STIGQter: STIG Summary: Microsoft SharePoint 2013 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

SharePoint must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

DISA Rule

SV-223261r612235_rule

Vulnerability Number

V-223261

Group Title

SRG-APP-000238

Rule Version

SP13-00-000130

Severity

CAT II

CCI(s)

• CCI-001089 - The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

Weight

10

Fix Recommendation

Configure the SharePoint server to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

Configure access to Central Administration to be allowed over a management (OOB) network.

Configure Central Administration on a server that resides within the internal network (not on a server in the DMZ).

Configure management access (i.e., remote desktop access and local server access) so that it occurs only via a management network (OOB) and not over a production network.

Check Contents

Review the SharePoint server configuration to ensure security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers are implemented.

Check the network location of the Central Administration server.

If the server resides in the DMZ, this is a finding.

Attempt to access Central Administration without first connecting to a management network VPN.

If Central Administration can be accessed over a production network, this is a finding.

Attempt to connect directly to a SharePoint server (i.e., via remote desktop) without first connecting to a management network VPN.

If a remote desktop session can be established via a production network, this is a finding.

Vulnerability Number

V-223261

Documentable

False

Rule Version

SP13-00-000130

Severity Override Guidance

Review the SharePoint server configuration to ensure security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers are implemented.

Check the network location of the Central Administration server.

If the server resides in the DMZ, this is a finding.

Attempt to access Central Administration without first connecting to a management network VPN.

If Central Administration can be accessed over a production network, this is a finding.

Attempt to connect directly to a SharePoint server (i.e., via remote desktop) without first connecting to a management network VPN.

If a remote desktop session can be established via a production network, this is a finding.

Check Content Reference

M

Target Key

4096

Comments