Welcome to CLUB SHAREPOINT FRANCE

Microsoft Office SharePoint Server 2007 - SHAREPOINT 2010

25 Tips to Lockdown Your SharePoint Environment

Joel Oleson

I was preparing for a TechReady (internal Technical Readiness conference) presentation, and for my advanced deployment presentation I really needed to beef it up. Here's a list I put together for a few lockdown slides. This is not meant to be fully comprehensive, but to get you started down the right track. Not all of these may apply.


1. Configure firewall rules: lock down to the most restrictive set that still gives an acceptable level of usability (e.g. outbound HTTP)

2. Secure client communication with trusted SSL certificates (128-bit HTTPS)

3. Use IPSEC Require mode between servers (via policy), especially for secure communication between servers and DCs. * Be careful with NLB. You can also do this on your intranet with Request mode; I recommend not using client Require mode for non-Windows and legacy clients (Mac/Unix/Win 98)

4. Enable Kerberos authentication (intranet) * Careful with NLB

5. SQL: SSL-encrypted traffic plus a non-standard port

6. Configure Central Admin on public Internet-facing farms on a non-routable IP (e.g. on the Index Server). Configure two-factor and double-hop access, i.e. two-factor authenticated VPN to a Terminal Server, then to the administration server to administer the farm, with specific IP rules for the TS box.

7. Restrict IP traffic on the Central Admin and SSP app pools (IIS)

8. Configure Deny policies (for non-authorized users) on content and admin web apps for the applicable groups/domains, and configure a Deny policy for server admins on all web apps (use dedicated non-privileged accounts for administration of the SharePoint farm)

9. Configure ISA secure publishing (or reverse hosting); this is better than router ACLs because it rejects invalid requests and verbs

10. Configure at least one DMZ, i.e. two or more firewalls/interfaces between the corporate network and the publicly addressable Internet (ISA 2006 recommended)

11. Test and run the Windows Server R2 SCW (Security Configuration Wizard) with a custom template

12. Consider alternatives to Basic authentication over SSL, such as SSL with forms-based authentication (FBA) and expiring cookies

13. Configure and enforce auditing policies on site collections (via solution deployment and a timer job), and enable WSS and MOSS usage reporting

14. Remove unused server-side extensions (e.g. ASP, HTA, IDX) and unused .NET extensions and verbs (e.g. DEBUG)

15. Disable the web services that are not used, e.g. on the SSP and Central Admin

16. Ensure that all authentication traffic between the DCs and the servers is secured (IPSEC)

17. Ensure inbound e-mail services are configured for authenticated users only, and lock down SMTP outbound traffic to allow only specific IPs

18. Stop unused services (this will require testing)

19. Configure site collection quotas

20. Extend the blocked file types list to include non-approved content

21. Install antivirus protection (FrontBridge recommended, with inbound scanning and, at a minimum, a regular scan of all content; filter content as well)

22. Monitor for suspicious activity and review the number of failed login attempts in the Security logs. Use Black Ice or other intrusion detection software on all servers in the farm, with reporting and alerting
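As an added example (not part of the original post), a small detector for the failed-login review in tip 22: it parses a constructed export of Windows Security log lines (Event ID 4625 is the Windows Server 2008 "account failed to log on" event; the CSV layout and account/IP values are made up here) and flags account/source pairs that accumulate a burst of failures inside a sliding time window, which is the pattern a password-guessing attempt against a service or admin account leaves behind.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp, event ID, account name, source address.
# 4625 = failed logon, 4624 = successful logon (Windows Server 2008 event IDs).
SAMPLE_LOG = """\
2007-03-14 06:00:01,4625,svc_spfarm,10.0.0.25
2007-03-14 06:00:05,4625,svc_spfarm,10.0.0.25
2007-03-14 06:00:09,4625,svc_spfarm,10.0.0.25
2007-03-14 06:00:12,4625,svc_spfarm,10.0.0.25
2007-03-14 06:00:15,4625,svc_spfarm,10.0.0.25
2007-03-14 06:01:00,4624,jsmith,10.0.0.40
2007-03-14 06:02:00,4625,jsmith,10.0.0.40
2007-03-14 06:30:00,4625,jsmith,10.0.0.40
2007-03-14 06:59:00,4625,jsmith,10.0.0.40
2007-03-14 07:20:00,4625,jsmith,10.0.0.40
2007-03-14 07:40:00,4625,jsmith,10.0.0.40
"""


def parse_events(text):
    """Turn the CSV export into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), account.strip(), source.strip()))
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(account, source): peak count} for every pair whose number of
    4625 events inside any sliding window of length `window` reaches
    `threshold`. Successful logons and other event IDs are ignored, so a user
    who mistypes a password a few times an hour does not trigger an alert."""
    recent = defaultdict(deque)   # per (account, source): failure timestamps in window
    alerts = {}
    for ts, event_id, account, source in sorted(events):
        if event_id != 4625:
            continue
        key = (account, source)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


if __name__ == "__main__":
    for (account, source), count in failed_logon_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {count} failed logons for {account} from {source} within 10 minutes")
```

With the defaults only the service account hammered five times in 14 seconds is reported; jsmith's five failures spread over 100 minutes stay below the threshold unless the window is widened.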

23. Lock down SSC (Self-Service Site Creation) to a few trusted support/service groups

24. Run services under domain accounts, and run the SSP and Central Admin under different service accounts (ensure these accounts have no special rights)

25. Lock down SQL using the relevant lockdown/hardening guides, and remove the server admin role and rights


 

This page was last modified on Wednesday, March 14, 2007 06:04:42