Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. Verify that each web application meets this requirement. - Select the web application. - Select General Settings. - Navigate to Web Page Security Validation and verify it is set to 10 minutes or less. 4. Mark as a finding if the default timeout period is not set to 10 minutes or less for any of the web applications.
Configure security validation. 1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. Perform the following step for each web application. - Select web application. - Select General Settings. - Navigate to Web Page Security Validation. - Set the Security validation is property to On. - Set the Security validation expires: property to After. - Set the default timeout period to 10 minutes. - Select OK to save settings.
To verify that content types are used: 1. On the site home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Galleries list, click Site content types and verify that content types have been defined. 3. Navigate to each document library and click Document Library Settings. 4. Under Content Types, verify that at least one content type is listed. 5. Mark as a finding if content types are not defined for each document library. Mark as not applicable for SharePoint implementations that process, store, or access only publicly-releasable information (i.e., does not provide access to classified, FOUO, or sensitive information).
To define content types and metadata, perform the following for each desired application security attribute, such as PII or FOUO, as defined by organizational requirements. 1. On the site home page, click Site Actions and then click Site Settings. 2. On the Site Settings page, in the Galleries list, click Site content types. 3. Enter a name for the content type and click OK to view the advanced properties. 4. Scroll down this page and add the columns to prompt the user to enter as metadata or properties to collect when documents of this content type are added to SharePoint.
To verify users are prompted automatically when entering new documents into SharePoint: 1. Using an account with authorized user permissions (not system administrator), attempt to add a document to a document library. 2. Verify the user is prompted to enter metadata and content type information. 3. Mark as a finding if the sample users are not prompted for content type information as required by the site's SSP as designated by the organization (e.g., FOUO, Personally Identifiable Information [PII], or other sensitivity levels requiring access control, retention, or tracking.)
Create an information management policy and apply to lists, libraries, and list content. 1. On the site collection home page, click Site Actions, point to Site Settings. 2. Click Site Settings. 3. On the Site Settings page, in the Site Collection Administration list, click Site Collection Policies. 4. On the Site Collection Policies page, click Create. 5. Follow the menus and prompts to create a name and description for the policy, and then write a brief policy statement that explains the policy to the users. 6. Configure the desired features to associate with the policy. 7. When you finish selecting the options for the individual policy features that you want to add to this information management policy, click OK to apply the policy features. 8. Once an information management policy has been created for the site collection level, it can be applied to lists, libraries, or list content type.
To view what workflows are associated within Central Administration: 1. On the site home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Site Administration list, click Workflows. 3. Verify there is at least one active workflow configured for dual approval. 4. Mark as a finding if the SSP requires dual approval, but it is not enforced by workflow. 5. Mark as not a finding if dual authorization is not required by the SSP.
Create an approval workflow for document libraries or documents which requires dual authorization. 1. On the site home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Site Administration list, click Site libraries and lists. 3. On the Site Libraries and Lists page, select a library or list. 4. On the List Settings page, in the Permissions and Management list, click Workflow Settings. 5. On the Workflow Settings page, click Add a workflow. 6. Follow the directions of the workflow wizard to create an approval workflow that requires dual approval for the documents stored in the selected library.
1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. On the Web Applications Management page, verify that each Web Application URL begins with https. 4. Mark as a finding if the URL does not begin with https. 5. Mark as not a finding if SharePoint communications between all components and clients are protected by alternative physical measures that have been approved by the DAA.
1. Open IIS Manager. 2. In the Connections pane, expand Sites. 3. Click the Web Application site. 4. In the Actions pane, click Bindings…. 5. In the Site Bindings window, click Add. 6. In the Add Site Binding window, change Type to https and select the site’s SSL certificate. 7.Click OK and then click Close.
1. In SharePoint Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. On the Configure web analytics and health data collection page, in the Usage Data Collection section, verify Enable usage data collection is checked. 4. In the Health Data Collection section, verify Enable health data collection is checked. 5. Mark as a finding if Enable usage data collection and Enable health data collection are not checked.
Enable and configure the Usage and Health Data Collection Service Application. 1. In SharePoint Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. On the Configure web analytics and health data collection page, in the Usage Data Collection section, check the box for Enable usage data collection. 4. In the Health Data Collection section, check the box for Enable health data collection. 5. Click OK.
Each of the following scripts must be run as TSQL queries, replacing string text with suitable replacements. Navigate to the SQL Server Management Console and open a new query window to run the following script. 1. Run this TSQL query below. USE SharePointContentDB GO SELECT {NAME},is_encrypted FROM sys.databases WHERE name='TDE_Testing' GO 2. Mark as a finding if return value is not 1. 3. Mark as not a finding if a third-party solution is used and documented with the IAO.
Data-at-rest encryption is provided by encryption of the SQL 2008 SharePoint database using TDE or a third party solution. Each of the following scripts must be run as TSQL queries and replace string text with suitable replacements. Navigate to the SQL Server Management Console and open a new query window to run the following script. 1. Create the DMK. USE master; GO CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC'; GO 2. Create the TDE Certificate. USE master; GO CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate'; GO 3. Back up the TDE Certificate. USE master; GO BACKUP CERTIFICATE CompanyABCtdeCert TO FILE = 'C:\Backup\CompanyABCtdeCERT.cer' WITH PRIVATE KEY ( FILE = 'C:\Backup\CompanyABCtdeCert.pvk', ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!'); GO 4. Create the DEK. USE SharePointContentDB; GO CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert GO 5. Encrypt the database. USE SharePointContentDB GO ALTER DATABASE SharePointContentDB SET ENCRYPTION ON GO 6. Monitor the progress; once encryption_state is ‘3’, the database is encrypted. USE SharePointContentDB GO SELECT * FROM sys.dm_database_encryption_keys WHERE encryption_state = 3; GO
1. In Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. Click a web application, and then click General Settings in the Manage section of the ribbon. 4. Click on the Web Application General Settings dialog window in the Web Page Security Validation section. 5. Verify Security validation is” is set to On and Security validation expires: is set to 10 minutes or less. 6. Mark as a finding if Web Page Security Validation is set to Off or a value greater than 10 minutes.
1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. Click a web application, and then click General Settings in the Manage section of the ribbon. 4. In the Web Application General Settings dialog window, in the Web Page Security Validation section, set Web Page Security Validation to On and a value less than 10 minutes.
Verify security permissions to log file are to authorized administrators only. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. Obtain the log file location for the Usage Data Collection Settings. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Verify permissions include only the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group. 6. Mark as a finding if groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group have permission to the log folder.
Change permissions to the directory where usage data collection is stored: 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. Obtain the Log file location for the Usage Data Collection Settings. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Delete any groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group and SYSTEM group from the permissions list.
Verify security permissions to log file are to authorized administrators only. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. Obtain the log file location for the Usage Data Collection Settings. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Verify permissions include only the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group. 6. Mark as a finding if groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group have permission to the log folder.
Check the directory permissions where usage data collection is stored. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. Obtain the Log file location for the Usage Data Collection Settings. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Delete any groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group and SYSTEM group from the permissions list.
Verify security permissions to log file are to authorized administrators only. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. Obtain the log file location for the Usage Data Collection Settings. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Verify permissions include only the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group. 6. Mark as a finding if groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group have permission to the log folder.
Change permissions to the directory where usage data collection is stored. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure usage and health data collection. 3. Obtain the Log file location for the Usage Data Collection Settings. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Delete any groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group and SYSTEM group from the permissions list.
Obtain local site documentation noting authorized administrators. 1. On the site home page, click “Site Actions” and then click Site Settings. 2. On the Site Settings page, in the Users and Permissions list, click Site collection administrators. 3. Verify all users or groups listed in the site collection administrators group are authorized. 4. Mark as a finding if there are users or groups listed as site administrators that should not be listed as administrators. Check users and groups with full control permission as they can access audit reporting. 1. On the site home page, click Site Actions and then click Site Permissions. 2. Examine all the owners and groups that have full control of the site. 3. Ask the SA or Application Administrators if all the users or groups listed as having full control of the site need full control over the site. 4. It is a finding if there are users or groups listed as having full control over the site which do not need to have full control.
Remove users and groups from the site administrator / site owner groups. Remove unneeded identifiers from site collection administrators. 1. On the site home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Users and Permissions list, click “Site collection administrators”. 3. Remove any non-site owner users or groups. 4. Click OK. Change permissions on users and groups not requiring full site control. 1. On the site home page, click Site Actions, and then click Site Permissions. 2. Put users not requiring full control in groups with less privilege (i.e., Site contributor, site user).
The auditing information management policy needs to be configured to available in new site and list policies. This feature makes auditing services available for auditing user actions on documents and list items to the Audit Log. Information in the Audit Log can help in determining accountability. 1. In SharePoint Central Administration, click Security. 2. On the Security page, on the Information policy list, click Configure Information Management Policy. 3. On the Information Management Policy Configuration page, select Auditing. 4. Verify the option Available for use in new site and list policies is selected. 5. Mark this as a finding if the option Available for use in new site and list policies is not set.
Ensure the auditing information management policy is configured to be available. 1. In SharePoint Central Administration, click Security. 2. On the Security page, in the Information policy list, click Configure Information Management Policy. 3. On the Information Management Policy Configuration page, select Auditing. 4. Select the option Available for use in new site and list policies. 5. Click Save.
1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. On the Web Application Management page, click the Central Administration Web Application, and then click Authentication Providers in the Security section of the ribbon. 4. In the Authentication Providers dialog window, click each Zone and verify if Integrated Windows authentication with Negotiate (Kerberos) are selected in the IIS Authentication Settings section. 5. Mark as not a finding if SharePoint is not used to process sensitive (not public releasable) information. 6. Mark as a finding if Integrated Windows authentication with Negotiate (Kerberos) is not enabled for each zone that processes sensitive (not public releasable) information.
Enable Kerberos on the Central Administration Web Application. 1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Web Applications list, click Manage web applications. 3. On the Web Application Management page, click the Central Administration Web Application, and then click Authentication Providers in the Security section of the ribbon. 4. In the Authentication Providers dialog window, click the associated zone that processes sensitive information (not public releasable) and enable Integrated Windows authentication with Negotiate (Kerberos) and click Save.
1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure managed accounts. 3. Go through each service account to see if “Enable automatic password change” is checked. 4. Mark as a finding if “Enable automatic password change” is not checked.
1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure managed accounts. 3. Edit setting for each managed account. 4. Select “Enable automatic password change”.
1. Navigate to “Active Directory Users and Computers” -> Users. 2. Double click on the name of the audit administrators group. 3. View the properties of each group and work with the SA or application administrator to verify the accounts are for authorized audit administrators. 4. Mark as a finding if privileged users who do not have authorized audit responsibilities for SharePoint are listed in this group.
1. Create a SharePoint audit security group in AD or use an existing audit administrators group that has been designated and authorized to perform audit functions. 2. Add the accounts of authorized audit administrators to the group. 3. On the server(s) for which the SharePoint software is installed, navigate to Server Manager -> Local Users and Groups. 4. View the properties of each group and verify that this account is a member of the Administrators group and no other groups.
Verify only organizationally-approved (as documented in the site’s SSP) are installed and active in SharePoint. 1. Navigate to the Central Administration home page. 2. In the Application Management section, click Manage Service Applications. 3. From the Manage Service Applications page, view the list of active services, web parts, and applications. 4. Verify that installed services are documented in the site’s SSP. 5. Mark as a finding if active services, web parts, and applications are not documented in the SSP.
Follow these steps to access the management pages of a service application by using Central Administration. 1. Navigate to the Central Administration home page. 2. In the Application Management section, click Manage Service Applications. 3. From the Manage Service Applications page, select the service application to be removed. 4. Remove all services that are not needed or approved for use by the organization.
1. In Central Administrator, view the URL in the address bar of the browser. 2. The URL includes a colon which is followed by the port number. 3. Mark as a finding if the port number used is not allowed in accordance with DoD PPSM policy or is less than 1024.
1. Open the SharePoint 2010 Management Shell (Start > All Programs > Microsoft SharePoint 2010 Products > SharePoint 2010 Management Shell). 2. Change the port number to a PPSM approved port which does not conflict with existing port usage by using the following command: –Set -SPCentralAdministration -Port <PortNumber>. 3. Press Enter to save.
1. Verify the SharePoint farm servers, particularly those designated as critical information systems, are backed up periodically on a schedule identified by the DAA or designated representative. 2. Mark as a finding if backup is not performed or is not performed in compliance with required frequency.
Backup SharePoint farm servers, particularly those designated as critical information systems periodically on a schedule identified by the DAA or designated representative.
Since it is not reasonable to check every collection or library in a large implementation, sample test some of the site's site collections using the following procedures. SharePoint audits actions at the site level. 1. On the site collection home page, click Site Actions and then click Site Settings. 2. On the Site Settings page, in the Site Collection Administration list, click Site collection audit settings. 3. Mark as a finding if the organizationally defined settings are not checked in the "Documents and Items” and the “Lists, Libraries, and Sites” sections.
1. On the site collection home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Site Collection Administration list, click on Site collection audit settings. 3. In the Documents and Items section, specify the events to audit. 4. In the Lists, Libraries, and Sites section, specify the events to audit. 5. Click OK.
1. Use the IIS Manager to navigate to the SharePoint Applications Pools and Sites list. 2. Verify the following for SharePoint applications: - Applications are not assigned to the Default Application Pool. - Central Administration is not assigned to an Application Pool with applications that have non-privileged user access. - Internet and Extranet sites are assigned to different Application Pools. Verify the Central Administration Application is in a separate Application Pool. 1. Open IIS Manager. 2. Click Application Pools. 3. Identify the SharePoint Central Administration application. 4. If SharePoint Central Administration is not the only application in the pool, this is a finding.
Consult the IIS STIG for further guidance. Either remove applications from the application pool or create a separate application pool for the SharePoint Central Administration site.
1. Inspect the logical location of the server farm web front end servers on a network diagram. 2. Verify the Central Administration site is not installed on a server located in a DMZ or other publicly accessible segment of the network. 3. Mark as a finding if Central Administrator is installed on a publicly facing SharePoint server.
Remove the application server from the DMZ.
An IRM must be enabled in SharePoint. The Windows Rights Management Services (RMS) (or a comparable IRM product) can either be located through Active Directory or specified. 1. In Central Administration, click on Security. 2. On the Security page, in the Information policy list, click “Configure information rights management”. 3. If “Do not use IRM on this server” is selected, this is a finding.
1. In Central Administration, click on Security. 2. On the Security page, in the Information policy list, click “Configure information rights management”. 3. Select “Use the default RMS server specified in Active Directory” or identify a specific server by selecting “Use this RMS server:” and entering the server name.
Verify permission levels for roles are created and assigned correct permissions for each site. The Web Site Admin permission level is a copy of Full Control with modifications according to an organizationally defined permission list. The Web Site Audit permission level is a copy of Full Control with modifications according to an organizationally defined permission list. The Web Site Managers permission level is a copy of Full Control with modifications according to organizationally defined permission list. These permission levels must be configured to produce separation of duties in SharePoint. 1. On a site home page, click Site Actions and then click Site Permissions. 2. In the Manage section of the ribbon, click Permission Levels. 3. Verify the permissions for Web Site Admin, Web Site Audit, and Web Site Manager are set according to organizationally defined permissions. 4. Mark as a finding if any of the three permission levels do not exist. Mark as a finding if permissions for Web Site Admin, Web Site Audit, and Web Site Manager are not set in accordance with organizationally defined permissions.
Create and/or confirm the three required permission levels exist and have permissions in accordance with organizationally defined permissions. 1. On a site home page, click Site Actions, and then click Site Permissions. 2. In the Manage section of the ribbon, click Permission Levels. 3. Create missing permission levels by clicking Add a Permission Level. 4. On the Add a Permission Level page, in the Name field, type a name for the new permission level (Web Site Admin, Web Site Audit, or Web Site Manager). 5. In the Description field, type a description of the new permission level. 6. In the list of permissions, select the check boxes to add permissions to the permission level according to the organizationally defined permissions from the IAO. 7. Click Create.
1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure password change settings. 3. On the Password Management Settings page, in the Automatic Password Change Settings section, verify “Number of retries before password change timer fails:” is set to 3. (Numbers less than 3 are not normally recommended.) 4. Mark as a finding if the “Number of retries before password change timer fails:” is set to a number greater than 3.
1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure password change settings. 3. On the Password Management Settings page, in the Automatic Password Change Settings section, set the “Number of retries before password change timer fails:” to 3.
1. Obtain a listing of all SharePoint Web applications. 2. Open a Web browser and navigate to the SharePoint Web application home page. 3. Verify the authorized DoD warning banner text is displayed on the SharePoint web application home page. 4. If the authorized DoD warning banner text is not displayed on the first screen of the SharePoint web application, this is a finding. NOTE: Supplementary Information: DoD Login Banner "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Configure the SharePoint web application’s home page to display the authorized DoD warning banner text on or before the login page.
1. Obtain a list of all SharePoint Web applications. 2. Open a Web browser and navigate to the SharePoint Web applications home page. 3. No further access is possible to the SharePoint web application unless a positive action to agree (such as clicking on a box indicating “OK”) is required. 4. If further access to the SharePoint Web application is possible before positive action to agree, this is a finding.
Configure the SharePoint Web application home page to not allow any further access until the user executes a positive action to agree.
1. Obtain a list of all publicly accessible SharePoint application(s). 2. Open a Web browser and point it to each SharePoint publicly accessible applications. 3. Verify a DoD warning banner is displayed on the home page of each publicly accessible application. 4. If a DoD warning banner is not displayed on the home page of each publicly accessible SharePoint application, this is a finding.
Configure publicly accessible SharePoint Web applications home page to display a DoD warning banner before logging in.
Check outside access to Central Administration. 1. On an administrative work station, open Central Administration and make note of the URL (i.e., http://sharepointserver:7040). 2. Try to open the Central Administration application on a regular user’s workstation. Open a Web browser and type in the URL to Central Administration. If Central Administration can be opened, it is a finding.
Block outside Central Administration access. Use IIS IP address restrictions, firewall, or other filtering solutions to limit access to the Central Administration site.
SharePoint must be configured to not use NTLM. Review the SharePoint server configuration to ensure replay-resistant authentication mechanisms for network access to privileged accounts are used. SharePoint must be configured to use Kerberos as the primary authentication provider. Log on to the server. Click Start. Type Internet Information Services Manager in the Search Bar, click Enter. Expand the server node in the tree view and expand the "Sites" node. *For each...* Select a SharePoint Web Application site to review. In the "IIS" section, double-click Authentication and then select "Windows Authentication". Right-click "Windows Authentication" and select "Providers". Ensure "Negotiate" is listed first. If NTLM is listed first in the Enabled Providers box, this is a finding.
1. Using IIS Manager (IIS 7), navigate to view the SharePoint Web Application sites. 2. Select a SharePoint Web Application site to configure. 3. In the IIS section, double-click Authentication and select Windows Authentication. 4. Right-click Windows Authentication and select Providers. 5. Add Negotiate to the list in the Enabled Providers box. 6. Remove NTLM from the list in the Enabled Providers box.
Verify the account has least privilege in Active Directory. 1. Navigate to Active Directory Users and Computers -> Users. 2. Double click on the account to view the account properties. 3. Select the Members of tab and verify that this account is a member of the Domain Users group only. 4. Mark as a finding if the server farm service account is a member of an Active Directory security groups other than Domain Users.
Ensure the farm service account has minimum permissions in Active Directory. 1. Navigate to Active Directory Users and Computers -> Users. 2. Double click on the account to view the account properties. 3. Select the Members of tab to view group membership for this account. 4. Remove this account from membership in groups other than Domain Users.
1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Manage web part security. 3. On the Security for Web Part Pages page, for each web application in the Web Application section, perform the following: - Select a web application in the Web Application list. - In the Online Web Part Gallery section, verify the "Prevents users from accessing the Online Web Part Gallery, and helps to improve security and performance" option is selected. 4. Mark as a finding if the "Prevents users from accessing the Online Web Part Gallery, and helps to improve security and performance" option in the Online Web Part Gallery section is not selected.
Enable the "Prevents users from accessing the Online Web Part Gallery, and helps to improve security and performance" option for each web application. 1. In Central Administration, click Security. 2. On the Security page, in the General Security list, click Manage web part security. 3 On the Security for Web Part Pages page, for each web application in the web application section, perform the following: - Select a web application in the Web Application list. - In the Online Web Part Gallery section, select the "Prevents users from accessing the Online Web Part Gallery, and helps to improve security and performance". 4. Click OK.
1. Verify a SharePoint specific antivirus solution is installed. 2. In SharePoint Central Administration, click Security. 3. On the Security page, in the General Security list, click Manage antivirus settings. 4. Mark as a finding if the following boxes are unchecked: - Scan documents on upload. - Scan documents on download. - Attempt to clean infected documents.
Install and configure anti-virus package. 1. Install a SharePoint specific antivirus solution. 2. In SharePoint Central Administration, click Security. 3. On the Security page, in the General Security list, click Manage antivirus settings. 4. Check the boxes for the following: - Scan documents on upload. - Scan documents on download. - Attempt to clean infected documents. 5. Click OK.
1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Site Collections list, click Confirm site use and delegation. 3. Repeat the following steps for each web application: - Select the web application. - Verify that the "Automatically delete the site collection if use is not confirmed" checkbox is not checked. 4. Mark as a finding if the checkbox is checked for any active application on the SharePoint farm.
Disable the "Automatically delete the site collection if use is not confirmed" property for each web application. 1. In Central Administration, click Application Management. 2. On the Application Management page, in the Site Collections list, click Confirm site use and deletion. 3. Repeat the following steps for each web application: - Select the web application. - Deselect the "Automatically delete the site collection if use is not confirmed" checkbox.
Obtain local site documentation noting authorized administrators. 1. Open Central Administration. 2. Select Site-Actions > Site Permissions. 3. Verify only organizationally defined users or groups are listed. 4. Mark as a finding if unauthorized users or groups are listed.
1. Open Central Administration. 2. Select Site Actions > Site Permissions. 3. Remove all users and groups not on the organizationally defined list maintained by the IAO.
This check should be marked not applicable if the farm is used only for the support of mySites. 1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Site Collections list, click Change site collection administrators. 4. For each Site Collection, review Secondary Site Collection Administrator. 5. Mark as a finding if Secondary Site Collection Administrator is not defined unless the site collection is for mySites.
1. In SharePoint Central Administration, click Application Management. 2. On the Application Management page, in the Site Collections list, click Change site collection administrators. 4. For each Site Collection, define a Secondary Site Collection Administrator unless the site collection is for mySites. 5. Select OK.
1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure service accounts. 3. On the Service Accounts page, in the Credential Management section, select each service installed, and view the service account entry. 4. Verify each service is managed by a separate account or accounts are assigned based on common access permissions or trust levels. 5. If each service does not operate using a unique account or accounts are not assigned based on common access permissions or trust levels, this is a finding.
1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure service accounts. 3. On the Service Accounts page, in the Credential Management section, select each service installed, and configure the service account field by selecting the appropriate AD account from the drop-down menu. 4. Create separate accounts for each service (or assign accounts based on common access permissions or trust levels).
1. Navigate to Active Directory Users and Computers -> Users. 2. Double click on the account to view the account properties. 3. Select the Members of tab and verify this account is a member of the Domain Users group only. 4. Mark as a finding if the Setup User account is a member of other Active Directory domain groups other than Domain Users. Mark as a finding if the Setup User account has unneeded permissions or services assigned.
Ensure the Setup User domain user has minimum permissions in Active Directory. 1. Navigate to Active Directory Users and Computers -> Users. 2. Double click on the account to view the account properties. 3. Select the Members of tab to view group membership for this account. 4. Remove this account from membership in groups other than Domain Users.
Verify security permissions to log file are to authorized administrators only. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure diagnostic logging. 3. Obtain the Path location for the Trace Log. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Verify permissions include only the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group.. 6. Mark as a finding if groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group have permission to the log folder.
Change the directory permissions where trace data logs are stored. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure diagnostic logging. 3. Obtain the Path location for the Trace Log. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Delete any groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group from the permissions list.
Verify security permissions to log file are to authorized administrators only. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure diagnostic logging. 3. Obtain the Path location for the Trace Log. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Verify permissions include only the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group.. 6. Mark as a finding if groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group have permission to the log folder.
Change permissions to the directory where trace logs are stored. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure diagnostic logging. 3. Obtain the path location for the Trace Log. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Delete any groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group from the permissions list.
Verify security permissions to log file are to authorized administrators only. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure diagnostic logging. 3. Obtain the Path location for the Trace Log. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Verify permissions include only the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group.. 6. Mark as a finding if groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group have permission to the log folder.
Change permissions to the directory where trace data logs are stored. 1. In Central Administration, click Monitoring. 2. On the Monitoring page, in the Reporting list, click Configure diagnostic logging. 3. Obtain the Path location for the Trace Log. 4. Navigate to the file location, right-click, and select Properties. View the Security tab. 5. Delete any groups or users other than the LOCAL SERVICE, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG_V4, WSS_WPG, local Administrators group, and SYSTEM group from the permissions list.
To verify an information management policy is enabled for use with site content, view the document properties of a sample file. Verify document or list items. 1. Go to a Site Collection within the farm. 2. Open the list or library containing the item or document to view the barcode. 3. Point to the item or document identified by the SA or site representative. 4. Click the arrow that appears, and then click View Item or View Properties. 5. Verify document property listing contains columns for labels at a minimum. Also, verify columns for barcoding, retention, and auditing (if required by the SSP) are present. 6. Mark as a finding if information management policy metadata (labeling, retention, auditing, or barcoding) do not show in the document properties for document and list content (if required by the SSP).
Create an information management policy and apply to lists, libraries, and list content. 1. On the site collection home page, click Site Actions, then click Site Settings. 2. On the Site Settings page, in the Site Collection Administration list, click Site collection policies. 3. On the Site Collection Policies page, click Create. 4. Follow the menus and prompts to create a name and description for the policy. 5. Configure the desired features to associate with the policy. 6. When finished selecting the options for the individual policy features to add to this information management policy, click OK to apply the policy features. 7. Once an information management policy has been created for the site collection level, apply it to lists, libraries, or list content type in accordance with organizationally defined security requirements.
1. On the server(s) where the SharePoint software is installed, navigate to Server Manager -> Local Users and Groups -> Groups. 2. Double-click on each group to view membership. 3. Verify the SharePoint setup user domain account is a member of the Administrators and WSS_ADMIN_WPG groups only. 4. Mark as a finding if the setup user account is a member of any other group than Administrators and WSS_ADMIN_WPG on the local server where SharePoint is installed.
1. On the server (s) where the SharePoint software is installed, navigate to Server Manager -> Local Users and Groups -> Groups. 2. Double-click on each group to view membership. 3. Remove the SharePoint setup user account from membership in groups other than Administrators and WSS_ADMIN_WPG.