SharePoint sites must not use NTLM.


Overview

Finding ID: V-29301
Version: SHPT-00-000531
Rule ID: SV-37822r1_rule
IA Controls: IAIA-1, IAIA-2
Severity: Medium
Description
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols that use nonces or challenges (e.g., TLS, WS-Security) and time-synchronous or challenge-response one-time authenticators. SharePoint must not use NTLM in the authentication process.

STIG: SharePoint 2010 Security Technical Implementation Guide (STIG)
Date: 2011-12-20

Details

Check Text (C-37023r1_chk)
SharePoint must be configured to not use NTLM.
1. Using IIS Manager (IIS 7), navigate to view the SharePoint site collections.
2. Select a SharePoint site collection to review.
3. View the features of the site collection.
4. In the IIS section, double-click “Authentication” and select “Windows Authentication”.
5. Right-click on “Windows Authentication” and select “Providers”.
6. If Negotiate:NTLM is listed in the “Enabled Providers” box, this is a finding.
Fix Text (F-32291r1_fix)

1. Using IIS Manager (IIS 7), navigate to view the SharePoint site collections.
2. Select a SharePoint site collection to review.
3. View the features of the site collection.
4. In the IIS section, double-click “Authentication” and select “Windows Authentication”.
5. Right-click on “Windows Authentication” and select “Providers”.
6. Add Negotiate:Kerberos to the list in the “Enabled Providers” box.
7. Remove Negotiate:NTLM from the list in the “Enabled Providers” box.
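The check and fix above are written for the IIS Manager GUI. The following PowerShell script is an added example, not part of the STIG or of any DISA or Microsoft tooling; it performs the same audit and remediation against an IIS site using the WebAdministration module that ships with IIS 7 and later. The site name 'SharePoint - 80' is an assumed placeholder for the IIS site that hosts the SharePoint web application being reviewed. The audit goes slightly beyond the literal check: besides the "Negotiate:NTLM" entry the STIG names, it also flags a bare "NTLM" provider and a bare "Negotiate" provider, because both still allow NTLM (Negotiate can fall back to NTLM when Kerberos is unavailable).

```powershell
# Added example (not from the STIG): audit and remediate the Windows
# authentication providers of an IIS site hosting a SharePoint web application.
# Requires the WebAdministration module (IIS 7+) and an elevated prompt.
Import-Module WebAdministration

# Assumption: the IIS site name of the SharePoint web application to check.
$SiteName = 'SharePoint - 80'
$PsPath   = "IIS:\Sites\$SiteName"
$Filter   = 'system.webServer/security/authentication/windowsAuthentication/providers'

# Any of these provider entries allows NTLM: the literal one the STIG names,
# the bare NTLM provider, and bare Negotiate (SPNEGO may fall back to NTLM).
$NtlmCapable = @('Negotiate:NTLM', 'NTLM', 'Negotiate')

function Get-WindowsAuthProviders {
    param([string]$PsPath, [string]$Filter)
    # Each <add value="..."/> element under <providers> is one enabled provider.
    @((Get-WebConfiguration -Filter "$Filter/add" -PSPath $PsPath).value)
}

function Test-NtlmDisabled {
    param([string[]]$Providers, [string[]]$NtlmCapable)
    # Returns the compliance verdict and the offending entries, if any.
    $found = @($Providers | Where-Object { $NtlmCapable -contains $_ })
    return @{ Compliant = ($found.Count -eq 0); Offending = $found }
}

$providers = Get-WindowsAuthProviders -PsPath $PsPath -Filter $Filter
$result    = Test-NtlmDisabled -Providers $providers -NtlmCapable $NtlmCapable
Write-Host "Enabled providers on '$SiteName': $($providers -join ', ')"

if ($result.Compliant) {
    Write-Host 'Not a finding: no NTLM-capable provider is enabled.'
}
else {
    Write-Host "Finding: NTLM-capable provider(s) enabled: $($result.Offending -join ', ')"

    # Fix, in the STIG's order: add Negotiate:Kerberos first so the site keeps
    # a working provider, then remove every NTLM-capable entry.
    if ($providers -notcontains 'Negotiate:Kerberos') {
        Add-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name '.' `
            -Value @{ value = 'Negotiate:Kerberos' }
    }
    foreach ($p in $result.Offending) {
        Remove-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name '.' `
            -AtElement @{ value = $p }
    }

    $after = Get-WindowsAuthProviders -PsPath $PsPath -Filter $Filter
    Write-Host "Providers after fix: $($after -join ', ')"
}
```

Run it once per SharePoint site to be reviewed, changing $SiteName each time. Kerberos-only authentication works only if the web application's host name has a Service Principal Name registered for the account running its application pool; without that SPN, removing the NTLM-capable providers leaves users unable to log in, so register the SPN before applying the fix.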