Focus on Microsoft
RE: Hardening Sharepoint 2010 on Win 2008 R2 Dec 20 2010 06:05PM
Kurt Dillard (kurtdillard msn com)
Mamo;
I do some consulting work for Microsoft; one of the projects I've been
helping with in recent years is the Security Compliance Manager:
http://technet.microsoft.com/en-us/library/cc677002.aspx. SCM includes
security baselines for Windows Server 2008, Windows Server 2008 R2, SQL
2008, and SQL 2008 R2. You can export the Windows baselines in several
formats including group policy objects which you can then import into AD DS
and apply to your servers. You can also apply them locally to stand-alone
servers using the Local Policy Tool that is included with SCM. The SQL
baselines can be applied using PowerShell rather than group policy.

I've been researching SharePoint 2010 extensively for the past few weeks;
I'm hoping to help Microsoft create a security guide and security baseline
for SharePoint 2010 but that project won't kick off until next year, and
only if funding is approved. At this point, nobody has a comprehensive guide
for 2010. DISA has a pretty good checklist for SharePoint 2007, but it mixes
database and OS configuration into the SharePoint checklist and obviously it
doesn't include stuff that's new in 2010 such as claims based
authentication. Neither NSA nor NIST have anything and I don't believe they
are planning on SharePoint 2010 guidance right now. I'm sure that the Center
for Internet Security is considering adding SharePoint 2010 to their list of
checklists but I don't believe that they have started working on it yet.

I suggest that you investigate SCM and if you like what you find that you
join Microsoft Connect and sign up for Beta reviews of future SCM baselines;
that would get you the earliest access to Microsoft's guidance for
SharePoint 2010 should they decide to publish a guide for it. I believe this
is the link for signing up to SCM betas:
https://connect.microsoft.com/site715

My list of links for SharePoint 2010 security:

1. Newly published content (updated weekly)
http://technet.microsoft.com/en-us/library/cc262043.aspx
2. Governance: http://technet.microsoft.com/en-us/sharepoint/ff800826.aspx
3. Security & Protection:
http://technet.microsoft.com/en-us/library/cc263215.aspx
4. Security and protection for SharePoint Foundation 2010:
http://technet.microsoft.com/en-us/library/cc287860.aspx
5. Security & Authentication:
http://technet.microsoft.com/en-us/sharepoint/ff601872.aspx
6. PowerShell: http://technet.microsoft.com/library/ee662539(office.14).aspx
7. IT Pro Training:
http://sharepoint.microsoft.com/en-us/resources/Pages/IT-Pro-Training-Guide.aspx
8. Main site on TechNet:
http://technet.microsoft.com/en-us/sharepoint/ee263917.aspx#tab=1
9. Blog: http://blogs.msdn.com/b/sharepoint/
10. Forums:
http://social.technet.microsoft.com/Forums/en-US/category/sharepoint2010
11. Security training:
http://technet.microsoft.com/en-us/sharepoint/ff678022.aspx
12. Labs: http://technet.microsoft.com/en-us/virtuallabs/bb512933.aspx

Regards,

Kurt Dillard, CISSP
www.kurtdillard.com

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of mamo
Sent: Monday, December 20, 2010 8:25 AM
To: Anupam Kumar
Cc: focus-ms (at) securityfocus (dot) com
Subject: Re: Hardening Sharepoint 2010 on Win 2008 R2

Hello.

We have quite a complex policy that is not possible to summarize on a mailing
list.
Some important points for me specific to this project (it is a public web
site):
- The front end on the internet needs to have a secure in-depth configuration
(if one level fails, I don't want to have the whole site compromised).
I am looking both at configuration to be applied to the front end and to the
backend.
- I want to have a strong auditing level on who does what in changing the
content of the site, to be able to analyse possible compromises/mistakes with
the change functionality.

Thank you.
Mamo

On Mon, Dec 20, 2010 at 8:02 AM, Anupam Kumar <anupam (at) kumargroups (dot) org> wrote:
> Hi Mamo,
>
> There is no definitive guide that can be given as it depends
> completely on the security policy of your company. I work for Capital
> One and almost everything is disabled due to security. However, I am
> also aware from past experiences that some companies hardly follow any
> hardening procedures. To answer your question better, please let us know
> what is your requirement.
> What kind of security are you looking at?
>
> Knowing this is critical before something can be suggested.
>
> Regards
> Anupam Kumar
>
> On Mon, Dec 20, 2010 at 4:02 AM, mamo <mamo74 (at) gmail (dot) com> wrote:
>>
>> Hello.
>>
>> My company is working on the new internet web site.
>> It is going to be based on Sharepoint 2010 on Windows 2008 R2.
>>
>> They are very new platforms (very very new for me :-( ). Do you know
>> of any hardening guide for Sharepoint 2010? Can you give me pointers
>> on Windows 2008 Hardening or security checklist?
>>
>> Thank you in advance.
>> Mamo
>
>

Copyright 2010, SecurityFocus