Microsoft SharePoint 2013 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
The SharePoint setup account must be configured with the minimum privileges on the SQL server.
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to elimina...
Rule severity: Medium
Group: SRG-APP-000516
A secondary SharePoint site collection administrator must be defined when creating a new site collection.
If a site reaches its maximum size, users will be denied access until an administrator fixes the problem. Having a secondary administrator reduces the risk of having a Denial-of-Service on a site. ...
Rule severity: Low
Group: SRG-APP-000142
Group: SRG-APP-000516
SharePoint-specific malware (i.e. anti-virus) protection software must be integrated and configured.
Configuring anti-virus settings ensures documents will be scanned for viruses upon download from and upload to the SharePoint server. Anti-virus settings are not configured by default, therefore le...
Rule severity: Medium
Group: SRG-APP-000516
SharePoint server access to the Online Web Part Gallery must be configured for limited access.
Web Part galleries are groupings of Web Parts. There are four Web Part galleries: Closed Web Parts, Site Name Gallery, Server Gallery, and Online Gallery. The Online Gallery is a collection of Micr...
Rule severity: Medium
Group: SRG-APP-000516
Group: SRG-APP-000204
SharePoint must validate the integrity of security attributes exchanged between systems.
When data is exchanged between information systems, the security attributes associated with said data need to be maintained. Security attributes are an abstraction representing the basic propertie...
Rule severity: Medium
SharePoint must use cryptography to protect the integrity of the remote access session.
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet)....
Rule severity: High
SharePoint must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and w...
Rule severity: High
SharePoint must provide the ability to prohibit the transfer of unsanctioned information in accordance with security policy.
The application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information flow...
Rule severity: Medium
SharePoint must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.
Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific applicat...
Rule severity: Medium
SharePoint must prevent the execution of prohibited mobile code.
Decisions regarding the utilization of mobile code within organizational information systems need to include evaluations that help determine the potential for the code to cause damage to the system...
Rule severity: High
SharePoint must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status...
Rule severity: Medium
SharePoint must employ NSA-approved cryptography to protect classified information.
Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for SharePoint. Different versions of the Windows Server OS and versions of SharePoint wi...
Rule severity: High
SharePoint must employ FIPS-validated cryptography to protect unclassified information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for SharePoint. Different versions of the Windows Server OS and versions of SharePoint wi...
Rule severity: High
SharePoint must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. When transmitting data, applications need to leverage transmission protection mechanisms such as TLS, SSL VPNs, or IPSec.
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission....
Rule severity: High
SharePoint must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for SharePoint. Different versions of the Windows Server OS and versions of SharePoint wi...
Rule severity: High
The SharePoint farm service account (database access account) must be configured with minimum privileges on the SQL server.
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to elimina...
Rule severity: Medium
When configuring SharePoint Central Administration, the port number selected must comply with DoD Ports and Protocol Management (PPSM) program requirements.
During the installation of Microsoft SharePoint, the Central Administration Web site is established on a randomly-assigned TCP port by default. Allowing a randomly-assigned default may result in us...
Rule severity: Medium
The SharePoint farm service account (database access account) must be configured with the minimum privileges for the local server.
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to elimina...
Rule severity: Medium