Deploy STIG-compliant Windows Virtual Machines (Preview)

Microsoft Azure Security Technical Implementation Guides (STIGs) solution templates help you accelerate your DoD STIG compliance by delivering an automated solution to deploy virtual machines and apply STIGs through the Azure portal.

This quickstart shows how to deploy a STIG-compliant Windows virtual machine (Preview) on Azure or Azure Government using the corresponding portal.

Prerequisites

  • Azure or Azure Government subscription
  • Storage account
    • If desired, must be in the same resource group/region as the VM
    • Required if you plan to store Log Analytics diagnostics
  • Log Analytics workspace (required if you plan to store diagnostic logs)

Sign in to Azure

Sign in at the Azure portal or Azure Government portal depending on your subscription.

Create a STIG-compliant virtual machine

  1. Select Create a resource.

  2. Type Azure STIG Templates for Windows in the search bar and press enter.

  3. Select Azure STIG Templates for Windows from the search results and then Create.

  4. In the Basics tab, under Project details:

    a. Select an existing Subscription.

    b. Create a new Resource group or enter an existing resource group.

    c. Select your Region.

    Important

    Make sure to choose an empty resource group or create a new one.

    Project details section showing where you select the Azure subscription and the resource group for the virtual machine

  5. Under Instance details, enter all required information:

    a. Enter the VM name.

    b. Select the Windows OS version.

    c. Select the instance Size.

    d. Enter the administrator account Username.

    e. Enter the administrator account Password.

    f. Confirm Password.

    Instance details section where you provide a name for the virtual machine and select its region, image, and size

  6. Under Disk:

    a. Select the OS disk type.

    b. Select the Encryption type.

    Disk options section showing where you select the disk and encryption type for the virtual machine

  7. Under Networking:

    a. Select the Virtual Network. Either use existing virtual network or select Create new (note RDP inbound is disallowed).

    b. Select Subnet.

    c. Application security group (optional).

    Network interface section showing where you select the network and subnet for the virtual machine

  8. Under Management:

    a. For Diagnostic settings select Storage account (optional, required to store diagnostic logs).

    b. Enter Log Analytics workspace (optional, required to store log analytics).

    Management section showing where you select the diagnostic settings for the virtual machine

  9. Select Review + create to review summary of all selections.

  10. Once the validation check is successful select Create.

  11. Once the creation process is started, the Deployment process page will be displayed:

    a. Deployment Overview tab displays the deployment process including any errors that may occur. Once deployment is complete, this tab provides information on the deployment and provides the opportunity to download the deployment details.

    b. Inputs tab provides a list of the inputs to the deployment.

    c. Outputs tab provides information on any deployment outputs.

    d. Template tab provides downloadable access to the JSON scripts used in the template.

  12. The deployed virtual machine can be found in the resource group used for the deployment. Since inbound RDP is disallowed, Azure Bastion must be used to connect to the VM.

High availability and resiliency

Our solution template creates a single instance virtual machine using premium or standard operating system disk, which supports SLA for Virtual Machines.

We recommend you deploy multiple instances of virtual machines configured behind Azure Load Balancer and/or Azure Traffic Manager for higher availability and resiliency.

Business continuity and disaster recovery (BCDR)

As an organization you need to adopt a business continuity and disaster recovery (BCDR) strategy that keeps your data safe, and your apps and workloads online, when planned and unplanned outages occur.

Azure Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. Site Recovery replicates workloads running on physical and virtual machines from a primary site to a secondary location. When an outage occurs at your primary site, you fail over to secondary location, and access apps from there. After the primary location is running again, you can fail back to it.

Site Recovery can manage replication for:

  • Azure VMs replicating between Azure regions.
  • On-premises VMs, Azure Stack VMs, and physical servers.

To learn more about backup and restore options for virtual machines in Azure, continue to Overview of backup options for VMs.

Clean up resources

When no longer needed, you can delete the resource group, virtual machine, and all related resources.

Select the resource group for the virtual machine, then select Delete. Confirm the name of the resource group to finish deleting the resources.

Support

Contact Azure support to get assistance with issues related to STIG solution templates. You can create and manage support requests in the Azure portal. For more information see, Create an Azure support request. Use the following support paths when creating a ticket:

Azure -> Virtual Machine running Windows -> Cannot create a VM -> Troubleshoot my ARM template error

New support request for Windows STIG solution template

Next steps

This quickstart showed you how to deploy a STIG-compliant Windows virtual machine (Preview) on Azure or Azure Government. For more information about creating virtual machines in:

To learn more about Azure services, continue to the Azure documentation.