MS SharePoint 2010 Security Technical Implementation Guide

This STIG is applicable to all Microsoft SharePoint 2010 implementations. It covers only the SharePoint layer: for complete protection of any SharePoint deployment, the Windows operating system, the application server(s), and the database server(s) must also be secured using their applicable STIGs.

Details

Version / Release: V1R8

Published: 2018-04-02

Updated At: 2018-09-23 19:14:56

Rules

Each entry gives Vuln ID | Rule Version | CCI | Severity, then the rule title, then the opening of the rule's discussion text as shown on this page (the discussion text is cut off after the first few sentences; the full text, check, and fix content are in the STIG itself).

SV-37638r2_rule | SHPT-00-000007 | CCI-000057 | MEDIUM
  SharePoint must support the requirement to initiate a session lock after an organizationally defined time period of system or application inactivity has transpired.
  A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. The session lock is implemented

SV-36059r2_rule | SHPT-00-000010 | CCI-002272 | MEDIUM
  SharePoint must maintain and support the use of organizationally defined security attributes to stored information.
  Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementat

SV-36067r3_rule | SHPT-00-000040 | CCI-002289 | MEDIUM
  SharePoint must allow authorized users to associate security attributes with information.
  Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementat

SV-36114r2_rule | SHPT-00-000100 | CCI-000021 | MEDIUM
  SharePoint must enforce dual authorization, based on organizational policies and procedures for organizationally defined privileged commands.
  An organization may see fit to define a policy stating certain commands contained within an application require dual authorization before they may be invoked. Dual authorization requires two distinct approving authorities to approve the use of the command

SV-36661r2_rule | SHPT-00-000805 | CCI-002421 | MEDIUM
  The organization must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
  Preventing the disclosure of transmitted information requires that applications use a cryptographic mechanism to protect the information during transmission. This is usually achieved through the use of TLS, SSL, or Internet Protocol Sec

SV-36713r2_rule | SHPT-00-000810 | CCI-001312 | MEDIUM
  SharePoint must identify potentially security-relevant error conditions.
  The error messages and usage data to be monitored should be carefully considered. The extent to which the application is able to identify and handle error conditions is guided by organizational policy and operational requirements. Usage and Health Data

SV-37792r2_rule | SHPT-00-000640 | CCI-002475 | HIGH
  Applications must support organizational requirements to employ cryptographic mechanisms to protect information in storage.
  When data is written to digital media there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to d

SV-37794r2_rule | SHPT-00-000645 | CCI-001133 | MEDIUM
  SharePoint must terminate the network connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity.
  This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions includes de-allocating associated TCP/IP address/port pairs at the operating-system level, or de-allocating networking

SV-36596r2_rule | SHPT-00-000430 | CCI-000162 | MEDIUM
  SharePoint must protect audit information from unauthorized access to the usage and health logs.
  If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult. To ensure the veracity of audit data the information system and/or SharePoint must protect au

SV-36597r2_rule | SHPT-00-000435 | CCI-000163 | MEDIUM
  SharePoint must protect audit information from unauthorized modification of usage and health data collection logs.
  If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the information system and/or SharePoint mu

SV-36598r2_rule | SHPT-00-000440 | CCI-000164 | MEDIUM
  SharePoint must protect audit information from unauthorized deletion of usage and health logs.
  If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the information system and/or SharePoint mu

SV-36599r2_rule | SHPT-00-000445 | CCI-001493 | MEDIUM
  SharePoint must protect audit tools from unauthorized access.
  Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application

SV-37767r2_rule | SHPT-00-000315 | CCI-000171 | MEDIUM
  SharePoint must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.
  Without auditing enabled, individual system accesses cannot be tracked and malicious activity cannot be detected and traced back to an individual account. (Responsibility: System Administrator)

SV-36726r2_rule | SHPT-00-000530 | CCI-001941 | MEDIUM
  The Central Administration Web Application must use Kerberos as the authentication provider.
  An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces or challenges (e.g

SV-37784r2_rule | SHPT-00-000600 | CCI-000199 | MEDIUM
  SharePoint managed service accounts must be set to enable automatic password change.
  Passwords have a number of inherent risks. One method of minimizing this risk is to enforce the use of complex passwords. Another method is to enforce periodic password changes. If the information system does not limit the lifetime of passwords and force

SV-36578r2_rule | SHPT-00-000465 | CCI-001351 | MEDIUM
  SharePoint must support the requirement that privileged access is further defined between audit-related privileges and other privileges.
  Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be reliable when performed by an information system which the user bei

SV-37768r1_rule | SHPT-00-000475 | CCI-000381 | MEDIUM
  To support the requirements and principles of least functionality, SharePoint must support the organizational requirement to provide only essential capabilities.
  Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Addition

SV-37769r2_rule | SHPT-00-000480 | CCI-000382 | MEDIUM
  When configuring Central Administration, the port number selected must comply with DoD Ports and Protocol Management (PPSM) program requirements.
  During the installation of Microsoft SharePoint, the Central Administration Web site is established on a randomly-assigned TCP port by default. Allowing a randomly-assigned default may result in use of a port which violates DoD policy or conflicts with po

SV-36698r1_rule | SHPT-00-000495 | CCI-000537 | MEDIUM
  Backup of SharePoint system level files for critical systems must be performed when identified as required by the owning organization.
  Information system backup is a critical step in maintaining data assurance and availability. System-level information includes: system-state information, operating system and application software, and licenses. (Responsibility: System Administrator)

SV-36581r1_rule | SHPT-00-000405 | CCI-001864 | LOW
  To support audit review, analysis, and reporting, SharePoint must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
  Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Audit review, analysis, and reporting are all

SV-37789r2_rule | SHPT-00-000760 | CCI-002383 | MEDIUM
  SharePoint must implement security functions as largely independent modules to avoid unnecessary interactions between modules.
  Microsoft recommends separate Application Pools (and security accounts) for site collections with authenticated and anonymous content; to isolate applications storing security or management information; or where users have great liberty to create and admi

SV-36120r2_rule | SHPT-00-000130 | CCI-001414 | MEDIUM
  For environments requiring an Internet-facing capability, the SharePoint application server upon which Central Administration is installed must not be installed in the DMZ.
  Information flow control regulates where information is allowed to travel within and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the information. SharePoint C

SV-36418r2_rule | SHPT-00-000165 | CCI-002210 | LOW
  SharePoint must enable IRM to bind attributes to information to facilitate the organization's established information flow policy as needed.
  The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information flow control regulates where information is allowed to travel w

SV-37759r2_rule | SHPT-00-000190 | CCI-002220 | MEDIUM
  SharePoint must enforce organizational requirements to implement separation of duties through assigned information access authorizations.
  Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry

SV-37975r2_rule | SHPT-00-000210 | CCI-000044 | MEDIUM
  Timer job retries for automatic password change on Managed Accounts must meet DoD password retry policy.
  When an authentication method is exposed to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts, organizations define the number of times a user account may consec

SV-36428r1_rule | SHPT-00-000235 | CCI-000048 | MEDIUM
  SharePoint clients must be configured to display an approved system use notification message or banner before granting access to the system.
  Applications are required to display an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, reg

SV-36431r1_rule | SHPT-00-000240 | CCI-000050 | MEDIUM
  SharePoint must retain the notification message or banner on the screen until users take explicit actions to log on to or further access the system.
  To establish acceptance of system usage policy, a click-through banner at application logon is required. The banner shall prevent further activity on the application unless and until the user executes a positive action to agree by clicking on a box indica

SV-36432r1_rule | SHPT-00-000245 | CCI-001384 | MEDIUM
  SharePoint must be configured to display the banner, when appropriate, before granting further access.
  Applications are required to display the following information: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing consistent with privacy acc

SV-36741r2_rule | SHPT-00-000690 | CCI-001083 | MEDIUM
  The Central Administration site must not be accessible from Extranet or Internet connections.
  SharePoint must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users. Central Administration is an application used to manage SharePoint system settings and th

SV-37822r3_rule | SHPT-00-000531 | CCI-001941 | MEDIUM
  SharePoint sites must not use NTLM.
  An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces or challenges (e.g.,

SV-37832r2_rule | SHPT-00-000191 | CCI-000225 | MEDIUM
  SharePoint farm service account (Database Access account) must be configured with minimum privileges in Active Directory (AD).
  Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry

SV-37994r2_rule | SHPT-00-000682 | CCI-001167 | MEDIUM
  The Online Web Part Gallery must be configured for limited access.
  Web Part galleries are groupings of Web Parts. There are four Web Part galleries: Closed Web Parts, Site Name Gallery, Server Gallery, and Online Gallery. The Online Gallery is a collection of Microsoft MSNBC Web Parts located on the Internet. Allowing us

SV-37995r3_rule | SHPT-00-000683 | CCI-001167 | HIGH
  SharePoint-specific anti-malware (i.e., anti-virus) software must be integrated and configured.
  Configuring anti-virus settings ensures documents will be scanned for viruses upon download from and upload to the SharePoint server. Anti-virus settings are not configured by default, therefore leaving SharePoint document libraries open to potential viru

SV-38109r2_rule | SHPT-00-000127 | CCI-000381 | MEDIUM
  The "Automatically delete the site collection if use is not confirmed" property must not be enabled for web applications.
  Automatic deletion is an administrative feature that can delete unused sites without administrative intervention and without a backup mechanism. Automatic deletion permanently removes all content and information from the site collection and any sites bene

SV-38129r2_rule | SHPT-00-000692 | CCI-001083 | MEDIUM
  Access to the Central Administration site must be limited to authorized users and groups.
  SharePoint must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users. Information system management functional

SV-38149r2_rule | SHPT-00-000197 | CCI-000366 | LOW
  A secondary site collection administrator must be defined when creating a new site collection.
  If a site reaches its maximum size, users will be denied access until an administrator fixes the problem. Having a secondary administrator reduces the risk of a Denial-of-Service on a site. If the site reaches its maximum size, the secondary admini

SV-38296r2_rule | SHPT-00-000199 | CCI-002220 | MEDIUM
  SharePoint service accounts must be configured for separation of duties.
  Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry

SV-38299r2_rule | SHPT-00-000193 | CCI-000225 | MEDIUM
  The SharePoint setup user domain account must be configured with the minimum privileges in Active Directory.
  Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry

SV-39935r2_rule | SHPT-00-000431 | CCI-000162 | MEDIUM
  SharePoint must protect audit information from unauthorized access to the trace data log files.
  If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult. To ensure the veracity of audit data the information system and/or SharePoint must protect au

SV-39940r2_rule | SHPT-00-000436 | CCI-000163 | MEDIUM
  SharePoint must protect audit information from unauthorized modification to trace data logs.
  If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the information system and/or SharePoint mu

SV-39943r2_rule | SHPT-00-000441 | CCI-000164 | MEDIUM
  SharePoint must protect audit information from unauthorized deletion of trace log files.
  If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the information system and/or SharePoint mu

SV-40023r2_rule | SHPT-00-000009 | CCI-000287 | MEDIUM
  SharePoint information management policies must be created, configured, and maintained to support the use of organizationally defined security attributes.
  A SharePoint information management policy is a set of rules governing the availability and behavior of a certain type of content in the application. These policies enable administrators to control and evaluate who can access information, how long to reta

SV-40025r2_rule | SHPT-00-000195 | CCI-000225 | MEDIUM
  The SharePoint setup user domain account must be configured with the minimum privileges for the local server.
  Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry
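Several of the rules above are concrete farm settings rather than procedures, so they can be verified from the SharePoint 2010 Management Shell before a formal review. The script below is an added example for this page, not DISA's check or fix text and not Microsoft code. It covers the Central Administration port (SHPT-00-000480), Kerberos versus NTLM on Central Administration and content web applications (SHPT-00-000530, SHPT-00-000531), automatic password change on managed accounts (SHPT-00-000600), anti-virus scanning on upload and download (SHPT-00-000683), and automatic deletion of unconfirmed site collections (SHPT-00-000127). It assumes it is run on a farm server by a farm administrator, and the value of `$ApprovedCentralAdminPort` is a placeholder for whatever port your PPSM registration approves; the STIG only requires that the port be policy-compliant, not a specific number. Procedural rules (banners, backups, separation of duties, dual authorization) are not checked here.

```powershell
# Added example: an audit of selected SharePoint 2010 STIG settings.
# Assumes the SharePoint 2010 Management Shell (or the snap-in loaded below)
# on a farm server, run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: the PPSM-approved port for Central Administration in your
# environment. Replace with the port on your registration.
$ApprovedCentralAdminPort = 9999

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Rule, [string]$Detail)
    $findings.Add([pscustomobject]@{ Rule = $Rule; Detail = $Detail })
}

# --- SHPT-00-000480: Central Administration must listen on a policy-approved port
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
$caPort = ([System.Uri]$ca.Url).Port
if ($caPort -ne $ApprovedCentralAdminPort) {
    Add-Finding 'SHPT-00-000480' "Central Administration listens on port $caPort, expected $ApprovedCentralAdminPort"
}

# --- SHPT-00-000530 / SHPT-00-000531: Kerberos, not NTLM, on every zone
# Classic-mode web applications carry DisableKerberos on the zone's IIS
# settings; claims-mode web applications carry it on the Windows provider.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    foreach ($zone in $wa.IisSettings.Keys) {
        $ntlmOnly = $false
        if ($wa.UseClaimsAuthentication) {
            $win = Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone |
                   Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider] }
            if ($win -and $win.UseWindowsIntegratedAuthentication -and $win.DisableKerberos) {
                $ntlmOnly = $true
            }
        } elseif ($wa.IisSettings[$zone].DisableKerberos) {
            $ntlmOnly = $true
        }
        if ($ntlmOnly) {
            $rule = if ($wa.IsAdministrationWebApplication) { 'SHPT-00-000530' } else { 'SHPT-00-000531' }
            Add-Finding $rule "$($wa.DisplayName) zone $zone has Kerberos disabled (NTLM in use)"
        }
    }
}

# --- SHPT-00-000600: managed accounts must rotate their own passwords
foreach ($acct in Get-SPManagedAccount) {
    if (-not $acct.AutomaticChange) {
        Add-Finding 'SHPT-00-000600' "$($acct.UserName) has automatic password change disabled"
    }
}

# --- SHPT-00-000683: anti-virus scanning on both upload and download
$av = [Microsoft.SharePoint.Administration.SPWebService]::ContentService.AntivirusSettings
if (-not ($av.UploadScanEnabled -and $av.DownloadScanEnabled)) {
    Add-Finding 'SHPT-00-000683' "Upload scan = $($av.UploadScanEnabled), download scan = $($av.DownloadScanEnabled)"
}

# --- SHPT-00-000127: unconfirmed site collections must never be auto-deleted
foreach ($wa in Get-SPWebApplication) {
    if ($wa.AutomaticallyDeleteUnusedSiteCollections) {
        Add-Finding 'SHPT-00-000127' "$($wa.DisplayName) automatically deletes unconfirmed site collections"
    }
}

if ($findings.Count -eq 0) {
    'No findings for the checked rules.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it once per farm; it reads farm configuration and changes nothing. Remediation for the two rules most often open in practice is a single cmdlet each: `Set-SPCentralAdministration -Port <approved port>` moves Central Administration off its randomly assigned port, and `Set-SPManagedAccount -Identity <account> -AutoGeneratePassword -Schedule <schedule>` turns on automatic password change for a managed account. Note that a zone with Kerberos enabled still needs a correctly registered service principal name for the application pool account, which this script does not verify.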