1 - Run the Microsoft Security Assessment Tool & Best Practice Security Analyzer Tool from Microsoft
Too often, we assume we “know” everything already and skip some very basic changes that can help immensely. Check out these two security tools to get you started:
Microsoft Security Assessment Tool
The Microsoft Security Assessment Tool (MSAT) is a risk-assessment application designed to provide information and recommendations about best practices for security within an information technology (IT) infrastructure.
Best Practice Security Analyzer Tool from Microsoft
The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations.
2 - Only enable the required Windows Services where you need them
The fewer Windows Services there are to attack or use to attack your server there are, the better. Disable those that are not required to run your server, remembering that different SharePoint servers may have different needs. Identify those you do not need and stopped them from being used for a security attack.
3 - Only enable the required SharePoint Services where you want them to run
Like the previous mention about Windows Services, the same applies to SharePoint Services. If you do not need to use one of them, then stop it to not only reduce the surface for attacks but also improving SharePoint’s performance.
4 - Create multiple Service Accounts, that do not have Domain or Server Administration Permission
Both SharePoint and Windows Services use accounts to do what they need to do. Some services require more access than others to do what they need. For example, a search account needs at least Read on everything in your SharePoint to successfully crawl. However, it isn’t ideal to grant this kind of power to one specific account. Like this service, along with others like it, create multiple service accounts and grant them just the rights needed to do what they need to do. This way, if one of them is compromised, it is not your entire SharePoint farm at risk. And while we’re on the matter, make sure passwords are not the same for all of them and complex enough not to be guessed.
5 - Use DNS URLs, not Server name for access
Make sure there is no reference to your servers in the url people will use to access SharePoint. Make use of Alternate Access Mapping and ensure everyone and everything is always using DNS names. Giving away the name of your server allows them to better target their attacks.
6 - Only use known ports for access, such as 80 or 443, then control access via Firewalls
Though you may think configuring SharePoint on ports different than the common HTTP and HTTPS defaults will help you, you’re better off letting the firewall do the job.
7 - Do not disable the Windows Server Firewall
Just because it makes it easier does not mean it is “better”. Windows Server Firewall is that built-in software in Windows to protect the server from within; it is an added level of security and works exactly as it’s intended to. The Windows Firewall allows you to set different rules depending on the network profile currently active. Since this is a SharePoint Server and not a laptop, you will always be running on that one, making its configuration relatively easy. You should only allow connections required for SharePoint to work and connect to things like AD and Office Web Apps.
8 - Utilize the “ViewFormPagesLockdown” feature
Let’s look at not turning on this feature first, open your web search engine and look for “View All Site Content”. If your SharePoint sites are made available anonymously, you’re opening up the door for attacks. Bare in mind that it’s a lot easier to attack things we know exist, not locking down your SharePoint admin pages like View All Site Content for anonymous users allows them to know what exists. The ViewFormPagesLockdown feature, active with Publishing Sites by default allows you to do just that, lockdown the view form pages.
9 - Protect external entry points via firewall rules
Because of how vast SharePoint is, it’s important to protect it from any possible and unwanted external connections. Only open the ports necessary for your visitors or SharePoint services if connected with the cloud in a hybrid scenario.
10 - Allow Permissions only at the levels where needed, Farm, Service, Web, Site Collection, Site and Content.
SharePoint is secure by default; it’s what we do to it that turns it unsecure in most situations. There are different Permission Levels and you can create your own as well, these define what kind of access exists. Then, you grant groups these Permission Levels on SharePoint objects that can use them by breaking their permissions inheritance and set their own. In SharePoint, you don’t see what you don’t have access to, but on the flip side you can use Search to see everything you have access to quite easily. It’s important to understand how this works and plan accordingly.
No comments:
Post a Comment