Download all the required files from the GitHub Repository

Windows Server 2012, 2016, and 2019 are insecure operating systems out of the box and requires many changes to insure FISMA compliance. Microsoft, Cyber.mil, the Department of Defense, and the National Security Agency have recommended and required configuration changes to lockdown, harden, and secure the operating system and ensure government compliance. These changes cover a wide range of mitigations including blocking telemetry, macros, removing bloatware, and preventing many physical attacks on a system.

Standalone systems are some of the most difficult and annoying systems to secure. When not automated, they require manual changes of each STIG/SRG. Totalling over 1000 configuration changes on a typical deployment and an average of 5 minutes per change equaling 3.5 days worth of work. This script aims to speed up that process significantly.

• This script is designed for operation in Enterprise environments and assumes you have hardware support for all the requirements.
• This script is not designed to bring a system to 100% compliance, rather it should be used as a stepping stone to complete most, if not all, the configuration changes that can be scripted.
  • Minus system documentation, this collection should bring you up to about 95% compliance on all the STIGS/SRGs applied.

• Standards for a highly secure windows device.
• Bitlocker must be suspended or turned off prior to implementing this script, it can be enabled again after rebooting.
  • Follow-up runs of this script can be run without disabling bitlocker.
• Hardware Requirements
  • Hardware Requirements for Memory Integrity
  • Hardware Requirements for Virtualization-Based Security
  • Hardware Requirements for Windows Defender Application Guard
  • Hardware Requirements for Windows Defender Credential Guard

• System Guard Secure Launch
• System Guard Root of Trust
• Hardware-based Isolation
• Memory integrity
• Windows Defender Application Guard
• Windows Defender Credential Guard

• Cyber.mil - Group Policy Objects
• Microsoft Security Compliance Toolkit 1.0

• Microsoft - Recommended block rules
• Microsoft - Recommended driver block rules
• Microsoft - Windows Defender Application Control
• NSACyber - Application Whitelisting Using Microsoft AppLocker
• NSACyber - Hardware-and-Firmware-Security-Guidance

• Firefox V4R29
• Google Chrome V1R19
• Internet Explorer 11 V1R19
• Microsoft .Net Framework 4 V1R9 - Work in Progress
• Oracle JRE 8 V1R5
• Windows Defender Antivirus V2R1
• Windows Firewall V1R7
• Windows Server 2012(R2) V3R1
• Windows Server 2016 V2R1
• Windows Server 2019 V2R1

If manually downloaded, the script must be launched from the directory containing all the files from the GitHub Repository

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Get-ChildItem -Recurse *.ps1 | Unblock-File
.\sos-secure-standalone-server.ps1

The script may be launched from the extracted GitHub download like this:

iex ((New-Object System.Net.WebClient).DownloadString('https://simeononsecurity.ch/scripts/standalonewindowsserver.ps1'))