STIGQter: STIG Summary: Microsoft Windows Server 2016 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 04 May 2021:

Domain controllers must run on a machine dedicated to that function.

DISA Rule

SV-224976r569186_rule

Vulnerability Number

V-224976

Group Title

SRG-OS-000095-GPOS-00049

Rule Version

WN16-DC-000130

Severity

CAT II

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

Remove additional roles or applications such as web, database, and email from the domain controller.

Check Contents

This applies to domain controllers, It is NA for other systems.

Review the installed roles the domain controller is supporting.

Start "Server Manager".

Select "AD DS" in the left pane and the server name under "Servers" to the right.

Select "Add (or Remove) Roles and Features" from "Tasks" in the "Roles and Features" section. (Cancel before any changes are made.)

Determine if any additional server roles are installed. A basic domain controller setup will include the following:

- Active Directory Domain Services
- DNS Server
- File and Storage Services

If any roles not requiring installation on a domain controller are installed, this is a finding.

A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements.

Run "Programs and Features".

Review installed applications.

If any applications are installed that are not required for the domain controller, this is a finding.

Vulnerability Number

V-224976

Documentable

False

Rule Version

WN16-DC-000130

Severity Override Guidance

This applies to domain controllers, It is NA for other systems.

Review the installed roles the domain controller is supporting.

Start "Server Manager".

Select "AD DS" in the left pane and the server name under "Servers" to the right.

Select "Add (or Remove) Roles and Features" from "Tasks" in the "Roles and Features" section. (Cancel before any changes are made.)

Determine if any additional server roles are installed. A basic domain controller setup will include the following:

- Active Directory Domain Services
- DNS Server
- File and Storage Services

If any roles not requiring installation on a domain controller are installed, this is a finding.

A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements.

Run "Programs and Features".

Review installed applications.

If any applications are installed that are not required for the domain controller, this is a finding.

Check Content Reference

M

Target Key

4205

Comments