SharePoint Server 2007 Security Guide
Status: Accepted
Date: 2011-04-14
This technical data was produced for the U. S. Government under Contract No. W15P7T-11-C-F600, and is subject to the Rights in Technical Data-Noncommercial Items clause at DFARS 252.227-7013 (NOV 1995) © 2011 The MITRE Corporation. All Rights Reserved.
Microsoft Office SharePoint Server 2007 is a server program that is part of the 2007 Microsoft Office system. Office SharePoint
Server 2007 provides a single, integrated location where employees can collaborate with team members, share documents, manage
content and workflow, and supply access to information that is essential to organizational goals and processes. This document's
main focus is on the SharePoint Server 2007 Portal which is the backbone of SharePoint deployments.
This document provides security guidance on SharePoint Server 2007 Standard Edition hosted on Microsoft Windows Server 2003
Standard Edition. This guide does not consider the installation, configuration, or operation of this product on other Windows
or non-Windows platforms. This document assumes that the reader is familiar with SharePoint Server 2007 and will refer to
product documentation as needed in order to implement the recommendations it contains. The reader should also be familiar
with Windows Server 2003 administration. This document also assumes that the baseline configuration of the Windows
Server 2003 platform and of SharePoint Server 2007 is current with respect to installed service packs and hotfixes.
This security guide is organized as follows:
Chapter 1 provides recommendations on setting up accounts.
Chapter 2 provides installation and configuration recommendations.
Chapter 3 provides recommendations for the Central Administration site.
Chapter 4 provides recommendations pertaining to site administration.
Chapter 5 provides recommendations focusing on backup and recovery.
Chapter 6 provides recommendations focusing on logging and reporting.
Chapter 7 provides a set of recommendations focusing on SharePoint extensions.
Platform: cpe:/a:microsoft:sharepoint_server:2007
This chapter focuses on setting up and managing all of the required SharePoint accounts for both single server and server
farm deployments. The account names can be tailored to suit the deployment environment. For this evaluation, the SharePoint
2007 Server was installed and configured on a single server. Recommendations pertaining to accounts for server farm deployments
were derived from Microsoft documents, which are referenced in this security guide.
1. Office SharePoint Server Search Service Account
Verify that an Office SharePoint Server Search service account exists.
Question: Is this a single server installation?
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9280-9
( http://cce.mitre.org ) CCE-9592-7
Rationale
The Office SharePoint Server Search service uses its service account's credentials to protect sensitive search configuration
data, such as stored passwords. By default the service runs as the Local Service built-in account. Every other application or
service that also runs as Local Service shares that security context and can therefore read the protected data. Run the search
service under a dedicated account that is not a built-in account.
How-To
For information about single server or server farm account requirements, review the Microsoft TechNet article "Plan for
administrative and service accounts" cited in the references of the following recommendations.
1: Create a local account on the SharePoint Server.
2: Login to Central Administration.
3: Navigate to Operations > Topology and Services.
4: Select Services on Server.
5: Select Office SharePoint Server Search.
6: Navigate to Farm Search Service Account.
7: Select Configurable.
8: Enter the username and password of the account created in step 1.
9: Select OK.
1. Check Summary:
System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:1 File: sp2007-ocil.xml
2. Excel Services Unattended Service Domain Account
Verify that a dedicated Excel Services Unattended Service domain account exists and that the account's description is "Excel
Services Unattended Service domain account".
Question: Is this a single server installation or a server farm installation?
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10170-9
( http://cce.mitre.org ) CCE-9813-7
Rationale
The Excel Services Unattended Service domain account is the account that Excel Calculation Services uses to connect to external
data sources that require a non-Windows user name and password string for authentication. If this account is not configured,
Excel Calculation Services will not attempt to connect to these types of data sources. Although the account credentials are
used to connect to non-Windows data sources, the account must be a member of the domain in order for Excel Calculation Services
to use it. Follow the principle of least privilege to ensure that the Excel Services Unattended Service domain account is
provided with only the minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity
for a malicious user or process to compromise the SharePoint environment. Having unique accounts increases data protection.
If one account is compromised, the malicious user will have access only to data for that account and other accounts will remain
secure.
How-To
For information about single server account requirements or server farm account requirements review the Microsoft Technet
articles referred to in references.
1: Open Active Directory Users and Computers.
2: Locate the dedicated Excel Services Unattended Service domain account.
3: Open the properties of that account.
4: Verify that the account's Description field is "Excel Services Unattended Service domain account", the value this recommendation
requires.
1. Reference
Publisher: Microsoft TechNet
Identifier: Plan for administrative and service accounts
Description: For information about single server account requirements access the following link: http://technet.microsoft.com/en-us/library/cc263445.aspx,
navigate to Plan for administrative and service accounts (Office SharePoint Server), select the Single server standard requirements
link, and select the Office SharePoint Server security account requirements link. For information about server farm account
requirements select the Server farm standard requirements link and select the Office SharePoint Server security account requirements
link.
http://technet.microsoft.com/en-us/library/cc263445.aspx
1. Check Summary:
System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-3:def:1 File: sp2007-oval.xml
3. Application Pool Domain User Account
Verify that a separate domain user account exists for each application pool.
Question: Is this a server farm installation?
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10249-1
Rationale
An application pool domain account is an application pool identity for the Web applications that reside in the application
pool. A default account is automatically set up and configured for the default application pool. To provide isolation among
application pools, use a separate domain account for each application pool. Follow the principle of least privilege to ensure
that the application pool domain account is provided with only the minimum privileges needed to accomplish the tasks it is
intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment.
Having unique accounts increases data protection. If one account is compromised, the malicious user will have access only
to data for that account and other accounts will remain secure.
How-To
Follow the steps below:
1: For information about server farm account requirements, access the following link: http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true
2: Navigate to Plan for administrative and service accounts (Office SharePoint Server).
3: Select the Server farm standard requirements link.
4: Select the Office SharePoint Server security account requirements link.
5: Scroll to the Application pool identity account entry at the end of the page.
1. Check Summary:
System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:61 File: sp2007-ocil.xml
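The procedure above only points at the TechNet account table; it does not say how to see which identity each pool actually runs as. The following PowerShell script, added here as an example and not part of the guide, enumerates the IIS 6.0 application pools on the local server and flags pools that run as a built-in identity or that share an account with another pool. It assumes the IIS 6.0 WMI provider (namespace root\MicrosoftIISv2, installed with IIS 6.0) and an administrative session on the Web server.

```powershell
# Added example, not from the guide: audit IIS 6.0 application pool identities.
# Assumes the IIS 6.0 WMI provider (root\MicrosoftIISv2) on the local server
# and an administrative PowerShell session.
$identityType = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }

# One IIsApplicationPoolSetting instance per pool; Name looks like W3SVC/AppPools/<pool>.
$pools = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class 'IIsApplicationPoolSetting'

$seen = @{}   # account (lower case) -> first pool found using it
foreach ($pool in $pools) {
    $name = $pool.Name -replace '^W3SVC/AppPools/', ''
    $type = $identityType[[int]$pool.AppPoolIdentityType]
    if ($type -eq $null) { $type = 'Unknown' }

    if ($type -eq 'SpecificUser') { $account = $pool.WAMUserName } else { $account = $type }

    if ($type -ne 'SpecificUser') {
        $finding = 'built-in identity; use a dedicated domain account'
    } elseif ($seen.ContainsKey($account.ToLower())) {
        # Two pools running under the same identity are not isolated from each other.
        $finding = 'shares its account with pool ' + $seen[$account.ToLower()]
    } else {
        $seen[$account.ToLower()] = $name
        $finding = 'OK'
    }
    '{0,-35} {1,-30} {2}' -f $name, $account, $finding
}
```

The Central Administration pool is expected to run as the Server Farm domain account (recommendation 6 below), so it will appear with that account; every content Web application pool should list an account of its own.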
4. Office SharePoint Search Service Domain Account
Verify that a dedicated Office SharePoint Server Search Service domain account exists and that the account's description is
"Office SharePoint Server Search Service domain account".
Question: Is this a server farm installation?
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9952-3
( http://cce.mitre.org ) CCE-9609-9
Rationale
The Office SharePoint Server Search Service domain account is the service account for the Office SharePoint Server Search
service. There is only one instance of this service, and it is shared by all Shared Services Providers (SSPs). The account must
be a domain user account and must not be a member of the Farm Administrators group. Follow the principle of least privilege to ensure that the Office
SharePoint Server Search Service domain account is provided with only the minimum privileges needed to accomplish the tasks
it is intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment.
Having unique accounts increases data protection. If one account is compromised, the malicious user will have access only
to data for that account and other accounts will remain secure.
How-To
For more information about server farm account requirements review the Microsoft Technet article referred to in references.
1: Open Active Directory Users and Computers.
2: Locate the dedicated Office SharePoint Server Search Service domain account.
3: Open the properties of that account.
4: Verify that the account's Description field is "Office SharePoint Server Search Service domain account".
1. Reference
Publisher: Microsoft TechNet
Identifier: Plan for administrative and service accounts
Description: For information about server farm account requirements: Access the following link: http://technet.microsoft.com/en-us/library/cc263445.aspx,
navigate to Plan for administrative and service accounts (Office SharePoint Server), select the Server farm standard requirements
link, and select the Office SharePoint Server security account requirements link.
http://technet.microsoft.com/en-us/library/cc263445.aspx
1. Check Summary:
System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-5:def:1 File: sp2007-oval.xml
5. SQL Server Service Domain Account
Verify that a dedicated SQL Server Service domain account exists and that the account's description is "SQL Server Service domain
account".
Question: Is this a server farm installation?
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10168-3
( http://cce.mitre.org ) CCE-10331-7
Rationale
SQL Server prompts for this account during SQL Server setup. This account is used as the service account for the following
SQL Server services: MSSQLSERVER and SQLSERVERAGENT. Follow the principle of least privilege to ensure that the SQL Server
Service domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended to perform,
thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having unique accounts
increases data protection. If one account is compromised, the malicious user will have access only to data for that account
and other accounts will remain secure.
How-To
For more information about server farm account requirements review the Microsoft Technet article referred to in references.
1: Open Active Directory Users and Computers.
2: Locate the dedicated SQL Server Service domain account.
3: Open the properties of that account.
4: Verify that the account's Description field is "SQL Server Service domain account", the value this recommendation requires.
1. Reference
Publisher: Microsoft TechNet
Identifier: Plan for administrative and service accounts
Description: For information about server farm account requirements: Access the following link: http://technet.microsoft.com/en-us/library/cc263445.aspx,
navigate to Plan for administrative and service accounts (Office SharePoint Server), select the Server farm standard requirements
link, and select the Office SharePoint Server security account requirements link.
http://technet.microsoft.com/en-us/library/cc263445.aspx
1. Check Summary:
System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-6:def:1 File: sp2007-oval.xml
6. Server Farm Domain Account
Verify that a dedicated Server Farm domain account exists and that the account's description is "Server Farm domain account".
Question: Is this a server farm installation?
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9484-7
( http://cce.mitre.org ) CCE-9485-4
Rationale
The Server Farm domain account, also referred to as a database access account, is the application pool identity for the SharePoint
Central Administration Web site and the process account for the Windows SharePoint Services Timer service. Follow the principle
of least privilege to ensure that the Server Farm domain account is provided with only the minimum privileges needed to accomplish
the tasks it is intended to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint
environment. Having unique accounts increases data protection. If one account is compromised, the malicious user will have
access only to data for that account and other accounts will remain secure.
How-To
For more information about server farm account requirements review the Microsoft Technet article referred to in references.
1: Open Active Directory Users and Computers.
2: Locate the dedicated Server Farm domain account.
3: Open the properties of that account.
4: Verify that the account's Description field is "Server Farm domain account".
1. Reference
Publisher: Microsoft TechNet
Identifier: Plan for administrative and service accounts
Description: For information about server farm account requirements, access the following link: http://technet.microsoft.com/en-us/library/cc263445.aspx,
navigate to Plan for administrative and service accounts (Office SharePoint Server), select the Server farm standard requirements
link, and select the Office SharePoint Server security account requirements link.
http://technet.microsoft.com/en-us/library/cc263445.aspx
1. Check Summary:
System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-8:def:1 File: sp2007-oval.xml
7. Default Content Access Domain Account
Verify that a dedicated Default Content Access domain account exists and that the account's description is "Default Content Access
domain account".
Question: Is this a server farm installation?
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9900-2
( http://cce.mitre.org ) CCE-10054-5
Rationale
The Default Content Access domain account is the default account that the Office SharePoint Server Search service uses to crawl
content across sites, unless a crawl rule specifies different credentials for a URL. (The account that the Windows SharePoint
Services Search role uses to crawl is a separate account; see recommendation 10.) Follow the principle of least privilege to ensure that the Default Content Access domain account is
provided with only the minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity
for a malicious user or process to compromise the SharePoint environment. Having unique accounts increases data protection.
If one account is compromised, the malicious user will have access only to data for that account and other accounts will remain
secure.
How-To
For more information about server farm account requirements review the Microsoft Technet article referred to in references.
1: Open Active Directory Users and Computers.
2: Locate the dedicated Default Content Access domain account.
3: Open the properties of that account.
4: Verify that the account's Description field is "Default Content Access domain account".
1. Reference
Publisher: Microsoft TechNet
Identifier: Plan for administrative and service accounts
Description: For information about server farm account requirements, access the following link: http://technet.microsoft.com/en-us/library/cc263445.aspx,
navigate to Plan for administrative and service accounts (Office SharePoint Server), select the Server farm standard requirements
link, and select the Office SharePoint Server security account requirements link.
http://technet.microsoft.com/en-us/library/cc263445.aspx
1. Check Summary:
System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-9:def:1 File: sp2007-oval.xml
8. Profile Import Default Access Domain Account
Verify that a dedicated Profile Import Default Access domain account exists and that the account's description is "Profile
Import Default Access domain account".
Question: Is this a server farm installation?
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9676-8
( http://cce.mitre.org ) CCE-9482-1
Rationale
The Profile Import Default Access domain account is used to connect to a directory service, such as the Active Directory directory
service, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog application, or other directory
source and to import profile data from a directory service. Follow the principle of least privilege to ensure that the Profile
Import Default Access domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended
to perform, thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having
unique accounts increases data protection. If one account is compromised, the malicious user will have access only to data
for that account and other accounts will remain secure.
How-To
For information about server farm account requirements refer to the Microsoft technet source listed in the references.
1: Open Active Directory Users and Computers.
2: Locate the dedicated Profile Import Default Access domain account.
3: Open the properties of that account.
4: Verify that the account's Description field is "Profile Import Default Access domain account", the value this recommendation
requires.
1. Reference
Publisher: Microsoft TechNet
Identifier: Plan for administrative and service accounts
Description: For information about server farm account requirements, access the following link: http://technet.microsoft.com/en-us/library/cc263445.aspx,
navigate to Plan for administrative and service accounts (Office SharePoint Server), select the Server farm standard requirements
link, and select the Office SharePoint Server security account requirements link.
http://technet.microsoft.com/en-us/library/cc263445.aspx
1. Check Summary:
System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-10:def:1 File: sp2007-oval.xml
9. Windows SharePoint Services Search Service Domain Account
Verify that a dedicated Windows SharePoint Services Search service domain account exists and that the account's description
is "Windows SharePoint Services Search service domain account".
Question: Is this a server farm installation?
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9313-8
( http://cce.mitre.org ) CCE-9578-6
Rationale
The Windows SharePoint Services Search service domain account is the service account for the Windows SharePoint Services Search
(Help Search) service. The account must be a domain user account and must not be a member of the Farm Administrators group. Follow the principle
of least privilege to ensure that the Windows SharePoint Services Search service domain account is provided with only the
minimum privileges needed to accomplish the tasks it is intended to perform, thereby reducing the opportunity for a malicious
user or process to compromise the SharePoint environment. Having unique accounts increases data protection. If one account
is compromised, the malicious user will have access only to data for that account and other accounts will remain secure.
How-To
For information about server farm account requirements, see the Microsoft TechNet article listed in the references.
1: Open Active Directory Users and Computers.
2: Locate the dedicated Windows SharePoint Services Search service domain account.
3: Open the properties of that account.
4: Verify that the account's Description field is "Windows SharePoint Services Search service domain account", the value this
recommendation requires.
1. Reference
Publisher: Microsoft TechNet
Identifier: Plan for administrative and service accounts
Description: For information about server farm account requirements, access the following link: http://technet.microsoft.com/en-us/library/cc263445.aspx,
navigate to Plan for administrative and service accounts (Office SharePoint Server), select the Server farm standard requirements
link, and select the Office SharePoint Server security account requirements link.
http://technet.microsoft.com/en-us/library/cc263445.aspx
1. Check Summary:
System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-11:def:1 File: sp2007-oval.xml
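The Active Directory steps in recommendations 4, 5, 6 and 9 confirm that the accounts exist; they do not confirm that the services actually log on as those accounts, which is what recommendation 1 changes through Central Administration. The following PowerShell script, added here as an example and not part of the guide, reads the logon account of each of those services from WMI on the local server and flags built-in, local or shared accounts. The service names are those of SharePoint Server 2007 and a default SQL Server instance; a named SQL Server instance uses different service names, and services not installed on the server being checked are reported as such. SQL Server and SQL Server Agent are expected to share one account (recommendation 5), so that pair is not flagged.

```powershell
# Added example, not from the guide: check which account each SharePoint and SQL
# Server service logs on as. Run on each server of the farm. Service names assume
# SharePoint Server 2007 and a default SQL Server instance.
$roles = @{
    'OSearch'        = 'Office SharePoint Server Search Service account'    # recommendations 1 and 4
    'SPSearch'       = 'Windows SharePoint Services Search service account' # recommendation 9
    'SPTimerV3'      = 'Server Farm account'                                # recommendation 6
    'MSSQLSERVER'    = 'SQL Server Service account'                         # recommendation 5
    'SQLSERVERAGENT' = 'SQL Server Service account'                         # same account as MSSQLSERVER is expected
}
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

$accountRole = @{}   # logon account -> role already served by that account
foreach ($svcName in $roles.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
    if ($svc -eq $null) { '{0,-15} not installed on this server' -f $svcName; continue }

    $account = $svc.StartName   # e.g. CORP\svc-sp-farm, .\svcsearch, LocalSystem
    $finding = 'OK'
    if ($builtIn -contains $account) {
        $finding = 'built-in account; use a dedicated account'
    } elseif ($account -like '.\*') {
        # WMI reports local accounts as .\name; recommendation 1 allows this on a single server only.
        $finding = 'local account; acceptable only on a single-server installation'
    } elseif ($accountRole.ContainsKey($account) -and $accountRole[$account] -ne $roles[$svcName]) {
        # One account serving two roles defeats the isolation this chapter asks for.
        $finding = 'shared with the ' + $accountRole[$account]
    }
    if (-not $accountRole.ContainsKey($account)) { $accountRole[$account] = $roles[$svcName] }
    '{0,-15} {1,-30} {2}' -f $svcName, $account, $finding
}
```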
10. Search Content Access Domain Account
Verify that a dedicated Windows SharePoint Services Search content access domain account exists and that the account's description
is "Windows SharePoint Services Search content access domain account".
Question: Is this a server farm installation?
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9277-5
( http://cce.mitre.org ) CCE-9404-5
Rationale
The Windows SharePoint Services Search content access domain account is used by the Windows SharePoint Services Search application
server role to crawl content across sites. The account must be a domain user account and must not be a member of the Farm
Administrators group. Follow the principle of least privilege to ensure that the Windows SharePoint Services Search content
access domain account is provided with only the minimum privileges needed to accomplish the tasks it is intended to perform,
thereby reducing the opportunity for a malicious user or process to compromise the SharePoint environment. Having unique accounts
increases data protection. If one account is compromised, the malicious user will have access only to data for that account
and other accounts will remain secure.
How-To
For information about server farm account requirements, see the Microsoft TechNet article listed in the references.
1: Open Active Directory Users and Computers.
2: Locate the dedicated Windows SharePoint Services Search content access domain account.
3: Open the properties of that account.
4: Verify that the account's Description field is "Windows SharePoint Services Search content access domain account", the value
this recommendation requires.
1. Reference
Publisher: Microsoft TechNet
Identifier: Plan for administrative and service accounts
Description: For information about server farm account requirements, access the following link: http://technet.microsoft.com/en-us/library/cc263445.aspx,
navigate to Plan for administrative and service accounts (Office SharePoint Server), select the Server farm standard requirements
link, and select the Office SharePoint Server security account requirements link.
http://technet.microsoft.com/en-us/library/cc263445.aspx
1. Check Summary:
System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-12:def:1 File: sp2007-oval.xml
11. Required Single Sign-On (SSO) Accounts
Verify that the required Single Sign-On (SSO) accounts have been created in order to set up, run, and administer the SSO system.
Question: Is the SSO service enabled in this SharePoint Deployment?
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9281-7
Rationale
The Single Sign-On service in SharePoint Server 2007 requires several accounts, used to set up, run, and administer the service.
Using a distinct account for each role separates duties and isolates permissions, and it makes changes to the SSO configuration
attributable to the account that made them.
How-To
The following Microsoft TechNet page describes the required accounts and how to configure them:
1: Access the following link: http://technet2.microsoft.com/Office/en-us/library/3df68222-235b-45de-82fa-b89166c5c6bd1033.mspx?mfr=true
2: Scroll down and select the Plan for single sign-on link.
1. Check Summary:
System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-22:def:1 File: sp2007-oval.xml
12. Domain Account Password Expiration
Ensure that passwords for all dedicated domain accounts are configured to expire every 60 days.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10121-2
Rationale
Passwords are a primary method used to control access to resources. A compromised password lets a malicious user operate on the
system as a legitimate account without raising suspicion. Expiring the dedicated accounts' passwords regularly limits how long a
compromised password remains usable. This recommendation applies to all recommendations pertaining to domain accounts in this chapter.
How-To
Ensure that the Password never expires option is cleared on each dedicated domain account and that the domain password policy
sets a maximum password age of 60 days or less. When a service account password is changed in Active Directory, update it in
SharePoint as well, otherwise the affected service or application pool fails at its next logon: use stsadm -o updatefarmcredentials
for the Server Farm account, stsadm -o updateaccountpassword for application pool accounts, and the Services on Server pages in
Central Administration for the search service accounts.
1. Check Summary:
System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-23:def:1 File: sp2007-oval.xml
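The Active Directory checks of recommendations 2 and 4 through 10 and the expiration rule above can be run as one script. The following PowerShell script, added here as an example and not part of the guide, looks each dedicated account up with System.DirectoryServices (available on Windows Server 2003 without additional modules), compares its Description with the value the corresponding recommendation requires, and reports accounts whose password never expires or is older than 60 days. The sAMAccountNames are placeholders chosen for this example and must be replaced with the names used in the deployment; the descriptions are the guide's own.

```powershell
# Added example, not from the guide: audit the dedicated SharePoint domain accounts.
# The sAMAccountNames are placeholders; the descriptions are the values required
# by recommendations 2 and 4 through 10. Run as a domain user on a domain-joined host.
$accounts = @{
    'svc-sp-excel'    = 'Excel Services Unattended Service domain account'
    'svc-sp-osearch'  = 'Office SharePoint Server Search Service domain account'
    'svc-sql'         = 'SQL Server Service domain account'
    'svc-sp-farm'     = 'Server Farm domain account'
    'svc-sp-crawl'    = 'Default Content Access domain account'
    'svc-sp-profile'  = 'Profile Import Default Access domain account'
    'svc-sp-spsearch' = 'Windows SharePoint Services Search service domain account'
    'svc-sp-spcrawl'  = 'Windows SharePoint Services Search content access domain account'
}
$maxPasswordAgeDays = 60        # recommendation 12
$DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl flag behind "Password never expires"

# A DirectorySearcher with no SearchRoot searches the current domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.PropertiesToLoad.AddRange([string[]]@('description', 'pwdlastset', 'useraccountcontrol'))

foreach ($sam in $accounts.Keys) {
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { '{0,-18} MISSING' -f $sam; continue }
    $p = $result.Properties
    $findings = @()

    $description = ''
    if ($p['description'].Count -gt 0) { $description = [string]$p['description'][0] }
    if ($description -ne $accounts[$sam]) { $findings += "description is '$description'" }

    $uac = [int]$p['useraccountcontrol'][0]
    if (($uac -band $DONT_EXPIRE_PASSWD) -ne 0) { $findings += 'password never expires' }

    # pwdLastSet is a FILETIME; 0 means the password must be changed at next logon.
    $pwdLastSet = [long]$p['pwdlastset'][0]
    if ($pwdLastSet -eq 0) {
        $findings += 'password must be changed at next logon'
    } else {
        $age = ((Get-Date) - [DateTime]::FromFileTime($pwdLastSet)).Days
        if ($age -gt $maxPasswordAgeDays) { $findings += "password is $age days old" }
    }

    if ($findings.Count -eq 0) { '{0,-18} OK' -f $sam }
    else { '{0,-18} {1}' -f $sam, [string]::Join('; ', [string[]]$findings) }
}
```

The Farm Administrators membership that recommendations 4, 9 and 10 forbid is a SharePoint group, not an Active Directory group, so it is checked in Central Administration rather than here.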
This chapter provides recommendations for installing and configuring SharePoint Server 2007.
1. Operating System Service Pack
Apply the latest operating system service pack to the Windows Server 2003 platform after the initial install of the operating
system.
Rationale
Service packs roll up fixes for vulnerabilities discovered since the operating system was released. Running without the latest
service pack leaves those vulnerabilities exposed, so an intruder could compromise the system; some SharePoint functionality may
also be unavailable on an unpatched platform.
How-To
Self-explanatory.
1. Check Summary:
System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-24:def:1 File: sp2007-oval.xml
2. Microsoft Security Bulletin MS07-059
Apply the security update "Microsoft Security Bulletin MS07-059".
Rationale
The vulnerability addressed by the security update could allow an attacker to run an arbitrary script that could result in
elevation of privilege within the SharePoint site. The vulnerability could also allow an attacker to run an arbitrary script
to modify a user's cache, resulting in information disclosure at the workstation. The vulnerability is identified as CVE-2007-2581.
Before applying the update, review the known issues: see Microsoft Knowledge Base Article 942017.
How-To
Download and install the software referenced in the Microsoft Knowledge Base article KB937832.
1. Check Summary:
System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-25:def:1 File: sp2007-oval.xml
3. Operating System Hotfixes
Apply hotfixes to the operating system according to the policies set for the organization.
Rationale
Hotfixes are quick fixes to address a problem discovered after the latest service pack for an operating system has been released.
Applying hotfixes will protect the system against known vulnerabilities.
How-To
Self-explanatory. Before implementing this recommendation, implement recommendation 9 of this chapter, "Ensure that the proper
policies, procedures, and software are in place to protect the operating system against vulnerabilities", so that hotfixes are
applied under a defined policy.
1. Check Summary:
System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:2 File: sp2007-ocil.xml
4. Microsoft IIS 6.0 Best Practice Guidance
Apply the security guidance of the Microsoft Security Best Practices guidance for IIS 6.0.
Rationale
Microsoft Internet Information Service (IIS) is a core component of SharePoint Server 2007. Ensuring IIS is installed and
configured securely reduces the risk of the system being compromised.
How-To
Self-explanatory. For more information refer to Microsoft's best practice found at: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f8f81568-31f2-4210-9982-b9391afc30eb.mspx?mfr=true
1. Check Summary:
System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:3 File: sp2007-ocil.xml
5. SharePoint Server 2007 Security Updates
Apply all SharePoint Server 2007 security updates and service packs.
Rationale
Security updates and service packs fix known vulnerabilities in SharePoint Server 2007. Running without the latest updates
leaves those vulnerabilities exposed, so an intruder could compromise the system; some functionality may also be unavailable
without them.
How-To
Self-explanatory.
1. Check Summary:
System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:4 File: sp2007-ocil.xml
6. NSA Guide for Windows Server 2003
Apply the security guidance of the NSA guide for Windows Server 2003.
Rationale
Microsoft Windows Server 2003 is a core component of SharePoint Server 2007. Ensuring Windows Server 2003 is installed and
configured securely reduces the risk of the system being compromised.
How-To
Self-explanatory. For more information refer to the National Security Agency web site at http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1
1. Check Summary:
System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:5 File: sp2007-ocil.xml
7. NIST Internet Explorer 7 Security Guidance
Apply the security guidance for Internet Explorer 7 found at the NIST National Vulnerability Database checklist site.
Rationale
Microsoft Internet Explorer is a core component of SharePoint Server 2007. Ensuring IE is installed and configured securely
reduces the risk of the system being compromised.
How-To
Self-explanatory. For more information refer to the NIST website: http://nvd.nist.gov/ncp.cfm?repository
1. Check Summary:
System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:6 File: sp2007-ocil.xml
8. CIS SQL Server Benchmark
Apply the guidance of the Center for Internet Security (CIS) SQL Server Benchmark.
Rationale
Microsoft SQL Server is a core component of SharePoint Server 2007. Ensuring SQL Server is installed and configured securely
reduces the risk of the system being compromised.
How-To
Self-explanatory. For more information refer to the CIS website: http://www.cisecurity.org/bench_sqlserver.html
1. Check Summary:
System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:7 File: sp2007-ocil.xml
9. Operating System Policies and Procedures
Ensure that the proper policies, procedures, and software are in place to protect the operating system against vulnerabilities.
Rationale
Setting these guidelines will help protect the server against potential vulnerabilities. If these guidelines do not exist
and no software is in place to protect the server, an intruder could potentially gain access and compromise important data
or cause denial of service.
How-To
Self-explanatory.
1. Check Summary:
System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:8 File: sp2007-ocil.xml
10. Password Policies And Procedures
Ensure that the proper policies and procedures exist to set strong passwords.
Rationale
Setting a strong password will help protect servers and users from unauthorized users gaining access to the SharePoint server.
If strong passwords are not used, an unauthorized user could potentially crack the password and gain access to the data on
the SharePoint server.
How-To
Passwords should contain a minimum of 12 characters and include characters from at least 3 of the following 4 classes:
- upper case letters
- lower case letters
- numbers
- special characters (e.g. !, @, #, $, %)
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:9 File: sp2007-ocil.xml
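As an added example (not part of the guide), the following Python function applies the complexity rule above to a candidate password and reports each requirement it fails, which is what an account-provisioning or audit script needs rather than a bare yes/no. Treating any character that is not a letter or digit as a "special" character is an assumption made here; the sample passwords are constructed.

```python
# Added example: checks a candidate password against the policy stated above
# (12+ characters, at least 3 of 4 character classes). Not part of the guide.
from typing import List, Set

MIN_LENGTH = 12
MIN_CLASSES = 3
ALL_CLASSES = {"upper", "lower", "digit", "special"}


def character_classes(password: str) -> Set[str]:
    """Return the character classes present in the password.

    Assumption: any character that is not a letter or a digit (e.g. ! @ # $ %)
    counts as a special character.
    """
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    present = character_classes(password)
    if len(present) < MIN_CLASSES:
        missing = ", ".join(sorted(ALL_CLASSES - present))
        problems.append(
            f"only {len(present)} of {len(ALL_CLASSES)} character classes used "
            f"(need {MIN_CLASSES}; missing: {missing})"
        )
    return problems


def audit(candidates: List[str]) -> dict:
    """Map each candidate password to its violations, for reviewing a batch at once."""
    return {pw: check_password(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw, problems in audit(["password1234", "Ab1!", "Tr0ub4dor&3xyz"]).items():
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```

Reporting the missing classes by name lets a help-desk or provisioning tool tell the user what to fix, and the same function can be pointed at the local security policy's effective settings to confirm the two agree.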
11. Central Administration Hosting and Deployment
For an environment that requires an Internet-facing capability, or in any deployment of two or more servers, ensure that the
Central Administration site is not hosted on a front-end Web server.
Rationale
Front-end Web servers are the most exposed hosts in the farm and the ones an external attacker is most likely to reach. Hosting
Central Administration on such a server means that a compromise of the front end also yields the farm's administrative
interface, from which configuration and data could be altered or disclosed.
How-To
Self-explanatory. In the case where an Internet-facing capability is required, two or more servers will be needed so that
the Central Administration site will not be on the front-end Web server.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:10 File: sp2007-ocil.xml
12. External Access To Central Administration
Block external access to the Central Administration site.
Rationale
The Central Administration site exposes farm-wide configuration and should be reachable only from the hosts that need it. If it
can be reached from external networks, an attacker who obtains or guesses administrator credentials has direct access to it, and
sensitive configuration and data are at risk.
How-To
Place a firewall between the front-end Web servers and the server that hosts the Central Administration site, and configure it
with the following policies:
1: Deny all unencrypted HTTP access to the server hosting the Central Administration site.
2: Allow HTTPS access from the front-end Web servers only, and only to the non-published port on which the Central Administration
site listens.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:11 File: sp2007-ocil.xml
13. Anti-virus Software For SharePoint 2007
Install Microsoft SharePoint Server 2007-compatible antivirus software on every front-end web server in the farm.
Rationale
A standard file-system antivirus package for Windows Server 2003 will not scan documents stored in SharePoint, because SharePoint
keeps them inside SQL Server content databases rather than as files on disk. Only an antivirus product written against the
SharePoint antivirus interface can scan content as it is uploaded to or downloaded from the farm, so a SharePoint Server
2007-specific package must be purchased and installed.
How-To
Self-explanatory.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:12 File: sp2007-ocil.xml
14. Central Administration And SSL
Enable Secure Sockets Layer (SSL) on the Central Administration site.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10218-6
Rationale
The SharePoint Central Administration site allows an administrator to manage settings for the Web server and virtual servers, so
administrator credentials and configuration data pass over it. SSL encrypts that traffic in transit and lets the browser verify
that it is talking to the genuine Central Administration server rather than an impostor.
How-To
The following link provides instructions to enable SSL on the Central Administration site:
http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stse10.mspx?mfr=true
1. Check Summary:System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-39:def:1 File: sp2007-oval.xml
15. SharePoint Servers and DNS Configuration
Do not publish intranet IP addresses of SharePoint servers in the organization's external Domain Name System (DNS).
Rationale
Many SharePoint deployments will have Internet-facing servers publishing the same data with different security controls in
place. It is important to publish only the external IP addresses in DNS and not the intranet addresses. Publishing intranet
addresses in an external Domain Name System would make the intranet addresses available to potential attackers.
How-To
Self-explanatory.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:13 File: sp2007-ocil.xml
16. Password Expiration Schedule for Local Accounts
Ensure that passwords expire on all local accounts at least every [60] days.
Rationale
Regular expiration limits how long a password that has been guessed, cracked or disclosed remains usable by an attacker.
How-To
Self-explanatory.
1. Check Summary:System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-9-23:def:1 File: sp2007-oval.xml
This chapter provides recommendations for the Central Administration site. The recommendations focus on the following areas:
Security Operations, Application Management, SharePoint Web Application Management, SharePoint Site Management, User Profiles
and My Sites, Office SharePoint Server Shared Services, and Shared Services Administration Search. In order to manage SharePoint
through the Central Administration site, a user must log in to the site either as a member of the server's local Administrators
group or as a user configured as a SharePoint Administrator.
1. Single Sign-On (SSO) Encryption Key Creation
Create a new Single Sign-On (SSO) encryption key every 90 days if the Microsoft SSO service is enabled in the SharePoint deployment.
Rationale
The encryption key encrypts and decrypts security credentials; therefore, creating a new encryption key every 90 days limits
the amount of time that a compromised key can be used.
How-To
Note: The first server that the Microsoft Single Sign-On service (SSOSrv) is enabled on becomes the encryption-key server.
Follow steps below.
1: Log in to the encryption-key server as the SSO Administrator.
2: Log in to the Central Administration site as the SSO Administrator.
3: Select Operations > Security Configuration.
4: Select Manage settings for single sign-on.
5: Select Manage encryption key.
6: Select Create Encryption Key.
7: Check the box "Re-encrypt all credentials by using the new encryption key".
8: Select OK.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:14 File: sp2007-ocil.xml
2. Single Sign-On Encryption Key Compromise
If the Microsoft Single Sign-On (SSO) service is enabled in the SharePoint deployment, create a new SSO encryption key and
re-encrypt the user credentials in the SSO database with it immediately whenever there is reason to suspect that account
credentials or the encryption key have been compromised.
Rationale
The encryption key is used to encrypt and decrypt the credentials stored in the SSO database. An attacker holding both a copy of
that database and the key can recover every stored credential. Generating a new key and re-encrypting the stored credentials
invalidates the compromised key; the stored credentials themselves should also be changed if they are suspected to have been
exposed, since re-encryption does not help once a credential is already known.
How-To
Note: Since re-encryption is a long-running job, re-encrypt credentials only at off-peak periods.
Follow steps below.
1: Log in to the encryption-key server as the SSO Administrator.
2: Log in to Central Administration as the SSO Administrator.
3: Navigate to Operations > Security Configuration.
4: Select Manage settings for single sign-on.
5: Select Manage encryption key.
6: Select Create Encryption Key.
7: Check the box "Re-encrypt all credentials by using the new encryption key".
8: Select OK.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:15 File: sp2007-ocil.xml
3. Single Sign-On Encryption Key Server Hosting
Host the SSO encryption key server on an application server if the Microsoft SSO service is enabled in the SharePoint deployment.
Question: Is this a farm configuration?
Rationale
An application server computer is not directly accessed by end-users and it is typically protected by additional layers of
security, therefore making it the best choice to host the SSO encryption key server.
How-To
Self-explanatory.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:16 File: sp2007-ocil.xml
4. Single Sign-On Configuration and Management
Always log in to the Single Sign-On (SSO) encryption key server locally when configuring or managing SSO, if the Microsoft
SSO service is enabled in the SharePoint deployment.
Rationale
Managing SSO over the network would expose the SSO administrator's session, and potentially key material, to interception or
relay from any host on the path. Since the data on the encryption key server is highly sensitive, access it only from a local
console session and never remotely.
How-To
Note: The first server that the Microsoft Single Sign-On service (SSOSrv) is enabled on becomes the encryption key server. The
following steps describe how to access the SSO configuration items in Central Administration.
Follow steps below.
1: Log in to the SSO encryption-key server as the SSO Administrator.
2: Log in to Central Administration as the SSO Administrator.
3: Navigate to Operations > Security Configuration.
4: Select Manage settings for single sign-on.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:17 File: sp2007-ocil.xml
5. Authentication for SSL-secured Web Applications
Use Basic Authentication only in conjunction with an SSL-secured Web application.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10262-4
Rationale
Basic Authentication gives a web application a simple way to authenticate users with a user name and password. The downside is
that the browser sends them in every request as a Base64-encoded header; Base64 is an encoding, not encryption, so anyone who can
observe the traffic recovers the credentials directly. Secure Sockets Layer (SSL) protects the user name and password by
encrypting the traffic between browser and server. Since SSL adds complexity to the implementation and can affect server
performance, weigh that cost against the risk of exposing credentials in the SharePoint deployment; where Basic Authentication is
needed, SSL is the control that makes it acceptable.
How-To
Ensure that SSL is enabled before enabling Basic Authentication; see recommendation "Ensure that SSL is enabled on the appropriate
Web Applications". To enable Basic Authentication:
1: Log in to Central Administration.
2: Navigate to Application Management > Application Security.
3: Select Authentication Providers.
4: Select the relevant Web application.
5: Select the zone to modify.NOTE: The following step is available only if Windows Authentication Type has been selected in the
Authentication Type section.
6: In the IIS Authentication Settings section, check "Basic authentication (password is sent in clear text)"
7: Select Save.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:18 File: sp2007-ocil.xml
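The following Python block is an added example, not code from the guide or from SharePoint. It decodes the Authorization header that Basic Authentication puts on the wire, showing that the "plaintext" in the rationale is literal, and then runs a simple check over request records to flag any that sent Basic credentials without SSL. The request records, host name and credentials are all constructed for the example.

```python
# Added example: shows why Basic Authentication needs SSL. Not part of the guide;
# the sample requests, host name and credentials below are constructed.
import base64
from typing import Dict, List, Optional, Tuple

# Constructed records standing in for observed HTTP requests: transport scheme,
# request path and the headers that matter for this check.
SAMPLE_REQUESTS: List[Dict] = [
    {"scheme": "http", "path": "/sites/team/default.aspx",
     "headers": {"Host": "portal.example.local",
                 "Authorization": "Basic Ymd1dGhyaWU6V2ludGVyMjAxMSE="}},
    {"scheme": "https", "path": "/sites/team/default.aspx",
     "headers": {"Host": "portal.example.local",
                 "Authorization": "Basic Ymd1dGhyaWU6V2ludGVyMjAxMSE="}},
    {"scheme": "http", "path": "/_layouts/viewlsts.aspx",
     "headers": {"Host": "portal.example.local",
                 "Authorization": "Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw=="}},
]


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic Authorization header value.

    Basic credentials are "user:password" in Base64. Base64 is reversible by
    anyone, so this is exactly what a network observer sees on an HTTP connection.
    Returns None for any other scheme or for a malformed token.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def exposed_credentials(requests: List[Dict]) -> List[Tuple[str, str]]:
    """Return (user, path) for each request that sent Basic credentials over plain HTTP.

    Basic over https is acceptable under the recommendation above; any other
    authentication scheme is ignored here.
    """
    findings = []
    for req in requests:
        creds = decode_basic(req["headers"].get("Authorization", ""))
        if creds is not None and req["scheme"].lower() != "https":
            findings.append((creds[0], req["path"]))
    return findings


if __name__ == "__main__":
    for user, path in exposed_credentials(SAMPLE_REQUESTS):
        print(f"Basic credentials for {user!r} sent in the clear to {path}")
```

Run against the constructed records, only the first request is reported: the second carries the same header but over https, and the third uses Negotiate, whose token is not a reversible encoding of the password.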
6. Microsoft Default Blocked File Types
Ensure that the default set of Microsoft-recommended blocked file types is configured in the SharePoint deployment.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10152-7
( http://cce.mitre.org ) CCE-10073-5
( http://cce.mitre.org ) CCE-10068-5
( http://cce.mitre.org ) CCE-10099-0
( http://cce.mitre.org ) CCE-10191-5
( http://cce.mitre.org ) CCE-9296-5
( http://cce.mitre.org ) CCE-10003-2
( http://cce.mitre.org ) CCE-10034-7
( http://cce.mitre.org ) CCE-9298-1
( http://cce.mitre.org ) CCE-10063-6
( http://cce.mitre.org ) CCE-10217-8
( http://cce.mitre.org ) CCE-10125-3
( http://cce.mitre.org ) CCE-10283-0
( http://cce.mitre.org ) CCE-10296-2
( http://cce.mitre.org ) CCE-10270-7
( http://cce.mitre.org ) CCE-9318-7
( http://cce.mitre.org ) CCE-10208-7
( http://cce.mitre.org ) CCE-10221-0
( http://cce.mitre.org ) CCE-9300-5
( http://cce.mitre.org ) CCE-10162-6
( http://cce.mitre.org ) CCE-10029-7
( http://cce.mitre.org ) CCE-9302-1
( http://cce.mitre.org ) CCE-10225-1
( http://cce.mitre.org ) CCE-10042-0
( http://cce.mitre.org ) CCE-9950-7
( http://cce.mitre.org ) CCE-10069-3
( http://cce.mitre.org ) CCE-10117-0
( http://cce.mitre.org ) CCE-10258-2
( http://cce.mitre.org ) CCE-9646-1
( http://cce.mitre.org ) CCE-10179-0
( http://cce.mitre.org ) CCE-10210-3
( http://cce.mitre.org ) CCE-10241-8
( http://cce.mitre.org ) CCE-9923-4
( http://cce.mitre.org ) CCE-9954-9
( http://cce.mitre.org ) CCE-10236-8
( http://cce.mitre.org ) CCE-10143-6
( http://cce.mitre.org ) CCE-9778-2
( http://cce.mitre.org ) CCE-9685-9
( http://cce.mitre.org ) CCE-9310-4
( http://cce.mitre.org ) CCE-9993-7
( http://cce.mitre.org ) CCE-9883-0
( http://cce.mitre.org ) CCE-9962-2
( http://cce.mitre.org ) CCE-10257-4
( http://cce.mitre.org ) CCE-10147-7
( http://cce.mitre.org ) CCE-9411-0
( http://cce.mitre.org ) CCE-9331-0
( http://cce.mitre.org ) CCE-10106-3
( http://cce.mitre.org ) CCE-10269-9
( http://cce.mitre.org ) CCE-10177-4
( http://cce.mitre.org ) CCE-10080-0
( http://cce.mitre.org ) CCE-9766-7
( http://cce.mitre.org ) CCE-9824-4
( http://cce.mitre.org ) CCE-10194-9
( http://cce.mitre.org ) CCE-10128-7
( http://cce.mitre.org ) CCE-10260-8
( http://cce.mitre.org ) CCE-10286-3
( http://cce.mitre.org ) CCE-10308-5
( http://cce.mitre.org ) CCE-10322-6
( http://cce.mitre.org ) CCE-9334-4
( http://cce.mitre.org ) CCE-10324-2
( http://cce.mitre.org ) CCE-9963-0
( http://cce.mitre.org ) CCE-10100-6
( http://cce.mitre.org ) CCE-10025-5
( http://cce.mitre.org ) CCE-10289-7
( http://cce.mitre.org ) CCE-9350-0
( http://cce.mitre.org ) CCE-9363-3
( http://cce.mitre.org ) CCE-10261-6
( http://cce.mitre.org ) CCE-9979-6
( http://cce.mitre.org ) CCE-10133-7
Rationale
Blocked file types is a simple method for preventing certain file types from being uploaded to SharePoint. The feature prevents
files with a listed extension from being saved to or retrieved from any site in the Web application; a user who tries sees an
error and cannot complete the operation. It mitigates the threat of undesirable uploads such as executables or virus-carrying
files. The check looks only at the final extension, so a user can rename a file to circumvent it: "malicious.exe" becomes
"malicious.exe.xls" and is no longer matched by the "exe" entry. Some protection remains, since Windows also uses the final
extension to choose a handler and double-clicking "malicious.exe.xls" opens the file in Excel rather than executing it; the
payload is still stored in SharePoint, however, and can be renamed back once downloaded.
How-To
To further counter the threat of changed file extensions, consider a separate product for managing viruses and malware that
can integrate with SharePoint 2007, such as Microsoft Forefront.
NOTE: To allow a file type that is currently blocked, select it in the list of blocked file types and delete it. Deleting
it for a given web application does not delete it from the blocked file types list of any other web application. Also note
that the Note on the Blocked File Types page in Central Administration appears to be erroneous in referring to a "global"
list of blocked file types; there does not appear to be any "global" list.
Follow steps below.
1: Log in to Central Administration.
2: Navigate to Operations > Security Configuration.
3: Select Blocked file types.
4: Select a Web Application (or accept the default).
5: Review the list of blocked types and add any relevant additional types to the particular deployment. Warning: do not remove
extensions already in the list unless there is a compelling reason to do so.
6: Select OK.
1. Check Summary:System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-46:def:1 File: sp2007-oval.xml
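To make the extension-handling point concrete, here is an added Python example (not SharePoint code and not from the guide) that reproduces a last-extension check as the rationale describes it, shows the "malicious.exe.xls" bypass against it, and then applies the stricter checks an upload gateway or handler can add: examining every dotted segment of the name, normalizing the trailing dots and spaces that Windows strips when a file is written, and inspecting the leading bytes for an executable signature regardless of name. The extension subset, the signature table and the sample files are constructed for the example; the list in Central Administration is the authoritative one.

```python
# Added example, not SharePoint code: last-extension check versus stricter checks.
# The extension subset, signature table and sample files are constructed.
from typing import Dict, List, Optional

# Subset of the kind of extensions found in the blocked file types list.
BLOCKED_EXTENSIONS = {"exe", "dll", "bat", "cmd", "com", "vbs", "js", "msi", "scr", "pif"}

# Leading bytes that identify executable content whatever the file is called.
EXECUTABLE_SIGNATURES: Dict[bytes, str] = {
    b"MZ": "Windows PE executable (exe/dll/scr)",
    b"\x7fELF": "ELF executable",
    b"#!": "script with an interpreter line",
}


def base_name(path: str) -> str:
    """Strip any directory component, accepting either separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def last_extension(filename: str) -> str:
    """The text after the final dot, lower-cased; empty if there is no extension."""
    name = base_name(filename)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def blocked_by_last_extension(filename: str) -> bool:
    """Mirrors the behaviour described in the rationale: only the final extension counts."""
    return last_extension(filename) in BLOCKED_EXTENSIONS


def hidden_blocked_segments(filename: str) -> List[str]:
    """Blocked extensions appearing anywhere after the first dot, e.g. 'exe' in 'a.exe.xls'."""
    segments = base_name(filename).lower().split(".")[1:]
    return [s for s in segments if s in BLOCKED_EXTENSIONS]


def executable_signature(data: bytes) -> Optional[str]:
    """Describe the executable format the leading bytes identify, or None."""
    for magic, description in EXECUTABLE_SIGNATURES.items():
        if data.startswith(magic):
            return description
    return None


def should_block(filename: str, data: bytes) -> List[str]:
    """Reasons to reject an upload; an empty list means none of the checks fired."""
    # Windows drops trailing dots and spaces when the file is written, so judge
    # the name as it will actually be stored (assumption about the target host).
    name = base_name(filename).rstrip(". ")
    reasons = []
    if blocked_by_last_extension(name):
        reasons.append(f"final extension .{last_extension(name)} is blocked")
    else:
        hidden = hidden_blocked_segments(name)
        if hidden:
            reasons.append("blocked extension hidden in name: ." + ", .".join(hidden))
    kind = executable_signature(data)
    if kind is not None:
        reasons.append(f"content is {kind}")
    return reasons


if __name__ == "__main__":
    # Constructed sample uploads: (name, first bytes of content).
    samples = [
        ("malicious.exe", b"MZ\x90\x00\x03"),
        ("malicious.exe.xls", b"MZ\x90\x00\x03"),   # renamed to slip past the last-extension check
        ("malicious.exe.", b"MZ\x90\x00\x03"),      # trailing dot removed on save
        ("budget.xls", b"MZ\x90\x00\x03"),          # executable with an innocent name
        ("report.xlsx", b"PK\x03\x04"),             # genuine Office Open XML package
    ]
    for name, data in samples:
        print(f"{name:20} naive={blocked_by_last_extension(name)!s:5} strict={should_block(name, data)}")
```

The content check is the one that matters: a renamed executable keeps its MZ header, so "budget.xls" carrying a PE image is refused even though neither extension rule fires, which is what a SharePoint-integrated antivirus product does more thoroughly.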
7. Auditing Information Management Policy
Ensure that the auditing information management policy is configured to be available.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10146-9
Rationale
The auditing information management policy is configured by default to be available in new site and list policies. This feature
makes auditing services available for auditing user actions on documents and list items to the Audit Log. Information in the
Audit Log can help in troubleshooting and determining accountability.
How-To
Follow steps below.
1: Log in to Central Administration.
2: Navigate to Operations > Security Configuration
3: Select Information management policy configuration.
4: Select Auditing.
5: Select the Status option "Available for use in new site and list policies".
6: Select Save.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:247 File: sp2007-ocil.xml
8. Pluggable Authentication Providers
Ensure that a pluggable authentication provider has been configured if external users require authenticated access to a SharePoint
deployment.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10287-1
Rationale
An authentication provider is a component that verifies user credentials. Internal users can be verified through Windows
authentication against the domain, while external users, who typically have no domain account, are authenticated through a
pluggable provider. SharePoint 2007 uses the ASP.NET 2.0 membership and role provider model for this, so forms-based
authentication against a SQL database, an LDAP directory or another store can be configured without giving external users
Windows accounts.
How-To
The following documents describe pluggable authentication:
http://blogs.msdn.com/sharepoint/archive/2006/08/16/configuring-multiple-authentication-providers-for-sharepoint-2007.aspx
http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:22 File: sp2007-ocil.xml
9. Anti-virus Document Scanning
Enable the "Scan documents on upload" antivirus setting.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9833-5
Rationale
With this setting enabled, the installed SharePoint antivirus package scans each document as it is uploaded, so infected files are
caught before they are stored in the content database and served to other users. Antivirus scanning is not configured by default,
which leaves documents uploaded to SharePoint unscanned. The same Antivirus page also offers "Scan documents on download" and
"Attempt to clean infected documents", which a deployment may enable in addition.
How-To
First, follow the recommendation to: "Install a SharePoint Server 2007-specific antivirus package". Next, follow these steps
to configure antivirus settings:
1: Log in to Central Administration.
2: Navigate to Operations > Security Configuration.
3: Select Antivirus.
4: Check the following box: Scan documents on upload.
5: Select OK.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:249 File: sp2007-ocil.xml
10. Information Rights Management (IRM)
Ensure that an Information Rights Management (IRM) solution has been installed and configured if documents need access control
outside of the SharePoint environment.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10142-8
( http://cce.mitre.org ) CCE-10300-2
( http://cce.mitre.org ) CCE-9437-5
Rationale
Once a document has been downloaded from a SharePoint site, its content generally is no longer protected unless some form
of information rights management has been embedded in the document. If a document contains highly sensitive information, it
may be in the interests of the enterprise to provide embedded protection so that the information can be controlled regardless
of where the document may go. If such documents are otherwise protected, IRM may not be needed. IRM allows content creators
to control and protect their documents when disseminated outside of SharePoint in electronic form. IRM creates a set of access
controls that live with the content and therefore control access even when the document is outside of the SharePoint library.
How-To
Several vendors provide solutions. Microsoft provides the Windows Rights Management Services (RMS); see the following link:
http://technet2.microsoft.com/Office/en-us/library/073bfc71-7b01-4b77-bdc3-ac018889d54b1033.mspx?mfr=true
Follow steps below to configure Information Rights Management.
1: Log in to Central Administration.
2: Navigate to Operations > Security Configuration.
3: Select Information Rights Management.
4: Select appropriate option.
5: Select OK.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:23 File: sp2007-ocil.xml
11. Connections Between Web Parts
Enable the "Prevents users from creating connections between Web Parts, and helps to improve security and performance" option.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10141-0
Rationale
Web Parts connect to data sources and integrate information from them. They are custom code written by partners, IT, or
individual developers, and can be unsafe or malicious. Web Part connections let Web Parts discover each other on a page and
exchange data, up to and including everything a connected Web Part holds, and Web Parts can be connected to libraries, lists and
to each other to reveal and manipulate data. Allowing users to create such connections therefore widens what a malicious Web Part
can reach and increases the chance of malicious code execution when the Web Part being connected to comes from an unknown party.
Where enterprise policy does allow connections, administrators should carefully consider which Web Parts to make available to
users.
How-To
Follow steps below.
1: Log in to Central Administration.
2: Navigate to Application Management > Application Security.
3: Select Security for Web Part pages.
4: For each Web Application in the Web Application section repeat steps 5-7.
5: Select the correct Web Application in the Web Application section.
6: Select the "Prevents users from creating connections between Web Parts, and helps to improve security and performance" option
in the Web Part Connections section.
7: Select OK.
1. Check Summary:System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-51:def:1 File: sp2007-oval.xml
12. Online Web Part Gallery Security Settings
Enable the "Prevents users from accessing the Online Web Part Gallery, and helps to improve security and performance" option
for each web application.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10190-7
Rationale
Web Part galleries are groupings of Web Parts. There are four Web Part galleries: Closed Web Parts, Site Name Gallery, Server
Gallery, and Online Gallery. The Online Gallery is a collection of Microsoft MSNBC Web Parts that are located on the Internet.
Allowing users to access the Online Web Part Gallery causes a significant performance hit on the server, due to the server
attempting to connect to the MSNBC online gallery. This could result in a denial of service. The Online Gallery could contain
web parts from unknown third parties, which could increase the risk of a malicious code execution attack. Preventing users
from accessing the Online Web Part Gallery decreases the system's attack surface.
How-To
Follow steps below.
1: Log in to Central Administration.
2: Navigate to Application Management > Application Security.
3: Select Security for Web Part pages.
4: For each Web Application in the Web Application section repeat steps 5-7.
5: Select the next Web Application in the Web Application section.
6: Select the "Prevents users from accessing the Online Web Part Gallery, and helps to improve security and performance" option
in the Online Web Part Gallery section.
7: Select OK.
1. Check Summary:System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-52:def:1 File: sp2007-oval.xml
13. Self-Service Site Creation
Ensure that the "Enable Self-Service Site Creation" option is set appropriately for the deployment.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10326-7
Rationale
The Self-Service Site Management page can be used to allow users to create and manage their own top-level Web sites automatically.
When self-service site creation is enabled for a Web application, users can create their own top-level Web sites under a specific
path (by default, the /sites path). When self-service site creation is enabled, an announcement is added to the top-level
site at the root path of the Web application, and users who have permissions to view that announcement can link to the new
site. Whether self-service site creation should be enabled depends on the environment. For the Intranet environment, enable
self-service site creation according to business need. For the secure collaboration environment, enable self-service site
creation only for people or groups who have a business need for this feature. For the external anonymous environment, do not
enable self-service site creation on the Internet.
How-To
Follow steps below to set the "Enable Self-Service Site Creation" option.
1: Log in to Central Administration.
2: Navigate to Application Management > Application Security.
3: Select Self-Service site management.
4: For each Web Application in the Web Application section repeat steps 5-8.
5: Navigate to the Enable Self-Service Site Creation section.
6: Select the value [On or Off] as appropriate for the deployment.
7: (Optional) Select Require secondary contact.
8: Select OK.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:62 File: sp2007-ocil.xml
14. Web Application List, Site, and Personal Permissions
Ensure that each web application is configured to provide only the required List, Site, and Personal permissions necessary
for that web application.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10340-8
( http://cce.mitre.org ) CCE-10230-1
( http://cce.mitre.org ) CCE-10031-3
( http://cce.mitre.org ) CCE-10168-3
( http://cce.mitre.org ) CCE-10331-7
( http://cce.mitre.org ) CCE-9912-7
( http://cce.mitre.org ) CCE-10172-5
( http://cce.mitre.org ) CCE-9366-6
( http://cce.mitre.org ) CCE-10104-8
( http://cce.mitre.org ) CCE-9527-3
( http://cce.mitre.org ) CCE-10043-8
( http://cce.mitre.org ) CCE-10307-7
( http://cce.mitre.org ) CCE-9448-2
( http://cce.mitre.org ) CCE-9853-3
( http://cce.mitre.org ) CCE-10199-8
( http://cce.mitre.org ) CCE-10102-2
( http://cce.mitre.org ) CCE-9618-0
( http://cce.mitre.org ) CCE-10006-5
( http://cce.mitre.org ) CCE-10173-3
( http://cce.mitre.org ) CCE-9940-8
( http://cce.mitre.org ) CCE-10111-3
( http://cce.mitre.org ) CCE-10244-2
( http://cce.mitre.org ) CCE-10133-7
( http://cce.mitre.org ) CCE-10146-9
( http://cce.mitre.org ) CCE-10287-1
( http://cce.mitre.org ) CCE-9833-5
( http://cce.mitre.org ) CCE-9952-3
( http://cce.mitre.org ) CCE-9609-9
( http://cce.mitre.org ) CCE-10142-8
( http://cce.mitre.org ) CCE-10300-2
( http://cce.mitre.org ) CCE-9437-5
( http://cce.mitre.org ) CCE-10141-0
( http://cce.mitre.org ) CCE-10190-7
Rationale
There are three sets of rights with individual permissions that are automatically applied for every new Web application that
is created: List, Site, and Personal permissions. List permissions include the standard user rights for viewing, adding, or
deleting list items -- for example, manage lists, edit items, delete items, approve items, and add items. Site permissions
handle rights available on sites throughout the entire site collection -- for example, the ability for a user to apply or
change themes and borders or create groups and subsites to a site. Finally, Personal permissions allow users to add or modify
personalized Web Parts to sites. Providing only the permissions necessary to use and manage the web application guards against
erroneous use or modification of data.
How-To
Follow steps below.
1: Log in to Central Administration.
2: Navigate to Application Management > Application Security.
3: Select User Permissions for Web Application.
4: For each Web Application in the Web Application section repeat steps 5 and 6.
5: Select the next Web Application in the Web Application section.
6: Review all List, Site, and Personal permission lists, clear any permission the web application does not require, and save the
change.
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:63 File: sp2007-ocil.xml
15. Accessing Web Applications from Zones
Ensure that users are granted the correct level of rights when accessing Web applications from a particular zone.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10326-7
Rationale
Policies are a new feature in SharePoint 2007. The Policy for Web Applications tool enables administrators to create centralized
policies that apply to every site collection and site in the Web application, overriding site-level permissions. Administrators
can create policies that determine the level of rights users are granted when connecting to a Web application from a specific
zone; examples of zones are Internet, Extranet, and Intranet. For example, if a user connects from the Internet zone and tries to
upload files, and a zone policy is in place that allows Read access only, the upload is refused. If policies are being used, it is
essential that only the users who should have access from a specific zone are granted a policy with the appropriate level of
rights, and that a deny policy is applied where a zone should be restricted. Failure to verify this could result in data being
exposed to unauthorized people.
How-To
Follow steps below.
1: Log in to Central Administration.
2: Navigate to Application Management > Application Security.
3: Select Policy for Web Applications.
4: For each Web Application in the Web Application section repeat steps 5 and 6.
5: Select the Web Application of interest.
6: Verify user permissions.
For additional information, see http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx
1. Check Summary:System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:64 File: sp2007-ocil.xml
16. Anonymous Access for Web Applications
Ensure that anonymous access has been disabled for each web application.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10340-8
Rationale
Anonymous access allows users to access a SharePoint Web site without authentication. However, the availability of anonymous
access increases the susceptibility of the SharePoint deployment to malicious attacks. The default is for anonymous access
to be disabled. In some cases, of course, a specific need to provide anonymous access may exist, such as an Internet facing
deployment.
How-To
Follow steps below. The "Allow Anonymous" option on the Extend an existing Web application page applies to the new zone being
created; for a zone that already exists, open Application Management > Application Security > Authentication Providers, select
the Web application and zone, and clear "Enable anonymous access" in the Anonymous Access section instead. In both cases, also
confirm that no site collection in the Web application has anonymous access turned on at the site level.
1: Log in to Central Administration.
2: Navigate to Application Management > SharePoint Web Application Management.
3: Select Extend an existing Web application.
4: For each Web Application in the Web Application section repeat steps 5-9.
5: Select the appropriate Web application.
6: Navigate to Security Configuration > Allow Anonymous.
7: Select [No].
8: Enter other options with values appropriate to the deployment.
9: Select OK.
1. Check Summary:System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-56:def:1 File: sp2007-oval.xml
17. Web Application SSL Settings
Ensure that SSL is enabled on the appropriate Web Applications.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10230-1
Rationale
SSL provides an added layer of security by encrypting data in transit and letting clients authenticate the server they connect
to. SSL is disabled by default for web applications. Without it, data on the network is exposed to confidentiality and integrity
compromise. SSL adds overhead, however, that may not be justified where the exchanged data is not at all sensitive.
How-To
Follow the steps below. Selecting "Use Secure Sockets Layer (SSL)" here creates the new zone's IIS Web site for SSL but does not
install a certificate: a server certificate must then be assigned to that IIS Web site in IIS Manager, and the zone's public URL
in Alternate Access Mappings must use https, before clients can connect.
1: Log in to Central Administration.
2: Navigate to Application Management > SharePoint Web Application Management.
3: Select Extend an existing Web application.
4: Repeat steps 5-8 for each Web application.
5: Select the appropriate Web application.
6: Navigate to Security Configuration > Use Secure Sockets Layer (SSL).
7: Ensure that the option [Yes] is selected.
8: Select OK.
1. Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:24 File: sp2007-ocil.xml
18. Deleting SharePoint Web Applications
To completely delete the information associated with a SharePoint Web application, use the "Delete Web Application" capability.
Rationale
The "Delete Web Application" capability can be used to remove a Web application including its content databases. The "Remove
SharePoint from IIS Web site" capability can be used to remove a site but does not provide the option to remove its content
databases. Using the "Delete Web Application" capability to remove the content databases protects against data leaks from
the residual content databases that would be left by the "Remove SharePoint from IIS Web site" capability.
How-To
Follow steps below.
Note: Consider backing up the web site and content databases before taking this action.
Caution: Deleting the content database and all IIS Web sites will disable any non-SharePoint application that was using one or more of those IIS Web sites.
1: Login to Central Administration.
2: Navigate to Application Management > SharePoint Web Application Management.
3: Select Delete Web application.
4: Select the Web Application to be deleted.
5: Navigate to Deletion Options > Delete content databases.
6: Select [Yes].
7: Navigate to Delete IIS Web sites.
8: Select [Yes].
9: Select Delete.
1. Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:25 File: sp2007-ocil.xml
19. Web Application Default Quota Templates
Ensure that a default quota template has been set for each Web application.
Question: Ensure that an appropriate default quota template has been set for all site collections.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10031-3
Rationale
Quota templates are used to specify the site storage size limit. By default, no quota template is selected for the default
site collection of a new web application. Uncontrolled growth of a site collection may degrade the performance of the deployment
and even disrupt its functionality. The selected template should be specified based on the types of sites being deployed and
the capacity of the available hardware.
How-To
Follow steps below.
1: Login to Central Administration.
2: Navigate to Application Management > SharePoint Web Application Management.
3: Select Web application general settings.
4: For each Web Application in the Web Application section repeat steps 5-15.
5: Select Web application.
6: Select Default Quota Template.
7: If an appropriate quota template exists, select it from the dropdown under "Select quota template" and go to step 15; otherwise,
continue with step 8 to create a new quota template.
8: Navigate to Default Quota Template.
9: Select Quota Templates.
10: Select Create a new quota template.
11: Enter a new name in the New template name textbox.
12: Navigate to the Storage Limit Values section.
13: Check the checkbox to enable "Limit site storage to a maximum of:" and enter a value.
14: Check the checkbox to enable "Send warning E-mail when site storage reaches:" and enter a value.
15: Select OK.
1. Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-59:def:1 File: sp2007-oval.xml
20. Web Page Security Validation
Verify that the "Security validation is" property is set to [On].
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9912-7
Rationale
Without security validation being enabled, once a user authenticates, he or she will be able to access a site indefinitely
in a given session. Enabling validation reduces the chance that a page will be accessed by an unauthorized person while the
authenticated user is absent. It forces the user to reauthenticate after a specified inactivity period is exceeded.
How-To
Follow steps below to verify that the "Security validation is" property is set to [On].
1: Login to Central Administration.
2: Navigate to Application Management > SharePoint Web Application Management.
3: Select Web application general settings.
4: Select a Web Application.
5: Navigate to Web Page Security Validation.
6: Verify that the "Security validation is" property is set to [On].
7: Verify that the "Security validation expires:" property is set to [After].
8: Accept the default timeout period of 30 minutes or shorten it if appropriate.
9: If changes have been made, select OK, otherwise select Cancel.
10: Repeat steps 3 through 9 for each Web Application.
1. Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-60:def:1 File: sp2007-oval.xml
21. Policy For Profile Services
Configure the policy for profile services according to organizational policies.
Rationale
User profiles can display a broad range of information about the user, some of which may be sensitive. Sensitive information
should be displayed only to users that have a business need to see it. Policy for profile services determines which attributes
are shown in user profiles and specifies which users can see each attribute.
How-To
Follow steps below.
1: Login to Central Administration.
2: Navigate to Shared Services Administration.
3: Select shared service to manage.
4: Login to the service.
5: Navigate to User Profiles and My Site.
6: Select Profile services policies.
7: In the Manage Policy section, choose policy items for which the default values are not appropriate.
8: Select Edit policy and enter the new value. Otherwise, use the default values.
9: Select OK.
10: Repeat steps 3 through 9 for each Shared Services Provider.
1. Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:26 File: sp2007-ocil.xml
22. My Site Default Reader Site Group Account
When configuring My Site settings, include in the Default Reader Site Group only the accounts that require read access to
future My Sites.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10172-5
( http://cce.mitre.org ) CCE-9366-6
Rationale
The Default Reader Site Group specifies the accounts that will be added as Readers in My Sites that are created. Note that
changes to the Default Reader Site Group will affect only My Sites created after the change. Note also that the default member
of the Default Reader Site Group is the "NT AUTHORITY\authenticated users" group. If the user(s) of an included account does
not have a need to know, the information at the My Site(s) could be compromised.
How-To
Follow steps below.
1: Login to Central Administration.
2: Navigate to Shared Services Administration.
3: Select shared service to manage.
4: Login to the service.
5: Navigate to User Profiles and My Sites.
6: Select My Site settings.
7: Navigate to Default Reader Site Group section.
8: Remove the "NT AUTHORITY\authenticated users" group account if appropriate.
9: Add or remove user or group accounts, as appropriate.
10: Select OK.
11: Repeat steps 3 through 10 for each Shared Services Provider.
1. Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:27 File: sp2007-ocil.xml
23. Shared Service Rights
Grant Shared Service Rights only to users that have a business need to manage shared services, and grant to these users only
the permissions for which they have a business need.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10104-8
( http://cce.mitre.org ) CCE-9844-2
( http://cce.mitre.org ) CCE-9610-7
( http://cce.mitre.org ) CCE-10020-6
( http://cce.mitre.org ) CCE-9846-7
( http://cce.mitre.org ) CCE-9471-4
Rationale
Users that have Shared Service Rights can manage shared services. Users without a specific business need to manage shared
services, such as "Manage User Profiles" and "Manage Permissions", may negatively affect the performance of the deployment
and even stop it from functioning correctly. Following this recommendation implements the principle of least privilege, which
generally reduces exposure to risk.
How-To
Follow steps below.
1: Login to Central Administration.
2: Navigate to Shared Services Administration.
3: Select shared service to manage.
4: Login to the service.
5: Navigate to User Profiles and My Sites.
6: Select Personalization Services Permissions.
7: Remove unnecessary users and groups by checking the checkboxes next to them and selecting Remove Selected Users.
8: Repeat steps 9 through 12 for each remaining user and group.
9: Check the checkbox of the user or group.
10: Select Modify Permissions of Selected Users.
11: Ensure that the selected user or group has only the minimally required set of permissions, making changes as needed.
12: Select OK.
13: Repeat steps 4 through 12 for each Shared Services Provider.
If additional users or groups are needed, ensure that each has only the minimally required set of permissions when adding them (using "Add Users/Groups").
1. Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:28 File: sp2007-ocil.xml
24. Site Collection Quota Templates
Ensure that a quota template has been set on each site collection.
Question: Ensure that a quota template has been set on top-level Web sites for each web application.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10159-2
Rationale
Quota templates help manage site and server resources. A quota template identifies the amount of storage allocated for a given
site. If no storage limit is set, a site could use so many resources that other sites will not be able to function properly.
How-To
Follow steps below.
1: Login to Central Administration.
2: Navigate to Application Management > SharePoint Site Management.
3: Select collection quotas and locks.
4: Repeat steps 5-7 for each Site Collection.
5: Select the Site Collection.
6: Set the Site Quota Information appropriately.
7: Select OK.
1. Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: ocil:mitre.org:questionnaire:265 File: sp2007-ocil.xml
25. Site Collection Deletion Property Settings
Verify that the "Automatically delete the site collection if use is not confirmed" property is not enabled for each web application.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9944-0
Rationale
Automatic deletion is an administrative feature that can delete unused sites without administrative intervention and without
a backup mechanism. Automatic deletion permanently removes all content and information from the site collection and any sites
beneath it. If the site collection administrator or secondary site collection administrator fails to confirm a site is still
in use when receiving an email notification asking if the site is still in use, the site is automatically deleted. This could
result in a denial of service to the users of that site. Also, data could be lost if a backup was not made prior to removing
the site collection.
How-To
Follow the steps below to verify that a Web application has not been set up for automatic deletion.
1: Login to Central Administration.
2: Navigate to Application Management > SharePoint Site Management.
3: Select Site use confirmation and deletion.
4: Repeat the following steps for each web application.
5: Select the Web Application.
6: Verify that the "Automatically delete the site collection if use is not confirmed" checkbox is not checked.
1. Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: ocil:mitre.org:questionnaire:266 File: sp2007-ocil.xml
26. Secondary Site Collection Administrators
Ensure that a secondary site collection administrator is defined for all site collections.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9483-9
Rationale
If a site reaches its maximum size, users will be denied access until an administrator fixes the problem. Having a secondary
administrator reduces the risk of having a denial of service on a site. If the site reaches its maximum size, the secondary
administrator can fix the problem if the primary administrator is not available. In some situations, having a secondary site
administrator could be inappropriate for reasons of control or confidentiality.
How-To
Follow steps below.
1: Login to Central Administration.
2: Navigate to Application Management > SharePoint Site Management.
3: Select Site Collection Administrators.
4: Repeat steps 5-7 for each Site Collection.
5: Select a Site Collection.
6: Ensure that a Secondary Site Collection Administrator has been defined.
7: Select OK.
1. Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-67:def:1 File: sp2007-oval.xml
27. SMTP Mail Server
Ensure that an SMTP Mail Server is defined.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10255-8
( http://cce.mitre.org ) CCE-10414-1
( http://cce.mitre.org ) CCE-10410-9
( http://cce.mitre.org ) CCE-10317-6
Rationale
E-mail messages are sent to site administrators when a site approaches its maximum size. If the outgoing e-mail server has
not been identified in the e-mail settings, no e-mail will be sent to site administrators to fix the problem. If a site reaches
its maximum size, users will be denied access to the site.
How-To
Follow the steps below.
Caution: SMTP must be installed on the server (in this case Windows Server 2003) in order for SharePoint to send the emails.
1: Login to Central Administration.
2: Navigate to Operations > Topology and Services.
3: Select Outgoing e-mail settings.
4: Enter the SMTP server in the Outbound SMTP server field.
5: In the From address box, enter the address as it should appear to e-mail recipients.
6: In the Reply-to address box, enter the e-mail address that recipients will reply to.
7: In the Character set menu, select the appropriate character set.
8: Select OK.
1. Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: ocil:mitre.org:questionnaire:268 File: sp2007-ocil.xml
28. Client-Side Automatic Logon
Do not enable client-side automatic logon on any Internet Explorer that is used to access the Central Administration web application.
Rationale
Automatic logon does not require the user to type the username and password for the Central Administration site; it simply
uses the credentials of the user that is logged into the system. If a malicious user gains access to a system that can launch
the Central Administration site and automatic logon is turned on, that user would gain access to the Central Administration
site.
How-To
Follow steps below to check Internet Explorer browser settings.
1: Start up Internet Explorer (IE).
2: Select Internet Options from the Tools menu.
3: Select Security.
4: Select Custom level.
5: Scroll to the bottom of the window.
6: Navigate to User Authentication > Logon.
7: Ensure that the "Prompt for username and password" box is selected.
8: Select [OK].
1. Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:29 File: sp2007-ocil.xml
29. Crawl Rule Exclusions
Verify that URLs that should not appear in search results are specified in "exclude" crawl rules.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9664-4
Rationale
The Manage Crawl Rules window specifies URLs to include or exclude from the crawl. It shows a list of URLs that have been
specified to be included or excluded in the crawl. The existence of some SharePoint resources, such as sites, documents, or
lists, should be known only to users who have a business need to know. Displaying the URLs of such resources in search results
reveals their existence, which may also suggest what information is held in that resource.
How-To
For additional information, refer to: http://technet2.microsoft.com/Office/en-us/library/3b45788c-7169-4a97-9a13-b6668ba7b7b91033.mspx?mfr=true
1: Login to Central Administration.
2: Navigate to Shared Services Administration.
3: Select shared service to manage.
4: Login to the service.
5: Navigate to Search.
6: Select Search settings.
7: Select Crawl Rules.
8: Verify that the list of exclude rules includes all the URLs that should not appear in search results.
1. Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:65 File: sp2007-ocil.xml
30. Accessing Central Administration with Internet Explorer
Use Microsoft Internet Explorer 6.x or later to access Central Administration.
Rationale
In order to have complete access to all functionality, Microsoft recommends using Internet Explorer 6.x or later. If an older
browser is used, some functionality might not be supported in the Central Administration site, which is a denial of service.
How-To
Self-explanatory.
1. Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-71:def:1 File: sp2007-oval.xml
31. External User Workflow Participation
Set the "Allow external users to participate in workflow by sending them a copy of the document?" option to [No].
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10321-8
Rationale
When selected, this option in Central Administration enables a workflow to be configured so that an external user, one who
has no access to the SharePoint site, can receive a copy of a document as an email attachment. This should not be allowed
in an environment in which documents may contain sensitive information whose dissemination must be controlled. In some open
environments, however, this option could provide convenient functionality.
How-To
Follow steps below.
1: Login to Central Administration.
2: Navigate to Application Management > Workflow Management.
3: Select Workflow settings.
4: Select a Web Application.
5: Navigate to Workflow Task Notifications.
6: Select the [No] option for "Allow external users to participate in workflow by sending them a copy of the document?".
7: Select other options as desired.
8: Select OK.
9: Repeat steps 3 through 8 for each Web Application.
1. Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-72:def:1 File: sp2007-oval.xml
32. Personal Sites
Grant the right 'Create personal site' only to users that have the business need to have a personal site.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10334-1
( http://cce.mitre.org ) CCE-10228-5
Rationale
By default, all authenticated users can create a My Site. This recommendation grants this right only to users having a business
need to have such a site. Allowing all users to have personal sites increases the risk of inappropriate or extraneous content.
In situations where the need for all users to have personal sites does not exist, the implementation of this recommendation
has the potential to increase the security of the deployment and to improve performance.
How-To
Follow steps 1-8 below to remove the 'Create personal site' permission from NT AUTHORITY\Authenticated Users group.
Follow steps 10 - 15 to grant specific users the right 'Create personal site'.
1: Login to Central Administration.
2: Navigate to Shared Services Administration.
3: Select Shared Services Provider.
4: Select Personalization services permissions.
5: Check the box "NT AUTHORITY\Authenticated Users" group.
6: Select Modify permissions of selected users.
7: Uncheck box 'Create personal site'.
8: Select Save.
9:
10: Select Add Users/Groups.
11: Navigate to Choose Users.
12: Enter users and group names.
13: Navigate to Choose permissions.
14: Check Create personal site.
15: Select Save.
1. Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:30 File: sp2007-ocil.xml
33. Anti-Virus Scanning For Downloaded Documents
Enable the "Scan documents on download" antivirus setting.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9689-1
Rationale
Configuring antivirus settings ensures that documents will be scanned for viruses upon download from and upload to the SharePoint
server. Antivirus settings are not configured by default, therefore leaving the documents downloaded from or uploaded to SharePoint
open to potential viruses.
How-To
First, follow the recommendation to: "Install a SharePoint Server 2007-specific antivirus package". Next, follow these steps
to configure antivirus settings:
1: Login to Central Administration.
2: Navigate to Operations > Security Configuration.
3: Select Antivirus.
4: Check the following box: Scan documents on download.
5: Select OK.
1. Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: ocil:mitre.org:questionnaire:919 File: sp2007-ocil.xml
34. Cleaning Infected Documents
Enable the "Attempt to clean infected documents" antivirus setting.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9497-9
Rationale
Configuring antivirus settings ensures that documents will be scanned for viruses upon download from and upload to the SharePoint
server. Antivirus settings are not configured by default, therefore leaving the documents downloaded from or uploaded to SharePoint
open to potential viruses.
How-To
First, follow the recommendation to: "Install a SharePoint Server 2007-specific antivirus package". Next, follow these steps
to configure antivirus settings:
1: Login to Central Administration.
2: Navigate to Operations > Security Configuration.
3: Select Antivirus.
4: Check the following box: Attempt to clean infected documents.
5: Select OK.
1. Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: ocil:mitre.org:questionnaire:921 File: sp2007-ocil.xml
35. Non-Microsoft Blocked File Types
Verify that the blocked file types, other than the default Microsoft set, are set appropriately for the SharePoint deployment.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10302-8
Rationale
The blocked file types list is a simple method for preventing certain file types from being uploaded to SharePoint. This feature
of SharePoint prevents specific file types from being saved or retrieved from any site on the server. If a user tries to save
or retrieve a blocked file type, he or she will see an error and will not be able to save or retrieve the file. This capability
provides a simple way to mitigate the threat of uploading undesirable files, such as those with viruses or executables that
are malicious. Note that users can change file extensions to circumvent the blocked file type configuration. For example,
a user could change "malicious.exe" to "malicious.exe.xls" to circumvent the blocking of files with the "exe" extension. Some
protection is still afforded, however, since double-clicking "malicious.exe.xls" will open the file in Excel rather than execute
it.
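As an added illustration of the double-extension circumvention described above (example code written for this point, not part of the MITRE guide or of SharePoint), the following compares a last-extension check, which is the behaviour the rationale describes, with a stricter check that flags a blocked extension anywhere in the name. The extension list and filenames are constructed samples, and stripping trailing dots and spaces is an assumption about how Windows stores such names.

```python
"""Checking upload filenames against a SharePoint-style blocked file type list.

Added example, not code from the guide or from SharePoint. SharePoint 2007 blocks a
file only when its final extension is on the list, so "malicious.exe.xls" passes a
list that blocks "exe". The stricter check below flags any blocked extension anywhere
in the name; an upload gateway or a periodic audit of existing library contents could
apply it in addition to the built-in list.
"""

# Constructed sample list; the real default list in Central Administration is longer.
BLOCKED_EXTENSIONS = {"exe", "bat", "cmd", "com", "vbs", "js", "pif", "scr"}


def _normalise(filename: str) -> str:
    """Keep only the final path component, fold case, and drop trailing dots/spaces.

    Case folding matches the case-insensitive blocked list; stripping trailing
    dots and spaces is an assumption about how Windows stores such names.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rstrip(". ").lower()


def extensions_of(filename: str) -> list:
    """All dot-separated extensions, e.g. 'report.exe.xls' -> ['exe', 'xls']."""
    parts = _normalise(filename).split(".")
    return [p for p in parts[1:] if p]


def is_blocked_last_extension(filename: str, blocked=BLOCKED_EXTENSIONS) -> bool:
    """Mimics the built-in behaviour the guide describes: only the final extension counts."""
    exts = extensions_of(filename)
    return bool(exts) and exts[-1] in blocked


def is_blocked_any_extension(filename: str, blocked=BLOCKED_EXTENSIONS) -> bool:
    """Stricter check: a blocked extension anywhere in the name flags the file."""
    return any(ext in blocked for ext in extensions_of(filename))


def audit(filenames, blocked=BLOCKED_EXTENSIONS) -> list:
    """Names the built-in check would accept but the strict check flags.

    Useful for reviewing a document library after the blocked list is tightened,
    since existing content is not re-evaluated by the built-in setting.
    """
    return [
        f for f in filenames
        if not is_blocked_last_extension(f, blocked)
        and is_blocked_any_extension(f, blocked)
    ]


if __name__ == "__main__":
    # Constructed sample of names as they might appear in a library listing.
    sample = ["quarterly.xlsx", "setup.exe", "malicious.exe.xls", "notes.BAT.txt"]
    for name in sample:
        print(f"{name:20} built-in blocks: {is_blocked_last_extension(name)!s:5} "
              f"strict blocks: {is_blocked_any_extension(name)}")
    print("slipped past built-in check:", audit(sample))
```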
How-To
Follow the instructions below:
1: Login to Central Administration.
2: Navigate to Operations > Security Configuration.
3: Select Blocked file types.
4: Select a Web Application (or accept the default).
5: Review the list of blocked types and add any relevant additional types to the particular deployment. Warning: do not remove
extensions already in the list unless there is a compelling reason to do so.
6: Select OK.
1. Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:612 File: sp2007-ocil.xml
This chapter provides recommendations that are implemented at the Site level.
1. SharePoint Site Crawls
Exclude any sensitive content from the SharePoint crawl.
Rationale
A crawler is a program that connects to and reads information in order to create entries for a search engine index. SharePoint
includes a crawler that extracts data from various content sources. When a user does a search over the crawled content, the
results of the search include identification of all sources matching the search criteria whether a user has permission to
view the source or not. Thus, the listing of restricted content in the search results can lead to information disclosure.
There is an obvious downside to this: individual documents, lists, sites, and so on that are excluded from the crawl become
unavailable for searching by users who are authorized to view the sources.
How-To
The following methods can be used:
Page designers can add the <META NAME="ROBOTS" CONTENT="NOHTMLINDEX"/> element manually to all pages that they do not want the index server to crawl.
Follow steps 1-5 at the site level.
Follow steps 7-14 to exclude content in a list or library from search results.
1: Navigate to Site Actions > Site Settings > Modify All Site Settings > Site Administration.
2: Select Search Visibility.
3: Navigate to Allow this web to appear in search results.
4: Select the option [No].
5: Select OK.
6: Select the list or the library that contains content that should not appear in search results.
7:
8: Navigate to the Settings menu.
9: Select Document Library Settings for a library or List Settings for a list.
10: Navigate to General Settings.
11: Select Advanced Settings.
12: Navigate to Search.
13: Select the option [No].
14: Select OK.
1. Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:66 File: sp2007-ocil.xml
2. SharePoint Information Management Policies
Ensure that information management policies exist and are appropriate for the organization's deployment.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10413-3
Rationale
Information management policy usage reports can contribute to an understanding of how records are being managed
and whether users are complying with policy. This is especially relevant for organizations that must comply with legal or
regulatory requirements. For example, a Human Resources policy, used in an organization to ensure that employee records are
handled in accordance with legally recommended guidelines, could include features such as auditing, retention period,
and labels for physical copies. Information management policy usage reports are enabled by the administrator for Central Administration,
while specific information management policies are created by site administrators. Naturally, if policies are not relevant
to the organization's activities and records management, the information management policy usage reports may be superfluous.
How-To
Follow these steps at the top-level site.
1: Navigate to Site Actions > Site Settings > Modify All Site Settings > Site Collection Administration.
2: Select Site collection policies.
3: Select Create.
4: Enter Name, Administrative Description, and Policy Statement text.
5: Check one or more of the policy enabling checkboxes, such as Enable Labels, as appropriate for the policy being created, and
complete the specific entries needed for the checked items.
6: Select OK.
1. Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:67 File: sp2007-ocil.xml
3. Best Bets
Verify that existing Best Bets do not reveal sensitive information.
Rationale
Best Bets are associated with keywords and their synonyms. A Best Bet is a link to the information that is highly relevant
to the keyword or one of its synonyms. So, when a keyword is used in a search by a user, the Best Bet location appears in
the Best Bet Web Part on the search results page. The purpose is to direct users to items the enterprise administrator has
identified as most appropriate. However, in some situations the existence of the Best Bet (that is, the target information
that the user will be directed to) should not be revealed to users who are not authorized to access that information. In such
a situation, the Best Bet potentially compromises sensitive information. Since sensitive content may periodically be added
to document libraries or lists, an existing Best Bet might compromise the information.
How-To
Follow these steps to review Best Bets and to verify that they do not point to sensitive information.
1: Navigate to the top-level site of the site collection.
2: Navigate to Site Actions > Site Settings > Site Collection Administration.
3: Select Search keywords.
4: Select a Keyword, under the Keyword column, and choose Edit in the dropdown.
5: Navigate to Best Bets on the Edit Keyword page.
6: Review and verify that the listed Best Bets do not point to sensitive information. To see the URL and Description associated
with a Best Bet, select Edit in the row of the Best Bet.
7: If a Best Bet points to sensitive information, select Remove in the row of the Best Bet.
8: Select OK if any Best Bets have been removed, otherwise Select Cancel.
9: Repeat steps 5-9 for each existing Best Bet.
1. Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:68 File: sp2007-ocil.xml
4. Site Group Requests
Ensure the "Auto-accept requests?" property is set to [No] for all site groups.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9491-2
Rationale
If auto-accept is enabled in Site Settings, users will automatically be added to the site group when they make a request to
join the group. They will have the permissions of the group to which they are added and this might include access to subsites.
Thus, the site owner will not have control over who becomes a member of the group, thereby enabling frivolous use of the site.
Groups that are specifically designed to allow public membership should, of course, have the "Auto-accept requests?" property
set to [Yes].
How-To
At the site level:
1: Navigate to Site Actions > Site Settings > People and groups.
2: On the Settings dropdown list, select Group Settings.
3: On the Change Group Settings Page:
4: Navigate to Membership Requests section.
5: Verify the "Auto-accept requests?" property is set to [No].
6: Select OK.
1. Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: ocil:mitre.org:questionnaire:71 File: sp2007-ocil.xml
5. Site Group Editing
Ensure the "Who can edit the membership of the group?" property is set to [Group Owner] for all site groups.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10412-5
Rationale
Adding and removing group members may have security implications for the sites to which that group has access. Inadvertent
addition or deletion of members to/from groups may endanger the security of the site. Only the owner of the group should have
this capability. Careless addition or removal of group members in a group can have negative security implications for the
sites to which that group has access. If only the owner of the group has the capability to edit membership of the group, the
risk of having undesired members in the group is significantly reduced.
How-To
At the site level:
1: Navigate to Site Actions > Site Settings > People and Groups.
2: On the Settings dropdown list, select Group Settings.
3: On the Change Group Settings Page:
4: Navigate to Group Settings section.
5: Verify the "Who can edit membership of the group?" property is set to [Group Owner].
1. Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: ocil:mitre.org:questionnaire:72 File: sp2007-ocil.xml
6. Viewing Site Group Membership
Ensure the "Who can view the membership of the group?" property is set to [Group Members] for all site groups.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10363-0
Rationale
The alternative to this recommendation is to allow Everyone to view the members of the group. In some situations, however,
knowing the membership of a group can reveal other sensitive information. This might be the case in a collaborative environment
in which people from different functional organizations are members of the same group to accomplish some team objective. In
such a case, knowing the membership of the group could reveal some part or all of their objective, which may be sensitive
information.
How-To
At the site level:
1: Navigate to Site Actions > Site Settings > People and Groups.
2: On the Settings dropdown list, select Group Settings.
3: On the Change Group Settings Page:
4: Navigate to Group Settings section.
5: Verify the "Who can view the membership of the group?" property is set to [Group Members].
6: Select OK.
Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: ocil:mitre.org:questionnaire:73 File: sp2007-ocil.xml
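The two group settings above (recommendations 5 and 6) must hold for every site group, and checking them one group at a time through the browser does not scale. The following PowerShell script is an added example, not part of this guide: it audits both properties for all site groups in a site collection through the Windows SharePoint Services object model and, with -Fix, sets them to the recommended values. It assumes PowerShell 2.0 on a farm server, Microsoft.SharePoint.dll in the GAC, a caller who is a site collection administrator, and the site URL http://portal.example.local (an assumption).

```powershell
# Added example, not from the guide. Assumes PowerShell 2.0 on a SharePoint 2007 farm server,
# Microsoft.SharePoint.dll (the WSS 3.0 object model) in the GAC, and a caller who is a site
# collection administrator. The site URL below is an assumption.
param(
    [string]$SiteUrl = "http://portal.example.local",
    [switch]$Fix
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Returns the list of deviations for one group; an empty list means the group is compliant.
function Get-GroupFindings([Microsoft.SharePoint.SPGroup]$group) {
    $findings = @()
    # Recommendation 5: "Who can edit the membership of the group?" must be [Group Owner].
    # AllowMembersEditMembership = $true corresponds to the [Group Members] setting.
    if ($group.AllowMembersEditMembership) {
        $findings += "membership editable by group members (expected: group owner only)"
    }
    # Recommendation 6: "Who can view the membership of the group?" must be [Group Members].
    # OnlyAllowMembersViewMembership = $false corresponds to the [Everyone] setting.
    if (-not $group.OnlyAllowMembersViewMembership) {
        $findings += "membership visible to everyone (expected: group members only)"
    }
    return ,$findings
}

# Site groups are scoped to the site collection, so RootWeb.SiteGroups covers every group
# regardless of which subsite they are used on.
$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $nonCompliant = 0
    foreach ($group in $site.RootWeb.SiteGroups) {
        $findings = Get-GroupFindings $group
        if ($findings.Count -eq 0) { continue }
        $nonCompliant++
        "{0}`t{1}`t{2}" -f $SiteUrl, $group.Name, ($findings -join "; ")
        if ($Fix) {
            $group.AllowMembersEditMembership = $false       # [Group Owner]
            $group.OnlyAllowMembersViewMembership = $true    # [Group Members]
            $group.Update()
        }
    }
    "{0} site group(s) deviated from recommendations 5 and 6" -f $nonCompliant
} finally {
    # SPSite holds unmanaged resources; always dispose it.
    $site.Dispose()
}
```

Run it without -Fix first and review the tab-separated findings; running it per site collection under each Web application gives the farm-wide picture that the OCIL questionnaire asks for.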
This chapter provides recommendations for backing up and recovering SharePoint Server 2007 deployments. Items in this chapter
refer to content recovery and disaster recovery as though they are clearly separate capabilities. Some may think of disaster
recovery as inclusive of content recovery; however, Microsoft's documentation, webcasts, and podcasts on SharePoint 2007 use
the narrower terminology, and so does this chapter. Microsoft has published a paper [Reference 3] that distinguishes three
levels of recovery: content recovery, site recovery, and disaster recovery. Content recovery refers to capabilities such as
document versioning and the two-stage recycle bin. These capabilities target specific content and can be used by individual
users as well as site administrators; the Microsoft paper characterizes content recovery as a frequent, small-scale activity.
Site recovery refers to tools used to recover from accidental deletion or data corruption of a site and is performed by site
administrators. Disaster recovery refers to backup and recovery on a larger scale, involving sites or farms, under the control
of a farm administrator. This terminology is used in this chapter because it is suggestive of scope.
1. Reference
Publisher: Microsoft Press
Identifier: Microsoft Office SharePoint Server 2007: Administrator's Companion
Description: Reference 1: Bill English with the Microsoft SharePoint Community Experts, 2007, Microsoft Office SharePoint Server 2007: Administrator's Companion, Library of Congress Control Number 2006937020, Microsoft Press, Redmond, Washington 98052-6399.
2. Reference
Publisher: Microsoft Corporation
Identifier: Data protection and recovery for Microsoft Office SharePoint Server 2007 in small to medium-sized deployments
Description: Reference 3: Lanceleaux, B. and Office SharePoint Server 2007 Content Publishing, October 2007, Data protection and recovery for Microsoft Office SharePoint Server 2007 in small to medium-sized deployments, available at Microsoft TechNet, Microsoft Office System, Office SharePoint Server 2007 (http://technet2.microsoft.com/Office/en-us/library/32a18803-52d2-4967-ab9d-0e199c9bf0041033.mspx?mfr=true), Microsoft Corporation.
1. Single Sign-On (SSO) Encryption Key Backups
Back up the Single Sign-On (SSO) encryption key each time a new key is created if the Microsoft SSO service is enabled in the
SharePoint deployment.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10120-4
Rationale
The Single Sign-On encryption key is used to encrypt and decrypt the user credentials stored in the SSO database. If the key
becomes corrupt or is lost and there is no backup of it, the stored credentials can no longer be decrypted and every application
that depends on SSO suffers a denial of service. The same key backup is needed to bring SSO back on a rebuilt encryption-key server.
How-To
Follow the steps below.
Note: The first server on which the Microsoft Single Sign-On service (SSOSrv) is enabled becomes the encryption-key server.
1: Login to the Encryption Key Server as the SSO Administrator.
2: Login to Central Administration as the SSO Administrator.
3: Navigate to Operations > Security Configuration.
4: Select Manage settings for single sign-on.
5: Select Manage encryption key.
6: Navigate to Encryption Key Backup.
7: Under Drive, select the removable disk drive on which to store the encryption-key backup.
8: Select Back Up.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:19 File: sp2007-ocil.xml
2. SharePoint Recovery Planning
Ensure that a comprehensive recovery plan exists for the SharePoint 2007 deployment.
Rationale
A catastrophic event can destroy data without the possibility of recovery. Only with adequate preparation can an organization
react quickly to effectively restore operation after a disaster.
How-To
Create backup and recovery procedures and document them in a recovery plan. A comprehensive recovery plan covers backup and
recovery procedures for content, infrastructure components, network services, third-party software, and all other aspects
that contribute to the successful operation of the SharePoint deployment. Other recommendations in this chapter deal with
recovery in more detail.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:31 File: sp2007-ocil.xml
3. SharePoint Recovery Planning Documentation
Document the infrastructure that supports the SharePoint 2007 deployment as part of the recovery plan.
Rationale
Hardware, software, and network components that support the SharePoint 2007 deployment can fail. Administrators of supporting
systems can be unavailable during a crisis. Proper documentation provides the information needed to successfully recover from
a disaster.
How-To
Documentation must include information about network and system administrators, operating systems, third-party software, and
network components that support the SharePoint deployment. Refer to the appropriate Microsoft documentation. For example,
see Chapter 30, section "Understanding and Documenting Your Environment", subsection "Documenting Your Infrastructure and
Plan for Disaster" in Reference 1.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:32 File: sp2007-ocil.xml
4. Server Farm Recovery Planning Documentation
Document the server farm configuration as part of the recovery plan.
Rationale
A particular configuration has its own complexities and dependencies that, if not adequately documented, make it difficult
or impossible to recover properly from a disaster.
How-To
Consider at least the following items in documenting the configuration: central administration server, web front-end servers,
search server, shared services providers, and Excel calculation services, as appropriate for the installation. Refer to the
appropriate Microsoft documentation. For example, see Chapter 30, section "Understanding and Documenting Your Environment",
subsection "Documenting Your Server Farm Configuration" in Reference 1.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:33 File: sp2007-ocil.xml
5. SharePoint Server Configuration Documentation
Document the SharePoint Servers' configurations in complete detail.
Rationale
Documenting the configurations in detail is essential for troubleshooting and remedying in the event of failure.
How-To
Consider all configuration information associated with a SharePoint Server such as the hardware configuration, web front-end
customizations, all software additions such as hot fixes and service packs, and so on. Refer to the appropriate Microsoft
documentation. For example, see Chapter 30, section "Understanding and Documenting Your Environment", subsection "Documenting
Your Farm Installation" in Reference 1.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:34 File: sp2007-ocil.xml
6. Recovery Plan Test Scheduling
Test the comprehensive recovery plan annually.
Rationale
A recovery plan that does not work is useless. It must be tested to ensure that it will work. Also, it must be tested at least
annually because changes to the deployment are almost certain to have occurred since the last test.
How-To
Carry out a simulation of the plan annually. Refer to the appropriate Microsoft documentation. For example, see Chapter 30,
section "Understanding and Documenting Your Environment", subsection "Testing Your Disaster Recovery Plan" in Reference 1.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:35 File: sp2007-ocil.xml
7. SharePoint 2007 Backup and Restore Methods
Become familiar with the methods available for backing up and restoring SharePoint Server 2007 content and choose the combination
of methods best suited to the deployment.
Rationale
No single method is likely to cover all contingencies. Choosing the right combination of methods ensures proper coverage.
How-To
Refer to the appropriate Microsoft documentation. An excellent source of information is Reference 3. Also, see Table 30-1
"Disaster Recovery Methods for SharePoint Server 2007" in Reference 1.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:36 File: sp2007-ocil.xml
8. Content Recovery Methods
Use content recovery methods in preference to larger scale methods when feasible.
Rationale
Content recovery methods tend to be quicker and easier than site or disaster recovery methods, enabling more rapid return
to service. Using a content recovery method lessens the impact on other users. For example, using a site collection restore
method for a single user's deleted file overwrites everyone else's content as well. Using a disaster recovery method when
a content recovery method suffices can result in data loss and unnecessarily longer time to recovery.
How-To
Three tools are available with SharePoint to restore content to a usable state: document versioning, the Recycle Bin, and
the stsadm.exe command-line tool with its -o export and -o import operations. See recommendations 5.9, 5.10, and 5.11 for
more details about these methods.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:37 File: sp2007-ocil.xml
9. SharePoint Document Versioning
Enable document versioning on document libraries that require an additional layer of defense against data corruption.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9966-3
( http://cce.mitre.org ) CCE-10243-4
( http://cce.mitre.org ) CCE-10239-2
Rationale
Document versioning is the native versioning functionality for document libraries in SharePoint Server 2007. Enabling it
provides a layer of defense against data corruption and erroneous changes made by users: each time a document is saved, a
copy is kept in the document's version history, so a document that becomes corrupted can be restored to a previous version.
Note, however, that document versioning neither prevents deletion of documents nor protects the content of documents; it only
makes earlier versions recoverable. In addition, under heavy use, such as many users creating many edited versions of many
documents, document versioning consumes considerable storage.
How-To
SharePoint Server 2007 offers several versioning options, which can be set separately for each document library on the
Versioning Settings page under Document Library Settings. Reference 1 (Managing Document Versioning, page 318) suggests that
a best practice is to configure site templates with predefined document libraries whose versioning options are preset according
to organizational policy. Modifying a site and saving it as a new template is one method; using SharePoint Designer 2007 is
another, and its Master Pages also make changing the look and feel of sites easy. The Document Center template provided with
SharePoint 2007 has versioning set to track both major and minor versions. The steps below apply to a library in the Document
Center:
1: Select the Document Center tab on the home site.
2: In the left pane (Site Hierarchy), select Documents.
3: Select a document library.
4: Navigate to Settings > Document Library Settings > General Settings.
5: Select Versioning settings.
6: Depending on business needs, select either Create major versions or Create major and minor (draft) versions.
7: Set the number of versions to retain. Keep as few versions as possible to minimize storage needs.
8: Select OK.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:69 File: sp2007-ocil.xml
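Because versioning is a per-library setting, the practical check for recommendation 9 is an inventory of every document library in a site collection and its version limits. The following PowerShell script is an added example, not part of this guide: it walks all webs in a site collection through the object model and reports libraries with versioning off or with an unbounded or over-policy major version limit. It assumes PowerShell 2.0 on a farm server, Microsoft.SharePoint.dll in the GAC, read access to the site collection, and an assumed policy limit of 10 major versions; the site URL is also an assumption.

```powershell
# Added example, not from the guide. Assumes PowerShell 2.0 on a SharePoint 2007 farm server,
# the WSS 3.0 object model in the GAC, and read access to the site collection at the assumed URL.
param(
    [string]$SiteUrl = "http://portal.example.local",
    [int]$MaxMajorVersions = 10     # assumed policy value; 0 in SharePoint means "no limit"
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Reports the versioning state of one document library as an object; Issue is empty when compliant.
function Get-LibraryVersioning([Microsoft.SharePoint.SPList]$list, [int]$limit) {
    $issues = @()
    if (-not $list.EnableVersioning) {
        $issues += "versioning disabled"
    } elseif ($list.MajorVersionLimit -eq 0 -or $list.MajorVersionLimit -gt $limit) {
        # The guide says to keep as few versions as practical; an unlimited history grows without bound.
        $issues += ("major version limit {0} exceeds policy {1}" -f $list.MajorVersionLimit, $limit)
    }
    $obj = New-Object PSObject
    $obj | Add-Member NoteProperty Web        $list.ParentWeb.Url
    $obj | Add-Member NoteProperty Library    $list.Title
    $obj | Add-Member NoteProperty Versioning $list.EnableVersioning
    $obj | Add-Member NoteProperty Minor      $list.EnableMinorVersions
    $obj | Add-Member NoteProperty MajorLimit $list.MajorVersionLimit
    $obj | Add-Member NoteProperty Issue      ($issues -join "; ")
    return $obj
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $report = @()
    foreach ($web in $site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                # Only document libraries carry the settings this recommendation is about;
                # hidden libraries (style, form and catalog libraries) are left out of the report.
                if ($list.BaseType -ne [Microsoft.SharePoint.SPBaseType]::DocumentLibrary) { continue }
                if ($list.Hidden) { continue }
                $report += Get-LibraryVersioning $list $MaxMajorVersions
            }
        } finally {
            $web.Dispose()   # every SPWeb from AllWebs must be disposed
        }
    }
    $report | Sort-Object Web, Library | Format-Table -AutoSize
    "{0} of {1} document libraries need attention" -f @($report | Where-Object { $_.Issue }).Count, $report.Count
} finally {
    $site.Dispose()
}
```

The script is deliberately read-only; turning versioning on is a content-owner decision because it changes the library's storage profile, so the output is meant to feed a review rather than to be applied blindly.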
10. Recycle Bin Two-Stage Feature
Verify that the two-stage feature of the recycle bin is not disabled.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10336-6
Rationale
The first-stage (user) Recycle Bin provides an undelete feature that allows end users with appropriate permissions to recover
accidentally deleted files, documents, list items, lists, and document libraries from a site. The second-stage (site-collection)
Recycle Bin is available to site collection administrators. When an item is deleted from the first-stage Recycle Bin, it can
only be recovered by a site collection administrator from the second-stage Recycle Bin. The two-stage recycle bin is a
convenient, easy to use method for restoring deleted files and is enabled by default. Turning the recycle bin off removes all
content currently held in it; the disk space is freed, but anything deleted from then on is recoverable only from backups, so
disabling it is not a substitute for setting an appropriate retention period (see recommendation 5.23).
How-To
Follow steps to verify options for the two-stage recycle bin.
1: Login to Central Administration.
2: Navigate to Application Management > SharePoint Web Application Management.
3: Select Web application general settings.
4: Select a Web Application.
5: Scroll down to the options for the recycle bin.
6: Verify Recycle Bin Status option is [On].
7: Verify Second stage Recycle Bin option is not [Off].
8: Repeat steps 4-7 for each web application.
Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-90:def:1 File: sp2007-oval.xml
11. Back up the SharePoint 2007 deployment
Back up the SharePoint 2007 deployment.
Rationale
Having a backup of the SharePoint deployment is critical for disaster recovery. Without an appropriate backup, the SharePoint
deployment would have to be reconstituted practically from scratch and much or all of the former content could be lost.
How-To
Office SharePoint Server provides two built-in backup and recovery tools: Central Administration and the stsadm.exe command-line
tool. Third-party tools are also available. Central Administration provides an easy way to back up the Office SharePoint Server
system at various levels, the highest being the entire farm and the lowest being a content database. Follow steps 1-7 to back
up the entire farm from Central Administration.
The stsadm.exe command-line tool offers options to back up an entire farm, a site collection, or an item. This method of backup
and recovery is processor intensive, may use large amounts of storage, and does not scale well. However, for a single server
or for small farms it is a reasonable line of defense for disaster recovery. Follow steps 8-11 to locate the tool and its
built-in help. Also, refer to documentation on stsadm.exe; for example, see Command-Line Operations in the Windows SharePoint
Services Administrator's Guide at http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stsk01.mspx?mfr=true
and the example in Reference 1, Chapter 30, page 1086.
1: Login to Central Administration.
2: Navigate to Operations > Backup and Restore.
3: Select Perform a backup.
4: Select Farm.
5: Select Continue to Backup Options.
6: Specify the type of backup (full or differential) and the backup location.
7: Select OK.
8: Open a command window on the server.
9: Change directory to the location of stsadm.exe (e.g., cd C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN).
10: To display all operations available in the tool, type "stsadm.exe -help".
11: To get help on backup, type "stsadm.exe -help backup".
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:38 File: sp2007-ocil.xml
12. Farm Backups
Perform a complete, farm level backup periodically.
Rationale
Circumstances can arise in which only a complete restoration of the entire SharePoint deployment can restore operations, so a
complete and current farm backup must be available. However, a complete farm-level backup is an intensive operation that can
interfere with operations. At a minimum, perform a full farm backup when no full backup has ever been created, immediately
before and after installing a service pack or update, and after a new Web application or content database has been added to
the farm. Between full backups, differential backups (which capture only the changes since the last full backup and need that
full backup in order to be restored) reduce the load.
How-To
For a complete farm-level backup, the syntax is:
stsadm.exe -o backup -directory <UNC path> -backupmethod <full | differential> [-item <created path from tree>] [-percentage <integer between 1 and 100>] [-backupthreads <integer between 1 and 10>] [-showtree] [-quiet]
A simple example is:
stsadm.exe -o backup -directory \\backupservername\backups\ -backupmethod full
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:39 File: sp2007-ocil.xml
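Recommendations 11 and 12 describe the farm backup as a manual stsadm.exe command; in practice it runs from a scheduled task, and the task needs to decide between full and differential and to fail visibly. The following PowerShell script is an added example, not part of this guide. It assumes PowerShell 2.0 on the server running the SharePoint Timer service, stsadm.exe at its default path, and an assumed share \\backupsrv\spbackup on which both the SQL Server service account and the Timer service account can write (SQL Server writes the database portion of the backup itself, so a share that only the Timer account can reach fails part-way).

```powershell
# Added example, not from the guide. Assumes PowerShell 2.0 on the server that runs the SharePoint
# Timer service, stsadm.exe under the default 12-hive path, and an assumed backup share
# \\backupsrv\spbackup writable by both the SQL Server service account and the Timer service account.
param(
    [string]$Directory = "\\backupsrv\spbackup",
    [switch]$Full
)

$stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\stsadm.exe"

# Decide the backup method. stsadm keeps a catalog, spbrtoc.xml, in the backup directory, and a
# differential backup is only meaningful against a full backup recorded there, so fall back to a
# full backup when the catalog is missing (first run, or a freshly emptied share).
function Get-BackupMethod([string]$dir, [bool]$wantFull) {
    if ($wantFull) { return "full" }
    if (-not (Test-Path (Join-Path $dir "spbrtoc.xml"))) { return "full" }
    return "differential"
}

function Invoke-FarmBackup([string]$dir, [string]$method) {
    $log = Join-Path $dir ("farm-backup-{0:yyyyMMdd-HHmm}-{1}.log" -f (Get-Date), $method)
    # -quiet suppresses the per-component progress output; errors are still reported and the exit
    # code is non-zero on failure, which is what a scheduled task should key on.
    & $stsadm -o backup -directory $dir -backupmethod $method -quiet 2>&1 | Tee-Object -FilePath $log
    if ($LASTEXITCODE -ne 0) {
        throw ("stsadm backup ({0}) failed with exit code {1}; see {2}" -f $method, $LASTEXITCODE, $log)
    }
    return $log
}

$method = Get-BackupMethod $Directory $Full.IsPresent
$log = Invoke-FarmBackup $Directory $method
"Completed {0} farm backup; log at {1}" -f $method, $log

# Confirm that the run is recorded in the catalog: backuphistory reads spbrtoc.xml and lists the
# backup id, start time, method and top component of every backup stored in the directory.
& $stsadm -o backuphistory -directory $Directory -backup
```

A typical arrangement is one scheduled task that runs the script with -Full on the day after patching and weekly otherwise, and a daily task without -Full for the differential; either way the task should run under the farm administrator account, and the share itself belongs in the offsite copy called for in recommendation 18.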
13. Content Database Backups
Back up the SQL Server that hosts the content databases.
Rationale
Backing up this server preserves all content from site collections and provides a substantial recovery capability even if
no other backups have been performed.
How-To
The SQL Server backup can be done through farm-level backup with stsadm.exe or through direct SQL Server backup. Refer to
appropriate documentation for these methods. See, for example, the Backup Procedures section of Reference 3, which discusses
both stsadm farm-level backup and SQL Server backup.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:40 File: sp2007-ocil.xml
14. IIS Metabase Backups
Back up the SharePoint-related Internet Information Services (IIS) Metabases regularly.
Rationale
The Metabase contains the IIS configuration data, which supports Intranet/Internet-related SharePoint activity. Thus, regular
backups are important to continuity of operations.
How-To
Although the Metabase is included in system-state backups made with the Windows Server 2003 Backup utility, restoring the
system state restores the whole of it, including the registry. This is unacceptable when only the Metabase needs to be
restored. For Metabase backups, use a script that is scheduled to run regularly and that keeps a copy of each backup off the
server. See, for example, the batch file definition in Reference 1, Chapter 30, page 1093.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:41 File: sp2007-ocil.xml
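One way to script the regular Metabase backup that recommendation 14 asks for, as an added example rather than the batch file from Reference 1: the PowerShell script below uses the iisback.vbs administration script that IIS 6.0 ships in %SystemRoot%\system32 on Windows Server 2003, copies the resulting files to a share, and prunes old copies. It assumes PowerShell 2.0, local Administrators rights on the Web front-end, and an assumed share \\backupsrv\spbackup\metabase.

```powershell
# Added example, not from the guide. Assumes IIS 6.0 on Windows Server 2003 (which ships
# iisback.vbs in %SystemRoot%\system32), PowerShell 2.0, local Administrators rights, and an
# assumed share \\backupsrv\spbackup\metabase for the off-server copy.
param(
    [string]$OffServerCopy = "\\backupsrv\spbackup\metabase",
    [string]$Password = $null,   # optional: makes the backup restorable on a rebuilt server
    [int]$KeepDays = 30
)

$iisback  = Join-Path $env:SystemRoot "system32\iisback.vbs"
$metaBack = Join-Path $env:SystemRoot "system32\inetsrv\MetaBack"   # where IIS stores its backups

function Backup-IisMetabase([string]$name, [string]$password) {
    # iisback.vbs /backup snapshots MetaBase.xml and MBSchema.xml into the MetaBack folder as
    # <name>.MD<version> and <name>.SC<version>. Without /e the backup is sealed with this machine's
    # key and can only be restored on this machine; with a password it can be restored on a
    # different server after a rebuild, which is exactly the disaster-recovery case.
    $argList = @("//nologo", $iisback, "/backup", "/b", $name, "/overwrite")
    if ($password) { $argList += @("/e", $password) }
    & cscript.exe $argList
    if ($LASTEXITCODE -ne 0) { throw "iisback.vbs /backup failed with exit code $LASTEXITCODE" }
    return Get-ChildItem $metaBack -Filter "$name.*"
}

$name  = "{0}-metabase-{1:yyyyMMdd-HHmm}" -f $env:COMPUTERNAME, (Get-Date)
$files = Backup-IisMetabase $name $Password

if (-not (Test-Path $OffServerCopy)) { New-Item -ItemType Directory -Path $OffServerCopy | Out-Null }
$files | Copy-Item -Destination $OffServerCopy
"{0}: copied {1} metabase backup file(s) to {2}" -f $name, @($files).Count, $OffServerCopy

# Prune old copies on the share so the scheduled task does not fill it. The on-server MetaBack
# folder is left alone so that "cscript iisback.vbs /list" and "/restore /b <name>" keep working.
Get-ChildItem $OffServerCopy -Filter "$($env:COMPUTERNAME)-metabase-*" |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item
```

If a password is used, it appears on the cscript command line and therefore in the process list while the backup runs; on a locked-down server that is usually acceptable, but the password must be recorded in the recovery plan (recommendation 2), because a backup made with /e cannot be restored without it.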
15. SharePoint Fault Tolerance Planning
Implement fault tolerance appropriate for the SharePoint deployment.
Rationale
Fault tolerance measures can reduce the time required to restore operation in case of failures. Such measures range from very
simple to very extensive and vary widely in cost. The extent of measures needed depends largely on how long the enterprise
can tolerate denial of service. Fault tolerance complements restoration methods by keeping the system running while a failed
component is rebuilt. For example, a hot standby database server can take over in an extremely short time should the main
database server fail; even if it takes six hours to restore the main database server, the SharePoint system continues to
operate during those six hours.
How-To
Consult guidance available from Microsoft and third-party vendors. See, for example, the discussion in Reference 1, Chapter
30, subsection "Implementing Fault Tolerance", page 1094.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:42 File: sp2007-ocil.xml
16. SSO Database Backups
Back up the SSO database after the initial install and then again each time the credentials are re-encrypted if the Microsoft
SSO service is enabled in the SharePoint deployment.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9975-4
Rationale
Creating backups helps prevent a denial of service if the SSO database becomes corrupt. Re-encrypting rewrites every stored
credential under a new encryption key, so a database backup taken before a re-encryption holds credentials that the current
key cannot decrypt; restoring it would yield unusable credentials. Back up the database again after each re-encryption, and
keep the matching key backup (recommendation 5.1).
How-To
Follow Steps below.
1: Login to Central Administration.
2: Navigate to Operations > Backup and Restore.
3: Select Perform a backup.
4: Check the SSO box.
5: Select Continue to Backup Options.
6: Select Full or Differential for the Type of Backup.
7: Enter the Backup location.
8: Select OK.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:20 File: sp2007-ocil.xml
17. Storing SSO Backup Media
Do not store the backup media for the Single Sign-On (SSO) encryption key in the same location as the backup media for the
SSO database if the Microsoft SSO service is enabled in the SharePoint deployment.
Rationale
Anyone who obtains a copy of both the SSO database and the encryption key can decrypt every credential stored in the
database.
How-To
Self-explanatory.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:21 File: sp2007-ocil.xml
18. Offsite SharePoint Backups
Maintain a copy of the SharePoint backups in an offsite location.
Rationale
In order to recover from a catastrophic event, one copy of the backups should be kept offsite in a properly controlled environment.
The offsite backups can protect the organization against the loss of critical data.
How-To
Self-explanatory.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:43 File: sp2007-ocil.xml
19. Data Recovery Testing
Perform a trial data recovery operation every two months.
Rationale
Performing a trial data recovery will verify that files are being backed up properly. If the backup is not being performed
correctly, an organization will not be able to recover critical data.
How-To
Restore a recent backup to a non-production system and verify that the restored content is complete and usable. If no
non-production system is available, at least review the settings and the logs of the particular backup operation being tested
to confirm that it completed successfully.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:44 File: sp2007-ocil.xml
20. SharePoint Recycle Bin
Ensure that the recycle bin is [On].
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9243-7
Rationale
The recycle bin helps to prevent the loss of erroneously deleted data. By default, the recycle bin is [On] and has "Delete
items in the Recycle Bin:" set to [After 30 days]. When the recycle bin is turned [On] in a Web application, each site in
this application has its own separate recycle bin. To prevent uncontrolled growth of disk space consumed by recycle bins,
a retention period must be specified at the Web application level. See recommendation "Ensure an appropriate value for the
recycle bin retention period is set based on available disk space."
How-To
Follow steps below.
1: Login to Central Administration.
2: Navigate to Application Management > SharePoint Web Application Management.
3: Select Web application general settings.
4: Select Web Application.
5: Navigate to the Recycle Bin section.
6: Under Recycle Bin Status select [On].
7: Under Delete items in the Recycle Bin select [After] and enter the appropriate value for the retention period.
8: Select OK.
9: Repeat steps 4-8 for each web application.
Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-100:def:1 File: sp2007-oval.xml
21. Site Collection Backups
Perform a backup of a site collection before deleting the site collection.
Rationale
When a site collection is deleted, all the data for the site collection is removed from the system. A current backup is critical
if the site that was deleted ever needs to be restored. If no backup exists then critical data could be lost.
How-To
Follow the procedures for backing up a site in the Backup and Recovery Chapter of this document.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:45 File: sp2007-ocil.xml
22. Site Backups
Back up critical sites.
Rationale
Backing up sites for which loss of content must be avoided is a good defense against loss of items that have been emptied
from the second-stage recycle bin and loss of web pages that have been deleted from a site collection. Having a backup of
a site would make it possible to recover the site quickly instead of having to do a full farm level restore.
How-To
Administrators can use Office SharePoint Designer 2007, Microsoft IT Site Delete Capture 1.0, a database snapshot, or the
stsadm.exe tool to back up and recover Web sites.
Office SharePoint Designer 2007 is a Microsoft product that can be purchased. See the Designer home page at
http://office.microsoft.com/en-us/sharepointdesigner/FX100487631033.aspx. Office SharePoint Designer 2007 provides the ability
to back up and restore site collections, down to the individual file level. Backing up a Web site with this tool creates a
content migration package (.cmp file). NOTE: The backup file does not include objects in the Recycle Bin.
MSIT Site Delete Capture 1.0 is a free tool available at http://go.microsoft.com/fwlink/?LinkID=92682&clcid=0x409. When a
site is deleted, Office SharePoint Server generates a Web Delete event. Microsoft IT (MSIT) created the Microsoft IT Site
Delete Capture feature 1.0 to detect and act on the Web Delete event. When a Web Delete event is detected, the feature archives
the site to a file share before it is removed from the configuration and content databases. NOTE: This tool is not part of
Office SharePoint Server and may not be updated. It is built on supported Microsoft technologies, but it is not supported by
Microsoft.
A SQL Server snapshot is a read-only view of a database as the database existed at the time the snapshot was created. For
more information about using snapshots with Office SharePoint Server, see the Microsoft Knowledge Base article "How to use
SQL Server to take a snapshot of a Windows SharePoint Services 3.0 content database"
(http://go.microsoft.com/fwlink/?LinkID=99636&clcid=0x409). NOTE: The snapshot version of a Web site does not have full
functionality; for example, files cannot be written or uploaded to the snapshot version.
The stsadm.exe tool is part of SharePoint 2007. Its backup and restore operations can be used to back up and recover
individual site collections as well as small farms. This method of backup and recovery is processor intensive, may use large
amounts of storage, and does not scale well. However, for small farms it is a reasonable line of defense for disaster
recovery. To use this tool:
1: Open a command window on the server.
2: Change directory to the location of stsadm.exe (e.g., cd C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN).
3: To display all operations available in the tool, type "stsadm.exe -help".
4: To get help on backup, type "stsadm.exe -help backup".
Also, refer to documentation on stsadm.exe; for example, see Command-Line Operations in the Windows SharePoint Services
Administrator's Guide at http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stsk01.mspx?mfr=true
and the example in Reference 1, Chapter 30, page 1086.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:46 File: sp2007-ocil.xml
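Recommendations 19, 21 and 22 fit together as one procedure: back up a site collection with stsadm.exe, prove the backup file is usable by restoring it somewhere harmless, and only then delete the original if that is the intent. The following PowerShell script is an added example, not part of this guide. It assumes PowerShell 2.0 on a farm server, stsadm.exe at its default path, a farm administrator running it, an assumed backup share, and an assumed test Web application (http://test.example.local) into which the trial restore is made; the site URLs are assumptions as well.

```powershell
# Added example, not from the guide. Assumes PowerShell 2.0 on a farm server with stsadm.exe at
# the default 12-hive path, a farm administrator running it, an assumed backup share, and an
# assumed test Web application (http://test.example.local) that exists and may be overwritten.
param(
    [string]$Url        = "http://portal.example.local/sites/projectx",
    [string]$BackupDir  = "\\backupsrv\spbackup\sites",
    [string]$RestoreUrl = "http://test.example.local/sites/projectx-restoretest",
    [switch]$Delete
)

$stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\stsadm.exe"

function Invoke-Stsadm {
    # Runs one stsadm operation and fails loudly on a non-zero exit code.
    param([string]$Operation, [string[]]$Arguments)
    & $stsadm -o $Operation $Arguments
    if ($LASTEXITCODE -ne 0) { throw "stsadm -o $Operation failed with exit code $LASTEXITCODE" }
}

function Backup-SiteCollection([string]$url, [string]$dir) {
    $stem = ($url -replace '^https?://', '') -replace '[^A-Za-z0-9]+', '-'
    $file = Join-Path $dir ("{0}-{1:yyyyMMdd-HHmm}.bak" -f $stem, (Get-Date))
    # Lock the site collection read-only while the backup runs so the .bak file is a consistent
    # snapshot; the lock is always released, even if the backup fails.
    Invoke-Stsadm setsitelock @("-url", $url, "-lock", "readonly")
    try {
        Invoke-Stsadm backup @("-url", $url, "-filename", $file, "-overwrite")
    } finally {
        Invoke-Stsadm setsitelock @("-url", $url, "-lock", "none")
    }
    $item = Get-Item $file
    if ($item.Length -eq 0) { throw "backup file $file is empty" }
    return $item
}

$backup = Backup-SiteCollection $Url $BackupDir
"Backed up {0} to {1} ({2:N0} bytes)" -f $Url, $backup.FullName, $backup.Length

# Trial restore (recommendation 19): restoring into the test Web application proves the file is
# usable. -overwrite replaces any leftover site collection from a previous test at that URL.
if ($RestoreUrl) {
    Invoke-Stsadm restore @("-url", $RestoreUrl, "-filename", $backup.FullName, "-overwrite")
    # The restored copy may carry the read-only lock taken above, so clear it explicitly.
    Invoke-Stsadm setsitelock @("-url", $RestoreUrl, "-lock", "none")
    "Trial restore of {0} to {1} succeeded" -f $backup.Name, $RestoreUrl
}

# Only delete (recommendation 21) once the backup exists and the trial restore has succeeded.
if ($Delete) {
    Invoke-Stsadm deletesite @("-url", $Url)
    "Deleted site collection {0}" -f $Url
}
```

Run without -Delete for the bi-monthly recovery test of recommendation 19; run with -Delete only when the deletion has been approved, since the deleted site collection is then recoverable solely from the .bak file, which must also reach the offsite copy.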
23. Recycle Bin Retention Period
Ensure an appropriate value for the recycle bin retention period is set based on available disk space.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9535-6
Rationale
The recycle bin helps to prevent the loss of erroneously deleted data. By default, the recycle bin is [On] and has "Delete
items in the Recycle Bin:" set to [After 30 days]. When the recycle bin is turned [On] in a Web application, each site in
this application has its own separate recycle bin. To prevent uncontrolled growth of disk space consumed by recycle bins,
a retention period must be specified at the Web application level.
How-To
Follow steps below.
1: Login to Central Administration.
2: Navigate to Application Management > SharePoint Web Application Management.
3: Select Web application general settings.
4: Select Web Application.
5: Navigate to the Recycle Bin section.
6: Under Recycle Bin Status select [On].
7: Under Delete items in the Recycle Bin select [After] and enter the appropriate value for the retention period.
8: Select OK.
9: Repeat steps 4-8 for each web application.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:611 File: sp2007-ocil.xml
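Recommendations 10, 20 and 23 all check the same Web application general settings page, one Web application at a time. The following PowerShell script is an added example, not part of this guide: it reads the same three settings for every content Web application in the farm through the object model and reports deviations. It assumes PowerShell 2.0 on a farm server, Microsoft.SharePoint.dll in the GAC, a farm administrator running it (reading Web application settings needs access to the configuration database), and an assumed policy maximum of 30 days for the retention period.

```powershell
# Added example, not from the guide. Assumes PowerShell 2.0 on a farm server, the WSS 3.0 object
# model in the GAC, and a farm administrator running it. The policy maximum below is an assumption.
param([int]$MaxRetentionDays = 30)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Returns the list of deviations for one Web application against recommendations 10, 20 and 23.
function Get-RecycleBinFindings([Microsoft.SharePoint.Administration.SPWebApplication]$app, [int]$maxDays) {
    $findings = @()
    # Recommendation 20: Recycle Bin Status must be [On].
    if (-not $app.RecycleBinEnabled) {
        $findings += "recycle bin is off"
        return ,$findings      # the remaining settings are meaningless when the bin is off
    }
    # Recommendation 23: "Delete items in the Recycle Bin" must be [After N days], not [Never].
    # RecycleBinCleanupEnabled = $false corresponds to [Never]; the period is in days.
    if (-not $app.RecycleBinCleanupEnabled) {
        $findings += "retention is set to Never (cleanup disabled)"
    } elseif ($app.RecycleBinRetentionPeriod -gt $maxDays) {
        $findings += ("retention {0} days exceeds policy {1}" -f $app.RecycleBinRetentionPeriod, $maxDays)
    }
    # Recommendation 10: the second-stage bin must not be [Off]. Its quota is a percentage of the
    # site quota, and a value of 0 is how the object model represents [Off].
    if ($app.SecondStageRecycleBinQuota -eq 0) {
        $findings += "second-stage recycle bin is off"
    }
    return ,$findings
}

# Content Web applications live under the content service; Central Administration is not one of
# them and has no user-facing recycle bins to check.
$apps = [Microsoft.SharePoint.Administration.SPWebService]::ContentService.WebApplications
$bad = 0
foreach ($app in $apps) {
    $findings = Get-RecycleBinFindings $app $MaxRetentionDays
    $status = "OK"
    if ($findings.Count -gt 0) { $bad++; $status = $findings -join "; " }
    $values = @($app.Name, $app.RecycleBinEnabled, $app.RecycleBinCleanupEnabled,
                $app.RecycleBinRetentionPeriod, $app.SecondStageRecycleBinQuota, $status)
    "{0}`tenabled={1} cleanup={2} days={3} secondStage={4}%`t{5}" -f $values
}
"{0} of {1} Web application(s) deviate from the recycle bin recommendations" -f $bad, @($apps).Count
```

The same values are exposed to stsadm.exe as the properties recycle-bin-enabled, recycle-bin-cleanup-enabled, recycle-bin-retention-period and second-stage-recycle-bin-quota (stsadm -o getproperty -pn <name> -url <Web application URL>), which is the route to use when a change must be scripted rather than made in Central Administration.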
This chapter contains recommendations focusing on logging and reporting.
1. SharePoint Diagnostic Logging Thresholds
Set the diagnostic logging thresholds appropriately for the particular SharePoint deployment.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9245-2
Rationale
The Diagnostic Logging page in Central Administration sets, for each category of SharePoint component, the least critical
event that is written to the Windows event log and to the trace log. On the one hand, having as much logged information as
possible helps in tracking down problems, discovering trends, and investigating incidents. On the other hand, capturing
everything has a detrimental effect on performance and consumes disk space quickly.
How-To
Follow steps below to set the logging thresholds.
1: Login to Central Administration.
2: Navigate to Operations > Logging and Reporting.
3: Select Diagnostic logging.
4: Select appropriate Event Throttling options.
5: Select OK.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:610 File: sp2007-ocil.xml
2. Diagnostic Logging
Periodically review events in the logs created by diagnostic logging.
Rationale
Reviewing the logs may provide clues to improving performance and eliminating errors being experienced by users and may also
highlight problems that are not currently interfering with operations but may be indicators of future serious problems.
How-To
Diagnostic logging writes events to the Windows Application event log and trace entries to the log files in the LOGS folder
of the SharePoint installation (by default C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS).
To open the Event Viewer:
1: On the server machine, select Start.
2: Select Run.
3: Enter eventvwr.msc in the Open: textbox.
4: Select OK.
Alternately, use Start > All Programs > Administrative Tools > Event Viewer.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:47 File: sp2007-ocil.xml
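The review that recommendation 2 asks for is easier when the two outputs of diagnostic logging are summarized together: the trace log shows what the thresholds from recommendation 1 let through to disk, and the Application event log shows what reached the event log. The following PowerShell script is an added example, not part of this guide: it parses the tab-separated SharePoint 2007 trace log files, counts the Unexpected, Monitorable and High entries by area and category for the last day, and then lists the SharePoint-sourced errors and warnings from the Application log. It assumes PowerShell 2.0 on a SharePoint 2007 server, the default LOGS path, and the standard event source names (they contain the word SharePoint); the constructed trace line in the comment shows the format the parser expects.

```powershell
# Added example, not from the guide. Assumes PowerShell 2.0 on a SharePoint 2007 server with the
# trace logs at the default 12-hive LOGS path and SharePoint event sources whose names contain
# "SharePoint". Sample trace line (constructed, fields are tab-separated and space-padded):
# 03/15/2011 09:12:33.45 <tab>w3wp.exe (0x0D60) <tab>0x0B4C<tab>Windows SharePoint Services <tab>General <tab>8kh7<tab>High <tab>message text
param(
    [string]$LogDir = (Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\LOGS"),
    [int]$Hours = 24
)

# SharePoint 2007 trace (ULS) logs carry a header line and the columns
# Timestamp, Process, TID, Area, Category, EventID, Level, Message.
function ConvertFrom-UlsLine([string]$line) {
    $f = $line.Split("`t")
    if ($f.Count -lt 8 -or $f[0].Trim() -eq "Timestamp") { return $null }   # header or junk line
    $ts = [DateTime]::MinValue
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $styles  = [System.Globalization.DateTimeStyles]::None
    if (-not [DateTime]::TryParse($f[0].Trim(), $culture, $styles, [ref]$ts)) { return $null }
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Timestamp $ts
    $o | Add-Member NoteProperty Process   $f[1].Trim()
    $o | Add-Member NoteProperty Area      $f[3].Trim()
    $o | Add-Member NoteProperty Category  $f[4].Trim()
    $o | Add-Member NoteProperty EventID   $f[5].Trim()
    $o | Add-Member NoteProperty Level     $f[6].Trim()
    $o | Add-Member NoteProperty Message   (($f[7..($f.Count - 1)]) -join "`t").Trim()
    return $o
}

# Returns the trace entries at the given levels written since $since, newest first.
function Get-UlsEvents([string]$dir, [DateTime]$since, [string[]]$levels) {
    Get-ChildItem $dir -Filter "*.log" |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object { Get-Content $_.FullName } |
        ForEach-Object { ConvertFrom-UlsLine $_ } |
        Where-Object { $_ -and $_.Timestamp -ge $since -and $levels -contains $_.Level } |
        Sort-Object Timestamp -Descending
}

$since = (Get-Date).AddHours(-$Hours)

# 1) Trace log: a count per area/category/level is a quicker read than the raw lines and shows
#    at once whether a threshold is letting through far more than anyone will review.
Get-UlsEvents $LogDir $since @("Unexpected", "Monitorable", "High") |
    Group-Object Area, Category, Level | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2) Windows Application log: the events the "least critical event to report to the event log"
#    threshold allowed through, restricted to the SharePoint sources.
Get-EventLog -LogName Application -EntryType Error, Warning -After $since |
    Where-Object { $_.Source -like "*SharePoint*" } |
    Select-Object TimeGenerated, Source, EventID, Message | Format-Table -AutoSize -Wrap
```

When the first table shows a category flooding the trace log, stsadm -o listlogginglevels prints the current threshold for every category and stsadm -o setlogginglevel -default returns all of them to the shipped defaults, so the adjustment in recommendation 1 can be made and checked from the same console.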
3. Information Management Policy Usage Reports
Enable the information management policy usage reports.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9246-0
Rationale
Information management policy usage reports contribute to an understanding of how records are being managed and whether users
are complying with policy. This is especially relevant for organizations that must comply with legal or regulatory requirements.
For example, a Human Resources policy, used in an organization to ensure that employee records are handled in accordance with
legally recommended guidelines, could include features such as auditing, a retention period, and labels for physical copies.
If policies are not relevant to the organization's activities and records management, the information management policy usage
reports may be superfluous.
How-To
Follow steps below to enable.
Note: Information management policies are defined by site administrators. To create an information management policy on a
site:
1. Login to or open the top-level site.
2. Select Site Actions.
3. Select Site Settings.
4. Select Modify All Site Settings.
5. Navigate to Site Collection Administration.
6. Select Site collection policies.
7. Select Create.
8. Enter Name, Administrative Description, and Policy Statement text.
9. Check one or more of the policy enabling checkboxes, such as Enable Labels:, as appropriate for the policy being created and complete the specific entries needed for the checked items.
10. Select OK.
1: Login to Central Administration.
2: Navigate to Operations > Logging and Reporting.
3: Select Information management policy usage reports.
4: Select a Web Application.
5: Navigate to Schedule Recurring Reports.
6: Check the box for "Enable recurring policy usage reports".
7: Set the options here appropriately for the intended SharePoint operations.
8: Navigate to Report File Location.
9: Enter an appropriate URL in the Report file location: textbox.
10: Navigate to Report Template and specify the template to use for creating reports.
11: Select OK.
12: Repeat steps 2 through 11 for each Web Application.
Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: ocil:mitre.org:questionnaire:2105 File: sp2007-ocil.xml
4. Error Reporting
Ensure that the "Ignore errors and don't collect information" error reporting radio button is selected.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9384-9
Rationale
Selecting the "Ignore errors and don't collect information" option disables sending error reports to Microsoft and its partners
whenever errors are detected. If error collection is left enabled, reports that unintentionally contain sensitive information
may be sent to Microsoft and its partners. In addition, the mere presence of these reports can alert eavesdroppers to the
existence of a problem. This will, at the very least, signal possibly advantageous timing for mounting an attack. The reports
may also reveal which aspects of SharePoint are causing problems and might be vulnerable (or at least sensitive) to attack.
How-To
Follow the instructions below:
1: Login to Central Administration.
2: Navigate to Operations > Logging and Reporting.
3: Select Diagnostic Logging.
4: Check the Collect error reports checkbox.
5: Select OK.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:48 File: sp2007-ocil.xml
5. Single Sign-On (SSO) Logging
Enable logging for the Single Sign-On (SSO) service if the Microsoft SSO service is enabled in the SharePoint deployment.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9930-9
Rationale
Logging SSO events is important for accountability as well as for determining suspicious activity on a system. If SSO events
are not logged and changes are made to the SSO database, there is no way to determine who made the changes. In order to review
the SSO events that have been logged, follow the recommendation "Periodically review events in the logs created by diagnostic
logging".
How-To
Follow steps below.
1: Login to Central Administration.
2: Navigate to Operations > Logging and Reporting.
3: Select Diagnostic logging.
4: Navigate to Event Throttling.
5: Select SSO in the Select a category dropdown list.
6: Select an appropriate level in the Least critical event to report to the event log dropdown list.
7: Select an appropriate level in the Least critical event to report to the trace log dropdown list.
8: Select OK.
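The periodic review called for above (the Server Event Logs section and the SSO logging recommendation) can be scripted rather than done by clicking through Event Viewer. The following PowerShell script is an added example, not part of this guide or of SharePoint; it assumes PowerShell 2.0 on the SharePoint server and reads the live local Application log. The source and message pattern it matches on is an assumption, since component event source names vary.

```powershell
# Added example (not from the guide): list recent Warning/Error events from the
# Application log that come from SharePoint components, including the SSO service,
# for periodic review. PowerShell 2.0 on the SharePoint server assumed; it reads
# the live local log. Event source names differ between components, so the
# pattern below (an assumption) matches on source or message text.
function Get-SharePointReviewEvents {
    param(
        [int]$Newest = 1000,                            # how far back to look
        [string[]]$EntryTypes = @('Error', 'Warning'),
        [string]$Pattern = 'SharePoint|Single Sign|SSO'
    )
    Get-EventLog -LogName Application -Newest $Newest -EntryType $EntryTypes |
        Where-Object { ($_.Source -match $Pattern) -or ($_.Message -match $Pattern) } |
        Select-Object TimeGenerated, EntryType, Source, EventID,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Volume by source: a component that suddenly dominates the list deserves a closer look.
Get-SharePointReviewEvents | Group-Object Source | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# SSO-only view, narrowed to the most recent entries.
Get-SharePointReviewEvents -Newest 500 -Pattern 'Single Sign|SSO' | Format-Table -AutoSize
```

The function only returns events at or above the level selected in the "Least critical event to report to the event log" setting, so the SSO view is empty unless SSO logging has been enabled as described in the steps above.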
Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: ocil:mitre.org:questionnaire:2107 File: sp2007-ocil.xml
This chapter provides recommendations about extensions to SharePoint Server 2007; no attempt has been made to thoroughly research
this area, which is peripheral to the scope of this security guide.
1. SharePoint Extensions Code Development Policy
Enforce a policy for developers of code used to extend SharePoint functionality to ensure that the software runs with the
minimum amount of privileges needed to provide its functionality.
Rationale
Software that runs with more privileges than required is more likely to perform potentially dangerous operations than properly
constrained software, which can cause loss of data, loss of data integrity, and denial of service.
How-To
Demand detailed documentation from developers regarding the minimum amount of privileges required to run the software. Assuming
that the software appears to have been designed and implemented appropriately with regard to privileges, test the software
to the extent possible to verify the documented claims before deploying it in a production environment.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:49 File: sp2007-ocil.xml
2. SharePoint Extensions Evidence
Specify the use of content-based evidence instead of origin-based evidence for local program code used to extend SharePoint
functionality.
Rationale
Origin-based evidence is independent of the content of an assembly. The .NET common language runtime (CLR) considers only
the source of an assembly, such as current application directory or URL. With content-based evidence, the .NET CLR examines
the content of an assembly for evidence in the form of strong names, publisher identity, and assembly hash codes. Content-based
evidence is more accurate, providing higher assurance that code is safe to run.
How-To
Developers should refer to Visual Studio .NET and other Microsoft documentation concerning code access security. Visual Studio
2005, for example, provides capability to sign assemblies with strong names.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:50 File: sp2007-ocil.xml
3. Third-Party Software Privileges
With any third-party software products used to extend SharePoint functionality, ensure that the software runs with the minimum
amount of privileges needed to provide its functionality.
Rationale
Software that runs with more privileges than required is more likely to perform potentially dangerous operations than properly
constrained software. Over-privileged software can cause loss of data, loss of data integrity, and denial of service.
How-To
Demand detailed documentation from the software vendor regarding the minimum amount of privileges required to run the software.
Assuming that the software appears to have been designed and implemented appropriately with regard to privileges, test the
software to the extent possible to verify the documented claims before deploying it in a production environment.
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:51 File: sp2007-ocil.xml
4. Web.config SafeControl Entries
When adding a <SafeControl> entry to the Web.config file, use fully qualified assembly names.
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10001-6
Rationale
The Web.config file gives the administrator control over which assemblies are permitted to run on a virtual server. Only assemblies
identified by a <SafeControl> entry are allowed. A partially qualified assembly name identifies only the name of the assembly.
A fully qualified assembly name also identifies version number, culture, and developer identity. Using fully qualified assembly
names in a <SafeControl> entry provides important information that can be used in security policies based on content-based
evidence.
How-To
See Microsoft documentation that describes the requirements for fully qualified assembly names. See, for example, http://msdn2.microsoft.com/en-us/library/k8xx4k69.aspx
(.NET Framework Developer's Guide: Assembly Names).
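The following PowerShell script is an added example, not part of this guide or of SharePoint, that audits the <SafeControl> entries of a Web.config for the four-part names this recommendation asks for; it also ties in the content-based evidence point of recommendation 2, because a name whose PublicKeyToken is "null" belongs to an assembly that is not strong-named. It assumes PowerShell 2.0. The Web.config fragment is constructed for the example, and the Contoso.* assemblies, their version and the path placeholder are assumptions.

```powershell
# Added example (not from the guide): audit <SafeControl> entries in a SharePoint
# Web.config for fully qualified assembly names. PowerShell 2.0 assumed.
# The fragment below is constructed for this example. To audit a real web
# application, replace it with:  [xml]$config = Get-Content '<path to Web.config>'
# (the Contoso.* names and the 1.2.0.0 version are placeholders).
[xml]$config = @"
<configuration>
  <SharePoint>
    <SafeControls>
      <SafeControl Assembly="Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                   Namespace="Microsoft.SharePoint.WebPartPages" TypeName="*" Safe="True" />
      <SafeControl Assembly="Contoso.WebParts" Namespace="Contoso.WebParts" TypeName="*" Safe="True" />
      <SafeControl Assembly="Contoso.Reports, Version=1.2.0.0, Culture=neutral, PublicKeyToken=null"
                   Namespace="Contoso.Reports" TypeName="*" Safe="True" />
    </SafeControls>
  </SharePoint>
</configuration>
"@

function Test-FullyQualifiedAssemblyName {
    param([string]$AssemblyName)
    # A fully qualified name has four parts:
    #   Name, Version=a.b.c.d, Culture=<culture|neutral>, PublicKeyToken=<16 hex digits>
    $parts = @{}
    foreach ($segment in ($AssemblyName -split ',' | Select-Object -Skip 1)) {
        $pair = $segment.Trim() -split '=', 2
        if ($pair.Count -eq 2) { $parts[$pair[0].Trim()] = $pair[1].Trim() }
    }
    foreach ($key in 'Version', 'Culture', 'PublicKeyToken') {
        if (-not $parts.ContainsKey($key)) { return $false }
    }
    # "PublicKeyToken=null" is a four-part name for an assembly that is NOT strong-named,
    # so it still carries no publisher identity for content-based evidence.
    return ($parts['PublicKeyToken'] -match '^[0-9a-fA-F]{16}$')
}

$nodes = $config.SelectNodes('/configuration/SharePoint/SafeControls/SafeControl')
foreach ($node in $nodes) {
    $assembly = $node.GetAttribute('Assembly')
    if (Test-FullyQualifiedAssemblyName $assembly) { $status = 'OK    ' } else { $status = 'REVIEW' }
    '{0} {1}  (Namespace={2})' -f $status, $assembly, $node.GetAttribute('Namespace')
}
```

On the constructed input only the Microsoft.SharePoint entry passes; Contoso.WebParts is flagged for being partially qualified and Contoso.Reports for lacking a strong name. To obtain the exact fully qualified name of a built assembly before adding its entry, use the .NET Framework call [System.Reflection.AssemblyName]::GetAssemblyName('<path to the .dll>').FullName rather than typing the name by hand.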
Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-111:def:1 File: sp2007-oval.xml
5. ASP.NET Application Trust Levels
Do not set the trust level to Full for ASP.NET applications running on the SharePoint server.
Question: Have custom ASP.Net applications running on the SharePoint server been granted no more than the minimum permissions they
need to execute correctly?
Standard Identifier(s):
( http://cce.mitre.org ) CCE-9895-4
Rationale
By default, SharePoint applications (web parts) run under the WSS_Minimal trust level policy. This policy and the WSS_Medium
trust level policy ship with SharePoint. Specifying the Full trust level for ASP.NET applications enables them to perform
all operations, making the SharePoint installation less secure.
How-To
For ASP.NET applications needing more than the permissions allowed under WSS_Minimal, create a custom security policy file
that provides only the permissions needed. See Microsoft documentation for creating an appropriate .config file. For more
information about ASP.NET configuration files and editing a Web.config file, see ASP.NET Configuration at
http://msdn2.microsoft.com/en-us/library/Aa719558(VS.71).aspx
Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-112:def:1 File: sp2007-oval.xml
6. Application Trust Attributes
Set the "processRequestInApplicationTrust" attribute of the <trust> element to "false".
Standard Identifier(s):
( http://cce.mitre.org ) CCE-10155-0
Rationale
This attribute of the <trust> element controls whether an application's PermitOnly stack walk modifiers will be in effect
during execution. When set to "true", the Page class uses the PermitOnly stack walk modifier on the ASP.NET permission set.
In this case, granting more extensive permissions via a policy file is made useless. The default setting for SharePoint environments
is "false" while the default setting for ASP.NET is "true". Setting the attribute to "false" enables the use of custom security
policy files.
How-To
In the <trust> element of a Web.config file, set the attribute to "false" (that is, processRequestInApplicationTrust="false").
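The two <trust> checks of recommendations 5 and 6 (level not Full; processRequestInApplicationTrust="false") can be verified and corrected together. The PowerShell script below is an added example, not part of this guide or of SharePoint; it assumes PowerShell 2.0, the Web.config fragment is constructed for the example, and the Contoso_Custom policy entry and its file name are placeholders for a custom policy file created as described in recommendation 5.

```powershell
# Added example (not from the guide): check the <trust> element of a SharePoint
# Web.config against two recommendations: the level must not be Full, and
# processRequestInApplicationTrust must be "false". PowerShell 2.0 assumed.
# The fragment is constructed for this example; for a real file use
#   [xml]$config = Get-Content '<path to Web.config>'
# The Contoso_Custom policy entry and its file name are placeholders.
[xml]$config = @"
<configuration>
  <system.web>
    <securityPolicy>
      <trustLevel name="WSS_Medium"  policyFile="wss_mediumtrust.config" />
      <trustLevel name="WSS_Minimal" policyFile="wss_minimaltrust.config" />
      <trustLevel name="Contoso_Custom" policyFile="contoso_customtrust.config" />
    </securityPolicy>
    <trust level="Full" originUrl="" />
  </system.web>
</configuration>
"@

function Test-TrustConfiguration {
    param([xml]$Config)
    $findings = @()
    $trust = $Config.SelectSingleNode('/configuration/system.web/trust')
    if ($trust -eq $null) {
        # With no <trust> element the ASP.NET machine defaults apply: level Full and
        # processRequestInApplicationTrust true.
        return @('No <trust> element: ASP.NET defaults (level=Full, processRequestInApplicationTrust=true) apply')
    }
    $level = $trust.GetAttribute('level')
    if ($level -eq 'Full') {
        $findings += 'trust level is Full: use WSS_Minimal, WSS_Medium, or a custom policy file'
    } else {
        # A non-Full level must be declared under <securityPolicy> or ASP.NET cannot load it.
        $known = @($Config.SelectNodes('/configuration/system.web/securityPolicy/trustLevel') |
                   ForEach-Object { $_.GetAttribute('name') })
        if ($known -notcontains $level) {
            $findings += "trust level '$level' has no matching <trustLevel> policy file entry"
        }
    }
    # GetAttribute returns "" when the attribute is absent; that also fails the check,
    # because ASP.NET then falls back to its default of true.
    if ($trust.GetAttribute('processRequestInApplicationTrust') -ne 'false') {
        $findings += 'processRequestInApplicationTrust is not "false": custom policy grants would be ignored'
    }
    return $findings
}

$findings = @(Test-TrustConfiguration $config)
if ($findings.Count -eq 0) { 'trust configuration OK' } else { $findings | ForEach-Object { "FINDING: $_" } }

# Remediation, applied in memory; call $config.Save('<path to Web.config>') to persist it.
$trust = $config.SelectSingleNode('/configuration/system.web/trust')
$trust.SetAttribute('level', 'WSS_Minimal')
$trust.SetAttribute('processRequestInApplicationTrust', 'false')
$trust.OuterXml
@(Test-TrustConfiguration $config).Count   # 0 after remediation
```

On the constructed input the script reports two findings (level Full, attribute missing) and then prints the corrected element, <trust level="WSS_Minimal" originUrl="" processRequestInApplicationTrust="false" />, with no remaining findings. Substitute Contoso_Custom for WSS_Minimal in the SetAttribute call when an application genuinely needs a custom policy.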
Check Summary: System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Check Reference:
Name: oval:mitre.org.sp-2-113:def:1 File: sp2007-oval.xml
7. Permissions On ASP.Net Applications
Grant ASP.Net applications the minimum permissions necessary.
Rationale
ASP.Net applications running on the SharePoint server run at a default permission level of WSS_Minimal which provides only
the minimum permissions necessary to run effectively on the SharePoint system. However, administrators or application developers
can install custom-developed ASP.Net applications and assign a custom trust level to those applications. If the trust level
assigned to these applications is greater than necessary, malicious individuals could use these trusted applications to gain
unauthorized access to (or perform undesirable actions on) the rest of the SharePoint system.
How-To
Self-explanatory
Check Summary: System: http://scap.nist.gov/schema/ocil/2
Check Reference:
Name: ocil:mitre.org:questionnaire:52 File: sp2007-ocil.xml
Notes and Warnings
This section provides notes and warnings for administrators regarding SharePoint Server 2007.
- Web Application Security Configuration and Testing
Before configuring security options on a Web application, plan and test the configuration first. Many of the settings, such as the user rights for Web applications, can benefit from being tested before users are added to the operational site for general access.
- Usage Analysis Processing
Enable usage analysis processing. Usage analysis processing produces log files containing information about what has happened on a site, such as number of page hits for each individual page, number of unique users, browser and operating system information, and referring domains and Uniform Resource Locator (URL). Having this kind of information could help in tracking down problems that might be causing denial of service to users.
- Web Application User Permissions
The Application Security section of the Central Administration tool is where user permissions, rights, and policies for individual Web applications are defined. It is critical to ensure the correct Web application is selected in the management control before defining these permissions; otherwise valid users could be prohibited from performing their required roles.
- Web Application Permission Levels
Disabling and re-enabling permission levels for a Web application in the Central Administration GUI instantly modifies those permissions in all site collections contained in the selected Web application. Be careful when making changes to large Web applications because every site collection contained in it is then modified by the system. This modification could cause a large increase in CPU utilization, which could cause a denial of service.
- Inheriting Permissions from Parent Sites
When creating a new website, if Use same permissions as parent site is selected, one set of user permissions is shared by the parent site and the new site. Consequently, user permissions on the new site cannot be changed except by an administrator of the parent site. Making changes to the user permissions for the subsite is done by making the changes to the parent site. Any changes made to the permissions on the parent site will propagate throughout the site hierarchy via any subsites that are inheriting permissions from the parent. This potentially leads to having permissions that are not appropriate for the parent or one or more of the inheriting subsites.
- Third-party Web Parts
Be cautious when buying third-party Web Parts that require a full permission set to execute successfully. This is a sign that the software has not been designed carefully.
Profile includes all recommendations.