SharePoint must enforce organizational requirements to implement separation of duties through assigned information access authorizations.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-28241	SHPT-00-000190	SV-37759r1_rule	ECLP-1	Medium

Description
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out the action. Additionally, the person or entity accountable for monitoring the activity must be separate as well. To meet this requirement, applications, when applicable, shall be divided where functionality is based on roles and duties. Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles.

Description

Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out the action. Additionally, the person or entity accountable for monitoring the activity must be separate as well. To meet this requirement, applications, when applicable, shall be divided where functionality is based on roles and duties. Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles.

STIG	Date
SharePoint 2010 Security Technical Implementation Guide (STIG)	2011-12-20

Details

Check Text ( C-37345r1_chk )
Verify groups for roles are created and assigned correct permissions for each site. The “Web Site Admin” group is a copy of “Full Control” with modifications according to organizationally-defined permission list. The “Web Site Audit” group is a copy of “Full Control” with modifications according to organizational-defined permission list. The “Web Site Managers” group is a copy of “Full Control” with modifications according to organizational-defined permission list. These groups must be configured to produce separation of duties in SharePoint. 1. Log on to SharePoint Central Administration. 2. Click on “Site Actions” and select “Site Permissions”. 3. In the Manage section of the ribbon, click “Permission Levels”. 4. Verify the permissions for “Web Site Admin”, “Web Site Audit”, and “Web Site Manager” are set according to organizationally-defined permissions. 5. Mark as a finding if any of the three groups does not exist. Mark as a finding if permissions for “Web Site Admin”, “Web Site Audit”, and “Web Site Manager” are not set according to organizationally-defined permissions.

Check Text ( C-37345r1_chk )

Verify groups for roles are created and assigned correct permissions for each site. The “Web Site Admin” group is a copy of “Full Control” with modifications according to organizationally-defined permission list. The “Web Site Audit” group is a copy of “Full Control” with modifications according to organizational-defined permission list. The “Web Site Managers” group is a copy of “Full Control” with modifications according to organizational-defined permission list. These groups must be configured to produce separation of duties in SharePoint.

1. Log on to SharePoint Central Administration.
2. Click on “Site Actions” and select “Site Permissions”.
3. In the Manage section of the ribbon, click “Permission Levels”.
4. Verify the permissions for “Web Site Admin”, “Web Site Audit”, and “Web Site Manager” are set according to organizationally-defined permissions.
5. Mark as a finding if any of the three groups does not exist. Mark as a finding if permissions for “Web Site Admin”, “Web Site Audit”, and “Web Site Manager” are not set according to organizationally-defined permissions.

Fix Text (F-32580r1_fix)
Create and/or confirm the three required groups exist and have permissions set according to organizationally-defined permissions. 1. Log on to SharePoint Central Administration. 2. Click on “Site Actions” and select “Site Permissions”. 3. In the Manage section of the ribbon, click “Permission Levels”. 4. Create missing groups by clicking “Add a permission level”. 5. On the Add a Permission Level page, in the Name field, type a name for the new permission level (“Web Site Admin”, “Web Site Audit”, or “Web Site Manager”). 6. In the Description field, type a description of the new permission level. 7. In the list of permissions, select the check boxes to add permissions to the permission level according to the organizationally-defined permissions from the IAO. 8. Click “Create”.

Fix Text (F-32580r1_fix)

Create and/or confirm the three required groups exist and have permissions set according to organizationally-defined permissions.
1. Log on to SharePoint Central Administration.
2. Click on “Site Actions” and select “Site Permissions”.
3. In the Manage section of the ribbon, click “Permission Levels”.
4. Create missing groups by clicking “Add a permission level”.
5. On the Add a Permission Level page, in the Name field, type a name for the new permission level (“Web Site Admin”, “Web Site Audit”, or “Web Site Manager”).
6. In the Description field, type a description of the new permission level.
7. In the list of permissions, select the check boxes to add permissions to the permission level according to the organizationally-defined permissions from the IAO.
8. Click “Create”.