4.2 Ensure claims-based authentication is used for all web applications and zones of a SharePoint 2019 farm

Information

Claims-based authentication enables systems and applications to authenticate a user
without requiring the user to disclose more personal information than necessary.
SharePoint continues to support both claims-based and classic (Windows) authentication
modes. Claims-based identity is the identity model in SharePoint that provides
authentication for users of Windows-based and non-Windows-based systems, multiple
authentication types on a single web application, stronger real-time authentication, a
wider set of principal types, and delegation of user identity between applications.

When a user signs in to SharePoint, the user's security token is validated and then used to
establish the session. That token is issued by a claims provider, the identity system
SharePoint trusts. When you build claims-aware applications, the user presents an identity
to the application as a set of claims: one claim could be the user's name, another an email
address. The external identity system is configured to give your application all the
information it needs about the user with each request, together with cryptographic
assurance (the issuer's signature on the token) that the identity data received by the
application comes from a trusted source.

Rationale:

Claims-based identity factors the authentication logic out of individual applications.
Instead of each application determining who the user is, it receives claims that identify
the user.

In software, this bundle of claims is called a security token. Each security token is signed by
the issuer that created it. A claims-based application considers a user authenticated only if
the user presents a valid, signed security token from a trusted issuer. This is considerably
more secure than classic authentication, which depends on Windows identities alone and
cannot support the richer principal types or the federated identity providers that claims
enable.

Solution

1. Navigate to the Central Administration website.
2. Under Application Management, click Manage web applications.
3. Select the web application whose authentication mode you want to verify.
4. On the Web Applications ribbon tab, click the Authentication Providers icon.
5. In the pop-up window, check each zone listed: a value of Windows indicates classic-mode
authentication, whereas a compliant web application shows Claims Based Authentication.
6. To convert a classic-mode web application, create a PowerShell (.ps1) file and paste
the following code into it:

# Target the web application to convert; replace the placeholder with its URL.
$setcba = Get-SPWebApplication 'http://<YourSiteURL>'
# UseClaimsAuthentication is a Boolean property; $true switches the web application to claims mode.
$setcba.UseClaimsAuthentication = $true
# Persist the change to the configuration database.
$setcba.Update()

7. Save the code as SetClaimsBasedAuthentication.ps1 on a SharePoint server in the farm.
8. Execute the script from the SharePoint Management Shell, running as a farm
administrator, with the following command: ./SetClaimsBasedAuthentication.ps1
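The script above flips the web application's mode but does not rewrite existing user and group entries (for example DOMAIN\user) into their claims form, so permissions on existing sites can be lost. The following added example, which is not part of the benchmark text, audits every web application and zone in the farm for claims mode and, when run with -Convert, migrates the non-compliant ones with Convert-SPWebApplication so that existing permissions are retained. The -From Legacy parameter is assumed to be available on the SharePoint 2016/2019 cmdlet; the report layout and the -Convert switch are choices made for this example.

```powershell
# Added example: audit (and optionally convert) classic-mode web applications.
# Run from the SharePoint 2019 Management Shell as a farm administrator.
param(
    [switch]$Convert   # audit only unless this switch is supplied
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ClaimsAuthenticationReport {
    # One row per web application and zone. Claims mode is a property of the web
    # application; the providers listed per zone show what each zone accepts.
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        foreach ($zone in $wa.IisSettings.Keys) {
            $iis = $wa.IisSettings[$zone]
            $providers = @($iis.ClaimsAuthenticationProviders |
                ForEach-Object { $_.DisplayName }) -join ', '
            [pscustomobject]@{
                WebApplication = $wa.DisplayName
                Url            = $wa.Url
                Zone           = $zone
                ClaimsMode     = $wa.UseClaimsAuthentication
                Providers      = if ($providers) { $providers } else { '(classic Windows)' }
            }
        }
    }
}

$report = Get-ClaimsAuthenticationReport
$report | Format-Table -AutoSize

# A web application is non-compliant if it is not in claims mode, regardless of zone.
$nonCompliant = $report | Where-Object { -not $_.ClaimsMode } | Select-Object -Unique Url
if (-not $nonCompliant) {
    Write-Host 'All web applications and zones use claims-based authentication.'
    return
}

foreach ($item in $nonCompliant) {
    if ($Convert) {
        # -RetainPermissions rewrites existing classic principals to their claims
        # form (e.g. i:0#.w|DOMAIN\user) so site permissions survive the conversion.
        # Back up the content databases first; the conversion is not reversible.
        # Assumption: -From Legacy is accepted by this farm's cmdlet version
        # (check Get-Help Convert-SPWebApplication before running).
        Convert-SPWebApplication -Identity $item.Url -From Legacy -To Claims `
            -RetainPermissions -Force
    } else {
        Write-Warning "$($item.Url) still uses classic-mode authentication; re-run with -Convert to migrate it."
    }
}
```

Run it without arguments first and keep the report as evidence for the audit; only re-run with -Convert after a content database backup, since a failed conversion leaves users unable to resolve their permissions.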

Default Value:

Default value is set to Windows, which is what the Authentication Providers dialog
shows for a web application that has not been converted to claims-based (classic-mode)
authentication.

See Also

https://workbench.cisecurity.org/files/2395

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CSCv6|16.9

Plugin: Windows

Control ID: 8eb0bbb635203def7adad6a5df4c93b10550d2432d8328ce546a8d00d597c0f5