

Brian Wilhite edited this page May 29, 2019 · 7 revisions


A composite DSC resource to manage the Windows Server STIG settings




| Parameter | Required | DataType | Description | Allowed Values |
|---|---|---|---|---|
| OsVersion | True | String | The version of the server operating system STIG to apply and monitor. | 2012R2, 2016 |
| OsRole | True | String | The role of the server operating system STIG to apply and monitor. This value further filters the OsVersion to select the exact STIG to apply. | DC, MS |
| StigVersion | False | Version | Uses the OsVersion and OsRole to select the version of the STIG to apply and monitor. If this parameter is not provided, the most recent version of the STIG is selected automatically. | 2.12, 2.13 |
| ForestName | False | String | The forest name used for items such as security groups, given as the FQDN of the forest. If omitted, the forest name of the computer that generates the configuration is used. | |
| DomainName | False | String | The domain name used for items such as security groups, given as the FQDN of the domain. If omitted, the domain name of the computer that generates the configuration is used. | |
| Exception | False | PSObject | A hashtable of StigId=Value key pairs that are injected into the STIG data and applied to the target node. The title of each excepted STIG setting is tagged with the text "Exception" so that exceptions to policy can be identified across the data center when DSC log collection is centralized. | |
| OrgSettings | False | PSObject | The path to the XML file that contains the local organization's preferred settings for STIG items that have allowable ranges. | |
| SkipRule | False | PSObject | The STIG IDs of rules to skip. A Skip node is injected into the STIG data and applied to the target node. The title of each skipped STIG setting is tagged with the text "Skip" so that skips to policy can be identified across the data center when DSC log collection is centralized. | |
| SkipRuleType | False | PSObject | All STIG rule IDs of the specified rule type are collected in an array and passed to the Skip-Rule function. Each rule is then processed exactly as with the SkipRule parameter. | |


Apply the Windows Server STIG V2R12 to a node

Use the embedded STIG data with default range values. In this example the composite resource processes the Windows Server 2012 R2 member server STIG, pinned to V2R12 through StigVersion, and applies it to the node, merging in the default values for any settings that have a valid range. Omit StigVersion to let the resource pick the most recent 2012 R2 member server STIG version file it can find locally.

```powershell
configuration Example
{
    param
    (
        [Parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2012R2'
            OsRole      = 'MS'
            StigVersion = '2.12'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
        }
    }
}
```


Apply the Windows Server STIG to a node, but override a rule value

Use embedded STIG data and inject exception data. In this example the Windows Server 2012 R2 V2R12 member server STIG is processed by the composite resource, which merges in the default values for any settings that have a valid range. Additionally, an exception is added inline to the configuration so that the value for STIG ID V-1075 is overwritten with 1. The title of that setting is tagged with the text "Exception", which is what makes the deviation visible when DSC logs are collected centrally.

```powershell
configuration Example
{
    param
    (
        [Parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2012R2'
            OsRole      = 'MS'
            StigVersion = '2.12'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
            Exception   = @{ 'V-1075' = @{ 'ValueData' = '1' } }
        }
    }
}
```


Apply the Windows Server STIG to a node, but override the default organizational settings with a local file

Provide an organizational range XML file to merge into the main STIG settings. In this example the Windows Server 2012 R2 V2R12 member server STIG is processed by the composite resource. Instead of merging in the default values for settings that have a valid range, the organization supplies its own values through the file; each setting is linked by STIG ID, and the range it must stay within is recorded in the comment above it.

```powershell
# Creates a sample Organizational Settings file for the example to use.
function New-OrgSettingXmlFile
{
@"
<?xml version="1.0"?>
<!-- The organizational settings file is used to define the local organization's preferred setting within an allowed range of the STIG. Each setting in this file is linked by STIG ID and the valid range is in an associated comment. -->
<OrganizationalSettings version="2.12">
    <!-- Ensure 'V-1090' -le '4'-->
    <OrganizationalSetting value="3" id="V-1090"/>
    <!-- Ensure ''V-1097'' -le '3' -and ''V-1097'' -ne '0'-->
    <OrganizationalSetting value="2" id="V-1097"/>
    <!-- Ensure ''V-1098'' -ge '15'-->
    <OrganizationalSetting value="16" id="V-1098"/>
</OrganizationalSettings>
"@ | Out-File -FilePath "$PSScriptRoot\orgsettings.xml"
}

# Write the file before the configuration is compiled, so that OrgSettings points at an existing path.
New-OrgSettingXmlFile

configuration Example
{
    param
    (
        [Parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2012R2'
            OsRole      = 'MS'
            StigVersion = '2.12'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
            OrgSettings = "$PSScriptRoot\orgsettings.xml"
        }
    }
}
```
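The range comment above each setting is the only place the allowed range is recorded, so it is worth checking the organization's values against it before the configuration is compiled and pushed. The following pre-flight check is an added example written for this page; it is not part of PowerStig, and the function name Test-OrgSettingRange is my own. It assumes the file layout shown above (one `<!-- Ensure ... -->` comment directly before each `<OrganizationalSetting>`) and the comparison operators seen there (-le, -lt, -ge, -gt, -eq, -ne, joined by -and). Any comment it cannot parse is reported as Unverified rather than silently passed, and the range text is evaluated by a small parser instead of being handed to Invoke-Expression.

```powershell
# Added example, not PowerStig code: check each OrganizationalSetting value against the
# allowed-range comment that precedes it. Assumptions: one <!-- Ensure ... --> comment sits
# directly before each <OrganizationalSetting>, and ranges use -le -lt -ge -gt -eq -ne
# joined by -and. Anything else is reported as 'Unverified' (fail closed).
function Test-OrgSettingRange
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $Path
    )

    [xml] $doc = Get-Content -Path $Path -Raw
    # One clause looks like  'V-1090' -le '4'  ; the quotes around the id may be doubled.
    $clauseRegex = "^'*(?<id>V-\d+)'*\s+-(?<op>le|lt|ge|gt|eq|ne)\s+'(?<bound>[^']*)'`$"

    foreach ($setting in $doc.SelectNodes('/OrganizationalSettings/OrganizationalSetting'))
    {
        $id     = $setting.GetAttribute('id')
        $value  = $setting.GetAttribute('value')
        $result = [pscustomobject] @{ Id = $id; Value = $value; Range = ''; Status = 'Unverified' }

        # The range lives in the comment node immediately before the element.
        $comment = $setting.PreviousSibling
        if ($comment -isnot [System.Xml.XmlComment])
        {
            $result.Status = 'NoRangeComment'
            $result
            continue
        }
        $result.Range = $comment.Value.Trim()

        $verdict = $true    # $true = in range, $false = out of range, $null = could not parse
        $clauses = ($result.Range -replace '^Ensure\s+', '') -split '\s+-and\s+'
        foreach ($clause in $clauses)
        {
            if ($clause -notmatch $clauseRegex -or $Matches.id -ne $id)
            {
                $verdict = $null
                break
            }

            # Compare as integers when both sides parse as integers, otherwise as strings.
            $lhs = $value
            $rhs = $Matches.bound
            $a = 0; $b = 0
            if ([int]::TryParse($lhs, [ref] $a) -and [int]::TryParse($rhs, [ref] $b))
            {
                $lhs = $a
                $rhs = $b
            }

            $pass = switch ($Matches.op)
            {
                'le' { $lhs -le $rhs }
                'lt' { $lhs -lt $rhs }
                'ge' { $lhs -ge $rhs }
                'gt' { $lhs -gt $rhs }
                'eq' { $lhs -eq $rhs }
                'ne' { $lhs -ne $rhs }
            }
            if (-not $pass) { $verdict = $false }
        }

        $result.Status = if ($null -eq $verdict) { 'Unverified' } elseif ($verdict) { 'InRange' } else { 'OutOfRange' }
        $result
    }
}

# Constructed sample with the same layout as orgsettings.xml above; V-1097 and V-1098
# are deliberately set outside their ranges so the check has something to flag.
$samplePath = Join-Path ([System.IO.Path]::GetTempPath()) 'orgsettings-check.xml'
@"
<?xml version="1.0"?>
<OrganizationalSettings version="2.12">
    <!-- Ensure 'V-1090' -le '4'-->
    <OrganizationalSetting value="3" id="V-1090"/>
    <!-- Ensure ''V-1097'' -le '3' -and ''V-1097'' -ne '0'-->
    <OrganizationalSetting value="0" id="V-1097"/>
    <!-- Ensure ''V-1098'' -ge '15'-->
    <OrganizationalSetting value="10" id="V-1098"/>
</OrganizationalSettings>
"@ | Set-Content -Path $samplePath

$report = Test-OrgSettingRange -Path $samplePath
$report | Format-Table -AutoSize
if ($report.Status -contains 'OutOfRange' -or $report.Status -contains 'Unverified')
{
    throw "Organizational settings file '$samplePath' has values outside the STIG range; fix it before compiling."
}
```

Point the function at the real `$PSScriptRoot\orgsettings.xml` instead of the constructed sample to gate your own build. The sample is built so that V-1097 fails the `-ne '0'` clause and V-1098 falls below its floor, so the script ends in the throw; the Unverified status is deliberately treated as a failure too, because a range comment the parser does not understand is not evidence that the value is acceptable.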



Apply the Windows Server STIG to a node, but skip a specific rule

Use embedded STIG data and inject a skipped rule. In this example the Windows Server 2012 R2 V2R12 domain controller STIG is processed by the composite resource, which merges in the default values for any settings that have a valid range. Additionally, a skip is added inline to the configuration so that the setting for STIG ID V-1075 is marked to skip configuration when applied; its title is tagged with the text "Skip" so the deviation can be identified in centralized DSC logs.

```powershell
configuration Example
{
    param
    (
        [Parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2012R2'
            OsRole      = 'DC'
            StigVersion = '2.12'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
            SkipRule    = 'V-1075'
        }
    }
}
```


Apply the Windows Server STIG to a node, but skip an entire class of rules

Use embedded STIG data and skip an entire rule set. In this example the Windows Server 2012 R2 V2R12 domain controller STIG is processed by the composite resource, which merges in the default values for any settings that have a valid range. Additionally, a skip is added inline to the configuration so that the settings for all STIG IDs of the type 'AuditPolicyRule' are marked to skip configuration when applied.

```powershell
configuration Example
{
    param
    (
        [Parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion    = '2012R2'
            OsRole       = 'DC'
            StigVersion  = '2.12'
            DomainName   = 'sample.test'
            ForestName   = 'sample.test'
            SkipRuleType = 'AuditPolicyRule'
        }
    }
}
```
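The Exception, SkipRule and SkipRuleType examples above all produce a configuration in which the affected settings carry an "Exception" or "Skip" tag in their title. That tag is meant for centralized log review, but it can be read straight out of the compiled MOF before anything is pushed, which gives a quick inventory of every policy deviation a node will receive. The following is an added example written for this page, not PowerStig code; the function name Get-StigDeviation is my own. It assumes the tagged title ends up in the resource's ResourceID string in the MOF, and the bracketed title layout in the constructed sample below is hypothetical.

```powershell
# Added example, not PowerStig code: list the rules a compiled MOF carries as exceptions
# or skips. Assumption: the 'Exception' / 'Skip' title tag described in the parameter
# table appears inside the ResourceID string that DSC writes for each resource instance.
function Get-StigDeviation
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $MofText
    )

    # Every resource instance in a DSC MOF carries a line of the form:  ResourceID = "[Type]Name";
    foreach ($m in [regex]::Matches($MofText, 'ResourceID\s*=\s*"(?<rid>[^"]+)"'))
    {
        $resourceId = $m.Groups['rid'].Value

        # Case-sensitive match on the tag words. The full ResourceId is returned as well, so a
        # title that merely happens to contain one of the words can be dismissed on review.
        $kind = $null
        if ($resourceId -cmatch 'Exception') { $kind = 'Exception' }
        elseif ($resourceId -cmatch 'Skip') { $kind = 'Skip' }
        if (-not $kind) { continue }

        $stigId = if ($resourceId -match 'V-\d+') { $Matches[0] } else { '(none)' }
        [pscustomobject] @{ StigId = $stigId; Kind = $kind; ResourceId = $resourceId }
    }
}

# Constructed MOF excerpt with hypothetical titles, standing in for the output of compiling
# the Exception and SkipRule configurations above. Only STIG IDs used on this page appear.
$sampleMof = @'
instance of MSFT_RegistryResource as $MSFT_RegistryResource1ref
{
 ResourceID = "[Registry][V-1075][medium][Exception][sample title]";
 ModuleName = "PSDesiredStateConfiguration";
};
instance of MSFT_RegistryResource as $MSFT_RegistryResource2ref
{
 ResourceID = "[Registry][V-1090][medium][sample title]";
 ModuleName = "PSDesiredStateConfiguration";
};
instance of MSFT_RegistryResource as $MSFT_RegistryResource3ref
{
 ResourceID = "[Registry][V-1097][medium][Skip][sample title]";
 ModuleName = "PSDesiredStateConfiguration";
};
'@

# Over the constructed sample: V-1075 is reported as Exception, V-1097 as Skip, V-1090 is not reported.
Get-StigDeviation -MofText $sampleMof | Format-Table -AutoSize

# Against a real build, after running the configuration named Example with no -OutputPath:
# Get-StigDeviation -MofText (Get-Content -Path .\Example\localhost.mof -Raw) | Format-Table -AutoSize
```

Run against a MOF compiled from the SkipRuleType example, the list will be long, since every AuditPolicyRule rule is turned into a skip; that is the point of producing it, because an approver should see the full set of rules a node will not enforce rather than the single parameter line that caused it.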
