<?xml version="1.0" encoding="UTF-8"?>
<cdf:Benchmark id="SharePoint" resolved="0" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cpe="http://cpe.mitre.org/XMLSchema/cpe/1.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.xsd http://cpe.mitre.org/XMLSchema/cpe/1.0 cpe-1.0.xsd">
<cdf:status date="2008-02-26">draft</cdf:status>
<cdf:title>SharePoint</cdf:title>
<cdf:description>SP XCCDF</cdf:description>
<cdf:version>2007</cdf:version>
<cdf:Group id="Accounts">
<cdf:title>Accounts</cdf:title>
<cdf:description>This chapter focuses on setting up and managing all of the required SharePoint accounts for both single server and server farm deployments. The account names can be tailored to suit the deployment environment. For this evaluation, the SharePoint 2007 Server was installed and configured on a single server. Recommendations pertaining to accounts for server farm deployments were derived from Microsoft documents, which are referenced in this security guide.</cdf:description>
<cdf:Rule id="SharePoint621" selected="1">
<cdf:title>SharePoint621</cdf:title>
<cdf:description>In single server installations, create a Setup User local account to install SharePoint Server 2007.</cdf:description>
<cdf:rationale>The Setup User account is used to run Setup on each server computer, the SharePoint Products and Technologies Configuration Wizard, the Psconfig command-line tool, and the Stsadm command-line tool. This local account must be a member of the Administrators group on the local computer. Follow the principle of least privilege to ensure that the Setup User local account is provided with only the minimum privileges needed to accomplish the tasks it is authorized to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment.</cdf:rationale>
<cdf:fixtext>For information about account requirements:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true<xhtml:br/>2. Navigate to Plan for administrative and service accounts (Office SharePoint Server).<xhtml:br/>3. Select the Single server standard requirements link.<xhtml:br/>4. Select the Office SharePoint Server security account requirements link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint944" selected="1">
<cdf:title>SharePoint944</cdf:title>
<cdf:description>In single server installations, create an Office SharePoint Server Search service account.</cdf:description>
<cdf:rationale>This service is used to encrypt sensitive search configuration settings such as passwords. By default, this service runs as the Local Service built-in account. Any other application or service running as this built-in account will have access to the passwords. This is a security risk. Change the search service account to a non-built-in account.</cdf:rationale>
<cdf:fixtext>Follow these steps to implement this recommendation:<xhtml:br/>1. Create a local account on the SharePoint Server.<xhtml:br/>2. Log in to Central Administration.<xhtml:br/>3. Navigate to Operations &gt; Topology and Services.<xhtml:br/>4. Select Services on Server.<xhtml:br/>5. Select Office SharePoint Server Search.<xhtml:br/>6. Navigate to Farm Search Service Account.<xhtml:br/>7. Select Configurable.<xhtml:br/>8. Enter the username and password of the account created in step 1.<xhtml:br/>9. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint921" selected="1">
<cdf:title>SharePoint921</cdf:title>
<cdf:description>In both single server and server farm installations, create a dedicated Excel Services Unattended Service domain account.</cdf:description>
<cdf:rationale>The Excel Services Unattended Service domain account is the account that Excel Calculation Services uses to connect to external data sources that require a non-Windows user name and password string for authentication. If this account is not configured, Excel Calculation Services will not attempt to connect to these types of data sources. Although the account credentials are used to connect to non-Windows data sources, the account must be a member of the domain in order for Excel Calculation Services to use it. Follow the principle of least privilege to ensure that the Excel Services Unattended Service domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having unique accounts increases data protection. If one account is compromised, the malicious user will have access only to data for that account and other accounts will remain secure.</cdf:rationale>
<cdf:fixtext>For information about single server account requirements:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true<xhtml:br/>2. Navigate to Plan for administrative and service accounts (Office SharePoint Server).<xhtml:br/>3. Select the Single server standard requirements link.<xhtml:br/>4. Select the Office SharePoint Server security account requirements link.<xhtml:br/><xhtml:br/>For information about server farm account requirements:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true<xhtml:br/>2. Navigate to Plan for administrative and service accounts (Office SharePoint Server).<xhtml:br/>3. Select the Server farm standard requirements link.<xhtml:br/>4. Select the Office SharePoint Server security account requirements link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint946" selected="1">
<cdf:title>SharePoint946</cdf:title>
<cdf:description>In server farm installations, create a separate domain user account for each application pool and follow the principle of least privilege.</cdf:description>
<cdf:rationale>An application pool domain account is the application pool identity for the Web applications that reside in the application pool. A default account is automatically set up and configured for the default application pool. To provide isolation among application pools, use a separate domain account for each application pool. Follow the principle of least privilege to ensure that each application pool domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having unique accounts increases data protection. If one account is compromised, the malicious user will have access only to data for that account and other accounts will remain secure.</cdf:rationale>
<cdf:fixtext>For information about server farm account requirements:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true<xhtml:br/>2. Navigate to Plan for administrative and service accounts (Office SharePoint Server).<xhtml:br/>3. Select the Server farm standard requirements link.<xhtml:br/>4. Select the Office SharePoint Server security account requirements link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint948" selected="1">
<cdf:title>SharePoint948</cdf:title>
<cdf:description>In server farm installations, create a dedicated Office SharePoint Server Search Service domain account.</cdf:description>
<cdf:rationale>The Office SharePoint Server Search Service domain account is used as the service account for the Office SharePoint Server Search service. There is only one instance of this service and it is used by all SSPs. The account must be a domain user account and must not be a member of the Farm Administrators group. Follow the principle of least privilege to ensure that the Office SharePoint Server Search Service domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having unique accounts increases data protection. If one account is compromised, the malicious user will have access only to data for that account and other accounts will remain secure.</cdf:rationale>
<cdf:fixtext>For information about server farm account requirements:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true<xhtml:br/>2. Navigate to Plan for administrative and service accounts (Office SharePoint Server).<xhtml:br/>3. Select the Server farm standard requirements link.<xhtml:br/>4. Select the Office SharePoint Server security account requirements link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint949" selected="1">
<cdf:title>SharePoint949</cdf:title>
<cdf:description>In server farm installations, create a dedicated SQL Server Service domain account.</cdf:description>
<cdf:rationale>SQL Server prompts for this account during SQL Server setup. This account is used as the service account for the following SQL Server services: MSSQLSERVER and SQLSERVERAGENT. Follow the principle of least privilege to ensure that the SQL Server Service domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having unique accounts increases data protection. If one account is compromised, the malicious user will have access only to data for that account and other accounts will remain secure.</cdf:rationale>
<cdf:fixtext>For information about server farm account requirements:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true<xhtml:br/>2. Navigate to Plan for administrative and service accounts (Office SharePoint Server).<xhtml:br/>3. Select the Server farm standard requirements link.<xhtml:br/>4. Select the Office SharePoint Server security account requirements link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint913" selected="1">
<cdf:title>SharePoint913</cdf:title>
<cdf:description>In server farm installations, create a dedicated Setup User domain account and install SharePoint Server 2007 using this account.</cdf:description>
<cdf:rationale>The Setup User domain account is a required security account for SharePoint Server 2007. The account must be a member of the Administrators group on each Web front-end server and application server computer in the farm. This account must also be a member of the SQL Server Service group with SQL security administrator and database creator rights on the SQL servers. Follow the principle of least privilege to ensure that the Setup User domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having unique accounts increases data protection. If one account is compromised, the malicious user will have access only to data for that account and other accounts will remain secure.</cdf:rationale>
<cdf:fixtext>For information about server farm account requirements:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true<xhtml:br/>2. Navigate to Plan for administrative and service accounts (Office SharePoint Server).<xhtml:br/>3. Select the Server farm standard requirements link.<xhtml:br/>4. Select the Office SharePoint Server security account requirements link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint914" selected="1">
<cdf:title>SharePoint914</cdf:title>
<cdf:description>In server farm installations, create a dedicated Server Farm domain account.</cdf:description>
<cdf:rationale>The Server Farm domain account, also referred to as the database access account, is the application pool identity for the SharePoint Central Administration Web site and the process account for the Windows SharePoint Services Timer service.<xhtml:br/><xhtml:br/>Follow the principle of least privilege to ensure that the Server Farm domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having unique accounts increases data protection. If one account is compromised, the malicious user will have access only to data for that account and other accounts will remain secure.</cdf:rationale>
<cdf:fixtext>For information about server farm account requirements:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true<xhtml:br/>2. Navigate to Plan for administrative and service accounts (Office SharePoint Server).<xhtml:br/>3. Select the Server farm standard requirements link.<xhtml:br/>4. Select the Office SharePoint Server security account requirements link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint919" selected="1">
<cdf:title>SharePoint919</cdf:title>
<cdf:description>In server farm installations, create a dedicated Default Content Access domain account.</cdf:description>
<cdf:rationale>The Default Content Access domain account is used by the Windows SharePoint Services Search application server role to crawl content across sites. Follow the principle of least privilege to ensure that the Default Content Access domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having unique accounts increases data protection. If one account is compromised, the malicious user will have access only to data for that account and other accounts will remain secure.</cdf:rationale>
<cdf:fixtext>For information about server farm account requirements:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true<xhtml:br/>2. Navigate to Plan for administrative and service accounts (Office SharePoint Server).<xhtml:br/>3. Select the Server farm standard requirements link.<xhtml:br/>4. Select the Office SharePoint Server security account requirements link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint920" selected="1">
<cdf:title>SharePoint920</cdf:title>
<cdf:description>In server farm installations, create a dedicated Profile Import Default Access domain account.</cdf:description>
<cdf:rationale>The Profile Import Default Access domain account is used to connect to a directory service, such as the Active Directory directory service, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog application, or other directory source and to import profile data from a directory service. Follow the principle of least privilege to ensure that the Profile Import Default Access domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having unique accounts increases data protection. If one account is compromised, the malicious user will have access only to data for that account and other accounts will remain secure.</cdf:rationale>
<cdf:fixtext>For information about server farm account requirements:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true<xhtml:br/>2. Navigate to Plan for administrative and service accounts (Office SharePoint Server).<xhtml:br/>3. Select the Server farm standard requirements link.<xhtml:br/>4. Select the Office SharePoint Server security account requirements link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint1090" selected="1">
<cdf:title>SharePoint1090</cdf:title>
<cdf:description>In server farm installations, create a dedicated Windows SharePoint Services Search service domain account.</cdf:description>
<cdf:rationale>The Windows SharePoint Services Search service domain account is used as the service account for the Windows SharePoint Services Help Search service. The account must be a domain user account and must not be a member of the Farm Administrators group. Follow the principle of least privilege to ensure that the Windows SharePoint Services Search service domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having unique accounts increases data protection. If one account is compromised, the malicious user will have access only to data for that account and other accounts will remain secure.</cdf:rationale>
<cdf:fixtext>For information about server farm account requirements:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true<xhtml:br/>2. Navigate to Plan for administrative and service accounts (Office SharePoint Server).<xhtml:br/>3. Select the Server farm standard requirements link.<xhtml:br/>4. Select the Office SharePoint Server security account requirements link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint1091" selected="1">
<cdf:title>SharePoint1091</cdf:title>
<cdf:description>In server farm installations, create a dedicated Windows SharePoint Services Search content access domain account.</cdf:description>
<cdf:rationale>The Windows SharePoint Services Search content access domain account is used by the Windows SharePoint Services Search application server role to crawl content across sites. The account must be a domain user account and must not be a member of the Farm Administrators group. Follow the principle of least privilege to ensure that the Windows SharePoint Services Search content access domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having unique accounts increases data protection. If one account is compromised, the malicious user will have access only to data for that account and other accounts will remain secure.</cdf:rationale>
<cdf:fixtext>For information about server farm account requirements:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true<xhtml:br/>2. Navigate to Plan for administrative and service accounts (Office SharePoint Server).<xhtml:br/>3. Select the Server farm standard requirements link.<xhtml:br/>4. Select the Office SharePoint Server security account requirements link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint765" selected="1">
<cdf:title>SharePoint765</cdf:title>
<cdf:description>Reset the Document Conversions Launcher Service password when the domain account password for this service has changed on the domain controller.</cdf:description>
<cdf:rationale>Good password security policies require passwords to be reset periodically. Resetting passwords helps protect data from being compromised. If the Document Conversions Launcher Service account password is not updated when the domain password changes, the service will fail to restart after it shuts down, resulting in a denial of service.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Operations &gt; Security Configuration.<xhtml:br/>3. Select Service accounts.<xhtml:br/>4. Navigate to Windows Service.<xhtml:br/>5. Select Document Conversions Launcher Service.<xhtml:br/>6. Enter the new password.<xhtml:br/>7. Select OK.<xhtml:br/><xhtml:br/>Do the following to restart the Document Conversions Launcher Service:<xhtml:br/>1. Right-click My Computer and select Manage.<xhtml:br/>2. Expand Services and Applications.<xhtml:br/>3. Select Services.<xhtml:br/>4. Right-click Office Document Conversions Launcher Service and select Restart.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint766" selected="1">
<cdf:title>SharePoint766</cdf:title>
<cdf:description>Reset the Office Document Conversions Load Balancer Service password when the domain account password for this service has changed on the domain controller.</cdf:description>
<cdf:rationale>Good password security policies require passwords to be reset periodically. Resetting passwords helps protect data from being compromised. If the Office Document Conversions Load Balancer Service account password is not updated when the domain password changes, the service will fail to restart after it shuts down, resulting in a denial of service.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Operations &gt; Security Configuration.<xhtml:br/>3. Select Service accounts.<xhtml:br/>4. Navigate to Windows Service.<xhtml:br/>5. Select Document Conversions Load Balancer Service.<xhtml:br/>6. Enter the new password.<xhtml:br/>7. Select OK.<xhtml:br/><xhtml:br/>Do the following to restart the Office Document Conversions Load Balancer Service:<xhtml:br/>1. Right-click My Computer and select Manage.<xhtml:br/>2. Expand Services and Applications.<xhtml:br/>3. Select Services.<xhtml:br/>4. Right-click Office Document Conversions Load Balancer Service and select Restart.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint785" selected="1">
<cdf:title>SharePoint785</cdf:title>
<cdf:description>Reset the Web application pool identity account password when the domain account password for a web application pool has changed on the domain controller.</cdf:description>
<cdf:rationale>Good password security policies require passwords to be reset periodically. Resetting passwords helps protect data from being compromised. If the Web application pool identity account password is not updated when the domain password changes, then when the IIS application pool is restarted, any Web sites created under that Web application pool will not be available, resulting in a denial of service.</cdf:rationale>
<cdf:fixtext>If the Web application pool cannot start, a &quot;Service Unavailable&quot; HTTP error will be displayed to the users of any Web pages or services that the Web application provides.<xhtml:br/><xhtml:br/>The following URL provides procedures to update the Web application pool identity account in SharePoint:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/4f52688f-7c27-41b7-8e28-c532d0e93e4d1033.mspx?mfr=true<xhtml:br/>2. Scroll down the page and select the Change passwords for Web application pools (Office SharePoint Server) link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint931" selected="1">
<cdf:title>SharePoint931</cdf:title>
<cdf:description>Reset the SQL Server service password when the domain account password for this service has changed on the domain controller.</cdf:description>
<cdf:rationale>Good password security policies require passwords to be reset periodically. Resetting passwords helps protect data from being compromised. If the SQL Server service password is not updated when the domain password changes, the SQL Server service will fail to start when it is restarted, resulting in a denial of service.</cdf:rationale>
<cdf:fixtext>The following URL provides procedures to change the SharePoint SQL Server service password:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/4f52688f-7c27-41b7-8e28-c532d0e93e4d1033.mspx?mfr=true<xhtml:br/>2. Scroll down to the bottom of the page and select the Change passwords for SQL Server Services (Office SharePoint Server) link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint932" selected="1">
<cdf:title>SharePoint932</cdf:title>
<cdf:description>Reset the default content access account password in SharePoint when the domain account password for this account has changed on the domain controller.</cdf:description>
<cdf:rationale>Good password security policies require passwords to be reset periodically. Resetting passwords helps protect data from being compromised. The default content access account is used by SharePoint to crawl content. If the default content access account credentials are not updated when the password changes for the default content access account on the domain controller, the search feature will not be able to crawl content.</cdf:rationale>
<cdf:fixtext>The following URL provides procedures to update the default content access account in SharePoint:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/4f52688f-7c27-41b7-8e28-c532d0e93e4d1033.mspx?mfr=true<xhtml:br/>2. Scroll down to the bottom of the page and select the Change passwords for the default access account (Office SharePoint Server) link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint933" selected="1">
<cdf:title>SharePoint933</cdf:title>
<cdf:description>Reset the Shared Service Providers (SSP) service account password when the domain account password for this service has changed on the domain controller.</cdf:description>
<cdf:rationale>Good password security policies require passwords to be reset periodically. Resetting passwords helps protect data from being compromised. The Shared Service Providers (SSP) service account is used to operate the SSP Web services for inter-server communications and to run timer jobs for the SSP. If the password expires and is not updated, these functions will not work properly.</cdf:rationale>
<cdf:fixtext>The following URL provides procedures to update the Shared Service Providers (SSP) service account password in SharePoint:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/4f52688f-7c27-41b7-8e28-c532d0e93e4d1033.mspx?mfr=true<xhtml:br/>2. Scroll down to the bottom of the page and select the Change passwords for Shared Service Providers (Office SharePoint Server) link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint793" selected="1">
<cdf:title>SharePoint793</cdf:title>
<cdf:description>If the dedicated Server Farm account password expires or has been reset on the domain controller, reset the password for the Central Administration Web application pool and the SharePoint Timer service.</cdf:description>
<cdf:rationale>Good password security policies require passwords to be reset periodically. Resetting passwords helps protect data from being compromised. The Server Farm account credentials are stored in the Central Administration Web application pool and the Timer service. If these stored credentials are not updated when the password changes on the domain controller, the Central Administration Web application pool and the Timer service will fail to restart, resulting in a denial of service.</cdf:rationale>
<cdf:fixtext>The following URL provides procedures to update the password for the Central Administration Web application pool and SharePoint Timer service:<xhtml:br/><xhtml:br/>http://technet2.microsoft.com/Office/en-us/library/eb6c2cfe-fa00-4417-867a-84b3032696801033.mspx?mfr=true</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint818" selected="1">
<cdf:title>SharePoint818</cdf:title>
<cdf:description>If the Office SharePoint Server Search service or Windows SharePoint Services Search service account password expires or has been reset on the domain controller, change the Office SharePoint Server Search service password and/or the Windows SharePoint Services Search service password.</cdf:description>
<cdf:rationale>Good password security policies require passwords to be reset periodically. Resetting passwords helps protect data from being compromised. The Office SharePoint Server Search service and the Windows SharePoint Services Search service store domain credentials. If these credentials are not updated when the password changes on the domain controller, the Office SharePoint Server Search service or Windows SharePoint Services Search service will fail to restart, resulting in a denial of service.</cdf:rationale>
<cdf:fixtext>Follow the procedures in the following URL in order to change the password for the Search Service account:<xhtml:br/><xhtml:br/>http://technet2.microsoft.com/Office/en-us/library/d6908004-0353-42b4-9a35-e380dc5e1e161033.mspx?mfr=true</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint726" selected="1">
<cdf:title>SharePoint726</cdf:title>
<cdf:description>If the Microsoft SSO service is enabled in the SharePoint deployment, reset the Single Sign-On (SSO) password when the domain account password for this service has changed on the domain controller.</cdf:description>
<cdf:rationale>Good password security policies require passwords to be reset periodically. Resetting passwords helps protect data from being compromised. If the SSO service password is not updated when the domain password changes, the SSO service will fail to restart after it shuts down, resulting in a denial of service.</cdf:rationale>
<cdf:fixtext>Repeat the following steps 1-8 for each SharePoint Server running the Microsoft Single Sign-On Service (SSOSrv).<xhtml:br/><xhtml:br/>1. Log in to the SharePoint Server running the SSOSrv as the SSO Administrator.<xhtml:br/>2. Log in to Central Administration as the SSO Administrator.<xhtml:br/>3. Navigate to Operations &gt; Security Configuration.<xhtml:br/>4. Select Service accounts.<xhtml:br/>5. Navigate to Windows Service.<xhtml:br/>6. Select Single Sign-on Service.<xhtml:br/>7. Enter the new SSO password.<xhtml:br/>8. Select OK.<xhtml:br/><xhtml:br/>Repeat the following steps 1-5 for each SharePoint Server running the SSOSrv.<xhtml:br/><xhtml:br/>To restart the SSO service, do the following:<xhtml:br/>1. Right-click My Computer.<xhtml:br/>2. Select Manage.<xhtml:br/>3. Expand Services and Applications.<xhtml:br/>4. Select Services.<xhtml:br/>5. Right-click the Microsoft Single Sign-on Service and select Restart.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint763" selected="1">
<cdf:title>SharePoint763</cdf:title>
<cdf:description>Create the required Single Sign-On (SSO) accounts in order to set up, run, and administer the SSO system if the Microsoft SSO service is enabled in the SharePoint deployment.</cdf:description>
<cdf:rationale>These SSO accounts are responsible for managing the various actions of the Single Sign-On service in SharePoint Server 2007. They provide separation of roles and isolation of permissions, which helps track changes made to the SSO service.</cdf:rationale>
<cdf:fixtext>The following URL describes the required accounts and how to configure these accounts:<xhtml:br/>1. Access the following link: http://technet2.microsoft.com/Office/en-us/library/3df68222-235b-45de-82fa-b89166c5c6bd1033.mspx?mfr=true<xhtml:br/>2. Scroll down and select the Plan for single sign-on link.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint935" selected="1">
<cdf:title>SharePoint935</cdf:title>
<cdf:description>Ensure that passwords for all dedicated domain accounts are configured to expire every 90 days.</cdf:description>
<cdf:rationale>Passwords are a primary method used to control access to resources. A compromised password is a way for a malicious user to explore a system without causing suspicion. Following this recommendation reduces the attack surface of the SharePoint deployment. This recommendation applies to all recommendations pertaining to domain accounts in this chapter.</cdf:rationale>
<cdf:fixtext>Self-explanatory.</cdf:fixtext>
</cdf:Rule>
</cdf:Group>
<cdf:Group id="InstallationandConfiguration">
<cdf:title>Installation and Configuration</cdf:title>
<cdf:description>This chapter provides recommendations for installing and configuring SharePoint Server 2007.</cdf:description>
<cdf:Rule id="SharePoint585" selected="1">
<cdf:title>SharePoint585</cdf:title>
<cdf:description>Apply the latest operating system service pack to the Windows Server 2003 platform after the initial install of the operating system.</cdf:description>
<cdf:rationale>Applying operating system service packs to the Windows operating system protects against potential system vulnerabilities. If the latest service pack is not applied, an intruder could potentially compromise the system, or certain functionality might not be available.</cdf:rationale>
<cdf:fixtext>Self-explanatory.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint718" selected="1">
<cdf:title>SharePoint718</cdf:title>
<cdf:description>Apply the security update "Microsoft Security Bulletin MS07-059".</cdf:description>
<cdf:rationale>The vulnerability addressed by the security update could allow an attacker to run an arbitrary script that could result in elevation of privilege within the SharePoint site. The vulnerability could also allow an attacker to run an arbitrary script to modify a user&#39;s cache, resulting in information disclosure at the workstation. The vulnerability is identified as CVE-2007-2581. Before applying the update, review the known issues: see Microsoft Knowledge Base Article 942017.</cdf:rationale>
<cdf:fixtext>Download and install the software referenced in the Microsoft Knowledge Base article KB937832.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint752" selected="1">
<cdf:title>SharePoint752</cdf:title>
<cdf:description>Apply all hotfixes to the operating system according to the policies set for the organization.</cdf:description>
<cdf:rationale>Hotfixes are quick fixes that address a problem discovered after the latest service pack for an operating system has been released. Applying hotfixes protects the system against known vulnerabilities.</cdf:rationale>
<cdf:fixtext>Self-explanatory. In order to implement this recommendation, first implement the recommendation &quot;Ensure that the proper policies, procedures, and software are in place to protect the operating system against vulnerabilities&quot;.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint770" selected="1">
<cdf:title>SharePoint770</cdf:title>
<cdf:description>Apply the Microsoft security best practices guidance for IIS 6.0.</cdf:description>
<cdf:rationale>Microsoft Internet Information Services (IIS) is a core component of SharePoint Server 2007. Ensuring IIS is installed and configured securely reduces the risk of the system being compromised.</cdf:rationale>
<cdf:fixtext>Self-explanatory. For more information refer to Microsoft's best practice found at: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f8f81568-31f2-4210-9982-b9391afc30eb.mspx?mfr=true</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint1084" selected="1">
<cdf:title>SharePoint1084</cdf:title>
<cdf:description>Apply all SharePoint Server hotfixes and service packs.</cdf:description>
<cdf:rationale>Applying hotfixes and service packs protects the system against potential or known vulnerabilities. If the latest hotfixes and service packs are not applied, an intruder could potentially compromise the system, or certain functionality might not be available.</cdf:rationale>
<cdf:fixtext>Self-explanatory.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint1092" selected="1">
<cdf:title>SharePoint1092</cdf:title>
<cdf:description>Apply the security guidance of the NSA guide for Windows Server 2003.</cdf:description>
<cdf:rationale>Microsoft Windows Server 2003 is a core component of SharePoint Server 2007. Ensuring Windows Server 2003 is installed and configured securely reduces the risk of the system being compromised.</cdf:rationale>
<cdf:fixtext>Self-explanatory. For more information refer to the National Security Agency web site at http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint7701" selected="1">
<cdf:title>SharePoint7701</cdf:title>
<cdf:description>Apply the security guidance for Internet Explorer 7 found at the NIST National Vulnerability Database checklist site.</cdf:description>
<cdf:rationale>Microsoft Internet Explorer is a core component of SharePoint Server 2007. Ensuring IE is installed and configured securely reduces the risk of the system being compromised.</cdf:rationale>
<cdf:fixtext>Self-explanatory. For more information refer to the NIST website: http://nvd.nist.gov/ncp.cfm?repository</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint909" selected="1">
<cdf:title>SharePoint909</cdf:title>
<cdf:description>Apply the guidance of the Center for Internet Security (CIS) SQL Server Benchmark.</cdf:description>
<cdf:rationale>Microsoft SQL Server is a core component of SharePoint Server 2007. Ensuring SQL Server is installed and configured securely reduces the risk of the system being compromised.</cdf:rationale>
<cdf:fixtext>Self-explanatory. For more information refer to the CIS website: http://www.cisecurity.org/bench_sqlserver.html</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint586" selected="1">
<cdf:title>SharePoint586</cdf:title>
<cdf:description>Ensure that the proper policies, procedures, and software are in place to protect the operating system against vulnerabilities.</cdf:description>
<cdf:rationale>Setting these guidelines will help protect the server against potential vulnerabilities. If these guidelines do not exist and no software is in place to protect the server, an intruder could potentially gain access and compromise important data or cause denial of service.</cdf:rationale>
<cdf:fixtext>Self-explanatory.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint724" selected="1">
<cdf:title>SharePoint724</cdf:title>
<cdf:description>Ensure that users update their passwords according to the policies set by the organization.</cdf:description>
<cdf:rationale>Requiring users to modify their passwords is good security practice. If the organization does not require users to change their passwords and a malicious user acquires a password, they may have long-term access. Also, follow the recommendation to &quot;Ensure that the proper policies and procedures exist to set strong passwords&quot;.</cdf:rationale>
<cdf:fixtext>Self-explanatory.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint725" selected="1">
<cdf:title>SharePoint725</cdf:title>
<cdf:description>Ensure that the proper policies and procedures exist to set strong passwords.</cdf:description>
<cdf:rationale>Setting a strong password will help protect servers and users from unauthorized users gaining access to the SharePoint server. If strong passwords are not used, an unauthorized user could potentially crack the password and gain access to the data on the SharePoint server.</cdf:rationale>
<cdf:fixtext>Passwords should contain a minimum of 12 characters. Also, passwords should contain characters from at least 3 of the following:<xhtml:br/><xhtml:br/>     - uppercase letters<xhtml:br/>     - lowercase letters<xhtml:br/>     - numbers<xhtml:br/>     - special characters (e.g., !, @, #, $, %)<xhtml:br/></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint758" selected="1">
<cdf:title>SharePoint758</cdf:title>
<cdf:description>For an environment that requires an Internet-facing capability, or in a deployment of two or more servers, ensure that the Central Administration site is not hosted on a front-end Web server.</cdf:description>
<cdf:rationale>External malicious users could gain access to a front-end Web server; therefore, the Central Administration Web site should not be hosted on that server. If a malicious user gains access to the Central Administration site, data could be compromised.</cdf:rationale>
<cdf:fixtext>Self-explanatory. In the case where an Internet-facing capability is required, two or more servers will be needed so that the Central Administration site will not be on the front-end Web server.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint759" selected="1">
<cdf:title>SharePoint759</cdf:title>
<cdf:description>Block external access to the Central Administration site. </cdf:description>
<cdf:rationale>Blocking external access to the Central Administration site will help protect the Central Administration site against malicious external users.  If the Central Administration site is not blocked from external users then sensitive data could be at risk.</cdf:rationale>
<cdf:fixtext>Blocking external access to the Central Administration site can be achieved by placing a firewall between front-end Web servers and the server that hosts the Central Administration site. Configure the firewall with the following policies:<xhtml:br/>1. Disallow all HTTP access to the server hosting the Central Administration site.<xhtml:br/>2. Allow secure Web access from the front-end Web server on the non-published port that the Central Administration site is listening on.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint798" selected="1">
<cdf:title>SharePoint798</cdf:title>
<cdf:description>Install Microsoft SharePoint Server 2007-compatible antivirus software on every front-end web server in the farm.</cdf:description>
<cdf:rationale>A standard antivirus package for Windows Server 2003 will not scan items in the SharePoint databases. An antivirus program helps to protect content in the SharePoint environment. Therefore, it is necessary to purchase and install a SharePoint Server 2007-specific antivirus package. After the software is installed, follow recommendation 3.9 &quot;Configure antivirus settings&quot;.</cdf:rationale>
<cdf:fixtext>Self-explanatory.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint610" selected="1">
<cdf:title>SharePoint610</cdf:title>
<cdf:description>Install a SharePoint Server 2007-specific antivirus package.</cdf:description>
<cdf:rationale>A standard antivirus package for Windows Server 2003 will not scan items in the SharePoint databases. An antivirus program helps to protect content in the SharePoint environment. Therefore, it is necessary to purchase and install a SharePoint Server 2007-specific antivirus package. After the software is installed, the antivirus options need to be selected. The option settings determine whether files are scanned on upload, download, or both, and they define the actions to be taken on infected documents.</cdf:rationale>
<cdf:fixtext>Self-explanatory. See recommendation 3.9 &quot;Configure antivirus settings&quot; which describes how to configure global antivirus settings.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint592" selected="1">
<cdf:title>SharePoint592</cdf:title>
<cdf:description>Enable Secure Sockets Layer (SSL) on the Central Administration site.</cdf:description>
<cdf:rationale>The SharePoint Central Administration site allows an administrator to manage settings for the Web server and virtual servers. SSL protects data by encrypting the traffic that is transmitted over the network.</cdf:rationale>
<cdf:fixtext>The following link provides instructions to enable SSL on the Central Administration site:<xhtml:br/><xhtml:br/>http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stse10.mspx?mfr=true</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint616" selected="1">
<cdf:title>SharePoint616</cdf:title>
<cdf:description>Do not publish intranet IP addresses of SharePoint servers in the organization's external Domain Name System (DNS).</cdf:description>
<cdf:rationale>Many SharePoint deployments will have Internet-facing servers publishing the same data with different security controls in place. It is important to publish only the external IP addresses in DNS and not the intranet addresses. Publishing intranet addresses in an external Domain Name System would make the intranet addresses available to potential attackers.</cdf:rationale>
<cdf:fixtext>Self-explanatory.</cdf:fixtext>
</cdf:Rule>
</cdf:Group>


<cdf:Group id="CentralAdministration">
<cdf:title>Central Administration</cdf:title>
<cdf:description>This chapter provides recommendations for the Central Administration site. The recommendations focus on the following areas: Security Operations, Application Management, SharePoint Web Application Management, SharePoint Site Management, User Profiles and My Sites, Office SharePoint Server Shared Services, and Shared Services Administration Search. In order to manage SharePoint through the Central Administration site, a user must log in to the site as either a member of the server's local Administrators group or as a user configured as a SharePoint Administrator.</cdf:description>


<cdf:Rule id="SharePoint623" selected="1">
<cdf:title>SharePoint623</cdf:title>
<cdf:description>Create a new Single Sign-On (SSO) encryption key every 90 days if the Microsoft SSO service is enabled in the SharePoint deployment.</cdf:description>
<cdf:rationale>The encryption key encrypts and decrypts security credentials; therefore, creating a new encryption key every 90 days limits the amount of time that a compromised key can be used. </cdf:rationale>
<cdf:fixtext>Note: The first server that Microsoft Single Sign-On service (SSOSrv) is enabled on becomes the encryption-key server.<xhtml:br/><xhtml:br/>1. Log in to the Encryption Key Server as the SSO Administrator.<xhtml:br/>2. Log in to the Central Administration site as the SSO Administrator.<xhtml:br/>3. Select Operations &gt; Security Configuration.<xhtml:br/>4. Select Manage settings for single sign-on.<xhtml:br/>5. Select Manage encryption key.<xhtml:br/>6. Select Create Encryption Key.<xhtml:br/>7. Check the box &quot;Re-encrypt all credentials by using the new encryption key&quot;.<xhtml:br/>8. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint624" selected="1">
<cdf:title>SharePoint624</cdf:title>
<cdf:description>If the Microsoft Single Sign-On (SSO) service is enabled in the SharePoint deployment, create a new SSO encryption key and re-encrypt user credentials in the SSO database with the new encryption key immediately if it is suspected that account credentials or the encryption key have been compromised.</cdf:description>
<cdf:rationale>The encryption key is used to encrypt and decrypt the credentials that are stored in the SSO database. If account credentials and the encryption key are compromised by a malicious user, data on the system will not be secure. Changing the encryption key and re-encrypting user credentials can protect the data from being compromised.</cdf:rationale>
<cdf:fixtext>Note: Since the re-encryption process is a long-running job, re-encrypt credentials only at non-peak periods.<xhtml:br/><xhtml:br/>1. Log in to the encryption-key server as the SSO Administrator.<xhtml:br/>2. Log in to Central Administration as the SSO Administrator.<xhtml:br/>3. Navigate to Operations &gt; Security Configuration.<xhtml:br/>4. Select Manage settings for single sign-on.<xhtml:br/>5. Select Manage encryption key.<xhtml:br/>6. Select Create Encryption Key.<xhtml:br/>7. Check the box &quot;Re-encrypt all credentials by using the new encryption key&quot;.<xhtml:br/>8. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint748" selected="1">
<cdf:title>SharePoint748</cdf:title>
<cdf:description>In a farm configuration, select an application server to host the SSO encryption key server if the Microsoft SSO service is enabled in the SharePoint deployment.</cdf:description>
<cdf:rationale>An application server computer is not directly accessed by end-users and it is typically protected by additional layers of security, therefore making it the best choice to host the SSO encryption key server.</cdf:rationale>
<cdf:fixtext>Self-explanatory.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint749" selected="1">
<cdf:title>SharePoint749</cdf:title>
<cdf:description>Always log in to the Single Sign-On (SSO) encryption key server locally when configuring or managing SSO, if the Microsoft SSO service is enabled in the SharePoint deployment.</cdf:description>
<cdf:rationale>Logging on to the encryption key server locally helps protect against network attacks. Since the data on the encryption key server is highly sensitive, it is critical to access this server only locally and not remotely.</cdf:rationale>
<cdf:fixtext>Note: The first server that Microsoft Single Sign-On service (SSOSrv) is enabled on becomes the encryption key server.<xhtml:br/><xhtml:br/>The following steps describe how to access the SSO configuration items in Central Administration.<xhtml:br/><xhtml:br/>1. Log in to the SSO encryption-key server as the SSO Administrator.<xhtml:br/>2. Log in to Central Administration as the SSO Administrator.<xhtml:br/>3. Navigate to Operations &gt; Security Configuration.<xhtml:br/>4. Select Manage settings for single sign-on.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint599" selected="1">
<cdf:title>SharePoint599</cdf:title>
<cdf:description>Use Basic Authentication only in conjunction with an SSL-secured Web application.</cdf:description>
<cdf:rationale>Basic Authentication provides a Web application with a simple way to authenticate users using a username and password. The downside is that the username and password are sent over the intranet/Internet in plaintext. Thus, the username and password are easily compromised unless they are hidden by encryption. Secure Sockets Layer (SSL) protects the username and password from compromise because it transmits data over networks securely by encrypting the traffic. Since SSL adds complexity to the implementation and can affect server performance, consider whether transmitting the username and password in plaintext constitutes a risk in the SharePoint deployment.</cdf:rationale>
<cdf:fixtext>Ensure that SSL is enabled before enabling Basic Authentication; see recommendation 3.17 &quot;Enable SSL for Web Applications&quot;.<xhtml:br/><xhtml:br/>To enable Basic Authentication:<xhtml:br/><xhtml:br/>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Application Management &gt; Application Security.<xhtml:br/>3. Select Authentication Providers.<xhtml:br/>4. Select the relevant Web application.<xhtml:br/>5. Select the zone to modify.<xhtml:br/>NOTE: The following step is available only if Windows Authentication Type has been selected in the Authentication Type section.<xhtml:br/>6. In the IIS Authentication Settings section, check &quot;Basic authentication (password is sent in clear text)&quot;.<xhtml:br/>7. Select Save.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint600" selected="1">
<cdf:title>SharePoint600</cdf:title>
<cdf:description>Specify the set of blocked file types appropriate for the SharePoint deployment.</cdf:description>
<cdf:rationale>The blocked file types feature is a simple method for preventing certain file types from being uploaded to SharePoint. It prevents specific file types from being saved to or retrieved from any site on the server. If a user tries to save or retrieve a blocked file type, he or she will see an error and will not be able to save or retrieve the file. This capability provides a simple way to mitigate the threat of uploading undesirable files, such as those containing viruses or executables that are malicious. Note that users can change file extensions to circumvent the blocked file type configuration. For example, a user could change &quot;malicious.exe&quot; to &quot;malicious.exe.xls&quot; to circumvent the blocking of files with the &quot;exe&quot; extension. Some protection is still afforded, however, since double-clicking &quot;malicious.exe.xls&quot; will open the file in Excel rather than execute it.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Operations &gt; Security Configuration.<xhtml:br/>3. Select Blocked file types.<xhtml:br/>4. Select a Web Application (or accept the default).<xhtml:br/>5. Review the list of blocked types and add any additional types relevant to the particular deployment. Warning: do not remove extensions already in the list unless there is a compelling reason to do so.<xhtml:br/>6. Select OK.<xhtml:br/><xhtml:br/>To further counter the threat of changed file extensions, consider a separate product for managing viruses and malware that can integrate with SharePoint 2007, such as Microsoft Forefront.<xhtml:br/><xhtml:br/>NOTE: To allow a file type that is currently blocked, select it in the list of blocked file types and delete it. Deleting it for a given Web application does not delete it from the blocked file types list of any other Web application. Also note that the Note on the Blocked File Types page in Central Administration appears to be erroneous in referring to a &quot;global&quot; list of blocked file types; there does not appear to be any &quot;global&quot; list.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint719" selected="1">
<cdf:title>SharePoint719</cdf:title>
<cdf:description>Ensure that the auditing information management policy is configured to be available.</cdf:description>
<cdf:rationale>The auditing information management policy is configured by default to be available in new site and list policies. This feature makes auditing services available for auditing user actions on documents and list items to the Audit Log. Information in the Audit Log can help in troubleshooting and determining accountability.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Operations &gt; Security Configuration.<xhtml:br/>3. Select Information management policy configuration.<xhtml:br/>4. Select Auditing.<xhtml:br/>5. Select the Status option &quot;Available for use in new site and list policies&quot;.<xhtml:br/>6. Select Save.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint722" selected="1">
<cdf:title>SharePoint722</cdf:title>
<cdf:description>If external users require authenticated access to a SharePoint deployment, configure a pluggable authentication provider.</cdf:description>
<cdf:rationale>An authentication provider is a component that verifies user credentials.  Internal users can be verified through Windows authentication, while the pluggable authentication provider authenticates external users.</cdf:rationale>
<cdf:fixtext>The following documents describe pluggable authentication:<xhtml:br/><xhtml:br/>http://blogs.msdn.com/sharepoint/archive/2006/08/16/configuring-multiple-authentication-providers-for-sharepoint-2007.aspx<xhtml:br/><xhtml:br/>http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint807" selected="1">
<cdf:title>SharePoint807</cdf:title>
<cdf:description>Configure antivirus settings.</cdf:description>
<cdf:rationale>Configuring antivirus settings ensures that documents will be scanned for viruses upon download from and upload to the SharePoint server. Antivirus settings are not configured by default, leaving the documents downloaded from or uploaded to SharePoint open to potential viruses.</cdf:rationale>
<cdf:fixtext>First, follow the recommendation to &quot;Install a SharePoint Server 2007-specific antivirus package&quot;.<xhtml:br/><xhtml:br/>Next, follow these steps to configure antivirus settings:<xhtml:br/><xhtml:br/>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Operations &gt; Security Configuration.<xhtml:br/>3. Select Antivirus.<xhtml:br/>4. Check the following boxes:<xhtml:br/>4.1. Scan documents on upload.<xhtml:br/>4.2. Scan documents on download.<xhtml:br/>4.3. Attempt to clean infected documents.<xhtml:br/>5. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint751" selected="1">
<cdf:title>SharePoint751</cdf:title>
<cdf:description>Use an Information Rights Management (IRM) solution for documents needing access control when outside of the SharePoint environment.</cdf:description>
<cdf:rationale>Once a document has been downloaded from a SharePoint site, its content generally is no longer protected unless some form of information rights management has been embedded in the document. If a document contains highly sensitive information, it may be in the interests of the enterprise to provide embedded protection so that the information can be controlled regardless of where the document may go. If such documents are otherwise protected, IRM may not be needed. IRM allows content creators to control and protect their documents when disseminated outside of SharePoint in electronic form. IRM creates a set of access controls that live with the content and therefore control access even when the document is outside of the SharePoint library.</cdf:rationale>
<cdf:fixtext>Several vendors provide solutions. Microsoft provides the Windows Rights Management Services (RMS); see the following link:<xhtml:br/>http://technet2.microsoft.com/Office/en-us/library/073bfc71-7b01-4b77-bdc3-ac018889d54b1033.mspx?mfr=true<xhtml:br/><xhtml:br/>To configure Information Rights Management:<xhtml:br/><xhtml:br/>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Operations &gt; Security Configuration.<xhtml:br/>3. Select Information Rights Management.<xhtml:br/>4. Select the appropriate option.<xhtml:br/>5. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint727" selected="1">
<cdf:title>SharePoint727</cdf:title>
<cdf:description>Enable the "Prevents users from creating connections between Web Parts, and helps to improve security and performance" option.</cdf:description>
<cdf:rationale>Web Parts provide a means of connecting to data sources and integrating information from different data sources. Web Parts are custom pieces of code written by partners, IT, or individual developers. They can be unsafe or malicious. Following this recommendation reduces the attack surface available to a malicious Web Part. Specifically, Web Part connections allow Web Parts to discover each other on a page and communicate with one another, up to and including access to all sensitive information within the Web Part. Web Parts can be connected to libraries, lists, and to each other to reveal and manipulate data. Allowing users to create connections between Web Parts could increase the chance of malicious code execution if the Web Part being connected to is from an unknown party. In the event that enterprise policy allows such connections, administrators should carefully consider which Web Parts to make available to users to avoid such attacks.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Application Management &gt; Application Security.<xhtml:br/>3. Select Security for Web Part pages.<xhtml:br/>4. For each Web Application in the Web Application section repeat steps 5-7.<xhtml:br/>5. Select the correct Web Application in the Web Application section.<xhtml:br/>6. Select the &quot;Prevents users from creating connections between Web Parts, and helps to improve security and performance&quot; option in the Web Part Connections section.<xhtml:br/>7. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint728" selected="1">
<cdf:title>SharePoint728</cdf:title>
<cdf:description>Enable the "Prevents users from accessing the Online Web Part Gallery, and helps to improve security and performance" option for each web application.</cdf:description>
<cdf:rationale>Web Part galleries are groupings of Web Parts. There are four Web Part galleries: Closed Web Parts, Site Name Gallery, Server Gallery, and Online Gallery. The Online Gallery is a collection of Microsoft MSNBC Web Parts that are located on the Internet. Allowing users to access the Online Web Part Gallery causes a significant performance hit on the server, due to the server attempting to connect to the MSNBC online gallery. This could result in a denial of service. The Online Gallery could contain web parts from unknown third parties, which could increase the risk of a malicious code execution attack. Preventing users from accessing the Online Web Part Gallery decreases the system's attack surface.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Application Management &gt; Application Security.<xhtml:br/>3. Select Security for Web Part pages.<xhtml:br/>4. For each Web Application in the Web Application section repeat steps 5-7.<xhtml:br/>5. Select the next Web Application in the Web Application section.<xhtml:br/>6. Select the &quot;Prevents users from accessing the Online Web Part Gallery, and helps to improve security and performance&quot; option in the Online Web Part Gallery section.<xhtml:br/>7. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint729" selected="1">
<cdf:title>SharePoint729</cdf:title>
<cdf:description>Set the "Enable Self-Service Site Creation" option based on the deployment environment.</cdf:description>
<cdf:rationale>The Self-Service Site Management page can be used to allow users to create and manage their own top-level Web sites automatically. When self-service site creation is enabled for a Web application, users can create their own top-level Web sites under a specific path (by default, the /sites path). When self-service site creation is enabled, an announcement is added to the top-level site at the root path of the Web application, and users who have permissions to view that announcement can link to the new site. Whether self-service site creation should be enabled depends on the environment. For the Intranet environment, enable self-service site creation according to business need. For the secure collaboration environment, enable self-service site creation only for people or groups who have a business need for this feature. For the external anonymous environment, do not enable self-service site creation on the Internet.</cdf:rationale>
<cdf:fixtext>To set the &quot;Enable Self-Service Site Creation&quot; option:<xhtml:br/>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Application Management &gt; Application Security.<xhtml:br/>3. Select Self-Service site management.<xhtml:br/>4. For each Web Application in the Web Application section repeat steps 5-8.<xhtml:br/>5. Navigate to the Enable Self-Service Site Creation section.<xhtml:br/>6. Select the value [On or Off] as appropriate for the deployment.<xhtml:br/>7. (Optional) Select Require secondary contact.<xhtml:br/>8. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint736" selected="1">
<cdf:title>SharePoint736</cdf:title>
<cdf:description>Ensure that each web application is configured to provide only the required List, Site, and Personal permissions necessary for that web application.</cdf:description>
<cdf:rationale>There are three sets of rights with individual permissions that are automatically applied for every new Web application that is created: List, Site, and Personal permissions. List permissions include the standard user rights for viewing, adding, or deleting list items -- for example, manage lists, edit items, delete items, approve items, and add items. Site permissions handle rights available on sites throughout the entire site collection -- for example, the ability for a user to apply or change themes and borders or create groups and subsites to a site. Finally, Personal permissions allow users to add or modify personalized Web Parts to sites. Providing only the permissions necessary to use and manage the web application guards against erroneous use or modification of data.</cdf:rationale>
<cdf:fixtext>1.  Log in to Central Administration.<xhtml:br/>2.  Navigate to Application Management &gt; Application Security.<xhtml:br/>3.  Select User Permissions for Web Application.<xhtml:br/>4.  For each Web Application in the Web Application section, repeat steps 5 and 6.<xhtml:br/>5.  Select the Web Application.<xhtml:br/>6.  Review all List, Site, and Personal permission lists and ensure that the minimum user rights have been implemented.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint737" selected="1">
<cdf:title>SharePoint737</cdf:title>
<cdf:description>Ensure that users are granted the correct level of rights when accessing Web applications from a particular zone.</cdf:description>
<cdf:rationale>Policies are a new feature in SharePoint 2007. The Policy for Web Applications tool enables administrators to create centralized policies that affect top-level site collections as well as sites configured in the Web application. Administrators can create policies that determine the level of rights users are granted when connecting to a Web application from a specific zone. Examples of zones are Internet, Extranet, and Intranet. For example, if a user wants to access a site on the Internet and download files, and a zone policy is in place that allows Read access only, that user is prohibited from downloading files. If policies are being used, it is essential that only the users who should have access to specific zones are granted access that provides the appropriate level of rights. Failure to verify this could result in data being exposed to unauthorized people.</cdf:rationale>
<cdf:fixtext>1.  Log in to Central Administration.<xhtml:br/>2.  Navigate to Application Management &gt; Application Security.<xhtml:br/>3.  Select Policy for Web Applications.<xhtml:br/>4.  For each Web Application in the Web Application section, repeat steps 5 and 6.<xhtml:br/>5.  Select the Web Application of interest.<xhtml:br/>6.  Verify user permissions.<xhtml:br/><xhtml:br/>For additional information, see http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx</cdf:fixtext>
</cdf:Rule>


<cdf:Rule id="SharePoint774" selected="1">
<cdf:title>SharePoint774</cdf:title>
<cdf:description>When creating or extending a SharePoint web application, disable anonymous access to the SharePoint web application.</cdf:description>
<cdf:rationale>Anonymous access allows users to access a SharePoint Web site without authentication. However, the availability of anonymous access increases the susceptibility of the SharePoint deployment to malicious attacks. The default is for anonymous access to be disabled. In some cases, of course, a specific need to provide anonymous access may exist, such as an Internet facing deployment.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Application Management &gt; SharePoint Web Application Management.<xhtml:br/>3. Select Create or extend Web application.<xhtml:br/>4. Select Create a new Web application or Extend an existing Web application.<xhtml:br/>4.1. If extending an existing Web application, select the appropriate Web application.<xhtml:br/>5. Navigate to Security Configuration &gt; Allow Anonymous.<xhtml:br/>6. Select [No].<xhtml:br/>7. Enter other options with values appropriate to the deployment.<xhtml:br/>8. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint778" selected="1">
<cdf:title>SharePoint778</cdf:title>
<cdf:description>Enable SSL for Web Applications.</cdf:description>
<cdf:rationale>SSL provides an added layer of security by encrypting and authenticating data that is transferred over a network connection. SSL is disabled by default for web applications. If SSL is not in use, the data is not as well protected and is potentially exposed to integrity and confidentiality compromise. However, SSL adds overhead that may not be justified in cases where the exchanged data is not at all sensitive.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Application Management &gt; SharePoint Web Application Management.<xhtml:br/>3. Select Create or extend Web application.<xhtml:br/>4. Select Create a new Web application if creating a new application, or Extend an existing Web application if extending an existing application.<xhtml:br/>4.1. If extending an existing Web application, select the appropriate Web application.<xhtml:br/>5. Navigate to Security Configuration &gt; Use Secure Sockets Layer (SSL).<xhtml:br/>6. Select the option [Yes].<xhtml:br/>7. Enter other options with values appropriate to the deployment.<xhtml:br/>8. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint779" selected="1">
<cdf:title>SharePoint779</cdf:title>
<cdf:description>To completely delete the information associated with a SharePoint Web application use the "Delete Web Application" capability.</cdf:description>
<cdf:rationale>The &quot;Delete Web Application&quot; capability can be used to remove a Web application including its content databases. The &quot;Remove SharePoint from IIS Web site&quot; capability can be used to remove a site but does not provide the option to remove its content databases. Using the &quot;Delete Web Application&quot; capability to remove the content databases protects against data leaks from the residual content databases that would be left by the &quot;Remove SharePoint from IIS Web site&quot; capability.</cdf:rationale>
<cdf:fixtext>Note: Consider backing up the web site and content databases before taking this action.<xhtml:br/><xhtml:br/>Caution: Deleting the content database and all IIS Web sites will disable any non-SharePoint application that was using one or more of those IIS Web sites.<xhtml:br/><xhtml:br/>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Application Management &gt; SharePoint Web Application Management.<xhtml:br/>3. Select Delete Web application.<xhtml:br/>4. Select the Web Application to be deleted.<xhtml:br/>5. Navigate to Deletion Options &gt; Delete content databases.<xhtml:br/>6. Select [Yes].<xhtml:br/>7. Navigate to Delete IIS Web sites.<xhtml:br/>8. Select [Yes].<xhtml:br/>9. Select Delete.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint780" selected="1">
<cdf:title>SharePoint780</cdf:title>
<cdf:description>After creating a new web application, specify an appropriate quota template for the default site collection of the new web application.</cdf:description>
<cdf:rationale>Quota templates are used to specify the site storage size limit. By default, no quota template is selected for the default site collection of a new web application. Uncontrolled growth of a site collection may degrade the performance of the deployment and even disrupt its functionality. The selected template should be specified based on the types of sites being deployed and the capacity of the available hardware.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Application Management &gt; SharePoint Web Application Management.<xhtml:br/>3. Select Web application general settings.<xhtml:br/>4. Select the Web application.<xhtml:br/>5. Select Default Quota Template.<xhtml:br/>6. If an appropriate quota template exists, select it from the dropdown under &quot;Select quota template&quot; and go to step 11; otherwise, continue with step 7 to create a new quota template.<xhtml:br/>7. Navigate to Default Quota Template.<xhtml:br/>8. Select Quota Templates.<xhtml:br/>9. Select Create a new quota template.<xhtml:br/>10. Enter a new name in the New template name textbox.<xhtml:br/>11. Navigate to the Storage Limit Values section:<xhtml:br/>11.1. Check the checkbox to enable &quot;Limit site storage to a maximum of:&quot; and enter a value.<xhtml:br/>11.2. Check the checkbox to enable &quot;Send warning E-mail when site storage reaches:&quot; and enter a value.<xhtml:br/>12. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint799" selected="1">
<cdf:title>SharePoint799</cdf:title>
<cdf:description>Verify that the "Security validation is" property is set to [On].</cdf:description>
<cdf:rationale>Without security validation being enabled, once a user authenticates, he or she will be able to access a site indefinitely in a given session. Enabling validation reduces the chance that a page will be accessed by an unauthorized person while the authenticated user is absent. It forces the user to reauthenticate after a specified inactivity period is exceeded.</cdf:rationale>
<cdf:fixtext>To verify that the &quot;Security validation is&quot; property is set to [On]:<xhtml:br/><xhtml:br/>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Application Management &gt; SharePoint Web Application Management.<xhtml:br/>3. Select Web application general settings.<xhtml:br/>4. Select a Web Application.<xhtml:br/>5. Navigate to Web Page Security Validation.<xhtml:br/>6. Verify that the &quot;Security validation is&quot; property is set to [On].<xhtml:br/>7. Verify that the &quot;Security validation expires:&quot; property is set to [After].<xhtml:br/>8. Accept the default timeout period of 30 minutes or shorten it if appropriate.<xhtml:br/>9. If changes have been made, select OK; otherwise, select Cancel.<xhtml:br/>10. Repeat steps 3 through 9 for each Web Application.</cdf:fixtext>
</cdf:Rule>

<cdf:Rule id="SharePoint808" selected="1">
<cdf:title>SharePoint808</cdf:title>
<cdf:description>Configure the policy for profile services according to organizational policies.</cdf:description>
<cdf:rationale>User profiles can display a broad range of information about the user, some of which may be sensitive. Sensitive information should be displayed only to users that have a business need to see it. Policy for profile services determines which attributes are shown in user profiles and specifies which users can see each attribute.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Shared Services Administration.<xhtml:br/>3. Select the shared service to manage.<xhtml:br/>4. Log in to the service.<xhtml:br/>5. Navigate to User Profiles and My Site.<xhtml:br/>6. Select Profile services policies.<xhtml:br/>7. In the Manage Policy section, choose the policy items for which the default values are not appropriate.<xhtml:br/>8. Select Edit policy and enter the new value. Otherwise, use the default values.<xhtml:br/>9. Select OK.<xhtml:br/>10. Repeat steps 3 through 9 for each Shared Services Provider.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint810" selected="1">
<cdf:title>SharePoint810</cdf:title>
<cdf:description>When configuring My Site settings, include in the Default Reader Site Group only the accounts that require read access to future My Sites.</cdf:description>
<cdf:rationale>The Default Reader Site Group specifies the accounts that will be added as Readers in My Sites that are created. Note that changes to the Default Reader Site Group will affect only My Sites created after the change. Note also that the default member of the Default Reader Site Group is the &quot;NT AUTHORITY\authenticated users&quot; group. If the user(s) of an included account do not have a need to know, the information at the My Site(s) could be compromised.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Shared Services Administration.<xhtml:br/>3. Select the shared service to manage.<xhtml:br/>4. Log in to the service.<xhtml:br/>5. Navigate to User Profiles and My Sites.<xhtml:br/>6. Select My Site settings.<xhtml:br/>7. Navigate to the Default Reader Site Group section.<xhtml:br/>8. Remove the &quot;NT AUTHORITY\authenticated users&quot; group account if appropriate.<xhtml:br/>9. Add or remove user or group accounts, as appropriate.<xhtml:br/>10. Select OK.<xhtml:br/>11. Repeat steps 3 through 10 for each Shared Services Provider.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint812" selected="1">
<cdf:title>SharePoint812</cdf:title>
<cdf:description>Grant Shared Service Rights only to users that have a business need to manage shared services, and grant to these users only the permissions for which they have a business need.</cdf:description>
<cdf:rationale>Users that have Shared Service Rights can manage shared services. Users not having a specific business need to manage shared services, such as &quot;Manage User Profiles&quot; and &quot;Manage Permissions&quot;, may negatively affect the performance of the deployment and even stop it from functioning correctly. Following this recommendation implements the principle of least privilege, which generally reduces exposure to risk.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Shared Services Administration.<xhtml:br/>3. Select the shared service to manage.<xhtml:br/>4. Log in to the service.<xhtml:br/>5. Navigate to User Profiles and My Sites.<xhtml:br/>6. Select Personalization Services Permissions.<xhtml:br/>7. Remove unnecessary users and groups by checking the checkboxes next to them and selecting Remove Selected Users.<xhtml:br/>8. Repeat steps 9 through 12 for each remaining user and group.<xhtml:br/>9. Check the checkbox of the user or group.<xhtml:br/>10. Select Modify Permissions of Selected Users.<xhtml:br/>11. Ensure that the selected user or group has only the minimally required set of permissions, making changes as needed.<xhtml:br/>12. Select OK.<xhtml:br/>13. Repeat steps 4 through 12 for each Shared Services Provider.<xhtml:br/><xhtml:br/>If additional users or groups are needed, ensure that each has only the minimally required set of permissions when adding them (using &quot;Add Users/Groups&quot;).</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint813" selected="1">
<cdf:title>SharePoint813</cdf:title>
<cdf:description>Enter into the "URLs to remove" text field any URLs that should not appear in search results.</cdf:description>
<cdf:rationale>The &quot;URLs to remove&quot; text field is used to specify the URLs that should be removed from search results. The specified URLs will be removed from search results immediately when the Remove Now button is clicked. Also, crawl rules will be created to exclude the specified URLs from future crawls. The existence of some SharePoint resources, such as sites, documents, or lists, should be known only to users who have a business need to know. Displaying the URLs of such resources in search results reveals their existence, which may also suggest what information is held in that resource.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Shared Services Administration.<xhtml:br/>3. Select the shared service to manage.<xhtml:br/>4. Log in to the service.<xhtml:br/>5. Navigate to Search.<xhtml:br/>6. Select Search settings.<xhtml:br/>7. Select Search result removal.<xhtml:br/>8. Enter the URLs to remove in the URLs to remove text field.<xhtml:br/>9. Select Remove Now.<xhtml:br/>Note: This recommendation should be implemented each time a URL (for example, the path to a new subsite containing sensitive information) needs to be excluded from the search results.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint815" selected="1">
<cdf:title>SharePoint815</cdf:title>
<cdf:description>Specify a quota template when creating a top-level Web site.</cdf:description>
<cdf:rationale>Quota templates help manage site and server resources.  A quota template identifies the amount of storage allocated for a given site.  If no storage limit is set, a site could use so many resources that other sites will not be able to function properly.</cdf:rationale>
<cdf:fixtext>1.  Log in to Central Administration.<xhtml:br/>2.  Navigate to Application Management &gt; SharePoint Site Management.<xhtml:br/>3.  Select Create site collection.<xhtml:br/>4.  Fill in all the required fields to create a new top-level Web site.<xhtml:br/>5.  Either define a new quota template by selecting Manage Quota Templates, or select a predefined template, and ensure that the storage limit values are set appropriately.<xhtml:br/>6.  Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint816" selected="1">
<cdf:title>SharePoint816</cdf:title>
<cdf:description>Verify that the "Automatically delete the site collection if use is not confirmed" property is not enabled for each web application.</cdf:description>
<cdf:rationale>Automatic deletion is an administrative feature that can delete unused sites without administrative intervention and without a backup mechanism. Automatic deletion permanently removes all content and information from the site collection and any sites beneath it. If the site collection administrator or secondary site collection administrator fails to confirm a site is still in use when receiving an email notification asking if the site is still in use, the site is automatically deleted. This could result in a denial of service to the users of that site. Also, data could be lost if a backup was not made prior to removing the site collection.</cdf:rationale>
<cdf:fixtext>To verify that a Web application has not been set up for automatic deletion, do the following:<xhtml:br/><xhtml:br/>1.  Log in to Central Administration.<xhtml:br/>2.  Navigate to Application Management &gt; SharePoint Site Management.<xhtml:br/>3.  Select Site use confirmation and deletion.<xhtml:br/>4.  Repeat the following steps for each web application:<xhtml:br/>  4.1. Select the Web Application.<xhtml:br/>  4.2. Verify that the &quot;Automatically delete the site collection if use is not confirmed&quot; checkbox is not checked.</cdf:fixtext>
</cdf:Rule>
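The web application settings that the self-service site creation rule above and rules SharePoint774, SharePoint778, SharePoint780, SharePoint799 and SharePoint816 ask an administrator to check one page at a time are also exposed by the WSS 3.0 object model, so they can be audited across every web application in one pass. The following PowerShell audit script is an added example, not part of this benchmark or of Microsoft's tooling. It assumes PowerShell on a SharePoint 2007 server, run as a farm administrator with the Microsoft.SharePoint assembly available, and the property names it reads (SelfServiceSiteCreationEnabled, IisSettings, AllowAnonymous, SecureBindings, DefaultQuotaTemplate, FormDigestSettings, AutomaticallyDeleteUnusedSiteCollections) are from the editor's recollection of the SDK and should be verified there before the output is relied on.

```powershell
# Added audit script (not part of the benchmark). Assumed environment: PowerShell
# on a SharePoint 2007 server, run as a farm administrator; the WSS 3.0 object
# model property names used below should be confirmed against the SDK.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function New-Finding([string]$Rule, [string]$WebApp, [string]$Detail) {
    # One finding per line: "rule | web application | what was found"
    return ("{0} | {1} | {2}" -f $Rule, $WebApp, $Detail)
}

function Test-WebAppChecklist {
    # Returns an array of finding strings; an empty array means every content
    # web application passed the checks below.
    param([int]$MaxDigestTimeoutMinutes = 30)   # SharePoint799 keeps the 30-minute default

    $findings = @()
    $content = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    foreach ($wa in $content.WebApplications) {
        $name = $wa.DisplayName

        # Self-service site creation rule: on only where there is a business need,
        # so every web application that has it on is reported for review.
        if ($wa.SelfServiceSiteCreationEnabled) {
            $findings += New-Finding "SelfServiceSiteCreation" $name "Self-service site creation is ON; confirm a business need"
        }

        # SharePoint774 and SharePoint778 apply to every zone the web application
        # has been extended to, so iterate the per-zone IIS settings.
        foreach ($zone in $wa.IisSettings.Keys) {
            $iis = $wa.IisSettings[$zone]
            if ($iis.AllowAnonymous) {
                $findings += New-Finding "SharePoint774" $name ("Zone {0} allows anonymous access" -f $zone)
            }
            if ($iis.SecureBindings.Count -eq 0) {
                $findings += New-Finding "SharePoint778" $name ("Zone {0} has no SSL binding" -f $zone)
            }
        }

        # SharePoint780: a default quota template must be selected.
        if ([string]::IsNullOrEmpty($wa.DefaultQuotaTemplate)) {
            $findings += New-Finding "SharePoint780" $name "No default quota template selected"
        }

        # SharePoint799: security validation on, set to expire, and within the timeout.
        $digest = $wa.FormDigestSettings
        if (-not $digest.Enabled) {
            $findings += New-Finding "SharePoint799" $name "Security validation is OFF"
        } elseif (-not $digest.Expires) {
            $findings += New-Finding "SharePoint799" $name "Security validation is set to never expire"
        } elseif ($digest.Timeout.TotalMinutes -gt $MaxDigestTimeoutMinutes) {
            $findings += New-Finding "SharePoint799" $name ("Security validation timeout is {0} minutes" -f $digest.Timeout.TotalMinutes)
        }

        # SharePoint816: unconfirmed site collections must not be deleted automatically.
        if ($wa.AutomaticallyDeleteUnusedSiteCollections) {
            $findings += New-Finding "SharePoint816" $name "Automatic deletion of unconfirmed site collections is enabled"
        }
    }
    return $findings
}

# Usage: print one line per finding.
Test-WebAppChecklist | ForEach-Object { Write-Output $_ }
```

Central Administration itself lives under SPWebService.AdministrationService rather than ContentService, so extend the loop if that web application should be included in the report.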
<cdf:Rule id="SharePoint821" selected="1">
<cdf:title>SharePoint821</cdf:title>
<cdf:description>Define a secondary site collection administrator when creating a new site collection.</cdf:description>
<cdf:rationale>If a site reaches its maximum size, users will be denied access until an administrator fixes the problem.  Having a secondary administrator reduces the risk of having a denial of service on a site.  If the site reaches its maximum size, the secondary administrator can fix the problem if the primary administrator is not available. In some situations, having a secondary site administrator could be inappropriate for reasons of control or confidentiality.</cdf:rationale>
<cdf:fixtext>1.  Log in to Central Administration.<xhtml:br/>2.  Navigate to Application Management &gt; SharePoint Site Management.<xhtml:br/>3.  Select Create site collection.<xhtml:br/>4.  Fill in all the required fields to create a new top-level Web site.<xhtml:br/>5.  Define a Secondary Site Collection Administrator.<xhtml:br/>6.  Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint822" selected="1">
<cdf:title>SharePoint822</cdf:title>
<cdf:description>Identify the SMTP mail server in the outgoing e-mail settings.</cdf:description>
<cdf:rationale>E-mail messages are sent to site administrators when a site approaches its maximum size.  If the outgoing e-mail server has not been identified in the e-mail settings, no e-mail will be sent to site administrators to fix the problem.  If a site reaches its maximum size, users will be denied access to the site.</cdf:rationale>
<cdf:fixtext>Caution: SMTP must be installed on the server (in this case Windows Server 2003) in order for SharePoint to send the e-mails.<xhtml:br/><xhtml:br/>1.  Log in to Central Administration.<xhtml:br/>2.  Navigate to Operations &gt; Topology and Services.<xhtml:br/>3.  Select Outgoing e-mail settings.<xhtml:br/>4.  Enter the SMTP server in the Outbound SMTP server field.<xhtml:br/>5.  In the From address box, enter the address as it should appear to e-mail recipients.<xhtml:br/>6.  In the Reply-to address box, enter the e-mail address that recipients will reply to.<xhtml:br/>7.  In the Character set menu, select the appropriate character set.<xhtml:br/>8.  Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint899" selected="1">
<cdf:title>SharePoint899</cdf:title>
<cdf:description>Do not enable client-side automatic logon on any Internet Explorer that is used to access the Central Administration web application.</cdf:description>
<cdf:rationale>Automatic logon does not require the user to type the username and password for the Central Administration site; it simply uses the credentials of the user that is logged into the system. If a malicious user gains access to a system that can launch the Central Administration site and automatic logon is turned on, that user would gain access to the Central Administration site.</cdf:rationale>
<cdf:fixtext>To check Internet Explorer browser settings, do the following:<xhtml:br/>1. Start up Internet Explorer (IE).<xhtml:br/>2. Select Internet Options from the Tools menu.<xhtml:br/>3. Select Security.<xhtml:br/>4. Select Custom level.<xhtml:br/>5. Scroll to the bottom of the window.<xhtml:br/>6. Navigate to User Authentication &gt; Logon.<xhtml:br/>7. Ensure that the &quot;Prompt for username and password&quot; box is selected.<xhtml:br/>8. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint1082" selected="1">
<cdf:title>SharePoint1082</cdf:title>
<cdf:description>Verify that URLs that should not appear in search results are specified in "exclude" crawl rules.</cdf:description>
<cdf:rationale>The Manage Crawl Rules window specifies URLs to include or exclude from the crawl. It shows a list of URLs that have been specified to be included or excluded in the crawl. The existence of some SharePoint resources, such as sites, documents, or lists, should be known only to users who have a business need to know. Displaying the URLs of such resources in search results reveals their existence, which may also suggest what information is held in that resource.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Shared Services Administration.<xhtml:br/>3. Select the shared service to manage.<xhtml:br/>4. Log in to the service.<xhtml:br/>5. Navigate to Search.<xhtml:br/>6. Select Search settings.<xhtml:br/>7. Select Crawl Rules.<xhtml:br/>8. Verify that the list of exclude rules includes all the URLs that should not appear in search results.<xhtml:br/><xhtml:br/>For additional information, refer to: http://technet2.microsoft.com/Office/en-us/library/3b45788c-7169-4a97-9a13-b6668ba7b7b91033.mspx?mfr=true</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint594" selected="1">
<cdf:title>SharePoint594</cdf:title>
<cdf:description>Use Microsoft Internet Explorer 6.x or later to access Central Administration.</cdf:description>
<cdf:rationale>In order to have complete access to all functionality, Microsoft recommends using Internet Explorer 6.x or later.  If an older browser is used, some functionality might not be supported in the Central Administration site, which is clearly a denial of service.</cdf:rationale>
<cdf:fixtext>Self-explanatory.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint740" selected="1">
<cdf:title>SharePoint740</cdf:title>
<cdf:description>Set the "Allow external users to participate in workflow by sending them a copy of the document?" option to [No].</cdf:description>
<cdf:rationale>When selected, this option in Central Administration enables a workflow to be configured so that an external user, one who has no access to the SharePoint site, can receive a copy of a document as an email attachment. This should not be allowed in an environment in which documents may contain sensitive information whose dissemination must be controlled. In some open environments, however, this option could provide convenient functionality.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Application Management &gt; Workflow Management.<xhtml:br/>3. Select Workflow settings.<xhtml:br/>4. Select a Web Application.<xhtml:br/>5. Navigate to Workflow Task Notifications.<xhtml:br/>6. Select the [No] option for &quot;Allow external users to participate in workflow by sending them a copy of the document?&quot;.<xhtml:br/>7. Select other options as desired.<xhtml:br/>8. Select OK.<xhtml:br/>Repeat steps 3 through 8 for each Web Application.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint757" selected="1">
<cdf:title>SharePoint757</cdf:title>
<cdf:description>Grant the right 'Create personal site' only to users that have a business need to have a personal site.</cdf:description>
<cdf:rationale>By default, all authenticated users can create a My Site. This recommendation grants this right only to users having a business need to have such a site. Allowing all users to have personal sites increases the risk of inappropriate or extraneous content. In situations where the need for all users to have personal sites does not exist, the implementation of this recommendation has the potential to increase the security of the deployment and to improve performance.</cdf:rationale>
<cdf:fixtext>Follow steps 1-8 to remove the 'Create personal site' permission from the NT AUTHORITY\Authenticated Users group.<xhtml:br/><xhtml:br/>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Shared Services Administration.<xhtml:br/>3. Select the Shared Services Provider.<xhtml:br/>4. Select Personalization services permissions.<xhtml:br/>5. Check the box next to the &quot;NT AUTHORITY\Authenticated Users&quot; group.<xhtml:br/>6. Select Modify permissions of selected users.<xhtml:br/>7. Uncheck the 'Create personal site' box.<xhtml:br/>8. Select Save.<xhtml:br/><xhtml:br/>Follow these steps to grant specific users the right 'Create personal site':<xhtml:br/>1. Select Add Users/Groups.<xhtml:br/>2. Navigate to Choose Users.<xhtml:br/>3. Enter user and group names.<xhtml:br/>4. Navigate to Choose permissions.<xhtml:br/>5. Check Create personal site.<xhtml:br/>6. Select Save.</cdf:fixtext>
</cdf:Rule>
</cdf:Group>





<cdf:Group id="SiteAdministration">
<cdf:title>Site Administration</cdf:title>
<cdf:description>This chapter provides recommendations that are implemented at the Site level.</cdf:description>
<cdf:Rule id="SharePoint716" selected="1">
<cdf:title>SharePoint716</cdf:title>
<cdf:description>Exclude any sensitive content from the SharePoint crawl.</cdf:description>
<cdf:rationale>A crawler is a program that connects to and reads information in order to create entries for a search engine index. SharePoint includes a crawler that extracts data from various content sources. When a user does a search over the crawled content, the results of the search include identification of all sources matching the search criteria whether a user has permission to view the source or not. Thus, the listing of restricted content in the search results can lead to information disclosure. There is an obvious downside to this: individual documents, lists, sites, and so on that are excluded from the crawl become unavailable for searching by users who are authorized to view the sources.</cdf:rationale>
<cdf:fixtext>The following methods can be used:<xhtml:br/><xhtml:br/>Page designers can add the &lt;META NAME=&quot;ROBOTS&quot; CONTENT=&quot;NOHTMLINDEX&quot;/&gt; element manually to all pages that they do not want the index server to crawl.<xhtml:br/><xhtml:br/>At the site level:<xhtml:br/>1. Navigate to Site Actions &gt; Site Settings &gt; Modify All Site Settings &gt; Site Administration.<xhtml:br/>2. Select Search Visibility.<xhtml:br/>3. Navigate to Allow this web to appear in search results.<xhtml:br/>4. Select the option [No].<xhtml:br/>5. Select OK.<xhtml:br/><xhtml:br/>Exclude content in a list or library from search results:<xhtml:br/>1. Select the list or the library that contains content that should not appear in search results.<xhtml:br/>2. Navigate to the Settings menu.<xhtml:br/>3. Select Document Library Settings for a library or List Settings for a list.<xhtml:br/>4. Navigate to General Settings.<xhtml:br/>5. Select Advanced Settings.<xhtml:br/>6. Navigate to Search.<xhtml:br/>7. Select the option [No].<xhtml:br/>8. Select OK.</cdf:fixtext>
</cdf:Rule>
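The site-level and list-level search visibility settings in the SharePoint716 procedures above correspond to the SPWeb.NoCrawl and SPList.NoCrawl properties of the WSS 3.0 object model, which makes it possible to list everything a farm currently excludes from the crawl and, just as usefully, which webs are still crawlable. The following PowerShell script is an added example, not part of this benchmark or of Microsoft's tooling; it assumes PowerShell 2.0 or later on a SharePoint 2007 server, run as a farm administrator with the Microsoft.SharePoint assembly available.

```powershell
# Added audit script (not part of the benchmark). Assumed environment: PowerShell
# 2.0 or later on a SharePoint 2007 server, run as a farm administrator.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Get-CrawlExclusions {
    # Returns one line per web and per list that is excluded from the crawl.
    # With -IncludeCrawlable, webs that are still crawlable are listed too, so
    # a site that holds sensitive content but was never excluded stands out.
    param([switch]$IncludeCrawlable)

    $lines = @()
    $content = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    foreach ($wa in $content.WebApplications) {
        foreach ($site in $wa.Sites) {
            try {
                foreach ($web in $site.AllWebs) {
                    try {
                        # "Allow this web to appear in search results" = [No]
                        if ($web.NoCrawl) {
                            $lines += ("EXCLUDED web  " + $web.Url)
                        } elseif ($IncludeCrawlable) {
                            $lines += ("crawlable web " + $web.Url)
                        }
                        # Each list or library carries its own Advanced Settings
                        # "Search" flag, independent of the web's setting.
                        foreach ($list in $web.Lists) {
                            if ($list.NoCrawl) {
                                $lines += ("EXCLUDED list " + $web.Url + " :: " + $list.Title)
                            }
                        }
                    } finally {
                        $web.Dispose()   # SPWeb holds unmanaged resources
                    }
                }
            } finally {
                $site.Dispose()          # so does SPSite
            }
        }
    }
    return $lines
}

# Usage: list exclusions together with the webs that remain crawlable.
Get-CrawlExclusions -IncludeCrawlable | ForEach-Object { Write-Output $_ }
```

Pages that rely only on the NOHTMLINDEX META element are not visible to this check, since that exclusion lives in the page markup rather than in the object model.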
<cdf:Rule id="SharePoint717" selected="1">
<cdf:title>SharePoint717</cdf:title>
<cdf:description>Do not create Best Bets for information whose existence should not be revealed to users who are not authorized to access the information.</cdf:description>
<cdf:rationale>Best Bets are associated with keywords and their synonyms. A Best Bet is a link to information that is highly relevant to the keyword or one of its synonyms. So, when a user includes a keyword in a search, the Best Bet location appears in the Best Bet Web Part on the search results page. The purpose is to direct users to items the enterprise administrator has identified as most appropriate. However, in some situations the existence of the Best Bet (the target information that the user will be directed to) should not be revealed to users who are not authorized to access that information. In such a situation, creating the Best Bet potentially compromises sensitive information. At the same time, though, the Best Bet feature is denied to authorized users who can search over the same space as unauthorized users.</cdf:rationale>
<cdf:fixtext>Self-explanatory.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint835" selected="1">
<cdf:title>SharePoint835</cdf:title>
<cdf:description>Set the "Auto-accept requests?" property to [No] when creating new site groups.</cdf:description>
<cdf:rationale>If auto-accept is enabled in Site Settings, users will automatically be added to the site group when they make a request to join the group. They will have the permissions of the group to which they are added, and this might include access to subsites. Thus, the site owner will not have control over who becomes a member of the group, thereby enabling frivolous use of the site. Groups that are specifically designed to allow public membership should, of course, have the &quot;Auto-accept requests?&quot; property set to [Yes].</cdf:rationale>
<cdf:fixtext>At the site level:<xhtml:br/>1. Navigate to Site Actions &gt; Site Settings &gt; People and groups.<xhtml:br/>2. On the New dropdown list, select New Group.<xhtml:br/>3. On the New Group Page:<xhtml:br/>3.1. Enter Name and About Me Description.<xhtml:br/>3.2. Enter Owner.<xhtml:br/>3.3. Configure Group Settings options.<xhtml:br/>3.4. Navigate to the Membership Requests section.<xhtml:br/>3.5. Set the &quot;Allow requests to join/leave this group?&quot; property to [Yes] or [No] as appropriate for the site.<xhtml:br/>3.6. Navigate to the Auto-accept requests? section.<xhtml:br/>3.7. If the &quot;Allow requests to join/leave this group?&quot; property has been set to [No], the &quot;Auto-accept requests?&quot; property options are disabled and the property defaults to [No]; otherwise, select [No].<xhtml:br/>3.8. In the Give Group Permission to this Site section, set the group permissions as appropriate.<xhtml:br/>4. Select Create.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint836" selected="1">
<cdf:title>SharePoint836</cdf:title>
<cdf:description>Set the "Who can edit the membership of the group?" property to [Group Owner] when creating new site groups.</cdf:description>
<cdf:rationale>Adding and removing group members may have security implications for the sites to which that group has access: careless or inadvertent addition or deletion of members may endanger the security of those sites. Only the owner of the group should have this capability. If only the owner of the group can edit the membership of the group, the risk of having undesired members in the group is significantly reduced.</cdf:rationale>
<cdf:fixtext>At the site level:<xhtml:br/>1. Navigate to Site Actions &gt; Site Settings &gt; People and Groups.<xhtml:br/>2. Select New.<xhtml:br/>3. Select New Group from the drop-down list.<xhtml:br/>4. On the New Group Page:<xhtml:br/>4.1. Enter Name and About Me Description.<xhtml:br/>4.2. Enter Owner.<xhtml:br/>4.3. Configure Group Settings options.<xhtml:br/>4.4. Navigate to Who can edit membership of the group? section.<xhtml:br/>4.5. Select [Group Owner].<xhtml:br/>5. Select Create.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint934" selected="1">
<cdf:title>SharePoint934</cdf:title>
<cdf:description>Set the "Who can view the membership of the group?" property to [Group Members] when creating new site groups.</cdf:description>
<cdf:rationale>The alternative to this recommendation is to allow Everyone to view the members of the group. In some situations, however, knowing the membership of a group can reveal other sensitive information. This might be the case in a collaborative environment in which people from different functional organizations are members of the same group to accomplish some team objective. In such a case, knowing the membership of the group could reveal some part or all of their objective, which may be sensitive information.</cdf:rationale>
<cdf:fixtext>At the site level:<xhtml:br/>1. Navigate to Site Actions &gt; Site Settings &gt; People and Groups.<xhtml:br/>2. Select New.<xhtml:br/>3. Select New Group from the drop-down list.<xhtml:br/>4. On the New Group Page:<xhtml:br/>4.1. Enter Name and About Me Description.<xhtml:br/>4.2. Enter Owner.<xhtml:br/>4.3. Configure Group Settings options.<xhtml:br/>4.4. Navigate to Who can view membership of the group? section.<xhtml:br/>4.5. Select [Group Members].<xhtml:br/>5. Select Create.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint943" selected="1">
<cdf:title>SharePoint943</cdf:title>
<cdf:description>Create information management policies.</cdf:description>
<cdf:rationale>Information management policy usage reports can contribute to an understanding of how records are being managed and whether users are complying with policy. This is especially relevant for organizations that must comply with legal or regulatory requirements. For example, a Human Resources policy, used in an organization to ensure that employee records are handled in accordance with legally recommended guidelines, could include features such as auditing, retention periods, and labels for physical copies. Information management policy usage reports are enabled by the Central Administration administrator, while specific information management policies are created by site administrators. Naturally, if policies are not relevant to the organization's activities and records management, the information management policy usage reports may be superfluous.</cdf:rationale>
<cdf:fixtext>At the top-level site:<xhtml:br/>1. Navigate to Site Actions &gt; Site Settings &gt; Modify All Site Settings &gt; Site Collection Administration.<xhtml:br/>2. Select Site collection policies.<xhtml:br/>3. Select Create.<xhtml:br/>4. Enter Name, Administrative Description, and Policy Statement text.<xhtml:br/>5. Check one or more of the policy enabling checkboxes, such as Enable Labels, as appropriate for the policy being created, and complete the specific entries needed for the checked items.<xhtml:br/>6. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint1079" selected="1">
<cdf:title>SharePoint1079</cdf:title>
<cdf:description>Verify that existing Best Bets do not reveal sensitive information.</cdf:description>
<cdf:rationale>Best Bets are associated with keywords and their synonyms. A Best Bet is a link to the information that is highly relevant to the keyword or one of its synonyms. So, when a keyword is used in a search by a user, the Best Bet location appears in the Best Bet Web Part on the search results page. The purpose is to direct users to items the enterprise administrator has identified as most appropriate. However, in some situations the existence of the Best Bet (that is, the target information that the user will be directed to) should not be revealed to users who are not authorized to access that information. In such a situation, the Best Bet potentially compromises sensitive information. Since sensitive content may periodically be added to document libraries or lists, an existing Best Bet might compromise the information.</cdf:rationale>
<cdf:fixtext>Follow these steps to review Best Bets and to verify that they do not point to sensitive information:<xhtml:br/><xhtml:br/>1. Navigate to the top-level site of the site collection.<xhtml:br/>2. Navigate to Site Actions &gt; Site Settings &gt; Modify All Site Settings.<xhtml:br/>3. Navigate to Site Collection Administration.<xhtml:br/>4. Select Search keywords.<xhtml:br/>5. Select a Keyword, under the Keyword column, and choose Edit in the dropdown.<xhtml:br/>6. Navigate to Best Bets on the Edit Keyword page.<xhtml:br/>7. Review and verify that the listed Best Bets do not point to sensitive information. To see the URL and Description associated with a Best Bet, select Edit in the row of the Best Bet.<xhtml:br/>8. If a Best Bet points to sensitive information, select Remove in the row of the Best Bet.<xhtml:br/>9. Select OK if any Best Bets have been removed; otherwise, select Cancel.<xhtml:br/>10. Repeat steps 5-9 for each existing Best Bet.</cdf:fixtext>
</cdf:Rule>
</cdf:Group>
<cdf:Group id="BackupandRecovery">
<cdf:title>Backup and Recovery</cdf:title>
<cdf:description>This chapter provides recommendations for backing up and recovering SharePoint Server 2007 deployments. Items in this chapter refer to content recovery and disaster recovery as though they are clearly separate capabilities. In fact, some may think of disaster recovery as inclusive of content recovery. However, this terminology is used throughout the SharePoint 2007 documentation and in webcasts, podcasts, and similar material. Recently, Microsoft published a paper [Reference 3] in which three levels of recovery are used: content recovery, site recovery, and disaster recovery. Content recovery generally refers to capabilities like document versioning and the two-stage recycle bin. These are capabilities targeted at specific content, and they can be managed by individual users as well as site administrators. The Microsoft paper characterizes content recovery as a frequent and small-scale activity. Site recovery refers to tools used to recover from accidental deletion or data corruption of a site. This kind of recovery is performed by site administrators. Disaster recovery methods generally refer to backup and recovery on a larger scale, involving sites or farms, under the control of a farm administrator. This terminology serves the practical purpose of being suggestive of scope and is used in this chapter.</cdf:description>
<cdf:Rule id="SharePoint625" selected="1">
<cdf:title>SharePoint625</cdf:title>
<cdf:description>Back up the Single Sign-On (SSO) encryption key each time a new key is created, if the Microsoft SSO service is enabled in the SharePoint deployment.</cdf:description>
<cdf:rationale>The Single Sign-On encryption key is used to encrypt and decrypt user credentials. If the encryption key becomes corrupt and there is no backup of the key, this would cause a denial of service.</cdf:rationale>
<cdf:fixtext>Note: The first server on which the Microsoft Single Sign-On service (SSOSrv) is enabled becomes the encryption-key server.<xhtml:br/><xhtml:br/>1. Log in to the Encryption Key Server as the SSO Administrator.<xhtml:br/>2. Log in to Central Administration as the SSO Administrator.<xhtml:br/>3. Navigate to Operations &gt; Security Configuration.<xhtml:br/>4. Select Manage settings for single sign-on.<xhtml:br/>5. Select Manage encryption key.<xhtml:br/>6. Navigate to Encryption Key Backup.<xhtml:br/>7. Under Drive, select the removable disk drive on which to store the encryption-key backup.<xhtml:br/>8. Select Back Up.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint698" selected="1">
<cdf:title>SharePoint698</cdf:title>
<cdf:description>Create a comprehensive recovery plan for the SharePoint 2007 deployment.</cdf:description>
<cdf:rationale>A catastrophic event can destroy data without the possibility of recovery. Only with adequate preparation can an organization react quickly to effectively restore operation after a disaster.</cdf:rationale>
<cdf:fixtext>Create backup and recovery procedures and document them in a recovery plan. A comprehensive recovery plan covers backup and recovery procedures for content, infrastructure components, network services, third-party software, and all other aspects that contribute to the successful operation of the SharePoint deployment. Other recommendations in this chapter deal with recovery in more detail.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint699" selected="1">
<cdf:title>SharePoint699</cdf:title>
<cdf:description>Document the infrastructure that supports the SharePoint 2007 deployment as part of the recovery plan.</cdf:description>
<cdf:rationale>Hardware, software, and network components that support the SharePoint 2007 deployment can fail. Administrators of supporting systems can be unavailable during a crisis. Proper documentation provides the information needed to successfully recover from a disaster.</cdf:rationale>
<cdf:fixtext>Documentation must include information about network and system administrators, operating systems, third-party software, and network components that support the SharePoint deployment. Refer to the appropriate Microsoft documentation. For example, see Chapter 30, section &quot;Understanding and Documenting Your Environment&quot;, subsection &quot;Documenting Your Infrastructure and Plan for Disaster&quot; in Reference 1.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint700" selected="1">
<cdf:title>SharePoint700</cdf:title>
<cdf:description>Document the server farm configuration as part of the recovery plan.</cdf:description>
<cdf:rationale>A particular configuration has its own complexities and dependencies that, if not adequately documented, make it difficult or impossible to recover properly from a disaster.</cdf:rationale>
<cdf:fixtext>Consider at least the following items in documenting the configuration: central administration server, web front-end servers, search server, shared services providers, and Excel calculation services, as appropriate for the installation. Refer to the appropriate Microsoft documentation. For example, see Chapter 30, section &quot;Understanding and Documenting Your Environment&quot;, subsection &quot;Documenting Your Server Farm Configuration&quot; in Reference 1.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint701" selected="1">
<cdf:title>SharePoint701</cdf:title>
<cdf:description>Document the SharePoint Servers' configurations in complete detail.</cdf:description>
<cdf:rationale>Documenting the configurations in detail is essential for troubleshooting and remedying in the event of failure.</cdf:rationale>
<cdf:fixtext>Consider all configuration information associated with a SharePoint Server such as the hardware configuration, web front-end customizations, all software additions such as hot fixes and service packs, and so on. Refer to the appropriate Microsoft documentation. For example, see Chapter 30, section &quot;Understanding and Documenting Your Environment&quot;, subsection &quot;Documenting Your Farm Installation&quot; in Reference 1.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint702" selected="1">
<cdf:title>SharePoint702</cdf:title>
<cdf:description>Test the comprehensive recovery plan annually.</cdf:description>
<cdf:rationale>A recovery plan that does not work is useless. It must be tested to ensure that it will work. Also, it must be tested at least annually because changes to the deployment are almost certain to have occurred since the last test.</cdf:rationale>
<cdf:fixtext>Carry out a simulation of the plan annually. Refer to the appropriate Microsoft documentation. For example, see Chapter 30, section &quot;Understanding and Documenting Your Environment&quot;, subsection &quot;Testing Your Disaster Recovery Plan&quot; in Reference 1.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint703" selected="1">
<cdf:title>SharePoint703</cdf:title>
<cdf:description>Become familiar with the methods available for backing up and restoring SharePoint Server 2007 content and choose the combination of methods best suited to the deployment.</cdf:description>
<cdf:rationale>No single method is likely to cover all contingencies. Choosing the right combination of methods ensures proper coverage.</cdf:rationale>
<cdf:fixtext>Refer to the appropriate Microsoft documentation. An excellent source of information is Reference 3. Also, see Table 30-1 &quot;Disaster Recovery Methods for SharePoint Server 2007&quot; in Reference 1. </cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint704" selected="1">
<cdf:title>SharePoint704</cdf:title>
<cdf:description>Use content recovery methods in preference to larger scale methods when feasible.</cdf:description>
<cdf:rationale>Content recovery methods tend to be quicker and easier than site or disaster recovery methods, enabling more rapid return to service. Using a content recovery method lessens the impact on other users. For example, using a site collection restore method for a single user's deleted file overwrites everyone else's content as well. Using a disaster recovery method when a content recovery method suffices can result in data loss and unnecessarily longer time to recovery.</cdf:rationale>
<cdf:fixtext>Three tools are available with SharePoint to restore content to a usable state: document versioning, the Recycle Bin, and the stsadm.exe command-line tool using the -o [import | export] command-line options. See recommendations 5.9, 5.10, and 5.11 for more details about these methods.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint705" selected="1">
<cdf:title>SharePoint705</cdf:title>
<cdf:description>Enable document versioning.</cdf:description>
<cdf:rationale>Document versioning is the native versioning functionality for document libraries in SharePoint Server 2007. Enabling this feature provides a layer of defense against data corruption and erroneous changes made by users. Document versioning creates a history for a document each time a document is saved by saving a copy. Therefore, a document that becomes corrupted can be restored to a previous version. Note, however, that document versioning neither prevents deletion of documents nor protects the content of documents. In addition, under conditions of heavy use, such as many users creating many edited versions of many documents, document versioning consumes resources.</cdf:rationale>
<cdf:fixtext>SharePoint Server 2007 offers several versioning options. These options can be set separately for each document library; they are located on the Versioning Settings page under Document Library Settings. Reference 1 (Managing Document Versioning, page 318) suggests that a best practice is to configure site templates with predefined document libraries whose versioning options are preset according to organizational policy. Modifying a site and saving it as a new template is one method. Using SharePoint Designer 2007 is another: its features enable more flexible deployment of functionality within SharePoint, and Master Pages make changing the look and feel of SharePoint sites easy. The Document Center template, provided with SharePoint 2007, has versioning set to track both major and minor versions.<xhtml:br/><xhtml:br/>There are two ways to set the versioning options for a document library on a given site. Use whichever is most convenient.<xhtml:br/><xhtml:br/>The first method:<xhtml:br/><xhtml:br/>1. Navigate to Site Actions &gt; Site Settings &gt; Modify Pages Library Settings &gt; General Settings.<xhtml:br/>2. Select Versioning settings.<xhtml:br/>3. Set the versioning options appropriately for the selected site.<xhtml:br/><xhtml:br/>The second method, reaching the versioning settings from the Document Library:<xhtml:br/><xhtml:br/>1. Select the Document Center tab on the home site.<xhtml:br/>2. In the left pane (Site Hierarchy), select Documents.<xhtml:br/>3. Navigate to Settings &gt; Modify Pages Library Settings &gt; General Settings.<xhtml:br/>4. Select Versioning settings.<xhtml:br/>5. Depending on business needs, select either Create major versions or Create major and minor (draft) versions.<xhtml:br/>6. Set the number of versions to retain. Keep as few versions as possible to minimize storage needs.<xhtml:br/>7. Select OK.<xhtml:br/></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint706" selected="1">
<cdf:title>SharePoint706</cdf:title>
<cdf:description>Verify that the two-stage feature of the recycle bin is not disabled.</cdf:description>
<cdf:rationale>The first-stage (user-stage) Recycle Bin provides an undelete feature that allows end users with appropriate permissions to recover accidentally deleted files, documents, list items, lists, and document libraries from a site. The second-stage (site-collection) Recycle Bin is located at the site collection administrator level. When an item is deleted from the first-stage Recycle Bin, it can only be recovered by a site collection administrator from the second-stage Recycle Bin. The two-stage recycle bin is a convenient, easy-to-use method for restoring deleted files. It is enabled by default. If it is disabled, all content in the recycle bin is removed, freeing disk space, which may help when storage space is low.</cdf:rationale>
<cdf:fixtext>To verify options for the two-stage recycle bin:<xhtml:br/><xhtml:br/>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Application Management &gt; SharePoint Web Application Management.<xhtml:br/>3. Select Web application general settings.<xhtml:br/>4. Select a Web Application.<xhtml:br/>5. Scroll down to the options for the recycle bin.<xhtml:br/>6. Verify that the Recycle Bin Status option is [On].<xhtml:br/>7. Verify that the Second stage Recycle Bin option is not [Off].<xhtml:br/>8. Repeat steps 4-7 for each web application.<xhtml:br/></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint707" selected="1">
<cdf:title>SharePoint707</cdf:title>
<cdf:description>Back up the SharePoint 2007 deployment.</cdf:description>
<cdf:rationale>Having a backup of the SharePoint deployment is critical for disaster recovery. Without an appropriate backup, the SharePoint deployment would have to be reconstituted practically from scratch and much or all of the former content could be lost.</cdf:rationale>
<cdf:fixtext>Office SharePoint Server provides two built-in backup and recovery tools: Central Administration and the stsadm.exe command-line tool. Third-party tools are also available.<xhtml:br/><xhtml:br/>Central Administration provides an easy way to back up the Office SharePoint Server system at various levels, the highest being the entire farm and the lowest being a content database.<xhtml:br/><xhtml:br/>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Operations &gt; Backup and Restore.<xhtml:br/>3. Select Perform a backup.<xhtml:br/>4. Select Farm.<xhtml:br/>5. Select Continue to Backup Options.<xhtml:br/>6. Specify the type of backup (full or differential) and the backup location.<xhtml:br/>7. Select OK.<xhtml:br/><xhtml:br/>The stsadm.exe command-line tool offers options to back up an entire farm, a site collection, or an item. This method of backup and recovery is processor intensive, may use large amounts of storage, and does not scale well. However, for a single server or for small farms it is a reasonable line of defense for disaster recovery.<xhtml:br/><xhtml:br/>1. Open a command window on the server.<xhtml:br/>2. Change directory to the location of stsadm.exe (e.g., cd C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN).<xhtml:br/>3. To display all operations available in the tool, type &quot;stsadm.exe -help&quot;.<xhtml:br/>4. To get help on backup, type &quot;stsadm.exe -help backup&quot;.<xhtml:br/><xhtml:br/>Also, refer to documentation on stsadm.exe; for example, see Command-Line Operations in the Windows SharePoint Services Administrator's Guide at<xhtml:br/>http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stsk01.mspx?mfr=true<xhtml:br/><xhtml:br/>Also, see the example in Reference 1, Chapter 30, page 1086.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint709" selected="1">
<cdf:title>SharePoint709</cdf:title>
<cdf:description>Perform a complete, farm level backup periodically but sparingly.</cdf:description>
<cdf:rationale>Circumstances conceivably could arise in which only a complete restoration of the entire SharePoint deployment can restore operations. Clearly, then, a complete backup must be available and relevant. However, doing a complete farm level backup is an intensive operation that can interfere with operations. Therefore, good judgment must be applied in deciding how frequently to do such a backup.</cdf:rationale>
<cdf:fixtext>For complete farm level backup:<xhtml:br/><xhtml:br/>stsadm.exe -o backup -directory &lt;UNC path&gt; -backupmethod &lt;full | differential&gt;<xhtml:br/>[-item &lt;created path from tree&gt;][-percentage &lt;integer between 1 and 100&gt;]<xhtml:br/>[-backupthreads &lt;integer between 1 and 10&gt;][-showtree][-quiet]<xhtml:br/><xhtml:br/>A simple example is:<xhtml:br/><xhtml:br/>stsadm.exe -o backup -directory \\backupservername\backups\ -backupmethod full</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint710" selected="1">
<cdf:title>SharePoint710</cdf:title>
<cdf:description>Back up the SQL Server that hosts the content databases.</cdf:description>
<cdf:rationale>Backing up this server preserves all content from site collections. It provides a substantial recovery capability even if no other backups have been performed.</cdf:rationale>
<cdf:fixtext>The SQL Server backup can be done through farm-level backup with stsadm.exe or through direct SQL Server backup. Refer to appropriate documentation for these methods. See, for example, the Backup Procedures section of Reference 3, which discusses both stsadm farm-level backup and SQL Server backup.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint711" selected="1">
<cdf:title>SharePoint711</cdf:title>
<cdf:description>Back up SharePoint-related Internet Information Services (IIS) Metabases regularly.</cdf:description>
<cdf:rationale>The Metabase contains the IIS configuration data, which supports Intranet/Internet-related SharePoint activity. Thus, regular backups are important to continuity of operations.</cdf:rationale>
<cdf:fixtext>Although the Metabase is included in system-state backups done with the Windows Server Backup/Restore Wizard, the restoration action restores the entire system, including the system registry. This is unacceptable if only the Metabase needs to be restored. For Metabase backups, use a script that is scheduled to run regularly. See, for example, the batch file definition in Reference 1, Chapter 30, page 1093.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint712" selected="1">
<cdf:title>SharePoint712</cdf:title>
<cdf:description>Implement fault tolerance appropriate for the SharePoint deployment.</cdf:description>
<cdf:rationale>Fault tolerance measures can reduce the time required to restore operation in case of failures. Such measures range from very simple to very extensive and vary widely in cost. The extent of measures needed depends largely on how long the enterprise can tolerate denial of service. Fault tolerance measures support restoration methods by reducing the time needed to restore operation. For example, a hot standby database server would be able to take over operation in an extremely short time should the main database server fail. Thus, even though it may take six hours to restore the main database server, the SharePoint system can continue operating during those six hours.</cdf:rationale>
<cdf:fixtext>Consult guidance available from Microsoft and third-party vendors. See, for example, the discussion in Reference 1, Chapter 30, subsection &quot;Implementing Fault Tolerance&quot;, page 1094.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint760" selected="1">
<cdf:title>SharePoint760</cdf:title>
<cdf:description>Back up the SSO database after the initial install and again each time the credentials are re-encrypted, if the Microsoft SSO service is enabled in the SharePoint deployment.</cdf:description>
<cdf:rationale>Creating backups will help prevent a denial of service if the SSO database becomes corrupt. If the database is not backed up after re-encrypting credentials, restoring the database will result in bad credentials.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Operations &gt; Backup and Restore.<xhtml:br/>3. Select Perform a backup.<xhtml:br/>4. Check the SSO box.<xhtml:br/>5. Select Continue to Backup Options.<xhtml:br/>6. Select Full or Differential for the Type of Backup.<xhtml:br/>7. Enter the Backup location.<xhtml:br/>8. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint761" selected="1">
<cdf:title>SharePoint761</cdf:title>
<cdf:description>Do not store the backup media for the Single Sign-On (SSO) encryption key in the same location as the backup media for the SSO database if the Microsoft SSO service is enabled in the SharePoint deployment.</cdf:description>
<cdf:rationale>If a user obtains a copy of both the SSO database and the encryption key, the credentials stored in the database could be compromised.</cdf:rationale>
<cdf:fixtext>Self-explanatory.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint789" selected="1">
<cdf:title>SharePoint789</cdf:title>
<cdf:description>Maintain a copy of the SharePoint backups in an offsite location.</cdf:description>
<cdf:rationale>In order to recover from a catastrophic event, one copy of the backups should be kept offsite in a properly controlled environment.  The offsite backups can protect the organization against the loss of critical data.</cdf:rationale>
<cdf:fixtext>Self-explanatory.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint790" selected="1">
<cdf:title>SharePoint790</cdf:title>
<cdf:description>Perform a trial data recovery operation every two months.</cdf:description>
<cdf:rationale>Performing a trial data recovery will verify that files are being backed up properly.  If the backup is not being performed correctly, an organization will not be able to recover critical data.</cdf:rationale>
<cdf:fixtext>Self-explanatory. Ensure that this is completed on a non-operational system. If this is not possible, check the backup settings for the particular backup operation being tested.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint801" selected="1">
<cdf:title>SharePoint801</cdf:title>
<cdf:description>Ensure that the recycle bin is [On] and set an appropriate value for the retention period based on the available disk space.</cdf:description>
<cdf:rationale>The recycle bin helps to prevent the loss of erroneously deleted data. By default, the recycle bin is [On] and has &quot;Delete items in the Recycle Bin:&quot; set to [After 30 days]. When the recycle bin is turned [On] in a Web application, each site in that application has its own separate recycle bin. To prevent uncontrolled growth of the disk space consumed by recycle bins, a retention period must be specified at the Web application level.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Application Management &gt; SharePoint Web Application Management.<xhtml:br/>3. Select Web application general settings.<xhtml:br/>4. Select a Web Application.<xhtml:br/>5. Navigate to the Recycle Bin section.<xhtml:br/>5.1. Under Recycle Bin Status select [On].<xhtml:br/>5.2. Under Delete items in the Recycle Bin select [After] and enter the appropriate value for the retention period.<xhtml:br/>6. Select OK.<xhtml:br/>7. Repeat steps 2-6 for each web application.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint820" selected="1">
<cdf:title>SharePoint820</cdf:title>
<cdf:description>Perform a backup of a site collection before deleting the site collection.</cdf:description>
<cdf:rationale>When a site collection is deleted, all the data for the site collection is removed from the system. A current backup is critical if the deleted site ever needs to be restored. If no backup exists, critical data could be lost.</cdf:rationale>
<cdf:fixtext>Follow the procedures for backing up a site in the Backup and Recovery Chapter of this document.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint831" selected="1">
<cdf:title>SharePoint831</cdf:title>
<cdf:description>Back up critical sites.</cdf:description>
<cdf:rationale>Backing up sites for which loss of content must be avoided is a good defense against loss of items that have been emptied from the second-stage recycle bin and loss of web pages that have been deleted from a site collection. Having a backup of a site would make it possible to recover the site quickly instead of having to do a full farm level restore.</cdf:rationale>
<cdf:fixtext>Administrators can use Office SharePoint Designer 2007, Microsoft IT Site Delete Capture 1.0, a database snapshot, or the stsadm.exe tool to back up and recover Web sites.<xhtml:br/><xhtml:br/>Office SharePoint Designer 2007 is a Microsoft product that can be purchased. See the Designer home page at http://office.microsoft.com/en-us/sharepointdesigner/FX100487631033.aspx. Office SharePoint Designer 2007 provides the ability to back up and restore site collections, down to the individual file level. Backing up a Web site with this tool creates a content migration package (.cmp file). NOTE: The backup file does not include objects in the Recycle Bin.<xhtml:br/><xhtml:br/>MSIT Site Delete Capture 1.0 is a free tool available at http://go.microsoft.com/fwlink/?LinkID=92682&amp;clcid=0x409. When a site is deleted, Office SharePoint Server generates a Web Delete event. Microsoft IT (MSIT) created Microsoft IT Site Delete Capture feature 1.0 to detect and act on the Web Delete event. When a Web Delete event is detected, the feature archives the site to a file share before it is removed from the configuration and content databases. NOTE: This tool is not part of Office SharePoint Server, and may not be updated. This tool is built on supported Microsoft technologies, but it is not supported by Microsoft.<xhtml:br/><xhtml:br/>A SQL Server snapshot is a read-only view of a database as the database existed at the time that the snapshot was created. For more information about using snapshots with Office SharePoint Server, see this article in the Microsoft Knowledge Base: &quot;How to use SQL Server to take a snapshot of a Windows SharePoint Services 3.0 content database&quot; (http://go.microsoft.com/fwlink/?LinkID=99636&amp;clcid=0x409).  NOTE: The snapshot version of a Web site does not have full functionality; for example, files cannot be written or uploaded to the snapshot version.<xhtml:br/><xhtml:br/>The stsadm.exe tool is part of SharePoint 2007. 
The stsadm.exe tool can be used to back up and recover small farms using its backup and restore operations. This method of backup and recovery is processor intensive, may use large amounts of storage, and does not scale well. However, for small farms it is a reasonable line of defense for disaster recovery.<xhtml:br/><xhtml:br/>To use this tool:<xhtml:br/><xhtml:br/>1. Open a command window on the server.<xhtml:br/>2. Change directory to the location of stsadm.exe (e.g., cd C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN).<xhtml:br/>3. To display all operations available in the tool, type &quot;stsadm.exe -help&quot;.<xhtml:br/>4. To get help on backup, type &quot;stsadm.exe -help backup&quot;.<xhtml:br/><xhtml:br/>Also, refer to documentation on stsadm.exe; for example, see Command-Line Operations in the Windows SharePoint Services Administrator's Guide at<xhtml:br/>http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stsk01.mspx?mfr=true<xhtml:br/><xhtml:br/>Also, see the example in Reference 1, Chapter 30, page 1086.</cdf:fixtext>
</cdf:Rule>
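The stsadm procedure above, worked through as an added example that is not part of the original guide or of any Microsoft tool: a PowerShell script that wraps the stsadm backup and restore operations (-url/-filename for a site collection, -directory/-backupmethod for a farm backup), records a SHA-256 of each backup file in a manifest, and refuses to restore a file whose hash no longer matches. The stsadm path is the default 12 hive location; the site URL, backup folder and backup share are assumptions.

<![CDATA[
```powershell
# Added example, not from the original guide. Wraps stsadm.exe backup/restore and
# keeps a hash manifest so a restore can be checked against tampering or truncation.
$Stsadm    = 'C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\stsadm.exe'
$SiteUrl   = 'http://intranet/sites/hr'   # assumed site collection
$BackupDir = 'D:\SPBackups'                # assumed local backup folder (restrict ACL to backup operators)
$FarmShare = '\\backupsrv\spfarm'          # assumed share for the farm-level backup

function Get-Sha256Hex([string]$Path) {
    # Uses the .NET hash classes directly so it works on the PowerShell versions of the era.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close(); $sha.Clear() }
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Backup-SiteCollection([string]$Url, [string]$Dir) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Dir ("site-" + $stamp + ".bak")
    # stsadm -o backup with -url/-filename produces a single-file site collection backup.
    & $Stsadm -o backup -url $Url -filename $file -overwrite
    if ($LASTEXITCODE -ne 0) { throw "stsadm backup failed with exit code $LASTEXITCODE" }
    $hash = Get-Sha256Hex $file
    Add-Content -Path (Join-Path $Dir 'manifest.txt') -Value "$hash  $file"
    return $file
}

function Test-BackupIntegrity([string]$File, [string]$ManifestPath) {
    # Compare the recorded hash against the file as it exists now.
    $line = Get-Content $ManifestPath | Where-Object { $_.EndsWith("  $File") } | Select-Object -Last 1
    if (-not $line) { return $false }
    $expected = ($line -split '  ', 2)[0]
    return ((Get-Sha256Hex $File) -eq $expected)
}

function Restore-SiteCollection([string]$Url, [string]$File, [string]$ManifestPath) {
    if (-not (Test-BackupIntegrity $File $ManifestPath)) {
        throw "Refusing to restore: $File does not match its recorded hash"
    }
    & $Stsadm -o restore -url $Url -filename $File -overwrite
    if ($LASTEXITCODE -ne 0) { throw "stsadm restore failed with exit code $LASTEXITCODE" }
}

function Backup-Farm([string]$Share) {
    # Catastrophic (farm-level) backup; -backupmethod accepts full or differential.
    & $Stsadm -o backup -directory $Share -backupmethod full
    if ($LASTEXITCODE -ne 0) { throw "farm backup failed with exit code $LASTEXITCODE" }
}

# Usage (run from an account that is a local administrator and can reach the content database):
# $f = Backup-SiteCollection $SiteUrl $BackupDir
# Restore-SiteCollection $SiteUrl $f (Join-Path $BackupDir 'manifest.txt')
# Backup-Farm $FarmShare
```
]]>

The manifest is only as trustworthy as the folder it lives in; keep it, and the backup files, under the same restricted ACL, or copy the manifest to a location the backup share cannot write to.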
</cdf:Group>
<cdf:Group id="LoggingandReporting">
<cdf:title>Logging and Reporting</cdf:title>
<cdf:description>This chapter contains recommendations focusing on logging and reporting.</cdf:description>
<cdf:Rule id="SharePoint714" selected="1">
<cdf:title>SharePoint714</cdf:title>
<cdf:description>Set the diagnostic logging thresholds appropriately for the particular SharePoint deployment.</cdf:description>
<cdf:rationale>The diagnostic logging feature in Central Administration sets, per category, the thresholds that determine which events SharePoint writes to the Windows event log and to the trace log. On the one hand, logging as much as possible helps in tracking down problems and discovering trends. On the other hand, capturing everything has a detrimental effect on performance and on the size of the logs.</cdf:rationale>
<cdf:fixtext>To set the logging thresholds:<xhtml:br/><xhtml:br/>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Operations &gt; Logging and Reporting.<xhtml:br/>3. Select Diagnostic logging.<xhtml:br/>4. Under Event Throttling, select a category and the least critical event to report to the event log and to the trace log.<xhtml:br/>5. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint720" selected="1">
<cdf:title>SharePoint720</cdf:title>
<cdf:description>Periodically review events in the logs created by diagnostic logging.</cdf:description>
<cdf:rationale>Reviewing the logs may provide clues to improving performance and eliminating errors being experienced by users and may also highlight problems that are not currently interfering with operations but may be indicators of future serious problems.</cdf:rationale>
<cdf:fixtext>Events that diagnostic logging routes to the Windows event log can be reviewed in Event Viewer; events routed to the trace log are written to the trace log files on the server. To open Event Viewer:<xhtml:br/><xhtml:br/>1. On the server machine, select Start.<xhtml:br/>2. Select Run.<xhtml:br/>3. Enter eventvwr.msc in the Open: textbox.<xhtml:br/>4. Select OK.<xhtml:br/><xhtml:br/>Alternately, use Start &gt; All Programs &gt; Administrative Tools &gt; Event Viewer.</cdf:fixtext>
</cdf:Rule>
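Periodic review is easier when the trace log can be reduced to the events that matter. The following PowerShell is an added example, not part of the original guide: it parses trace log lines in the tab-separated column layout SharePoint 2007 writes to the 12 hive LOGS folder (Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation), keeps the levels a reviewer should look at, and summarises them by category. The column layout is an assumption about the default trace format; the sample lines are constructed for this example, and the event log query at the end assumes the SharePoint event sources contain the word "SharePoint".

<![CDATA[
```powershell
# Added example, not from the original guide. Requires PowerShell 2.0 or later.
$LogDir = 'C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS'

function ConvertFrom-UlsLine([string]$Line) {
    # One trace record per line, tab-separated; fewer than 8 fields means header/blank/continuation.
    $f = $Line -split "`t"
    if ($f.Count -lt 8) { return $null }
    New-Object PSObject -Property @{
        Timestamp = $f[0].Trim(); Process = $f[1].Trim(); Area    = $f[3].Trim()
        Category  = $f[4].Trim(); EventID = $f[5].Trim(); Level   = $f[6].Trim()
        Message   = $f[7].Trim()
    }
}

function Get-UlsEventsOfInterest($Lines, [string[]]$Levels = @('Critical', 'Unexpected', 'Monitorable', 'High')) {
    # Medium and Verbose are operational noise for a periodic review; drop them.
    $Lines | ForEach-Object { ConvertFrom-UlsLine $_ } |
        Where-Object { $_ -ne $null -and $Levels -contains $_.Level }
}

function Get-UlsSummary($Events) {
    # Count by Category and Level so the reviewer sees where the problems cluster.
    $Events | Group-Object Category, Level | Select-Object Count, Name | Sort-Object Count -Descending
}

# Constructed sample trace lines (not from a real server)
$sample = @(
    "03/03/2008 10:15:22.47`tw3wp.exe (0x0B2C)`t0x0E58`tWindows SharePoint Services`tGeneral`t8nca`tVerbose`tApplication error when access /default.aspx`t",
    "03/03/2008 10:15:23.10`tw3wp.exe (0x0B2C)`t0x0E58`tOffice Server`tSSO`t9xya`tHigh`tSSO credential lookup failed for user CONTOSO\jdoe`t",
    "03/03/2008 10:15:24.02`tOWSTIMER.EXE (0x0A10)`t0x0B44`tWindows SharePoint Services`tTimer`t72ae`tUnexpected`tThe timer job ran past its schedule`t",
    "03/03/2008 10:15:25.55`tw3wp.exe (0x0B2C)`t0x0E58`tOffice Server`tSSO`t9xyb`tHigh`tSSO credential lookup failed for user CONTOSO\asmith`t"
)

$events = Get-UlsEventsOfInterest $sample
Get-UlsSummary $events | Format-Table -AutoSize
# Expected: "SSO, High" counted twice, "Timer, Unexpected" once; the Verbose line is dropped.

# Against the real trace files for the last seven days:
# $lines = Get-ChildItem $LogDir -Filter *.log |
#     Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } | Get-Content
# Get-UlsSummary (Get-UlsEventsOfInterest $lines)

# The Windows Application log holds whatever the "report to the event log" threshold let through:
# Get-EventLog -LogName Application -EntryType Error, Warning -After (Get-Date).AddDays(-7) |
#     Where-Object { $_.Source -like '*SharePoint*' } | Group-Object Source, EventID
```
]]>

Run the review from an account with read access to the LOGS folder only; the trace files can contain user names and request URLs, so they deserve the same handling as any other log with personal data.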
<cdf:Rule id="SharePoint721" selected="1">
<cdf:title>SharePoint721</cdf:title>
<cdf:description>Enable the information management policy usage reports.</cdf:description>
<cdf:rationale>Information management policy usage reports can contribute to an understanding of how records are being managed and whether users are complying with policy. This is especially relevant for organizations that must comply with legal or regulatory requirements. For example, a Human Resources policy, used in an organization to ensure that employee records are handled in accordance with legally recommended guidelines, could include features such as auditing, a retention period, and labels for physical copies. If policies are not relevant to the organization's activities and records management, the information management policy usage reports may be superfluous.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Operations &gt; Logging and Reporting.<xhtml:br/>3. Select Information management policy usage reports.<xhtml:br/>4. Select a Web Application.<xhtml:br/>5. Navigate to Schedule Recurring Reports.<xhtml:br/>6. Check the box for &quot;Enable recurring policy usage reports&quot;.<xhtml:br/>7. Set the options here appropriately for the intended SharePoint operations.<xhtml:br/>8. Navigate to Report File Location.<xhtml:br/>9. Enter an appropriate URL in the Report file location: textbox.<xhtml:br/>10. Navigate to Report Template and specify the template to use for creating reports.<xhtml:br/>11. Select OK.<xhtml:br/>12. Repeat steps 2 through 11 for each Web Application.<xhtml:br/><xhtml:br/>Note: Information management policies are defined by site administrators. To create an information management policy on a site:<xhtml:br/>1. Log in to or open the top-level site.<xhtml:br/>2. Select Site Actions.<xhtml:br/>3. Select Site Settings.<xhtml:br/>4. Select Modify All Site Settings.<xhtml:br/>5. Navigate to Site Collection Administration.<xhtml:br/>6. Select Site collection policies.<xhtml:br/>7. Select Create.<xhtml:br/>8. Enter Name, Administrative Description, and Policy Statement text.<xhtml:br/>9. Check one or more of the policy enabling checkboxes, such as Enable Labels:, as appropriate for the policy being created, and complete the specific entries needed for the checked items.<xhtml:br/>10. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint723" selected="1">
<cdf:title>SharePoint723</cdf:title>
<cdf:description>Select the "Collect error reports" option for diagnostic logging only if none of the content in the SharePoint deployment is sensitive in any way.</cdf:description>
<cdf:rationale>Having as much information about errors as possible helps in tracking down problems and applying appropriate remedies. Enabling this option sends error reports to Microsoft and its partners, which may contribute to remediations that can avoid future problems for the SharePoint operations. However, read and understand the Microsoft Error Reporting Service privacy statement before selecting this option. Also, note that, in part, the privacy statement says &quot;Reports might unintentionally contain personal information, but this information is not used to identify you or contact you. For example, a report that contains a snapshot of memory might include your name, part of a document you were working on, or data that you recently submitted to a website. If you are concerned that a report might contain personal or confidential information, you should not send the report.&quot; Therefore, if any of the content in the SharePoint deployment is sensitive in any way, do not enable this option.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Operations &gt; Logging and Reporting.<xhtml:br/>3. Select Diagnostic Logging.<xhtml:br/>4. Read the Microsoft Error Reporting Service privacy statement; if the deployment holds any sensitive content, leave the option unchecked and stop here.<xhtml:br/>5. Otherwise, check the Collect error reports checkbox.<xhtml:br/>6. Select OK.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint762" selected="1">
<cdf:title>SharePoint762</cdf:title>
<cdf:description>Enable logging for the Single Sign-On (SSO) service if the Microsoft SSO service is enabled in the SharePoint deployment.</cdf:description>
<cdf:rationale>Logging SSO events is important for accountability as well as for determining suspicious activity on a system.  If SSO events are not logged and changes are made to the SSO database, there is no way to determine who made the changes.  In order to review the SSO events that have been logged, follow the recommendation &quot;Periodically review events in the logs created by diagnostic logging&quot;.</cdf:rationale>
<cdf:fixtext>1. Log in to Central Administration.<xhtml:br/>2. Navigate to Operations &gt; Logging and Reporting.<xhtml:br/>3. Select Diagnostic logging.<xhtml:br/>4. Navigate to Event Throttling.<xhtml:br/>5. Select SSO in the Select a category dropdown list.<xhtml:br/>6. Select an appropriate level in the Least critical event to report to the event log dropdown list.<xhtml:br/>7. Select an appropriate level in the Least critical event to report to the trace log dropdown list.<xhtml:br/>8. Select OK.</cdf:fixtext>
</cdf:Rule>
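The same thresholds can be set and checked from the command line, which is how a farm with several servers keeps them consistent. This PowerShell is an added example, not part of the original guide; it serves both the general threshold recommendation (SharePoint714) and the SSO-specific one (SharePoint762). It uses the stsadm setlogginglevel and listlogginglevels operations with the -category, -windowslogginglevel and -tracelevel parameters; the category name "SSO", the exact output format of listlogginglevels, and the levels chosen are assumptions to be checked against "stsadm -help setlogginglevel" on the server.

<![CDATA[
```powershell
# Added example, not from the original guide.
$Stsadm = 'C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\stsadm.exe'

function Set-CategoryLogging([string]$Category, [string]$EventLogLevel, [string]$TraceLevel) {
    # Event log levels: None, ErrorServiceUnavailable, ErrorSecurityBreach, ErrorCritical,
    #   Error, Warning, FailureAudit, SuccessAudit, Information.
    # Trace levels: None, Unexpected, Monitorable, High, Medium, Verbose.
    & $Stsadm -o setlogginglevel -category $Category -windowslogginglevel $EventLogLevel -tracelevel $TraceLevel
    if ($LASTEXITCODE -ne 0) { throw "setlogginglevel for $Category failed with exit code $LASTEXITCODE" }
}

function Get-CategoryLogging([string]$Category) {
    # listlogginglevels prints the current thresholds; keep the line(s) for the category of interest.
    & $Stsadm -o listlogginglevels | Select-String -Pattern $Category -SimpleMatch
}

# SSO is not chatty, so accountability wins: send Information and above to the event log
# (where it is retained and can be forwarded) and keep Medium and above in the trace log.
Set-CategoryLogging -Category 'SSO' -EventLogLevel 'Information' -TraceLevel 'Medium'

# A busy, low-value category gets the opposite treatment so it cannot drown the SSO events.
Set-CategoryLogging -Category 'General' -EventLogLevel 'Error' -TraceLevel 'High'

Get-CategoryLogging 'SSO'
```
]]>

Record the chosen levels alongside the change control for the farm; the review step in the previous recommendation depends on knowing which events were deliberately suppressed.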
</cdf:Group>
<cdf:Group id="SharePointExtensions">
<cdf:title>SharePoint Extensions</cdf:title>
<cdf:description>This chapter provides recommendations about extensions to SharePoint Server 2007; no attempt has been made to thoroughly research this area, which is peripheral to the scope of this security guide.</cdf:description>
<cdf:Rule id="SharePoint741" selected="1">
<cdf:title>SharePoint741</cdf:title>
<cdf:description>Enforce a policy for developers of code used to extend SharePoint functionality to ensure that the software runs with the minimum amount of privileges needed to provide its functionality.</cdf:description>
<cdf:rationale>Software that runs with more privileges than required is more likely to perform potentially dangerous operations than properly constrained software, which can cause loss of data, loss of data integrity, and denial of service.</cdf:rationale>
<cdf:fixtext>Demand detailed documentation from developers regarding the minimum amount of privileges required to run the software. Assuming that the software appears to have been designed and implemented appropriately with regard to privileges, test the software to the extent possible to verify the documented claims before deploying it in a production environment.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint742" selected="1">
<cdf:title>SharePoint742</cdf:title>
<cdf:description>Specify the use of content-based evidence instead of origin-based evidence for local program code used to extend SharePoint functionality.</cdf:description>
<cdf:rationale>Origin-based evidence is independent of the content of an assembly. The .NET common language runtime (CLR) considers only the source of an assembly, such as current application directory or URL. With content-based evidence, the .NET CLR examines the content of an assembly for evidence in the form of strong names, publisher identity, and assembly hash codes. Content-based evidence is more accurate, providing higher assurance that code is safe to run.</cdf:rationale>
<cdf:fixtext>Developers should refer to Visual Studio .NET and other Microsoft documentation concerning code access security. Visual Studio 2005, for example, provides capability to sign assemblies with strong names.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint743" selected="1">
<cdf:title>SharePoint743</cdf:title>
<cdf:description>With any third-party software products used to extend SharePoint functionality, ensure that the software runs with the minimum amount of privileges needed to provide its functionality.</cdf:description>
<cdf:rationale>Software that runs with more privileges than required is more likely to perform potentially dangerous operations than properly constrained software. Over-privileged software can cause loss of data, loss of data integrity, and denial of service.</cdf:rationale>
<cdf:fixtext>Demand detailed documentation from the software vendor regarding the minimum amount of privileges required to run the software. Assuming that the software appears to have been designed and implemented appropriately with regard to privileges, test the software to the extent possible to verify the documented claims before deploying it in a production environment.</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint744" selected="1">
<cdf:title>SharePoint744</cdf:title>
<cdf:description>When adding a &lt;SafeControl&gt; entry to the Web.config file, use fully qualified assembly names.</cdf:description>
<cdf:rationale>The Web.config file gives the administrator control over which assemblies are permitted to run on a Web application. Only controls from assemblies registered by a &lt;SafeControl&gt; entry may be instantiated on pages. A partially qualified assembly name identifies only the name of the assembly. A fully qualified assembly name also identifies the version number, culture, and public key token of the developer's signing key. Using fully qualified assembly names in a &lt;SafeControl&gt; entry provides the information needed by security policies based on content-based evidence, and prevents a differently versioned or unsigned assembly of the same name from satisfying the entry.</cdf:rationale>
<cdf:fixtext>See Microsoft documentation that describes the requirements for fully qualified assembly names. See, for example, http://msdn2.microsoft.com/en-us/library/k8xx4k69.aspx (.NET Framework Developer's Guide: Assembly Names).</cdf:fixtext>
</cdf:Rule>
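The two preceding recommendations come together in practice when a Web Part is deployed: the fully qualified name is read from the signed assembly and copied into the &lt;SafeControl&gt; entry. The following PowerShell is an added example, not part of the original guide or of SharePoint: it reads an assembly's fully qualified name with the .NET System.Reflection.AssemblyName API, refuses assemblies without a strong name, and audits the &lt;SafeControl&gt; entries of a Web.config for partially qualified names. The Web.config fragment is constructed for this example (the Microsoft.SharePoint entry reproduces the real public key token of that assembly; Contoso and Fabrikam are placeholders), and the bin path is an assumption.

<![CDATA[
```powershell
# Added example, not from the original guide.

function Get-FullyQualifiedName([string]$DllPath) {
    # GetAssemblyName reads the manifest without loading (executing) the assembly.
    $an    = [System.Reflection.AssemblyName]::GetAssemblyName($DllPath)
    $token = $an.GetPublicKeyToken()
    if (-not $token -or $token.Length -eq 0) {
        throw "$DllPath is not strong-named; strong-name evidence is unavailable for it"
    }
    # e.g. "Contoso.WebParts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=..."
    return $an.FullName
}

function Test-SafeControlEntries([xml]$WebConfig) {
    # Fully qualified means Name, Version, Culture and a real PublicKeyToken are all present.
    $required = 'Version=', 'Culture=', 'PublicKeyToken='
    foreach ($sc in $WebConfig.SelectNodes('//SafeControls/SafeControl')) {
        $asm     = $sc.GetAttribute('Assembly')
        $missing = @($required | Where-Object { $asm -notmatch [regex]::Escape($_) })
        $ok      = ($missing.Count -eq 0) -and ($asm -notmatch 'PublicKeyToken=null')
        New-Object PSObject -Property @{
            Namespace      = $sc.GetAttribute('Namespace')
            FullyQualified = $ok
            Missing        = ($missing -join ' ')
            Assembly       = $asm
        }
    }
}

# Constructed Web.config fragment (not a real server's file)
$webConfigText = @'
<configuration>
  <SharePoint>
    <SafeControls>
      <SafeControl Assembly="Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.SharePoint.WebPartPages" TypeName="*" Safe="True" />
      <SafeControl Assembly="Contoso.WebParts" Namespace="Contoso.WebParts" TypeName="*" Safe="True" />
      <SafeControl Assembly="Fabrikam.Parts, Version=2.1.0.0, Culture=neutral, PublicKeyToken=null" Namespace="Fabrikam.Parts" TypeName="*" Safe="True" />
    </SafeControls>
  </SharePoint>
</configuration>
'@

Test-SafeControlEntries ([xml]$webConfigText) |
    Format-Table Namespace, FullyQualified, Missing, Assembly -AutoSize
# Expected: Microsoft.SharePoint passes; Contoso.WebParts lacks Version/Culture/PublicKeyToken;
# Fabrikam.Parts is complete but unsigned (PublicKeyToken=null) and therefore also fails.

# For a deployed Web Part assembly (path assumed), copy the returned string into the entry:
# Get-FullyQualifiedName 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\bin\Contoso.WebParts.dll'
```
]]>

A PublicKeyToken of null is the tell-tale of an unsigned assembly; an entry that carries it is fully qualified in form only and gives the policy nothing to verify.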
<cdf:Rule id="SharePoint745" selected="1">
<cdf:title>SharePoint745</cdf:title>
<cdf:description>Do not set the trust level to Full for ASP.NET applications running on the SharePoint server.</cdf:description>
<cdf:rationale>By default, SharePoint applications (web parts) run under the WSS_Minimal trust level policy. This policy and the WSS_Medium trust level policy ship with SharePoint.  Specifying the Full trust level for ASP.NET applications enables them to perform all operations, making the SharePoint installation less secure.</cdf:rationale>
<cdf:fixtext>For ASP.NET applications needing more than the permissions allowed under WSS_Minimal, create a custom security policy file that provides only the permissions needed, register it with a &lt;trustLevel&gt; entry under &lt;securityPolicy&gt;, and reference that name in the &lt;trust&gt; element. See Microsoft documentation for creating an appropriate .config file. For more information about ASP.NET configuration files and editing a Web.config file, see ASP.NET Configuration at http://msdn2.microsoft.com/en-us/library/Aa719558(VS.71).aspx</cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint746" selected="1">
<cdf:title>SharePoint746</cdf:title>
<cdf:description>Set the "processRequestInApplicationTrust" attribute of the &lt;trust&gt; element to "false".</cdf:description>
<cdf:rationale>This attribute of the &lt;trust&gt; element controls whether an application's PermitOnly stack walk modifiers are in effect during execution. When set to &quot;true&quot;, the Page class applies the PermitOnly stack walk modifier with the ASP.NET permission set, so any more extensive permissions granted through a policy file have no effect. The default setting for SharePoint environments is &quot;false&quot;, while the default setting for ASP.NET is &quot;true&quot;. Setting the attribute to &quot;false&quot; enables the use of custom security policy files.</cdf:rationale>
<cdf:fixtext>In the &lt;trust&gt; element of the Web.config file, set the attribute to &quot;false&quot; (that is, processRequestInApplicationTrust=&quot;false&quot;).</cdf:fixtext>
</cdf:Rule>
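Both trust recommendations (SharePoint745 and SharePoint746) are settings on the same &lt;trust&gt; element, so they are best audited together. The following PowerShell is an added example, not part of the original guide or of SharePoint: it reads a Web.config, reports the trust level, the policy file it maps to, and the processRequestInApplicationTrust attribute, and flags the weak combination. The two Web.config documents are constructed for this example; the WSS_Medium and WSS_Minimal policy file paths are the defaults SharePoint ships, while the WSS_Custom name, the wss_customtrust.config file, and the VirtualDirectories path are assumptions.

<![CDATA[
```powershell
# Added example, not from the original guide.

function Test-TrustElement([xml]$WebConfig) {
    $trust = $WebConfig.SelectSingleNode('/configuration/system.web/trust')
    if ($trust -eq $null) {
        # No <trust> element: the machine-level ASP.NET default (Full) applies.
        return New-Object PSObject -Property @{
            Level = '(none)'; PolicyFile = '(inherited)'; ProcessInAppTrust = '(absent)'
            Verdict = 'trust element missing; ASP.NET default is Full'
        }
    }
    $level = $trust.GetAttribute('level')
    $pria  = $trust.GetAttribute('processRequestInApplicationTrust')
    if ($pria -eq '') { $pria = 'true (ASP.NET default)' }   # absent attribute behaves as true

    $problems = @()
    if ($level -eq 'Full')          { $problems += 'trust level Full' }
    if ($pria -notlike 'false*')    { $problems += 'processRequestInApplicationTrust not false' }
    $verdict = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'ok' }

    # Named levels are mapped to policy files under <securityPolicy>; show which file is in force.
    $policy = $WebConfig.SelectSingleNode("/configuration/system.web/securityPolicy/trustLevel[@name='$level']")
    $policyFile = if ($policy -ne $null) { $policy.GetAttribute('policyFile') } else { '(built-in ASP.NET level)' }

    New-Object PSObject -Property @{
        Level = $level; PolicyFile = $policyFile; ProcessInAppTrust = $pria; Verdict = $verdict
    }
}

# Constructed: the weak setting
$weak = [xml]@'
<configuration>
  <system.web>
    <trust level="Full" originUrl="" />
  </system.web>
</configuration>
'@

# Constructed: a custom policy granting only what the Web Parts need
$hardened = [xml]@'
<configuration>
  <system.web>
    <securityPolicy>
      <trustLevel name="WSS_Medium"  policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
      <trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
      <trustLevel name="WSS_Custom"  policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_customtrust.config" />
    </securityPolicy>
    <trust level="WSS_Custom" originUrl="" processRequestInApplicationTrust="false" />
  </system.web>
</configuration>
'@

Test-TrustElement $weak       # Verdict: trust level Full; processRequestInApplicationTrust not false
Test-TrustElement $hardened   # Verdict: ok, PolicyFile points at wss_customtrust.config

# Every extended Web application on this server (path assumed):
# Get-ChildItem 'C:\inetpub\wwwroot\wss\VirtualDirectories' -Recurse -Filter web.config |
#     ForEach-Object { Test-TrustElement ([xml](Get-Content $_.FullName)) }
```
]]>

A custom policy file is a copy of wss_minimaltrust.config with the additional permissions added for the specific assembly (by strong name); the check above only confirms that a custom level is selected, so review the policy file itself for a blanket FullTrust grant.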
</cdf:Group>
<cdf:Group id="NotesandWarnings">
<cdf:title>Notes and Warnings</cdf:title>
<cdf:description>This chapter provides notes and warnings for administrators regarding SharePoint Server 2007. </cdf:description>
<cdf:Rule id="SharePoint619" selected="1">
<cdf:title>SharePoint619</cdf:title>
<cdf:description>Before configuring security options on a Web application, plan and test the configuration first. Many of the settings, such as the user rights for Web applications, can benefit from being tested before users are added to the operational site for general access.</cdf:description>
<cdf:rationale></cdf:rationale>
<cdf:fixtext></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint715" selected="1">
<cdf:title>SharePoint715</cdf:title>
<cdf:description>Enable usage analysis processing. Usage analysis processing produces log files containing information about what has happened on a site, such as number of page hits for each individual page, number of unique users, browser and operating system information, and referring domains and Uniform Resource Locator (URL). Having this kind of information could help in tracking down problems that might be causing denial of service to users.</cdf:description>
<cdf:rationale></cdf:rationale>
<cdf:fixtext></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint735" selected="1">
<cdf:title>SharePoint735</cdf:title>
<cdf:description>The Application Security section of the Central Administration tool is where user permissions, rights, and policies for individual Web applications are defined. It is critical to ensure the correct Web application is selected in the management control before defining these permissions; otherwise valid users could be prohibited from performing their required roles.</cdf:description>
<cdf:rationale></cdf:rationale>
<cdf:fixtext></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint754" selected="1">
<cdf:title>SharePoint754</cdf:title>
<cdf:description>Disabling and re-enabling permission levels for a Web application in the Central Administration GUI instantly modifies those permissions in all site collections contained in the selected Web application. Be careful when making changes to large Web applications because every site collection contained in it is then modified by the system. This modification could cause a large increase in CPU utilization, which could cause a denial of service. (Reference 6.)</cdf:description>
<cdf:rationale></cdf:rationale>
<cdf:fixtext></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint837" selected="1">
<cdf:title>SharePoint837</cdf:title>
<cdf:description>Inheriting Permissions from Parent Sites: When creating a new Web site, if Use same permissions as parent site is selected, one set of user permissions is shared by both the parent and the new site. Consequently, user permissions on the new site cannot be changed except by an administrator of the parent site, and changing them means changing the parent site's permissions. Any change made to the permissions on the parent site propagates throughout the site hierarchy to every subsite that inherits permissions from the parent. This can result in permissions that are not appropriate for the parent or for one or more of the inheriting subsites.</cdf:description>
<cdf:rationale></cdf:rationale>
<cdf:fixtext></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint930" selected="1">
<cdf:title>SharePoint930</cdf:title>
<cdf:description>Be cautious when buying third-party Web Parts that require a full permission set to execute successfully. This is a sign that the software has not been designed carefully.</cdf:description>
<cdf:rationale></cdf:rationale>
<cdf:fixtext></cdf:fixtext>
</cdf:Rule>
</cdf:Group>
<cdf:Group id="References">
<cdf:title>References</cdf:title>
<cdf:description></cdf:description>
<cdf:Rule id="SharePoint824" selected="1">
<cdf:title>SharePoint824</cdf:title>
<cdf:description>Reference 1: Bill English with the Microsoft SharePoint Community Experts, 2007, Microsoft Office SharePoint Server 2007: Administrator's Companion, Library of Congress Control Number: 2006937020, Microsoft Press, Redmond, Washington 98052-6399.</cdf:description>
<cdf:rationale></cdf:rationale>
<cdf:fixtext></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint1085" selected="1">
<cdf:title>SharePoint1085</cdf:title>
<cdf:description>Reference 2: Curry, B., 2007, Microsoft SharePoint Products and Technologies: Administrator's Pocket Consultant, ISBN:9780735623828, Microsoft Press, Redmond, Washington 98052-6399. </cdf:description>
<cdf:rationale></cdf:rationale>
<cdf:fixtext></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint1086" selected="1">
<cdf:title>SharePoint1086</cdf:title>
<cdf:description>Reference 3: Lanceleaux, B. and Office SharePoint Server 2007 Content Publishing, October 2007, Data protection and recovery for Microsoft Office SharePoint Server 2007 in small to medium-sized deployments, available at Microsoft TechNet, Microsoft Office System, Office SharePoint Server 2007 (http://technet2.microsoft.com/Office/en-us/library/32a18803-52d2-4967-ab9d-0e199c9bf0041033.mspx?mfr=true), Microsoft Corporation.</cdf:description>
<cdf:rationale></cdf:rationale>
<cdf:fixtext></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint1087" selected="1">
<cdf:title>SharePoint1087</cdf:title>
<cdf:description>Reference 4: Microsoft TechNet, June 28, 2007, Administering backup and recovery for Office SharePoint Server 2007, http://technet2.microsoft.com/fwlink/?LinkId=102627&amp;clcid=0x409, Microsoft Corporation.</cdf:description>
<cdf:rationale></cdf:rationale>
<cdf:fixtext></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint1088" selected="1">
<cdf:title>SharePoint1088</cdf:title>
<cdf:description>Reference 5: Microsoft TechNet, June 28, 2007, Prepare to back up Office SharePoint Server 2007, http://technet2.microsoft.com/Office/en-us/library/620dc024-8dfe-4c4c-8bb4-2ff0cfa84a311033.mspx, Microsoft Corporation. </cdf:description>
<cdf:rationale></cdf:rationale>
<cdf:fixtext></cdf:fixtext>
</cdf:Rule>
<cdf:Rule id="SharePoint1089" selected="1">
<cdf:title>SharePoint1089</cdf:title>
<cdf:description>Reference 6: Office IT and Servers User Assistance (o12ITdx@microsoft.com), June 2007, Microsoft Office SharePoint Server 2007 Office SharePoint Server Security, Microsoft Corporation.</cdf:description>
<cdf:rationale></cdf:rationale>
<cdf:fixtext></cdf:fixtext>
</cdf:Rule>
</cdf:Group>
</cdf:Benchmark>

