How to Secure a sharepoint server?

  • Question

  • Hi everyone, I have recently been hired to secure an IT environment that has a SharePoint server. No one that works here was involved in the setup of the server and no one is really familiar with SharePoint. One of my first tasks is to go through each server and try to limit the attack surface. I am now at the SharePoint server and have identified some potentially unnecessary services but want to make sure that I am not breaking anything when disabling them.

    Here is my list:

    The server is listening on port 21. Action: Disable the FTP service

    The server has the MS ESMTP service running. Action: Disable it.

    RPC is running. Disable RPC

    The server listens on port 1433 MS SQL. Action: No idea. Is it a problem?

    There are a number of hidden shares. Action: Disable them by "registry hack"

    Of course only ports 80 and 443 are allowed in through the FW.

    Do you think I would break any of the SharePoint functionality if I take any of the suggested actions?

     

    Regards, 

    Jonas

    • Edited by Mike Walsh FIN Thursday, January 6, 2011 10:48 AM - advice removed from Title. Title changed into a question.
    Thursday, January 6, 2011 10:27 AM
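
An added example (not part of the thread and not any poster's code): before disabling anything on the list in the question, map each listening port to the process and Windows services that own it. The script parses saved `netstat -ano` and `tasklist /svc` output; the sample text, PIDs and function names are constructed for illustration.

```python
import re

# Constructed sample output of `netstat -ano` and `tasklist /svc` (not from the thread).
NETSTAT = """\
  Proto  Local Address    Foreign Address    State         PID
  TCP    0.0.0.0:21       0.0.0.0:0          LISTENING     1480
  TCP    0.0.0.0:25       0.0.0.0:0          LISTENING     1480
  TCP    0.0.0.0:80       0.0.0.0:0          LISTENING     4
  TCP    0.0.0.0:135      0.0.0.0:0          LISTENING     712
  TCP    0.0.0.0:443      0.0.0.0:0          LISTENING     4
  TCP    0.0.0.0:1433     0.0.0.0:0          LISTENING     1924
  TCP    127.0.0.1:1434   0.0.0.0:0          LISTENING     1924
  TCP    10.0.0.5:80      10.0.0.77:51515    ESTABLISHED   4
"""
TASKLIST = """\
Image Name                   PID Services
========================= ====== ============================
System                         4 N/A
svchost.exe                  712 RpcSs
inetinfo.exe                1480 IISADMIN, MSFTPSVC, SMTPSVC
sqlservr.exe                1924 MSSQLSERVER
"""

def parse_services(tasklist_text):
    """Map PID -> (image name, [service names]) from `tasklist /svc` output."""
    owners = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:  # header and ruler lines carry no PID column and are skipped
            owners[int(m.group(2))] = (m.group(1), [s.strip() for s in m.group(3).split(",")])
    return owners

def audit_listeners(netstat_text, tasklist_text, allowed_ports=(80, 443)):
    """List TCP listeners with owning process/services and firewall-policy status."""
    owners, findings = parse_services(tasklist_text), []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] != "LISTENING":
            continue  # header, UDP and non-listening rows
        addr, _, port = f[1].rpartition(":")
        image, services = owners.get(int(f[4]), ("unknown", []))
        findings.append({"port": int(port), "bind": addr, "image": image,
                         # a PID hosting several services owns all of them jointly
                         "services": services,
                         "loopback_only": addr.startswith("127."),
                         "allowed_in": int(port) in allowed_ports})
    return sorted(findings, key=lambda x: x["port"])

def needs_review(findings):
    """Listeners reachable on a network interface but not in the allowed set."""
    return [x for x in findings if not x["allowed_in"] and not x["loopback_only"]]

if __name__ == "__main__":
    for x in needs_review(audit_listeners(NETSTAT, TASKLIST)):
        print(x["port"], x["bind"], x["image"], ", ".join(x["services"]))
```

The review list names the owning service for each port, so a dependency check can be done per service before anything is stopped.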

All replies

  • >  i have recently been hired to secure an IT environment that has a sharepoint-server.

    As there are many different products of different generations called SharePoint Server or variations of that name, please specify exactly which SharePoint Server you are running.


    SP 2010 "FAQ" (mainly useful links): http://wssv4faq.mindsharp.com/default.aspx
    WSS3/MOSS FAQ (FAQ and Links) http://wssv3faq.mindsharp.com/default.aspx
    Both also have links to extensive book lists and to (free) on-line chapters
    Thursday, January 6, 2011 10:50 AM
  • Hi Jonas,

    From a network point of view it is quite secure.

    Here are some more suggestions:

    • Make sure that Microsoft SharePoint is running on a secure IIS site.
    • At its core, a SharePoint site is simply an IIS Web site, so you can take the standard methods of securing any IIS site and get significant results in increasing overall WSS security.
    • Make sure SSL is enabled. Harden the permissions for users to get access to the virtual directory that SharePoint runs in, use strong authentication methods (NTLM or Kerberos), and ensure the Web server itself is protected using typical Windows hardening methods.

    Other reference

    http://it.toolbox.com/blogs/programming-life/an-introduction-to-implementing-a-secure-sharepoint-portal-environment-11903


    Regards, Pratik Vyas | SharePoint Consultant | http://sharepointpratik.blogspot.com/
    • Marked as answer by Jonas Haglund Friday, January 7, 2011 8:43 AM
    Thursday, January 6, 2011 10:56 AM
  • Pratik,

    While your advice is good here as always, please - if a poster has been asked which particular product he is using, - *wait* for his reply before you comment in the forum.

    I don't always ask which product but when I do there *is* a reason for me asking.

    Moderator

     

    P.S. Nowhere for instance in his post does the poster say even that the server is accessible from the Internet. There are a lot of missing items in his post before we can start issuing such important things as security recommendations.


    • Edited by Mike Walsh FIN Thursday, January 6, 2011 11:07 AM P.S. added
    Thursday, January 6, 2011 11:04 AM
  • Oh I always miss something :-)

     

    It's a WSS 3.0 installation on a Server 2003 SP2.

     

    Thanks,

    Jonas

    Thursday, January 6, 2011 1:04 PM
  • Hi Pratik, and thanks for your suggestions!

     

    Have I understood you correctly that it is not necessary to take any of the actions that I suggested in my original post?

    Talking about securing IIS, I have understood that the NTFS permissions are of the essence. And for a SharePoint site the folders of interest are:

     

    • C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
    • C:\Inetpub\Wwwroot\wss\VirtualDirectories\80

    correct?

    Would it be sufficient to follow these instructions when securing the folders http://support.microsoft.com/kb/812614?

    And last, would you recommend using URL scan 3.1 for sharepoint WSS 3.0? 

     

    Regards,

    Jonas

    Thursday, January 6, 2011 3:38 PM
  • Jonas,

    You have mentioned steps which are fine for network security (hardware / physical security).

    I agree with all those steps. :)

    I have just mentioned additional steps to you which will give you quite a secure env.

    The http://support.microsoft.com/kb/812614 link is perfect for web folders and IIS 6.0 security.

    URLscan will again give you a more secure env.

     


    Regards, Pratik Vyas | SharePoint Consultant | http://sharepointpratik.blogspot.com/
    Thursday, January 6, 2011 3:46 PM
  • Well, then I know how to spend the day, thanks! 

     

    /Jonas

    Friday, January 7, 2011 8:46 AM