SharePoint must ensure authentication of both client and server during the entire session. An example of this is SSL Mutual Authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-59975	SP13-00-000110	SV-74405r1_rule		High

Description
This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tokens or session IDs in order to establish application user identity. Proper use of session IDs addresses man-in-the-middle attacks, including session hijacking or insertion of false information into a session. This control is only implemented where deemed necessary by the organization (e.g., sessions in service-oriented architectures providing web-based services).

Description

This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tokens or session IDs in order to establish application user identity. Proper use of session IDs addresses man-in-the-middle attacks, including session hijacking or insertion of false information into a session. This control is only implemented where deemed necessary by the organization (e.g., sessions in service-oriented architectures providing web-based services).

STIG	Date
SharePoint 2013 Security Technical Implementation Guide	2015-09-29

Details

Check Text ( C-60665r1_chk )
Review the SharePoint server configuration to ensure SSL Mutual authentication of both client and server during the entire session. In SharePoint Central Administration, click Application Management. On the Application Management page, in the Web Applications list, click Manage web applications. On the Web Applications Management page, verify that each Web Application URL begins with https. If the URL does not begin with https, this is a finding. If SharePoint communications between all components and clients are protected by alternative physical measures that have been approved by the AO, this is not a finding.

Check Text ( C-60665r1_chk )

Review the SharePoint server configuration to ensure SSL Mutual authentication of both client and server during the entire session.

In SharePoint Central Administration, click Application Management.

On the Application Management page, in the Web Applications list, click Manage web applications.

On the Web Applications Management page, verify that each Web Application URL begins with https.

If the URL does not begin with https, this is a finding.

If SharePoint communications between all components and clients are protected by alternative physical measures that have been approved by the AO, this is not a finding.

Fix Text (F-65385r2_fix)
Configure the SharePoint server to ensure SSL Mutual authentication of both client and server during the entire session. Open IIS Manager. In the Connections pane, expand Sites. Click the Web Application site. In the Actions pane, click Bindings. In the Site Bindings window, click Add. In the Add Site Binding window, change Type to https, and select the site's SSL certificate. Click OK, and then click Close.

Fix Text (F-65385r2_fix)

Configure the SharePoint server to ensure SSL Mutual authentication of both client and server during the entire session.

Open IIS Manager.

In the Connections pane, expand Sites.

Click the Web Application site.

In the Actions pane, click Bindings.

In the Site Bindings window, click Add.

In the Add Site Binding window, change Type to https, and select the site's SSL certificate.

Click OK, and then click Close.