Oct 20
SharePoint 2010 Group Policy

To maintain a secure SharePoint 2010 and SQL Server 2008 R2 environment I suggest leveraging Active Directory Group Policy so that rules and security settings are applied at the highest level. Using Group Policy also lets you audit, create, edit, and verify that the proper policies are applied from one location. Most malware, Trojans, bots, spyware, etc. can compromise a system's local integrity and change various local security policies, which can damage services or, worse, compromise your server services. Using Active Directory Group Policy further ensures that the policies you specify in Active Directory are not altered, and if they are, Group Policy will in most cases refresh and reapply the settings that were changed. Since these are applied at the highest level via the domain, you can reasonably rest assured that in most cases local policy changes will be overwritten by Group Policy, because these settings are not local. This is also very useful for controlling who has local rights to interactive sessions on the server, which can be used to set the local admins (farm admins) and disable guest accounts via Group Policy.

Hopefully you now see the value of Group Policy, and if you already use it, now would be a good time to revisit your settings and make adjustments and additions as necessary.

Whenever I deploy a server there are a few default policies I always apply for the overall security health of my environment, which include:

  • Group Policies I suggest you create that apply for all servers
    • If you use Antivirus such as Forefront Endpoint, use a central server and apply settings via GPO
    • Windows Auto Update "OFF" – The last thing you need is every server failing because a Microsoft security patch has broken some special configuration you made to your server farm. Apply patches via WSUS, SCCM, HFNetChkPro or some other tool that gives you live control over patch deployment.
    • Disable Computer Browser – why use it?
    • Disable IPv6! If you are using IPv6, your servers can be accessed from anywhere in the world; there are no good mechanisms to put an IPv6 address on a private network. Use IPv4!!!
    • Disable the guest account – Why have this active?
    • Create a security policy to only allow log on locally for the Administrators – This is a must to secure your servers in the event of a compromise
    • I suggest creating an audit policy with at least these settings, which are self-explanatory
      • Local Policies/Audit Policy
        • Audit account logon events: Success, Failure
        • Audit account management: Success, Failure
        • Audit directory service access: Failure
        • Audit logon events: Success, Failure
        • Audit object access: Success, Failure
        • Audit policy change: Success, Failure
        • Audit system events: Success, Failure
      • Event Log
        • Maximum application log size: 1000000 kilobytes
        • Maximum security log size: 1000000 kilobytes
        • Maximum system log size: 1000000 kilobytes
        • Retention method for application log: As needed
        • Retention method for security log: As needed
        • Retention method for system log: As needed
    • Create a policy to allow logging
      • Log dropped packets
      • Log successful connections
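The value of pushing these settings from the domain is that you can also verify them on every server. The script below is an added example (not from the original post) that reads the effective local values of the baseline settings listed above and reports which ones deviate. It assumes an elevated PowerShell (2.0 or later) session on the server, uses the post's own values (the SERVERS_ADMIN local admin group and the 1000000 KB log size) as defaults, and the mapping from the legacy audit categories to auditpol subcategories is my own approximation, so adjust it to your own audit policy.

```powershell
# Added example, not from the original post: check the effective local values of the
# baseline settings listed above and report any that deviate. Assumptions: run in an
# elevated PowerShell (2.0 or later) on the server; SERVERS_ADMIN and the 1000000 KB log
# size are the post's values; the legacy-category-to-subcategory mapping is my approximation.

function Get-AuditSetting {
    # 'auditpol /r' prints CSV; the 'Inclusion Setting' column holds e.g. "Success and Failure"
    param([string]$Subcategory)
    $csv = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ }
    return ($csv | ConvertFrom-Csv).'Inclusion Setting'
}

function Get-DomainProfileValue {
    # pull one "Key   Value" line out of 'netsh advfirewall show domainprofile'
    param([string]$Key)
    foreach ($line in (netsh advfirewall show domainprofile)) {
        if ($line -match "^$Key\s+(\S+)\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

function Get-LocalAdministrators {
    # member names of the local Administrators group via the WinNT ADSI provider
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-ServerBaseline {
    param([string]$ExpectedAdminGroup = 'SERVERS_ADMIN', [int]$ExpectedLogSizeKB = 1000000)

    $guest   = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
    $browser = Get-WmiObject Win32_Service -Filter "Name='Browser'"
    $checks  = @(
        @{ Check = 'Guest account disabled'; Expected = 'True'
           Actual = [string]$guest.psbase.InvokeGet('AccountDisabled') },
        @{ Check = 'Windows Auto Update off (NoAutoUpdate)'; Expected = '1'
           Actual = [string](Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate') },
        @{ Check = 'IPv6 disabled (DisabledComponents = 0xFF)'; Expected = '255'
           Actual = [string](Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents') },
        @{ Check = 'Computer Browser service disabled'; Expected = 'Disabled'
           Actual = [string]$browser.StartMode },
        @{ Check = 'Firewall state (domain profile)'; Expected = 'ON'
           Actual = Get-DomainProfileValue 'State' },
        @{ Check = 'Log dropped packets'; Expected = 'Enable'
           Actual = Get-DomainProfileValue 'LogDroppedConnections' },
        @{ Check = 'Log successful connections'; Expected = 'Enable'
           Actual = Get-DomainProfileValue 'LogAllowedConnections' },
        @{ Check = "$ExpectedAdminGroup in local Administrators"; Expected = 'True'
           Actual = [string]((Get-LocalAdministrators) -contains $ExpectedAdminGroup) }
    )
    # legacy audit category -> one representative auditpol subcategory (assumption; object
    # access spans many subcategories and is left out here)
    $audit = @{ 'Credential Validation' = 'Success and Failure'; 'Logon' = 'Success and Failure'
                'User Account Management' = 'Success and Failure'; 'Audit Policy Change' = 'Success and Failure'
                'Directory Service Access' = 'Failure'; 'Security State Change' = 'Success and Failure' }
    foreach ($sub in $audit.Keys) {
        $checks += @{ Check = "Audit: $sub"; Expected = $audit[$sub]; Actual = Get-AuditSetting $sub }
    }
    foreach ($log in Get-WinEvent -ListLog Application, Security, System) {
        # "Retention: As needed" is LogMode Circular; the size is stored in bytes
        $checks += @{ Check = "$($log.LogName) log size (KB)"; Expected = "$ExpectedLogSizeKB"
                      Actual = [string]($log.MaximumSizeInBytes / 1KB) }
        $checks += @{ Check = "$($log.LogName) log retention"; Expected = 'Circular'
                      Actual = [string]$log.LogMode }
    }
    foreach ($c in $checks) {
        New-Object PSObject -Property @{ Check = $c.Check; Expected = $c.Expected
                                         Actual = $c.Actual; Pass = ($c.Actual -eq $c.Expected) }
    }
}

Test-ServerBaseline | Sort-Object Pass | Format-Table Check, Expected, Actual, Pass -AutoSize
```

Run it after a `gpupdate /force` on a freshly joined server; anything that shows Pass = False is either a setting the GPO does not cover yet or a local change that the policy has not overwritten.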

Below are the more specific policies, with their paths, that I suggest you create at a minimum.

Policy Name

IPSEC SP/SQL Server Encryption

  • Policies
    • Windows Settings
      • Security Settings
        • IP Security Policies on Active Directory
          • Server (Request Security)
            • For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to request.

Policy Name

Windows Firewall: "On"

  • Computer Configuration
    • Policies
      • Windows Settings
        • Security Settings
          • Windows Firewall with Advanced Security
            • Global Settings
              • Domain Profile Settings
              • Firewall state On
    • Administrative Templates
      • Network/Network Connections/Windows Firewall/Domain Profile
        • Windows Firewall: Protect all network connections Enabled


Policy Name

Windows SharePoint Admin Set

  • Computer Configuration (Enabled)
    • Policies
      • Windows Settings
        • Security Settings
          • Restricted Groups
            • Group Members
              • BUILTIN\Administrators "SERVERS_ADMIN"


Software Firewalls
For these settings, assume that your servers are on the same subnet and behind a physical firewall, so that all servers can communicate with each other without the physical firewall preventing access (all ports and protocols open between these servers). I suggest using a physical firewall or proxy server to protect the physical servers, if you don't have one already in place, so that the local NICs' IPs cannot access the internet. Use IPs that are specific to the URL namespace, not the same IP as the server.

For example:

The server IP is 10.1.1.1 and the IP for the website is 192.1.1.1 (private vs. public IP space).

Policy Name

Windows SharePoint CA Firewall: Exception(s)

  • Computer Configuration (Enabled)
    • Policies
      • Administrative Templates
        • Network/Network Connections/Windows Firewall/Domain Profile
          • Windows Firewall: Define inbound port exceptions Enabled
            • Define port exceptions
              • Use a port like 21498:TCP:192.1.1.0/255.255.255.255, 192.1.1.255.255.255.255, 192.1.1.255.255.255.255:enabled:HTTP(S)
                • The 192.1.1.0 entries would be the client machines' IPs that will be accessing Central Administration (CA) via the web.

Policy Name

Windows SharePoint Launcher Service: 8082 Exception

  • Computer Configuration (Enabled)
    • Policies
      • Administrative Templates
        • Network/Network Connections/Windows Firewall/Domain Profile
          • Windows Firewall: Define inbound port exceptions Enabled
            • Define port exceptions
              • Use a port like 8082:TCP:192.1.1.1/255.255.255.255, 192.1.1.1/255.255.255.255, 192.1.1.1/255.255.255.255:enabled:Launcher Service
                • The IPs 192.1.1.1 would be the SharePoint servers that access each other using this port (8082).

Policy Name

Windows SharePoint Launcher Service: 8093 Exception

  • Computer Configuration (Enabled)
    • Policies
      • Administrative Templates
        • Network/Network Connections/Windows Firewall/Domain Profile
          • Windows Firewall: Define inbound port exceptions Enabled
            • Define port exceptions
              • Use a port like 8082:TCP:192.1.1.2/255.255.255.255, 192.1.1.2/255.255.255.255, 192.1.1.2/255.255.255.255:enabled:HTTP(S)
                • The IPs 192.1.1.1 would be the SharePoint servers that access each other using this port (8093).

SQL Policies

  • You will also want to create policies for port exceptions to and from the SharePoint servers for ports such as 1434 (default SQL port), and for the server admins' access, as previously shown for the SharePoint servers.
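Every exception above, and the SQL ones in this section, is one `port:transport:scope:status:name` string, and a typo in that string silently opens the wrong port or scope. The following is an added example (not from the original post) that builds those strings from their parts, validates an existing string, and checks that the port in it matches the port the policy is meant to open; the last call runs that check on the string listed under the 8093 policy above. Assumptions: the GroupPolicy module (RSAT) is available for the optional `-GpoName` write, the registry key named in the code is, to my knowledge, where the "Define inbound port exceptions" setting stores its entries, and the sample values are the post's own.

```powershell
# Added example, not from the original post: build and validate the
# "port:transport:scope:status:name" entries used by "Define inbound port exceptions".
# Assumptions: GroupPolicy module present for Set-PortExceptionInGpo; the registry key
# below is where that setting keeps its entries (my understanding of the ADMX);
# the sample values are the post's own. The name field must not contain a colon.

function New-PortExceptionString {
    param([int]$Port, [ValidateSet('TCP','UDP')][string]$Transport,
          [string[]]$Scope, [string]$Name, [bool]$Enabled = $true)
    $status = if ($Enabled) { 'enabled' } else { 'disabled' }
    return '{0}:{1}:{2}:{3}:{4}' -f $Port, $Transport, ($Scope -join ','), $status, $Name
}

function Test-IPv4Scope {
    # accepts '*', 'localsubnet', 'a.b.c.d' or 'a.b.c.d/mask' (dotted-quad mask or prefix length)
    param([string]$Entry)
    if ($Entry -eq '*' -or $Entry -eq 'localsubnet') { return $true }
    $parts = $Entry -split '/'
    if ($parts.Count -gt 2) { return $false }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    if ($parts.Count -eq 1) { return $true }
    if ($parts[1] -match '^\d{1,2}$') { return ([int]$parts[1] -le 32) }
    $mask = $null
    return ([System.Net.IPAddress]::TryParse($parts[1], [ref]$mask) -and $mask.AddressFamily -eq 'InterNetwork')
}

function Test-PortExceptionString {
    # returns one line per problem found; no output means the entry is well-formed
    param([string]$Entry, [int]$ExpectedPort = 0)
    $fields = $Entry -split ':'
    if ($fields.Count -ne 5) { return "expected 5 colon-separated fields, got $($fields.Count)" }
    $problems = @()
    $port = $fields[0] -as [int]
    if (-not $port -or $port -lt 1 -or $port -gt 65535) { $problems += "bad port '$($fields[0])'" }
    elseif ($ExpectedPort -and $port -ne $ExpectedPort) {
        $problems += "port $port does not match the policy's intended port $ExpectedPort"
    }
    if ('TCP','UDP' -notcontains $fields[1].ToUpper()) { $problems += "bad transport '$($fields[1])'" }
    foreach ($s in ($fields[2] -split ',' | ForEach-Object { $_.Trim() })) {
        if (-not (Test-IPv4Scope $s)) { $problems += "bad scope entry '$s'" }
    }
    if ('enabled','disabled' -notcontains $fields[3].ToLower()) { $problems += "bad status '$($fields[3])'" }
    if (-not $fields[4]) { $problems += 'empty name' }
    return $problems
}

function Set-PortExceptionInGpo {
    # writes one entry into a GPO; the setting stores each entry as a REG_SZ whose
    # value name and data are both the entry string (assumption about the ADMX key)
    param([string]$GpoName, [string]$Entry)
    if (Test-PortExceptionString $Entry) { throw "refusing to write malformed entry: $Entry" }
    $key = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List'
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $Entry -Type String -Value $Entry | Out-Null
}

# the post's Launcher Service exception, rebuilt from its parts
$launcher = New-PortExceptionString -Port 8082 -Transport TCP -Name 'Launcher Service' `
    -Scope '192.1.1.1/255.255.255.255','192.1.1.1/255.255.255.255','192.1.1.1/255.255.255.255'
$launcher
Test-PortExceptionString $launcher -ExpectedPort 8082      # no output: well-formed

# the entry listed under the 8093 policy above, checked against the port that policy is meant to open
Test-PortExceptionString '8082:TCP:192.1.1.2/255.255.255.255, 192.1.1.2/255.255.255.255, 192.1.1.2/255.255.255.255:enabled:HTTP(S)' -ExpectedPort 8093

# to push a validated entry into a GPO (requires the GroupPolicy module):
# Set-PortExceptionInGpo -GpoName 'Windows SharePoint Launcher Service: 8082 Exception' -Entry $launcher
```

Keep the scope list as tight as the post describes (one host mask per SharePoint server, or the client range for Central Administration); the validator accepts `*` because the setting does, but a wildcard scope turns a port exception into an open port.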

If Group Policy is new to you, just leave a comment and I would be more than happy to help you build these and provide a more in-depth approach.
