
Using PowerShell and Other Command Line Tools for Windows 11 STIG Compliance

Author: Rudy Pankratz

Advisor: Russell Eubanks

Accepted: September 24, 2024

Abstract

Hardening non-domain joined Windows 11 operating systems is a daunting task without
automation. Non-hardened Windows 11 systems pose a security risk by leaving
vulnerabilities open for malicious actors to exploit. Organizations must harden Windows
11 systems to decrease this risk. Using built-in tools, such as PowerShell and the
command line, to update Windows 11 settings effectively reduces the human effort
required to harden non-domain systems. It is possible to increase the baseline Windows
11 installation SCAP score from 36% to 97% with minimal manual effort. This
experiment describes the overall SCAP scores of the Windows 11 baseline and the DISA
STIG-compliant non-domain joined Windows 11 installations, outlines the code
developed for each of the 127 failed findings, and details the observations.
Using PowerShell and Other Command Line Tools for Windows 2
11 STIG Compliance

1. Introduction
Insecure operating systems cause security concerns because malicious actors
exploit any discovered and undiscovered weaknesses. Information security professionals
must harden operating systems to decrease the risk of exploitation by malicious actors
(Zamora et al., 2019). To help defend against malicious actors, the Defense Information
Systems Agency (DISA) created Security Technical Implementation Guides (STIG)
based on the National Institute of Standards and Technology (NIST) guidelines to help
configure best practices for both operating systems and applications.

Home users and federal agencies now utilize Windows 11 as the primary
operating system. Microsoft boasts that Windows 11 has security developed into the
operating system, protecting users on a fresh install (Microsoft, 2024). While many
features, such as Microsoft Defender Antivirus, secure Wi-Fi, and Microsoft Defender
SmartScreen, are excellent features, Windows 11 requires more hardening to decrease the
risk of exploitation (Weston, 2023).

Windows 11 operating systems that are domain-joined are much easier to harden
using Group Policy Objects; however, stand-alone installations of Windows 11 are not so
easily configured. Administrators must harden non-domain joined installations of
Windows 11 individually, increasing human effort to secure those instances. To
streamline this process, security professionals and general users use PowerShell and other
command line tools to harden Windows 11 installations (Stöckle et al., 2020).

2. Research Method
While working in a government program environment with over 30 non-domain
joined Windows 11 systems, an administrator discovered that each Windows 11 system
would take nearly two hours to fully harden manually. The amount of time it took to
harden non-domain joined Windows 11 installations raised two questions: Is there a way
to automate Windows 11 hardening? What percentage of Windows 11 DISA STIG
vulnerabilities can automation harden without human interaction?

Rudy [email protected]

The answer to the first question is yes, but it requires additional preparation. The
Windows 11 DISA STIG Benchmark outlines the NIST 800-53 security controls, with
each vulnerability identified by a V code (NIST, 2020). Each V code has a “Fix Text” and
a “Tests” section that security professionals can view by using the DISA Security
Content Automation Protocol (SCAP) Compliance Checker tool (SCC). These two
sections provide insight into how to remediate that specific V code. The “Fix Text” section
provides instructions on configuring policy values, usually with Group Policy Objects.

In contrast, the “Tests” section indicates how the SCC tool determined if that V
code was applicable (DISA, 2024). For automation, the “Tests” section is more
beneficial. For the second question, any automation above an 80% solution would
significantly decrease the human effort it took to harden over 30 non-domain joined
Windows 11 computers.

2.1. Tools
This experiment used the following tools:

• Windows 11 disk image (Microsoft, 2024)
• SCC tool (DISA, 2024)
• Windows 11 STIG Benchmark (DISA, 2024)
• ntrights.exe (Brink, 2019) extracted to C:\Windows\System32\
• Administrative Windows PowerShell with Set-ExecutionPolicy Bypass

Two non-domain joined Windows 11 Virtual Machines (VM) were created for
this experiment using the Windows 11 disk image downloaded from Microsoft (2024)
and VMWare Workstation 17 Player (Broadcom, 2024). One is for the Windows 11
Baseline, and the other is for manipulating the security settings. Note: While a fresh
Windows 11 installation contains pre-installed programs, this experiment did not attempt
to remove those additional pre-installed programs. The SCC tool and Windows 11 STIG
Benchmarks were installed on both VMs, while the VM where the security settings
changed had ntrights.exe installed.


2.2. Windows 11 Baseline

After creating the Windows 11 Baseline VM, install the SCC tool and Windows
11 STIG Benchmarks. The Windows 11 STIG contains a total of 253 findings that the
SCC tool checks for (UFC, 2022). After running the SCC tool, the initial Windows 11
Baseline SCAP non-compliance report indicated the score was 36.82%.

Figure 1: Windows 11 Baseline SCAP Report

From the report, 74 findings passed, nine were non-applicable, and 127 findings
failed, indicating a Compliance Status of RED.

2.3. PowerShell and Other Command Line Code Used to Correct Non-Compliance

This section outlines the PowerShell and other command line commands used
to correct the non-compliance findings identified in the SCAP non-compliance report.

2.3.1 High Severity - Category I

The SCC non-compliance report indicated 13 high-severity findings.

V-253259 - Windows 11 information systems must encrypt data at rest


Enabling this feature with PowerShell requires an additional PowerShell module. In this
experiment, PowerShell failed to enable BitLocker, resulting in the requirement for human
intervention.

V-253260 - BitLocker PIN for pre-boot authentication

Similarly to V-253259, this V code required human interaction. In this experiment, this V
code was left unchanged.

V-253283 – Configure Data Execution Prevention (DEP) to AlwaysOn

BCDEDIT /set "{current}" nx AlwaysOn

V-253284 – Enable Structured Exception Handling Overwrite Protection (SEHOP)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v DisableExceptionChainValidation /t REG_DWORD /d 0

V-253382 – Disable Solicited Remote Assistance

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowToGetHelp /t REG_DWORD /d 0

V-253386 – Disable Autoplay on non-volume devices

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer"

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1

V-253387 – Prevent autorun commands by default

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1

V-253388 – Disable Autoplay on all drives


reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255

V-253411 – Disable the “Always install with elevated privileges” feature

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated /t REG_DWORD /d 0

V-253416 – Disable Basic authentication for Windows Remote Management (WinRM) client

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" /v AllowBasic /t REG_DWORD /d 0

V-253418 – Disable Basic authentication for WinRM service

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v AllowBasic /t REG_DWORD /d 0

V-253454 – Restrict Anonymous enumeration of shares

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name restrictanonymous -Value 1

V-253462 – Set LanMan authentication for NTLMv2 responses to refuse LM and NTLM

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5
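The registry-based findings in this category can be applied and verified in one idempotent pass. The following PowerShell is an added example, not the author's script: the table restates the key, value name and expected DWORD of each V code above (in HKLM: drive form), and the check reproduces what the SCC “Tests” section does for these findings, reading the value back and comparing it to the expected number.

```powershell
# Added example (not from the paper): apply and verify the registry-based
# Category I findings listed above. Each entry restates a V code from this
# section: registry path (PowerShell drive form), value name, expected DWORD.
$CatIFindings = @(
    @{ V='V-253284'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'; Name='DisableExceptionChainValidation'; Value=0 },
    @{ V='V-253382'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='fAllowToGetHelp'; Value=0 },
    @{ V='V-253386'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'; Name='NoAutoplayfornonVolume'; Value=1 },
    @{ V='V-253387'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoAutorun'; Value=1 },
    @{ V='V-253388'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveTypeAutoRun'; Value=255 },
    @{ V='V-253411'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name='AlwaysInstallElevated'; Value=0 },
    @{ V='V-253416'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'; Name='AllowBasic'; Value=0 },
    @{ V='V-253418'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'; Name='AllowBasic'; Value=0 },
    @{ V='V-253454'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymous'; Value=1 },
    @{ V='V-253462'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='LmCompatibilityLevel'; Value=5 }
)

function Test-StigRegistryValue {
    # Mirrors the SCC "Tests" logic: the value must exist and equal the expected DWORD.
    param([string]$Path, [string]$Name, [int]$Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$Name -eq $Expected)
}

function Set-StigRegistryValue {
    # Idempotent: creates the key if missing and overwrites without prompting.
    # (reg add without /f asks "Value exists, overwrite?" and stalls a script.)
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Invoke-StigRegistryFindings {
    # Reports Before/After per V code; with -ReportOnly nothing is changed.
    param([hashtable[]]$Findings, [switch]$ReportOnly)
    foreach ($f in $Findings) {
        $before = Test-StigRegistryValue $f.Path $f.Name $f.Value
        if (-not $before -and -not $ReportOnly) {
            Set-StigRegistryValue $f.Path $f.Name $f.Value
        }
        [pscustomobject]@{
            VCode  = $f.V
            Before = if ($before) { 'Pass' } else { 'Fail' }
            After  = if (Test-StigRegistryValue $f.Path $f.Name $f.Value) { 'Pass' } else { 'Fail' }
        }
    }
}

# Run from an elevated PowerShell: report first, then apply.
Invoke-StigRegistryFindings -Findings $CatIFindings -ReportOnly | Format-Table -AutoSize
Invoke-StigRegistryFindings -Findings $CatIFindings | Format-Table -AutoSize
```

The same table-driven loop extends to the medium- and low-severity reg add entries later in this section; only the rows change.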

2.3.2 Medium Severity - Category II

The SCC tool non-compliance report indicated there were 108 medium-severity
findings.

V-253261 – Set BitLocker PIN with six digits for pre-boot authentication

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v MinimumPIN /t REG_DWORD /d 6


V-253285 – Disable Windows PowerShell 2.0 feature

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

V-253289 – Disable Secondary Logon service

Set-Service -Name seclogon -StartupType Disabled


V-253297 – Set Windows 11 account lockout duration to 15 minutes

net accounts /lockoutduration:15

V-253298 – Set the allowed number of bad logons to three

net accounts /lockoutthreshold:3

V-253299 – Set the time before the bad logon counter to 15 minutes

net accounts /lockoutwindow:15

V-253300 – Configure the password history to remember 24 passwords

net accounts /uniquepw:24

V-253302 – Configure the minimum password age to one day

net accounts /minpwage:1

V-253303 – Set Password length to 14 characters

net accounts /minpwlen:14

V-253304 – Enable the Microsoft password complexity filter

secedit /export /cfg c:\secpol.cfg

(gc C:\secpol.cfg).replace("PasswordComplexity = 0", "PasswordComplexity = 1") | Out-File C:\secpol.cfg

secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY

rm -force c:\secpol.cfg -confirm:$false

V-253306 - Configure Account Logon - Credential Validation failures

auditpol /set /subcategory:"Credential Validation" /failure:enable /success:enable


V-253307 - Configure Account Logon - Credential Validation successes

auditpol /set /subcategory:"Credential Validation" /failure:enable /success:enable

V-253309 - Configure Account Management - User Account Management failures

auditpol /set /subcategory:"User Account Management" /failure:enable /success:enable

V-253312 - Configure Detailed Tracking - Process Creation successes

auditpol /set /subcategory:"Process Creation" /failure:enable /success:enable

V-253313 - Configure Logon/Logoff - Account Lockout failures

auditpol /set /subcategory:"Account Lockout" /failure:enable /success:enable

V-253319 - Configure Object Access - File Share failures

auditpol /set /subcategory:"File Share" /failure:enable /success:enable

V-253320 - Configure Object Access - File Share successes

auditpol /set /subcategory:"File Share" /failure:enable /success:enable

V-253321 - Configure Object Access - Other Object Access Events successes

auditpol /set /subcategory:"Other Object Access Events" /failure:enable /success:enable

V-253322 - Configure Object Access - Other Object Access Events failures

auditpol /set /subcategory:"Other Object Access Events" /failure:enable /success:enable

V-253327 - Configure Policy Change - Authorization Policy Change successes

auditpol /set /subcategory:"Authorization Policy Change" /failure:enable /success:enable

V-253328 - Configure Privilege Use - Sensitive Privilege Use failures

auditpol /set /subcategory:"Sensitive Privilege Use" /failure:enable /success:enable

V-253329 - Configure Privilege Use - Sensitive Privilege Use successes

auditpol /set /subcategory:"Sensitive Privilege Use" /failure:enable /success:enable

V-253330 - Configure System - IPsec Driver failures

auditpol /set /subcategory:"IPsec Driver" /failure:enable


V-253334 - Configure System - Security System Extension successes

auditpol /set /subcategory:"Security System Extension" /success:enable

V-253337 – Configure the Application event log size to 32768 KB

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" /v MaxSize /t REG_DWORD /d 3276800

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application" -Name MaxSize -Value 3276800

V-253338 - Configure the Security event log size to 1024000 KB

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" /v MaxSize /t REG_DWORD /d 3276800

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security" -Name MaxSize -Value 3276800

V-253339 - Configure the System event log size to 32768 KB

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" /v MaxSize /t REG_DWORD /d 3276800

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System" -Name MaxSize -Value 3276800

V-253343 - Configure Other Policy Change Events Successes

auditpol /set /subcategory:"Other Policy Change Events" /failure:enable /success:enable

V-253344 - Configure Other Policy Change Events Failures

auditpol /set /subcategory:"Other Policy Change Events" /failure:enable /success:enable

V-253345 - Configure Logon/Logoff Events Successes

auditpol /set /subcategory:"Other Logon/Logoff Events" /failure:enable /success:enable

V-253346 - Configure Logon/Logoff Events Failures

auditpol /set /subcategory:"Other Logon/Logoff Events" /failure:enable /success:enable

V-253347 - Configure Detailed File Share Failures


auditpol /set /subcategory:"Detailed File Share" /failure:enable /success:enable

V-253348 - Configure MPSSVC Rule-Level Policy Change Successes

auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable /success:enable

V-253349 - Configure MPSSVC Rule-Level Policy Change Failures

auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable /success:enable

V-253352 – Disable the display of slide shows on the lock screen

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v NoLockScreenSlideshow /t REG_DWORD /d 1

V-253353 – Configure IPv6 source routing to the highest protection

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2

V-253354 - Prevent IP source routing

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2

V-253358 – Disable WDigest authentication

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest" /v UseLogonCredential /t REG_DWORD /d 0

V-253359 – Remove Run as a different user from context menus

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\runasuser" /v SuppressionPolicy /t REG_DWORD /d 4096

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\runasuser" /v SuppressionPolicy /t REG_DWORD /d 4096

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\runasuser" /v SuppressionPolicy /t REG_DWORD /d 4096

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\runasuser" /v SuppressionPolicy /t REG_DWORD /d 4096

V-253360 – Disable insecure logons to an SMB server

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" /v AllowInsecureGuestAuth /t REG_DWORD /d 0

V-253361 – Disable Internet connection sharing

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" /v NC_ShowSharedAccessUI /t REG_DWORD /d 0

V-253365 – Block unauthenticated connections to the authenticated domain

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v fBlockNonDomain /t REG_DWORD /d 1

V-253366 – Disable Wi-Fi Sense

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v AutoConnectAllowedOEM /t REG_DWORD /d 0

V-253367 – Configure command line data to include process creation events

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1

V-253368 – Configure Remote host delegation of non-exportable credentials

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" /v AllowProtectedCreds /t REG_DWORD /d 1


V-253372 – Enable the Boot-Start Driver Initialization policy to prevent boot drivers with Early Launch Antimalware

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" /v DriverLoadPolicy /t REG_DWORD /d 8

V-253373 - Reprocess Group Policy objects even if they have not changed

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" /v NoGPOListChanges /t REG_DWORD /d 0

V-253374 – Prevent downloading of print driver packages over HTTP

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v DisableWebPnPDownload /t REG_DWORD /d 1

V-253375 – Prevent downloading a list of providers via Web publishing and online
ordering wizards

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoWebServices /t REG_DWORD /d 1

V-253376 – Prevent HTTP printing

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v DisableHTTPPrinting /t REG_DWORD /d 1

V-253378 – Disable the network selection displayed on the logon screen

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v DontDisplayNetworkSelectionUI /t REG_DWORD /d 1

V-253380 - Users must be prompted for a password on resume from sleep (on
battery)

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" /v DCSettingIndex /t REG_DWORD /d 1


V-253381 - The user must be prompted for a password on resume from sleep
(plugged in)

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" /v ACSettingIndex /t REG_DWORD /d 1

V-253383 – Restrict unauthenticated RPC clients

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v RestrictRemoteClients /t REG_DWORD /d 1

V-253389 – Enable enhanced anti-spoofing for facial recognition

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" /v EnhancedAntiSpoofing /t REG_DWORD /d 1

V-253391 – Prevent enumerating of Administrator accounts during elevation

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" /v EnumerateAdministrators /t REG_DWORD /d 0

V-253393 – Disallow Windows Telemetry data

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0

V-253395 – Enable the Microsoft Defender SmartScreen for Explorer

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 1

V-253399 - Disable Windows Game Recording and Broadcasting

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0

V-253401 - Set minimum pin length to six

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity" /v MinimumPINLength /t REG_DWORD /d 6

V-253402 – Disable Remote Desktop Client password saving

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v DisablePasswordSaving /t REG_DWORD /d 1

V-253403 – Prevent sharing of local drives with Remote Desktop Session Hosts

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableCdm /t REG_DWORD /d 1

V-253404 - Remote Desktop Services must always prompt a client for passwords
upon connection

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fPromptForPassword /t REG_DWORD /d 1

V-253405 - The Remote Desktop Session Host must require secure RPC
communications

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fEncryptRPCTraffic /t REG_DWORD /d 1

V-253406 – Set Remote Desktop Services encryption level

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v MinEncryptionLevel /t REG_DWORD /d 3

V-253407 – Prevent RSS feed Attachments

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" /v DisableEnclosureDownload /t REG_DWORD /d 1

V-253409 – Turn off encrypted file indexing

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowIndexingEncryptedStoresOrItems /t REG_DWORD /d 0

V-253410 – Prevent users from changing installation options


reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" /v EnableUserControl /t REG_DWORD /d 0

V-253413 – Disable automatically signing in the last interactive user after a system-
initiated restart

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableAutomaticRestartSignOn /t REG_DWORD /d 1

V-253414 – Enable PowerShell script block logging

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1

V-253415 – Enable PowerShell Transcription

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 1

V-253417 – Disallow unencrypted WinRM client traffic

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" /v AllowUnencryptedTraffic /t REG_DWORD /d 0

V-253419 – Disallow unencrypted WinRM service traffic

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" /v AllowUnencryptedTraffic /t REG_DWORD /d 0

V-253420 – Disallow storing RunAS credentials with WinRM service

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" /v DisableRunAs /t REG_DWORD /d 1

V-253421 – Disallow the use of Digest authentication with WinRM client

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" /v AllowDigest /t REG_DWORD /d 0

V-253422 - Prevent Windows apps from being activated by voice while the system is
locked

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v LetAppsActivateWithVoice /t REG_DWORD /d 2

V-253423 – Disable the convenience PIN

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v AllowDomainPINLogon /t REG_DWORD /d 0

V-253424 - Configure Windows Ink Workspace to disallow access above the lock

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace" /v AllowWindowsInkWorkspace /t REG_DWORD /d 1

V-253426 – Enable the Kernel Direct Memory Access (DMA) Protection

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" /v DeviceEnumerationPolicy /t REG_DWORD /d 0

V-253427 - Install the DoD Root CA certificates in the Trusted Root Store

The DoD Certificate must be installed via the Install Root tool by human intervention
(DISA, 2024).

V-253428 - Install the External Root CA certificates in the Trusted Root Store on
unclassified systems

The DoD Certificate must be installed via the Install Root tool by human intervention
(DISA, 2024).

V-253429 - Install the DoD Interoperability Root CA

The DoD Certificate must be installed via the Install Root tool by human intervention
(DISA, 2024).

V-253430 - Install the US DoD CCEB Interoperability Root CA

The DoD Certificate must be installed via the Install Root tool by human intervention
(DISA, 2024).

V-253435 – Rename the built-in administrator account

Rename-LocalUser -Name Administrator -NewName Joker


V-253436 – Rename the built-in guest account

Rename-LocalUser -Name Guest -NewName No_Guest


V-253437 – Enable Audit policy subcategories

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v SCENoApplyLegacyAuditPolicy /t REG_DWORD /d 1

V-253444 – Set the machine inactivity limit to 15 minutes

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v InactivityTimeoutSecs /t REG_DWORD /d 900

V-253448 - Force Logoff or Lock Workstation with the removal of a Smart Card

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SCRemoveOption /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SCRemoveOption /t REG_SZ /d 1

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name SCRemoveOption -Value 1

V-253449 - Always perform SMB packet signing

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name RequireSecuritySignature -Value 1

V-253451 - Configure the SMB server to perform SMB packet signing

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" -Name RequireSecuritySignature -Value 1


V-253457 – Restrict Remote calls to the Security Account Manager (SAM) to Administrators

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name RestrictRemoteSAM -Value "O:BAG:BAD:(A;;RC;;;BA)"

V-253458 - Prevent NTLM from falling back to a Null session

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v allownullsessionfallback /t REG_DWORD /d 0

V-253459 - Prevent PKU2U authentication using online identities

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\pku2u" /v AllowOnlineID /t REG_DWORD /d 0

V-253460 - Configure Kerberos encryption types to prevent the use of DES and RC4
encryption suites

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v SupportedEncryptionTypes /t REG_DWORD /d 0x7ffffff8

V-253464 - Configure the system to meet the minimum session security requirement
for NTLM SSP-based clients

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name NTLMMinClientSec -Value 0x20080000

V-253465 - Configure the system to meet the minimum session security requirement
for NTLM SSP-based servers

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name NTLMMinServerSec -Value 0x20080000

V-253466 - Configure the system to use FIPS-compliant algorithms for encryption,
hashing, and signing


Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy" -Name Enabled -Value 1

V-253468 - Enable the User Account Control approval mode for the built-in
Administrator

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken /t REG_DWORD /d 1

V-253469 - User Account Control must prompt administrators for consent on the
secure desktop

Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name ConsentPromptBehaviorAdmin -Value 2

V-253471 - User Account Control must automatically deny elevation requests for
standard users

Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name ConsentPromptBehaviorUser -Value 0

V-253480 - Assign the “Access this computer from the network” user right to the
Administrators and Remote Desktop Users groups

Requires ntrights.exe to be in C:\Windows\System32\

ntrights -r SeNetworkLogonRight -u Everyone

ntrights -r SeNetworkLogonRight -u Users

ntrights +r SeNetworkLogonRight -u "Remote Desktop Users"

ntrights -r SeNetworkLogonRight -u "Backup Operators"

V-253482 - Assign the “Allow log on locally” user right to the Administrators and
Users groups


Requires ntrights.exe to be in C:\Windows\System32\

ntrights -r SeInteractiveLogonRight -u No_Guest

ntrights -r SeInteractiveLogonRight -u "Backup Operators"

V-253483 - Assign the “Back up files and directories” user right to the
Administrators group

Requires ntrights.exe to be in C:\Windows\System32\

ntrights -r SeBackupPrivilege -u "Backup Operators"

V-253491 - Configure the “Deny access to this computer from the network” user
right on workstations to prevent access from highly privileged domain accounts and
local accounts on domain systems and unauthenticated access on all systems

Requires ntrights.exe to be in C:\Windows\System32\

ntrights -r SeDenyNetworkLogonRight -u "No_Guest"

ntrights +r SeDenyNetworkLogonRight -u "Guests"

V-253494 - The “Deny log on locally” user right on workstations must be configured
to prevent access from highly privileged domain accounts on domain systems and
unauthenticated access on all systems

Requires ntrights.exe to be in C:\Windows\System32\

ntrights +r SeDenyInteractiveLogonRight -u "Guests"

V-253495 - Configure the “Deny log on through Remote Desktop Services” user
right

Requires ntrights.exe to be in C:\Windows\System32\

ntrights +r SeDenyRemoteInteractiveLogonRight -u "Guests" -u Everyone

V-253505 - Assign the “Restore files and directories” user right to the
Administrators group

Requires ntrights.exe to be in C:\Windows\System32\


ntrights -r SeRestorePrivilege -u "Backup Operators"
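The user-right assignments above depend on ntrights.exe, a separately downloaded binary placed in C:\Windows\System32\ (Brink, 2019). As an added example that is not part of the paper, the deny rights from V-253491, V-253494 and V-253495 can be set with the built-in secedit.exe by writing a [Privilege Rights] template, with accounts expressed as SIDs so that the renamed Guest account (No_Guest) is still covered through the Guests group; a template assignment replaces the right's whole member list, which also removes No_Guest as the V-253491 commands do. The template paths and the right-to-account table are assumptions to adjust for the environment.

```powershell
# Added example (not from the paper): assign the deny user rights of
# V-253491, V-253494 and V-253495 with secedit.exe instead of ntrights.exe.
$Inf = Join-Path $env:TEMP 'stig-rights.inf'   # assumed scratch paths
$Db  = Join-Path $env:TEMP 'stig-rights.sdb'

function Get-AccountSid {
    # Resolves a local or well-known account/group name to its SID string.
    param([string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-UserRightsTemplate {
    # Builds a secedit template. Each line such as
    #   SeDenyInteractiveLogonRight = *S-1-5-32-546
    # REPLACES the right's current member list with the listed SIDs.
    param([hashtable]$Rights)   # right name -> array of account names
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]',
               'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
    foreach ($right in $Rights.Keys) {
        $sids = ($Rights[$right] | ForEach-Object { '*' + (Get-AccountSid $_) }) -join ','
        $lines += "$right = $sids"
    }
    return $lines
}

function Test-UserRight {
    # Exports the effective policy and checks every expected SID is in the right.
    param([string]$Right, [string[]]$Accounts)
    $export = Join-Path $env:TEMP 'stig-rights-export.inf'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line = Get-Content $export | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    Remove-Item $export -Force
    if (-not $line) { return $false }
    $have = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    $want = $Accounts | ForEach-Object { '*' + (Get-AccountSid $_) }
    return -not ($want | Where-Object { $have -notcontains $_ })
}

# Deny rights as the page assigns them to the Guests group (S-1-5-32-546).
# The page additionally denies Everyone for V-253495; add 'Everyone' to that
# row if that is wanted, since the template replaces the whole list.
$DenyRights = @{
    'SeDenyNetworkLogonRight'           = @('Guests')
    'SeDenyInteractiveLogonRight'       = @('Guests')
    'SeDenyRemoteInteractiveLogonRight' = @('Guests')
}

# secedit requires a Unicode (UTF-16) template; run from an elevated PowerShell.
New-UserRightsTemplate $DenyRights | Set-Content -Path $Inf -Encoding Unicode
secedit /configure /db $Db /cfg $Inf /areas USER_RIGHTS | Out-Null
Remove-Item $Inf, $Db -Force -ErrorAction SilentlyContinue

foreach ($r in $DenyRights.Keys) {
    '{0}: {1}' -f $r, $(if (Test-UserRight $r $DenyRights[$r]) { 'Pass' } else { 'Fail' })
}
```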


V-257770 - Enable audit failures for the command line process event

auditpol /set /subcategory:"Process Creation" /failure:enable
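Because the auditpol entries in this section enable both success and failure on every subcategory, it is worth verifying afterwards exactly what each V code requires. The following PowerShell is an added example, not the paper's code: the table restates a subset of the subcategories from section 2.3.2 with the success/failure requirement its V code names, auditpol's /r CSV output is parsed to check them, and only what is missing is enabled (existing auditing is never turned off).

```powershell
# Added example (not from the paper): verify and, where needed, enable the
# audit subcategories named by the V codes in section 2.3.2 (a subset is shown).
$AuditFindings = @(
    @{ V='V-253306, V-253307'; Sub='Credential Validation';    Success=$true;  Failure=$true  },
    @{ V='V-253309';           Sub='User Account Management';  Success=$false; Failure=$true  },
    @{ V='V-253312, V-257770'; Sub='Process Creation';         Success=$true;  Failure=$true  },
    @{ V='V-253313';           Sub='Account Lockout';          Success=$false; Failure=$true  },
    @{ V='V-253319, V-253320'; Sub='File Share';               Success=$true;  Failure=$true  },
    @{ V='V-253328, V-253329'; Sub='Sensitive Privilege Use';  Success=$true;  Failure=$true  },
    @{ V='V-253330';           Sub='IPsec Driver';             Success=$false; Failure=$true  },
    @{ V='V-253334';           Sub='Security System Extension'; Success=$true; Failure=$false }
)

function Get-AuditSetting {
    # auditpol /get ... /r emits CSV; the 'Inclusion Setting' column reads
    # "Success and Failure", "Success", "Failure" or "No Auditing".
    param([string]$Subcategory)
    $csv = auditpol /get /subcategory:"$Subcategory" /r |
           Where-Object { $_ -ne '' } | ConvertFrom-Csv
    return [string]$csv.'Inclusion Setting'
}

function Test-AuditSetting {
    # What the V code requires must be present; extra auditing is acceptable.
    param([string]$Subcategory, [bool]$Success, [bool]$Failure)
    $setting = Get-AuditSetting $Subcategory
    if ($Success -and $setting -notmatch 'Success') { return $false }
    if ($Failure -and $setting -notmatch 'Failure') { return $false }
    return $true
}

function Set-AuditSetting {
    # Enables only the flags the V code needs; never disables existing auditing.
    param([string]$Subcategory, [bool]$Success, [bool]$Failure)
    $cmdArgs = @('/set', "/subcategory:$Subcategory")
    if ($Success) { $cmdArgs += '/success:enable' }
    if ($Failure) { $cmdArgs += '/failure:enable' }
    auditpol @cmdArgs | Out-Null
}

# Run from an elevated PowerShell; prints the effective setting per V code.
$AuditFindings | ForEach-Object {
    if (-not (Test-AuditSetting $_.Sub $_.Success $_.Failure)) {
        Set-AuditSetting $_.Sub $_.Success $_.Failure
    }
    [pscustomobject]@{ VCode = $_.V; Subcategory = $_.Sub; Setting = Get-AuditSetting $_.Sub }
} | Format-Table -AutoSize
```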

2.3.3 Low Severity - Category III

The SCC tool non-compliance report indicated there were six low-severity
findings.

V-253355 - Configure the system to prevent ICMP redirects

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0

V-253356 - Configure the system to ignore NetBIOS name release requests except from WINS servers

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" /v NoNameReleaseOnDemand /t REG_DWORD /d 1 /f

V-253384 - Allow Microsoft accounts to be optional for modern-style apps must be enabled

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v MSAOptional /t REG_DWORD /d 1 /f

V-253385 - Prevent the Application Compatibility Program Inventory from collecting data and sending the information to Microsoft

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisableInventory /t REG_DWORD /d 1 /f

V-253390 - Turn off Microsoft consumer experiences

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f

V-253394 - Windows Update must not obtain updates from other PCs on the internet

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
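Before running the SCC tool it is useful to confirm that the six low-severity values above actually landed, since a policy key that does not exist yet and a value that exists with the wrong data both show up as the same failed finding. The following PowerShell is an added example, not part of the paper's script: a table-driven check that reports each value as PASS or FAIL, remediates only the failures, and re-checks. The Expected column holds the values the paper sets (for DODownloadMode the STIG accepts any value other than 3; the paper chooses 1). The function names are the example's own.

```powershell
# Added example, not from the paper: check and remediate the six low-severity registry settings.
# Run in an elevated Windows PowerShell session; the Path/Name/Expected triples are the values the paper sets.
$lowSeverityChecks = @(
    [pscustomobject]@{ Id = 'V-253355'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';                    Name = 'EnableICMPRedirect';             Expected = 0 }
    [pscustomobject]@{ Id = 'V-253356'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters';                    Name = 'NoNameReleaseOnDemand';          Expected = 1 }
    [pscustomobject]@{ Id = 'V-253384'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';             Name = 'MSAOptional';                    Expected = 1 }
    [pscustomobject]@{ Id = 'V-253385'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';                         Name = 'DisableInventory';               Expected = 1 }
    [pscustomobject]@{ Id = 'V-253390'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent';                      Name = 'DisableWindowsConsumerFeatures'; Expected = 1 }
    [pscustomobject]@{ Id = 'V-253394'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'; Name = 'DODownloadMode';                 Expected = 1 }
)

function Test-StigRegistryValue {
    # Assumed helper name. A missing key and a missing value are both reported as FAIL with Actual = $null.
    param([Parameter(Mandatory)][pscustomobject]$Check)
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    $status = if ($actual -eq $Check.Expected) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{
        Id       = $Check.Id
        Name     = $Check.Name
        Expected = $Check.Expected
        Actual   = $actual
        Status   = $status
    }
}

function Set-StigRegistryValue {
    # Assumed helper name. Policy keys such as ...\Windows\CloudContent do not exist on a fresh install,
    # so the key is created first; -Type DWord keeps the value type the STIG check expects.
    param([Parameter(Mandatory)][pscustomobject]$Check)
    if (-not (Test-Path -Path $Check.Path)) { New-Item -Path $Check.Path -Force | Out-Null }
    Set-ItemProperty -Path $Check.Path -Name $Check.Name -Value $Check.Expected -Type DWord
}

$before = $lowSeverityChecks | ForEach-Object { Test-StigRegistryValue -Check $_ }
$before | Format-Table -AutoSize

# Remediate only what failed, then re-check so the console shows both states.
foreach ($result in ($before | Where-Object Status -eq 'FAIL')) {
    Set-StigRegistryValue -Check ($lowSeverityChecks | Where-Object Id -eq $result.Id)
}
$lowSeverityChecks | ForEach-Object { Test-StigRegistryValue -Check $_ } | Format-Table -AutoSize
```

The same table shape works for every REG_DWORD item in the Appendix; adding rows is all that is needed to turn the script into a pre-check for the full set of medium-severity registry findings.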

2.4 Windows 11 STIG Results


After applying the above commands, the SCC tool non-compliance report
indicated the score was 97.01% on the hardened Windows 11 installation.

Figure 2: Windows 11 Hardened SCAP Report

From the report, 195 findings passed, nine were not applicable, and six failed, giving a Compliance Status of GREEN. Two of the six failed findings were high severity: the BitLocker findings V-253259 and V-253260. The four medium-severity findings concerned the DoD root certificates: V-253427, V-253428, V-253429, and V-253430.

3. Recommendations and Implications


It is best to test the hardening script provided in the Appendix in a non-production environment of non-domain joined Windows 11 systems prior to implementation. Some settings may need adjusting depending on the environment to prevent users from experiencing connectivity issues. In addition, users and organizations may need to increase the maximum file size of the Security, Application, and System event logs (the MaxSize registry values set in the script), depending on the production environment, to prevent loss of audit records, because several of the STIG audit items generate a large volume of audit records.

Future work on fully automating non-domain joined Windows 11 STIG installations via PowerShell and other command line tools would benefit from researching and experimenting with automating BitLocker and other data-at-rest settings. In addition, future iterations of the DISA STIG may add items to automate. When DISA updates the Windows 11 STIG, this experiment recommends a change management approach for updating the provided commands so that they track the changes in the STIG.

4. Conclusion
Fully automating non-domain joined Windows 11 hardening with PowerShell and other command line tools was not achieved in this experiment. Some settings require human interaction, such as installing the DoD root certificates and implementing data-at-rest encryption (BitLocker). However, the experiment aimed for an 80% solution for automating the hardening of non-domain joined Windows 11 installations, and the result surpassed that target by 17 percentage points. A 97% SCAP score against the hardening settings recommended by DISA decreases the risk of exploitation by malicious actors, even though the experiment did not achieve a 100% SCAP score.


References
Brink, S. (2019). How to deny users and groups to log on with remote desktop in Windows 10. https://www.tenforums.com/tutorials/129893-deny-users-groups-log-remote-desktop-windows-10-a.html

Broadcom. (2024). Desktop hypervisor. https://www.vmware.com/products/desktop-hypervisor/workstation-and-fusion

DISA. (2024). InstallRoot. https://public.cyber.mil/pki-pke/pkipke-document-library

DISA. (2024). Microsoft Windows 11 STIG, Ver 2, Rel 1. https://public.cyber.mil/stigs/downloads/

DISA. (2024). SCAP Compliance Checker. https://public.cyber.mil/stigs/downloads/

Microsoft. (2024). Comprehensive security. https://www.microsoft.com/en-us/windows/comprehensive-security

Microsoft. (2024). Download Windows 11. https://www.microsoft.com/en-gb/software-download/windows11

Microsoft. (2024). PowerShell. https://learn.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.4

NIST. (2020). NIST Special Publication 800-53, Rev. 5: Security and privacy controls for information systems and organizations. https://doi.org/10.6028/NIST.SP.800-53r5

Stöckle, P., Grobauer, B., & Pretschner, A. (2020, December). Automated implementation of Windows-related security configuration guides. In Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering (pp. 598-610). https://arxiv.org/pdf/2209.08936

United Compliance Framework. (2024). Microsoft Windows 11 Security Technical Implementation Guide. https://www.stigviewer.com/stig/microsoft_windows_11/2022-06-24/MAC-1_Sensitive/

Weston, D. (2019, October 24). Advancing Windows security: Platform Security Summit 2019 [Video]. https://www.youtube.com/watch?v=FJnGA4XRaq4

Zamora, P. M., Kwiatek, M., Bippus, V. N., & Elejalde, E. C. (2019). Increasing Windows security by hardening PC configurations. In EPJ Web of Conferences (Vol. 214, p. 08019). EDP Sciences. https://doi.org/10.1051/epjconf/201921408019


Appendix
## Windows 11 Non-Domain Joined Hardening - Windows 11 STIG_Benchmark V2R1
## Rudy Pankratz, [email protected], September 11, 2024
## Run from an elevated Windows PowerShell session. The local rights assignments at the end use
## ntrights.exe, which is not part of Windows 11 and must be copied to C:\Windows\System32\ first.

# Rename the Administrator and Guest accounts (-NewName to whatever you want, but change the matching
# values in the Local Rights Assignments below)
# These accounts are disabled by default
# V-253435 and V-253436
Rename-LocalUser -Name Administrator -NewName Joker
Rename-LocalUser -Name Guest -NewName No_Guest

# Set Data Execution Prevention (DEP) to AlwaysOn
# V-253283
bcdedit /set "{current}" nx AlwaysOn

# Set the minimum PIN length for BitLocker startup PINs
# V-253261
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v MinimumPIN /t REG_DWORD /d 6 /f

# Enable Structured Exception Handling Overwrite Protection (SEHOP): a value of 0 leaves exception chain validation enabled
# V-253284
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v DisableExceptionChainValidation /t REG_DWORD /d 0 /f

# Disable PowerShell 2.0 and SMBv1 (-NoRestart suppresses the interactive reboot prompt; the script reboots at the end)
# V-253285 and V-253286
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# Disable the Secondary Logon service
# V-253289
Set-Service -Name seclogon -StartupType Disabled

# Set account lockout and password policies
# V-253297 - V-253303
net accounts /lockoutduration:15
net accounts /lockoutthreshold:3
net accounts /lockoutwindow:15
net accounts /uniquepw:24
net accounts /maxpwage:60
net accounts /minpwage:1
net accounts /minpwlen:14

# Configure the security policy for password complexity (export, edit, re-import with secedit)
# V-253304
secedit /export /cfg C:\secpol.cfg
(Get-Content C:\secpol.cfg).Replace("PasswordComplexity = 0", "PasswordComplexity = 1") | Out-File C:\secpol.cfg
secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY
Remove-Item -Path C:\secpol.cfg -Force -Confirm:$false

# Enable audit policies
# V-253305 - V-253336 and V-257770
$auditSubcategories = @(
    "Credential Validation",
    "Security Group Management",
    "User Account Management",
    "Process Creation",
    "Account Lockout",
    "File Share",
    "Other Object Access Events",
    "Audit Policy Change",
    "Authentication Policy Change",
    "Authorization Policy Change",
    "Sensitive Privilege Use",
    "IPsec Driver",
    "Security System Extension",
    "Other Policy Change Events",
    "Other Logon/Logoff Events",
    "Detailed File Share",
    "MPSSVC Rule-Level Policy Change"
)
foreach ($subcategory in $auditSubcategories) {
    # Quote the name so subcategories containing spaces reach auditpol as a single argument
    auditpol /set /subcategory:"$subcategory" /failure:enable /success:enable
}

# Set MaxSize for the Application, Security, and System event logs
# V-253337 - V-253339
$eventLogKeys = @(
    "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application",
    "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security",
    "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System"
)
foreach ($key in $eventLogKeys) {
    Set-ItemProperty -Path $key -Name MaxSize -Value 3276800
}

# Registry changes and various settings (/f overwrites an existing value without prompting)
# V-253352 - Prevent the lock screen slide show
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v NoLockScreenSlideshow /t REG_DWORD /d 1 /f
# V-253353 - IPv6 source routing: highest protection
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
# V-253354 - IPv4 source routing: highest protection
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
# V-253355 - Ignore ICMP redirects
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
# V-253356 - Ignore NetBIOS name release requests except from WINS servers
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" /v NoNameReleaseOnDemand /t REG_DWORD /d 1 /f
# V-253358 - WDigest must not keep plaintext credentials in LSASS
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
# Remove "Run as different user" from the context menus of batch, command, executable, and MSC files
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\runasuser" /v SuppressionPolicy /t REG_DWORD /d 4096 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\runasuser" /v SuppressionPolicy /t REG_DWORD /d 4096 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\runasuser" /v SuppressionPolicy /t REG_DWORD /d 4096 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\runasuser" /v SuppressionPolicy /t REG_DWORD /d 4096 /f
# V-253360 - Insecure SMB guest logons disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" /v AllowInsecureGuestAuth /t REG_DWORD /d 0 /f
# V-253361 - Internet Connection Sharing disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" /v NC_ShowSharedAccessUI /t REG_DWORD /d 0 /f
# V-253365 - Block simultaneous connections to domain and non-domain networks
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v fBlockNonDomain /t REG_DWORD /d 1 /f
# V-253366 - Wi-Fi Sense automatic connections disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v AutoConnectAllowedOEM /t REG_DWORD /d 0 /f
# V-253367 - Include the command line in process creation events
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
# V-253368 - Remote host allows delegation of non-exportable credentials
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" /v AllowProtectedCreds /t REG_DWORD /d 1 /f
# V-253372 - Early Launch Antimalware boot-start driver policy: Good only
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" /v DriverLoadPolicy /t REG_DWORD /d 8 /f
# V-253373 - Reprocess Group Policy objects even when they have not changed
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" /v NoGPOListChanges /t REG_DWORD /d 0 /f
# V-253374 - Prevent downloading print driver packages over HTTP
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v DisableWebPnPDownload /t REG_DWORD /d 1 /f
# V-253375 - Turn off web publishing and online ordering wizards
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoWebServices /t REG_DWORD /d 1 /f
# V-253376 - Prevent printing over HTTP
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v DisableHTTPPrinting /t REG_DWORD /d 1 /f
# V-253378 - Do not display the network selection UI on the logon screen
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v DontDisplayNetworkSelectionUI /t REG_DWORD /d 1 /f
# V-253380 - Require a password on wake (on battery)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" /v DCSettingIndex /t REG_DWORD /d 1 /f
# V-253381 - Require a password on wake (plugged in)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" /v ACSettingIndex /t REG_DWORD /d 1 /f

# V-253382 - Solicited Remote Assistance disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
# V-253383 - Restrict unauthenticated RPC clients
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v RestrictRemoteClients /t REG_DWORD /d 1 /f
# V-253384 - Microsoft accounts optional for modern-style apps
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v MSAOptional /t REG_DWORD /d 1 /f
# V-253385 - Application Compatibility Program Inventory disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisableInventory /t REG_DWORD /d 1 /f
# V-253386 - Autoplay disabled for non-volume devices
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
# V-253387 - Default autorun behavior: do not execute any autorun commands
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f
# V-253388 - Autoplay turned off for all drives
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
# V-253389 - Enhanced anti-spoofing for facial recognition
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" /v EnhancedAntiSpoofing /t REG_DWORD /d 1 /f
# V-253390 - Microsoft consumer experiences turned off
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
# V-253391 - Do not enumerate administrator accounts on elevation
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" /v EnumerateAdministrators /t REG_DWORD /d 0 /f
# V-253393 - Telemetry at the Security level
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
# V-253394 - Delivery Optimization: do not obtain updates from PCs on the internet (1 = LAN only)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DODownloadMode /t REG_DWORD /d 1 /f
# V-253395 - Microsoft Defender SmartScreen enabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 1 /f
# V-253399 - Game DVR disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
# V-253401 - Windows Hello for Business minimum PIN length
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity" /v MinimumPINLength /t REG_DWORD /d 6 /f
# V-253402 - Remote Desktop client must not save passwords
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v DisablePasswordSaving /t REG_DWORD /d 1 /f

# V-253403 - Local drives not shared with Remote Desktop sessions
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableCdm /t REG_DWORD /d 1 /f
# V-253404 - Remote Desktop always prompts for a password on connection
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fPromptForPassword /t REG_DWORD /d 1 /f
# V-253405 - Require secure RPC communication for Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEncryptRPCTraffic /t REG_DWORD /d 1 /f
# V-253406 - Remote Desktop client connection encryption level: High
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MinEncryptionLevel /t REG_DWORD /d 3 /f
# V-253407 - Prevent attachment downloads from RSS feeds
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" /v DisableEnclosureDownload /t REG_DWORD /d 1 /f
# V-253409 - Do not index encrypted files
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowIndexingEncryptedStoresOrItems /t REG_DWORD /d 0 /f
# V-253410 - Users cannot change Windows Installer installation options
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" /v EnableUserControl /t REG_DWORD /d 0 /f
# V-253411 - Windows Installer "Always install with elevated privileges" disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated /t REG_DWORD /d 0 /f
# V-253413 - Disable automatic sign-on after a restart
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableAutomaticRestartSignOn /t REG_DWORD /d 1 /f
# V-253414 - PowerShell script block logging
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
# V-253415 - PowerShell transcription
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 1 /f
# V-253416 - WinRM client: Basic authentication disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v AllowBasic /t REG_DWORD /d 0 /f
# V-253417 - WinRM client: unencrypted traffic disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v AllowUnencryptedTraffic /t REG_DWORD /d 0 /f
# V-253418 - WinRM service: Basic authentication disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v AllowBasic /t REG_DWORD /d 0 /f
# V-253419 - WinRM service: unencrypted traffic disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v AllowUnencryptedTraffic /t REG_DWORD /d 0 /f
# V-253420 - WinRM service: RunAs credentials not stored
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v DisableRunAs /t REG_DWORD /d 1 /f
# V-253421 - WinRM client: Digest authentication disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v AllowDigest /t REG_DWORD /d 0 /f
# V-253422 - Windows apps cannot be activated by voice
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v LetAppsActivateWithVoice /t REG_DWORD /d 2 /f
# V-253423 - Convenience PIN sign-in disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowDomainPINLogon /t REG_DWORD /d 0 /f
# V-253424 - Windows Ink Workspace not accessible above the lock screen
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" /v AllowWindowsInkWorkspace /t REG_DWORD /d 1 /f
# V-253426 - Kernel DMA Protection: block all incompatible devices
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" /v DeviceEnumerationPolicy /t REG_DWORD /d 0 /f
# V-253437 - Audit policy subcategory settings override category settings
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v SCENoApplyLegacyAuditPolicy /t REG_DWORD /d 1 /f
# V-253444 - Machine inactivity limit: 15 minutes
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v InactivityTimeoutSecs /t REG_DWORD /d 900 /f
# V-253448 - Smart card removal: lock workstation (the value must be REG_SZ "1"; /f replaces any existing value)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SCRemoveOption /t REG_SZ /d 1 /f
# V-253449 - SMB client: always digitally sign communications
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name RequireSecuritySignature -Value 1
# V-253451 - SMB server: always digitally sign communications
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" -Name RequireSecuritySignature -Value 1
# V-253454 - Do not allow anonymous enumeration of SAM accounts and shares
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name restrictanonymous -Value 1
# V-253457 - Restrict remote calls to SAM to Administrators
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name RestrictRemoteSAM -Value "O:BAG:BAD:(A;;RC;;;BA)"
# V-253458 - NTLM must not fall back to a null session
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v allownullsessionfallback /t REG_DWORD /d 0 /f
# V-253459 - PKU2U authentication with online identities disabled
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\pku2u" /v AllowOnlineID /t REG_DWORD /d 0 /f
# V-253460 - Kerberos encryption types: AES128, AES256, and future types only
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v SupportedEncryptionTypes /t REG_DWORD /d 0x7ffffff8 /f
# V-253462 - LAN Manager authentication level: send NTLMv2 response only, refuse LM and NTLM
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
# V-253464 - NTLM SSP client: require NTLMv2 session security and 128-bit encryption
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name NTLMMinClientSec -Value 0x20080000
# V-253465 - NTLM SSP server: require NTLMv2 session security and 128-bit encryption
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name NTLMMinServerSec -Value 0x20080000

# V-253466 - Use FIPS-compliant algorithms for encryption, hashing, and signing
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy" -Name Enabled -Value 1
# V-253468 - Admin Approval Mode for the built-in Administrator account
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken /t REG_DWORD /d 1 /f
# V-253469 - UAC: prompt administrators for consent on the secure desktop
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name ConsentPromptBehaviorAdmin -Value 2
# V-253471 - UAC: automatically deny elevation requests for standard users
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name ConsentPromptBehaviorUser -Value 0

# Local rights assignments (ntrights.exe must be in C:\Windows\System32\; a deny right overrides the matching allow right)
# V-253480 - Access this computer from the network: Administrators and Remote Desktop Users only
ntrights -r SeNetworkLogonRight -u Everyone
ntrights -r SeNetworkLogonRight -u Users
ntrights +r SeNetworkLogonRight -u "Remote Desktop Users"
ntrights -r SeNetworkLogonRight -u "Backup Operators"
# V-253482 - Allow log on locally: Administrators and Users only
# Change No_Guest if the Guest account was renamed to something else above
ntrights -r SeInteractiveLogonRight -u No_Guest
ntrights -r SeInteractiveLogonRight -u "Backup Operators"
# V-253483 - Back up files and directories: Administrators only
ntrights -r SeBackupPrivilege -u "Backup Operators"
# V-253491 - Deny access to this computer from the network: the Guests group replaces the renamed Guest account
# Change No_Guest if the Guest account was renamed to something else above
ntrights +r SeDenyNetworkLogonRight -u "Guests"
ntrights -r SeDenyNetworkLogonRight -u "No_Guest"
# V-253494 - Deny log on locally: Guests
ntrights +r SeDenyInteractiveLogonRight -u "Guests"
# V-253495 - Deny log on through Remote Desktop Services: Guests
# Everyone additionally blocks Remote Desktop for all accounts, including Administrators; drop it where RDP is needed
ntrights +r SeDenyRemoteInteractiveLogonRight -u "Guests"
ntrights +r SeDenyRemoteInteractiveLogonRight -u Everyone
# V-253505 - Restore files and directories: Administrators only
ntrights -r SeRestorePrivilege -u "Backup Operators"

# Refresh policy and restart the computer to apply the changes
gpupdate /force
Restart-Computer -Force
