Detections
Analytics
WN12-AD-000009-DC - The directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function - Roles
Information
Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts increasing the attack surface of the computer.Some applications require the addition of privileged accounts providing potential sources of compromise. Some applications (such as MS Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected and this could interfere with intrusion detection or prevention services.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Remove additional roles or applications such as web, database, and email from the domain controller.See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_and_2012_R2_DC_V3R7_STIG.zip
Item Details
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-2, CAT|II, CCI|CCI-001082, Rule-ID|SV-226078r794311_rule, STIG-ID|WN12-AD-000009-DC, STIG-Legacy|SV-51183, STIG-Legacy|V-8326, Vuln-ID|V-226078
Plugin: Windows
Control ID: 95c70fbdfcebf68e529a6014a8557f1fb4b277a8efe542e79a5be2129c5eaae3