Security Basics mailing list archives

RE: secure sharepoint 2010 design


From: "Boyd, Chad" <CBoyd () madden com>
Date: Mon, 9 Aug 2010 15:20:32 +0000

I'm sorry, the list moderators for the security-basics list have failed to act on your post. Thus, I'm returning it 
to you.
If you feel that this is in error, please repost the message or contact a list moderator directly.

---Alright, I'll do that. :)

A few of them are.

Network segmentation - In the event of a compromise, it's always good forethought to segment your network to limit 
resources to only where they are needed. I consider this standard, regardless of the question.

Server separation - I know that on WSS3, if you had search services, database services and the WFE on the same system, 
you would need some good hardware to handle it all. Perhaps that's better in 2010, I don't know. I do know that I have 
only ever set everything up on a single system once. That was in my home lab for testing. There is also a security 
aspect here, but I'd worry about network segmentation first. If you can get that, then by all means put your database 
on another box.

If this is an internal only (Intranet) SharePoint deployment, I would still configure SSL. You can use a local CA for 
this if it's not going to be exposed to the outside world, but I wouldn't communicate with any web service that relies 
on username/passwords over HTTP. That goes double for my domain account (if you're using NTLM auth for this).

Setting the httponly in the web.config isn't that big of a deal on an Intranet only system, but it can't hurt, and it 
only takes a second to change.

Always harden your web servers. Heck, always harden all of your servers. The NSA guides I provided go over several 
system scenario types and the best ways to secure them. There are sections for web servers, file servers, bastion 
hosts, domain controllers, etc. Almost all of these configs can be done through a GPO.

...and lastly the accounts. If you go to the trouble to segment your network, wouldn't it make equal sense to segment 
your accounts? Give them least privilege. No domain admin "just to get it working".


In all, there's not much that I provided that I wouldn't do on an internal-only system that I would do on an externally 
facing one. Call me paranoid (I am the security guy for my company), but it's easier for me to trust someone out in the 
WWW, than someone in my own network. At least I can filter out the stuff from the web.



-----Original Message-----
From: Dan Lynch [mailto:DLynch () placer ca gov] 
Sent: Tuesday, August 03, 2010 5:49 PM
To: Boyd, Chad; Paul Johnston; security-basics () securityfocus com
Subject: RE: secure sharepoint 2010 design

In my experience, you should look in to ...

Chad,

Good list, but only applicable if one is exposing Sharepoint to the internet. The OP can correct me, but I don't 
believe that was in his plan. Do you think these steps are (some or all of them) appropriate in a private enterprise 
network only deployment?


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
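The httponly web.config change Chad mentions above is an ASP.NET `<httpCookies>` setting under `<system.web>`. The script below is an added example (not from either poster, and not SharePoint's own tooling) that audits a web.config for that setting and for `requireSSL`; the web.config path is a placeholder you would replace with the IIS site's actual path.

```powershell
# Added example: check an ASP.NET web.config for cookie hardening.
# Hardened form (inside <system.web>):
#   <httpCookies httpOnlyCookies="true" requireSSL="true" />
# Weak / default form: the element is absent, or both attributes are "false".
# Caveat: requireSSL marks cookies Secure, so browsers will not send them over
# plain HTTP; only set it once the site is actually served over SSL.

function Test-CookieHardening {
    param([Parameter(Mandatory = $true)][string]$WebConfigPath)

    [xml]$config = Get-Content -Path $WebConfigPath -Raw

    # Element names containing a dot must be quoted in PowerShell's XML adapter.
    $httpCookies = $config.configuration.'system.web'.httpCookies

    $findings = @()
    if ($null -eq $httpCookies) {
        $findings += 'No <httpCookies> element: ASP.NET defaults leave both flags off.'
    } else {
        if ($httpCookies.GetAttribute('httpOnlyCookies') -ne 'true') {
            $findings += 'httpOnlyCookies is not "true": page script can read session cookies.'
        }
        if ($httpCookies.GetAttribute('requireSSL') -ne 'true') {
            $findings += 'requireSSL is not "true": cookies may be sent over plain HTTP.'
        }
    }
    return $findings
}

# Placeholder path; substitute the web.config of the SharePoint web application's IIS site.
$webConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'

$result = Test-CookieHardening -WebConfigPath $webConfig
if ($result.Count -eq 0) {
    Write-Output "OK: $webConfig sets httpOnlyCookies and requireSSL"
} else {
    Write-Output "Findings for ${webConfig}:"
    $result | ForEach-Object { Write-Output "  - $_" }
}
```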
