CIS Microsoft SharePoint 2019 OS v1.0.0

Audit Details

Name: CIS Microsoft SharePoint 2019 OS v1.0.0

Updated: 4/25/2022

Authority: CIS

Plugin: Windows

Revision: 1.6

Estimated Item Count: 39

File Details

Filename: CIS_Microsoft_SharePoint_2019_OS_v1.0.0_Level_1.audit

Size: 91.2 kB

MD5: e1a30c6239b28931fc743b194033bc67
SHA256: d5b2ad03e7d7d5ca408aad87da81f0fa99732ef3e584770cc65fae5301fe07e3

Audit Items

Description / Categories
1.1 Ensure access to SharePointEmailws.asmx is limited to only the server farm account
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - HTTPS

SYSTEM AND COMMUNICATIONS PROTECTION

1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - Port 443

SYSTEM AND COMMUNICATIONS PROTECTION

1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set

SYSTEM AND COMMUNICATIONS PROTECTION

1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Authentication Provider

SYSTEM AND COMMUNICATIONS PROTECTION

2.1 Ensure 'Blocked File Types' is configured to match the enterprise blacklist

SYSTEM AND COMMUNICATIONS PROTECTION

2.2 Ensure the SharePoint farm service account (database access account) is configured with the minimum privileges for the local server.

ACCESS CONTROL

2.3 Ensure the SharePoint setup account is configured with the minimum privileges in Active Directory.

ACCESS CONTROL

2.6 Ensure a separate organizational unit (OU) in Active Directory exists for SharePoint 2019 objects.
2.7 Ensure the SharePoint Central Administration site is not accessible from Extranet or Internet connections

SYSTEM AND COMMUNICATIONS PROTECTION

2.9 Ensure that the SharePoint Online Web Part Gallery component is configured with limited access

ACCESS CONTROL

3.1 Ensure a secondary SharePoint site collection administrator has been defined on each site collection.

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2 Ensure SharePoint implements an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions.

SYSTEM AND COMMUNICATIONS PROTECTION

3.3 Ensure SharePoint implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

SYSTEM AND COMMUNICATIONS PROTECTION

3.4 Ensure SharePoint identifies data type, specification, and usage when transferring information between different security domains so policy restrictions may be applied.

SYSTEM AND COMMUNICATIONS PROTECTION

3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Attempt to clean

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Download Scan

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.5 Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured - Upload Scan

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.6 Ensure that SharePoint is configured with 'Strict' browser file handling settings

CONFIGURATION MANAGEMENT

3.7 Ensure that SharePoint is set to reject or delay network traffic generated above configurable traffic volume thresholds - Connection Timeout

ACCESS CONTROL

3.7 Ensure that SharePoint is set to reject or delay network traffic generated above configurable traffic volume thresholds - Max Bandwidth

SYSTEM AND COMMUNICATIONS PROTECTION

3.7 Ensure that SharePoint is set to reject or delay network traffic generated above configurable traffic volume thresholds - Max Connections

SYSTEM AND COMMUNICATIONS PROTECTION

3.8 Ensure that On-Premise SharePoint servers are configured without OneDrive redirection linkages.

CONFIGURATION MANAGEMENT

3.9 Ensure that SharePoint application servers are protected by a reverse proxy
3.10 Ensure SharePoint database servers are segregated from application server and placed in a secure zone.

SYSTEM AND INFORMATION INTEGRITY

3.11 Ensure that the SharePoint Central Administration interface is not hosted in the DMZ.
4.1 Ensure SharePoint displays an approved system use notification message or banner before granting access to the system.

ACCESS CONTROL

4.2 Ensure claims-based authentication is used for all web applications and zones of a SharePoint 2019 farm

IDENTIFICATION AND AUTHENTICATION

4.3 Ensure Windows Authentication uses Kerberos and not the NT LAN Manager (NTLM) authentication protocol

SYSTEM AND COMMUNICATIONS PROTECTION

4.4 Ensure Anonymous authentication is denied

ACCESS CONTROL

5.1 Ensure that auditable events and diagnostic tracking settings within the SharePoint system are consistent with the organization's security plans

AUDIT AND ACCOUNTABILITY

5.2 Ensure that remote sessions for accessing security functions and security-relevant information are audited
6.2 Ensure SharePoint is configured with HTTPS connections

SYSTEM AND COMMUNICATIONS PROTECTION

6.3 Ensure that SharePoint user sessions are terminated upon user logoff and when the idle time limit is exceeded

ACCESS CONTROL

7.1 Ensure that the MaxZoneParts setting for Web Parts is configured

CONFIGURATION MANAGEMENT

7.2 Ensure that the SafeControls list is set to the minimum set of controls needed for your sites

SYSTEM AND COMMUNICATIONS PROTECTION

7.3 Ensure compilation or scripting of database pages via the PageParserPaths elements is not allowed

SYSTEM AND INFORMATION INTEGRITY

7.4 Ensure the SharePoint CallStack and AllowPageLevelTrace 'SafeMode' parameters are set to false - AllowPageLevelTrace

SYSTEM AND INFORMATION INTEGRITY

7.4 Ensure the SharePoint CallStack and AllowPageLevelTrace 'SafeMode' parameters are set to false - CallStack

SYSTEM AND INFORMATION INTEGRITY
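The farm-level items above (1.2, 2.1, 3.5, 3.6, 4.2, 4.3/1.4, 4.4) can be spot-checked by hand from the SharePoint Management Shell before or after running the audit file. The script below is an added example written for this page; it is not part of the CIS benchmark or of the Tenable audit file, and it only reads settings. It assumes the Microsoft.SharePoint.PowerShell snap-in is available and that it runs as a farm administrator on a SharePoint 2019 server. The blocked-extension baseline in $requiredBlocked is a constructed placeholder that stands in for your enterprise blacklist.

```powershell
# Added example, not benchmark or audit-file code. Read-only spot check of
# several Level 1 items via the SharePoint object model.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Item, [string]$Detail) {
    # $findings is a reference type, so the parent-scope list is mutated in place
    $findings.Add("[$Item] $Detail")
}

# 1.2 (and 2.7 / 3.11 context): Central Administration must be served over HTTPS on 443
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
$caUri = [Uri]$ca.Url
if ($caUri.Scheme -ne 'https') { Add-Finding '1.2' "Central Admin is $($ca.Url), not HTTPS" }
if ($caUri.Port -ne 443)       { Add-Finding '1.2' "Central Admin listens on port $($caUri.Port), expected 443" }

# 3.5: antivirus integration is a farm-wide setting on the content web service
$av = [Microsoft.SharePoint.Administration.SPWebService]::ContentService.AntivirusSettings
if (-not $av.UploadScanEnabled)   { Add-Finding '3.5' 'Upload scan is disabled' }
if (-not $av.DownloadScanEnabled) { Add-Finding '3.5' 'Download scan is disabled' }
if (-not $av.CleaningEnabled)     { Add-Finding '3.5' 'Attempt to clean infected documents is disabled' }

# 2.1: constructed baseline (assumption); replace with the enterprise blacklist
$requiredBlocked = @('exe','dll','bat','cmd','ps1','vbs','js','hta','scr','msi')

foreach ($wa in (Get-SPWebApplication)) {
    $name = $wa.DisplayName

    # 2.1: every extension on the enterprise list must be in BlockedFileExtensions
    $missing = $requiredBlocked | Where-Object { $wa.BlockedFileExtensions -notcontains $_ }
    if ($missing) { Add-Finding '2.1' "$name does not block: $($missing -join ', ')" }

    # 3.6: Strict browser file handling forces a download instead of inline rendering
    if ($wa.BrowserFileHandling -ne [Microsoft.SharePoint.Administration.SPBrowserFileHandling]::Strict) {
        Add-Finding '3.6' "$name browser file handling is $($wa.BrowserFileHandling), expected Strict"
    }

    # 4.2: claims-based authentication is a property of the web application
    if (-not $wa.UseClaimsAuthentication) { Add-Finding '4.2' "$name is not claims-based" }

    # 4.3 / 1.4 and 4.4: Kerberos and anonymous access are set per IIS zone
    foreach ($zone in $wa.IisSettings.Keys) {
        $iis = $wa.IisSettings[$zone]
        if ($iis.UseWindowsIntegratedAuthentication -and $iis.DisableKerberos) {
            Add-Finding '4.3' "$name zone $zone negotiates NTLM (Kerberos disabled)"
        }
        if ($iis.AllowAnonymous) { Add-Finding '4.4' "$name zone $zone allows anonymous access" }
    }
}

if ($findings.Count -eq 0) { 'No findings for the checked items.' } else { $findings }
```

DisableKerberos is only meaningful when Windows integrated authentication is in use on that zone, which is why the 4.3 test is gated on UseWindowsIntegratedAuthentication; a zone using a SAML or forms provider is reported neither way by this check.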
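Items 7.1 through 7.4 are not farm settings but attributes in each web application's web.config (the WebPartLimits, SafeControls and SafeMode elements under the SharePoint section, with PageParserPaths nested inside SafeMode). The following added example, also not part of the benchmark or the audit file, parses those files for every zone on the local server. The MaxZoneParts baseline of 50 is an assumption used only to illustrate an upper-bound check; the benchmark item asks that the value be configured, and your own baseline may differ.

```powershell
# Added example, not benchmark or audit-file code. Parses web.config for the
# 7.x items of each web application zone hosted on this server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPWebConfig {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxZoneParts = 50   # assumed baseline for illustration
    )
    $results = @()
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $sp = $cfg.configuration.SharePoint
    if (-not $sp) { return @("[$Path] no <SharePoint> section found") }

    # 7.1: <WebPartLimits MaxZoneParts="..."> must be present and within baseline
    $limits = $sp.WebPartLimits
    if (-not $limits -or -not $limits.MaxZoneParts) {
        $results += '7.1 MaxZoneParts is not configured'
    } elseif ([int]$limits.MaxZoneParts -gt $MaxZoneParts) {
        $results += "7.1 MaxZoneParts is $($limits.MaxZoneParts), above baseline $MaxZoneParts"
    }

    # 7.4: <SafeMode CallStack="false" AllowPageLevelTrace="false">
    $safe = $sp.SafeMode
    foreach ($attr in 'CallStack', 'AllowPageLevelTrace') {
        if ($safe.$attr -ne 'false') { $results += "7.4 SafeMode $attr is '$($safe.$attr)', expected false" }
    }

    # 7.3: no <PageParserPath> may permit server-side script or compilation;
    # anything other than CompilationMode="Never" is reported for review
    foreach ($p in @($safe.PageParserPaths.PageParserPath)) {
        if ($null -eq $p) { continue }
        if ($p.AllowServerSideScript -eq 'true' -or $p.CompilationMode -ne 'Never') {
            $results += "7.3 PageParserPath '$($p.VirtualPath)' allows scripting or compilation"
        }
    }

    # 7.2: the benchmark wants the minimum set; report the count for manual comparison
    $safeCount = @($sp.SafeControls.SafeControl | Where-Object { $_.Safe -eq 'True' }).Count
    $results += "7.2 $safeCount SafeControl entries marked Safe; compare against the approved minimum"
    return $results
}

# Each zone's IIS site root is exposed as SPIisSettings.Path (a DirectoryInfo)
foreach ($wa in (Get-SPWebApplication)) {
    foreach ($zone in $wa.IisSettings.Keys) {
        $webConfig = Join-Path $wa.IisSettings[$zone].Path.FullName 'web.config'
        if (Test-Path -LiteralPath $webConfig) {
            "== $($wa.DisplayName) [$zone] $webConfig"
            Test-SPWebConfig -Path $webConfig
        }
    }
}
```

Because web.config is per server, run this on every web front end in the farm; a setting corrected through Central Administration or the object model is propagated, but a hand edit on one server is not.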