25 Tips to Lockdown Your SharePoint Environment

I was preparing for a TechReady (internal Technical Readiness conference) Presentation and for my advanced deployment presentation I really needed to beef it up. Here's a list I put together for a few lockdown slides. This is not meant to be fully comprehensive, but get you started down the right track. All of these may not apply.

1. Configure Firewall Rules lock down to most restrictive w/ acceptable level of usability (i.e. outbound HTTP)

2. Secure client communication with trusted SSL certificates (128bit HTTPS)

3. Use IPSEC Require mode between servers (Policy) Especially for secure communication between servers and DCs * Be careful with NLB. You can do also this on your Intranet with request mode, I recommend not using client require mode for non windows and legacy clients (MAC/Unix/Win 98)

4. Enable Kerberos Authentication (Intranet) *Careful with NLB

5. SQL SSL encrypted Traffic + Non Standard Port

6. Configure Central Admin on public internet facing servers on non routable IP (Index Server) Configure 2 factor and double hop access. i.e. 2 Factor auth VPN to TS to administration server to administer farm with specific IP rules to TS box.

7. Restrict IP Traffic on Central Admin and SSP App Pools (IIS)

8. Configure Deny Policies (Not Auth Users) on Content/Admin Web Apps for Applicable Groups/Domains, configure deny policy for Server Admins on all web apps (use Special non privileged accounts for administration of SharePoint farm)

9. Configure ISA Secure Publishing (or reverse hosting) better than Router ACLs (Rejects Invalid Requests and Verbs)

10. Configure at least 1 DMZ aka 2+ Firewalls/Interfaces between corp and publicly addressable Internet (ISA 2006 Recommended)

11. Test/Run Windows R2 Server SCW (Security Configuration Wizard) (Custom Template)

12. Consider Basic over SSL alternatives… SSL with FBA with Expiring Cookies

13. Configure and enforce Auditing Policies on Site Collections (Solution Deployment & Timer job), Enable WSS & MOSS Usage Reporting

14. Remove unused server side extensions (i.e. ASP, HTA, IDX, etc..) and unused .NET extensions and verbs (Debug)

15. Disable the Web Services that are not used. i.e. SSP & Central Admin

16. Ensure that Any Auth traffic is secured between DC & Servers (IPSEC)

17. Ensure inbound email services are configured for auth users, and lock down SMTP/Outbound to allow only specific IPs

18. Stop unused services (this will require testing)

19. Configure Site Collection Quotas

20. Increase blocked file types to include non approved content

21. Install Antivirus Protection (Recommended FrontBridge with Inbound scanning and regular scan of all at a minimum, filter content as well)

22. Monitor for suspicious activity & Review #Failed Login Attempts Security Logs – Use Black Ice or other intrusion Detection software on all servers in the farm with reporting and alerting

23. Lock down SSC (Self Service Creation) to few trusted Support/Service groups

24. Run service accounts with domain accounts, run SSP and Central admin with different service accounts (ensure these accounts have no special rights)

25. Lock down SQL with relevant lockdown/hardening guides, remove server admin role and rights

TechNet: Plan Security , Plan Server Hardening (Lockdown) - More detail on locking down SQL ports, securing the web services (from the file system), RPC end point for DCOM communication (excellent recommendation), list of SharePoint NT services.

<Update> Came across a few more and a few ideas that I liked...

Configure and/or lock down Excel safe locations. This will give you more control over calc perf.
Consider Extranet Mode (limited UI mode/prevents SOAP interaction and depricates UI)
Remove people picker AD lookups on extranet (stsadm -o setproperty peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode)
Secure LDAPs (636) over SSL
Lock down web services to the service accounts that need them (going to the files on the file system and changing file system security)
Ensure outbound is restricted to only what is needed. Need to consume (outbound) XML web services or RSS feeds?
Configure RPC DCOM server communication end points to static high ports
Ensure Web Front Ends can talk to all Query boxes (even if they are on other web front ends)
Disable Anonymous auth throughout the farm (off by default)
Ensure policy against using authenticated users is well communicated and policed
Thinking about email archiving and email enabled lists... I'd recommend not using it when internet/extranet facing. Configuration allowing anonymous email is in the site collection/list level.
I'd also recommend against anonymous blog comments, there are way too many spammers out there. There isn't any approval mechanism without enabling workflows and there are a lot of potential opportunities for spammers. Overall anonymous contribution scenarios should be highly thought out.
Web Based Forms and Forms Server does have some great scenarios, but if you aren't using it, lock down the anonymous posting services (disabled by default)
Considering SQL auth to the SQL box in a separate locked down area? I'm a long time fan of getting the data/SQL in a separated isolated behind a firewall with no outbound holes and no service from the public DMZ accounts. I think I already mentioned it, but I'm a fan of non standard SQL ports even more than SQL traffic over SSL. If the traffic is bad who cares if it's encypted bad traffic. Maybe I'm not the only one who spent some time with slammer.
Your SharePoint farm should be on Non Routable IPs, which goes to say... not directly in DNS.