SharePoint must implement an information system isolation boundary that minimizes the number of nonsecurity functions included within the boundary containing security functions.

From SharePoint 2013 Security Technical Implementation Guide

Part of SRG-APP-000236

Associated with: CCI-000366 CCI-001087

SV-74411r1_rule SharePoint must implement an information system isolation boundary that minimizes the number of nonsecurity functions included within the boundary containing security functions.

Vulnerability discussion

The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains) that controls access to, and protects the integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process.

Check content

Review the SharePoint server configuration to ensure that an information system isolation boundary that minimizes the number of nonsecurity functions included within the boundary containing security functions is implemented. Log on to the server that hosts the farm's Central Administration website. Open IIS Manager. Expand the "Sites" tree view and right-click the web application named "SharePoint Central Administration". Select "Edit Bindings ...". Confirm the site is bound to an out-of-band (OOB) IP address. If the site is bound to a production IP address or not bound to a specific IP address, this is a finding.
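The same check can be scripted. The following PowerShell is an added example, not part of the STIG: the function name Test-CentralAdminBinding, the OOB address list, and the sample bindings are assumptions constructed for illustration. It evaluates IIS binding strings ("IP:port:host header") against the two finding conditions stated above.

```powershell
# Added example (not STIG content). Assumes PowerShell 3.0 or later.
# Classifies IIS binding strings for the Central Administration site.
function Test-CentralAdminBinding {
    param(
        [Parameter(Mandatory)][string[]]$BindingInformation,  # "IP:port:host" strings
        [Parameter(Mandatory)][string[]]$OobAddresses         # assumption: your OOB IPs
    )
    # Normalize the allowed addresses so textual variants compare equal.
    $oob = $OobAddresses | ForEach-Object { [ipaddress]::Parse($_).ToString() }

    foreach ($b in $BindingInformation) {
        # Greedy IP group so bracketed IPv6 literals ("[::1]:443:") still parse.
        if ($b -notmatch '^(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$') {
            [pscustomobject]@{ Binding = $b; Finding = $true; Reason = 'Unparseable binding' }
            continue
        }
        $ip     = $Matches.ip.Trim('[', ']')
        $parsed = $null
        if ($ip -in @('', '*', '0.0.0.0', '::')) {
            # Wildcard forms: the site listens on every address of the server.
            $reason = 'Not bound to a specific IP address'
        } elseif (-not [ipaddress]::TryParse($ip, [ref]$parsed)) {
            $reason = 'IP address field is not a valid address'
        } elseif ($parsed.ToString() -notin $oob) {
            $reason = 'Bound to an address outside the OOB list'
        } else {
            $reason = $null   # bound to an OOB address: not a finding
        }
        [pscustomobject]@{ Binding = $b; Finding = [bool]$reason; Reason = $reason }
    }
}

# Constructed sample input (documentation address ranges, not real hosts).
$sample = '*:2013:', '198.51.100.20:443:ca.example.test', '192.0.2.10:443:'
Test-CentralAdminBinding -BindingInformation $sample -OobAddresses '192.0.2.10' |
    Format-Table -AutoSize

# On the Central Administration server, feed the live bindings instead:
#   Import-Module WebAdministration
#   $live = (Get-WebBinding -Name 'SharePoint Central Administration').bindingInformation
#   Test-CentralAdminBinding -BindingInformation $live -OobAddresses '<your OOB IP>'
```

Any row with Finding set to True corresponds to a finding under this rule; with the constructed sample, the first two bindings are findings and the third is not.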

Fix text

Configure the SharePoint server to implement an information system isolation boundary that minimizes the number of nonsecurity functions included within the boundary containing security functions. Log on to the server that hosts the farm's Central Administration website. Open IIS Manager. Expand the "Sites" tree view and right-click the web application named "SharePoint Central Administration". Select "Edit Bindings ...". Select the site binding record and click "Edit". From the "IP Address" dropdown list, select an OOB IP address. Click "Ok". NOTE: If the Central Administration site has multiple site bindings, the steps will need to be repeated for each site binding.
