Checking the impact of particular security baseline to Office SharePoint 2007

Question
There is a SharePoint server farm consisting of 2 WFE, 2 SSP and 2 DB servers (cluster). I need to apply the Windows and IIS security baseline on all these 6 servers.
Question:
1) Can I disable the default administrative share on the 2 WFE and 2 SSP servers? Any impact? If I cannot disable it, what is the justification?
2) Previously, after applying the IIS security baseline below, all the SharePoint sites were down. Some files in the IIS virtual directory were missing. I wonder which security baseline setting was causing that. I also wonder whether the IIS security baseline was the culprit.
Thank you.
Edited by JPOlas Monday, August 13, 2012 8:47 AM
Monday, August 13, 2012 8:45 AM
All replies
BASELINE CHECKLIST (IIS CONFIGURATION)

| No. | Baseline Setting | Value | Comply (Y/N) | Remarks (if not comply) |
|---|---|---|---|---|
| | IIS HTTP SERVICE CONFIGURATION | | | |
| 2.5. | Website: Home Directory: Directory browsing allowed | Uncheck | | |
| 2.10. | Website: Home Directory: Write access permission | Uncheck | | |
| 2.15. | Website: Home Directory: Script source access | Uncheck | | |
| 2.20. | Website: Home Directory: Log visits access permission | Check | | |
| 2.25. | Website: Home Directory: Enable Parents Path | Uncheck | | |
| 2.30. | Website: Home Directory: Script mappings | Remove following: .ida, .htw, .idq, .idc, .shtm, .stm, .shtml, .printer, .cdx, .asa; Remove following if NOT Certificate Authority (CA) server: .cer; Remove following if NOT Outlook Web Access (OWA) server: .htr | | |
| 2.42. | Website: Home Directory: Error Message for Script Errors | Send following text error message to client | | |
| 2.47. | Website: Home Directory: Enable ASP client-side script debugging | Uncheck | | |
| 2.52. | Website: Home Directory: Enable ASP server-side script debugging | Uncheck | | |
| 2.57. | Website: Home Directory: Session timeout | 10 minutes | | |
| 2.62. | Website: Web site: Connection timeout | 120 seconds | | |
| 2.67. | Website: ISAPI Filter: ISAPI filters | Remove all unnecessary | | |
| 2.72. | Website: HTTP Headers: MIME type mappings | Remove all unnecessary | | |
| 2.77. | All sites: Directory: Execution Permissions | Scripts only / None | | |
| 2.82. | FrontPage Server Extensions | Ensure it is not installed (except on SharePoint Server 2003) | | |
| 2.88. | Website: Web site: Enable Logging | Active log format: W3C Extended Log Format; Log time period: Daily; Advanced: Time, Client IP Address, User Name, Server IP Address, Server Port, Method, URI Stem, HTTP Status, User Agent | | |
Monday, August 13, 2012 8:46 AM
BASELINE CHECKLIST (WINDOWS CONFIGURATION)

| No. | Baseline Setting | Value | Comply (Y/N) | Remarks (if not comply) |
|---|---|---|---|---|
| | IIS CRYPTOGRAPHY AND SECURITY CONFIGURATION | | | |
| 3.5. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server | DWORD: Enabled = 0 | | |
| 3.10. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server | DWORD: Enabled = 0 | | |
| 3.15. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128 | DWORD: Enabled = 0 | | |
| 3.32. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters | DWORD: EnableTraceMethod = 0 | | |
| | WINDOWS SERVICES | | | |
| 4.5. | Microsoft Index Server (except for SharePoint Server) | Disable | | |
| | WINDOWS REGISTRY | | | |
| 5.5. | %systemroot%\Program Files\Common Files\System\Msadc\msadcs.dll; HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory; HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory; HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls | Remove | | |
| 5.14. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters | DWORD: SSIEnableCmdDrive = 0 | | |
| | WINDOWS FILE SYSTEM | | | |
| 6.5. | %systemroot%\system32\inetsrv | Administrators: Full Control, SYSTEM: Full Control | | |
| 6.11. | %systemroot%\system32\logfiles | Administrators: Full Control, SYSTEM: Full Control, Service Account: Full Control | | |
| 6.18. | %iisroot%; %iisroot%\AdminScripts; %iisroot%\wwwroot; %iisroot%\ftproot; %iisroot%\news; %iisroot%\nntpfile; %iisroot%\mailroot | Administrators: Full Control, SYSTEM: Full Control, Service Account: Full Control | | |
| 6.31. | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters; HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters | Administrators: Full Control, SYSTEM: Full Control | | |
| 6.38. | %systemroot%\certsrv | Remove (except on Certificate Authority server) | | |
| 6.44. | Virtual directory ‘IISSAMPLES’; %iisroot%\iissamples; %iisroot%\wwwroot\samples; C:\Program Files\Common Files\System\msadc\Samples | Remove | | |
Monday, August 13, 2012 8:47 AM
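
A read-only way to fill in the Comply column for the registry DWORD items 3.5 to 3.32 of the checklist above, as an added example that is not part of the original posts. The function name Test-BaselineDword and the report layout are hypothetical; the keys and value names are the ones listed in the checklist.

```powershell
# Added example: read-only audit of checklist items 3.5, 3.10, 3.15 and 3.32.
# Nothing is written to the registry.
$schannel = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$w3svc    = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'

function Test-BaselineDword {   # hypothetical helper name
    param([string]$No, [string]$Key, [string]$Name, [int]$Expected = 0)
    # Use the .NET API: cipher key names such as "DES 56/56" contain "/",
    # which the PowerShell registry provider treats as a path separator.
    $actual = [Microsoft.Win32.Registry]::GetValue($Key, $Name, $null)
    if ($null -eq $actual) {
        # Absent key or value: the checklist's explicit 0 has not been set.
        $comply = 'N'; $remark = 'key or value not set (OS default applies)'
    } elseif ([int]$actual -eq $Expected) {
        $comply = 'Y'; $remark = ''
    } else {
        $comply = 'N'; $remark = "found $actual"
    }
    New-Object PSObject -Property @{
        No = $No; Setting = "$Key\$Name"; Comply = $comply; Remarks = $remark
    }
}

# One entry per registry value the checklist expects to be DWORD 0.
$items = @(
    @{ No = '3.5';  Key = "$schannel\Protocols\SSL 2.0\Server"; Name = 'Enabled' }
    @{ No = '3.10'; Key = "$schannel\Protocols\PCT 1.0\Server"; Name = 'Enabled' }
)
$ciphers = 'DES 56/56', 'NULL', 'RC2 40/128', 'RC2 56/128',
           'RC4 40/128', 'RC4 56/128', 'RC4 64/128'
foreach ($cipher in $ciphers) {
    $items += @{ No = '3.15'; Key = "$schannel\Ciphers\$cipher"; Name = 'Enabled' }
}
$items += @{ No = '3.32'; Key = $w3svc; Name = 'EnableTraceMethod' }

# Splat each entry into the helper and print the result as a table.
$report = foreach ($i in $items) { Test-BaselineDword @i }
$report | Select-Object No, Comply, Remarks, Setting | Format-Table -AutoSize -Wrap
```

Saving the output on one server before the baseline is applied and again afterwards shows which of these values changed.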