1.1 Ensure access to SharePointEmailws.asmx is limited to only the server farm account | CONFIGURATION MANAGEMENT |
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - HTTPS | SYSTEM AND COMMUNICATIONS PROTECTION |
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - Port 443 | SYSTEM AND COMMUNICATIONS PROTECTION |
1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | SYSTEM AND COMMUNICATIONS PROTECTION |
1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Auth Provider | SYSTEM AND COMMUNICATIONS PROTECTION |
2.1 Ensure 'Block File Types' is configured to match the enterprise blacklist | SYSTEM AND COMMUNICATIONS PROTECTION |
2.2 Ensure the SharePoint farm service account (database access account) is configured with the minimum privileges for the local server. | ACCESS CONTROL |
2.3 Ensure the SharePoint setup account is configured with the minimum privileges in Active Directory. | ACCESS CONTROL |
2.4 Ensure SharePoint provides the ability to prohibit the transfer of unsanctioned information in accordance with security policy. | SYSTEM AND COMMUNICATIONS PROTECTION |
2.7 Ensure a separate organizational unit (OU) in Active Directory exists for SharePoint 2016 objects. | |
2.8 Ensure the SharePoint Central Administration site is not accessible from Extranet or Internet connections | SYSTEM AND COMMUNICATIONS PROTECTION |
2.10 Ensure that the SharePoint Online Web Part Gallery component is configured with limited access | ACCESS CONTROL |
3.1 Ensure a secondary SharePoint site collection administrator has been defined on each site collection. | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2 Ensure SharePoint implements an information system isolation boundary that minimizes the number of non-security functions. | SYSTEM AND COMMUNICATIONS PROTECTION |
3.3 Ensure SharePoint implements security functions as a layered structure minimizing interactions between layers of the design. | |
3.4 Ensure SharePoint identifies data type, specification, and usage when transferring information between different security domains. | SYSTEM AND COMMUNICATIONS PROTECTION |
3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Attempt to clean | SYSTEM AND INFORMATION INTEGRITY |
3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Scan on download | SYSTEM AND INFORMATION INTEGRITY |
3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Scan on upload | SYSTEM AND INFORMATION INTEGRITY |
3.6 Ensure that SharePoint is configured with 'Strict' browser file handling settings | CONFIGURATION MANAGEMENT |
3.7 Ensure that SharePoint is set to reject or delay network traffic generated above traffic volume thresholds - connectionTimeout | ACCESS CONTROL |
3.7 Ensure that SharePoint is set to reject or delay network traffic generated above traffic volume thresholds - maxBandwidth | SYSTEM AND COMMUNICATIONS PROTECTION |
3.7 Ensure that SharePoint is set to reject or delay network traffic generated above traffic volume thresholds - maxConnections | SYSTEM AND COMMUNICATIONS PROTECTION |
3.8 Ensure that On-Premise SharePoint servers are configured without OneDrive redirection linkages. | CONFIGURATION MANAGEMENT |
3.9 Ensure that SharePoint application servers are protected by a reverse proxy | |
3.10 Ensure SharePoint database servers are segregated from application server and placed in a secure zone. | |
3.11 Ensure that the SharePoint Central Administration interface is not hosted in the DMZ. | |
4.1 Ensure SharePoint displays an approved system use notification message or banner before granting access to the system. | ACCESS CONTROL |
4.2 Ensure claims-based authentication is used for all web applications and zones of a SharePoint 2016 farm | IDENTIFICATION AND AUTHENTICATION |
4.3 Ensure Windows Authentication uses Kerberos and not the NT LAN Manager (NTLM) authentication protocol | SYSTEM AND COMMUNICATIONS PROTECTION |
4.4 Ensure Anonymous authentication is denied | ACCESS CONTROL |
5.1 Ensure that auditable events and diagnostic tracking settings within SharePoint are consistent with the organization's security plans | AUDIT AND ACCOUNTABILITY |
5.2 Ensure that remote sessions for accessing security functions and security-relevant information are audited | |
6.2 Ensure SharePoint is configured with HTTPS connections | SYSTEM AND COMMUNICATIONS PROTECTION |
6.3 Ensure that SharePoint user sessions are terminated upon user logoff and when the idle time limit is exceeded | ACCESS CONTROL |
7.1 Ensure that the MaxZoneParts setting for Web Part limits is set to 100. | CONFIGURATION MANAGEMENT |
7.2 Ensure that the SafeControls list is set to the minimum set of controls needed for your sites | SYSTEM AND COMMUNICATIONS PROTECTION |
7.3 Ensure compilation or scripting of database pages via the PageParserPaths elements is not allowed | SYSTEM AND INFORMATION INTEGRITY |
7.4 Ensure the SharePoint CallStack and AllowPageLevelTrace 'SafeMode' parameters are set to false - AllowPageLevelTrace | SYSTEM AND INFORMATION INTEGRITY |
7.4 Ensure the SharePoint CallStack and AllowPageLevelTrace 'SafeMode' parameters are set to false - CallStack | SYSTEM AND INFORMATION INTEGRITY |
CIS_Microsoft_SharePoint_2016_OS_v1.1.0_Level_1.audit from CIS Microsoft SharePoint 2016 Benchmark v1.1.0 | |