Checking the impact of a particular security baseline on Office SharePoint 2007
There is a SharePoint server farm consisting of 2 WFE, 2 SSP and 2 DB servers (cluster). I need to apply the Windows and IIS security baseline on all these 6 servers.

Question:
1) Can I disable the default administrative share on the 2 WFE and 2 SSP servers? Any impact? If I cannot disable it, what is the justification?
2) Previously, after applying the IIS security baseline as below, all the SharePoint sites were down. Some files in the IIS virtual directory were missing. I wonder which security baseline setting was causing that. I wonder also whether the IIS security baseline was the culprit.

Thank you.
August 18th, 2012 4:21am

BASELINE CHECKLIST (IIS CONFIGURATION)

IIS HTTP SERVICE CONFIGURATION

| No. | Baseline Setting | Value | Comply (Y / N) | Remarks (if not comply) |
|---|---|---|---|---|
| 2.5. | Website: Home Directory: Directory browsing allowed | Uncheck | | |
| 2.10. | Website: Home Directory: Write access permission | Uncheck | | |
| 2.15. | Website: Home Directory: Script source access | Uncheck | | |
| 2.20. | Website: Home Directory: Log visits access permission | Check | | |
| 2.25. | Website: Home Directory: Enable Parents Path | Uncheck | | |
| 2.30. | Website: Home Directory: Script mappings | Remove following: .ida, .htw, .idq, .idc, .shtm, .stm, .shtml, .printer, .cdx, .asa | | |
| | | Remove following if NOT Certificate Authority (CA) server: .cer | | |
| | | Remove following if NOT Outlook Web Access (OWA) server: .htr | | |
| 2.42. | Website: Home Directory: Error Message for Script Errors | Send following text error message to client | | |
| 2.47. | Website: Home Directory: Enable ASP client-side script debugging | Uncheck | | |
| 2.52. | Website: Home Directory: Enable ASP server-side script debugging | Uncheck | | |
| 2.57. | Website: Home Directory: Session timeout | 10 minutes | | |
| 2.62. | Website: Web site: Connection timeout | 120 seconds | | |
| 2.67. | Website: ISAPI Filter: ISAPI filters | Remove all unnecessary | | |
| 2.72. | Website: HTTP Headers: MIME type mappings | Remove all unnecessary | | |
| 2.77. | All sites: Directory: Execution Permissions | Scripts only / None | | |
| 2.82. | FrontPage Server Extensions | Ensure it is not installed (except on SharePoint Server 2003) | | |
| 2.88. | Website: Web site: Enable Logging | Active log format: W3C Extended Log Format | | |
| | | Log time period: Daily | | |
| | | Advanced: Time, Client IP Address, User Name, Server IP Address, Server Port, Method, URI Stem, HTTP Status, User Agent | | |
August 18th, 2012 4:22am

BASELINE CHECKLIST (WINDOWS CONFIGURATION)

IIS CRYPTOGRAPHY AND SECURITY CONFIGURATION

| No. | Baseline Setting | Value | Comply (Y / N) | Remarks (if not comply) |
|---|---|---|---|---|
| 3.5. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server | DWORD: Enabled = 0 | | |
| 3.10. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server | DWORD: Enabled = 0 | | |
| 3.15. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128 | DWORD: Enabled = 0 | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128 | DWORD: Enabled = 0 | | |
| 3.32. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters | DWORD: EnableTraceMethod = 0 | | |

WINDOWS SERVICES

| No. | Baseline Setting | Value | Comply (Y / N) | Remarks (if not comply) |
|---|---|---|---|---|
| 4.5. | Microsoft Index Server (except for SharePoint Server) | Disable | | |

WINDOWS REGISTRY

| No. | Baseline Setting | Value | Comply (Y / N) | Remarks (if not comply) |
|---|---|---|---|---|
| 5.5. | %systemroot%\Program Files\Common Files\System\Msadc\msadcs.dll | Remove | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory | | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory | | | |
| | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls | | | |
| 5.14. | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters | DWORD: SSIEnableCmdDrive = 0 | | |

WINDOWS FILE SYSTEM

| No. | Baseline Setting | Value | Comply (Y / N) | Remarks (if not comply) |
|---|---|---|---|---|
| 6.5. | %systemroot%\system32\inetsrv | Administrators: Full Control, SYSTEM: Full Control | | |
| 6.11. | %systemroot%\system32\logifiles | Administrators: Full Control, SYSTEM: Full Control, Service Account: Full Control | | |
| 6.18. | %iisroot% | Administrators: Full Control, SYSTEM: Full Control, Service Account: Full Control | | |
| | %iisroot%\AdminScripts | | | |
| | %iisroot%\wwwroot | | | |
| | %iisroot%\ftproot | | | |
| | %iisroot%\news | | | |
| | %iisroot%\nntpfile | | | |
| | %iisroot%\mailroot | | | |
| 6.31. | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters | Administrators: Full Control, SYSTEM: Full Control | | |
| | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters | | | |
| 6.38. | %systemroot%\certsrv | Remove (except on Certificate Authority server) | | |
| 6.44. | Virtual directory IISSAMPLES | Remove | | |
| | %iisroot%\iissamples | | | |
| | %iisroot%\wwwroot\samples | | | |
| | C:\Program Files\Common Files\System\msadc\Samples | | | |
August 18th, 2012 4:23am
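
An added example, not part of the original posts: a read-only PowerShell check of the registry values in checklist items 3.5 to 3.32 and 5.14, so each server's state can be recorded before and after the baseline is applied. It uses the .NET registry API because the PowerShell registry provider treats the "/" in key names such as DES 56/56 as a path separator; the function name Test-BaselineValue and the state labels are illustrative choices.

```powershell
# Added example: read-only audit of the DWORD values from the checklist above.
# Nothing is written to the registry.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$w3svc    = 'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'

# Checklist item, subkey under HKEY_LOCAL_MACHINE, value name, expected DWORD
$checks = @(
    @('3.5',  "$schannel\Protocols\SSL 2.0\Server", 'Enabled', 0),
    @('3.10', "$schannel\Protocols\PCT 1.0\Server", 'Enabled', 0),
    @('3.15', "$schannel\Ciphers\DES 56/56",  'Enabled', 0),
    @('3.15', "$schannel\Ciphers\NULL",       'Enabled', 0),
    @('3.15', "$schannel\Ciphers\RC2 40/128", 'Enabled', 0),
    @('3.15', "$schannel\Ciphers\RC2 56/128", 'Enabled', 0),
    @('3.15', "$schannel\Ciphers\RC4 40/128", 'Enabled', 0),
    @('3.15', "$schannel\Ciphers\RC4 56/128", 'Enabled', 0),
    @('3.15', "$schannel\Ciphers\RC4 64/128", 'Enabled', 0),
    @('3.32', $w3svc, 'EnableTraceMethod', 0),
    @('5.14', $w3svc, 'SSIEnableCmdDrive', 0)
)

function Test-BaselineValue($item, $subKey, $name, $expected) {
    # OpenSubKey returns $null when the key does not exist; opened read-only.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)
    $actual = $null
    if ($key) { $actual = $key.GetValue($name, $null); $key.Close() }

    # NotSet: key or value is absent, so the checklist value has not been applied.
    if ($null -eq $actual)         { $state = 'NotSet' }
    elseif ($actual -eq $expected) { $state = 'Comply' }
    else                           { $state = 'Differs' }

    New-Object PSObject -Property @{
        Item = $item; State = $state; Name = $name
        Expected = $expected; Actual = $actual; Key = "HKLM\$subKey"
    }
}

$report = foreach ($c in $checks) { Test-BaselineValue $c[0] $c[1] $c[2] $c[3] }
$report | Select-Object Item, State, Name, Expected, Actual, Key | Format-Table -AutoSize
```

Piping `$report` to `Export-Csv` on each server before and after a baseline change gives two files that can be compared to see which of these values actually changed.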

This topic is archived. No further replies will be accepted.
