CIS Microsoft SharePoint 2016 OS v1.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Microsoft SharePoint 2016 OS v1.0.0

Updated: 12/3/2018

Authority: CIS

Plugin: Windows

Revision: 1.1

Estimated Item Count: 42

File Details

Filename: CIS_Microsoft_SharePoint_2016_OS_v1.0.0_Level_1.audit

Size: 81.6 kB

Audit Items

Description | Categories
1.1 Ensure access to SharePointEmailws.asmx is limited to only the server farm account |
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - HTTPS | SYSTEM AND COMMUNICATIONS PROTECTION
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - Port 443 | SYSTEM AND COMMUNICATIONS PROTECTION
1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | SYSTEM AND COMMUNICATIONS PROTECTION
1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Auth Provider | SYSTEM AND COMMUNICATIONS PROTECTION
2.1 Ensure 'Block File Types' is configured to match the enterprise blacklist | SYSTEM AND COMMUNICATIONS PROTECTION
2.2 Ensure the SharePoint farm service account (database access account) is configured with the minimum privileges for the local server. | ACCESS CONTROL
2.3 Ensure the SharePoint setup account is configured with the minimum privileges in Active Directory. | ACCESS CONTROL
2.4 Ensure SharePoint provides the ability to prohibit the transfer of unsanctioned information in accordance with security policy. | ACCESS CONTROL
2.7 Ensure only the server farm account has access to SharePointEmailws.asmx |
2.8 Ensure a separate organizational unit (OU) in Active Directory exists for SharePoint 2016 objects. |
2.9 Ensure the SharePoint Central Administration site is not accessible from Extranet or Internet connections | SYSTEM AND COMMUNICATIONS PROTECTION
2.11 Ensure that the SharePoint Online Web Part Gallery component is configured with limited access | ACCESS CONTROL
3.1 Ensure a secondary SharePoint site collection administrator has been defined on each site collection. | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
3.2 Ensure SharePoint implements an information system isolation boundary that minimizes the number of non-security functions. | SYSTEM AND COMMUNICATIONS PROTECTION
3.3 Ensure SharePoint implements security functions as a layered structure minimizing interactions between layers of the design. |
3.4 Ensure SharePoint identifies data type, specification, and usage when transferring information between different security domains. | ACCESS CONTROL
3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Attempt to clean | SYSTEM AND INFORMATION INTEGRITY
3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Scan on download | SYSTEM AND INFORMATION INTEGRITY
3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Scan on upload | SYSTEM AND INFORMATION INTEGRITY
3.6 Ensure that SharePoint is configured with 'Strict' browser file handling settings | CONFIGURATION MANAGEMENT
3.7 Ensure that SharePoint is set to reject or delay network traffic generated above traffic volume thresholds - connectionTimeout | ACCESS CONTROL
3.7 Ensure that SharePoint is set to reject or delay network traffic generated above traffic volume thresholds - maxBandwidth | SYSTEM AND COMMUNICATIONS PROTECTION
3.7 Ensure that SharePoint is set to reject or delay network traffic generated above traffic volume thresholds - maxConnections | SYSTEM AND COMMUNICATIONS PROTECTION
3.8 Ensure that On-Premise SharePoint servers is configured without OneDrive redirection linkages. | CONFIGURATION MANAGEMENT
3.9 Ensure that the default SharePoint database server ports are changed and/or disabled | CONFIGURATION MANAGEMENT
3.10 Ensure that SharePoint application servers are protected by a reverse proxy |
3.11 Ensure SharePoint database servers are segregated from application server and placed in a secure zone. |
3.12 Ensure that the SharePoint Central Administration interface is not hosted in the DMZ. |
4.1 Ensure SharePoint displays an approved system use notification message or banner before granting access to the system. | ACCESS CONTROL
4.2 Ensure claims-based authentication is used for all web applications and zones of a SharePoint 2016 farm | IDENTIFICATION AND AUTHENTICATION
4.3 Ensure Windows Authentication uses Kerberos and not the NT Lan Manager (NTLM) authentication protocol | SYSTEM AND COMMUNICATIONS PROTECTION
4.4 Ensure Anonymous authentication is denied | ACCESS CONTROL
5.1 Ensure that auditable events and diagnostic tracking settings within SharePoint is consistent with the organization's security plans | AUDIT AND ACCOUNTABILITY
5.2 Ensure that remote sessions for accessing security functions and security-relevant information are audited |
6.2 Ensure HTTPS binding: TCP 32844 is used | SYSTEM AND COMMUNICATIONS PROTECTION
6.3 Ensure that SharePoint user sessions are terminated upon user logoff and when the idle time limit is exceeded | ACCESS CONTROL
7.1 Ensure that the MaxZoneParts setting for Web Part limits is set to 100. | CONFIGURATION MANAGEMENT
7.2 Ensure that the SafeControls list is set to the minimum set of controls needed for your sites | SYSTEM AND COMMUNICATIONS PROTECTION
7.3 Ensure compilation or scripting of database pages via the PageParserPaths elements is not allowed | SYSTEM AND INFORMATION INTEGRITY
7.4 Ensure the SharePoint CallStack and AllowPageLevelTrace 'SafeMode' parameters are set to false - AllowPageLevelTrace | SYSTEM AND INFORMATION INTEGRITY
7.4 Ensure the SharePoint CallStack and AllowPageLevelTrace 'SafeMode' parameters are set to false - CallStack | SYSTEM AND INFORMATION INTEGRITY