Check: SHPT-00-000100
MS SharePoint 2010 STIG: SHPT-00-000100 (in version v1 r9)
Title
SharePoint must enforce dual authorization, based on organizational policies and procedures for organizationally defined privileged commands. (Cat II impact)
Discussion
An organization may define a policy stating that certain commands within an application require dual authorization before they may be invoked. Dual authorization requires two distinct approving authorities to approve the use of a command before it is invoked. When the organization defines a set of application-related privileged commands requiring dual authorization, the application must support those organizational requirements.

Once an information management policy has been created, the metadata and security attributes it defines can be enforced using a workflow. However, as with most applications, privilege restrictions such as dual authorization cannot be set for the super account, Farm Administrator.

Adding a workflow to a SharePoint library or list enforces a business process on all items in that library or list. A workflow describes the actions the system or users must perform on each item, such as obtaining dual approvals.

Note: If many documents across different libraries require dual authorization, the site should consider creating a content type and adding this type as part of an information management policy.
Check Content
To view what workflows are associated within Central Administration:

1. On the site home page, click Site Actions, and then click Site Settings.
2. On the Site Settings page, in the Site Administration list, click Workflows.
3. Verify there is at least one active workflow configured for dual approval.
4. Mark as a finding if the SSP requires dual approval, but it is not enforced by workflow.
5. Mark as not a finding if dual authorization is not required by the SSP.
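The same inventory can be taken from the SharePoint 2010 Management Shell when many libraries have to be reviewed. The script below is an added example, not part of the STIG: the site URL is a placeholder, and the `*Approval*` name match is an assumed heuristic for spotting approval-type workflows. It lists workflow associations only; whether a workflow actually requires two distinct approvers still has to be confirmed in that workflow's settings.

```powershell
# Added example: list workflow associations on every list in one site collection.
# Run in the SharePoint 2010 Management Shell on a farm server.
param(
    [string]$SiteUrl = 'http://sharepoint.example.local'   # placeholder, replace with the site under review
)

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-WorkflowInventory {
    param($Site)   # an SPSite object
    foreach ($web in $Site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                foreach ($wa in $list.WorkflowAssociations) {
                    # Assumption: approval workflows carry "Approval" in their
                    # own name or in the name of the template they are based on.
                    $approval = ($wa.Name -like '*Approval*') -or
                                ($wa.BaseTemplate.Name -like '*Approval*')
                    New-Object PSObject -Property @{
                        Web               = $web.Url
                        List              = $list.Title
                        Workflow          = $wa.Name
                        Template          = $wa.BaseTemplate.Name
                        Enabled           = $wa.Enabled
                        LooksLikeApproval = $approval
                    }
                }
            }
        } finally {
            $web.Dispose()   # SPWeb objects from AllWebs must be disposed
        }
    }
}

$site = Get-SPSite -Identity $SiteUrl
try {
    $rows = @(Get-WorkflowInventory -Site $site)
    $rows | Sort-Object Web, List |
        Format-Table Web, List, Workflow, Template, Enabled, LooksLikeApproval -AutoSize

    # Candidates for step 3 of the check: enabled, approval-type associations.
    $candidates = @($rows | Where-Object { $_.Enabled -and $_.LooksLikeApproval })
    if ($candidates.Count -eq 0) {
        Write-Warning "No enabled approval-type workflow found in $SiteUrl; compare against the SSP."
    }
} finally {
    $site.Dispose()
}
```

An empty result is a finding only if the SSP requires dual approval, as stated in steps 4 and 5.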
Fix Text
Create an approval workflow for document libraries or documents which requires dual authorization.

1. On the site home page, click Site Actions, and then click Site Settings.
2. On the Site Settings page, in the Site Administration list, click Site libraries and lists.
3. On the Site Libraries and Lists page, select a library or list.
4. On the List Settings page, in the Permissions and Management list, click Workflow Settings.
5. On the Workflow Settings page, click Add a workflow.
6. Follow the directions of the workflow wizard to create an approval workflow that requires dual approval for the documents stored in the selected library.
Additional Identifiers
Rule ID: SV-36114r2_rule
Vulnerability ID: V-27996
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000021 | The information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions. |
Controls
Number | Title |
---|---|
AC-3 (2) | Dual Authorization |