SharePoint 2010 Security Technical Implementation Guide (STIG)


Overview

Date: 2014-07-03
Finding Count (43): CAT I (High): 2, CAT II (Med): 38, CAT III (Low): 3
STIG Description
This STIG is applicable to all Microsoft SharePoint 2010 implementations. For complete security protection of any SharePoint implementation, the Windows OS, application server(s) and the database server(s) must also be secured using the applicable STIGs.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-28066 High Applications must support organizational requirements to employ cryptographic mechanisms to protect information in storage.
V-29339 High SharePoint-specific malware (i.e., anti-virus) software must be integrated and configured.
V-30290 Medium SharePoint must protect audit information from unauthorized deletion of trace log files.
V-28087 Medium SharePoint must protect audit information from unauthorized access to the usage and health logs.
V-28170 Medium When configuring Central Administration, the port number selected must comply with DoD Ports and Protocol Management (PPSM) program requirements.
V-29301 Medium SharePoint sites must not use NTLM.
V-28114 Medium SharePoint must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.
V-27996 Medium SharePoint must enforce dual authorization, based on organizational policies and procedures for organizationally defined privileged commands.
V-29306 Medium SharePoint farm service account (Database Access account) must be configured with minimum privileges in Active Directory (AD).
V-28177 Medium Backup of SharePoint system level files for critical systems must be performed when identified as required by the owning organization.
V-28119 Medium The Central Administration Web Application must use Kerberos as the authentication provider.
V-28217 Medium For environments requiring an Internet-facing capability, the SharePoint application server upon which Central Administration is installed must not be installed in the DMZ.
V-28138 Medium SharePoint managed service accounts must be set to enable automatic password change.
V-28071 Medium SharePoint must terminate the network connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity.
V-27974 Medium SharePoint must allow authorized users to associate security attributes with information.
V-28252 Medium SharePoint clients must be configured to display an approved system use notification message or banner before granting access to the system.
V-28254 Medium SharePoint must retain the notification message or banner on the screen until users take explicit actions to log on to or further access.
V-28256 Medium SharePoint must be configured to display the banner, when appropriate, before granting further access.
V-28097 Medium SharePoint must protect audit tools from unauthorized access.
V-28094 Medium SharePoint must protect audit information from unauthorized deletion of usage and health logs.
V-30282 Medium SharePoint must protect audit information from unauthorized access to the trace data log files.
V-30287 Medium SharePoint must protect audit information from unauthorized modification to trace data logs.
V-27968 Medium SharePoint must maintain and support the use of organizationally defined security attributes to stored information.
V-29338 Medium The Online Web Part Gallery must be configured for limited access.
V-28023 Medium The organization must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
V-28169 Medium To support the requirements and principles of least functionality; SharePoint must support the organizational requirement to provide only essential capabilities.
V-28281 Medium The Central Administration site must not be accessible from Extranet or Internet connections.
V-28026 Medium SharePoint must identify potentially security-relevant error conditions.
V-30364 Medium SharePoint information management policies must be created, configured, and maintained to support the use of organizationally defined security attributes.
V-30366 Medium The SharePoint setup user domain account must be configured with the minimum privileges for the local server.
V-28207 Medium SharePoint must implement security functions as largely independent modules to avoid unnecessary interactions between modules.
V-29367 Medium Access to Central Administration site must be limited to authorized users and groups.
V-29363 Medium The “Automatically delete the site collection if use is not confirmed” property must not be enabled for web applications.
V-28089 Medium SharePoint must protect audit information from unauthorized modification of usage and health data collection logs.
V-29399 Medium The SharePoint setup user domain account must be configured with the minimum privileges in Active Directory.
V-29398 Medium SharePoint service accounts must be configured for separation of duties.
V-28144 Medium SharePoint must support the requirement that privileged access is further defined between audit-related privileges and other privileges.
V-28249 Medium Timer job retries for automatic password change on Managed Accounts must meet DoD password retry policy.
V-27965 Medium SharePoint must support the requirement to initiate a session lock after an organizationally defined time period of system or application inactivity has transpired.
V-28241 Medium SharePoint must enforce organizational requirements to implement separation of duties through assigned information access authorizations.
V-28230 Low SharePoint must enable IRM to bind attributes to information to facilitate the organization’s established information flow policy as needed.
V-29373 Low A secondary site collection administrator must be defined when creating a new site collection.
V-28184 Low To support audit review, analysis, and reporting, SharePoint must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.