Windows Server 2025 data files owned by users must be on a different logical partition from the directory server data files.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-278143 | WN25-DC-000120 | SV-278143r1182092_rule | CCI-001090 | medium |
| Description | ||||
| When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions to allow access to the user data. The directory service may be vulnerable to a denial-of-service (DoS) attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data. | ||||
| STIG | Date | |||
| Microsoft Windows Server 2025 Security Technical Implementation Guide | 2026-02-20 | |||
Details
Check Text (C-278143r1182092_chk)
This applies to domain controllers. It is not applicable for other systems.
Run "Regedit".
Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters".
Note the directory locations in the values for "DSA Database file".
Open a command prompt.
Enter "net share".
Note the logical drive(s) or file system partition for any organization-created data shares.
Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) must not be ignored.
If user shares are located on the same logical partition as the directory server data files, this is a finding.
Fix Text (F-82578r1181134_fix)
Move shares used to store files owned by users to a different logical partition than the directory server data files.