SharePoint 2010 MS Best Practices vs CIS Benchmarks

  • Question

  • Does anyone know of a comparison between Microsoft's SharePoint 2010 Best Practices and CIS Benchmarks? Like, does MS address everything in the Benchmark, conflicting recommendations, and do they map it to any industry/government standards (NIST, etc...)?

    It looks like CISecurity.org may only have a benchmark for SharePoint 2007, so a second part of this question is: what features/issues should be addressed while baselining SharePoint 2010 if using the benchmark for SharePoint 2007...assuming a 2010 CIS Benchmark doesn't exist?

    I will be deploying SharePoint 2010 to my extranet to collaborate better with an outside customer; however, it looks like there is limited info for baselining SharePoint 2010.

    - Thanx, Mike in VA

    Thursday, September 6, 2012 1:58 PM

All replies

  • I doubt what you're looking for exists, at least not as published documentation from Microsoft. The Center for Internet Security is an organization whose members provide security recommendations for numerous products. From what I understand a security benchmark is created by a team that reviews the configurations of a product and comes up with recommended guidelines. Microsoft has no obligation to acknowledge these benchmarks exist.

    While Microsoft doesn't usually publicly publish this sort of thing, it's possible this information exists. Remember, they need to win government contracts so they would need to comply with certain standards and be able to prove this through documentation, but getting your hands on this type of information might be difficult unless you can make a business case for needing it. For example, if you were a large government organization or customer looking to implement SharePoint in an extranet, your vendor (a Microsoft partner) or your Microsoft account manager (if you have one) would be able to track this info down (again, assuming it exists).

    That the SharePoint 2007 benchmark was published in 2011 suggests to me that this benchmark process takes a significant amount of time (4-5 years since SharePoint 2007 was released). It's therefore not surprising to me that a SharePoint 2010 benchmark is not available. And while we're here, SharePoint 2013 should be released soon, so a 2010 benchmark won't apply to the latest version.

    As far as official security hardening recommendations go, your best bet is to consult the following TechNet articles:

    Jason Warren
    Infrastructure Architect

    Thursday, September 6, 2012 6:10 PM
  • Jason, thank you. That response was the one I was unfortunately expecting. I searched around and didn't see any mapping between MS' best practices and other industry standards and wanted to post the question on TechNet. I did find the TechNet articles you posted the links for; just not sure how they compare to CIS Benchmarks... I might try and do an analysis over the next couple months (in my copious :) spare time) just to see how they compare.
    Thursday, September 6, 2012 7:24 PM