Domain controllers must be blocked from Internet access.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-243475 | AD.0015 | SV-243475r959010_rule | CCI-000366 | medium |
| Description | ||||
| Domain controllers provide access to highly privileged areas of a domain. Such systems with Internet access may be exposed to numerous attacks and compromise the domain. Restricting Internet access for domain controllers will aid in protecting these privileged areas from being compromised. | ||||
| STIG | Date | |||
| Active Directory Domain Security Technical Implementation Guide | 2024-09-13 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-243475r959010_chk)
Verify domain controllers are blocked from Internet access. Various methods may be employed to accomplish this, such as restrictions at boundary firewalls, through proxy services, host based firewalls or IPsec.
Review the Internet access restrictions with the administrator. If Internet access is not prevented, this is a finding.
If a critical function requires Internet access, this must be documented and approved by the organization.
Fix Text (F-46707r723459_fix)
Block domain controllers from internet access. This can be accomplished with various methods, such as restrictions at boundary firewalls, proxy services, host based firewalls, or IPsec.
If a critical function requires Internet access, this must be documented and approved by the organization.