CIS Microsoft SharePoint 2016 OS v1.1.0

Audit Details

Name: CIS Microsoft SharePoint 2016 OS v1.1.0

Updated: 4/25/2022

Authority: CIS

Plugin: Windows

Revision: 1.9

Estimated Item Count: 40

File Details

Filename: CIS_Microsoft_SharePoint_2016_OS_v1.1.0_Level_1.audit

Size: 88.9 kB

MD5: d35c66545d0b6cd4b3844f0b0ba2b6bf
SHA256: c9d47f21e24ea552aa1bff7767e90058692b1d5b3e15c17396a367bd4a3acb50

Audit Items

Description | Categories
1.1 Ensure access to SharePointEmailws.asmx is limited to only the server farm account |
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - HTTPS | SYSTEM AND COMMUNICATIONS PROTECTION
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - Port 443 | SYSTEM AND COMMUNICATIONS PROTECTION
1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | SYSTEM AND COMMUNICATIONS PROTECTION
1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Auth Provider | SYSTEM AND COMMUNICATIONS PROTECTION
2.1 Ensure 'Block File Types' is configured to match the enterprise blacklist | SYSTEM AND COMMUNICATIONS PROTECTION
2.2 Ensure the SharePoint farm service account (database access account) is configured with the minimum privileges for the local server. | ACCESS CONTROL
2.3 Ensure the SharePoint setup account is configured with the minimum privileges in Active Directory. | ACCESS CONTROL
2.4 Ensure SharePoint provides the ability to prohibit the transfer of unsanctioned information in accordance with security policy. | SYSTEM AND COMMUNICATIONS PROTECTION
2.7 Ensure a separate organizational unit (OU) in Active Directory exists for SharePoint 2016 objects. |
2.8 Ensure the SharePoint Central Administration site is not accessible from Extranet or Internet connections | SYSTEM AND COMMUNICATIONS PROTECTION
2.10 Ensure that the SharePoint Online Web Part Gallery component is configured with limited access | ACCESS CONTROL
3.1 Ensure a secondary SharePoint site collection administrator has been defined on each site collection. | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
3.2 Ensure SharePoint implements an information system isolation boundary that minimizes the number of non-security functions. | SYSTEM AND COMMUNICATIONS PROTECTION
3.3 Ensure SharePoint implements security functions as a layered structure minimizing interactions between layers of the design. |
3.4 Ensure SharePoint identifies data type, specification, and usage when transferring information between different security domains. | SYSTEM AND COMMUNICATIONS PROTECTION
3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Attempt to clean | SYSTEM AND INFORMATION INTEGRITY
3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Scan on download | SYSTEM AND INFORMATION INTEGRITY
3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Scan on upload | SYSTEM AND INFORMATION INTEGRITY
3.6 Ensure that SharePoint is configured with 'Strict' browser file handling settings | CONFIGURATION MANAGEMENT
3.7 Ensure that SharePoint is set to reject or delay network traffic generated above traffic volume thresholds - connectionTimeout | ACCESS CONTROL
3.7 Ensure that SharePoint is set to reject or delay network traffic generated above traffic volume thresholds - maxBandwidth | SYSTEM AND COMMUNICATIONS PROTECTION
3.7 Ensure that SharePoint is set to reject or delay network traffic generated above traffic volume thresholds - maxConnections | SYSTEM AND COMMUNICATIONS PROTECTION
3.8 Ensure that On-Premise SharePoint servers is configured without OneDrive redirection linkages. | CONFIGURATION MANAGEMENT
3.9 Ensure that SharePoint application servers are protected by a reverse proxy |
3.10 Ensure SharePoint database servers are segregated from application server and placed in a secure zone. |
3.11 Ensure that the SharePoint Central Administration interface is not hosted in the DMZ. |
4.1 Ensure SharePoint displays an approved system use notification message or banner before granting access to the system. | ACCESS CONTROL
4.2 Ensure claims-based authentication is used for all web applications and zones of a SharePoint 2016 farm | IDENTIFICATION AND AUTHENTICATION
4.3 Ensure Windows Authentication uses Kerberos and not the NT Lan Manager (NTLM) authentication protocol | SYSTEM AND COMMUNICATIONS PROTECTION
4.4 Ensure Anonymous authentication is denied | ACCESS CONTROL
5.1 Ensure that auditable events and diagnostic tracking settings within SharePoint is consistent with the organization's security plans | AUDIT AND ACCOUNTABILITY
5.2 Ensure that remote sessions for accessing security functions and security-relevant information are audited |
6.2 Ensure SharePoint is configured with HTTPS connections | SYSTEM AND COMMUNICATIONS PROTECTION
6.3 Ensure that SharePoint user sessions are terminated upon user logoff and when the idle time limit is exceeded | ACCESS CONTROL
7.1 Ensure that the MaxZoneParts setting for Web Part limits is set to 100. | CONFIGURATION MANAGEMENT
7.2 Ensure that the SafeControls list is set to the minimum set of controls needed for your sites | SYSTEM AND COMMUNICATIONS PROTECTION
7.3 Ensure compilation or scripting of database pages via the PageParserPaths elements is not allowed | SYSTEM AND INFORMATION INTEGRITY
7.4 Ensure the SharePoint CallStack and AllowPageLevelTrace 'SafeMode' parameters are set to false - AllowPageLevelTrace | SYSTEM AND INFORMATION INTEGRITY
7.4 Ensure the SharePoint CallStack and AllowPageLevelTrace 'SafeMode' parameters are set to false - CallStack | SYSTEM AND INFORMATION INTEGRITY
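The items above that are plain configuration values can be spot-checked by hand before (or after) running the audit file. The script below is an added example written for this page; it is not the Tenable audit file's own check logic and not CIS material. It reads the SharePoint 2016 object model and each zone's web.config to cover items 1.2, 2.1, 3.5, 3.6, 4.2, 4.3, 4.4, 7.1, 7.3 and 7.4. The blocked-extension list, the "CompilationMode other than Never" test for 7.3, the Add-Finding helper and the report layout are assumptions chosen for illustration; run it in the SharePoint 2016 Management Shell as a farm administrator.

```powershell
# Added example, not part of the audit file or the CIS benchmark.
# Spot-checks a subset of CIS SharePoint 2016 items from the object model and web.config.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Id, $Target, $Expected, $Actual) {
    # Helper assumed for this example: Pass is a straight equality test
    $findings.Add([pscustomobject]@{
        Item = $Id; Target = $Target; Expected = $Expected; Actual = $Actual
        Pass = ($Expected -eq $Actual)
    })
}

# 1.2: Central Administration must be served over HTTPS
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
Add-Finding '1.2' $ca.Url 'https' ([uri]$ca.Url).Scheme

# 3.5: farm-wide antivirus integration (scan on upload/download, attempt to clean)
$av = [Microsoft.SharePoint.Administration.SPWebService]::ContentService.AntivirusSettings
Add-Finding '3.5' 'Scan on upload'   $true $av.UploadScanEnabled
Add-Finding '3.5' 'Scan on download' $true $av.DownloadScanEnabled
Add-Finding '3.5' 'Attempt to clean' $true $av.CleaningEnabled

# Content web applications (Central Administration is excluded without -IncludeCentralAdministration)
foreach ($wa in Get-SPWebApplication) {
    # 2.1: blocked file types must cover the enterprise blocklist; this list is an assumption
    $required = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'hta')
    $missing = @($required | Where-Object { -not $wa.BlockedFileExtensions.Contains($_) })
    Add-Finding '2.1' $wa.Url 'none' $(if ($missing.Count) { $missing -join ',' } else { 'none' })

    # 3.6: Strict browser file handling forces a download instead of rendering uploads inline
    Add-Finding '3.6' $wa.Url 'Strict' $wa.BrowserFileHandling.ToString()

    # 4.2: claims-based authentication on the web application
    Add-Finding '4.2' $wa.Url $true $wa.UseClaimsAuthentication

    foreach ($zone in $wa.IisSettings.Keys) {
        $iis = $wa.IisSettings[$zone]
        # 4.3 / 1.4: DisableKerberos = $true means the zone negotiates NTLM only
        Add-Finding '4.3' "$($wa.Url) [$zone]" $false $iis.DisableKerberos
        # 4.4: anonymous authentication denied on the zone
        Add-Finding '4.4' "$($wa.Url) [$zone]" $false $iis.AllowAnonymous

        # 7.1 / 7.3 / 7.4 live only in the zone's web.config under <configuration><SharePoint>
        $cfg = Join-Path $iis.Path.FullName 'web.config'
        if (Test-Path $cfg) {
            [xml]$xml = Get-Content $cfg
            $sp = $xml.configuration.SharePoint
            Add-Finding '7.1' $cfg '100' $sp.WebPartLimits.MaxZoneParts
            Add-Finding '7.4' "$cfg CallStack"           'false' $sp.SafeMode.CallStack
            Add-Finding '7.4' "$cfg AllowPageLevelTrace" 'false' $sp.SafeMode.AllowPageLevelTrace
            # 7.3: PageParserPaths is nested inside SafeMode; flag any entry that allows
            # compilation or server-side script (the test itself is an assumption)
            $risky = @($sp.SafeMode.PageParserPaths.PageParserPath |
                Where-Object { $_.CompilationMode -ne 'Never' -or $_.AllowServerSideScript -eq 'true' })
            Add-Finding '7.3' $cfg 0 $risky.Count
        }
    }
}

$findings | Sort-Object Item | Format-Table -AutoSize
```

Items 3.7 (connectionTimeout, maxBandwidth, maxConnections) are IIS site limits in applicationHost.config rather than SharePoint settings, and 7.2 (the SafeControls list) has no single correct value, so both are left to review rather than scored here; a failing row for 4.3 with DisableKerberos = True on a zone is the common finding, since SharePoint web applications default to NTLM unless Kerberos was selected when the zone was created.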