An error occurred:

Check: SHPT-00-000195

MS SharePoint 2010 STIG: SHPT-00-000195 (in version v1 r9)

Title

The SharePoint setup user domain account must be configured with the minimum privileges for the local server. (Cat II impact)

Discussion

Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires the person accountable for approving an action not be the same person tasked with implementing the action. This requirement is intended to limit exposure due to users (or entities acting on behalf of users) being used to operate from within a privileged account or role. Limiting the access and permissions of privileged accounts to the minimum required, reduces exposure if the account is compromised and provides forensic history of activity when operating from these accounts. See TechNet Article cc678863 for information regarding required permission. The setup user administrator account is used during initial creation of the farm, to update the farm servers, and to configure certain farm configuration option. The setup user administrator account must have membership in the local administrators Windows group on each server in the farm (excluding SQL Server and the Exchange server.)

Check Content

1. On the server(s) where the SharePoint software is installed, navigate to Server Manager -> Local Users and Groups -> Groups. 2. Double-click on each group to view membership. 3. Verify the SharePoint setup user domain account is a member of the Administrators and WSS_ADMIN_WPG groups only. 4. Mark as a finding if the setup user account is a member of any other group than Administrators and WSS_ADMIN_WPG on the local server where SharePoint is installed.

Fix Text

1. On the server (s) where the SharePoint software is installed, navigate to Server Manager -> Local Users and Groups -> Groups. 2. Double-click on each group to view membership. 3. Remove the SharePoint setup user account from membership in groups other than Administrators and WSS_ADMIN_WPG.

Additional Identifiers

Rule ID: SV-40025r2_rule

Vulnerability ID: V-30366

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000225

The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-6

Least Privilege