GettingStarted2
PowerSTIG is a PowerShell module updated quarterly and hosted on PowerShellGallery.com, that provides a collection of PowerShell DSC composite resources used to apply DISA STIG security baselines.
Each supported “product” is implemented as its own DSC composite resource. For example, since PowerSTIG supports the Windows 11 Client STIG, the PowerStig module includes a corresponding Windows 11 Client composite resource.
When you reference one of these composite resources in your DSC configuration, PowerSTIG applies the applicable STIG rules for that product, securing the endpoint according to DISA guidance. For more information, see what is a composite resource.
Installing PowerSTIG provides everything you need to author PowerShell DSC configuration files that define how an endpoint should be secured. For example, if you are managing a Windows 11 client, you may want that system to comply with the Windows 11 DISA STIG. If the same system also runs a .NET application, you can additionally apply the .NET STIG by including both composite resources in your DSC configuration. PowerSTIG allows you to layer multiple STIGs together, ensuring the endpoint is secured according to all applicable security baselines.
A configuration file for Windows 11 and .NET might look like this. I've skipped 2 rules in the Windows 11 STIG.
```powershell
Configuration PowerStig
{
    Import-DscResource -ModuleName PowerStig -ModuleVersion 4.27.0
    Import-DscResource -ModuleName PSDscResources -ModuleVersion 2.12.0.0

    Node localhost
    {
        WindowsClient 11-Baseline
        {
            StigVersion = "2.4"
            OsVersion   = "11"
            SkipRule    = 'V-253261', 'V-253445'
        }
        DotNetFramework 4-Baseline
        {
            StigVersion      = "2.7"
            FrameworkVersion = "4"
        }
    }
}

. PowerStig -OutputPath "c:\someFolder"
```

It's common to have the configuration defined, as you see above, and also have a call to the configuration in the same file. When you run the file, the line `. PowerStig -OutputPath "c:\someFolder"` actually calls the configuration itself, which then creates the MOF file in the location specified. Since we have a node name in our configuration file, the output file is named localhost.mof. Opening the MOF file with a text editor you will see all of the rules configured. In the case above, with just two products, we have a MOF file that contains 245 rules that will be applied to any system that applies the configuration.
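To check what the compiled configuration actually contains, here is an added example (not code from the PowerSTIG project) that compiles the layered Windows 11 + .NET configuration and inspects the resulting localhost.mof: it counts the resource instances, groups them by DSC resource class, and shows how each rule listed in SkipRule was rendered. It assumes Windows PowerShell 5.1 with PowerStig 4.27.0 and PSDscResources 2.12.0.0 installed, a writable `$env:TEMP`, and that the resource names PowerSTIG generates include the STIG rule ID.

```powershell
# Added example, not from the PowerSTIG project: compile the layered
# Windows 11 + .NET configuration, then inspect the generated MOF.
# Assumes Windows PowerShell 5.1, PowerStig 4.27.0 and PSDscResources 2.12.0.0.
Configuration PowerStigLayered
{
    Import-DscResource -ModuleName PowerStig -ModuleVersion 4.27.0
    Import-DscResource -ModuleName PSDscResources -ModuleVersion 2.12.0.0

    Node localhost
    {
        WindowsClient 11-Baseline
        {
            StigVersion = "2.4"
            OsVersion   = "11"
            SkipRule    = 'V-253261', 'V-253445'
        }
        DotNetFramework 4-Baseline
        {
            StigVersion      = "2.7"
            FrameworkVersion = "4"
        }
    }
}

$outputPath = Join-Path $env:TEMP 'PowerStigLayered'   # constructed output folder
PowerStigLayered -OutputPath $outputPath | Out-Null
$mof = Get-Content -Path (Join-Path $outputPath 'localhost.mof') -Raw

# Each configured rule becomes a resource instance; the trailing
# OMI_ConfigurationDocument block describes the document, not a rule.
$instances = [regex]::Matches($mof, '(?m)^instance of (?!OMI_ConfigurationDocument)(\S+) as')
"Resource instances in MOF: $($instances.Count)"

# Break the count down by DSC resource class (Registry, UserRightsAssignment, ...).
$instances | Group-Object { $_.Groups[1].Value } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Show how each skipped rule was rendered. Assumption: the resource names
# PowerSTIG generates include the STIG rule ID, so it shows up in ResourceID.
foreach ($ruleId in 'V-253261', 'V-253445') {
    $pattern = '(?m)^\s*ResourceID = "[^"]*' + [regex]::Escape($ruleId) + '[^"]*";'
    $hits = [regex]::Matches($mof, $pattern)
    if ($hits.Count -eq 0) {
        "$ruleId : not present in MOF"
    } else {
        $hits | ForEach-Object { "$ruleId : $($_.Value.Trim())" }
    }
}
```

Comparing the instance count against the number of rules in the STIG checklist is a quick way to confirm that both products were layered and that the skipped rules were handled as intended.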
A PowerShell DSC composite resource is a resource that uses other PowerShell DSC resources. A composite resource is not a new resource (get/set/test) but rather a wrapper of sorts for actual DSC resources.
For example, if I have a configuration that requires a registry setting and a file, every one of my configurations would be similar to:
```powershell
Configuration MyConfig
{
    Registry regSection
    {
        xx = xx
    }
    File fileSection
    {
        yy = yy
    }
}
```

PowerStig is a utility used to generate MOF files that state how a device should be configured. To create a MOF file, you first create a configuration file, which declares the configuration of the device: for example, what registry values should be set, what ACLs are set, etc.
Once this configuration file is written, you generate a MOF file from the configuration file. The MOF file is what actually is applied to the device to configure it.
Getting Started
- You need to have PowerShell 5.1 installed; PowerStig doesn't support PowerShell 7.
- The PowerShell 5.x installation comes with PowerShell DSC (Desired State Configuration). You can see this by