7.2.5 Ensure that SharePoint guest users cannot share items they don't own

Information

SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators (guests), and by default those guests can in turn re-share content they do not own with further external parties, even though they are not its owners.

Rationale:

Sharing and collaboration are key; however, the owners of a file, folder, or site collection should retain authority over which external users their content is shared with. Allowing guests to re-share items they do not own lets content propagate beyond the owner's knowledge and control, and can result in unauthorized disclosure of information.

Impact:

The impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, minimal impact is likely. If users do regularly share with guests, some impact is likely, because those guests will no longer be able to re-share content they do not own; an internal owner will have to perform the share instead.

Solution

To remediate using the UI:

Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint

Click to expand Policies then select Sharing.

Expand More external sharing settings, uncheck Allow guests to share items they don't own.

Click Save.

To remediate using PowerShell:

Connect to the SharePoint Online service using Connect-SPOService, supplying the tenant admin URL (for example Connect-SPOService -Url https://<tenant>-admin.sharepoint.com).

Run the following SharePoint Online PowerShell command:

Set-SPOTenant -PreventExternalUsersFromResharing $True
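The page gives the remediation command but no audit step. The following script is an added example, not part of the CIS benchmark or the Tenable audit text: it connects with Connect-SPOService, reads the current value of PreventExternalUsersFromResharing from Get-SPOTenant, and only calls Set-SPOTenant when the tenant is non-compliant, then re-reads the setting to confirm the change. The tenant name "contoso" and the PASS/FAIL wording are assumptions for illustration.

```powershell
# Added example (not from the original page): audit first, remediate only if needed.
# The tenant name "contoso" is an assumed placeholder; replace it with your own tenant.
$adminUrl = "https://contoso-admin.sharepoint.com"

# Requires the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin.
Connect-SPOService -Url $adminUrl

# PreventExternalUsersFromResharing is the tenant property behind the UI checkbox
# "Allow guests to share items they don't own" (checkbox checked == property $false).
$before = (Get-SPOTenant).PreventExternalUsersFromResharing

if ($before -eq $true) {
    Write-Output "PASS: guests cannot re-share items they do not own (PreventExternalUsersFromResharing = $before)."
}
else {
    Write-Output "FAIL: guests can re-share items they do not own (PreventExternalUsersFromResharing = $before). Remediating."
    Set-SPOTenant -PreventExternalUsersFromResharing $true

    # Re-read the tenant object rather than trusting the value cached before the change.
    $after = (Get-SPOTenant).PreventExternalUsersFromResharing
    if ($after -eq $true) {
        Write-Output "Remediated: PreventExternalUsersFromResharing is now $after."
    }
    else {
        Write-Warning "Setting still reads $after after Set-SPOTenant; re-check before closing the finding."
    }
}
```

Run the script in an audit-only mode first (comment out the Set-SPOTenant line) to record the current state, since re-sharing by existing guests stops working as soon as the setting is applied.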

Default Value:

The UI checkbox "Allow guests to share items they don't own" is checked, i.e. PreventExternalUsersFromResharing is $False (guests can re-share).

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: microsoft_azure

Control ID: 2935f1d4fa7ab7b22cbcad9d533fa435747f1f9f76a011352b0354987e5486f5