脚本旨在显着加快该过程。
注意事项:
- 此脚本专为在 Enterprise 环境中运行而设计,并假定您拥有满足所有要求的硬件支持。
- 对于个人系统,请参阅此 GitHub Repository
- 此脚本并非旨在使系统 100% 合规,而是应将其用作完成大部分(如果不是全部)可以编写脚本的配置更改的垫脚石。
- 减去系统文档,此集合应使您对所有应用的 STIGS/SRG 的合规性达到约 95%。
## 要求:
- 每个 STIG 都需要 Windows 10 Enterprise。
-[X]
Standards
适用于高度安全的 Windows 10 设备
-[X] System is
fully up to date
- 跑过 Windows 10 Upgrade Assistant 更新和验证最新的主要版本。
- 在执行此脚本之前必须暂停或关闭 Bitlocker,它可以在重新启动后再次启用。
- 可以在不禁用 bitlocker 的情况下运行此脚本的后续运行。
- 硬件要求 - Hardware Requirements for Memory Integrity - Hardware Requirements for Virtualization-Based Security - Hardware Requirements for Windows Defender Application Guard - Hardware Requirements for Windows Defender Credential Guard
推荐阅读材料:
- System Guard Secure Launch - System Guard Root of Trust - Hardware-based Isolation - Memory integrity - Windows Defender Application Guard - Windows Defender Credential Guard
该集合使用的脚本和工具列表:
- Cyber.mil - Group Policy Objects - Microsoft Security Compliance Toolkit 1.0
额外的配置被认为来自:
- Microsoft - Recommended block rules - Microsoft - Recommended driver block rules - Microsoft - Windows Defender Application Control - NSACyber - Application Whitelisting Using Microsoft AppLocker - NSACyber - Hardware-and-Firmware-Security-Guidance - NSACyber - Windows Secure Host Baseline
STIGS/SRGs 应用:
- Adobe Acrobat Pro DC Continuous V2R1 - Adobe Acrobat Reader DC Continuous V2R1 - Firefox V5R2 - Google Chrome V2R4 - Internet Explorer 11 V1R19 - Microsoft Edge V1R2 - Microsoft .Net Framework 4 V1R9 - Microsoft Office 2013 V2R1 - Microsoft Office 2016 V2R1 - Microsoft Office 2019/Office 365 Pro Plus V2R3 - Microsoft OneDrive STIG V2R1 - Oracle JRE 8 V1R5 - Windows 10 V2R2 - Windows Firewall V1R7
事后在本地组策略中编辑策略:
- 从此导入 ADMX 策略定义 repo 进入您要修改的系统上的 C:\windows\PolicyDefinitions。
- 打开
gpedit.msc
on on the system you’re trying to modify.
How to run the script:
Automated Install:
The script may be launched from the extracted GitHub download like this:
iex ((New-Object System.Net.WebClient).DownloadString('https://simeononsecurity.com/scripts/standalonewindows.ps1'))
Manual Install:
If manually downloaded, the script must be launched from the directory containing all the other files from the GitHub Repository
All of the parameters in the “secure-standalone.ps1” script are optional, with a default value of $true. This means that if no value is specified for a parameter when the script is run, it will be treated as if it were set to $true.
The script takes the following parameters, all of which are optional and default to $true if not specified:
- cleargpos: (Boolean) Clear GPOs not being used
- installupdates: (Boolean) Install updates and reboot if necessary
- adobe: (Boolean) STIG Adobe Reader
- firefox: (Boolean) STIG Firefox
- chrome: (Boolean) STIG Chrome
- IE11: (Boolean) STIG Internet Explorer 11
- edge: (Boolean) STIG Edge
- dotnet: (Boolean) STIG .NET Framework
- office: (Boolean) STIG Office
- onedrive: (Boolean) STIG OneDrive
- java: (Boolean) STIG Java
- windows: (Boolean) STIG Windows
- defender: (Boolean) STIG Windows Defender
- firewall: (Boolean) STIG Windows Firewall
- mitigations: (Boolean) STIG Mitigations
- nessusPID: (Boolean) Resolve Unquoted Strings in Path
- horizon: (Boolean) STIG VMware Horizon
- sosoptional: (Boolean) Optional STIG/Hardening items
An example of how to run the script with all default parameters would be:
.\secure-standalone.ps1
If you want to specify a different value for one or more of the parameters, you can include them in the command along with their desired value. For example, if you wanted to run the script and set the $firefox parameter to $false, the command would be:
.\secure-standalone.ps1 -firefox $false
You can also specify multiple parameters in the command like this:
.\secure-standalone.ps1 -firefox $false -chrome $false
请注意,在此示例中,Firefox 和 Chrome 参数均设置为 $false。