Security Basics mailing list archives
RE: secure sharepoint 2010 design
From: "Boyd, Chad" <CBoyd () madden com>
Date: Tue, 3 Aug 2010 22:02:42 +0000
When designing any web portal or outward facing system, it's always a good idea to segment your front ends from your back ends. In my experience, you should look in to: With a basic SharePoint setup, you should have at minimum two servers. - The Web Front End - This should be segmented from the network in a DMZ. It's also a good idea to put this behind your outward facing proxy, like ISA. Make sure that your backend systems like your DC's, WSUS, and AV systems can communicate with these correctly. - The backend, or database services. We have a separate network segment for database servers and are able to finely control which web front ends (and everything else for that matter) can access the database servers. I consider this a second DMZ (of sorts), because these systems don't need to be fully open to every user on your network either. - You should also ensure that each separate service (content access, search services, setup account, etc.) runs under different usernames with very strong passwords (at least 9 characters, at least 1 upper case, 1 lower case, 1 number, 1 special character, no 1337 speak, no common words, random). - Once your WFE is set up, you should also make sure that you have a good SSL cert on there. - Also, you should make a small change to your web.config file on the WFE: in your system.web section, above the membership provider, I put <httpCookies requireSSL="true" httpOnlyCookies="true" /> The httpCookies element supports the use of HttpOnly cookies. HttpOnly cookies (cookies with the HttpOnly attribute) were introduced in Internet Explorer 6 to help mitigate the risk of cross-site scripting. The HttpOnly attribute prevents cookies from being accessed through client-side script. Any information contained in an HttpOnly cookie is less likely to be disclosed to a hacker or a malicious Web site. From here: http://msdn.microsoft.com/en-us/library/system.web.configuration.httpcookiessection.httponlycookies.aspx While the "help.aspx XSS" vulnerability doesn't affect 2010, setting this may mitigate a future attack....possibly...couldn't hurt. While I know that this is a bit more than most organizations tend to do, it's just my two cents. Also, for all Web Front Ends, make sure you are hardening your systems. NIST has some great guides, as does the NSA (which I use). Links below. NIST - Guidelines on securing public web servers - http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf NSA - Database Configuration - http://www.nsa.gov/ia/guidance/security_configuration_guides/database_servers.shtml NSA - Server 2003 Security Guides - http://www.nsa.gov/applications/search/index.cfm?q=Microsoft%20Windows%20Server%202003 Almost all of the configuration items here still hold for 2008. Wow, that's a lot. If you need any help on this, let me know. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Paul Johnston Sent: Monday, August 02, 2010 4:15 AM To: security-basics () securityfocus com Subject: Re: secure sharepoint 2010 design Hi, The question I would ask is: do existing similar systems in your company have a dedicated, firewalled network? I think you'll find that somewhat more critical systems (e.g. your domain controllers) currently sit on the same network as all your workstations. While there is a security benefit in firewalling sharepoint, it's a bit moot if more critical systems are not firewalled. Paul
just wondering if anyone here has been involved with designing sharepoint 2010 or earlier version from ground up. the consulting people we have working on this are MS or sharepoint people from third party and all seem to think that it's ok to leave your whole sharepoint environment open to corporate lan. according to
-- Pentest - When a tick in the box is not enough Paul Johnston - IT Security Consultant / Tiger SST Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982) Office: +44 (0) 161 233 0100 Mobile: +44 (0) 7817 219 072 Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy Registered Number: 4217114 England & Wales Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: secure sharepoint 2010 design Paul Johnston (Aug 03)
- Re: secure sharepoint 2010 design Francois Yang (Aug 03)
- Message not available
- Message not available
- Re: secure sharepoint 2010 design Paul Johnston (Aug 09)
- Message not available
- Re: secure sharepoint 2010 design Francois Yang (Aug 03)
- RE: secure sharepoint 2010 design Boyd, Chad (Aug 03)
- Message not available
- RE: secure sharepoint 2010 design Boyd, Chad (Aug 09)
- Message not available
- Re: secure sharepoint 2010 design Paul Johnston (Aug 10)
- RE: secure sharepoint 2010 design Boyd, Chad (Aug 10)
- Re: secure sharepoint 2010 design Ansgar Wiechers (Aug 11)