Case Study · DoD Security
IT Security Specialist
Environment
DoD installation — Windows-centric, classified adjacencies
Operational context
Joint Base Lewis-McChord is one of the largest military installations in the United States, hosting tens of thousands of active duty personnel. The IT security scope covered Windows 10 endpoints across a mix of administrative and operational users, with adjacencies to classified systems imposing strict DoD baseline requirements on every device.
Active Directory served as the identity and policy backbone. Group Policy was the enforcement mechanism for security controls at scale. Any configuration drift or policy failure had direct implications for DoD accreditation requirements.
Security standards and toolchain
DISA STIGs (Security Technical Implementation Guides) defined the mandatory configuration baseline for all endpoints. Splunk served as the SIEM for threat detection and investigation. Active Directory and Group Policy provided the policy enforcement layer.
Standards Enforced
DoD-grade hardening baseline maintained throughout
All work was governed by DISA STIG requirements and DoD security framework mandates. The STIG deployment covered 500+ users with no service interruptions — a requirement that demanded careful sequencing, pre-deployment testing, and rollback planning for each configuration phase.
Contributions
What I built and how it moved the numbers
STIG-compliant Windows 10 deployment
The STIG rollout was the primary deliverable of the engagement — hardening 500+ Windows 10 endpoints to DoD baseline without interrupting active operations on a military installation. I led the deployment end-to-end: GPO-based enforcement of STIG controls, systematic disabling of legacy and unnecessary services flagged by the STIG checklist, hardening of browser and registry settings to the DoD configuration baseline, and enforcement of local security policy settings that the STIG mandates but that Active Directory policy alone does not cover. Each deployment phase was tested in staging before production rollout. The result was a 25% reduction in unauthorized access incidents — attributable to tighter authentication controls and removal of legacy access vectors.
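The following is an added illustration, not the engagement's own tooling: a baseline drift check of the kind a staged STIG rollout runs against each endpoint before a phase is promoted to production. The rule IDs, setting keys, thresholds and the endpoint export are constructed; a real run would read values exported from the endpoint (GPO result report, secedit export, service and registry queries).

```python
"""Baseline drift check in the spirit of the STIG rollout described above.
This is an added illustration, not the deployment's tooling: the rule IDs,
setting keys, thresholds and the endpoint export below are constructed."""
from dataclasses import dataclass
from typing import Any, Callable

# Comparison operators a baseline rule can use: exact match, numeric bounds,
# or "the item must not exist" (e.g. an optional feature must not be installed).
OPS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, expected: actual == expected,
    "ge": lambda actual, expected: actual is not None and actual >= expected,
    "le": lambda actual, expected: actual is not None and actual <= expected,
    "absent": lambda actual, expected: actual is None,
}


@dataclass(frozen=True)
class Rule:
    rule_id: str   # placeholder IDs, not real STIG vulnerability IDs
    setting: str   # key in the effective-configuration export
    op: str
    expected: Any
    severity: str  # CAT I / CAT II / CAT III


# Constructed baseline covering the setting families the rollout touched:
# service state, local security policy, and a registry-backed protocol setting.
BASELINE = [
    Rule("SAMPLE-001", "service:RemoteRegistry:StartMode", "eq", "Disabled", "CAT II"),
    Rule("SAMPLE-002", "policy:MinimumPasswordLength", "ge", 14, "CAT II"),
    Rule("SAMPLE-003", "policy:LockoutThreshold", "le", 3, "CAT II"),
    Rule("SAMPLE-004", "policy:LockoutThreshold", "ge", 1, "CAT II"),  # 0 would disable lockout
    Rule("SAMPLE-005", "registry:LmCompatibilityLevel", "eq", 5, "CAT I"),
    Rule("SAMPLE-006", "feature:TelnetClient", "absent", None, "CAT III"),
]

SEVERITY_ORDER = {"CAT I": 0, "CAT II": 1, "CAT III": 2}

# Constructed export from one staging endpoint; two settings have drifted.
SAMPLE_ENDPOINT = {
    "service:RemoteRegistry:StartMode": "Manual",  # should be Disabled
    "policy:MinimumPasswordLength": 14,
    "policy:LockoutThreshold": 0,                  # lockout effectively off
    "registry:LmCompatibilityLevel": 5,
    # "feature:TelnetClient" absent -> compliant
}


def check_drift(effective: dict[str, Any], baseline: list[Rule] = BASELINE) -> list[dict]:
    """Return one finding per failed rule, highest severity first."""
    findings = []
    for rule in baseline:
        actual = effective.get(rule.setting)
        if not OPS[rule.op](actual, rule.expected):
            findings.append({
                "rule_id": rule.rule_id, "severity": rule.severity,
                "setting": rule.setting, "expected": rule.expected, "actual": actual,
            })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["rule_id"]))
    return findings


def gate_rollout(findings: list[dict]) -> bool:
    """Staging gate: do not promote a phase to production while any CAT I
    control is failing (assumed policy for this illustration)."""
    return not any(f["severity"] == "CAT I" for f in findings)


if __name__ == "__main__":
    drift = check_drift(SAMPLE_ENDPOINT)
    for f in drift:
        print(f"{f['severity']:7} {f['rule_id']} {f['setting']}: "
              f"expected {f['expected']!r}, got {f['actual']!r}")
    print("promote to production:", gate_rollout(drift))
```

The two-sided lockout rule (at most 3 attempts, but never 0) is the kind of detail a naive "value less than or equal to" check misses, and it is why the checker carries separate operators rather than a single equality test.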
Splunk threat hunting protocol development
The SIEM environment had not been tuned for the specific threat patterns most relevant to a DoD installation. I developed a structured threat hunting protocol using Splunk, building detection queries targeting the attack patterns with the highest likelihood in the environment: lateral movement via pass-the-hash and pass-the-ticket, privilege escalation through abuse of service accounts and scheduled tasks, and anomalous authentication patterns including off-hours logins and access from unusual source IPs. The protocol was written with enough documentation that it could be executed by any analyst on the team — it was subsequently adopted as the team-wide standard for proactive threat detection.
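Two of the hunt patterns named above, expressed as standalone detection logic over constructed Windows logon events. This is an added illustration, not the team's Splunk protocol: the field names follow Windows Security event 4624 (user, source IP, logon type, authentication package), while the duty-hour window, the baseline cutoff, the sample events and the SPL field names are assumptions.

```python
"""Off-hours interactive logons and new-source fan-out, run over constructed
Windows 4624 events (added illustration, not the team's Splunk protocol)."""
from collections import defaultdict
from datetime import datetime

# Constructed 4624 events. Logon type 10 = RemoteInteractive, 3 = Network.
EVENTS = [
    {"time": "2024-03-04T09:12:00", "user": "jdoe", "src_ip": "10.20.1.15", "logon_type": 10, "auth": "Kerberos"},
    {"time": "2024-03-04T02:47:00", "user": "jdoe", "src_ip": "10.20.1.15", "logon_type": 10, "auth": "NTLM"},
    {"time": "2024-03-04T10:05:00", "user": "svc_backup", "src_ip": "10.20.5.9", "logon_type": 3, "auth": "NTLM"},
    {"time": "2024-03-05T11:30:00", "user": "svc_backup", "src_ip": "10.20.5.9", "logon_type": 3, "auth": "NTLM"},
    {"time": "2024-03-05T11:32:00", "user": "svc_backup", "src_ip": "10.20.7.44", "logon_type": 3, "auth": "NTLM"},
    {"time": "2024-03-05T11:33:00", "user": "svc_backup", "src_ip": "10.20.7.51", "logon_type": 3, "auth": "NTLM"},
]

DUTY_HOURS = range(6, 20)    # assumed: 06:00-19:59 local
INTERACTIVE_TYPES = (2, 10)  # console and RDP logons


def off_hours_logons(events, duty_hours=DUTY_HOURS):
    """Interactive logons outside the duty window, as (user, time, auth)."""
    hits = []
    for e in events:
        if e["logon_type"] not in INTERACTIVE_TYPES:
            continue
        if datetime.fromisoformat(e["time"]).hour not in duty_hours:
            hits.append((e["user"], e["time"], e["auth"]))
    return hits


def new_source_fanout(events, cutoff, min_new_sources=2):
    """Accounts that make network logons from several never-before-seen source
    IPs after the baseline cutoff. Events before the cutoff define each
    account's known sources. Credential reuse during lateral movement produces
    this fan-out whether the stolen credential was a hash or a ticket, so the
    query keys on the source pattern rather than the authentication package."""
    cutoff_dt = datetime.fromisoformat(cutoff)
    known = defaultdict(set)
    fresh = defaultdict(set)
    for e in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(e["time"])
        if when < cutoff_dt:
            known[e["user"]].add(e["src_ip"])
        elif e["logon_type"] == 3 and e["src_ip"] not in known[e["user"]]:
            fresh[e["user"]].add(e["src_ip"])
    return {u: sorted(ips) for u, ips in fresh.items() if len(ips) >= min_new_sources}


# Splunk equivalent of off_hours_logons, assuming the Windows add-on's field
# names (illustrative only; field names vary by add-on and version).
SPL_OFF_HOURS = """
index=wineventlog EventCode=4624 (Logon_Type=2 OR Logon_Type=10)
| eval hour=tonumber(strftime(_time, "%H"))
| where hour<6 OR hour>=20
| stats count min(_time) AS first_seen BY user src_ip Authentication_Package
"""

if __name__ == "__main__":
    print("off-hours:", off_hours_logons(EVENTS))
    print("new-source fan-out:", new_source_fanout(EVENTS, cutoff="2024-03-05"))
```

The baseline cutoff is the part an analyst has to tune: too short and every account looks new, too long and a compromised account's early activity is folded into "known" sources. Writing the threshold and the window as parameters is what lets the same query be handed to another analyst without rewriting it.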
Vulnerability prioritization framework
Raw CVSS scores alone are not a useful prioritization framework in environments with heterogeneous asset criticality. I built a vulnerability management strategy that combined CVSS severity with asset criticality ratings — prioritizing remediation effort on high-CVSS vulnerabilities affecting high-criticality assets first, and deprioritizing low-criticality asset findings that would otherwise consume disproportionate analyst time. The framework reduced the exposure window for the most dangerous vulnerability/asset combinations and contributed to a 35% improvement in measured security posture metrics across the tracked vulnerability inventory.
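A scoring routine in the spirit of the framework described above, added here as an illustration rather than the engagement's actual scoring. The criticality tiers, weights, deferral rule and findings are constructed, and the CVE identifiers are placeholders, not real CVEs.

```python
"""CVSS weighted by asset criticality, with a deferred queue for
low-criticality findings (added illustration, constructed data)."""
from dataclasses import dataclass

# Assumed tier weights: a finding on a high-criticality asset counts three
# times as much as the same CVSS score on a low-criticality asset.
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float  # CVSS base score, 0.0-10.0


def risk_score(finding, asset_criticality):
    """Return (tier, CVSS x tier weight). Unlabelled assets are treated as
    high so that an incomplete inventory never silently lowers priority."""
    tier = asset_criticality.get(finding.asset, "high")
    return tier, round(finding.cvss * CRITICALITY_WEIGHT[tier], 1)


def prioritize(findings, asset_criticality, defer_below_cvss=7.0):
    """Order remediation work: the active queue by descending risk score, then
    the deferred queue (low-criticality assets with sub-threshold CVSS) that
    would otherwise consume analyst time ahead of more dangerous combinations."""
    rows = []
    for f in findings:
        tier, score = risk_score(f, asset_criticality)
        queue = "deferred" if tier == "low" and f.cvss < defer_below_cvss else "active"
        rows.append({"cve": f.cve, "asset": f.asset, "tier": tier,
                     "score": score, "queue": queue})
    rows.sort(key=lambda r: (r["queue"] != "active", -r["score"], r["cve"]))
    return rows


# Constructed inventory and findings; CVE IDs are placeholders.
ASSET_CRITICALITY = {"dc01": "high", "fileshare02": "medium", "kiosk07": "low"}
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-1", "dc01", 9.8),
    Finding("CVE-PLACEHOLDER-2", "kiosk07", 9.8),
    Finding("CVE-PLACEHOLDER-3", "fileshare02", 6.5),
    Finding("CVE-PLACEHOLDER-4", "kiosk07", 5.3),
    Finding("CVE-PLACEHOLDER-5", "unlabelled-host", 7.5),  # not in the inventory
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, ASSET_CRITICALITY):
        print(f"{r['queue']:8} {r['score']:5} {r['cve']} on {r['asset']} ({r['tier']})")
```

Note what the ordering does with the two 9.8 findings: the one on the domain controller lands at the top, while the identical score on a kiosk drops behind a 6.5 on a medium-criticality file server. That inversion relative to raw CVSS is the point of the framework.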
Active Directory hardening and access control audit
Active Directory in long-running environments accumulates configuration drift — stale service accounts, over-privileged group memberships, and password policy gaps that create exploitable attack surface. I conducted a comprehensive AD hardening effort: enforced DoD-aligned password complexity and expiration policies, audited service account configurations to remove unnecessary privileges and rotate credentials that had not been rotated within acceptable windows, and performed group membership reviews to identify and remediate accounts with excessive privilege relative to their operational requirements. The hardening directly contributed to the reduction in unauthorized access incidents measured during the engagement.
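An account-hygiene audit over a constructed AD snapshot, added as an illustration of the three review passes described above (stale service accounts, overdue credential rotation, unapproved privileged-group membership). This is not the engagement's tooling: the field names imitate what an AD export carries, and the approved-member list, the staleness and rotation windows and the accounts themselves are assumptions. In production the snapshot would come from an AD query rather than a literal.

```python
"""Stale service accounts, overdue password rotation and unapproved privileged
membership over a constructed AD snapshot (added illustration)."""
from datetime import datetime

# Constructed snapshot. Dates are ISO strings as an export would carry them.
ACCOUNTS = [
    {"sam": "svc_legacyapp", "service": True, "enabled": True,
     "last_logon": "2023-06-01", "pwd_last_set": "2022-01-10", "groups": ["Domain Admins"]},
    {"sam": "svc_backup", "service": True, "enabled": True,
     "last_logon": "2024-03-01", "pwd_last_set": "2024-01-15", "groups": ["Backup Operators"]},
    {"sam": "jdoe", "service": False, "enabled": True,
     "last_logon": "2024-03-04", "pwd_last_set": "2024-02-20", "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "asmith", "service": False, "enabled": True,
     "last_logon": "2024-03-04", "pwd_last_set": "2023-12-01", "groups": ["Domain Users"]},
]

# Assumed approved holders of each privileged group (the review's reference list).
APPROVED_PRIVILEGED = {
    "Domain Admins": {"da_jdoe"},       # a separate admin account, not the daily-use jdoe
    "Backup Operators": {"svc_backup"},
}


def audit_accounts(accounts, as_of, stale_days=90,
                   service_pwd_max_days=365, user_pwd_max_days=60):
    """Return (account, finding) pairs. Thresholds are assumptions for this
    illustration; disabled accounts are skipped because they are handled by
    a separate decommissioning review."""
    now = datetime.fromisoformat(as_of)
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        idle_days = (now - datetime.fromisoformat(a["last_logon"])).days
        pwd_age = (now - datetime.fromisoformat(a["pwd_last_set"])).days
        if a["service"] and idle_days > stale_days:
            findings.append((a["sam"], "stale-service-account"))
        max_age = service_pwd_max_days if a["service"] else user_pwd_max_days
        if pwd_age > max_age:
            findings.append((a["sam"], "password-rotation-overdue"))
        for group in a["groups"]:
            if group in APPROVED_PRIVILEGED and a["sam"] not in APPROVED_PRIVILEGED[group]:
                findings.append((a["sam"], f"unapproved-member:{group}"))
    return findings


if __name__ == "__main__":
    for sam, finding in audit_accounts(ACCOUNTS, as_of="2024-03-05"):
        print(f"{sam:15} {finding}")
```

The membership check deliberately compares against an approved list rather than flagging every privileged member: the audit's output is then a list of exceptions to an agreed baseline, which is what a remediation owner can act on and what an accreditation reviewer wants to see.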
Skills Demonstrated