Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-205723 | WN19-DC-000120 | SV-205723r958524_rule | CCI-001090 | medium |
| Description | ||||
| When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data. | ||||
| STIG | Date | |||
| Microsoft Windows Server 2019 Security Technical Implementation Guide | 2025-05-23 | |||
Details
Check Text (C-205723r958524_chk)
This applies to domain controllers. It is NA for other systems.
Run "Regedit".
Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters".
Note the directory locations in the values for "DSA Database file".
Open "Command Prompt".
Enter "net share".
Note the logical drive(s) or file system partition for any organization-created data shares.
Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored.
If user shares are located on the same logical partition as the directory server data files, this is a finding.
Fix Text (F-5988r355088_fix)
Move shares used to store files owned by users to a different logical partition than the directory server data files.