Windows SharePoint Services (WSS)
Make sure that Microsoft SharePoint is running on a secure IIS site.
- At its core, a SharePoint site is simply an IIS Web site, so you can take the standard methods of securing any IIS site and get significant results in increasing overall WSS security.
- Make sure SSL is enabled. Harden the permissions users need to reach the virtual directory that SharePoint runs in, use strong authentication methods (NTLM or Kerberos), and ensure the Web server itself is protected using typical Windows hardening methods.
- A quick search on SearchSecurity.com for "IIS server security" will provide a wealth of information for hardening the environment that SharePoint itself runs in.
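The IIS-level checks above (an SSL binding, Windows authentication rather than anonymous or Basic, Negotiate available for Kerberos) can be scripted. The following PowerShell is an added example, not code from the original article or from Microsoft; it assumes IIS 7 or later with the WebAdministration module, and the site name 'SharePoint - 80' is a placeholder for your own WSS site.

```powershell
# Added example (not from the original article): report IIS settings on the site that
# hosts WSS. Assumes IIS 7+ with the WebAdministration module; site name is a placeholder.
Import-Module WebAdministration

function Test-WssIisHardening {
    param([string]$SiteName = 'SharePoint - 80')   # placeholder site name

    $findings = @()
    $psPath   = "IIS:\Sites\$SiteName"

    # 1. SSL: at least one https binding must exist on the site.
    $httpsBindings = Get-WebBinding -Name $SiteName | Where-Object { $_.protocol -eq 'https' }
    if (-not $httpsBindings) { $findings += "No https binding on '$SiteName'; SSL is not enabled." }

    # 2. Anonymous authentication should be off at the IIS level for an internal-only site.
    $anon = Get-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled'
    if ($anon.Value) { $findings += "Anonymous authentication is enabled in IIS for '$SiteName'." }

    # 3. Windows authentication (NTLM, or Kerberos via the Negotiate provider) should be in use.
    $win = Get-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'enabled'
    if (-not $win.Value) { $findings += "Windows authentication is disabled for '$SiteName'." }

    $providers = Get-WebConfiguration -PSPath $psPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/providers/add' |
        ForEach-Object { $_.value }
    if ($providers -and ($providers -notcontains 'Negotiate')) {
        $findings += "Kerberos (Negotiate) is not offered; providers: $($providers -join ', ')."
    }

    # 4. Basic authentication sends credentials in cleartext unless SSL is enforced; flag it.
    $basic = Get-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/security/authentication/basicAuthentication' -Name 'enabled'
    if ($basic.Value) { $findings += "Basic authentication is enabled for '$SiteName'." }

    if ($findings.Count -eq 0) { "OK: '$SiteName' passes the IIS checks." } else { $findings }
}

Test-WssIisHardening -SiteName 'SharePoint - 80'
```

Run it on the Web front end as a local administrator; each line of output is one setting that departs from the article's recommendations, so an empty list of findings is the goal.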
Assign application-wide security policies.
- You can use the "Policy for Web Application" feature to apply authentication and access rules across an entire Web application rather than site by site. From this page, you can set anonymous access standards and grant or deny access to specific users and groups. These application-wide security policies take precedence over any individual configuration features that have been set up on specific sites.
- These policies also apply to users that reside both within and outside of your firewall's reach.
- To reach the Policy for Web Application feature, open Central Administration, click the Application Management tab and click the Policy for Web Application link. You can begin setting policies from there.
Understand Microsoft SharePoint permission levels to control access for your users.
- Like Windows and NTFS permissions, you assign access to users through permission levels and SharePoint groups. Permissions aren't assigned directly to users; rather, you control availability and access through levels and groups. Users are assigned to levels and groups and thus inherit access controls through that membership.
- You can access the controls for permission levels and SharePoint groups from the Site Actions menu on any page, but first make sure you are logged onto the site with administrative credentials. Click Site Settings from that menu, and then click the Advanced Permissions link under the Users and Permissions section.
- Make sure you assign permissions and levels carefully, as these control what users can read, change, and do on your sites. Treat this as diligently as you treat file system permissions.
Disable anonymous access to your Microsoft SharePoint Services site, if possible.
- If your SharePoint site is designed only for internal users that have accounts on your domain, there is no need to open the site up to users who haven't authenticated. This closes a reasonably significant vector through which information could be leaked.
- To disable anonymous access, open the Central Administration site. From the Start menu, choose Administrative Tools and then click SharePoint 3.0 Central Administration. Then navigate to the Application Management tab and click the Authentication Providers link in the Application Security section.
- Click the Default Zone link, and then uncheck the Enable Anonymous Access box, and finally, click Save.
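Both the permission-level guidance above and the anonymous-access setting can be audited from the server with the SharePoint object model. The following PowerShell is an added example, not code from the original article or from Microsoft; it assumes it runs on the WSS 3.0 server as a farm administrator (so Microsoft.SharePoint.dll loads), and the URL is a placeholder. It reports each web whose anonymous state is not Disabled, permissions assigned directly to a user rather than through a SharePoint group, and principals holding the Full Control or Design levels.

```powershell
# Added example (not from the original article): audit anonymous state and role
# assignments on a WSS 3.0 site collection. Runs on the server; URL is a placeholder.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

function Get-WssAccessReport {
    param([string]$SiteUrl = 'http://sharepoint.example.local')   # placeholder URL

    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        foreach ($web in $site.AllWebs) {
            # AnonymousState is Disabled, Enabled (selected lists) or On (the whole web).
            if ($web.AnonymousState -ne 'Disabled') {
                Write-Output ("{0}: anonymous access is {1}" -f $web.Url, $web.AnonymousState)
            }

            # Webs that inherit permissions repeat their parent's assignments; skip them.
            if (-not $web.HasUniqueRoleAssignments) { $web.Dispose(); continue }

            foreach ($ra in $web.RoleAssignments) {
                $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '

                # Access should flow through SharePoint groups; a direct user assignment
                # is easy to overlook when group membership is reviewed.
                if ($ra.Member -is [Microsoft.SharePoint.SPUser]) {
                    Write-Output ("{0}: DIRECT user assignment {1} -> {2}" -f
                        $web.Url, $ra.Member.LoginName, $levels)
                }

                # Full Control and Design let a principal change permissions and site structure.
                $powerful = $ra.RoleDefinitionBindings |
                    Where-Object { @('Full Control', 'Design') -contains $_.Name }
                if ($powerful) {
                    Write-Output ("{0}: {1} holds {2}" -f $web.Url, $ra.Member.Name, $levels)
                }
            }
            $web.Dispose()   # SPWeb objects from AllWebs must be disposed explicitly
        }
    } finally { $site.Dispose() }
}

Get-WssAccessReport -SiteUrl 'http://sharepoint.example.local'
```

Review the output the same way you would review NTFS ACLs: every direct assignment and every Full Control holder should have a known owner and reason.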
Perform regular backups of your Microsoft SharePoint site.
- Backing up is still an integral and critical part of your security infrastructure. If a compromise were to take place, you would easily be able to restore the data stored in your site after you rebuilt the machine on which the breach took place.
- Remember: Once a cracker gets access to your machine, it isn't your machine any more. So the only safe way to proceed is to flatten the hard drive and rebuild the operating system and application installation from the ground up.
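A backup that is only useful after a rebuild must exist before the compromise and must be verifiable afterwards. The following PowerShell is an added example, not code from the original article or from Microsoft; it wraps stsadm, the WSS 3.0 command-line tool, assumes it runs on the WSS server as a farm administrator, and uses a placeholder site URL and destination folder.

```powershell
# Added example (not from the original article): scheduled site-collection backup
# with stsadm.exe (WSS 3.0, the "12" hive). URL and destination are placeholders.
function Backup-WssSite {
    param(
        [string]$SiteUrl     = 'http://sharepoint.example.local',   # placeholder
        [string]$Destination = 'D:\Backups\WSS',                     # placeholder; ideally a separate host
        [int]$KeepDays       = 30                                    # retention window
    )
    $stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe'
    if (-not (Test-Path $stsadm)) { throw "stsadm.exe not found at $stsadm" }
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Destination "wss-site-$stamp.dat"

    # Full site-collection backup; stsadm sets a non-zero exit code on failure.
    & $stsadm -o backup -url $SiteUrl -filename $file -overwrite
    if ($LASTEXITCODE -ne 0) { throw "stsadm backup failed with exit code $LASTEXITCODE" }

    # Record a SHA-256 of the backup file so a restore can confirm it was not altered
    # while stored. The .NET class is used because Get-FileHash needs PowerShell 4.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($file)
    try     { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close() }
    "$hash  $(Split-Path $file -Leaf)" | Out-File -Encoding ascii "$file.sha256"

    # Prune backups (and their hash files) older than the retention window.
    Get-ChildItem $Destination -Filter 'wss-site-*' |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item -Force

    return $file
}

Backup-WssSite
```

Schedule this with Task Scheduler and copy the .dat and .sha256 files off the server: a backup that lives only on the machine that gets flattened is lost with it. Restore with stsadm -o restore -url <url> -filename <file> after the rebuild, once the hash matches.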
About the author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro magazine, SecurityFocus, PC Pro and Microsoft's TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration. He can be reached at firstname.lastname@example.org.