DISA STIGs and SRGs – Part II (GPOs)

In DoD Security by Imperitiv Solutions

In this post we’ll discuss some of the ways to use the GPOs, which one I prefer to go with, and why. You can download the DISA GPO templates here. The download is a ZIP file that’s usually updated quarterly. There are GPOs for Windows, Office, Chrome and others. It also comes with a change log, so you can see what’s been updated. Each GPO has a corresponding STIG, with many of the settings from the STIG in the GPO. But keep in mind that not every STIG recommendation is included in the DISA-provided GPOs. Windows Server 2016 is close, but the Windows 7 GPO is missing some STIG settings. So, if you’re planning to use these in a DoD environment where you must be STIG compliant, you’ll have some work to do.

Within each subfolder in the download is a “Reports” folder containing an HTM-formatted file, included so you can see the settings from the actual GPO without having to import it. There’s also a GPO folder you can import the settings from. If there are both user and computer settings for the corresponding STIG, DISA has exported a separate GPO for each set. So, if you want them all in one, you’ll have to merge them manually.

However, be careful when you import them. The import will overwrite any existing content in the GPO you import it to. So, don’t use an existing production GPO thinking you’ll be able to merge those settings into it. It’s best to create a new/empty GPO and import the settings to it. From there you can run through the settings in your Group Policy Management Console (GPMC) and weed out any settings you don’t need, change any that don’t suit your needs or make any other necessary changes.

The DISA GPOs generally come with a prebuilt WMI filter, so you can apply the GPO and target it to that specific technology. For example, you can import the “Windows 10.mof” file and apply that WMI query (shown here) so that it only applies to Windows 10 computers.

And some of these settings harden your environment tightly enough to break both legacy and current applications. So always remember to verify everything in a test environment first. Sometimes these tighter settings don’t cause any initial problems. They can lie there dormant, waiting to ruin your weekend until a server is rebooted, a service is restarted, or an update is installed.

There are also some settings that are placeholders, which will look funny and may cause problems if you don’t replace them with appropriate values. In the User Rights Assignment section for member servers, they’ve put a pair of placeholders called “ADD YOUR ENTERPRISE ADMINS” and “ADD YOUR DOMAIN ADMINS” in a few settings. They’re in the “deny” settings, so they won’t likely hurt anything, but there’s no need to push your luck.

Additionally, in the “Interactive Logon” section for all the operating system GPOs you’ll see the DoD logon banner. You’ll want to take that out altogether or replace it with your company’s warning banner; it would be rather inappropriate to leave that in.
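Putting the staging steps above into a script, as an added example (not from this post or from DISA): import one DISA backup into a brand-new GPO, refuse to overwrite an existing one, and then scan the imported settings for the User Rights placeholders and the logon banner values before anything is linked. The backup path and backup GPO display name are assumptions; take the real ones from the “Reports” folder and bkupInfo.xml of your download. The WMI filter from the .mof file is still imported through GPMC, as the GroupPolicy module has no cmdlet for that.

```powershell
Import-Module GroupPolicy

# Assumptions (adjust to your download): the unzipped package's GPO backup folder
# and the display name recorded in that backup's bkupInfo.xml.
$BackupPath    = 'C:\DISA\STIG_GPO_Package\Windows Server 2016\GPOs'
$BackupGpoName = 'DoD Windows Server 2016 Member Server STIG Computer'   # assumed name
$TargetName    = 'STIG-WS2016-MS-Computer (staged)'                        # new, empty GPO

# Import-GPO overwrites whatever is in the target, so never point it at an existing GPO.
if (Get-GPO -Name $TargetName -ErrorAction SilentlyContinue) {
    throw "GPO '$TargetName' already exists; import only into a new, empty GPO."
}
New-GPO -Name $TargetName -Comment 'Staged DISA STIG import; review in GPMC before linking' | Out-Null
Import-GPO -BackupGpoName $BackupGpoName -Path $BackupPath -TargetName $TargetName | Out-Null

# Pull the imported settings as an XML report and look for the items that need editing:
# the "ADD YOUR ..." placeholders in User Rights Assignment and the Interactive Logon
# banner (stored under the LegalNoticeText / LegalNoticeCaption registry values).
$report   = Get-GPOReport -Name $TargetName -ReportType Xml
$findings = @(
    @{ Label = 'User Rights placeholder: ADD YOUR ENTERPRISE ADMINS'; Pattern = 'ADD YOUR ENTERPRISE ADMINS' },
    @{ Label = 'User Rights placeholder: ADD YOUR DOMAIN ADMINS';     Pattern = 'ADD YOUR DOMAIN ADMINS' },
    @{ Label = 'Logon banner text (LegalNoticeText)';                Pattern = 'LegalNoticeText' },
    @{ Label = 'Logon banner caption (LegalNoticeCaption)';          Pattern = 'LegalNoticeCaption' }
) | Where-Object { $report -match [regex]::Escape($_.Pattern) }

if ($findings) {
    Write-Warning "Review these settings in GPMC before linking '$TargetName':"
    $findings | ForEach-Object { Write-Warning ('  - ' + $_.Label) }
} else {
    Write-Host "No placeholders or logon banner values found in '$TargetName'."
}
```

Because the GPO is created unlinked, nothing is applied to any computer until you link it yourself after the review.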

In the next part of this article we’ll go over one method for creating and deploying GPOs. And remember, as with any new tool, test it out in a lab or development environment. Don’t go using what you’ve seen here in production until you test your changes first.

Comments

  1. It is especially important to fully test all GPOs against all Windows operating systems, internet browsers, and specific and legacy applications which are targeted by each STIG GPO and are currently used in the environment.