SharePoint must enforce organizational requirements to implement separation of duties through assigned information access authorizations.

From MS SharePoint 2010 Security Technical Implementation Guide

Part of SRG-APP-000062-COL-000046

Associated with: CCI-002220

SV-37759r2_rule SharePoint must enforce organizational requirements to implement separation of duties through assigned information access authorizations.

Vulnerability discussion

Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out the action. Additionally, the person or entity accountable for monitoring the activity must be separate as well. To meet this requirement, applications, when applicable, shall be divided where functionality is based on roles and duties. Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles.

Check content

Verify permission levels for roles are created and assigned correct permissions for each site. The Web Site Admin permission level is a copy of Full Control with modifications according to an organizationally defined permission list. The Web Site Audit permission level is a copy of Full Control with modifications according to an organizationally defined permission list. The Web Site Managers permission level is a copy of Full Control with modifications according to organizationally defined permission list. These permission levels must be configured to produce separation of duties in SharePoint. 1. On a site home page, click Site Actions and then click Site Permissions. 2. In the Manage section of the ribbon, click Permission Levels. 3. Verify the permissions for Web Site Admin, Web Site Audit, and Web Site Manager are set according to organizationally defined permissions. 4. Mark as a finding if any of the three permission levels do not exist. Mark as a finding if permissions for Web Site Admin, Web Site Audit, and Web Site Manager are not set in accordance with organizationally defined permissions.

Fix text

Create and/or confirm the three required permission levels exist and have permissions in accordance with organizationally defined permissions. 1. On a site home page, click Site Actions, and then click Site Permissions. 2. In the Manage section of the ribbon, click Permission Levels. 3. Create missing permission levels by clicking Add a Permission Level. 4. On the Add a Permission Level page, in the Name field, type a name for the new permission level (Web Site Admin, Web Site Audit, or Web Site Manager). 5. In the Description field, type a description of the new permission level. 6. In the list of permissions, select the check boxes to add permissions to the permission level according to the organizationally defined permissions from the IAO. 7. Click Create.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer