Check: SP13-00-000150
MS SharePoint 2013 STIG:
SP13-00-000150
(in versions v1 r9 through v1 r3)
Title
The SharePoint Central Administration site must not be accessible from Extranet or Internet connections. (Cat II impact)
Discussion
SharePoint must prevent the presentation of information system management-related functionality at an interface utilized by general, (i.e., non-privileged), users. The Central Administrator is an application used to manage SharePoint system settings and the settings of the web applications running under SharePoint. The Central Administrator application should both be protected using a defense-in-depth approach. Regular users should not be able to access the Central Administrator as the first line of defense. The second line of defense is regular users do not have user ids defined in the Central Administration application.
Check Content
Review the SharePoint server configuration to ensure Central Administration site is not accessible from Extranet or Internet connections. Check outside access to Central Administration. On an administrative work station, open Central Administration and make note of the URL (i.e., http://sharepointserver:7040). Try to open the Central Administration application on a regular user's workstation. Open a Web browser and type in the URL to Central Administration. If the Central Administration can be opened, this is a finding.
Fix Text
Configure the SharePoint Central Administration site to not be accessible from Extranet or Internet connections. Block outside Central Administrator access. Use an IIS IP address restrictions, firewall, or other filtering solutions to limit access to Central Administration site.
Additional Identifiers
Rule ID: SV-74423r1_rule
Vulnerability ID: V-59993
Group Title: SRG-APP-000212
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001083 |
The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users. |
Controls
Number | Title |
---|---|
SC-2 (1) |
Interfaces For Non-Privileged Users |