The CA Agents are running on Local system context in the domain controllers. This is a security RISK as this service can be exploited as the Local System on a DC is equivalent to Domain Administrator Privileges. Also the service can be stopped without any additional password. If the service is stopped the protection templates also stop working.
We should ideally enable more security for this agent service to either remove it from local system context or enable a password to stop or disable the service like the Antivirus OEMS do.
