SharePoint must retain the notification message or banner on the screen until users take explicit actions to log on to or further access.

From MS SharePoint 2010 Security Technical Implementation Guide

Part of SRG-APP-000069-COL-000052

Associated with: CCI-000050

SV-36431r1_rule SharePoint must retain the notification message or banner on the screen until users take explicit actions to log on to or further access.

Vulnerability discussion

To establish acceptance of system usage policy, a click-through banner at application logon is required. The banner shall prevent further activity on the application unless and until the user executes a positive action to agree by clicking on a box indicating "OK" or agreement with the terms of the banner. The text of this banner should be customizable in the event of future user agreement changes.

Check content

1. Obtain a list of all SharePoint Web applications. 2. Open a Web browser and navigate to the SharePoint Web applications home page. 3. No further access is possible to the SharePoint web application unless a positive action to agree (such as clicking on a box indicating “OK”) is required. 4. If further access to the SharePoint Web application is possible before positive action to agree, this is a finding.

Fix text

Configure the SharePoint Web application home page to not allow any further access until the user executes a positive action to agree.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer