Microsoft Windows Server 2025

Windows Server 2025 data files owned by users must be on a different logical partition from the directory server data files

STIG ID: WN25-DC-000120 | SRG: SRG-OS-000138-GPOS-00069 | Severity: Medium | CCI: CCI-001090 | Vulnerability ID: V-278143

Description

When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions to allow access to the user data.

The directory service may be vulnerable to a denial-of-service (DoS) attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.

Check

C-82673r1182091_chk

This applies to domain controllers. It is not applicable for other systems.

Run "Regedit".

Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters".

Note the directory locations in the values for "DSA Database file".

Open a command prompt.

Enter "net share".

Note the logical drive(s) or file system partition for any organization-created data shares.

Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) must not be ignored.

If user shares are located on the same logical partition as the directory server data files, this is a finding.

Fix

F-82578r1181134_fix

Move shares used to store files owned by users to a different logical partition than the directory server data files.