SharePoint Lockdown – The Easy Way
If you have been tasked with securing SharePoint, there are a lot of considerations to take into account. How do users authenticate? Does part of your farm live in an extranet or DMZ? How do you secure user-to-server communications? How do you secure server-to-server communications? How do you scan for viruses? How do you harden the servers in the farm?
While I cannot answer all of those questions in a single post (the Roadmap to security content for Office SharePoint Server 2007 is a great place to start), I can give you a HUGE leg up on the last question. How do you harden servers in a SharePoint farm? There are a ton of dependencies (on IIS, on SQL, on TCP/IP, potentially on IPSEC, etc) and it is very easy to miss a setting or misconfigure something that will break functionality.
Fortunately, there is a feature that was introduced in Windows Server 2003 SP1 that will make your life much easier…. the Security Configuration Wizard (SCW). In short, the SCW automates the process of hardening SharePoint (or any other type of server) by using security templates that will lock down the server as tight as a drum. Even better, if you choose a wrong setting or somehow break something while configuring security, you can simply un-apply the template and you are back where you started. No more wondering which setting you applied that broke functionality.
The SCW wizard will walk you through configuring settings including:
- Server Roles
- Client Features
- Enabled Services
- Open Ports
- Registry Settings
- Audit Policies
- Anonymous Access
Assuming the generated security policy works well for your needs, it is a simple matter to apply that policy to similar servers (such as all Web Front End servers) in your farm.
The templates used to power the wizard (and generate the security policy) are standard XML files that store all the settings specific to a given component. The SharePoint template, for example, specifies what services SharePoint requires, what ports, that it has a dependency on IIS and ASP.NET, etc. To begin, download the Security Configuration Wizard Manifest for Microsoft Windows SharePoint Services 3.0 here:
If you open up the file, you can see everything that will be configured by applying the template.
The Security Configuration Wizard is not enabled by default, so stop by the Add/Remove Programs control panel, click on “Windows Components” and check the appropriate box.
Once installed, SCW will show up under Administrative Tools.
From there on, just follow the steps in the wizard. It will detect the services and roles you have installed, and most of the defaults should work fine. Most of the screen shots are self explanatory, so I’ll let them speak for themselves.
For more information on the Security Configuration Wizard, there is a page up on TechNet with all the information you may need: