DISA_STIG_SharePoint_2010_v1r9.audit from DISA SharePoint 2010 v1r9 | |
SHPT-00-000007 - SharePoint must support the requirement to initiate a session lock after an organizationally defined time period of system or application inactivity has transpired. | ACCESS CONTROL |
SHPT-00-000009 - SharePoint information management policies must be created, configured, and maintained to support the use of organizationally defined security attributes. | CONFIGURATION MANAGEMENT |
SHPT-00-000010 - SharePoint must maintain and support the use of organizationally defined security attributes to stored information - 'Document Library' | ACCESS CONTROL |
SHPT-00-000010 - SharePoint must maintain and support the use of organizationally defined security attributes to stored information. | ACCESS CONTROL |
SHPT-00-000040 - SharePoint must allow authorized users to associate security attributes with information. | ACCESS CONTROL |
SHPT-00-000100 - SharePoint must enforce dual authorization, based on organizational policies and procedures for organizationally defined privileged commands. | ACCESS CONTROL |
SHPT-00-000127 - The 'Automatically delete the site collection if use is not confirmed' property must not be enabled for web applications. | CONFIGURATION MANAGEMENT |
SHPT-00-000130 - For environments requiring an Internet-facing capability, the SharePoint application server upon which Central Administration is installed must not be installed in the DMZ. | ACCESS CONTROL |
SHPT-00-000165 - SharePoint must enable IRM to bind attributes to information to facilitate the organization's established information flow policy as needed. | ACCESS CONTROL |
SHPT-00-000190 - SharePoint must enforce organizational requirements to implement separation of duties through assigned information access authorizations. | ACCESS CONTROL |
SHPT-00-000191 - SharePoint farm service account (Database Access account) must be configured with minimum privileges in Active Directory (AD). | ACCESS CONTROL |
SHPT-00-000193 - The SharePoint setup user domain account must be configured with the minimum privileges in Active Directory. | ACCESS CONTROL |
SHPT-00-000195 - The SharePoint setup user domain account must be configured with the minimum privileges for the local server. | ACCESS CONTROL |
SHPT-00-000197 - A secondary site collection administrator must be defined when creating a new site collection. | CONFIGURATION MANAGEMENT |
SHPT-00-000199 - SharePoint service accounts must be configured for separation of duties. | ACCESS CONTROL |
SHPT-00-000210 - Timer job retries for automatic password change on Managed Accounts must meet DoD password retry policy. | ACCESS CONTROL |
SHPT-00-000235 - SharePoint clients must be configured to display an approved system use notification message or banner before granting access to the system. | ACCESS CONTROL |
SHPT-00-000240 - SharePoint must retain the notification message or banner on the screen until users take explicit actions to log on to or further access. | ACCESS CONTROL |
SHPT-00-000245 - SharePoint must be configured to display the banner, when appropriate, before granting further access. | ACCESS CONTROL |
SHPT-00-000315 - SharePoint must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system. | AUDIT AND ACCOUNTABILITY |
SHPT-00-000405 - To support audit review, analysis, and reporting, SharePoint must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. | AUDIT AND ACCOUNTABILITY |
SHPT-00-000430 - SharePoint must protect audit information from unauthorized access to the usage and health logs. | AUDIT AND ACCOUNTABILITY |
SHPT-00-000431 - SharePoint must protect audit information from unauthorized access to the trace data log files. | AUDIT AND ACCOUNTABILITY |
SHPT-00-000435 - SharePoint must protect audit information from unauthorized modification of usage and health data collection logs. | AUDIT AND ACCOUNTABILITY |
SHPT-00-000436 - SharePoint must protect audit information from unauthorized modification to trace data logs. | AUDIT AND ACCOUNTABILITY |
SHPT-00-000440 - SharePoint must protect audit information from unauthorized deletion of usage and health logs. | AUDIT AND ACCOUNTABILITY |
SHPT-00-000441 - SharePoint must protect audit information from unauthorized deletion of trace log files. | AUDIT AND ACCOUNTABILITY |
SHPT-00-000445 - SharePoint must protect audit tools from unauthorized access - 'Verify Site Collection Administrators' | AUDIT AND ACCOUNTABILITY |
SHPT-00-000445 - SharePoint must protect audit tools from unauthorized access - 'Verify Users and Groups with Full Control' | AUDIT AND ACCOUNTABILITY |
SHPT-00-000465 - SharePoint must support the requirement that privileged access is further defined between audit-related privileges and other privileges. | AUDIT AND ACCOUNTABILITY |
SHPT-00-000475 - To support the requirements and principles of least functionality, SharePoint must support the organizational requirement to provide only essential capabilities. | CONFIGURATION MANAGEMENT |
SHPT-00-000480 - When configuring Central Administration, the port number selected must comply with DoD Ports and Protocol Management (PPSM) program requirements. | CONFIGURATION MANAGEMENT |
SHPT-00-000495 - Backup of SharePoint system level files for critical systems must be performed when identified as required by the owning organization. | CONTINGENCY PLANNING |
SHPT-00-000530 - The Central Administration Web Application must use Kerberos as the authentication provider. | IDENTIFICATION AND AUTHENTICATION |
SHPT-00-000531 - SharePoint sites must not use NTLM. | IDENTIFICATION AND AUTHENTICATION |
SHPT-00-000600 - SharePoint managed service accounts must be set to enable automatic password change. | IDENTIFICATION AND AUTHENTICATION |
SHPT-00-000640 - Applications must support organizational requirements to employ cryptographic mechanisms to protect information in storage. | SYSTEM AND COMMUNICATIONS PROTECTION |
SHPT-00-000645 - SharePoint must terminate the network connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity - 'FormDigestSettings.Enabled = True' | SYSTEM AND COMMUNICATIONS PROTECTION |
SHPT-00-000682 - The Online Web Part Gallery must be configured for limited access. | SYSTEM AND COMMUNICATIONS PROTECTION |
SHPT-00-000683 - SharePoint-specific malware (i.e., anti-virus) software must be integrated and configured - 'Scan Documents on Download is enabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
SHPT-00-000683 - SharePoint-specific malware (i.e., anti-virus) software must be integrated and configured - 'Scan Documents on Upload is enabled' | SYSTEM AND COMMUNICATIONS PROTECTION |
SHPT-00-000683 - SharePoint-specific malware (i.e., anti-virus) software must be integrated and configured. | SYSTEM AND COMMUNICATIONS PROTECTION |
SHPT-00-000690 - The Central Administration site must not be accessible from Extranet or Internet connections. | SYSTEM AND COMMUNICATIONS PROTECTION |
SHPT-00-000692 - Access to Central Administration site must be limited to authorized users and groups. | SYSTEM AND COMMUNICATIONS PROTECTION |
SHPT-00-000760 - SharePoint must implement security functions as largely independent modules to avoid unnecessary interactions between modules - Central Administration is a separate App Pool | SYSTEM AND COMMUNICATIONS PROTECTION |
SHPT-00-000760 - SharePoint must implement security functions as largely independent modules to avoid unnecessary interactions between modules - Internet & Extranet assigned to diff App Pools | SYSTEM AND COMMUNICATIONS PROTECTION |
SHPT-00-000760 - SharePoint must implement security functions as largely independent modules to avoid unnecessary interactions between modules - No Applications assigned to Default App Pool | SYSTEM AND COMMUNICATIONS PROTECTION |
SHPT-00-000805 - The organization must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures. | SYSTEM AND COMMUNICATIONS PROTECTION |
SHPT-00-000810 - SharePoint must identify potentially security-relevant error conditions. | SYSTEM AND INFORMATION INTEGRITY |