Review the secure topology design checklists (Office SharePoint Server)
Applies To: Office SharePoint Server 2007
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2016-11-14
In this article:
Server topology design checklist
Networking topology design checklist
Logical architecture design checklist
Operating system design checklist
In Microsoft Office SharePoint Server 2007, successful server hardening depends on a server topology and logical architecture that are designed for targeted isolation and secure communication.
Previous planning articles address topology and logical architecture in depth. This article provides checklists that you can use to ensure that your plans meet the criteria for a secure design.
Use the secure topology design checklists with the following security environments:
Internal IT hosted
External secure collaboration
External anonymous access
Server topology design checklist
Review the following checklist to ensure that your plans meet the criteria for a secure server topology design.
[ ] The topology incorporates dedicated front-end Web servers.
[ ] Servers that host application server roles and database server roles are protected from direct user access.
[ ] The SharePoint Central Administration site is hosted on a dedicated application server, such as the index server.
Networking topology design checklist
Review the following checklist to ensure that your plans meet the criteria for a secure networking topology design.
[ ] All servers within the farm reside within a single data center and on the same vLAN.
[ ] Access is allowed through a single point of entry, which is a firewall.
[ ] For a more secure environment, the farm is separated into three tiers (front-end Web, application, and database), which are separated by routers or firewalls at each vLAN boundary.
Logical architecture design checklist
Review the following checklist to ensure that your plans meet the criteria for a secure logical architecture design.
[ ] At least one zone in each Web application uses NTLM authentication. This is required for the search account to crawl content within the Web application. For more information, see Plan authentication methods (Office SharePoint Server).
[ ] Web applications are implemented by using host names instead of the randomly generated port numbers that are automatically assigned. Do not use Internet Information Services (IIS) host header bindings if the Web application will be hosting host-named site collections.
[ ] Consider using separate Web applications for the following circumstances:
[ ] In a reverse proxy environment, consider using the default port for the public-facing network while using a nondefault port on your internal network. This can help prevent simple port attacks on your internal network that assume HTTP will always be on port 80.
[ ] When deploying custom Web Parts, only trustworthy Web Parts are deployed within Web applications that host sensitive or secure content. This protects the sensitive content against intradomain scripting attacks.
[ ] Separate application pool accounts are used for central administration and for each unique Web application.
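As an added check to run on each front-end Web server (an audit script written for this page, not code from the article or from the SharePoint product), the following PowerShell inventories the IIS sites and flags two of the items above: Web applications reachable only by a bare port with no host name, and application pool accounts shared between Central Administration and other Web applications. It assumes the IIS 6 WMI provider in the root\MicrosoftIISv2 namespace is present, which is the case on IIS 6 and on IIS 7 with the IIS 6 WMI compatibility feature.

```powershell
# Added audit script (not from the article). Assumes the IIS 6 WMI provider is installed.
$ns    = 'root\MicrosoftIISv2'
$sites = Get-WmiObject -Namespace $ns -Class IIsWebServerSetting
$pools = Get-WmiObject -Namespace $ns -Class IIsApplicationPoolSetting
$roots = Get-WmiObject -Namespace $ns -Class IIsWebVirtualDirSetting |
         Where-Object { $_.Name -match '^W3SVC/\d+/ROOT$' }

$findings  = @()
$poolUsage = @{}   # application pool name -> sites that run in it

foreach ($site in $sites) {
    $id    = $site.Name                        # e.g. W3SVC/1
    $label = "$($site.ServerComment) ($id)"
    foreach ($b in $site.ServerBindings) {
        # Checklist item: address Web applications by host name, not by the randomly
        # assigned port. A Web application that hosts host-named site collections has
        # no host header by design, so review any hit on such a site rather than act on it.
        if ([string]::IsNullOrEmpty($b.Hostname) -and $b.Port -ne '80' -and $b.Port -ne '443') {
            $findings += "$label : binding $($b.IP):$($b.Port) has no host name (port-only Web application)"
        }
    }
    $root = $roots | Where-Object { $_.Name -eq "$id/ROOT" }
    if ($root) {
        $pool = $root.AppPoolId
        if (-not $poolUsage.ContainsKey($pool)) { $poolUsage[$pool] = @() }
        $poolUsage[$pool] += $label
    }
}

# Checklist item: a separate application pool account for Central Administration and
# for each Web application. Two pools that run as the same account also fail this.
$accountUsage = @{}   # identity -> sites that run under it
foreach ($pool in $pools) {
    $poolName = $pool.Name -replace '^W3SVC/AppPools/', ''
    if (-not $poolUsage.ContainsKey($poolName)) { continue }   # pool not used by any site
    # AppPoolIdentityType 3 = specific user account; 0/1/2 are the built-in identities.
    $account = if ($pool.AppPoolIdentityType -eq 3) { $pool.WAMUserName.ToLower() } else { "builtin:$($pool.AppPoolIdentityType)" }
    if (-not $accountUsage.ContainsKey($account)) { $accountUsage[$account] = @() }
    $accountUsage[$account] += $poolUsage[$poolName]
}
foreach ($account in $accountUsage.Keys) {
    $users = $accountUsage[$account]
    if ($users.Count -gt 1) { $findings += "account '$account' is shared by: $($users -join ', ')" }
}

if ($findings.Count -eq 0) { 'No checklist findings.' } else { $findings }
```

Run it in an elevated PowerShell session on each front-end Web server and on the server that hosts Central Administration, since application pools are configured per server.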
Operating system design checklist
Review the following checklist to ensure that your plans meet the criteria for a secure operating system design.
[ ] The server operating system is configured to use the NTFS file system.
[ ] Clocks on all servers within the farm are synchronized.