20.24 Ensure 'Domain Controllers run on a machine dedicated to that function' (STIG DC only)

Information

This policy setting ensures that Domain Controllers are run on a system that is dedicated to Domain Controller functions only.

Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer.

In addition, some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected, and this could interfere with intrusion detection or prevention services.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Remove any

Roles and Features

or

Programs and Features

that are not required for the domain controller to function.

Impact:

A system must be dedicated to the Domain Controller and can not have other applications, Roles and Features, or Programs and Features installed.

See Also

https://workbench.cisecurity.org/benchmarks/15105

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a.

Plugin: Windows

Control ID: 2396ab3ef93497cd7117e1b3db20e11b29ae63ed20a91433401649496f5474f2