
The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.


Overview

Finding ID: V-15147
Version: DG0111-SQLServer9
Rule ID: SV-24289r1_rule
IA Controls: DCPA-1
Severity: Medium
Description
Protection of DBMS data, transaction and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database process, resource contention and differing security controls may be required to isolate and protect one application's data and audit logs from another. DBMS software libraries and configuration files also require differing access control lists.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-20460r1_chk)
If separation of data, transaction and audit data is not supported by the DBMS, this check is Not a Finding.

In the references below, replace SQL5Root with the registry path:

"HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server"

Replace [#] with the SQL Server instance number as listed under:

SQL5Root \ Instance Names \ SQL \ [instance name]

Review the disk/directory specification where database data, transaction log and audit files are stored:

SQL5Root \ MSSQL.[#] \ Setup \ SQLProgramDir

Review the default data and log directory specifications in the registry:

SQL5Root \ MSSQL.[#] \ MSSQLServer \ DefaultData
SQL5Root \ MSSQL.[#] \ MSSQLServer \ DefaultLog

If the program file directory and disk partition are the same as either the DefaultData or the DefaultLog directory, this is a Finding.

If stored separately and access permissions for each directory are the same, this is a Finding.
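
The check above can be scripted in PowerShell; the following is an added example and not part of the STIG text. The function name Test-DbmsDirSeparation, the treatment of a data or log directory nested inside SQLProgramDir as "the same", the comparison of permissions as SDDL strings, and the sample paths are assumptions.

```powershell
# Added example, not STIG text. Registry paths are those named in the check.
$root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'    # "SQL5Root"

function Test-DbmsDirSeparation {
    # Hypothetical helper: emits one line per problem, nothing if separated.
    # $Dir and $Sddl are keyed by SQLProgramDir, DefaultData and DefaultLog.
    param([hashtable]$Dir, [hashtable]$Sddl)
    $prog = "$($Dir.SQLProgramDir)".TrimEnd('\')
    foreach ($name in 'DefaultData', 'DefaultLog') {
        $path = "$($Dir[$name])".TrimEnd('\')
        if (-not $path) {
            "REVIEW: $name is not set; inspect the actual file locations"
        } elseif ($path -eq $prog -or
                  $path.StartsWith("$prog\", [StringComparison]::OrdinalIgnoreCase)) {
            # Assumption: a directory nested in SQLProgramDir counts as shared.
            "FINDING: $name '$path' is the same as or inside SQLProgramDir"
        } elseif ($Sddl[$name] -and $Sddl[$name] -eq $Sddl.SQLProgramDir) {
            "FINDING: $name '$path' has the same permissions as SQLProgramDir"
        }
    }
}

# Live audit: map each instance name to its MSSQL.[#] key, then read the values.
$names = Get-Item "$root\Instance Names\SQL" -ErrorAction SilentlyContinue
if ($names) {
    foreach ($instance in $names.GetValueNames()) {
        $id     = $names.GetValue($instance)
        $setup  = Get-ItemProperty "$root\$id\Setup" -ErrorAction SilentlyContinue
        $server = Get-ItemProperty "$root\$id\MSSQLServer" -ErrorAction SilentlyContinue
        $dir = @{ SQLProgramDir = $setup.SQLProgramDir
                  DefaultData   = $server.DefaultData
                  DefaultLog    = $server.DefaultLog }
        $sddl = @{}
        foreach ($key in @($dir.Keys)) {
            $p = $dir[$key]
            if ($p -and (Test-Path $p)) { $sddl[$key] = (Get-Acl $p).Sddl }
        }
        Test-DbmsDirSeparation -Dir $dir -Sddl $sddl |
            ForEach-Object { "[$instance] $_" }
    }
}

# Constructed sample, not from a real host: the data directory sits inside the
# program tree; the log directory is elsewhere but carries an identical ACL.
Test-DbmsDirSeparation -Dir @{
    SQLProgramDir = 'C:\Program Files\Microsoft SQL Server\'
    DefaultData   = 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data'
    DefaultLog    = 'E:\SQLLogs'
} -Sddl @{ SQLProgramDir = 'D:(A;;FA;;;BA)'; DefaultLog = 'D:(A;;FA;;;BA)' }
```

The registry values only give the defaults for new databases, so a clean result here still leaves the locations of existing database, log and audit files to be reviewed.
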
Fix Text (F-18327r1_fix)
Configure the DBMS to specify dedicated host system disk directories to store database and log files for each application sharing the database. Do not share the application's data disk directory with application software libraries.