SharePoint Sharpener

Obsessively Sharpening SharePoint

Hardening Your MOSS 2007 WCM Application

with 4 comments


This is a re-post of a still relevant post from my old blog at SharePointBlogs.com:

Today Last year at the SharePoint Conference in Berlin, Ben Robb of cScape Ltd gave a talk about configuring internet-facing web sites running MOSS 2007/WCM.

He brought up some interesting points about securing the application against unauthorised content editing and attacks from hackers.

Make sure your installation check list contains a least the following items:

1. Enable firewalls and standard network security
Fairly standard stuff, but necessary all the same.

2. Disable SMTP and incoming mail
In essence, you shouldn’t be running services on the server that aren’t necessary for MOSS. Also, close any ports that MOSS doesn’t need.

3. Secure the Central Administration site
Surprisingly, it is very common to leave this entry point wide open. The admin site should be accessible only via an SSL connection .

4. Use lockdown mode
Use this stsadm command to activate lockdown mode:
stsadm –o activatefeature –url <url> -filename ViewFormPagesLockdown\feature.xml
Read more about ViewFormPagesLockdown.

5. Restricted reader role
The anonymous user should have a restricted reader role which only enables viewing of pages, documents and images.

6. Policies
Constrain the maximum access per web application and deny all write access via http://sitename:80.

7. Content deployment
Use different servers for authoring and the actual internet-facing web application. Content generated on the authoring server (typically within the intranet) should be pushed out to the public site using scheduled content deployment jobs.

To many administrators the above bullets merely point out the obvious and do feel free to leave comments if you have any additions to the list.

Thanks to Ben Robb for providing 99% of the info for this post.

Advertisements

Written by Thomas Sondergaard

February 18, 2009 at 9:54 am

4 Responses

Subscribe to comments with RSS.

  1. I’m Nigel Tomm, thanks for info.

    Nigel Tomm

    February 18, 2009 at 11:19 am

  2. SharePoint Link Love 20-Feb-2009…

    Kristian Kalsing: EP/MOSS portal technology strategi ……

  3. Lock down NTLM access for internet zone by removing any access to login.aspx

    That could be an ISA rule or just a script that removes integrated and anonymous access to that file in LAYOUTS

    You would be surprised how many high profile MOSS sites out there that will give you a NTML login prompt to play with 🙂

    Anders Rask

    February 23, 2009 at 11:07 pm

  4. Hi Thomas, this is really helpful thanks. I’ll be looking at this in a bit more detail for a potential project and hadn’t considered many of these.

    msshushu

    March 26, 2009 at 11:35 pm


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: