Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-8317 | DS00.1190_AD | SV-31551r1_rule | DCSP-1 | Medium |
Description |
---|
When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files that share a partition may be configured with less restrictive permissions in order to allow access to the user data. The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent that prevents the directory service from acquiring more space for directory or audit data. |
STIG | Date |
---|---|
Active Directory Service 2008 Security Technical Implementation Guide (STIG) | 2011-05-23 |
Check Text (C-14105r2_chk) |
---|
1. Refer to the AD database, log, and work file information obtained in check V-8316. Note the logical drive (e.g., “C:”) on which the files are located. 2. Determine whether the server is currently providing file sharing services to users by entering “net share” at a command line prompt. 3. Record the logical drive(s) or file system partition for any site-created data shares. (Ignore all system shares (Windows NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden, ending with $, should not be ignored.) 4. If data files owned by users are located on the same logical partition as the directory server database, log, or work files, then this is a finding. |
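The check above can be scripted on the domain controller so it is repeatable across an audit. The script below is an added example and is not part of the STIG text or any DISA tool. It assumes an elevated PowerShell session on the DC, that the AD database, log, and work file paths are read from the registry key `HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters` (values `DSA Database file`, `Database log files path`, `DSA Working Directory`, which is where the V-8316 check points you), and it uses the WMI class `Win32_Share` as the scriptable counterpart of `net share`. Share type 0 is a non-administrative disk share, so `C$`, `ADMIN$`, and `IPC$` are dropped automatically while hidden site shares such as `Data$` are kept, matching the check's instruction.

```powershell
# Added example (not DISA/STIG code): automate the V-8317 partition-separation check.
# Assumptions: elevated session on the DC; NTDS paths live under the registry key below;
# Win32_Share stands in for `net share`. Written for PowerShell 2.0 compatibility.

function Get-AdDataDrives {
    # Logical drives (e.g. "C:") hosting the AD database, transaction logs, and work directory.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    @($p.'DSA Database file', $p.'Database log files path', $p.'DSA Working Directory') |
        Where-Object { $_ } |
        ForEach-Object { [System.IO.Path]::GetPathRoot($_).TrimEnd('\').ToUpper() } |
        Sort-Object -Unique
}

function Get-UserDataShares {
    # Type 0 = non-administrative disk share: C$, ADMIN$, IPC$ are excluded by type,
    # NETLOGON and SYSVOL by name; hidden user shares ("Data$") remain in scope.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 0 -and (@('NETLOGON', 'SYSVOL') -notcontains $_.Name.ToUpper()) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name  = $_.Name
                Path  = $_.Path
                Drive = [System.IO.Path]::GetPathRoot($_.Path).TrimEnd('\').ToUpper()
            }
        }
}

function Test-V8317 {
    $adDrives = @(Get-AdDataDrives)
    $shares   = @(Get-UserDataShares)
    # Step 4 of the check: any user share on a drive that also holds AD data is a finding.
    $overlap  = @($shares | Where-Object { $adDrives -contains $_.Drive })
    New-Object PSObject -Property @{
        AdDrives     = $adDrives
        SharedDrives = @($shares | ForEach-Object { $_.Drive } | Sort-Object -Unique)
        Finding      = ($overlap.Count -gt 0)
        Offending    = $overlap
    }
}

$r = Test-V8317
"AD data drives   : $($r.AdDrives -join ', ')"
"User share drives: $($r.SharedDrives -join ', ')"
if ($r.Finding) {
    "FINDING (V-8317): user shares reside on the same logical partition as AD data files:"
    $r.Offending | Format-Table Name, Path, Drive -AutoSize
} else {
    "Not a finding: AD data files and user shares are on different logical partitions."
}
```

The comparison is by drive letter, which is what the check text calls for. If the site uses volume mount points (a separate volume mounted under a folder on C:), two paths can share a drive letter yet sit on different partitions; in that case confirm the underlying volume with `mountvol` or `Get-WmiObject Win32_Volume` before recording the result.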
Fix Text (F-14373r2_fix) |
---|
Ensure the directory server data files are stored on a different logical partition than the files owned by users. |