SharePoint 2010 Security Technical Implementation Guide (STIG)

  • Version/Release: V1R7
  • Published: 2015-10-02
  • Released: 2015-10-23
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This STIG is applicable to all Microsoft SharePoint 2010 implementations. For complete security protection of any SharePoint implementation, the Windows OS, application server (s) and the database server (s) must also be secured using the applicable STIGs.
b
SharePoint must support the requirement to initiate a session lock after an organizationally defined time period of system or application inactivity has transpired.
AC-11 - Medium - CCI-000057 - V-27965 - SV-37638r2_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
SHPT-00-000007
Vuln IDs
  • V-27965
Rule IDs
  • SV-37638r2_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. This is typically at the operating system-level, but may also be at the application level. The organization must define the period of inactivity before a session lock is initiated, so this setting must be configurable. In SharePoint, enabling security validation provides application level security for web pages while the authenticated user is absent. The user must be required to re-authenticate after a specified inactivity period is exceeded.System AdministratorPESL-1
Checks: C-37483r6_chk

1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. Verify that each web application meets this requirement. - Select the web application. - Select General Settings. - Navigate to Web Page Security Validation and verify it is set to 10 minutes or less. 4. Mark as a finding if the default timeout period is not set to 10 minutes or less for any of the web applications.

Fix: F-32730r6_fix

Configure security validation. 1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. Perform the following step for each web application. - Select web application. - Select General Settings. - Navigate to Web Page Security Validation. - Set the Security validation is property to On. - Set the Security validation expires: property to After. - Set the default timeout period to 10 minutes. - Select OK to save settings.

b
SharePoint must maintain and support the use of organizationally defined security attributes to stored information.
AC-16 - Medium - CCI-001399 - V-27968 - SV-36059r2_rule
RMF Control
AC-16
Severity
Medium
CCI
CCI-001399
Version
SHPT-00-000010
Vuln IDs
  • V-27968
Rule IDs
  • SV-36059r2_rule
Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Some examples of application security attributes include classified, For Official Use Only (FOUO), Personally Identifiable Information (PII), and sensitive. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). A SharePoint information management policy or a third party Information Right Management (IRM) solution must be installed to implement this requirement. Although a 3rd party solution is recommended for a more robust solution, SharePoint can natively meet this requirement through combined use of information rights policy and defined content type. Content types must be defined which bind metadata to the content in storage and in process. System AdministratorECAD-1, ECML-1
Checks: C-36985r3_chk

To verify that content types are used: 1. On the site home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Galleries list, click Site content types and verify that content types have been defined. 3. Navigate to each document library and click Document Library Settings. 4. Under Content Types, verify that at least one content type is listed. 5. Mark as a finding if content types are not defined for each document library. Mark as not applicable for SharePoint implementations that process, store, or access only publicly-releasable information (i.e., does not provide access to classified, FOUO, or sensitive information).

Fix: F-32249r3_fix

To define content types and metadata, perform the following for each desired application security attribute, such as PII or FOUO, as defined by organizational requirements. 1. On the site home page, click Site Actions and then click Site Settings. 2. On the Site Settings page, in the Galleries list, click Site content types. 3. Enter a name for the content type and click OK to view the advanced properties. 4. Scroll down this page and add the columns to prompt the user to enter as metadata or properties to collect when documents of this content type are added to SharePoint.

b
SharePoint must allow authorized users to associate security attributes with information.
AC-16 - Medium - CCI-001427 - V-27974 - SV-36067r3_rule
RMF Control
AC-16
Severity
Medium
CCI
CCI-001427
Version
SHPT-00-000040
Vuln IDs
  • V-27974
Rule IDs
  • SV-36067r3_rule
Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Some examples of application security attributes include classified, FOUO, and sensitive. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). For SharePoint installations, this capability is natively provided once content types, metadata, and an information management policy is configured as required by SHPT-00-000009 and SHPT-00-000010. Once content types are defined, enabled and configured, users will be prompted to enter these attributes when adding new documents or list items.System AdministratorECAD-1
Checks: C-36974r3_chk

To verify users are prompted automatically when entering new documents into SharePoint: 1. Using an account with authorized user permissions (not system administrator), attempt to add a document to a document library. 2. Verify the user is prompted to enter metadata and content type information. 3. Mark as a finding if the sample users are not prompted for content type information as required by the site's SSP as designated by the organization (e.g., FOUO, Personally Identifiable Information [PII], or other sensitivity levels requiring access control, retention, or tracking.)

Fix: F-32238r5_fix

Create an information management policy and apply to lists, libraries, and list content. 1. On the site collection home page, click Site Actions, point to Site Settings. 2. Click Site Settings. 3. On the Site Settings page, in the Site Collection Administration list, click Site Collection Policies. 4. On the Site Collection Policies page, click Create. 5. Follow the menus and prompts to create a name and description for the policy, and then write a brief policy statement that explains the policy to the users. 6. Configure the desired features to associate with the policy. 7. When you finish selecting the options for the individual policy features that you want to add to this information management policy, click OK to apply the policy features. 8. Once an information management policy has been created for the site collection level, it can be applied to lists, libraries, or list content type.

b
SharePoint must enforce dual authorization, based on organizational policies and procedures for organizationally defined privileged commands.
AC-3 - Medium - CCI-000021 - V-27996 - SV-36114r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000021
Version
SHPT-00-000100
Vuln IDs
  • V-27996
Rule IDs
  • SV-36114r2_rule
An organization may see fit to define a policy stating certain commands contained within an application require dual authorization before they may be invoked. Dual authorization requires two distinct approving authorities to approve the use of the command prior to being invoked. When the organization defines a set of application related privileged commands requiring dual authorization, the application must support those organizational requirements. Once an information management policy has been created, the metadata and security attributes created can be enforced using a workflow. However, as with most applications, privilege restrictions, such as dual authorizations cannot be set for the super account, Farm Administrator. When adding a workflow to a SharePoint library or list, this enforces a business process on all items in the library or list. A workflow describes the actions the system or users must perform on each item, such as obtain dual approvals. Note: If many documents across different libraries require dual authorization, the site should consider creating a content type and adding this type as part of an information management policy.System AdministratorECCD-1, ECCD-2
Checks: C-37322r7_chk

To view what workflows are associated within Central Administration: 1. On the site home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Site Administration list, click Workflows. 3. Verify there is at least one active workflow configured for dual approval. 4. Mark as a finding if the SSP requires dual approval, but it is not enforced by workflow. 5. Mark as not a finding if dual authorization is not required by the SSP.

Fix: F-32559r6_fix

Create an approval workflow for document libraries or documents which requires dual authorization. 1. On the site home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Site Administration list, click Site libraries and lists. 3. On the Site Libraries and Lists page, select a library or list. 4. On the List Settings page, in the Permissions and Management list, click Workflow Settings. 5. On the Workflow Settings page, click Add a workflow. 6. Follow the directions of the workflow wizard to create an approval workflow that requires dual approval for the documents stored in the selected library.

b
The organization must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
SC-9 - Medium - CCI-001131 - V-28023 - SV-36661r2_rule
RMF Control
SC-9
Severity
Medium
CCI
CCI-001131
Version
SHPT-00-000805
Vuln IDs
  • V-28023
Rule IDs
  • SV-36661r2_rule
Preventing the disclosure of transmitted information requires that applications take measures to using a cryptographic mechanism to protect the information during transmission. This is usually achieved through the use of TLS, SSL, or Internet Protocol Security (IPSec) Virtual Private Network (VPN). System AdministratorDesignated Approving AuthorityECCT-1, ECCT-2
Checks: C-35745r2_chk

1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. On the Web Applications Management page, verify that each Web Application URL begins with https. 4. Mark as a finding if the URL does not begin with https. 5. Mark as not a finding if SharePoint communications between all components and clients are protected by alternative physical measures that have been approved by the DAA.

Fix: F-30987r3_fix

1. Open IIS Manager. 2. In the Connections pane, expand Sites. 3. Click the Web Application site. 4. In the Actions pane, click Bindings…. 5. In the Site Bindings window, click Add. 6. In the Add Site Binding window, change Type to https and select the site’s SSL certificate. 7.Click OK and then click Close.

b
SharePoint must identify potentially security-relevant error conditions.
SI-11 - Medium - CCI-001311 - V-28026 - SV-36713r2_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001311
Version
SHPT-00-000810
Vuln IDs
  • V-28026
Rule IDs
  • SV-36713r2_rule
The error messages and usage data to be monitored should be carefully considered. The extent to which the application is able to identify and handle error conditions is guided by organizational policy and operational requirements. Usage and Health Data Collection Service Application collects data about usage and health of your farm. This information is used for Health Monitoring and this is also required for running the Web Analytics Service. If there is no Usage and Health Data Collection Service Application or the Usage and Health Data Collection Proxy is stopped, the Web Analytics Report will not show any data. SharePoint Usage and Health Data Collection Service Application must be enabled in order to detect potential security errors. The usage and health data settings are farm-wide and cannot be set for individual servers in the farm.System AdministratorDCBP-1
Checks: C-37382r2_chk

1. In SharePoint Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. On the Configure web analytics and health data collection page, in the Usage Data Collection section, verify Enable usage data collection is checked. 4. In the Health Data Collection section, verify Enable health data collection is checked. 5. Mark as a finding if Enable usage data collection and Enable health data collection are not checked.

Fix: F-32619r2_fix

Enable and configure the Usage and Health Data Collection Service Application. 1. In SharePoint Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. On the Configure web analytics and health data collection page, in the Usage Data Collection section, check the box for Enable usage data collection. 4. In the Health Data Collection section, check the box for Enable health data collection. 5. Click OK.

c
Applications must support organizational requirements to employ cryptographic mechanisms to protect information in storage.
MP-4 - High - CCI-001019 - V-28066 - SV-37792r2_rule
RMF Control
MP-4
Severity
High
CCI
CCI-001019
Version
SHPT-00-000640
Vuln IDs
  • V-28066
Rule IDs
  • SV-37792r2_rule
When data is written to digital media there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Encryption of data at rest in SQL is required if the data owner deems it necessary.System AdministratorECCR-1
Checks: C-37427r1_chk

Each of the following scripts must be run as TSQL queries, replacing string text with suitable replacements. Navigate to the SQL Server Management Console and open a new query window to run the following script. 1. Run this TSQL query below. USE SharePointContentDB GO SELECT {NAME},is_encrypted FROM sys.databases WHERE name='TDE_Testing' GO 2. Mark as a finding if return value is not 1. 3. Mark as not a finding if a third-party solution is used and documented with the IAO.

Fix: F-32667r1_fix

Data-at-rest encryption is provided by encryption of the SQL 2008 SharePoint database using TDE or a third party solution. Each of the following scripts must be run as TSQL queries and replace string text with suitable replacements. Navigate to the SQL Server Management Console and open a new query window to run the following script. 1. Create the DMK. USE master; GO CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC'; GO 2. Create the TDE Certificate. USE master; GO CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate'; GO 3. Back up the TDE Certificate. USE master; GO BACKUP CERTIFICATE CompanyABCtdeCert TO FILE = 'C:\Backup\CompanyABCtdeCERT.cer' WITH PRIVATE KEY ( FILE = 'C:\Backup\CompanyABCtdeCert.pvk', ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!'); GO 4. Create the DEK. USE SharePointContentDB; GO CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert GO 5. Encrypt the database. USE SharePointContentDB GO ALTER DATABASE SharePointContentDB SET ENCRYPTION ON GO 6. Monitor the progress; once encryption_state is ‘3’, the database is encrypted. USE SharePointContentDB GO SELECT * FROM sys.dm_database_encryption_keys WHERE encryption_state = 3; GO

b
SharePoint must terminate the network connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity.
SC-10 - Medium - CCI-001133 - V-28071 - SV-37794r2_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
SHPT-00-000645
Vuln IDs
  • V-28071
Rule IDs
  • SV-37794r2_rule
This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions include, de-allocating associated TCP/IP address/port pairs at the operating-system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses. System AdministratorDCBP-1
Checks: C-37028r2_chk

1. In Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. Click a web application, and then click General Settings in the Manage section of the ribbon. 4. Click on the Web Application General Settings dialog window in the Web Page Security Validation section. 5. Verify Security validation is” is set to On and Security validation expires: is set to 10 minutes or less. 6. Mark as a finding if Web Page Security Validation is set to Off or a value greater than 10 minutes.

Fix: F-32295r3_fix

1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. Click a web application, and then click General Settings in the Manage section of the ribbon. 4. In the Web Application General Settings dialog window, in the Web Page Security Validation section, set Web Page Security Validation to On and a value less than 10 minutes.

b
SharePoint must protect audit information from unauthorized access to the usage and health logs.
AU-9 - Medium - CCI-000162 - V-28087 - SV-36596r2_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
SHPT-00-000430
Vuln IDs
  • V-28087
Rule IDs
  • SV-36596r2_rule
If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult. To ensure the veracity of audit data the information system and/or SharePoint must protect audit information from unauthorized access. SharePoint is an integrated product with comprehensive built-in auditing capabilities working with the Windows system event log. Additional trace logs and usage logs are created by the application and are placed in a designated folder. Logs of actions taken by users of site content (editing, modifying, viewing, deleting, etc.) are stored in a SQL database.System AdministratorECTP-1
Checks: C-37358r3_chk

Verify security permissions to log file are to authorized administrators only. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. Obtain the log file location for the Usage Data Collection Settings. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Verify permissions include only the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group. 6. Mark as a finding if groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group have permission to the log folder.

Fix: F-32595r3_fix

Change permissions to the directory where usage data collection is stored: 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. Obtain the Log file location for the Usage Data Collection Settings. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Delete any groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group and SYSTEM group from the permissions list.

b
SharePoint must protect audit information from unauthorized modification of usage and health data collection logs.
AU-9 - Medium - CCI-000163 - V-28089 - SV-36597r2_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
SHPT-00-000435
Vuln IDs
  • V-28089
Rule IDs
  • SV-36597r2_rule
If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the information system and/or SharePoint must protect audit information from unauthorized modification. SharePoint is an integrated product with comprehensive built-in auditing capabilities working with the Windows system event log. Additional trace logs and usage logs are created by the application and are placed in a designated folder. Logs of actions taken by users of site content (editing, modifying, viewing, deleting, etc.) are stored in a SQL database. Only designated audit administrators and internal accounts should have any type of permission to these files.System AdministratorECTP-1
Checks: C-37359r2_chk

Verify security permissions to log file are to authorized administrators only. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. Obtain the log file location for the Usage Data Collection Settings. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Verify permissions include only the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group. 6. Mark as a finding if groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group have permission to the log folder.

Fix: F-32596r2_fix

Check the directory permissions where usage data collection is stored. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. Obtain the Log file location for the Usage Data Collection Settings. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Delete any groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group and SYSTEM group from the permissions list.

b
SharePoint must protect audit information from unauthorized deletion of usage and health logs.
AU-9 - Medium - CCI-000164 - V-28094 - SV-36598r2_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
SHPT-00-000440
Vuln IDs
  • V-28094
Rule IDs
  • SV-36598r2_rule
If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the information system and/or SharePoint must protect audit information from unauthorized deletion. SharePoint is an integrated product with comprehensive built-in auditing capabilities that works with the Windows system event log. Additional trace logs and usage logs are created by the application and are placed in a designated folder. Logs of actions taken by users of site content (editing, modifying, viewing, deleting, etc.) are stored in a SQL database.System AdministratorECTP-1
Checks: C-37361r3_chk

Verify security permissions to log file are to authorized administrators only. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. Obtain the log file location for the Usage Data Collection Settings. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Verify permissions include only the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group. 6. Mark as a finding if groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group have permission to the log folder.

Fix: F-32598r2_fix

Change permissions to the directory where usage data collection is stored. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. Obtain the Log file location for the Usage Data Collection Settings. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Delete any groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group and SYSTEM group from the permissions list.

b
SharePoint must protect audit tools from unauthorized access.
AU-9 - Medium - CCI-001493 - V-28097 - SV-36599r2_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001493
Version
SHPT-00-000445
Vuln IDs
  • V-28097
Rule IDs
  • SV-36599r2_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. SharePoint is an integrated product with comprehensive built-in auditing capabilities working with the Windows system event log. Additional trace logs and usage logs are created by the application and are placed in a designated folder. Logs of actions taken by users of site content (editing, modifying, viewing, deleting, etc.), are stored in a SQL database.System AdministratorECTP-1
Checks: C-37383r2_chk

Obtain local site documentation noting authorized administrators. 1. On the site home page, click “Site Actions” and then click Site Settings. 2. On the Site Settings page, in the Users and Permissions list, click Site collection administrators. 3. Verify all users or groups listed in the site collection administrators group are authorized. 4. Mark as a finding if there are users or groups listed as site administrators that should not be listed as administrators. Check users and groups with full control permission as they can access audit reporting. 1. On the site home page, click Site Actions and then click Site Permissions. 2. Examine all the owners and groups that have full control of the site. 3. Ask the SA or Application Administrators if all the users or groups listed as having full control of the site need full control over the site. 4. It is a finding if there are users or groups listed as having full control over the site which do not need to have full control.

Fix: F-32620r3_fix

Remove users and groups from the site administrator / site owner groups. Remove unneeded identifiers from site collection administrators. 1. On the site home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Users and Permissions list, click “Site collection administrators”. 3. Remove any non-site owner users or groups. 4. Click OK. Change permissions on users and groups not requiring full site control. 1. On the site home page, click Site Actions, and then click Site Permissions. 2. Put users not requiring full control in groups with less privilege (i.e., Site contributor, site user).

b
SharePoint must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.
AU-12 - Medium - CCI-000171 - V-28114 - SV-37767r2_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
SHPT-00-000315
Vuln IDs
  • V-28114
Rule IDs
  • SV-37767r2_rule
Without auditing enabled, individual system accesses cannot be tracked and malicious activity cannot be detected and traced back to an individual account.System AdministratorECAT-1, ECAT-2
Checks: C-37305r6_chk

The auditing information management policy needs to be configured to available in new site and list policies. This feature makes auditing services available for auditing user actions on documents and list items to the Audit Log. Information in the Audit Log can help in determining accountability. 1. In SharePoint Central Administration, click Security. 2. On the Security page, on the Information policy list, click Configure Information Management Policy. 3. On the Information Management Policy Configuration page, select Auditing. 4. Verify the option Available for use in new site and list policies is selected. 5. Mark this as a finding if the option Available for use in new site and list policies is not set.

Fix: F-32543r6_fix

Ensure the auditing information management policy is configured to be available. 1. In SharePoint Central Administration, click Security. 2. On the Security page, in the Information policy list, click Configure Information Management Policy. 3. On the Information Management Policy Configuration page, select Auditing. 4. Select the option Available for use in new site and list policies. 5. Click Save.

b
The Central Administration Web Application must use Kerberos as the authentication provider.
IA-2 - Medium - CCI-000774 - V-28119 - SV-36726r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000774
Version
SHPT-00-000530
Vuln IDs
  • V-28119
Rule IDs
  • SV-36726r2_rule
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonce's or challenges (e.g., Transport Layer Security (TLS), WS_Security), and time synchronous or challenge-response one-time authenticators. System AdministratorIAIA-1, IAIA-2
Checks: C-37021r2_chk

1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. On the Web Application Management page, click the Central Administration Web Application, and then click Authentication Providers in the Security section of the ribbon. 4. In the Authentication Providers dialog window, click each Zone and verify if Integrated Windows authentication with Negotiate (Kerberos) are selected in the IIS Authentication Settings section. 5. Mark as not a finding if SharePoint is not used to process sensitive (not public releasable) information. 6. Mark as a finding if Integrated Windows authentication with Negotiate (Kerberos) is not enabled for each zone that processes sensitive (not public releasable) information.

Fix: F-32290r2_fix

Enable Kerberos on the Central Administration Web Application. 1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. On the Web Application Management page, click the Central Administration Web Application, and then click Authentication Providers in the Security section of the ribbon. 4. In the Authentication Providers dialog window, click the associated zone that processes sensitive information (not public releasable) and enable Integrated Windows authentication with Negotiate (Kerberos) and click Save.

b
SharePoint managed service accounts must be set to enable automatic password change.
IA-5 - Medium - CCI-000199 - V-28138 - SV-37784r2_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
SHPT-00-000600
Vuln IDs
  • V-28138
Rule IDs
  • SV-37784r2_rule
Passwords have a number of inherent risks. One method of minimizing this risk is to enforce the use of complex passwords. Another method is to enforce periodic password changes. If the information system does not limit the lifetime of passwords and force password changes, the system may be vulnerable to password attacks and may become compromised. This setting only enables automatic password changes for managed account. These accounts are in AD DS. The Windows server STIG guidance requires annual password changes for all service accounts. System AdministratorIAGA-1
Checks: C-36986r4_chk

1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure managed accounts. 3. Go through each service account to see if “Enable automatic password change” is checked. 4. Mark as a finding if “Enable automatic password change” is not checked.

Fix: F-32250r3_fix

1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure managed accounts. 3. Edit setting for each managed account. 4. Select “Enable automatic password change”.

b
SharePoint must support the requirement that privileged access is further defined between audit-related privileges and other privileges.
AU-9 - Medium - CCI-001352 - V-28144 - SV-36578r2_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001352
Version
SHPT-00-000465
Vuln IDs
  • V-28144
Rule IDs
  • SV-36578r2_rule
Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be reliable when performed by an information system which the user being audited has privileged access. The privileged user could inhibit auditing or directly modify audit records. To prevent this from occurring, privileged access shall be further defined between audit-related privileges and other privileges, thus, limiting the users with audit-related privileges. Reducing the risk of audit compromises by privileged users can also be achieved by performing audit activity on a separate information system where the user in question has limited access or by using storage media that cannot be modified (e.g., write-once recording devices).System AdministratorECTP-1
Checks: C-37393r5_chk

1. Navigate to “Active Directory Users and Computers” -> Users. 2. Double click on the name of the audit administrators group. 3. View the properties of each group and work with the SA or application administrator to verify the accounts are for authorized audit administrators. 4. Mark as a finding if privileged users who do not have authorized audit responsibilities for SharePoint are listed in this group.

Fix: F-32630r4_fix

1. Create a SharePoint audit security group in AD or use an existing audit administrators group that has been designated and authorized to perform audit functions. 2. Add the accounts of authorized audit administrators to the group. 3. On the server(s) for which the SharePoint software is installed, navigate to Server Manager -> Local Users and Groups. 4. View the properties of each group and verify that this account is a member of the Administrators group and no other groups.

b
To support the requirements and principles of least functionality; SharePoint must support the organizational requirement to provide only essential capabilities.
CM-7 - Medium - CCI-000381 - V-28169 - SV-37768r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
SHPT-00-000475
Vuln IDs
  • V-28169
Rule IDs
  • SV-37768r1_rule
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from a single component of an information system, but doing so increases risk over limiting the services provided by any one component. Services not necessary to the SharePoint installation must not be installed on the servers in the farm.System AdministratorDCPP-1
Checks: C-37496r1_chk

Verify only organizationally-approved (as documented in the site’s SSP) are installed and active in SharePoint. 1. Navigate to the Central Administration home page. 2. In the Application Management section, click Manage Service Applications. 3. From the Manage Service Applications page, view the list of active services, web parts, and applications. 4. Verify that installed services are documented in the site’s SSP. 5. Mark as a finding if active services, web parts, and applications are not documented in the SSP.

Fix: F-32744r1_fix

Follow these steps to access the management pages of a service application by using Central Administration. 1. Navigate to the Central Administration home page. 2. In the Application Management section, click Manage Service Applications. 3. From the Manage Service Applications page, select the service application to be removed. 4. Remove all services that are not needed or approved for use by the organization.

b
When configuring Central Administration, the port number selected must comply with DoD Ports and Protocol Management (PPSM) program requirements.
CM-7 - Medium - CCI-000382 - V-28170 - SV-37769r2_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
SHPT-00-000480
Vuln IDs
  • V-28170
Rule IDs
  • SV-37769r2_rule
During the installation of Microsoft SharePoint, the Central Administration Web site is established on a randomly-assigned TCP port by default. Allowing a randomly-assigned default may result in use of a port which violates DoD policy or conflicts with ports already in use. Use of certain well-known ports may also result in slow operational responses or may expose the application to denial of service attacks. System AdministratorDCPP-1
Checks: C-36997r4_chk

1. In Central Administrator, view the URL in the address bar of the browser. 2. The URL includes a colon which is followed by the port number. 3. Mark as a finding if the port number used is not allowed in accordance with DoD PPSM policy or is less than 1024.

Fix: F-32261r3_fix

1. Open the SharePoint 2010 Management Shell (Start > All Programs > Microsoft SharePoint 2010 Products > SharePoint 2010 Management Shell). 2. Change the port number to a PPSM approved port which does not conflict with existing port usage by using the following command: –Set -SPCentralAdministration -Port <PortNumber>. 3. Press Enter to save.

b
Backup of SharePoint system level files for critical systems must be performed when identified as required by the owning organization.
CP-9 - Medium - CCI-000537 - V-28177 - SV-36698r1_rule
RMF Control
CP-9
Severity
Medium
CCI
CCI-000537
Version
SHPT-00-000495
Vuln IDs
  • V-28177
Rule IDs
  • SV-36698r1_rule
Information system backup is a critical step in maintaining data assurance and availability. System-level information includes: system-state information, operating system and application software, and licenses. System AdministratorCODB-1, CODB-2, CODB-3
Checks: C-37001r1_chk

1. Verify the SharePoint farm servers, particularly those designated as critical information systems, are backed up periodically on a schedule identified by the DAA or designated representative. 2. Mark as a finding if backup is not performed or is not performed in compliance with required frequency.

Fix: F-32265r1_fix

Backup SharePoint farm servers, particularly those designated as critical information systems periodically on a schedule identified by the DAA or designated representative.

a
To support audit review, analysis, and reporting, SharePoint must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
AU-6 - Low - CCI-000152 - V-28184 - SV-36581r1_rule
RMF Control
AU-6
Severity
Low
CCI
CCI-000152
Version
SHPT-00-000405
Vuln IDs
  • V-28184
Rule IDs
  • SV-36581r1_rule
Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Audit review, analysis, and reporting are all activities are related to the evaluation of system activity through the inspection and analysis of system log data. Some examples include, but are not limited to, organizational requirements to cooperate with legal counsel and/or auditors in order to provide reports on certain types of system activity or analyzing system logs to ascertain sources or causes of certain system activity. System AdministratorECAT-1, ECAT-2
Checks: C-37273r5_chk

Since it is not reasonable to check every collection or library in a large implementation, sample test some of the site's site collections using the following procedures. SharePoint audits actions at the site level. 1. On the site collection home page, click Site Actions and then click Site Settings. 2. On the Site Settings page, in the Site Collection Administration list, click Site collection audit settings. 3. Mark as a finding if the organizationally defined settings are not checked in the "Documents and Items” and the “Lists, Libraries, and Sites” sections.

Fix: F-32510r4_fix

1. On the site collection home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Site Collection Administration list, click on Site collection audit settings. 3. In the Documents and Items section, specify the events to audit. 4. In the Lists, Libraries, and Sites section, specify the events to audit. 5. Click OK.

b
SharePoint must implement security functions as largely independent modules to avoid unnecessary interactions between modules.
SC-3 - Medium - CCI-001088 - V-28207 - SV-37789r2_rule
RMF Control
SC-3
Severity
Medium
CCI
CCI-001088
Version
SHPT-00-000760
Vuln IDs
  • V-28207
Rule IDs
  • SV-37789r2_rule
Microsoft recommends separate Application Pools (and security accounts) for site collections with authenticated and anonymous content; to isolate applications storing security or management information; or where users have great liberty to create and administer sites and to collaborate on content. With this configuration, if an attacker gains control of one Application Pool, they do not gain universal access to all data hosted in the SharePoint farm. Configuring separate Application Pools with the appropriate security based on access and content allows for content isolation and load balancing, limiting access to specific servers. Organizations can use custom HTTP modules for specific zones to create unique sign-on rules based on these groups of users.System AdministratorDCSP-1
Checks: C-37389r2_chk

1. Use the IIS Manager to navigate to the SharePoint Applications Pools and Sites list. 2. Verify the following for SharePoint applications: - Applications are not assigned to the Default Application Pool. - Central Administration is not assigned to an Application Pool with applications that have non-privileged user access. - Internet and Extranet sites are assigned to different Application Pools. Verify the Central Administration Application is in a separate Application Pool. 1. Open IIS Manager. 2. Click Application Pools. 3. Identify the SharePoint Central Administration application. 4. If SharePoint Central Administration is not the only application in the pool, this is a finding.

Fix: F-32626r1_fix

Consult the IIS STIG for further guidance. Either remove applications from the application pool or create a separate application pool for the SharePoint Central Administration site.

b
For environments requiring an Internet-facing capability, the SharePoint application server upon which Central Administration is installed must not be installed in the DMZ.
AC-4 - Medium - CCI-001414 - V-28217 - SV-36120r2_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001414
Version
SHPT-00-000130
Vuln IDs
  • V-28217
Rule IDs
  • SV-36120r2_rule
Information flow control regulates where information is allowed to travel within and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the information. SharePoint Central Administrator is a powerful management tool used to administer the farm. This server should be installed on a trusted network segment. This server should be used to run required services rather than user-oriented web applications. System AdministratorEBBD-1, EBBD-2, EBBD-3
Checks: C-37401r2_chk

1. Inspect the logical location of the server farm web front end servers on a network diagram. 2. Verify the Central Administration site is not installed on a server located in a DMZ or other publicly accessible segment of the network. 3. Mark as a finding if Central Administrator is installed on a publicly facing SharePoint server.

Fix: F-32637r1_fix

Remove the application server from the DMZ.

a
SharePoint must enable IRM to bind attributes to information to facilitate the organization’s established information flow policy as needed.
AC-4 - Low - CCI-000223 - V-28230 - SV-36418r2_rule
RMF Control
AC-4
Severity
Low
CCI
CCI-000223
Version
SHPT-00-000165
Vuln IDs
  • V-28230
Rule IDs
  • SV-36418r2_rule
The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Attribution is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in an information system, allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific organizations/individuals. Binding security attributes to information allows policy enforcement mechanisms to act on that information and enforce policy. System AdministratorEBBD-1, EBBD-2, EBBD-3
Checks: C-37056r2_chk

An IRM must be enabled in SharePoint. The Windows Rights Management Services (RMS) (or a comparable IRM product) can either be located through Active Directory or specified. 1. In Central Administration, click on Security. 2. On the Security page, in the Information policy list, click “Configure information rights management”. 3. If “Do not use IRM on this server” is selected, this is a finding.

Fix: F-32324r3_fix

1. In Central Administration, click on Security. 2. On the Security page, in the Information policy list, click “Configure information rights management”. 3. Select “Use the default RMS server specified in Active Directory” or identify a specific server by selecting “Use this RMS server:” and entering the server name.

b
SharePoint must enforce organizational requirements to implement separation of duties through assigned information access authorizations.
AC-5 - Medium - CCI-000037 - V-28241 - SV-37759r2_rule
RMF Control
AC-5
Severity
Medium
CCI
CCI-000037
Version
SHPT-00-000190
Vuln IDs
  • V-28241
Rule IDs
  • SV-37759r2_rule
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out the action. Additionally, the person or entity accountable for monitoring the activity must be separate as well. To meet this requirement, applications, when applicable, shall be divided where functionality is based on roles and duties. Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles. System AdministratorECLP-1
Checks: C-37345r2_chk

Verify permission levels for roles are created and assigned correct permissions for each site. The Web Site Admin permission level is a copy of Full Control with modifications according to an organizationally defined permission list. The Web Site Audit permission level is a copy of Full Control with modifications according to an organizationally defined permission list. The Web Site Managers permission level is a copy of Full Control with modifications according to organizationally defined permission list. These permission levels must be configured to produce separation of duties in SharePoint. 1. On a site home page, click Site Actions and then click Site Permissions. 2. In the Manage section of the ribbon, click Permission Levels. 3. Verify the permissions for Web Site Admin, Web Site Audit, and Web Site Manager are set according to organizationally defined permissions. 4. Mark as a finding if any of the three permission levels do not exist. Mark as a finding if permissions for Web Site Admin, Web Site Audit, and Web Site Manager are not set in accordance with organizationally defined permissions.

Fix: F-32580r4_fix

Create and/or confirm the three required permission levels exist and have permissions in accordance with organizationally defined permissions. 1. On a site home page, click Site Actions, and then click Site Permissions. 2. In the Manage section of the ribbon, click Permission Levels. 3. Create missing permission levels by clicking Add a Permission Level. 4. On the Add a Permission Level page, in the Name field, type a name for the new permission level (Web Site Admin, Web Site Audit, or Web Site Manager). 5. In the Description field, type a description of the new permission level. 6. In the list of permissions, select the check boxes to add permissions to the permission level according to the organizationally defined permissions from the IAO. 7. Click Create.

b
Timer job retries for automatic password change on Managed Accounts must meet DoD password retry policy.
AC-7 - Medium - CCI-000044 - V-28249 - SV-37975r2_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
SHPT-00-000210
Vuln IDs
  • V-28249
Rule IDs
  • SV-37975r2_rule
When an authentication method is exposed to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts, organizations define the number of times a user account may consecutively fail a log in attempt. The organization also defines the period of time in which these consecutive failed attempts may occur. By limiting the number of failed log in attempts, the risk of unauthorized system access via user password guessing otherwise known as brute forcing is reduced. Limits are imposed by locking the account. The automatic password change feature for Managed Accounts allows SharePoint to automatically generate new strong passwords on a schedule set by the administrator. This generates a password change job in the Timer Service. Limiting the number of times the job attempts to change the password, will help guard against a password change attack. System AdministratorECLO-1, ECLO-2
Checks: C-37270r3_chk

1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure password change settings. 3. On the Password Management Settings page, in the Automatic Password Change Settings section, verify “Number of retries before password change timer fails:” is set to 3. (Numbers less than 3 are not normally recommended.) 4. Mark as a finding if the “Number of retries before password change timer fails:” is set to a number greater than 3.

Fix: F-32507r3_fix

1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure password change settings. 3. On the Password Management Settings page, in the Automatic Password Change Settings section, set the “Number of retries before password change timer fails:” to 3.

b
SharePoint clients must be configured to display an approved system use notification message or banner before granting access to the system.
AC-8 - Medium - CCI-000048 - V-28252 - SV-36428r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
SHPT-00-000235
Vuln IDs
  • V-28252
Rule IDs
  • SV-36428r1_rule
Applications are required to display an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access that includes an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to agree by clicking on a box indicating “OK” or some other equivalent action. System AdministratorECWM-1
Checks: C-36978r1_chk

1. Obtain a listing of all SharePoint Web applications. 2. Open a Web browser and navigate to the SharePoint Web application home page. 3. Verify the authorized DoD warning banner text is displayed on the SharePoint web application home page. 4. If the authorized DoD warning banner text is not displayed on the first screen of the SharePoint web application, this is a finding. NOTE: Supplementary Information: DoD Login Banner "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Fix: F-32242r1_fix

Configure the SharePoint web application’s home page to display the authorized DoD warning banner text on or before the login page.

b
SharePoint must retain the notification message or banner on the screen until users take explicit actions to log on to or further access.
AC-8 - Medium - CCI-000050 - V-28254 - SV-36431r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000050
Version
SHPT-00-000240
Vuln IDs
  • V-28254
Rule IDs
  • SV-36431r1_rule
To establish acceptance of system usage policy, a click-through banner at application logon is required. The banner shall prevent further activity on the application unless and until the user executes a positive action to agree by clicking on a box indicating "OK" or agreement with the terms of the banner. The text of this banner should be customizable in the event of future user agreement changes. System AdministratorECWM-1
Checks: C-36980r1_chk

1. Obtain a list of all SharePoint Web applications. 2. Open a Web browser and navigate to the SharePoint Web applications home page. 3. No further access is possible to the SharePoint web application unless a positive action to agree (such as clicking on a box indicating “OK”) is required. 4. If further access to the SharePoint Web application is possible before positive action to agree, this is a finding.

Fix: F-32244r1_fix

Configure the SharePoint Web application home page to not allow any further access until the user executes a positive action to agree.

b
SharePoint must be configured to display the banner, when appropriate, before granting further access.
AC-8 - Medium - CCI-001384 - V-28256 - SV-36432r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-001384
Version
SHPT-00-000245
Vuln IDs
  • V-28256
Rule IDs
  • SV-36432r1_rule
Applications are required to display the following information: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a description of the authorized uses of the system. System use notification messages can be implemented in the form of warning banners displayed when individuals login to the information system. System use notification is intended only for information system access including an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist. System AdministratorECWM-1
Checks: C-36983r1_chk

1. Obtain a list of all publicly accessible SharePoint application(s). 2. Open a Web browser and point it to each SharePoint publicly accessible applications. 3. Verify a DoD warning banner is displayed on the home page of each publicly accessible application. 4. If a DoD warning banner is not displayed on the home page of each publicly accessible SharePoint application, this is a finding.

Fix: F-32247r1_fix

Configure publicly accessible SharePoint Web applications home page to display a DoD warning banner before logging in.

b
The Central Administration site must not be accessible from Extranet or Internet connections.
SC-2 - Medium - CCI-001083 - V-28281 - SV-36741r2_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001083
Version
SHPT-00-000690
Vuln IDs
  • V-28281
Rule IDs
  • SV-36741r2_rule
SharePoint must prevent the presentation of information system management-related functionality at an interface utilized by general, (i.e., non-privileged), users. Central Administration is an application used to manage SharePoint system settings and the settings of the web applications running under SharePoint. The Central Administration application should be protected using a defense-in-depth approach. Regular users should not be able to access the Central Administration as the first line of defense. The second line of defense is that regular users do not have user ids defined in the Central Administration application. System AdministratorDCPA-1
Checks: C-37494r2_chk

Check outside access to Central Administration. 1. On an administrative work station, open Central Administration and make note of the URL (i.e., http://sharepointserver:7040). 2. Try to open the Central Administration application on a regular user’s workstation. Open a Web browser and type in the URL to Central Administration. If Central Administration can be opened, it is a finding.

Fix: F-32742r2_fix

Block outside Central Administration access. Use IIS IP address restrictions, firewall, or other filtering solutions to limit access to the Central Administration site.

b
SharePoint sites must not use NTLM.
IA-2 - Medium - CCI-000774 - V-29301 - SV-37822r3_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000774
Version
SHPT-00-000531
Vuln IDs
  • V-29301
Rule IDs
  • SV-37822r3_rule
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonce's or challenges (e.g., TLS, WS_Security), and time synchronous or challenge-response one-time authenticators. SharePoint must not use NTLM in the authentication process. System AdministratorIAIA-1, IAIA-2
Checks: C-37023r5_chk

SharePoint must be configured to not use NTLM. Review the SharePoint server configuration to ensure replay-resistant authentication mechanisms for network access to privileged accounts are used. SharePoint must be configured to use Kerberos as the primary authentication provider. Log on to the server. Click Start. Type Internet Information Services Manager in the Search Bar, click Enter. Expand the server node in the tree view and expand the "Sites" node. *For each...* Select a SharePoint Web Application site to review. In the "IIS" section, double-click Authentication and then select "Windows Authentication". Right-click "Windows Authentication" and select "Providers". Ensure "Negotiate" is listed first. If NTLM is listed first in the Enabled Providers box, this is a finding.

Fix: F-32291r5_fix

1. Using IIS Manager (IIS 7), navigate to view the SharePoint Web Application sites. 2. Select a SharePoint Web Application site to configure. 3. In the IIS section, double-click Authentication and select Windows Authentication. 4. Right-click Windows Authentication and select Providers. 5. Add Negotiate to the list in the Enabled Providers box. 6. Remove NTLM from the list in the Enabled Providers box.

b
SharePoint farm service account (Database Access account) must be configured with minimum privileges in Active Directory (AD).
AC-5 - Medium - CCI-000037 - V-29306 - SV-37832r2_rule
RMF Control
AC-5
Severity
Medium
CCI
CCI-000037
Version
SHPT-00-000191
Vuln IDs
  • V-29306
Rule IDs
  • SV-37832r2_rule
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires the person accountable for approving an action not be the same person who is tasked with implementing the action. This requirement is intended to limit exposure due to user accounts being used to operate from within a privileged account or role. Limiting the access and permissions of privileged accounts to the minimum required, reduces exposure if the account is compromised and provides forensic history of activity when operating from these accounts. This policy limits the Farm Account privileges in AD. However, default permissions for this account are configured by the SharePoint Products Configuration Wizard during product installation. This account is referred to during the installation as the “Database Access” account. By default, the account is used as the service account for the SharePoint Timer Service and the SharePoint Central Administration Web Site Application Pool. These settings should not be changed. Furthermore, this account should not be used as the service account for non-privileged services, applications, or application pools. See TechNet Article cc678863 for information regarding required permission. The server farm account requires membership in the Domain Users group in Active Directory.System AdministratorECLP-1
Checks: C-37713r4_chk

Verify the account has least privilege in Active Directory. 1. Navigate to Active Directory Users and Computers -&gt; Users. 2. Double click on the account to view the account properties. 3. Select the Members of tab and verify that this account is a member of the Domain Users group only. 4. Mark as a finding if the server farm service account is a member of an Active Directory security groups other than Domain Users.

Fix: F-32960r3_fix

Ensure the farm service account has minimum permissions in Active Directory. 1. Navigate to Active Directory Users and Computers -> Users. 2. Double click on the account to view the account properties. 3. Select the Members of tab to view group membership for this account. 4. Remove this account from membership in groups other than Domain Users.

b
The Online Web Part Gallery must be configured for limited access.
SC-18 - Medium - CCI-001167 - V-29338 - SV-37994r2_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001167
Version
SHPT-00-000682
Vuln IDs
  • V-29338
Rule IDs
  • SV-37994r2_rule
Web Part galleries are groupings of Web Parts. There are four Web Part galleries: Closed Web Parts, Site Name Gallery, Server Gallery, and Online Gallery. The Online Gallery is a collection of Microsoft MSNBC Web Parts located on the Internet. Allowing users to access the Online Web Part Gallery causes a significant performance hit on the server, due to the server attempting to connect to the MSNBC online gallery. This could result in a Denial-of-Service. The Online Gallery could contain Web Parts from unknown third parties, which could increase the risk of a malicious code execution attack. Preventing users from accessing the Online Web Part Gallery decreases the system's attack surface. System AdministratorECCR-2
Checks: C-37298r2_chk

1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Manage web part security. 3. On the Security for Web Part Pages page, for each web application in the Web Application section, perform the following: - Select a web application in the Web Application list. - In the Online Web Part Gallery section, verify the "Prevents users from accessing the Online Web Part Gallery, and helps to improve security and performance" option is selected. 4. Mark as a finding if the "Prevents users from accessing the Online Web Part Gallery, and helps to improve security and performance" option in the Online Web Part Gallery section is not selected.

Fix: F-32535r2_fix

Enable the "Prevents users from accessing the Online Web Part Gallery, and helps to improve security and performance" option for each web application. 1. In Central Administration, click Security. 2. On the Security page, in the General Security list, click Manage web part security. 3 On the Security for Web Part Pages page, for each web application in the web application section, perform the following: - Select a web application in the Web Application list. - In the Online Web Part Gallery section, select the "Prevents users from accessing the Online Web Part Gallery, and helps to improve security and performance". 4. Click OK.

c
SharePoint-specific malware (i.e., anti-virus) software must be integrated and configured.
SC-18 - High - CCI-001167 - V-29339 - SV-37995r3_rule
RMF Control
SC-18
Severity
High
CCI
CCI-001167
Version
SHPT-00-000683
Vuln IDs
  • V-29339
Rule IDs
  • SV-37995r3_rule
Configuring anti-virus settings ensures documents will be scanned for viruses upon download from and upload to the SharePoint server. Anti-virus settings are not configured by default, therefore leaving SharePoint document libraries open to potential viruses.System AdministratorECCR-2
Checks: C-37299r4_chk

1. Verify a SharePoint specific antivirus solution is installed. 2. In SharePoint Central Administration, click Security. 3. On the Security page, in the General Security list, click Manage antivirus settings. 4. Mark as a finding if the following boxes are unchecked: - Scan documents on upload. - Scan documents on download. - Attempt to clean infected documents.

Fix: F-32536r3_fix

Install and configure anti-virus package. 1. Install a SharePoint specific antivirus solution. 2. In SharePoint Central Administration, click Security. 3. On the Security page, in the General Security list, click Manage antivirus settings. 4. Check the boxes for the following: - Scan documents on upload. - Scan documents on download. - Attempt to clean infected documents. 5. Click OK.

b
The “Automatically delete the site collection if use is not confirmed” property must not be enabled for web applications.
Medium - V-29363 - SV-38109r2_rule
RMF Control
Severity
Medium
CCI
Version
SHPT-00-000127
Vuln IDs
  • V-29363
Rule IDs
  • SV-38109r2_rule
Automatic deletion is an administrative feature that can delete unused sites without administrative intervention and without a backup mechanism. Automatic deletion permanently removes all content and information from the site collection and any sites beneath it. If the site collection administrator or secondary site collection administrator fails to confirm a site is still in use when receiving an email notification asking if the site is still in use, the site is automatically deleted. This could result in a Denial-of-Service to the users of that site. Also, data could be lost if a backup was not made prior to removing the site collection.EBBD-1, EBBD-2, EBBD-3
Checks: C-37482r2_chk

1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Site Collections list, click Confirm site use and delegation. 3. Repeat the following steps for each web application: - Select the web application. - Verify that the "Automatically delete the site collection if use is not confirmed" checkbox is not checked. 4. Mark as a finding if the checkbox is checked for any active application on the SharePoint farm.

Fix: F-32729r4_fix

Disable the "Automatically delete the site collection if use is not confirmed" property for each web application. 1. In Central Administration, click Application Management. 2. On the Application Management page, in the Site Collections list, click Confirm site use and deletion. 3. Repeat the following steps for each web application: - Select the web application. - Deselect the "Automatically delete the site collection if use is not confirmed" checkbox.

b
Access to Central Administration site must be limited to authorized users and groups.
SC-2 - Medium - CCI-001083 - V-29367 - SV-38129r2_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001083
Version
SHPT-00-000692
Vuln IDs
  • V-29367
Rule IDs
  • SV-38129r2_rule
SharePoint must prevent the presentation of information system management-related functionality at an interface utilized by general, (i.e., non-privileged), users administrative interfaces to non-privileged users. Information system management functionality includes: functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate. An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different domain and with additional access controls. The Central Administrator is the web application used to manage SharePoint system configuration and web application settings.System AdministratorDCPA-1
Checks: C-37501r3_chk

Obtain local site documentation noting authorized administrators. 1. Open Central Administration. 2. Select Site-Actions &gt; Site Permissions. 3. Verify only organizationally defined users or groups are listed. 4. Mark as a finding if unauthorized users or groups are listed.

Fix: F-32749r3_fix

1. Open Central Administration. 2. Select Site Actions > Site Permissions. 3. Remove all users and groups not on the organizationally defined list maintained by the IAO.

a
A secondary site collection administrator must be defined when creating a new site collection.
AC-5 - Low - CCI-000037 - V-29373 - SV-38149r2_rule
RMF Control
AC-5
Severity
Low
CCI
CCI-000037
Version
SHPT-00-000197
Vuln IDs
  • V-29373
Rule IDs
  • SV-38149r2_rule
If a site reaches its maximum size, users will be denied access until an administrator fixes the problem. Having a secondary administrator reduces the risk of having a Denial-of-Service on a site. If the site reaches its maximum size, the secondary administrator can fix the problem if the primary administrator is not available. In some situations, having a secondary site administrator could be inappropriate for reasons of control or confidentiality.System AdministratorECLP-1
Checks: C-41874r4_chk

This check should be marked not applicable if the farm is used only for the support of mySites. 1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Site Collections list, click Change site collection administrators. 4. For each Site Collection, review Secondary Site Collection Administrator. 5. Mark as a finding if Secondary Site Collection Administrator is not defined unless the site collection is for mySites.

Fix: F-37724r3_fix

1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Site Collections list, click Change site collection administrators. 4. For each Site Collection, define a Secondary Site Collection Administrator unless the site collection is for mySites. 5. Select OK.

b
SharePoint service accounts must be configured for separation of duties.
AC-5 - Medium - CCI-000037 - V-29398 - SV-38296r2_rule
RMF Control
AC-5
Severity
Medium
CCI
CCI-000037
Version
SHPT-00-000199
Vuln IDs
  • V-29398
Rule IDs
  • SV-38296r2_rule
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. SharePoint service accounts must be configured for separation of duties, particularly the farm services account which should not be used to manage other services. The required service accounts must be created in AD (default users group member only). These AD accounts are applied when installing and configuring SharePoint services. If the default Farm Services Account is used for all services during initial configuration, this must be changed when each service is configured. This violates the principles of least privilege since not all services have equal trust levels. Some services, (e.g., Excel Service or Search Service), may be configured to interact with outside resources. Microsoft recommends separate accounts for each service with the minimum required privileges for each service account. When each service is installed, a service account is requested by the application. Ensure one service account is not used for all services. Either use separate accounts for all services or group the services based on trust and access privileges. Each account will be a member of the default user domain group in AD. The exact services installed on each farm may vary.System AdministratorECLP-1
Checks: C-37711r5_chk

1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure service accounts. 3. On the Service Accounts page, in the Credential Management section, select each service installed, and view the service account entry. 4. Verify each service is managed by a separate account or accounts are assigned based on common access permissions or trust levels. 5. If each service does not operate using a unique account or accounts are not assigned based on common access permissions or trust levels, this is a finding.

Fix: F-32958r5_fix

1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure service accounts. 3. On the Service Accounts page, in the Credential Management section, select each service installed, and configure the service account field by selecting the appropriate AD account from the drop-down menu. 4. Create separate accounts for each service (or assign accounts based on common access permissions or trust levels).

b
The SharePoint setup user domain account must be configured with the minimum privileges in Active Directory.
AC-5 - Medium - CCI-000037 - V-29399 - SV-38299r2_rule
RMF Control
AC-5
Severity
Medium
CCI
CCI-000037
Version
SHPT-00-000193
Vuln IDs
  • V-29399
Rule IDs
  • SV-38299r2_rule
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires the person accountable for approving an action not be the same person tasked with implementing the action. This requirement is intended to limit exposure due to users (or entities acting on behalf of users) being used to operate from within a privileged account or role. Limiting the access and permissions of privileged accounts to the minimum required, reduces exposure if the account is compromised and provides forensic history of activity when operating from these accounts. See TechNet Article cc678863 for information regarding required permission. The setup user administrator account is used during initial creation of the farm, to update the farm servers, and to configure certain farm configuration option. The setup user administrator account should be limited to membership in the Domain Users group in Active Directory. System AdministratorECLP-1
Checks: C-37712r3_chk

1. Navigate to Active Directory Users and Computers -&gt; Users. 2. Double click on the account to view the account properties. 3. Select the Members of tab and verify this account is a member of the Domain Users group only. 4. Mark as a finding if the Setup User account is a member of other Active Directory domain groups other than Domain Users. Mark as a finding if the Setup User account has unneeded permissions or services assigned.

Fix: F-32959r3_fix

Ensure the Setup User domain user has minimum permissions in Active Directory. 1. Navigate to Active Directory Users and Computers -> Users. 2. Double click on the account to view the account properties. 3. Select the Members of tab to view group membership for this account. 4. Remove this account from membership in groups other than Domain Users.

b
SharePoint must protect audit information from unauthorized access to the trace data log files.
AU-9 - Medium - CCI-000162 - V-30282 - SV-39935r2_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
SHPT-00-000431
Vuln IDs
  • V-30282
Rule IDs
  • SV-39935r2_rule
If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult. To ensure the veracity of audit data the information system and/or SharePoint must protect audit information from unauthorized access. SharePoint is an integrated product with comprehensive built-in auditing capabilities working with the Windows system event log. Additional trace logs and usage logs are created by the application and are placed in a designated folder. Logs of actions taken by users of site content (editing, modifying, viewing, deleting, etc.) are stored in a SQL database. System AdministratorECTP-1
Checks: C-39017r2_chk

Verify security permissions to log file are to authorized administrators only. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure diagnostic logging. 3. Obtain the Path location for the Trace Log. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Verify permissions include only the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group.. 6. Mark as a finding if groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group have permission to the log folder.

Fix: F-34083r3_fix

Change the directory permissions where trace data logs are stored. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure diagnostic logging. 3. Obtain the Path location for the Trace Log. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Delete any groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group from the permissions list.

b
SharePoint must protect audit information from unauthorized modification to trace data logs.
AU-9 - Medium - CCI-000163 - V-30287 - SV-39940r2_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
SHPT-00-000436
Vuln IDs
  • V-30287
Rule IDs
  • SV-39940r2_rule
If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the information system and/or SharePoint must protect audit information from unauthorized modification. SharePoint is an integrated product with comprehensive built-in auditing capabilities working with the Windows system event log. Additional trace logs and usage logs are created by the application and are placed in a designated folder. Logs of actions taken by users of site content (editing, modifying, viewing, deleting, etc.) are stored in a SQL database. Only designated audit administrators and internal accounts should have any type of permission to these files.System AdministratorECTP-1
Checks: C-39018r2_chk

Verify security permissions to log file are to authorized administrators only. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure diagnostic logging. 3. Obtain the Path location for the Trace Log. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Verify permissions include only the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group.. 6. Mark as a finding if groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group have permission to the log folder.

Fix: F-34085r3_fix

Change permissions to the directory where trace logs are stored. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure diagnostic logging. 3. Obtain the path location for the Trace Log. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Delete any groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group from the permissions list.

b
SharePoint must protect audit information from unauthorized deletion of trace log files.
AU-9 - Medium - CCI-000164 - V-30290 - SV-39943r2_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
SHPT-00-000441
Vuln IDs
  • V-30290
Rule IDs
  • SV-39943r2_rule
If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the information system and/or SharePoint must protect audit information from unauthorized deletion. SharePoint is an integrated product with comprehensive built-in auditing capabilities that works with the Windows system event log. Additional trace logs and usage logs are created by the application and are placed in a designated folder. Logs of actions taken by users of site content (editing, modifying, viewing, deleting, etc.) are stored in a SQL database. System AdministratorECTP-1
Checks: C-39019r2_chk

Verify security permissions to log file are to authorized administrators only. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure diagnostic logging. 3. Obtain the Path location for the Trace Log. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Verify permissions include only the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group.. 6. Mark as a finding if groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group have permission to the log folder.

Fix: F-34087r2_fix

Change permissions to the directory where trace data logs are stored. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure diagnostic logging. 3. Obtain the Path location for the Trace Log. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Delete any groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group from the permissions list.

b
SharePoint information management policies must be created, configured, and maintained to support the use of organizationally defined security attributes.
AC-16 - Medium - CCI-001399 - V-30364 - SV-40023r2_rule
RMF Control
AC-16
Severity
Medium
CCI
CCI-001399
Version
SHPT-00-000009
Vuln IDs
  • V-30364
Rule IDs
  • SV-40023r2_rule
A SharePoint information management policy is a set of rules governing the availability and behavior of a certain type of content in the application. These policies enable administrators to control and evaluate who can access information, how long to retain information, and how effectively people are complying with the policy. For all systems processing non-publicly releasable information, an information management policy must be applied to content in document libraries and site collections by default. Applying policy to a content type or metadata allows the policy to be applied globally across document libraries, sites, or site collections. These policies must be created and configured to automatically enforce organizationally-defined security policy to a document library, a site, or a specific content type. Information management policy can be used to apply permissions, audit requirements, security labels, or barcodes based on organizationally defined content types, thus leveraging a centralized security policy and security attributes that binds to SharePoint information while in storage and in process. NOTE: Sites should run and review usage reports for the information management policy. This report shows how many policies are in place in a web application and how many documents are affected by each policy. This information can help identify which SharePoint sites are not using the global policies which may indicate a compliance issue. The information on this report can also help organizations determine how effectively the organizationally-defined labeling and other compliance requirements documented in the Site Security Plan (SSP) are being implemented. System AdministratorECAD-1
Checks: C-39038r5_chk

To verify an information management policy is enabled for use with site content, view the document properties of a sample file. Verify document or list items. 1. Go to a Site Collection within the farm. 2. Open the list or library containing the item or document to view the barcode. 3. Point to the item or document identified by the SA or site representative. 4. Click the arrow that appears, and then click View Item or View Properties. 5. Verify document property listing contains columns for labels at a minimum. Also, verify columns for barcoding, retention, and auditing (if required by the SSP) are present. 6. Mark as a finding if information management policy metadata (labeling, retention, auditing, or barcoding) do not show in the document properties for document and list content (if required by the SSP).

Fix: F-34139r5_fix

Create an information management policy and apply to lists, libraries, and list content. 1. On the site collection home page, click Site Actions, then click Site Settings. 2. On the Site Settings page, in the Site Collection Administration list, click Site collection policies. 3. On the Site Collection Policies page, click Create. 4. Follow the menus and prompts to create a name and description for the policy. 5. Configure the desired features to associate with the policy. 6. When finished selecting the options for the individual policy features to add to this information management policy, click OK to apply the policy features. 7. Once an information management policy has been created for the site collection level, apply it to lists, libraries, or list content type in accordance with organizationally defined security requirements.

b
The SharePoint setup user domain account must be configured with the minimum privileges for the local server.
AC-5 - Medium - CCI-000037 - V-30366 - SV-40025r2_rule
RMF Control
AC-5
Severity
Medium
CCI
CCI-000037
Version
SHPT-00-000195
Vuln IDs
  • V-30366
Rule IDs
  • SV-40025r2_rule
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires the person accountable for approving an action not be the same person tasked with implementing the action. This requirement is intended to limit exposure due to users (or entities acting on behalf of users) being used to operate from within a privileged account or role. Limiting the access and permissions of privileged accounts to the minimum required, reduces exposure if the account is compromised and provides forensic history of activity when operating from these accounts. See TechNet Article cc678863 for information regarding required permission. The setup user administrator account is used during initial creation of the farm, to update the farm servers, and to configure certain farm configuration option. The setup user administrator account must have membership in the local administrators Windows group on each server in the farm (excluding SQL Server and the Exchange server.) System AdministratorECLP-1
Checks: C-39041r4_chk

1. On the server(s) where the SharePoint software is installed, navigate to Server Manager -&gt; Local Users and Groups -&gt; Groups. 2. Double-click on each group to view membership. 3. Verify the SharePoint setup user domain account is a member of the Administrators and WSS_ADMIN_WPG groups only. 4. Mark as a finding if the setup user account is a member of any other group than Administrators and WSS_ADMIN_WPG on the local server where SharePoint is installed.

Fix: F-34141r4_fix

1. On the server (s) where the SharePoint software is installed, navigate to Server Manager -> Local Users and Groups -> Groups. 2. Double-click on each group to view membership. 3. Remove the SharePoint setup user account from membership in groups other than Administrators and WSS_ADMIN_WPG.