Implementing DISA STIGs via LGPO
Many Government customers I work with have an umbrella requirement to implement DISA STIGs as their baseline security policy. For those unfamiliar, DISA (Defense Information Systems Agency) STIGs (Security Technical Implementation Guides) are lists of required security settings and features that must be configured to harden a system. They cover a myriad of software including Windows 10, the Chrome browser, Adobe Reader, and Office 365; basically anything you can imagine the government using.
I’ve heard "STIG" used interchangeably to refer to both the recommendations themselves (provided as PDF and XML) and the Group Policy exports that implement them (screenshot below). We’ll be using the July 2019 update, which you can find here: https://nvd.nist.gov/ncp/checklist/629.
In this post we’re simply looking at applying the group policies via LGPO (stay tuned for a future post where we explore how we can use them). LGPO is part of the Microsoft Security Compliance Toolkit, and provides us a way to apply group policies locally, without a domain controller.
Once I have both LGPO and the DISA STIG on my target computer, it’s as simple as running a command to execute LGPO:
How can we be sure that the STIG applied? We can certainly look at the group policy editor. But if we lock the computer and try to log in, we get a much more visual confirmation:
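The apply-and-verify flow described above, written out as an added PowerShell example (this is not the post's own command, and not part of the DISA or Microsoft packages). It assumes three hypothetical paths, `$LgpoPath`, `$StigRoot` and `$BackupRoot`, that you adjust to your own layout; it backs up the existing local policy first so the change can be reverted, imports every GPO backup folder found in the STIG package with `LGPO.exe /g`, and then checks the logon banner the Windows STIG configures (the same banner that shows on the lock screen):

```powershell
# Added example, not from the original post or the DISA/Microsoft packages.
# Assumed placeholder paths (change to match your machine):
#   $LgpoPath   - LGPO.exe from the Microsoft Security Compliance Toolkit
#   $StigRoot   - folder where the DISA STIG GPO package was extracted
#   $BackupRoot - folder that will receive a backup of the current local policy
param(
    [string]$LgpoPath   = 'C:\Tools\LGPO\LGPO.exe',
    [string]$StigRoot   = 'C:\STIG\GPOs',
    [string]$BackupRoot = 'C:\STIG\Backup'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path $LgpoPath)) { throw "LGPO.exe not found at $LgpoPath" }

# 1. Back up the current local policy (LGPO.exe /b) so the STIG can be rolled back
#    later by importing this backup with /g.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
& $LgpoPath /b $BackupRoot /n "Pre-STIG local policy $(Get-Date -Format 'yyyyMMdd-HHmm')"
if ($LASTEXITCODE -ne 0) { throw "LGPO backup failed with exit code $LASTEXITCODE" }

# 2. Each GPO in the STIG package is a standard GPO backup: a GUID-named folder
#    holding Backup.xml (and a gpreport.xml with the display name). Import each
#    one with LGPO.exe /g; it handles both the computer and user halves.
$gpoBackups = Get-ChildItem -Path $StigRoot -Recurse -Directory |
    Where-Object { Test-Path (Join-Path $_.FullName 'Backup.xml') }

if (-not $gpoBackups) {
    throw "No GPO backups (folders containing Backup.xml) found under $StigRoot"
}

foreach ($gpo in $gpoBackups) {
    $name   = $gpo.Name
    $report = Join-Path $gpo.FullName 'gpreport.xml'
    if (Test-Path $report) {
        # gpreport.xml carries the human-readable GPO name; fall back to the GUID if absent.
        $name = ([xml](Get-Content -Path $report -Raw)).GPO.Name
    }
    Write-Host "Importing: $name"
    & $LgpoPath /g $gpo.FullName
    if ($LASTEXITCODE -ne 0) { throw "LGPO import of '$name' failed with exit code $LASTEXITCODE" }
}

# 3. Refresh computer policy so the settings take effect without a reboot.
gpupdate /target:computer /force | Out-Null

# 4. Verify: the Windows STIG sets the interactive logon banner, which is stored
#    in the LegalNoticeCaption / LegalNoticeText values under this key. If both
#    are populated, the lock screen will show the banner the post describes.
$systemPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$banner = Get-ItemProperty -Path $systemPolicyKey -ErrorAction SilentlyContinue
if ($banner.LegalNoticeCaption -and $banner.LegalNoticeText) {
    Write-Host "Logon banner is set: '$($banner.LegalNoticeCaption)'"
} else {
    Write-Warning 'Logon banner not set; the STIG import may not have applied.'
}
```

Run it from an elevated PowerShell prompt. The backup in step 1 is the part worth keeping: importing that folder with `LGPO.exe /g` later restores the pre-STIG local policy if a setting turns out to break something on the target.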
So there we have it! A set of security policies applied within a matter of seconds, written by the government of the United States.