Ensure Exclusive Usage of Microsoft AD Servers
Ensure Microsoft AD servers run only their intended roles, with no additional applications installed unless they are security-related.
Plain language
This control is about making sure that certain types of Microsoft servers, which help manage who can access what in your computer systems, are used only for their specific purposes. This matters because if these servers are used for other things, they could be more vulnerable to attackers who might gain access to your sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS servers and Microsoft Entra Connect servers are only used for their designed role and no other applications or services are installed, unless they are security related.
Why it matters
Multipurpose use of Microsoft AD servers increases attack surface, risking critical access controls and potential data breaches.
Operational notes
Regularly audit server roles and maintain an inventory to ensure no unauthorised applications are installed on AD servers.
Implementation tips
- The IT team should conduct an initial review of all Microsoft Active Directory (AD) servers, listing every service running on each server and verifying that it matches the server's intended purpose only. This ensures the servers are not doing anything extra that could add risk.
- Managers should liaise with the IT team to establish clear rules for what can be installed on AD servers. These rules will help prevent unnecessary applications from being installed. An email policy announcement can inform everyone about these rules.
- The IT team should configure alerts that notify them if any non-security application is installed. They can use monitoring software that flags changes, allowing immediate action if something unexpected appears on a server.
- System administrators should routinely check for updates specifically intended for Microsoft AD services. Once identified, they should apply these updates as necessary. Keeping systems updated ensures they remain secure and operate smoothly.
- HR should collaborate with IT to provide training for staff about the importance of this control. Regular workshops can help users understand why safeguarding these servers is crucial and how their behaviour can affect server security.
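The review and alerting steps above can be turned into a repeatable check. The following PowerShell script is an added example written for this page; it is not part of the Control Stack page or of any Microsoft tooling. Run on a single Windows Server, it detects which ISM-1926 role the server carries (domain controller, AD CS CA, AD FS or Entra Connect), compares the installed Windows roles and registered applications against a per-role allow-list, and pulls recent installation events (System 7045, Application MsiInstaller 11707, Security 4697) so the result can be exported as audit evidence or raised as an alert. The `$Baseline`, `$CommonApprovedPatterns` contents and the `EXAMPLE-EDR-AGENT` name are constructed placeholders and must be replaced with the organisation's own approved baseline.

```powershell
#Requires -RunAsAdministrator
# Added example for ISM-1926 (not the Control Stack page's or Microsoft's code).
# Compares a server's installed roles and applications with a per-role allow-list
# and lists recent installation events. All allow-list values are constructed
# placeholders; replace them with the organisation's approved baseline.
param(
    [int]$LookbackDays = 7   # how far back to look for installation events
)

# Windows Server roles each designed role is expected to carry (constructed).
$Baseline = @{
    'DomainController'       = @{ Roles = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services'); Apps = @() }
    'CertificationAuthority' = @{ Roles = @('AD-Certificate', 'Web-Server', 'FileAndStorage-Services'); Apps = @() }
    'FederationServer'       = @{ Roles = @('ADFS-Federation', 'FileAndStorage-Services'); Apps = @() }
    'EntraConnect'           = @{ Roles = @('FileAndStorage-Services')
                                  Apps  = @('^Microsoft (Entra|Azure AD) Connect', '^Microsoft SQL Server .* LocalDB') }
}
# Software permitted on every ISM-1926 server: runtime dependencies plus the
# security-related agents the control explicitly allows (placeholder names).
$CommonApprovedPatterns = @(
    '^Microsoft Visual C\+\+ .* Redistributable',
    '^EXAMPLE-EDR-AGENT'          # placeholder: the organisation's endpoint security agent
)

# Registered applications from both 64-bit and 32-bit uninstall hives.
function Get-InstalledApplication {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, Publisher, InstallDate
}

# Work out which designed role this server has from what is installed.
function Get-DesignedRole {
    $installed = (Get-WindowsFeature | Where-Object Installed).Name
    if ('AD-Domain-Services' -in $installed) { return 'DomainController' }
    if ('AD-Certificate'     -in $installed) { return 'CertificationAuthority' }
    if ('ADFS-Federation'    -in $installed) { return 'FederationServer' }
    # Entra Connect is an application rather than a Windows role.
    if (Get-InstalledApplication | Where-Object DisplayName -match '^Microsoft (Entra|Azure AD) Connect') {
        return 'EntraConnect'
    }
    return 'Unknown'
}

# Installed Windows roles (not role services or features) outside the allow-list.
function Get-RoleDeviation([string]$Role) {
    $allowed = $Baseline[$Role].Roles
    Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $allowed } |
        Select-Object Name, DisplayName
}

# Registered applications that match neither the role's nor the common allow-list.
function Get-AppDeviation([string]$Role) {
    $patterns = @($Baseline[$Role].Apps) + $CommonApprovedPatterns
    Get-InstalledApplication | Where-Object {
        $name = $_.DisplayName
        -not ($patterns | Where-Object { $name -match $_ })
    }
}

# Installation events worth alerting on: new services and completed MSI installs.
# Security 4697 only appears when 'Audit Security System Extension' is enabled.
function Get-RecentInstallEvent([int]$Days) {
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'System';      Id = 7045;  StartTime = $since }
        @{ LogName = 'Application'; Id = 11707; ProviderName = 'MsiInstaller'; StartTime = $since }
        @{ LogName = 'Security';    Id = 4697;  StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

$role = Get-DesignedRole
if ($role -eq 'Unknown') {
    Write-Warning 'No AD DS, AD CS, AD FS or Entra Connect role found; this check targets ISM-1926 servers only.'
    return
}
$roleDev = @(Get-RoleDeviation $role)
$appDev  = @(Get-AppDeviation  $role)
$events  = @(Get-RecentInstallEvent $LookbackDays)

# One object per server: export it as audit evidence or forward it to the SIEM as an alert.
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    DesignedRole        = $role
    UnexpectedRoles     = $roleDev.Name
    UnexpectedApps      = $appDev.DisplayName
    RecentInstallEvents = $events
    Compliant           = ($roleDev.Count -eq 0 -and $appDev.Count -eq 0)
} | ConvertTo-Json -Depth 4
```

Scheduling this on each AD server and shipping the JSON to the monitoring platform gives the alert described in the implementation tips and the "alert logs" evidence the auditor asks for; anything in `UnexpectedRoles` or `UnexpectedApps` is either a baseline gap to approve and add to the allow-list or an installation to remove.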
Audit / evidence tips
- Ask for the server inventory list: request a list of all Microsoft AD servers and their roles.
  Good: an accurate and comprehensive list with no missing roles.
- Ask to see the server configuration records: request documents that detail what is installed on each AD server.
  Good: documentation showing compliance with the specified roles.
- Ask for the written policy that defines what can and cannot be installed on AD servers.
  Good: a clear, enforced policy with staff acknowledgment.
- Ask to review alert logs: request logs from the monitoring software that show all installations on AD servers.
  Good: active monitoring and swift resolution of flagged issues.
- Ask about training records: request records of staff training sessions on server management, and check whether the training covers topics relevant to this control and includes participation records.
  Good: regular, relevant training with high staff attendance and comprehension.
Cross-framework mappings
How ISM-1926 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.9 | ISM-1926 mandates a hardened configuration baseline for AD-related servers by restricting them to their designed roles | |
| Annex A 8.19 | ISM-1926 requires that Microsoft AD DS/AD CS/AD FS/Entra Connect servers are used only for their designed role, with no additional applic... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-AC-ML3.1 | ISM-1926 reduces the attack surface of AD servers by ensuring they only perform their intended roles without unrelated services | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.