Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-8317 | DS00.1190_AD | SV-31551r1_rule | DCSP-1 | Medium |
Description |
---|
When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files that share a partition may be configured with less restrictive permissions in order to allow access to the user data. The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent that prevents the directory service from acquiring more space for directory or audit data. |
STIG | Date |
---|---|
Windows 2008 Domain Controller Security Technical Implementation Guide | 2013-07-03 |
Check Text ( C-14105r1_chk ) |
---|
- Refer to the AD database, log, and work file information obtained in check DS00.0120. Note the logical drive (e.g., “C:”) on which the files are located. - Determine if the server is currently providing file sharing services to users: -- Enter “net share” at a command line prompt. - Record the logical drive(s) or file system partition for any site-created data shares. [Ignore all system (Windows NETLOGON, SYSVOL, and administrative (ending in $)) shares. User shares that are hidden, ending with $, should not be ignored.] - If data files owned by users are located on the same logical partition as the directory server database, log, or work files, then this is a Finding. |
Fix Text (F-14373r1_fix) |
---|
Ensure the directory server data files are stored on a different logical partition then the files owned by users. |