SharePoint must enforce dual authorization, based on organizational policies and procedures for organizationally defined privileged commands.

From MS SharePoint 2010 Security Technical Implementation Guide

Part of SRG-APP-000034-COL-000025

Associated with: CCI-000021

SV-36114r2_rule SharePoint must enforce dual authorization, based on organizational policies and procedures for organizationally defined privileged commands.

Vulnerability discussion

An organization may see fit to define a policy stating that certain commands contained within an application require dual authorization before they may be invoked. Dual authorization requires two distinct approving authorities to approve the use of the command before it is invoked. When the organization defines a set of application-related privileged commands requiring dual authorization, the application must support those organizational requirements. Once an information management policy has been created, the metadata and security attributes it defines can be enforced using a workflow. However, as with most applications, privilege restrictions such as dual authorization cannot be set for the super account, Farm Administrator. Adding a workflow to a SharePoint library or list enforces a business process on all items in that library or list. A workflow describes the actions the system or users must perform on each item, such as obtaining dual approvals.

Note: If many documents across different libraries require dual authorization, the site should consider creating a content type and adding this type as part of an information management policy.

Check content

To view which workflows are associated within Central Administration:

1. On the site home page, click Site Actions, and then click Site Settings.
2. On the Site Settings page, in the Site Administration list, click Workflows.
3. Verify there is at least one active workflow configured for dual approval.
4. Mark as a finding if the SSP requires dual approval, but it is not enforced by a workflow.
5. Mark as not a finding if dual authorization is not required by the SSP.
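The check above is performed by hand on one site's Workflows page. The following PowerShell script is an added example, not part of the STIG or of any Microsoft-supplied check, that enumerates the workflow associations on every visible list and library in a site using the SharePoint 2010 server object model, so an assessor can see at a glance which libraries have an enabled approval workflow and which have none. It assumes it is run on a SharePoint 2010 server by an account that can load the Microsoft.SharePoint.PowerShell snap-in, and the $SiteUrl value is a placeholder to be replaced with the site under review.

```powershell
# Added example (not part of the STIG): inventory enabled approval workflows
# on every list/library in one site to support the dual-approval check.
param(
    # Placeholder: replace with the URL of the site being assessed.
    [string]$SiteUrl = "http://sharepoint.example.local/sites/records"
)

# SharePoint 2010 cmdlets live in this snap-in; ignore the error if already loaded.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb $SiteUrl
try {
    $results = foreach ($list in $web.Lists) {
        # Skip system lists (hidden lists are not user document stores).
        if ($list.Hidden) { continue }

        # Workflow associations attached directly to this list or library.
        # An association is only useful for this check if it is enabled and
        # based on an approval template.
        $approvals = @($list.WorkflowAssociations |
            Where-Object { $_.Enabled -and $_.BaseTemplate.Name -match 'Approval' })

        [pscustomobject]@{
            List              = $list.Title
            ApprovalWorkflows = ($approvals | ForEach-Object { $_.Name }) -join '; '
            HasActiveApproval = $approvals.Count -gt 0
        }
    }
}
finally {
    # SPWeb objects hold unmanaged resources; always dispose them.
    $web.Dispose()
}

# Libraries with no active approval workflow sort to the top of the report.
$results | Sort-Object HasActiveApproval, List | Format-Table -AutoSize

# Each library without an enabled approval workflow must be compared against
# the SSP: if the SSP requires dual approval for its contents, that is a finding.
$results | Where-Object { -not $_.HasActiveApproval } |
    ForEach-Object { Write-Warning "No active approval workflow on list '$($_.List)'" }
```

The report only shows that an enabled approval workflow exists on a library; it cannot tell from the association object alone how many approvers the workflow demands. For each library that the SSP places under dual authorization, open the workflow's association settings in the site UI and confirm that two distinct approvers are required before treating the control as enforced.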

Fix text

Create an approval workflow for document libraries or documents which requires dual authorization.

1. On the site home page, click Site Actions, and then click Site Settings.
2. On the Site Settings page, in the Site Administration list, click Site libraries and lists.
3. On the Site Libraries and Lists page, select a library or list.
4. On the List Settings page, in the Permissions and Management list, click Workflow Settings.
5. On the Workflow Settings page, click Add a workflow.
6. Follow the directions of the workflow wizard to create an approval workflow that requires dual approval for the documents stored in the selected library.
