7.2 Ensure that the SafeControls list is set to the minimum set of controls needed for your sites

Information

The Safe Controls list contains the names of controls and Web Parts, specific to your SharePoint site, that server administrators can designate as safe for use on any .aspx page within a site. This list is part of the Web.config file in your Web application root.

Rationale:
A fundamental assumption of the Windows SharePoint Services technology is that 'untrusted users' can upload and create ASPX pages within the system on which Windows SharePoint Services is running. These users should be prevented from adding server-side code within ASPX pages, but there should be a list of approved controls that those untrusted users can use. One way to provide these controls is to create a Safe Controls list.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. Copy the <YourWebPartName>.dll assembly from the project's Bin directory to the Bin directory in your Web application root directory. For example: C:\inetpub\wwwroot\wss\VirtualDirectories\80\.
2. Locate the Web.config file in your application root directory and open it for editing.
3. Add the following safe-control entry for your custom assembly to the Web.config file:

<SafeControl Assembly='<YourWebPartName>, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' Namespace='<YourWebPartNamespace>' TypeName='*' Safe='True' AllowRemoteDesigner='True'/>

<YourWebPartName> is the name of the Web Part that is being deployed.
<YourWebPartNamespace> is the namespace that is associated with your Web Part.

Impact:
Malicious users can upload and create ASPX pages.
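
One way to review an existing Web.config against this recommendation, as an added example (not part of the CIS benchmark or the Tenable audit): it reports every SafeControl entry that is not in an approved baseline, and calls out wildcard TypeName entries. The Contoso names, the sample fragment and the APPROVED set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config fragment for illustration (not from a real farm).
SAMPLE_WEB_CONFIG = """<configuration><SharePoint><SafeControls>
  <SafeControl Assembly="Contoso.Status, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
               Namespace="Contoso.Status" TypeName="StatusPart" Safe="True" />
  <SafeControl Assembly="Contoso.Legacy, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
               Namespace="Contoso.Legacy" TypeName="*" Safe="True" AllowRemoteDesigner="True" />
  <SafeControl Assembly="Contoso.Extra, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
               Namespace="Contoso.Extra" TypeName="FeedPart" Safe="True" />
  <SafeControl Assembly="Contoso.Old, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
               Namespace="Contoso.Old" TypeName="OldPart" Safe="False" />
</SafeControls></SharePoint></configuration>"""

# Hypothetical approved baseline: (assembly short name, namespace, type name).
APPROVED = {("Contoso.Status", "Contoso.Status", "StatusPart")}


def audit_safe_controls(xml_text, approved):
    """Return (assembly, namespace, type_name, reason) for entries needing review."""
    findings = []
    for sc in ET.fromstring(xml_text).iter("SafeControl"):
        # Entries explicitly marked Safe="False" grant nothing, so skip them.
        # Anything else is reviewed (conservative assumption for a missing attribute).
        if sc.get("Safe", "").strip().lower() == "false":
            continue
        assembly = sc.get("Assembly", "").split(",")[0].strip()
        key = (assembly, sc.get("Namespace", ""), sc.get("TypeName", ""))
        if key in approved:
            continue
        if key[2] == "*":
            reason = "wildcard TypeName trusts every type in the namespace"
        else:
            reason = "not in the approved baseline"
        findings.append(key + (reason,))
    return findings


if __name__ == "__main__":
    for assembly, namespace, type_name, reason in audit_safe_controls(SAMPLE_WEB_CONFIG, APPROVED):
        print(f"REVIEW {assembly} {namespace}.{type_name}: {reason}")
```

A wildcard entry can still be approved deliberately by adding its tuple, with "*" as the type name, to the baseline.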

See Also

https://workbench.cisecurity.org/files/2031

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18b., CSCv6|18

Plugin: Windows

Control ID: a11fe5b3ccaadd2a0fcecb288edeea0ffa88603e25e53ffe3753ec585fd00a49