Plan secure configurations for Windows SharePoint Services features

Applies To: Windows SharePoint Services 3.0

 

Topic Last Modified: 2009-04-15

In this article:

  • Recommendations for Windows SharePoint Services features

Use this article to find recommendations for configuring and managing Windows SharePoint Services 3.0 features in a more secure manner. You will usually perform the recommended configurations in Central Administration, rather than in the network, operating system, Internet Information Services (IIS), or the Microsoft .NET Framework. The recommendations in this article are appropriate for the following security environments:

  • Internal team or department

  • Internal IT-hosted

  • External secure collaboration

  • External anonymous access

For more information about these environments, see Choose your security environment (Windows SharePoint Services).

Recommendations for Windows SharePoint Services features

The following table describes recommendations to help you secure Windows SharePoint Services 3.0 features.

Feature or area Recommendation

Authentication

  • Do not use client-side automatic logon when using the Central Administration site.

  • Allow only front-end Web server computers to perform authentication of users. Do not allow end-user accounts or groups to authenticate against the database server computer.

Authorization

Assign permissions to groups instead of individual accounts.

Permission levels

Assign users the least permissions required to complete their tasks.

Administration

Use access permissions to secure the Central Administration site and allow administrators to connect to the site remotely (as opposed to enabling the Central Administration site for local computer use only). This alleviates the requirement for administrators to log on locally to the computer that is hosting Central Administration. Configuring Terminal Services access to the computer creates a greater security risk than leaving the Central Administration Web site available for remote access.

E-mail integration

  • Configure Windows SharePoint Services 3.0 to accept only e-mail that has been relayed through a dedicated mail server, such as Microsoft Exchange Server, which filters out viruses and unsolicited commercial e-mail, and authenticates the mail sender.

  • When configuring workflow settings, Windows SharePoint Services 3.0 allows you to enable participants who do not have rights to access a document on a site to receive the document as an e-mail attachment instead. In a secure environment, do not select the Allow external users to participate in workflow by sending them a copy of the document option. In Windows SharePoint Services 3.0, this option is not selected, by default.

Web Part storage and security

  • Ensure that you deploy only trusted code to your server farm. All code, XML, or ASP.NET code that you deploy should be from a trusted source, even if you intend to tighten security after deployment with defense-in-depth measures such as code access security.

  • Ensure that the SafeControl list in the Web.config file contains the set of controls and Web Parts that you want to allow.

  • Ensure that custom Web Parts that you plan to reinforce with defense-in-depth measures are installed into the bin directory of the Web application (where partial trust is turned on), with specific permissions for each assembly.

  • Consider removing the Content Editor Web Part from the SafeControl list. This prevents users from adding JavaScript into the page as a Web Part and using JavaScript that is hosted on external servers.

  • Ensure that appropriate people in your organization are granted the Design and Contribute permission levels in your site. A user with the Contribute permission level can upload Active Server Page Extension (ASPX) pages to a library and add Web Parts. Users with the Design permission level, who are allowed to add Web Parts, can modify pages, including the home page on your site (Default.aspx).

Search

  • The Windows SharePoint Services Search service account must not be a member of the Farm Administrators group; otherwise, the Windows SharePoint Services Search service will index unpublished versions of documents.

  • Ensure that additional IFilters and word breakers that you deploy are trusted by your IT team.

  • By default, the search index file is accessible only by members of the Farm Administrators group. Ensure that this file is not accessible to users who do not belong to this group.

Download this book

This topic is included in the following downloadable book for easier reading and printing:

See the full list of available books at Downloadable books for Windows SharePoint Services.