An error occurred:

Check: SP13-00-000130

MS SharePoint 2013 STIG: SP13-00-000130 (in versions v1 r9 through v1 r3)

Title

SharePoint must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. (Cat II impact)

Discussion

The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains) controlling access to, and protecting the integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process.

Check Content

Review the SharePoint server configuration to ensure security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers are implemented. Check the network location of the Central Administration server. If the server resides in the DMZ, this is a finding. Attempt to access Central Administration without first connecting to a management network VPN. If Central Administration can be accessed over a production network, this is a finding. Attempt to connect directly to a SharePoint server (i.e., via remote desktop) without first connecting to a management network VPN. If a remote desktop session can be established via a production network, this is a finding.

Fix Text

Configure the SharePoint server to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. Configure access to Central Administration to be allowed over a management (OOB) network. Configure Central Administration on a server that resides within the internal network (not on a server in the DMZ). Configure management access (i.e., remote desktop access and local server access) so that it occurs only via a management network (OOB) and not over a production network.

Additional Identifiers

Rule ID: SV-74413r1_rule

Vulnerability ID: V-59983

Group Title: SRG-APP-000238

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001089

The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-3 (5)

Layered Structures