The Central Administration site must not be accessible from Extranet or Internet connections.

From SharePoint 2010 Security Technical Implementation Guide (STIG)

Associated with IA controls: DCPA-1

Associated with: CCI-001083

SV-36741r2_rule The Central Administration site must not be accessible from Extranet or Internet connections.

Vulnerability discussion

SharePoint must prevent the presentation of information system management-related functionality at an interface utilized by general, (i.e., non-privileged), users. Central Administration is an application used to manage SharePoint system settings and the settings of the web applications running under SharePoint. The Central Administration application should be protected using a defense-in-depth approach. Regular users should not be able to access the Central Administration as the first line of defense. The second line of defense is that regular users do not have user ids defined in the Central Administration application.

Check content

Check outside access to Central Administration. 1. On an administrative work station, open Central Administration and make note of the URL (i.e., http://sharepointserver:7040). 2. Try to open the Central Administration application on a regular user’s workstation. Open a Web browser and type in the URL to Central Administration. If Central Administration can be opened, it is a finding.

Fix text

Block outside Central Administration access. Use IIS IP address restrictions, firewall, or other filtering solutions to limit access to the Central Administration site.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.