
CIS Windows 2003 Server Domain Controller Benchmark v2.0.0 Checklist Details (Checklist Revisions)

Supporting Resources:


Target CPE Name
Microsoft Windows Server 2003 cpe:/o:microsoft:windows_2003_server

Checklist Highlights

Checklist Name:
CIS Windows 2003 Server Domain Controller Benchmark
Checklist ID:
Review Status:
Third Party: Center for Internet Security (CIS)
Original Publication Date:

Checklist Summary:

This document is a security benchmark for the Microsoft Windows Server 2003 operating system for domain controllers. It reflects the content of the Consensus Baseline Security Settings document developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), The SANS Institute, and the staff and members of the Center for Internet Security (CIS). Section 1 of this guide is a summary checklist of the configuration settings that constitute a Windows Server compliant computer system. Appendix A is a questionnaire that can be used to put the trade-offs into perspective for each of the settings involved. Section 2 of this guide is written to provide contextual descriptions of each requirement for this benchmark. It gives plain-text details of what the setting means, why it is restricted, and what the consequences of restricting that setting may be. It covers the same information as Section 1 in greater detail. You should still use the questionnaire in Appendix A to explore some of the trade-offs of implementing these settings.

Checklist Role:

  • Domain Controller

Known Issues:

This guide imposes changes that are best implemented in a managed environment. They are designed to limit communication between computers to positively identified and authorized personnel. Major systems should still function, but testing this benchmark in a controlled environment is essential. Settings at the Legacy level are designed for domain controllers that need to operate with older systems such as Windows NT, or in environments where older third party applications are required. The settings will not affect the function or performance of the operating system or of applications that are running on the system. Settings at the Enterprise level are designed for domain controllers operating in a managed environment where interoperability with legacy systems is not required. It assumes that all operating systems within the enterprise are Windows 2000 or later, therefore able to use all possible security features available within those systems. In such environments, these Enterprise-level settings are not likely to affect the function or performance of the OS. However, one should carefully consider the possible impact to software applications when applying these recommended technical controls. Settings at the Specialized Security - Limited Functionality level (formerly High Security) are designed for domain controllers in which security and integrity are the highest priorities, even at the expense of functionality, performance, and interoperability. Therefore, each setting should be considered carefully and only applied by an experienced administrator who has a thorough understanding of the potential impact of each setting or action in a particular environment. The information contained in this text applies equally well to Local Security Policies and Group Policies. In a large domain infrastructure, Group Policy can (and should) be set to override the Local Security Policy.
Anyone attempting to make modifications to the Local Security Policy which seem to "mysteriously disappear" should contact their system administrator or their management to see if Group Policy may be overriding their changes.

Target Audience:

This benchmark is intended for anyone using a Windows Server 2003 operating system who feels at all responsible for the security of that system. A security manager or Information Security Officer should certainly be able to use this guide and the associated tools to gather information about the security status of a network of Windows machines. The owner of a small business or home office can use this guide as a straightforward aid in enhancing his or her own personal network security. A Windows system administrator can use this guide and the associated tools to produce explicit scores that can be given to management to reflect where they currently stand, versus where they should stand with regard to security.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

Not provided.


Refer to Known Issues.


Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a quick fix for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any of the Product or the Recommendations. CIS is providing the Products and the Recommendations as is and as available without representations, warranties or covenants of any kind.

Product Support:

Not provided.

Point of Contact:



Not provided.


Not provided.

Change History:

Updated references - 5/1/18
Updated reference links - 9/10/2018
Updated URL - 7/26/19


URL Description
https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc163061(v=technet.10) Windows XP Security Compliance Management Toolkit
https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc163140(v=technet.10) Windows Server 2003 Security Compliance Management Toolkit
https://docs.microsoft.com/en-us/previous-versions/tn-archive/dd162275(v=technet.10) Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
https://www.cisecurity.org The Center for Internet Security
https://www.microsoft.com/en-us/security?rtc=1 Microsoft Windows Security
https://www.sans.org The SANS Institute



NIST checklist record last modified on 07/26/2019