Win 11 STIG
Abstract
1. Introduction
Insecure operating systems are a security concern because malicious actors
exploit both known and undiscovered weaknesses. Information security professionals
must harden operating systems to decrease the risk of exploitation by malicious actors
(Zamora et al., 2019). To help defend against malicious actors, the Defense Information
Systems Agency (DISA) publishes Security Technical Implementation Guides (STIGs),
based on National Institute of Standards and Technology (NIST) guidance, that
prescribe secure configuration baselines for both operating systems and applications.
Home users and federal agencies now use Windows 11 as a primary
operating system. Microsoft states that Windows 11 has security built into the
operating system and protects users from a fresh install (Microsoft, 2024). While
features such as Microsoft Defender Antivirus, secure Wi-Fi, and Microsoft Defender
SmartScreen are valuable, Windows 11 still requires additional hardening to decrease the
risk of exploitation (Weston, 2023).
Domain-joined Windows 11 systems are much easier to harden using Group Policy
Objects (GPOs); stand-alone installations of Windows 11 are not so easily configured.
Administrators must harden each non-domain-joined installation of Windows 11
individually, which increases the human effort needed to secure those systems. To
streamline this process, security professionals and general users turn to PowerShell and
other command line tools to harden Windows 11 installations (Stöckle et al., 2020).
2. Research Method
While working in a government program environment with over 30 non-domain
joined Windows 11 systems, an administrator discovered that each Windows 11 system
would take nearly two hours to fully harden manually. The amount of time it took to
harden non-domain joined Windows 11 installations raised two questions: Is there a way
to automate Windows 11 hardening? What percentage of Windows 11 DISA STIG
vulnerabilities can automation harden without human interaction?
Rudy [email protected]
Using PowerShell and Other Command Line Tools for Windows 11 STIG Compliance
The answer to the first question is yes, but it requires additional preparation. The
Windows 11 DISA STIG Benchmark maps each requirement to NIST SP 800-53 security
controls, with each finding identified by a vulnerability ID (V code) (NIST, 2020). Each V
code has a "Fix Text" section and a "Tests" section, both of which security professionals
can view with the DISA Security Content Automation Protocol (SCAP) Compliance
Checker (SCC). These two sections explain how to remediate that specific V code. The
"Fix Text" section gives instructions for configuring the policy value, usually through
Group Policy Objects. The "Tests" section, in contrast, shows exactly what the SCC tool
checks (typically a registry value, a user right, or an audit setting) to decide whether that V
code passes (DISA, 2024). For automation, the "Tests" section is the more useful of the
two because it names the concrete setting a script must change. For the second question,
any automation above an 80% solution would significantly decrease the human effort
required to harden over 30 non-domain-joined Windows 11 computers.
2.1. Tools
This experiment used the following tools:
Two non-domain-joined Windows 11 virtual machines (VMs) were created for
this experiment using the Windows 11 disk image downloaded from Microsoft (2024)
and VMware Workstation 17 Player (Broadcom, 2024). One served as the Windows 11
baseline; the other was used for changing the security settings. Note: while a fresh
Windows 11 installation contains pre-installed programs, this experiment did not attempt
to remove them. The SCC tool and the Windows 11 STIG Benchmark were installed on
both VMs, and ntrights.exe was installed on the VM whose security settings were
changed.
From the report, 74 findings passed, nine were non-applicable, and 127 findings
failed, indicating a Compliance Status of RED.
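The pass / not-applicable / fail counts above, and the 97% figure later in the paper, come from the SCC report. The following function is an added example, not code from the paper, that tallies an SCC XCCDF result file the same way and computes the SCAP-style score, which counts only applicable rules. The rule IDs, revision numbers and results in the embedded sample are constructed test data in the XCCDF 1.2 result shape SCC writes, and the GREEN/RED threshold is an assumption (SCC's colour bands are configurable); point -Path at a real SCC XCCDF results XML to use it on a scan.

```powershell
function Get-SccSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Path')] [string] $Path,
        [Parameter(Mandatory, ParameterSetName = 'Xml')]  [xml]    $Xml
    )
    if ($PSCmdlet.ParameterSetName -eq 'Path') { $Xml = [xml](Get-Content -Path $Path -Raw) }

    # XCCDF 1.2 elements are namespaced, so query with an explicit namespace manager
    # rather than relying on PowerShell's dot navigation.
    $ns = New-Object System.Xml.XmlNamespaceManager($Xml.NameTable)
    $ns.AddNamespace('x', 'http://checklists.nist.gov/xccdf/1.2')

    $results = foreach ($rr in $Xml.SelectNodes('//x:TestResult/x:rule-result', $ns)) {
        # Rule ids look like xccdf_mil.disa.stig_rule_SV-253259r1_rule; extract the V number.
        $vid = if ($rr.idref -match 'SV-(\d+)r') { "V-$($Matches[1])" } else { $rr.idref }
        [pscustomobject]@{
            VulnId   = $vid
            Severity = $rr.severity
            Result   = $rr.SelectSingleNode('x:result', $ns).InnerText
        }
    }

    $pass = @($results | Where-Object Result -eq 'pass').Count
    $fail = @($results | Where-Object Result -eq 'fail').Count
    $na   = @($results | Where-Object Result -eq 'notapplicable').Count
    $applicable = $pass + $fail

    [pscustomobject]@{
        Pass          = $pass
        Fail          = $fail
        NotApplicable = $na
        # Not-applicable rules are excluded from the score: 195 pass / (195 + 6) gives 97%.
        ScorePercent  = if ($applicable) { [math]::Round(100 * $pass / $applicable, 1) } else { 0 }
        # Assumed threshold for the colour band; adjust to match the SCC options in use.
        Status        = if ($applicable -and ($pass / $applicable) -ge 0.9) { 'GREEN' } else { 'RED' }
        FailedRules   = @($results | Where-Object Result -eq 'fail')
    }
}

# Constructed sample (three rules, not a real scan) in the shape SCC produces.
$sample = [xml]@'
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_mil.disa.stig_benchmark_MS_Windows_11_STIG">
  <TestResult id="xccdf_mil.disa.stig_testresult_sample">
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-253259r1_rule" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-253382r1_rule" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-253300r1_rule" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
'@

$summary = Get-SccSummary -Xml $sample
$summary | Format-List Pass, Fail, NotApplicable, ScorePercent, Status
$summary.FailedRules | Format-Table VulnId, Severity -AutoSize
```

Running the summary before and after the hardening script gives the same numbers the paper reports, and the FailedRules list is the worklist of V codes that still need a manual fix.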
Enabling this feature with PowerShell requires an additional PowerShell module. In this
experiment, PowerShell failed to enable BitLocker, so human intervention was required.
Like V-253259, this V code required human interaction. In this experiment, this V
code was left unchanged.
V-253261 – Set BitLocker PIN with six digits for pre-boot authentication
/v MinimumPIN /t REG_DWORD /d 6
V-253299 – Set the time before the bad logon counter to 15 minutes
CurrentVersion\Policies\System\Audit” /v ProcessCreationIncludeCmdLine_Enabled /t
REG_DWORD /d 1
V-253373 - Reprocess Group Policy Objects even if they have not changed
V-253375 - Prevent downloading a list of providers via Web publishing and online
ordering wizards
V-253380 - Users must be prompted for a password on resume from sleep (on
battery)
PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51” /v DCSettingIndex /t
REG_DWORD /d 1
V-253381 - The user must be prompted for a password on resume from sleep
(plugged in)
PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51” /v ACSettingIndex /t
REG_DWORD /d 1
V-253404 - Remote Desktop Services must always prompt a client for passwords
upon connection
V-253405 - The Remote Desktop Session Host must require secure RPC
communications
V-253413 – Disable automatically signing in the last interactive user after a system-
initiated restart
V-253422 - Prevent Windows apps from being activated by voice while the system is
locked
V-253424 - Configure Windows Ink Workspace to disallow access above the lock
V-253427 - Install the DoD Root CA certificates in the Trusted Root Store
The DoD root CA certificates must be installed with the DISA InstallRoot tool, which
requires human intervention (DISA, 2024).
V-253428 - Install the External Root CA certificates in the Trusted Root Store on
unclassified systems
The external root CA certificates must likewise be installed with the InstallRoot tool,
which requires human intervention (DISA, 2024).
V-253448 - Force Logoff or Lock Workstation with the removal of a Smart Card
V-253460 - Configure Kerberos encryption types to prevent the use of DES and RC4
encryption suites
CurrentVersion\Policies\System\Kerberos\Parameters" /v SupportedEncryptionTypes /t REG_DWORD /d 0x7ffffff8
V-253464 - Configure the system to meet the minimum session security requirement
for NTLM SSP-based clients
Set-ItemProperty “HKLM:\SYSTEM\CurrentControlSet\Control\
V-253465 - Configure the system to meet the minimum session security requirement
for NTLM SSP-based servers
Set-ItemProperty “HKLM:\SYSTEM\CurrentControlSet\Control\
Set-ItemProperty “HKLM:\SYSTEM\CurrentControlSet\Control\
V-253468 - Enable the User Account Control approval mode for the built-in
Administrator
V-253469 - User Account Control must prompt administrators for consent on the
secure desktop
Set-ItemProperty “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\
V-253471 - User Account Control must automatically deny elevation requests for
standard users
Set-ItemProperty “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\
V-253480 - Assign the “Access this computer from the network” user right to the
Administrators and Remote Desktop Users groups
V-253482 - Assign the “Allow log on locally” user right to the Administrators and
Users groups
V-253483 - Assign the “Back up files and directories” user right to the
Administrators group
V-253491 - Configure the “Deny access to this computer from the network” user
right on workstations to prevent access from highly privileged domain accounts and
local accounts on domain systems and unauthenticated access on all systems
V-253494 - The “Deny log on locally” user right on workstations must be configured
to prevent access from highly privileged domain accounts on domain systems and
unauthenticated access on all systems
V-253495 - Configure the “Deny log on through Remote Desktop Services” user
right
V-253505 - Assign the “Restore files and directories” user right to the
Administrators group
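The user rights assignments above were set in the experiment with ntrights.exe, which is a separate download. The same assignments can be made with secedit.exe, which ships with Windows, by importing a security template; the following is an added example and not the paper's own script. It sets the four "assign" rights listed above (V-253480, V-253482, V-253483, V-253505) using well-known SIDs so it works even after the groups are renamed, and it reads the result back so the change can be verified. Run it from an elevated PowerShell; the template replaces the full list of principals for each right it names, so review the current assignment with Get-UserRight first.

```powershell
# Well-known local group SIDs; the leading '*' tells secedit the entry is a SID, not a name.
$Sid = @{
    Administrators     = '*S-1-5-32-544'
    Users              = '*S-1-5-32-545'
    RemoteDesktopUsers = '*S-1-5-32-555'
}

function Set-UserRight {
    param(
        [Parameter(Mandatory)] [string]   $Privilege,   # e.g. SeNetworkLogonRight
        [Parameter(Mandatory)] [string[]] $Principals   # '*SID' entries or account names
    )
    $inf = Join-Path $env:TEMP "$Privilege.inf"
    $db  = Join-Path $env:TEMP "$Privilege.sdb"
    # Minimal security template: only [Privilege Rights] is populated, and the line
    # for $Privilege replaces whatever is currently assigned.
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Privilege = $($Principals -join ',')
"@ | Out-File -FilePath $inf -Encoding unicode
    # /areas USER_RIGHTS limits the import to user rights so nothing else in local policy changes.
    secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit failed for $Privilege (exit $LASTEXITCODE); see $env:windir\security\logs\scesrv.log"
    }
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

function Get-UserRight {
    param([Parameter(Mandatory)] [string] $Privilege)
    $out = Join-Path $env:TEMP 'rights-export.inf'
    secedit.exe /export /cfg $out /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $out | Where-Object { $_ -like "$Privilege*" } | Select-Object -First 1
    Remove-Item $out -ErrorAction SilentlyContinue
    # Export lines look like: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-555
    if ($line -and $line -match '=\s*(.*)$') { ($Matches[1] -split ',').Trim() } else { @() }
}

# V-253480: Access this computer from the network -> Administrators, Remote Desktop Users
Set-UserRight -Privilege SeNetworkLogonRight     -Principals @($Sid.Administrators, $Sid.RemoteDesktopUsers)
# V-253482: Allow log on locally -> Administrators, Users
Set-UserRight -Privilege SeInteractiveLogonRight -Principals @($Sid.Administrators, $Sid.Users)
# V-253483: Back up files and directories -> Administrators
Set-UserRight -Privilege SeBackupPrivilege       -Principals @($Sid.Administrators)
# V-253505: Restore files and directories -> Administrators
Set-UserRight -Privilege SeRestorePrivilege      -Principals @($Sid.Administrators)

# Verify: each call returns the '*SID' list now assigned to the right.
Get-UserRight -Privilege SeNetworkLogonRight
Get-UserRight -Privilege SeBackupPrivilege
```

The "deny" rights (V-253491, V-253494, V-253495) use the same mechanism with SeDenyNetworkLogonRight, SeDenyInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight; the principals for those depend on whether the host is domain-joined, so take them from the STIG check text rather than from this example.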
V-253356 - Configure the system to ignore NetBIOS name release requests except
from WINS servers
V-253394 - Windows Update must not obtain updates from other PCs on the
internet
/d 1
From the report, 195 findings passed, nine were non-applicable, and six findings failed,
indicating a Compliance Status of GREEN. Of the six failed findings, two were high
severity: the BitLocker findings V-253259 and V-253260. The four medium-severity
findings were the DoD root certificate findings V-253427, V-253428, V-253429, and
V-253430.
4. Conclusion
Fully automating non-domain-joined Windows 11 hardening with PowerShell and
other command line tools was not achieved in this experiment. Some settings require
human interaction, such as installing the DoD root certificates and enabling data-at-rest
encryption (BitLocker). However, the goal of this experiment was an 80% solution for
automating the hardening of non-domain-joined Windows 11 installations, and the 97%
result exceeded that target by 17 percentage points. A 97% SCAP score against the
hardening settings recommended by DISA decreases the risk of exploitation by malicious
actors, even though the experiment did not reach a 100% SCAP score.
References
Brink, S. (2019). How to deny users and groups to log on with remote desktop in
deny-users-groups-log-remote-desktop-windows-10-a.html
hypervisor/workstation-and-fusion
https://public.cyber.mil/stigs/downloads/
https://www.microsoft.com/en-us/windows/comprehensive-security
https://www.microsoft.com/en-gb/software-download/windows11
us/powershell/scripting/overview?view=powershell-7.4
NIST. (2020). NIST Special Publication 800-53 security and privacy controls for
https://doi.org/10.6028/NIST.SP.800-53r5
2022-06-24/MAC-1_Sensitive/
https://www.youtube.com/watch?v=FJnGA4XRaq4
Zamora, P. M., Kwiatek, M., Bippus, V. N., & Elejalde, E. C. (2019). Increasing
Appendix
## Windows 11 Non-Domain Joined Hardening - Windows 11 STIG_Benchmark V2R1
## Rudy Pankratz, [email protected], September 11, 2024
# Rename the built-in Administrator and Guest accounts (V-253435 and V-253436).
# -NewName can be anything, but use the same names in the local rights assignments below.
# These accounts are disabled by default.
Rename-LocalUser -Name Administrator -NewName Joker
Rename-LocalUser -Name Guest -NewName No_Guest
# /f makes reg add overwrite an existing value without prompting; without it the
# script stops at the first value that already exists and waits for a Yes/No answer.
#V-253382
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
#V-253383
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v RestrictRemoteClients /t REG_DWORD /d 1 /f
#V-253384
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v MSAOptional /t REG_DWORD /d 1 /f
#V-253385
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisableInventory /t REG_DWORD /d 1 /f
#V-253386
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
#V-253387
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f
#V-253388
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
#V-253389
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" /v EnhancedAntiSpoofing /t REG_DWORD /d 1 /f
#V-253390
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
#V-253391
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" /v EnumerateAdministrators /t REG_DWORD /d 0 /f
#V-253393
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
#V-253394
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeliveryOptimization" /v DODownloadMode /t REG_DWORD /d 1 /f
#V-253395
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 1 /f
#V-253399
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
#V-253401
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity" /v MinimumPINLength /t REG_DWORD /d 6 /f
#V-253402
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v DisablePasswordSaving /t REG_DWORD /d 1 /f
#V-253403
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableCdm /t REG_DWORD /d 1 /f
#V-253404
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fPromptForPassword /t REG_DWORD /d 1 /f
#V-253405
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fEncryptRPCTraffic /t REG_DWORD /d 1 /f
#V-253406
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v MinEncryptionLevel /t REG_DWORD /d 3 /f
#V-253407
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" /v DisableEnclosureDownload /t REG_DWORD /d 1 /f
#V-253409
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowIndexingEncryptedStoresOrItems /t REG_DWORD /d 0 /f
#V-253410
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" /v EnableUserControl /t REG_DWORD /d 0 /f
#V-253411
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated /t REG_DWORD /d 0 /f
#V-253413
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableAutomaticRestartSignOn /t REG_DWORD /d 1 /f
#V-253414
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
#V-253415
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 1 /f
#V-253416
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" /v AllowBasic /t REG_DWORD /d 0 /f
#V-253417
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" /v AllowUnencryptedTraffic /t REG_DWORD /d 0 /f
#V-253418
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v AllowBasic /t REG_DWORD /d 0 /f
#V-253419
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" /v AllowUnencryptedTraffic /t REG_DWORD /d 0 /f
#V-253420
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" /v DisableRunAs /t REG_DWORD /d 1 /f
#V-253421
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" /v AllowDigest /t REG_DWORD /d 0 /f
#V-253422
#V-253466
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy" -Name Enabled -Value 1
#V-253468
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken /t REG_DWORD /d 1 /f
#V-253469
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name ConsentPromptBehaviorAdmin -Value 2
#V-253471
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name ConsentPromptBehaviorUser -Value 0
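The STIG "Tests" section for most of the V codes in this appendix is a registry value comparison. The following is an added example, not part of the paper's script, that re-checks a subset of the values the appendix sets in the same way, so a hardening run can be verified immediately instead of waiting for a full SCC scan. The check table is my own and covers only six of the rules above; extend it one row per reg add. A missing key or value is reported as fail, which matches the check text of these rules (a value that does not exist is a finding).

```powershell
# Check table: V code, key in PowerShell drive notation, value name, expected DWORD.
$Checks = @(
    @{ Vuln = 'V-253382'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';          Name = 'fAllowToGetHelp';          Expected = 0 }
    @{ Vuln = 'V-253383'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc';                        Name = 'RestrictRemoteClients';    Expected = 1 }
    @{ Vuln = 'V-253411'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';                      Name = 'AlwaysInstallElevated';    Expected = 0 }
    @{ Vuln = 'V-253414'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging';  Name = 'EnableScriptBlockLogging'; Expected = 1 }
    @{ Vuln = 'V-253466'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy';          Name = 'Enabled';                  Expected = 1 }
    @{ Vuln = 'V-253468'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';          Name = 'FilterAdministratorToken'; Expected = 1 }
)

function Test-StigRegistry {
    param([Parameter(Mandatory)] [hashtable[]] $Checks)
    foreach ($c in $Checks) {
        $actual = $null
        try {
            # -ErrorAction Stop turns both "key missing" and "value missing" into the catch below.
            $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction Stop).($c.Name)
        } catch { }   # leave $actual as $null so the row fails
        [pscustomobject]@{
            Vuln     = $c.Vuln
            Name     = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Result   = if ($null -ne $actual -and $actual -eq $c.Expected) { 'pass' } else { 'fail' }
        }
    }
}

$report = Test-StigRegistry -Checks $Checks
$report | Format-Table Vuln, Name, Expected, Actual, Result -AutoSize
"{0} of {1} checks pass" -f @($report | Where-Object Result -eq 'pass').Count, $report.Count
```

Run it as the same elevated user that ran the hardening script; the rows that come back fail are the reg add lines to look at first, and a fail for a value the script did write usually means the command was typed with curly quotes or prompted for an overwrite and was skipped.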