Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15167 | DM6189-SQLServer9 | SV-23867r1_rule | DCPA-1 | Medium |
Description |
---|
Data directories require different access controls than software file directories. Locating data directories in separate directories on a dedicated disk partition allows assignment of access controls to only those users that require access and helps protect the data from unauthorized access. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-04-03 |
Check Text ( C-20523r1_chk ) |
---|

Review the default data and log directory specifications.

For SQL Server 2005 Default Instance:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\DefaultData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\DefaultLog
```

For SQL Server 2005 Named Instance:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\DefaultData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\DefaultLog
```

If the DefaultData directory lists the same directory as the DefaultLog directory, this is a Finding.

Review the master database file locations. From the query prompt:

```sql
SELECT physical_name, type_desc FROM [master].sys.master_files ORDER BY physical_name
```

Review each database's file locations. From the query prompt:

```sql
SELECT name FROM [master].sys.databases WHERE state = 0
```

Repeat for each database:

```sql
USE [database name]
SELECT physical_name, type_desc FROM sys.database_files ORDER BY physical_name
```

If any results show more than one database using the same physical filename, this is a Finding.

If any files from either the master_files or database_files results show log files (*_log.ldf files) in the same directory as data files, this is a Finding.

Note: Transaction log files (*.LDF) can coexist with data files (*.MDF). A transaction log file will have a similar or variant name of its matching data file (e.g., master.mdf vs. mastlog.ldf). Not all data files will have a corresponding transaction log file.

If any databases share the same directory, verify in the System Security Plan that the databases are shared by the same application. If they are not, this is a Finding.
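The three file-location checks above can be run in one pass against sys.master_files, which lists every data and log file of every database on the instance (the same files the per-database sys.database_files loop visits). This consolidated query is an added example, not part of the STIG's check text; it assumes Windows backslash paths when splitting off the directory name.

```sql
-- Added example, not STIG check text: one pass over sys.master_files, which holds
-- every data (ROWS) and log (LOG) file of every database on the instance.
-- Assumes Windows backslash paths; run from a query prompt on the instance.
WITH db_files AS (
    SELECT DB_NAME(database_id) AS db_name,
           physical_name,
           type_desc,
           -- directory part of the path: everything before the last backslash
           -- (a path with no backslash is returned whole)
           LEFT(physical_name,
                LEN(physical_name) - CHARINDEX('\', REVERSE(physical_name))) AS dir_name
    FROM master.sys.master_files
)
-- Finding: the same physical file name referenced by more than one database
SELECT 'Shared physical file name'   AS finding,
       physical_name                 AS detail,
       COUNT(DISTINCT db_name)       AS db_count
FROM db_files
GROUP BY physical_name
HAVING COUNT(DISTINCT db_name) > 1
UNION ALL
-- Finding: a directory holding both data files and transaction log files
SELECT 'Log files in a data file directory', dir_name, COUNT(DISTINCT db_name)
FROM db_files
GROUP BY dir_name
HAVING SUM(CASE WHEN type_desc = 'ROWS' THEN 1 ELSE 0 END) > 0
   AND SUM(CASE WHEN type_desc = 'LOG'  THEN 1 ELSE 0 END) > 0
UNION ALL
-- Potential finding: databases sharing a directory; a Finding unless the System
-- Security Plan documents them as belonging to the same application
SELECT 'Directory shared by several databases', dir_name, COUNT(DISTINCT db_name)
FROM db_files
GROUP BY dir_name
HAVING COUNT(DISTINCT db_name) > 1
ORDER BY finding, detail;
```

Every row returned is a Finding except the shared-directory rows, which must be checked against the System Security Plan; the DefaultData/DefaultLog registry comparison is still a separate step.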
Fix Text (F-14830r1_fix) |
---|
Create at least one dedicated disk partition to store database data and log files. Create dedicated directories to store database data files for each individual application that uses the database. Specify the dedicated database data file disk partition for the default data directory. Include this information in the System Security Plan and AIS Functional Architecture documentation. |