1.1 Ensure access to SharePointEmailws.asmx is limited to only the server farm account | CONFIGURATION MANAGEMENT |
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - HTTPS | SYSTEM AND COMMUNICATIONS PROTECTION |
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - Port 443 | SYSTEM AND COMMUNICATIONS PROTECTION |
1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | SYSTEM AND COMMUNICATIONS PROTECTION |
1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Authentication Provider | SYSTEM AND COMMUNICATIONS PROTECTION |
2.1 Ensure 'Blocked File Types' is configured to match the enterprise blacklist | SYSTEM AND COMMUNICATIONS PROTECTION |
2.2 Ensure the SharePoint farm service account (database access account) is configured with the minimum privileges for the local server. | ACCESS CONTROL |
2.3 Ensure the SharePoint setup account is configured with the minimum privileges in Active Directory. | ACCESS CONTROL |
2.6 Ensure a separate organizational unit (OU) in Active Directory exists for SharePoint 2019 objects. | |
2.7 Ensure the SharePoint Central Administration site is not accessible from Extranet or Internet connections | SYSTEM AND COMMUNICATIONS PROTECTION |
2.9 Ensure that the SharePoint Online Web Part Gallery component is configured with limited access | ACCESS CONTROL |
3.1 Ensure a secondary SharePoint site collection administrator has been defined on each site collection. | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.2 Ensure SharePoint implements an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions. | SYSTEM AND COMMUNICATIONS PROTECTION |
3.3 Ensure SharePoint implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. | SYSTEM AND COMMUNICATIONS PROTECTION |
3.4 Ensure SharePoint identifies data type, specification, and usage when transferring information between different security domains so policy restrictions may be applied. | SYSTEM AND COMMUNICATIONS PROTECTION |
3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Attempt to clean | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Download Scan | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Upload Scan | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
3.6 Ensure that SharePoint is configured with 'Strict' browser file handling settings | CONFIGURATION MANAGEMENT |
3.7 Ensure that SharePoint is set to reject or delay network traffic generated above configurable traffic volume thresholds - Connection Timeout | ACCESS CONTROL |
3.7 Ensure that SharePoint is set to reject or delay network traffic generated above configurable traffic volume thresholds - Max Bandwidth | SYSTEM AND COMMUNICATIONS PROTECTION |
3.7 Ensure that SharePoint is set to reject or delay network traffic generated above configurable traffic volume thresholds - Max Connections | SYSTEM AND COMMUNICATIONS PROTECTION |
3.8 Ensure that On-Premises SharePoint servers are configured without OneDrive redirection linkages. | CONFIGURATION MANAGEMENT |
3.9 Ensure that SharePoint application servers are protected by a reverse proxy | |
3.10 Ensure SharePoint database servers are segregated from application server and placed in a secure zone. | SYSTEM AND INFORMATION INTEGRITY |
3.11 Ensure that the SharePoint Central Administration interface is not hosted in the DMZ. | |
4.1 Ensure SharePoint displays an approved system use notification message or banner before granting access to the system. | ACCESS CONTROL |
4.2 Ensure claims-based authentication is used for all web applications and zones of a SharePoint 2019 farm | IDENTIFICATION AND AUTHENTICATION |
4.3 Ensure Windows Authentication uses Kerberos and not the NT Lan Manager (NTLM) authentication protocol | SYSTEM AND COMMUNICATIONS PROTECTION |
4.4 Ensure Anonymous authentication is denied | ACCESS CONTROL |
5.1 Ensure that auditable events and diagnostic tracking settings within the SharePoint system are consistent with the organization's security plans | AUDIT AND ACCOUNTABILITY |
5.2 Ensure that remote sessions for accessing security functions and security-relevant information are audited | |
6.2 Ensure SharePoint is configured with HTTPS connections | SYSTEM AND COMMUNICATIONS PROTECTION |
6.3 Ensure that SharePoint user sessions are terminated upon user logoff and when the idle time limit is exceeded | ACCESS CONTROL |
7.1 Ensure that the MaxZoneParts setting for Web Parts is configured | CONFIGURATION MANAGEMENT |
7.2 Ensure that the SafeControls list is set to the minimum set of controls needed for your sites | SYSTEM AND COMMUNICATIONS PROTECTION |
7.3 Ensure compilation or scripting of database pages via the PageParserPaths elements is not allowed | SYSTEM AND INFORMATION INTEGRITY |
7.4 Ensure the SharePoint CallStack and AllowPageLevelTrace 'SafeMode' parameters are set to false - AllowPageLevelTrace | SYSTEM AND INFORMATION INTEGRITY |
7.4 Ensure the SharePoint CallStack and AllowPageLevelTrace 'SafeMode' parameters are set to false - CallStack | SYSTEM AND INFORMATION INTEGRITY |
CIS_Microsoft_SharePoint_2019_OS_v1.0.0_Level_1.audit from CIS Microsoft SharePoint 2019 Benchmark v1.0.0 | |
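The following script is an added example, not part of the CIS benchmark or of the Tenable .audit file listed above. It is a read-only PowerShell check, run from the SharePoint 2019 Management Shell on a farm server with farm-administrator rights, of the items in this list that are visible through the SharePoint object model and each zone's web.config: 1.2 (Central Administration on HTTPS/443), 2.1 (blocked file types), 3.6 (Strict browser file handling), 4.2 (claims authentication), 1.4/4.3 (Kerberos rather than NTLM), 4.4 (anonymous access denied), 6.2 (HTTPS per zone), 7.1 (MaxZoneParts), 7.2 (SafeControls count, reported for review), 7.3 (PageParserPaths) and 7.4 (CallStack and AllowPageLevelTrace). The `$expectedBlocked` list is a constructed placeholder for the "enterprise blacklist" that 2.1 refers to and must be replaced with the real list; the function names `Add-Finding` and `PassFail` are the example's own.

```powershell
# Added example (not CIS or Tenable code): read-only audit of selected CIS SharePoint 2019 items.
# Run in the SharePoint 2019 Management Shell on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$findings = New-Object System.Collections.Generic.List[object]
function PassFail([bool]$Condition) { if ($Condition) { 'PASS' } else { 'FAIL' } }
function Add-Finding([string]$Control, [string]$Scope, [string]$Result, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Scope = $Scope; Result = $Result; Detail = $Detail })
}

# Constructed placeholder for the "enterprise blacklist" in 2.1; replace with the real list.
$expectedBlocked = @('ashx', 'asmx', 'exe', 'dll', 'json', 'soap', 'svc', 'xamlx')

# 1.2: Central Administration must be published on HTTPS, port 443
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication } | Select-Object -First 1
$caUri = [Uri]$ca.Url
Add-Finding '1.2' $ca.Url (PassFail ($caUri.Scheme -eq 'https' -and $caUri.Port -eq 443)) "scheme=$($caUri.Scheme) port=$($caUri.Port)"

foreach ($wa in Get-SPWebApplication) {
    $name = $wa.DisplayName

    # 2.1: every extension on the enterprise list must be in the web application's blocked list
    $missing = @($expectedBlocked | Where-Object { $wa.BlockedFileExtensions -notcontains $_ })
    Add-Finding '2.1' $name (PassFail ($missing.Count -eq 0)) "not blocked: $($missing -join ',')"

    # 3.6: Strict browser file handling forces downloads instead of rendering content inline
    Add-Finding '3.6' $name (PassFail ($wa.BrowserFileHandling -eq 'Strict')) "BrowserFileHandling=$($wa.BrowserFileHandling)"

    # 4.2: claims-based authentication on the web application
    Add-Finding '4.2' $name (PassFail $wa.UseClaimsAuthentication) "UseClaimsAuthentication=$($wa.UseClaimsAuthentication)"

    foreach ($zone in $wa.IisSettings.Keys) {
        $iis   = $wa.IisSettings[$zone]
        $scope = "$name/$zone"

        # 1.4 / 4.3: zones using Windows authentication must negotiate Kerberos (DisableKerberos = NTLM only)
        if ($iis.UseWindowsIntegratedAuthentication) {
            Add-Finding '4.3' $scope (PassFail (-not $iis.DisableKerberos)) "DisableKerberos=$($iis.DisableKerberos)"
        }
        # 4.4: anonymous access must be off
        Add-Finding '4.4' $scope (PassFail (-not $iis.AllowAnonymous)) "AllowAnonymous=$($iis.AllowAnonymous)"
        # 6.2: the zone's public URL must be HTTPS
        $uri = $wa.GetResponseUri($zone)
        Add-Finding '6.2' $scope (PassFail ($uri.Scheme -eq 'https')) "url=$uri"

        # 7.x: settings that live only in the zone's web.config; skip zones not hosted on this server
        $webConfig = Join-Path $iis.Path.FullName 'web.config'
        if (-not (Test-Path $webConfig)) { continue }
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($webConfig)
        # XPath is used instead of dotted navigation because PowerShell returns an empty
        # element such as <PageParserPaths></PageParserPaths> as a string, not a node.
        $safeMode = $xml.SelectSingleNode('/configuration/SharePoint/SafeMode')
        $limits   = $xml.SelectSingleNode('/configuration/SharePoint/WebPartLimits')
        $parsers  = $xml.SelectNodes('/configuration/SharePoint/SafeMode/PageParserPaths/PageParserPath')
        $safeCtl  = $xml.SelectNodes('/configuration/SharePoint/SafeControls/SafeControl')

        # 7.1: MaxZoneParts must be explicitly set on WebPartLimits
        $maxZone = if ($limits) { $limits.GetAttribute('MaxZoneParts') } else { '' }
        Add-Finding '7.1' $scope (PassFail ($maxZone -ne '')) "MaxZoneParts=$maxZone"
        # 7.2: no generic pass/fail; report the SafeControl count for review against your baseline
        Add-Finding '7.2' $scope 'INFO' "SafeControl entries=$($safeCtl.Count)"
        # 7.3: no PageParserPath entries, so no server-side compilation of database-stored pages
        Add-Finding '7.3' $scope (PassFail ($parsers.Count -eq 0)) "PageParserPath entries=$($parsers.Count)"
        # 7.4: CallStack and AllowPageLevelTrace both false, so errors do not leak stack or trace output
        $callStack = $safeMode.GetAttribute('CallStack')
        $pageTrace = $safeMode.GetAttribute('AllowPageLevelTrace')
        Add-Finding '7.4' $scope (PassFail ($callStack -eq 'false' -and $pageTrace -eq 'false')) "CallStack=$callStack AllowPageLevelTrace=$pageTrace"
    }
}

$findings | Sort-Object Result, Control, Scope | Format-Table -AutoSize
```

The script changes nothing; each FAIL row names the web application and zone so the corresponding benchmark remediation can be applied. Items in the list that depend on Active Directory layout, network placement or IIS-level throttling (2.3, 2.6, 2.7, 3.7, 3.9 to 3.11) are not covered because they are not visible from the SharePoint object model alone.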