Implementing DISA STIGs via LGPO

Many Government customers I work with have an umbrella requirement to implement DISA STIGs as their baseline security policy. For those unfamiliar, DISA (Defense Information Systems Agency) STIGs (Security Technical Implementation Guide) are a list of recommended security settings and features that should be enabled to ensure security. They cover a myriad of software including Windows 10, the Chrome browser, Adobe Reader, Office 365; basically anything you can imagine the government using.

Screenshot of DISA STIG Windows 10 pdf

I’ve interchangeably heard STIGs refer to both the recommendations (provided via PDF and XML) and the Group Policy exports (screenshot below). We’ll be using the July 2019 update, which you can find here:

DISA STIG Group Policy Package unzipped

In this post we’re simply looking at applying the group polices via LGPO (stay tuned for a future post where we explore how we can use them). LGPO is part of the Security Compliance Toolkit, and provides us a way to apply group policies without a domain controller.

Once I have both LGPO and the DISA STIG on my target computer, it’s as simple as running a command to execute LGPO:

LGPO command
LGPO import processing

How can we be sure that the STIG applied? We can certainly look at the group policy editor. But if we lock the computer and try to log in, we get a much more visual confirmation:

Login warning prompt

So there we have it! A set of security policies applied within a matter of seconds, written by the government of the United States.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *