
SharePoint 2010 Security Technical Implementation Guide (STIG)


Overview

Date: 2011-12-20
Finding count: 43 (CAT I (High): 1, CAT II (Med): 40, CAT III (Low): 2)
STIG Description
This STIG is applicable to all Microsoft SharePoint 2010 implementations. It addresses only the SharePoint application layer: for complete protection of any SharePoint implementation, the Windows OS, the application server(s) and the database server(s) must also be secured using their applicable STIGs.

Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-28066 High Applications must support organizational requirements to employ cryptographic mechanisms to protect information in storage.
V-30290 Medium SharePoint must protect audit information from unauthorized deletion of trace log files.
V-28170 Medium When configuring Central Administration, the port number selected must comply with DoD Ports and Protocol Management (PPSM) program requirements.
V-29301 Medium SharePoint sites must not use NTLM.
V-28114 Medium SharePoint must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.
V-29363 Medium The “Automatically delete the site collection if use is not confirmed” property must not be enabled for web applications.
V-29306 Medium SharePoint farm service account (Database Access account) must be configured with minimum privileges in Active Directory (AD).
V-28177 Medium Backup of SharePoint system level files for critical systems must be performed when identified as required by the owning organization.
V-28119 Medium The Central Administration Web Application must use Kerberos as the authentication provider.
V-28217 Medium For environments requiring an Internet-facing capability, the SharePoint application server upon which Central Administration is installed, must not be installed in the DMZ.
V-28138 Medium SharePoint managed service accounts must be set to enable automatic password change.
V-28071 Medium SharePoint must terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
V-28252 Medium SharePoint clients must be configured to display an approved system use notification message or banner before granting access to the system.
V-27974 Medium SharePoint must allow authorized users to associate security attributes with information.
V-28256 Medium SharePoint must be configured to display the banner, when appropriate, before granting further access.
V-28097 Medium SharePoint must protect audit tools from unauthorized access.
V-28254 Medium SharePoint must retain the notification message or banner on the screen until users take explicit action to log on to or further access the system.
V-30282 Medium SharePoint must protect audit information from unauthorized access to the trace data log files.
V-30287 Medium SharePoint must protect audit information from unauthorized modification to trace data logs.
V-29339 Medium SharePoint-specific malware (i.e., anti-virus) software must be integrated and configured.
V-29338 Medium The Online Web Part Gallery must be configured for limited access.
V-28145 Medium SharePoint must support the enforcement of logical access restrictions associated with changes to application configuration.
V-28144 Medium SharePoint must support the requirement that privileged access is further defined between audit-related privileges and other privileges.
V-28169 Medium To support the requirements and principles of least functionality, SharePoint must support the organizational requirement to provide only essential capabilities.
V-28281 Medium Central Administrator site must not be accessible from Extranet or Internet connections.
V-28026 Medium SharePoint must identify potentially security-relevant error conditions.
V-30365 Medium The SharePoint Setup User domain account must be configured with the minimum privileges in SQL server.
V-30366 Medium The SharePoint Setup User domain account must be configured with the minimum privileges for the local server.
V-27965 Medium SharePoint must support the requirement to initiate a session lock after an organization defined time period of system or application inactivity has transpired.
V-28207 Medium SharePoint must implement security functions as largely independent modules to avoid unnecessary interactions between modules.
V-29367 Medium Access to Central Administration site must be limited to authorized users and groups.
V-29372 Medium The privilege to edit group membership must be restricted to authorized individuals.
V-30368 Medium SharePoint farm service account (Database Access account) must be configured with minimum privileges on the SQL server.
V-29374 Medium "Who can view the membership of the group?" must be set to [Group Members] when creating new site groups.
V-28241 Medium SharePoint must enforce organizational requirements to implement separation of duties through assigned information access authorizations.
V-28089 Medium SharePoint must protect audit information from unauthorized modification of usage and health data collection logs.
V-29399 Medium The SharePoint Setup User domain account must be configured with the minimum privileges in Active Directory.
V-29398 Medium SharePoint Service accounts must be configured for separation of duties.
V-28249 Medium Timer job retries for automatic password change on Managed Accounts must meet DoD password retry policy.
V-28094 Medium SharePoint must protect audit information from unauthorized deletion of usage and health logs.
V-28087 Medium SharePoint must protect audit information from unauthorized access to the usage and health logs.
V-29373 Low A secondary site collection administrator must be defined when creating a new site collection.
V-28184 Low To support audit review, analysis, and reporting, SharePoint must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
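Several of the findings above (Kerberos on Central Administration, no NTLM on sites, the Central Administration port, managed-account automatic password change and its retry limit, unused-site auto-deletion, Online Web Part Gallery access, secondary site collection administrators, and group membership visibility and editing rights) map to farm settings that can be read from the SharePoint 2010 object model. The following read-only audit script is an added example, not part of the STIG or of DISA's check procedures. It assumes it is run in the SharePoint 2010 Management Shell (Windows PowerShell 2.0) as a farm administrator; the property names used (IisSettings.DisableKerberos, AllowAccessToWebPartCatalog, AutomaticallyDeleteUnusedSiteCollections, SPManagedAccount.AutomaticChange, SPFarm.PasswordChangeMaximumTries, SPSite.SecondaryContact, SPGroup.OnlyAllowMembersViewMembership and AllowMembersEditMembership) are from the 2010 object model as the author recalls it and should be confirmed against the farm, and the two thresholds at the top (approved Central Administration ports, maximum password-change retries) are placeholders the organization must supply from its own PPSM registration and password policy. Which findings are "PASS" here reflects this script's reading of the titles above, not an official STIG verdict.

```powershell
# Added example (not DISA/STIG code): read-only audit of selected SharePoint 2010 STIG findings.
# Run from the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed organizational parameters (placeholders, not values taken from the STIG).
$AllowedCentralAdminPorts = @(443)   # PPSM-approved port(s) for Central Administration (V-28170)
$MaxPasswordChangeRetries = 3        # organization's password retry limit for managed accounts (V-28249)

$results = New-Object System.Collections.ArrayList

# PS 2.0-compatible result row (no [pscustomobject] cast, which needs PS 3.0).
function Add-Result([string]$Finding, [string]$Target, [bool]$Compliant, [string]$Detail) {
    $status = if ($Compliant) { 'PASS' } else { 'FAIL' }
    [void]$results.Add((New-Object PSObject -Property @{
        Finding = $Finding; Target = $Target; Status = $status; Detail = $Detail }))
}

$defaultZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# --- Web applications, including Central Administration ---
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $iis = $wa.IisSettings[$defaultZone]
    # Classic-mode Windows auth: DisableKerberos = $true means the zone negotiates NTLM only.
    # V-28119 covers Central Administration, V-29301 the content web applications.
    # Claims-based web applications keep this setting on their SPAuthenticationProvider instead;
    # extend the check with Get-SPAuthenticationProvider if the farm uses claims.
    $finding = if ($wa.IsAdministrationWebApplication) { 'V-28119' } else { 'V-29301' }
    Add-Result $finding $wa.Url (-not $iis.DisableKerberos) `
        "AuthenticationMode=$($iis.AuthenticationMode); DisableKerberos=$($iis.DisableKerberos)"

    if ($wa.IsAdministrationWebApplication) {
        # V-28170: the Central Administration port must be one the organization has registered with PPSM.
        # Network placement of Central Administration (V-28217, V-28281) is not visible from the object model.
        $port = ([uri]$wa.Url).Port
        Add-Result 'V-28170' $wa.Url ($AllowedCentralAdminPorts -contains $port) "port $port"
    }

    # V-29338: treat "Allow" on the Online Web Part Gallery as a FAIL to review.
    Add-Result 'V-29338' $wa.Url (-not $wa.AllowAccessToWebPartCatalog) `
        "AllowAccessToWebPartCatalog=$($wa.AllowAccessToWebPartCatalog)"
    # V-29363: unconfirmed site collections must never be deleted automatically.
    Add-Result 'V-29363' $wa.Url (-not $wa.AutomaticallyDeleteUnusedSiteCollections) `
        "AutomaticallyDeleteUnusedSiteCollections=$($wa.AutomaticallyDeleteUnusedSiteCollections)"
}

# --- Managed service accounts ---
foreach ($ma in Get-SPManagedAccount) {
    # V-28138: every managed account must have automatic password change enabled.
    Add-Result 'V-28138' $ma.UserName $ma.AutomaticChange "AutomaticChange=$($ma.AutomaticChange)"
}
$farm = Get-SPFarm
# V-28249: retries of the password-change timer job must not exceed the organization's retry policy.
Add-Result 'V-28249' 'farm' ($farm.PasswordChangeMaximumTries -le $MaxPasswordChangeRetries) `
    "PasswordChangeMaximumTries=$($farm.PasswordChangeMaximumTries)"

# --- Site collections and site groups ---
foreach ($site in Get-SPSite -Limit All) {
    # V-29373: a secondary site collection administrator must be defined.
    Add-Result 'V-29373' $site.Url ($site.SecondaryContact -ne $null) "SecondaryContact=$($site.SecondaryContact)"
    foreach ($group in $site.RootWeb.SiteGroups) {
        $target = "$($site.Url) / $($group.Name)"
        # V-29374: "Who can view the membership of the group?" = Group Members.
        Add-Result 'V-29374' $target $group.OnlyAllowMembersViewMembership `
            "OnlyAllowMembersViewMembership=$($group.OnlyAllowMembersViewMembership)"
        # V-29372: only the group owner, not every member, may edit the roster.
        Add-Result 'V-29372' $target (-not $group.AllowMembersEditMembership) `
            "AllowMembersEditMembership=$($group.AllowMembersEditMembership)"
    }
    $site.Dispose()   # SPSite holds unmanaged resources; release each one after inspection
}

$results | Sort-Object Finding, Status | Select-Object Finding, Target, Status, Detail | Format-Table -AutoSize
```

The script changes nothing; it only reads settings and prints one row per finding and target, so it can be run repeatedly as a drift check. Findings that depend on network placement, OS-level file ACLs on the trace and usage logs, SQL Server role membership or Active Directory group membership (V-28217, V-28281, V-30282 through V-30290, V-30365 through V-30368, V-29306, V-29399) need checks on the host, the database server and the directory rather than in the SharePoint object model.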