NIST CM-7, Australian DSD Mitigation #24, SANS critical control 11-6 and PCI-DSS 2.2.1 suggest that servers deployed in a production environment must only be serving one critical role.

For example, if we add another critical role like file services to a web server then we increase the attack vectors on that server. Generally, web servers deployed in a production environment are open to public internet and are more susceptible to attacks. They require high maintenance with respect to installing security patches and making sure that they are up to date. If an attacker manages to hack into the web server then he gets an easy route to also hack into the file server leading to an additional problem of mitigating sensitive file system data. So it is a best practice in information security to isolate servers to serving only one critical role.

Demonstration by example:

For example, on a Windows 2008 operating system, the server manager supports adding multiple roles on a system. The different roles that can be added to the Windows 2008 server are

  • Active Directory Certificate Services
  • Active Directory Domain Services
  • Active Directory Federation Services
  • Active Directory Lightweight Directory Services
  • Active Directory Rights Management Services
  • Application server
  • DHCP server
  • DNS server
  • Fax server
  • File services
  • Hyper-V
  • Network policy and access services
  • Print and document services
  • Web server (IIS)
  • Windows Deployment Services
  • Windows Server Update Services

Out of the above roles, ControlsInsight classifies the following as the critical roles. If we detect that any asset or a system has multiple critical roles installed then we flag the asset as Risky.

  • Directory Services (Active Directory/LDAP/Kerberos)
  • Mail Services (Exchange/POP3/SMTP)
  • File Server
  • FTP Server
  • Print Server/Spooler
  • HTTP Server
  • Database Server (MySQL/Microsoft SQL)

In the below example,

  • Asset1 is 10.4.26.26 and has two critical roles installed – File services and Web server
  • Asset2 is 10.4.27.214 and has single critical role installed – File services

Asset1 showing two critical roles installed


Asset2 showing only one critical role installed


ControlsInsight shows the findings on a per asset basis