While there was some security documentation for SharePoint 2007, it was general in nature, and it required browsing around several different documents and pages.  Microsoft has done us a service with the SharePoint 2010 security hardening documentation that was released around the time the product hit RTM.  This documentation includes a secure server snapshot of the services required, and it includes a definitive list of necessary ports for each component.  This is a big win for administrators who need to protect the SharePoint server(s) in an isolated network.

The documentation is divided into two parts, web and SQL, and together they provide the big picture for a secure environment.  I’ve recently used the documentation to design the security for a SharePoint farm that needs to provide access to multiple outside agencies/partners.  It was much easier to use this documentation than what was provided for the previous version.  I did find a few areas where the documentation could have been more clear, so I wanted to share my findings and see if anyone else has feedback to make the recommendations stronger.

Web Front-End

I found that in a standard Windows network, NetBIOS over TCP/IP could be disabled, according to Microsoft’s recommendation.  The article did not include instructions, but I did find a response on TechNet that describes how it’s done.

The web.config settings could have been described a little more clearly.

  • The PageParserPaths should be empty by default.
  • Remember that whenever you create a new web application, a new web.config file is created for it, so you will need to verify the settings are still secured.
  • I couldn’t find any information about this one, and I’d love it if someone who knows could share their thoughts on how to accomplish this suggestion: “Ensure that Web Part limits around maximum controls per zone is set low.”  Where is this set, and what would be considered low?
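Because each web application gets its own web.config, the two settings in the list above are worth checking across all of them in one pass. The following Python audit is an added example, not code from the original post or from Microsoft's guide. It assumes the zone limit is the `MaxZoneParts` attribute of the `WebPartLimits` element; the ceiling of 50, the function names, and the sample fragments are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: fragment of a web.config with both settings weakened.
SAMPLE_WEAK = """<configuration><SharePoint>
  <SafeMode MaxControls="200" CallStack="false">
    <PageParserPaths>
      <PageParserPath VirtualPath="/*" CompilationMode="Always"
                      AllowServerSideScript="true" IncludeSubFolders="true" />
    </PageParserPaths>
  </SafeMode>
  <WebPartLimits MaxZoneParts="200" PropertySize="1048576" />
</SharePoint></configuration>"""

# Constructed sample: the same fragment with an empty PageParserPaths.
SAMPLE_HARDENED = """<configuration><SharePoint>
  <SafeMode MaxControls="200" CallStack="false">
    <PageParserPaths />
  </SafeMode>
  <WebPartLimits MaxZoneParts="25" PropertySize="1048576" />
</SharePoint></configuration>"""


def audit_root(root, max_zone_parts=50):
    """Return findings for one parsed web.config root element.

    max_zone_parts is the reviewer's own ceiling (an assumption); the
    hardening guide only says the limit should be "low".
    """
    sp = root.find("SharePoint")
    if sp is None:
        return ["no SharePoint section found"]
    findings = []
    paths = sp.find("SafeMode/PageParserPaths")
    for entry in (paths if paths is not None else []):
        findings.append("PageParserPath entry for %s (AllowServerSideScript=%s)"
                        % (entry.get("VirtualPath"), entry.get("AllowServerSideScript")))
    limits = sp.find("WebPartLimits")
    value = limits.get("MaxZoneParts") if limits is not None else None
    if value is None or not value.isdigit():
        findings.append("WebPartLimits MaxZoneParts missing or not a number")
    elif int(value) > max_zone_parts:
        findings.append("MaxZoneParts=%s exceeds ceiling %d" % (value, max_zone_parts))
    return findings


def audit_text(xml_text, max_zone_parts=50):
    """Audit a web.config supplied as a string."""
    return audit_root(ET.fromstring(xml_text), max_zone_parts)


def audit_files(paths, max_zone_parts=50):
    """Audit each web application's web.config; returns {path: findings}."""
    return {p: audit_root(ET.parse(p).getroot(), max_zone_parts) for p in paths}
```

Pass `audit_files` the web.config path of every web application on the server, and re-run it after creating a new web application.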

I wish this documentation had listed the minimum required permissions for each service, as I’m having to discover these myself.  For instance, the web analytics service is the one that writes diagnostic logs, and that service account needs access to write to the diagnostic logs directory.  It would be great to see a definitive list beyond what was offered in the service accounts documentation.

SQL Back-End

Unless you are using named instances on SQL, it is safe to block access to port UDP/1434.  One measure that the documentation did not mention but is critical to protecting SQL servers in general is that the firewall rules should use a default deny for all inbound access to the SQL servers.  Only the application server(s), Domain Controllers, and the workstations of the DBAs should be able to reach the SQL servers at all.

Please share any other insights you might have or other resources that can help us secure our SharePoint environments better.