Checking the impact of a particular security baseline on Office SharePoint 2007
There is a SharePoint server farm consisting of 2 WFE, 2 SSP and 2 DB servers (cluster). I need to apply the Windows and IIS security baseline on all these 6 servers.
Question:
1) Can I disable the default administrative share on the 2 WFE and 2 SSP servers? Any impact? If I cannot disable it, what is the justification?
2) Previously, after applying the IIS security baseline below, all the SharePoint sites were down. Some files in the IIS virtual directory were missing. I wonder which security baseline setting was causing that. I also wonder whether the IIS security baseline was the culprit.
Thank you.
August 18th, 2012 4:21am
BASELINE CHECKLIST (IIS CONFIGURATION)

| No. | Baseline Setting | Value | Comply (Y / N) | Remarks (if not comply) |
|---|---|---|---|---|
| | IIS HTTP SERVICE CONFIGURATION | | | |
| 2.5. | Website: Home Directory: Directory browsing allowed | Uncheck | | |
| 2.10. | Website: Home Directory: Write access permission | Uncheck | | |
| 2.15. | Website: Home Directory: Script source access | Uncheck | | |
| 2.20. | Website: Home Directory: Log visits access permission | Check | | |
| 2.25. | Website: Home Directory: Enable Parents Path | Uncheck | | |
| 2.30. | Website: Home Directory: Script mappings | Remove following: .ida, .htw, .idq, .idc, .shtm, .stm, .shtml, .printer, .cdx, .asa; Remove following if NOT Certificate Authority (CA) server: .cer; Remove following if NOT Outlook Web Access (OWA) server: .htr | | |
| 2.42. | Website: Home Directory: Error Message for Script Errors | Send following text error message to client | | |
| 2.47. | Website: Home Directory: Enable ASP client-side script debugging | Uncheck | | |
| 2.52. | Website: Home Directory: Enable ASP server-side script debugging | Uncheck | | |
| 2.57. | Website: Home Directory: Session timeout | 10 minutes | | |
| 2.62. | Website: Web site: Connection timeout | 120 seconds | | |
| 2.67. | Website: ISAPI Filter: ISAPI filters | Remove all unnecessary | | |
| 2.72. | Website: HTTP Headers: MIME type mappings | Remove all unnecessary | | |
| 2.77. | All sites: Directory: Execution Permissions | Scripts only / None | | |
| 2.82. | FrontPage Server Extensions | Ensure it is not installed (except on SharePoint Server 2003) | | |
| 2.88. | Website: Web site: Enable Logging | Active log format: W3C Extended Log Format; Log time period: Daily; Advanced: Time, Client IP Address, User Name, Server IP Address, Server Port, Method, URI Stem, HTTP Status, User Agent | | |
August 18th, 2012 4:22am
BASELINE CHECKLIST (WINDOWS CONFIGURATION)

| No. | Baseline Setting | Value | Comply (Y / N) | Remarks (if not comply) |
|---|---|---|---|---|
| | IIS CRYPTOGRAPHY AND SECURITY CONFIGURATION | | | |
| 3.5. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server | DWORD: Enabled = 0 | | |
| 3.10. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server | DWORD: Enabled = 0 | | |
| 3.15. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128 | DWORD: Enabled = 0 | | |
| 3.32. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters | DWORD: EnableTraceMethod = 0 | | |
| | WINDOWS SERVICES | | | |
| 4.5. | Microsoft Index Server (except for SharePoint Server) | Disable | | |
| | WINDOWS REGISTRY | | | |
| 5.5. | %systemroot%\Program Files\Common Files\System\Msadc\msadcs.dll; HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory; HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory; HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls | Remove | | |
| 5.14. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters | DWORD: SSIEnableCmdDrive = 0 | | |
| | WINDOWS FILE SYSTEM | | | |
| 6.5. | %systemroot%\system32\inetsrv | Administrators: Full Control, SYSTEM: Full Control | | |
| 6.11. | %systemroot%\system32\logfiles | Administrators: Full Control, SYSTEM: Full Control, Service Account: Full Control | | |
| 6.18. | %iisroot%; %iisroot%\AdminScripts; %iisroot%\wwwroot; %iisroot%\ftproot; %iisroot%\news; %iisroot%\nntpfile; %iisroot%\mailroot | Administrators: Full Control, SYSTEM: Full Control, Service Account: Full Control | | |
| 6.31. | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters; HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters | Administrators: Full Control, SYSTEM: Full Control | | |
| 6.38. | %systemroot%\certsrv | Remove (except on Certificate Authority server) | | |
| 6.44. | Virtual directory IISSAMPLES; %iisroot%\iissamples; %iisroot%\wwwroot\samples; C:\Program Files\Common Files\System\msadc\Samples | Remove | | |
August 18th, 2012 4:23am
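
Added example, not part of the original posts: a read-only PowerShell audit of the registry values from checklist items 3.5, 3.10, 3.15 and 3.32, filling in the "Comply (Y / N)" column for one server. The variable names and the output columns are assumptions of this example, and it is meant to be run locally on each WFE and SSP server from an administrative PowerShell session.

```powershell
# Added example (not from the thread): read-only audit of checklist items
# 3.5, 3.10, 3.15 and 3.32. Nothing is written to the registry.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$w3svc    = 'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'

# Checklist number, key path under HKLM, value name. The baseline expects 0 for each.
$checks = @(
    @('3.5',  "$schannel\Protocols\SSL 2.0\Server", 'Enabled'),
    @('3.10', "$schannel\Protocols\PCT 1.0\Server", 'Enabled'),
    @('3.15', "$schannel\Ciphers\DES 56/56",  'Enabled'),
    @('3.15', "$schannel\Ciphers\NULL",       'Enabled'),
    @('3.15', "$schannel\Ciphers\RC2 40/128", 'Enabled'),
    @('3.15', "$schannel\Ciphers\RC2 56/128", 'Enabled'),
    @('3.15', "$schannel\Ciphers\RC4 40/128", 'Enabled'),
    @('3.15', "$schannel\Ciphers\RC4 56/128", 'Enabled'),
    @('3.15', "$schannel\Ciphers\RC4 64/128", 'Enabled'),
    @('3.32', $w3svc, 'EnableTraceMethod')
)

$hklm = [Microsoft.Win32.Registry]::LocalMachine

$results = foreach ($c in $checks) {
    $no, $path, $name = $c

    # Use the .NET registry API instead of the HKLM: drive: the PowerShell
    # registry provider treats the "/" in key names such as "DES 56/56" as a
    # path separator, so those keys cannot be addressed reliably through it.
    $key  = $hklm.OpenSubKey($path)      # read-only handle; $null if the key is absent
    $data = $null
    if ($key) { $data = $key.GetValue($name); $key.Close() }

    # A missing key or value is reported as not compliant, because the
    # checklist asks for the value to be present and explicitly set to 0.
    if     (-not $key)       { $state = 'key missing' }
    elseif ($null -eq $data) { $state = 'value missing' }
    elseif ($data -eq 0)     { $state = 'set to 0' }
    else                     { $state = "set to $data" }

    $comply = 'N'
    if ($state -eq 'set to 0') { $comply = 'Y' }

    New-Object PSObject -Property @{
        No = $no; Comply = $comply; State = $state; Key = "HKLM\$path"; Value = $name
    } | Select-Object No, Comply, State, Value, Key
}

$results | Format-Table -AutoSize -Wrap
```

Saving the output before and after the baseline is applied on a single server gives a record of exactly which of these values changed.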