Checking the impact of particular security baseline to Office SharePoint 2007

  • Question

  • There is a SharePoint server farm consisting of 2 WFE, 2 SSP and 2 DB servers (cluster). I need to apply the Windows and IIS security baseline on all these 6 servers.

    Question:

    1) Can I disable the default administrative share on the 2 WFE and 2 SSP servers? Any impact? If I cannot disable it, what is the justification?

    2) Previously, after applying the IIS security baseline below, all the SharePoint sites were down. Some files in the IIS virtual directory were missing. I wonder which security baseline setting was causing that. I also wonder whether the IIS security baseline was the culprit.


    Thank you.
    • Edited by JPOlas Monday, August 13, 2012 8:47 AM
    Monday, August 13, 2012 8:45 AM

All replies

  • BASELINE CHECKLIST (IIS CONFIGURATION)

    | No. | Baseline Setting | Value | Comply (Y / N) | Remarks (if not comply) |
    |---|---|---|---|---|
    | 1. | IIS HTTP SERVICE CONFIGURATION | | | |
    | 2.5. | Website: Home Directory: Directory browsing allowed | Uncheck | | |
    | 2.10. | Website: Home Directory: Write access permission | Uncheck | | |
    | 2.15. | Website: Home Directory: Script source access | Uncheck | | |
    | 2.20. | Website: Home Directory: Log visits access permission | Check | | |
    | 2.25. | Website: Home Directory: Enable Parents Path | Uncheck | | |
    | 2.30. | Website: Home Directory: Script mappings | Remove following: .ida, .htw, .idq, .idc, .shtm, .stm, .shtml, .printer, .cdx, .asa<br>Remove following if NOT Certificate Authority (CA) server: .cer<br>Remove following if NOT Outlook Web Access (OWA) server: .htr | | |
    | 2.42. | Website: Home Directory: Error Message for Script Errors | Send following text error message to client | | |
    | 2.47. | Website: Home Directory: Enable ASP client-side script debugging | Uncheck | | |
    | 2.52. | Website: Home Directory: Enable ASP server-side script debugging | Uncheck | | |
    | 2.57. | Website: Home Directory: Session timeout | 10 minutes | | |
    | 2.62. | Website: Web site: Connection timeout | 120 seconds | | |
    | 2.67. | Website: ISAPI Filter: ISAPI filters | Remove all unnecessary | | |
    | 2.72. | Website: HTTP Headers: MIME type mappings | Remove all unnecessary | | |
    | 2.77. | All sites: Directory: Execution Permissions | Scripts only / None | | |
    | 2.82. | FrontPage Server Extensions | Ensure it is not installed (except on SharePoint Server 2003) | | |
    | 2.88. | Website: Web site: Enable Logging | Active log format: W3C Extended Log Format<br>Log time period: Daily<br>Advanced: Time, Client IP Address, User Name, Server IP Address, Server Port, Method, URI Stem, HTTP Status, User Agent | | |

    Monday, August 13, 2012 8:46 AM
  • BASELINE CHECKLIST (WINDOWS CONFIGURATION)

    | No. | Baseline Setting | Value | Comply (Y / N) | Remarks (if not comply) |
    |---|---|---|---|---|
    | 1. | IIS CRYPTOGRAPHY AND SECURITY CONFIGURATION | | | |
    | 3.5. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server | DWORD: Enabled = 0 | | |
    | 3.10. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server | DWORD: Enabled = 0 | | |
    | 3.15. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56<br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL<br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128<br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128<br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128<br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128<br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128 | DWORD: Enabled = 0<br>DWORD: Enabled = 0<br>DWORD: Enabled = 0<br>DWORD: Enabled = 0<br>DWORD: Enabled = 0<br>DWORD: Enabled = 0<br>DWORD: Enabled = 0 | | |
    | 3.32. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters | DWORD: EnableTraceMethod = 0 | | |
    | 1. | WINDOWS SERVICES | | | |
    | 4.5. | Microsoft Index Server (except for SharePoint Server) | Disable | | |
    | 1. | WINDOWS REGISTRY | | | |
    | 5.5. | %systemroot%\Program Files\Common Files\System\Msadc\msadcs.dll<br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory<br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory<br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls | Remove | | |
    | 5.14. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters | DWORD: SSIEnableCmdDrive = 0 | | |
    | 1. | WINDOWS FILE SYSTEM | | | |
    | 6.5. | %systemroot%\system32\inetsrv | Administrators: Full Control,<br>SYSTEM: Full Control | | |
    | 6.11. | %systemroot%\system32\logfiles | Administrators: Full Control,<br>SYSTEM: Full Control<br>Service Account: Full Control | | |
    | 6.18. | %iisroot%<br>%iisroot%\AdminScripts<br>%iisroot%\wwwroot<br>%iisroot%\ftproot<br>%iisroot%\news<br>%iisroot%\nntpfile<br>%iisroot%\mailroot | Administrators: Full Control,<br>SYSTEM: Full Control,<br>Service Account: Full Control | | |
    | 6.31. | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters<br>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters | Administrators: Full Control,<br>SYSTEM: Full Control | | |
    | 6.38. | %systemroot%\certsrv | Remove (except on Certificate Authority server) | | |
    | 6.44. | Virtual directory ‘IISSAMPLES’<br>%iisroot%\iissamples<br>%iisroot%\wwwroot\samples<br>C:\Program Files\Common Files\System\msadc\Samples | Remove | | |

    Monday, August 13, 2012 8:47 AM
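
An added example, not part of the original thread: a read-only PowerShell check that reports the current state of the registry DWORDs from checklist items 3.5 to 3.32 and 5.14, so each server can be compared against the baseline before and after it is applied. It assumes Windows PowerShell 2.0 or later; the function name `Test-BaselineValue` and the variable names are made up for this illustration.

```powershell
# Read-only audit of the registry DWORDs in checklist items 3.5-3.32 and 5.14.
# Nothing is written; the result fills in the "Comply (Y / N)" column for those rows.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$w3svc    = 'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
$ciphers  = 'DES 56/56', 'NULL', 'RC2 40/128', 'RC2 56/128',
            'RC4 40/128', 'RC4 56/128', 'RC4 64/128'

# Item number, key path under HKLM, value name, expected DWORD (all from the checklist).
$baseline = @(
    @{ No = '3.5';  Key = "$schannel\Protocols\SSL 2.0\Server"; Name = 'Enabled'; Want = 0 }
    @{ No = '3.10'; Key = "$schannel\Protocols\PCT 1.0\Server"; Name = 'Enabled'; Want = 0 }
)
foreach ($c in $ciphers) {
    $baseline += @{ No = '3.15'; Key = "$schannel\Ciphers\$c"; Name = 'Enabled'; Want = 0 }
}
$baseline += @{ No = '3.32'; Key = $w3svc; Name = 'EnableTraceMethod'; Want = 0 }
$baseline += @{ No = '5.14'; Key = $w3svc; Name = 'SSIEnableCmdDrive'; Want = 0 }

function Test-BaselineValue {
    param([hashtable]$Item)
    # The HKLM: provider treats "/" as a path separator, so keys such as
    # "RC4 40/128" are opened through the .NET registry API instead.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Item.Key)
    $actual = $null
    if ($key) {
        $actual = $key.GetValue($Item.Name, $null)
        $key.Close()
    }
    # A missing key or value means the OS default applies; it is reported as N
    # because the checklist lists an explicit 0.
    if ($null -eq $actual) {
        $shown = 'not set'; $comply = 'N'
    } elseif ($actual -eq $Item.Want) {
        $shown = $actual; $comply = 'Y'
    } else {
        $shown = $actual; $comply = 'N'
    }
    New-Object PSObject -Property @{
        No = $Item.No; Key = $Item.Key; Value = $Item.Name; Actual = $shown; Comply = $comply
    }
}

$baseline | ForEach-Object { Test-BaselineValue $_ } |
    Select-Object No, Value, Actual, Comply, Key | Format-Table -AutoSize -Wrap
```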