STIGQter: STIG Summary: Microsoft SharePoint 2013 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

SharePoint must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

DISA Rule

SV-223251r612235_rule

Vulnerability Number

V-223251

Group Title

SRG-APP-000180

Rule Version

SP13-00-000080

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure SharePoint to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

Navigate to Central Administration website.

Click on "Manage web applications".

Click the web application name.

Click the "Authentication Providers" button in the "Web Applications" ribbon.

Click each Zone, and clear the "Enable anonymous access" check box.

Click "Save".

Repeat steps for each web application.

Check Contents

Review the SharePoint configuration to ensure non-organizational users (or processes acting on behalf of non-organizational users) are uniquely identified and authenticated.

Navigate to Central Administration website.

Click on "Manage web applications".

Click the web application name.

Click the "Authentication Providers" button in the "Web Applications" ribbon.

Click each Zone, and verify that the "Enable anonymous access" check box is not selected.

If it is selected and the web application zone is not defined in the system security plan as allowing anonymous access, this is a finding.

Repeat steps for each web application.
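
The check above can also be run across every web application and zone in one pass from the SharePoint 2013 Management Shell. The script below is an added example, not part of the STIG text. It assumes that the `AllowAnonymous` property of each zone's IIS settings reflects the "Enable anonymous access" check box, and it takes the list of zones approved in the system security plan as input (the entry shown is a constructed placeholder; the function name is hypothetical).

```powershell
# Added example: audit "Enable anonymous access" for every web application zone.
# Run on a farm server in an elevated shell with farm administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: zones documented in the system security plan (SSP) as allowing
# anonymous access, written as "<web application URL>|<zone>".
# The entry below is a constructed placeholder; replace it with the SSP's list.
$SspApprovedZones = @(
    'https://public.example.mil/|Internet'
)

function Get-AnonymousAccessFinding {
    param([string[]]$ApprovedZones = @())

    # Include Central Administration so no web application is skipped.
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        # IisSettings holds one entry per zone that is actually configured.
        foreach ($zone in @($webApp.IisSettings.Keys)) {
            $settings = $webApp.IisSettings[$zone]
            $key      = '{0}|{1}' -f $webApp.Url, $zone
            $approved = $ApprovedZones -contains $key

            [pscustomobject]@{
                WebApplication = $webApp.DisplayName
                Url            = $webApp.Url
                Zone           = $zone
                AllowAnonymous = $settings.AllowAnonymous
                InSsp          = $approved
                # Finding: anonymous access enabled and the zone is not in the SSP.
                Finding        = ($settings.AllowAnonymous -and -not $approved)
            }
        }
    }
}

$results = @(Get-AnonymousAccessFinding -ApprovedZones $SspApprovedZones)
$results | Sort-Object Url, Zone | Format-Table -AutoSize

$findings = @($results | Where-Object { $_.Finding })
if ($findings.Count -gt 0) {
    Write-Warning ("{0} zone(s) allow anonymous access without SSP approval." -f $findings.Count)
    exit 1
}
Write-Output 'No anonymous-access findings.'
```

A non-zero exit code lets a scheduled compliance job flag the farm; confirm any reported zone in Central Administration before recording the finding.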

Documentable

False

Severity Override Guidance

Review the SharePoint configuration to ensure non-organizational users (or processes acting on behalf of non-organizational users) are uniquely identified and authenticated.

Navigate to Central Administration website.

Click on "Manage web applications".

Click the web application name.

Click the "Authentication Providers" button in the "Web Applications" ribbon.

Click each Zone, and verify that the "Enable anonymous access" check box is not selected.

If it is selected and the web application zone is not defined in the system security plan as allowing anonymous access, this is a finding.

Repeat steps for each web application.

Check Content Reference

M

Target Key

4096

Comments