RE: secure sharepoint 2010 design

["Boyd, Chad" <CBoyd () madden com>]

When designing any web portal or outward facing system, it's always a good idea to segment your front ends from your 
back ends.

In my experience, you should look in to:

With a basic SharePoint setup, you should have at minimum two servers.
- The Web Front End - This should be segmented from the network in a DMZ. It's also a good idea to put this behind your 
outward facing proxy, like ISA. Make sure that your backend systems like your DC's, WSUS, and AV systems can 
communicate with these correctly.

- The backend, or database services. We have a separate network segment for database servers and are able to finely 
control which web front ends (and everything else for that matter) can access the database servers. I consider this a 
second DMZ (of sorts), because these systems don't need to be fully open to every user on your network either.

- You should also ensure that each separate service (content access, search services, setup account, etc.) runs under 
different usernames with very strong passwords (at least 9 characters, at least 1 upper case, 1 lower case, 1 number, 1 
special character, no 1337 speak, no common words, random).

- Once your WFE is set up, you should also make sure that you have a good SSL cert on there.

- Also, you should make a small change to your web.config file on the WFE: in your system.web section, above the 
membership provider, I put <httpCookies requireSSL="true" httpOnlyCookies="true" />
The httpCookies element supports the use of HttpOnly cookies. HttpOnly cookies (cookies with the HttpOnly attribute) 
were introduced in Internet Explorer 6 to help mitigate the risk of cross-site scripting. The HttpOnly attribute 
prevents cookies from being accessed through client-side script. Any information contained in an HttpOnly cookie is 
less likely to be disclosed to a hacker or a malicious Web site. From here: 
http://msdn.microsoft.com/en-us/library/system.web.configuration.httpcookiessection.httponlycookies.aspx
While the "help.aspx XSS" vulnerability doesn't affect 2010, setting this may mitigate a future 
attack....possibly...couldn't hurt.

While I know that this is a bit more than most organizations tend to do, it's just my two cents.


Also, for all Web Front Ends, make sure you are hardening your systems. NIST has some great guides, as does the NSA 
(which I use). Links below.
NIST - Guidelines on securing public web servers -  
http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf
NSA - Database Configuration - http://www.nsa.gov/ia/guidance/security_configuration_guides/database_servers.shtml
NSA - Server 2003 Security Guides - 
http://www.nsa.gov/applications/search/index.cfm?q=Microsoft%20Windows%20Server%202003 Almost all of the configuration 
items here still hold for 2008.


Wow, that's a lot. If you need any help on this, let me know.



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Paul Johnston
Sent: Monday, August 02, 2010 4:15 AM
To: security-basics () securityfocus com
Subject: Re: secure sharepoint 2010 design

Hi,

The question I would ask is: do existing similar systems in your company have a dedicated, firewalled network?

I think you'll find that somewhat more critical systems (e.g. your domain controllers) currently sit on the same 
network as all your workstations. While there is a security benefit in firewalling sharepoint, it's a bit moot if more 
critical systems are not firewalled.

Paul


> just wondering if anyone here has been involved with designing 
> sharepoint 2010 or earlier version from ground up.
> the consulting people we have working on this are MS or sharepoint 
> people from third party and all seem to think that it's ok to leave 
> your whole sharepoint environment open to corporate lan.  according to

--
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------