Export (0) Print
Expand All

Review the secure topology design checklists (Office SharePoint Server)

Office 2007

Updated: April 23, 2009

Applies To: Office SharePoint Server 2007

Updated: 2009-04-23

In this article:

In Microsoft Office SharePoint Server 2007, successful server hardening depends on a server topology and logical architecture that are designed for targeted isolation and secure communication.

Previous planning articles address topology and logical architecture in depth. This article provides checklists that you can use to ensure that your plans meet the criteria for a secure design.

Use the secure topology design checklists with the following security environments:

  • Internal IT hosted

  • External secure collaboration

  • External anonymous access

Server topology design checklist

Review the following checklist to ensure that your plans meet the criteria for a secure server topology design.

[ ]

The topology incorporates dedicated front-end Web servers.

[ ]

Servers that host application server roles and database server roles are protected from direct user access.

[ ]

The SharePoint Central Administration site is hosted on a dedicated application server, such as the index server.

Networking topology design checklist

Review the following checklist to ensure that your plans meet the criteria for a secure networking topology design.

[ ]

All servers within the farm reside within a single data center and on the same vLAN.

[ ]

Access is allowed through a single point of entry, which is a firewall.

[ ]

For a more secure environment, the farm is separated into three tiers (front-end Web, application, and database), which are separated by routers or firewalls at each vLAN boundary.

Logical architecture design checklist

Review the following checklist to ensure that your plans meet the criteria for a secure logical architecture design.

[ ]

At least one zone in each Web application uses NTLM authentication. This is required for the search account to crawl content within the Web application. For more information, see Plan authentication methods (Office SharePoint Server).

[ ]

Web applications are implemented by using host names instead of the randomly generated port numbers that are automatically assigned. Do not use Internet Information Services (IIS) host header bindings if the Web application will be hosting host-named site collections.

[ ]

Consider using separate Web applications for the following circumstances:

  • Your company policy requires process isolation for content and applications.

  • You are implementing sites that integrate with external data sources where the content provided by these data sources is sensitive or requires greater security.

[ ]

In a reverse proxy environment, consider using the default port for the public-facing network while using a nondefault port on your internal network. This can help prevent simple port attacks on your internal network that assume HTTP will always be on port 80.

[ ]

When deploying custom Web Parts, only trustworthy Web Parts are deployed within Web applications that host sensitive or secure content. This protects the sensitive content against intradomain scripting attacks.

[ ]

Separate application pool accounts are used for central administration and for each unique Web application.

Operating system design checklist

Review the following checklist to ensure that your plans meet the criteria for a secure operating system design.

[ ]

The server operating system is configured to use the NTFS file system.

[ ]

Clocks on all servers within the farm are synchronized.

Download this book

This topic is included in the following downloadable book for easier reading and printing:

See the full list of available books at Downloadable content for Office SharePoint Server 2007.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft