The directory server supporting (directly or indirectly) system access or resource authorization, must run on a machine dedicated to that function.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-8326	DS00.1180_AD	SV-31550r1_rule	DCSP-1	Medium

Description
Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts that increase the attack surface of the computer. Some applications require the addition of privileged accounts that provide potential sources of compromise. Some applications (such as MS Exchange) may require the use of network ports or services that conflict with the directory server. In that case, non-standard ports might be selected and this could interfere with intrusion detection or prevention services.

Description

Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts that increase the attack surface of the computer. Some applications require the addition of privileged accounts that provide potential sources of compromise. Some applications (such as MS Exchange) may require the use of network ports or services that conflict with the directory server. In that case, non-standard ports might be selected and this could interfere with intrusion detection or prevention services.

STIG	Date
Active Directory Service 2003 Security Technical Implementation Guide (STIG)	2011-05-20

Details

Check Text ( C-14107r2_chk )
1. Display the programs that are running on the directory server by starting the Services console (Start, Run, "services.msc"). 2. Determine if any running programs are application components. Check if any application-related services have the “Started” status. Examples of some services that indicate the presence of applications are: - DHCP Server for DHCP server - IIS Admin Service for IIS web server - Microsoft Exchange System Attendant for Exchange - MSSQLServer for SQL Server. 3. If any application-related components have the “Started” status, then this is a finding. Supplemental Notes: Any Domain Name System (DNS) server that is integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. Some directory servers utilize specialized web servers for administrative functions and databases for data management. These web and database servers are permitted as long as they are dedicated to directory server support and only administrative users have access to them.

Check Text ( C-14107r2_chk )

1. Display the programs that are running on the directory server by starting the Services console (Start, Run, "services.msc").

2. Determine if any running programs are application components. Check if any application-related services have the “Started” status.

Examples of some services that indicate the presence of applications are:
- DHCP Server for DHCP server
- IIS Admin Service for IIS web server
- Microsoft Exchange System Attendant for Exchange
- MSSQLServer for SQL Server.

3. If any application-related components have the “Started” status, then this is a finding.

Supplemental Notes:

Any Domain Name System (DNS) server that is integrated with the directory server (e.g., AD-integrated DNS) *is* an acceptable application. However, the DNS server must comply with the DNS STIG security requirements.

Some directory servers utilize specialized web servers for administrative functions and databases for data management. These web and database servers are permitted as long as they are *dedicated* to directory server support and only administrative users have access to them.

Fix Text (F-14381r2_fix)
Remove the web, database, e-mail, or other application from the domain controller.