STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021

The directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function.

DISA Rule

SV-226078r569184_rule

Vulnerability Number

V-226078

Group Title

SRG-OS-000134-GPOS-00068

Rule Version

WN12-AD-000009-DC

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove additional roles or applications such as web, database, and email from the domain controller.

Check Contents

Review the roles and services the domain controller is running.
Run "services.msc" to display the Services console.

Determine if any running services are application components.

Examples of services indicating the presence of applications are:
-DHCP Server for DHCP server
-IIS Admin Service for IIS web server
-Microsoft Exchange System Attendant for Exchange
-MSSQLServer for SQL Server.

If any application-related components have the "Started" status, this is a finding.

Installed roles can be displayed by viewing Server Roles in the Add (or Remove) Roles and Features wizard. (Cancel before any changes are made.)

Determine if any additional server roles are installed. A basic domain controller setup will include the following:
-Active Directory Domain Services
-DNS Server
-File and Storage Services

If any roles not requiring installation on a domain controller are installed, this is a finding.

Supplemental Notes:
A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements.

Some directory servers utilize specialized web servers for administrative functions and databases for data management. These web and database servers are permitted as long as they are dedicated to directory server support and only administrative users have access to them.
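The check above can be scripted rather than walked through in services.msc and the Roles and Features wizard. The following PowerShell is an added example for this page, not DISA or STIGQter code: it enumerates the application services the check names, then lists installed roles that fall outside the basic DC baseline (AD DS, DNS, File and Storage Services). The service names (DHCPServer, IISADMIN, MSExchangeSA, MSSQLSERVER and the MSSQL$ prefix for named instances) and the feature names reported by Get-WindowsFeature are assumptions about the standard product installs; verify them against the actual system. Get-Service reports the state the check text calls "Started" as "Running".

```powershell
# Added example for WN12-AD-000009-DC: flag running application services and
# installed roles outside the basic domain controller baseline.
# Run in an elevated PowerShell session on the domain controller.
Import-Module ServerManager

# Service names for the application components the check lists as examples.
# Assumption: these are the standard service names for those products.
$appServices = @{
    'DHCPServer'   = 'DHCP Server'
    'IISADMIN'     = 'IIS web server'
    'MSExchangeSA' = 'Microsoft Exchange System Attendant'
    'MSSQLSERVER'  = 'SQL Server (default instance)'
}

$findings = @()

foreach ($svcName in $appServices.Keys) {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $findings += "Running application service: $($svc.Name) ($($appServices[$svcName]))"
    }
}

# SQL Server named instances register as MSSQL$<instance>; catch those as well.
$sqlNamed = Get-Service | Where-Object { $_.Name -like 'MSSQL$*' -and $_.Status -eq 'Running' }
foreach ($svc in $sqlNamed) {
    $findings += "Running application service: $($svc.Name) (SQL Server named instance)"
}

# Roles expected on a basic DC. AD-integrated DNS is acceptable per the
# supplemental notes, but must still meet the DNS STIG.
# Assumption: feature names as reported by Get-WindowsFeature on Server 2012/2012 R2.
$allowedRoles = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services')

$extraRoles = Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and ($allowedRoles -notcontains $_.Name) }

foreach ($role in $extraRoles) {
    $findings += "Installed role outside DC baseline: $($role.Name) ($($role.DisplayName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No additional application services or roles detected (not a finding).'
} else {
    Write-Output 'FINDING: review and remove the following per the fix recommendation:'
    foreach ($f in $findings) { Write-Output "  $f" }
    # Remediation once a role is confirmed non-essential (Server 2012+):
    #   Uninstall-WindowsFeature -Name <RoleName>
}
```

The script only reports; it never removes anything on its own. A role that appears in the extra-roles list should be reviewed against the supplemental notes (for example, a web or database component dedicated to directory administration with access limited to administrators) before it is uninstalled.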

Severity Override Guidance


Check Content Reference

M

Target Key

4217

Comments