
SharePoint must support the enforcement of logical access restrictions associated with changes to application configuration.


Overview

Finding ID: V-28145
Version: SHPT-00-000470
Rule ID: SV-37440r1_rule
IA Controls: ECPC-1, ECPC-2
Severity: Medium
Description
When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications.
STIG: SharePoint 2010 Security Technical Implementation Guide (STIG)
Date: 2011-12-20

Details

Check Text ( C-37394r1_chk )
Verify that the role-based permission levels exist and carry the correct permissions on each site. "Web Site Admin", "Web Site Audit", and "Web Site Manager" are custom permission levels (the STIG refers to them as groups), each created as a copy of "Full Control" and then trimmed to the organization-defined permission list for that role. The three levels must be configured so that they enforce separation of duties in SharePoint: no single level should combine the permissions of all three roles.
1. Log on to SharePoint Central Administration.
2. Click on “Site Actions” and select “Site Permissions”.
3. In the Manage section of the ribbon, click “Permission Levels”.
4. Verify the permissions for “Web Site Admin”, “Web Site Audit”, and “Web Site Manager” are set according to organizational-defined permissions. If not, this is a finding.
Fix Text (F-32631r1_fix)
Create the three required permission levels, or confirm that they already exist, and set the permissions of each to the organization-defined list for that role.

1. Log on to SharePoint Central Administration.
2. Click on “Site Actions” and select “Site Permissions”.
3. In the Manage section of the ribbon, click “Permission Levels”.
4. Create missing groups by clicking “Add a Permission Level”.
5. On the Add a Permission Level page, in the Name field, type a name for the new permission level (“Web Site Admin”, “Web Site Audit”, or “Web Site Manager”).
6. In the Description field, type a description of the new permission level.
7. In the list of permissions, select the check boxes to add permissions to the permission level according to the organizationally-defined permissions from the IAO.
8. Click “Create”.
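The check and fix above are performed per site through the ribbon. On a farm with many site collections, the same verification and remediation can be scripted against the SharePoint 2010 server object model from the SharePoint 2010 Management Shell. The script below is an added example, not part of the STIG or of Microsoft's documentation; the three permission lists are placeholders (assumptions) and must be replaced with the IAO-approved list for each level. It walks every site collection, reports a finding for any of the three levels that is missing or whose permissions differ from the required set, and, when run with -Remediate, creates the missing levels and corrects the permissions of the existing ones.

```powershell
# Added example (not STIG text): audit and optionally remediate the three STIG
# permission levels on the root web of every site collection.
# Run in the SharePoint 2010 Management Shell as a farm administrator with shell access.
# PowerShell 2.0 syntax is used deliberately (no [pscustomobject], Mandatory=$true).
param([switch]$Remediate)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Organization-defined permissions per level. PLACEHOLDER VALUES for illustration:
# replace each comma-separated list of Microsoft.SharePoint.SPBasePermissions names
# with the list approved by the IAO. The STIG describes each level as "Full Control"
# with permissions removed, so each list is a subset of Full Control.
$RequiredLevels = @{
    "Web Site Admin"   = "ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ApplyThemeAndBorder, ApplyStyleSheets, ViewUsageData, ManageSubwebs, CreateGroups, ManagePermissions, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, ManageWeb, UseClientIntegration, UseRemoteAPIs, ManageAlerts, CreateAlerts, EditMyUserInfo, EnumeratePermissions"
    "Web Site Audit"   = "ViewListItems, OpenItems, ViewVersions, ViewFormPages, Open, ViewPages, ViewUsageData, BrowseDirectories, BrowseUserInfo, UseRemoteAPIs, EnumeratePermissions"
    "Web Site Manager" = "ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, BrowseDirectories, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, ManageAlerts, CreateAlerts, EditMyUserInfo"
}

function Test-StigPermissionLevels {
    # Returns one record per required level on the given root web: Status is
    # "Compliant", "Missing" or "WrongPermissions" (the latter two are findings).
    param([Parameter(Mandatory=$true)][Microsoft.SharePoint.SPWeb]$RootWeb)

    foreach ($name in $RequiredLevels.Keys) {
        $required = [Microsoft.SharePoint.SPBasePermissions]$RequiredLevels[$name]
        # Where-Object instead of the indexer: RoleDefinitions[$name] throws when absent.
        $level = $RootWeb.RoleDefinitions | Where-Object { $_.Name -eq $name }

        if ($level -eq $null) {
            $status = "Missing"; $actual = ""
        } elseif ($level.BasePermissions -eq $required) {
            $status = "Compliant"; $actual = $level.BasePermissions.ToString()
        } else {
            $status = "WrongPermissions"; $actual = $level.BasePermissions.ToString()
        }

        New-Object PSObject -Property @{
            SiteUrl  = $RootWeb.Url
            Level    = $name
            Status   = $status
            Expected = $required.ToString()
            Actual   = $actual
        }
    }
}

function Set-StigPermissionLevels {
    # Fix text, scripted: create each missing level and correct the permissions of
    # existing ones. Role definitions live on the site collection's root web.
    param([Parameter(Mandatory=$true)][Microsoft.SharePoint.SPWeb]$RootWeb)

    foreach ($name in $RequiredLevels.Keys) {
        $required = [Microsoft.SharePoint.SPBasePermissions]$RequiredLevels[$name]
        $level = $RootWeb.RoleDefinitions | Where-Object { $_.Name -eq $name }

        if ($level -eq $null) {
            $rd = New-Object Microsoft.SharePoint.SPRoleDefinition
            $rd.Name = $name
            $rd.Description = "STIG V-28145 role; permissions per IAO-defined list"
            $rd.BasePermissions = $required
            $RootWeb.RoleDefinitions.Add($rd)
            Write-Host "Created '$name' on $($RootWeb.Url)"
        } elseif ($level.BasePermissions -ne $required) {
            $level.BasePermissions = $required
            $level.Update()
            Write-Host "Corrected permissions of '$name' on $($RootWeb.Url)"
        }
    }
}

# Walk every site collection; dispose SPSite objects to avoid leaking connections.
$results = @()
Get-SPSite -Limit All | ForEach-Object {
    $site = $_
    try {
        if ($Remediate) { Set-StigPermissionLevels -RootWeb $site.RootWeb }
        $results += Test-StigPermissionLevels -RootWeb $site.RootWeb
    } finally {
        $site.Dispose()
    }
}

# Anything not Compliant is a finding against this rule.
$results | Where-Object { $_.Status -ne "Compliant" } |
    Format-Table SiteUrl, Level, Status, Expected, Actual -AutoSize
```

Run it without -Remediate first to produce the list of findings for the check; run it again with -Remediate only after the IAO has confirmed the permission lists, because the script overwrites the permissions of any existing level whose name matches. Role definitions are added on the root web of a site collection; a subsite that has not broken role-definition inheritance cannot receive its own, which is why the script targets $site.RootWeb rather than every SPWeb.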