STIGQter: STIG Summary: Microsoft SharePoint 2013 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The SharePoint setup account must be configured with the minimum privileges for the local server.

DISA Rule

SV-223271r612235_rule

Vulnerability Number

V-223271

Group Title

SRG-APP-000516

Rule Version

SP13-00-000180

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure the SharePoint setup account with the minimum privileges for the local server.

- On the server(s) where the SharePoint software is installed, navigate to Server Manager -> Local Users and Groups.
- Select the “Member of” tab.
- Configure the SharePoint Setup User as a member of Administrators, WSS_ADMIN_WPG, and IIS_IUSRS groups.
- Remove all other group memberships from this account.
- Select the other tabs in this area and remove other services or permissions configured for this account.

Check Contents

Review the SharePoint server configuration to ensure the setup account is configured with the minimum privileges for the local server.

- On the server(s) where the SharePoint software is installed, navigate to Server Manager >> Local Users and Groups.
- Select the “Member of” tab and verify this account is only a member of the Administrators, WSS_ADMIN_WPG, and IIS_IUSRS groups.
- Select the other tabs in this area to verify no other services or permissions are configured for this account.

If the Setup User account is a member of any other groups than Administrators, WSS_ADMIN_WPG, and IIS_IUSRS on the local server where SharePoint is installed, this is a finding.

Vulnerability Number

V-223271

Documentable

False

Rule Version

SP13-00-000180

Severity Override Guidance

Review the SharePoint server configuration to ensure the setup account is configured with the minimum privileges for the local server.

- On the server(s) where the SharePoint software is installed, navigate to Server Manager >> Local Users and Groups.
- Select the “Member of” tab and verify this account is only a member of the Administrators, WSS_ADMIN_WPG, and IIS_IUSRS groups.
- Select the other tabs in this area to verify no other services or permissions are configured for this account.

If the Setup User account is a member of any other groups than Administrators, WSS_ADMIN_WPG, and IIS_IUSRS on the local server where SharePoint is installed, this is a finding.

Check Content Reference

M

Target Key

4096

Comments