UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Data files owned by users must be on a different logical partition from the directory server data files.


Overview

Finding ID Version Rule ID IA Controls Severity
V-8317 WN12-AD-000006-DC SV-51180r2_rule DCSP-1 Medium
Description
When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.
STIG Date
Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide 2019-12-13

Details

Check Text ( C-46606r1_chk )
Refer to the AD database location obtained in check V-8316. Note the logical drive (e.g., C:) on which the files are located.

Determine if the server is currently providing file sharing services to users with the following command.
Enter "net share" at a command prompt.

Note the logical drive(s) or file system partition for any site-created data shares.
Ignore all system shares (e.g., Windows NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored.

If user shares are located on the same logical partition as the directory server data files, this is a finding.
Fix Text (F-44337r1_fix)
Ensure files owned by users are stored on a different logical partition then the directory server data files.