I've been through that struggle before and understand the pain. As a former job candidate trying to break in to cyber, I realized too I didn't have much funds. Will continue to post when I have time to add more content :)

Check out SteelCloud ConfigOS, Ansible for Redhat, or Puppet.

🤣

He actually said "Automatically"

@@johnhart6320 Ahhh Thank you!

Look into Cisco Ansible for automating the switches/routers. Unfortunately this is outside of my expertise at this time. Otherwise you can always copy and paste manually into a text file from all the applicable manual cisco STIG checklist for router/switch and that’s the only way I know how to STIG them now. public.cyber.mil/stigs/supplemental-automation-content/

@@tech-time-videos I wrote this review 2 months ago and only watched half of your video. Now I finished your entire video and think it's even better than before. Not sure you needed any automation or Ansible for Windows because it looks like it fixed all your "RED" findings for you? I'm exhausted today so I think I'll just RE-watch this tomorrow morning and see if I can't implement all of this with the CISCO 9300 switch sitting next to me. I need to harden it and we have a bunch more to do. I'm playing with this one so I guess I'm trying to come up with something to STIG all of them faster. Tedious process it seems. I'll have tons of coffee in the morning, thanks again for your video. Maybe someone out there can comment on a link to any SWITCH hardening STIG'ing they have seen on KZbin.

@@jkmattbiz I'm not a much of a network guy. Just know how to bang into it and look around. If you figure it out, let me know! The way I've seen this done is whoever the admin STIG'ing it can also copy all the commands into notepad and delete the hostname of the switch to whatever they named it, then paste it all in. This is maybe a 30-45 min process. Not sure.

@@tech-time-videos definitely will follow up when I get this figured out. That is what I'd like to do to automate this process and build out a script to run on each switch. My supervisor said you can use that SCAP tool that you did on Windows and Linux configurations but he's not sure if Cisco Catalyst switches have that same option and we'll need to manually submit each command line interface commands initially and then possibly plug in the remaining switches and just run the script, like the notepad you were talking about. Thank you

@jam2 for the video, I only did this on the windows 10 host. If you are pushing policy from the domain down using group policy management, you can force the occasion by using the /force switch on the clients (windows 10) I only shared how I would accomplish this locally but the gpo store you want to create a store for the templates. learn.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central-store

I would import the latest STIG first. Then have your previous checklist saved and ready. When you create a new checklist with the latest STIG, there is a import checklist data feature, where you can copy the previous Findings and Comments so you don't have to reinvent the wheel. Track all differences if new STIGs come up or view change history from the original zipped folder.

@@tech-time-videos holy cow....thank you so much. I got thrown into this a couple of months ago and with the help of your video was able to get my initial STIGs and GPOs done. However the have released new stuff since then and I could not figure out how to merge the old into the new. This is a huge help so thank you. One other question if I may....when doing the GPOs using LGPO, I would imagine that an AO is going to need to see some proof that those were done? Unlike the StigViewer there isnt a checklist for that. Ive just been copying the text from the command line and putting it into a word document but didnt know if that was necessary or if there is a better way of documenting those processes.

@@CyberOptek check this link learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gporeport?view=windowsserver2022-ps you can export GPO into HTML report to show as evidence for a single host and use it as a represenative.

@@tech-time-videos Huge help...thank you.

@wallerdog, the standalone STIG viewer per say 2.14, there are dependencies. When you CD in the directory, do you see the other items? It should work if you have this. Remember you cannot just move the file alone and expect it to open up. It's tied with the folders: bin; conf; legal; lib within that U_STIGViewer_2-12_Win64.

Thanks. Will do once I knockout some other items.

for CIS, try CIS-CAT Lite directly from CIS

Yes you do need to do that. After that, you want to review the "Not Reviewed" checks that the LGPO can't import. There is also an Active Directory and DNS STIG that you can use to harden that as well. It's a manual process.

@@tech-time-videos oh ok… so let’s say before running the gpo policy object. Does that cover group policy editor stigs for windows server 2016?Asking Because I pretty much have followed all the step you did but kind of hesitant on apply gpo policy object because it comes with gpo for Domain Controller and just for server 2016 . I’m not sure which gpo is for which.

@@jeremewright3329 The SCAP scores for the Windows Server 2016 will be about 97.92% I believe from my memory with the GPO imports. Once you attach some host machines or if there are computers in the Active Directory, the scores will be less due to various checks. In addition, Domain Controllers have a ton of "Not Reviewed" checks that has to be completed manually.

Are you using the new STIG Viewer 3.2? There are other 3rd party tools that you can use like Nessus to run compliance scans against the STIG, then export in a spreadsheet.

did you find CIS hardened GPOs ?

@@travelwithme5096 Had to make em

These are VMs on my VMworkstation Pro. I'm not that familiar with Linux to be honest. Hoping to tackle that soon and while testing out the ansible.

@@tech-time-videos awesome- I’m taking some training which includes ansible shortly

For SCAP, or for entire STIG checklist after XCCDF import? There are two different things. The GPOs only get you so far and the rest you have to spot check.

Ask ChatGPT? 😅 use ansible Outside my expertise but I can figure it out.

try X_Admin whatever your domain name is .\X_Admin

the GPOs wipe out the username. It doesn't change the password. It changes the default administrator account to username of X_Admin. If you end up locking yourself out, use your installation disc to change X_Admin

Yes. I've done that a few times before lol.