STIGQter: STIG Summary: Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide Version: 1 Release: 31 Benchmark Date: 26 Jul 2019: The directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function.

DISA Rule

SV-39002r2_rule

Vulnerability Number

V-8326

Group Title

Directory Server Host Dedication

Rule Version

DS00.1180_2008_R2

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove additional roles or applications such as web, database, and email from the domain controller.

Check Contents

Review the roles and services the domain controller is running.
Run "services.msc" to display the Services console.

Determine if any running services are application components.

Examples of services indicating the presence of applications are:
-DHCP Server for DHCP server
-IIS Admin Service for IIS web server
-Microsoft Exchange System Attendant for Exchange
-MSSQLServer for SQL Server.

If any application-related components have the "Started" status, this is a finding.

Installed roles can be displayed by viewing Server Roles in the Add (or Remove) Roles and Features wizard. (Cancel before any changes are made.)

Determine if any additional server roles are installed. A basic domain controller setup will include the following:
-Active Directory Domain Services
-DNS Server

If any roles that are not required on a domain controller are installed, this is a finding.

Supplemental Notes:
A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements.

Some directory servers utilize specialized web servers for administrative functions and databases for data management. These web and database servers are permitted as long as they are dedicated to directory server support and only administrative users have access to them.
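The two parts of this check (running application services, then installed roles) can be gathered in one pass from the Server 2008 R2 ServerManager module. The script below is an added audit helper, not part of the STIG or of STIGQter; it assumes the service display names quoted in the check text, that "SQL Server*" matches the MSSQLServer display name, and that the AD DS and DNS roles carry the ServerManager names AD-Domain-Services and DNS. Its output is a list of candidates for the reviewer to confirm, not an automatic verdict.

```powershell
# Added audit helper for V-8326 (not part of the STIG). Assumes the
# Server 2008 R2 ServerManager module and the display names from the check.
Import-Module ServerManager

# Display-name patterns for the application components named in the check.
$appServicePatterns = @('DHCP Server', 'IIS Admin Service',
                        'Microsoft Exchange System Attendant', 'SQL Server*')

# Roles a basic domain controller is expected to carry (assumed feature
# names for Active Directory Domain Services and DNS Server).
$baselineRoles = @('AD-Domain-Services', 'DNS')

$findings = @()

# Part 1: any running service matching an application pattern is a finding.
foreach ($svc in (Get-Service | Where-Object { $_.Status -eq 'Running' })) {
    foreach ($pattern in $appServicePatterns) {
        if ($svc.DisplayName -like $pattern) {
            $findings += "Running application service: $($svc.DisplayName) [$($svc.Name)]"
        }
    }
}

# Part 2: top-level installed roles/features outside the AD DS / DNS baseline.
# Depth 1 limits the list to top-level entries rather than sub-features;
# items such as RSAT tools will appear here and need a manual decision.
$installed = Get-WindowsFeature | Where-Object { $_.Installed -and $_.Depth -eq 1 }
foreach ($item in $installed) {
    if ($baselineRoles -notcontains $item.Name) {
        $findings += "Installed outside baseline: $($item.DisplayName) [$($item.Name)]"
    }
}

if ($findings.Count -eq 0) {
    'No application services or extra roles detected; confirm in services.msc.'
} else {
    'Finding candidates for V-8326:'
    $findings
}
```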

Severity Override Guidance

Check Content Reference

M

Responsibility

System Administrator

Target Key

1823

Comments