Check: SHPT-00-000190
MS SharePoint 2010 STIG:
SHPT-00-000190
(in version v1 r9)
Title
SharePoint must enforce organizational requirements to implement separation of duties through assigned information access authorizations. (Cat II impact)
Discussion
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out the action. Additionally, the person or entity accountable for monitoring the activity must be separate as well. To meet this requirement, applications, when applicable, shall be divided where functionality is based on roles and duties. Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles.
Check Content
Verify permission levels for roles are created and assigned correct permissions for each site. The Web Site Admin permission level is a copy of Full Control with modifications according to an organizationally defined permission list. The Web Site Audit permission level is a copy of Full Control with modifications according to an organizationally defined permission list. The Web Site Managers permission level is a copy of Full Control with modifications according to organizationally defined permission list. These permission levels must be configured to produce separation of duties in SharePoint. 1. On a site home page, click Site Actions and then click Site Permissions. 2. In the Manage section of the ribbon, click Permission Levels. 3. Verify the permissions for Web Site Admin, Web Site Audit, and Web Site Manager are set according to organizationally defined permissions. 4. Mark as a finding if any of the three permission levels do not exist. Mark as a finding if permissions for Web Site Admin, Web Site Audit, and Web Site Manager are not set in accordance with organizationally defined permissions.
Fix Text
Create and/or confirm the three required permission levels exist and have permissions in accordance with organizationally defined permissions. 1. On a site home page, click Site Actions, and then click Site Permissions. 2. In the Manage section of the ribbon, click Permission Levels. 3. Create missing permission levels by clicking Add a Permission Level. 4. On the Add a Permission Level page, in the Name field, type a name for the new permission level (Web Site Admin, Web Site Audit, or Web Site Manager). 5. In the Description field, type a description of the new permission level. 6. In the list of permissions, select the check boxes to add permissions to the permission level according to the organizationally defined permissions from the IAO. 7. Click Create.
Additional Identifiers
Rule ID: SV-37759r2_rule
Vulnerability ID: V-28241
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002220 |
The organization defines information system access authorizations to support separation of duties. |
Controls
Number | Title |
---|---|
AC-5 |
Separation Of Duties |