Automate .NET STIG Compliance with PowerShell Script
Table of Contents
Automate the .NET Framework STIG
Applying the .NET STIG is definitely not straightforward. For many administrators it can take hours to fully implement on a single system. This script applies the required registry changes and modifies the machine.config file to implement FIPS and other controls as required.
Notes:
This script can not and will not ever get the .NET stig to 100% compliance. Right now, as is, it stands to complete roughly 75% of the checks and does go back and complete the applicable checks on all previous .NET versions.
Manual intervention is required for any .NET application or IIS Site.
Requirements:
- Windows 7, Windows Server 2008 or newer
- Testing in your environment before running on production systems.
STIGS/SRGs Applied:
Sources:
- Add from one XML data to another existing XML file
- Caspol.exe (Code Access Security Policy Tool)
- Microsoft .NET Framework Documentation
- PowerShell $PSScriptRoot
- PowerShell: Run command from script’s directory
- Powershell XML importnode from different file
Download the required files
You may download the required files from the GitHub Repository
How to run the script
The script may be launched from the extracted GitHub download like this:
How to run the script
Manual Install:
If manually downloaded, the script must be launched from an administrative powershell in the directory containing all the files from the GitHub Repository
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Get-ChildItem -Recurse *.ps1 | Unblock-File
.\sos-.net-4-stig.ps1
Automated Install:
Use this one-liner to automatically download, unzip all supporting files, and run the latest version of the script.
iwr -useb 'https://simeononsecurity.com/scripts/sosdotnet.ps1'|iex