Securing RRS feed

  • Question

  • We are in the process of securing our environment so we are running vulnerability scans on the SharePoint servers. Below is the vulnerability we are receiving and the recommendation is to secure the file. Unfortunately this file seems to be a virtual file so we are unable to secure it. We are using SharePoint 2010 SP1 and IIS 7.5. Any recommendations?

    The file "_vti_inf.html" was retrieved. This file contains basic configuration information for the Web server FrontPage Extensions.

    Tuesday, September 30, 2014 8:53 PM

All replies

  • Hi Scott, I would recommend not to secure the file because the functionality that depends on this file will stop working. See any dependencies on the file and check if any issues with it to secure first.

    Anil Avula[MCP,MCSE,MCSA,MCTS,MCITP,MCSM] See Me At: http://expertsharepoint.blogspot.de/

    Wednesday, October 1, 2014 4:01 AM
  • Vulnerability scans from 3rd party products need to be evaluated for accuracy, capabilities, and so on. Their suggestions should not be blanket-implemented, as you may break the product, or you may put yourself out of support for the vendor of the product.

    You should not be modifying security directly on files within the 14 hive, etc.


    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, October 1, 2014 4:13 AM
  • Hi Trevor, 

    The "_vti_inf.html" file does not actually reside in the 14 hive and seems to be a virtual file rendered when necessary. 

    I am hoping via this forum to determine if this file does in fact need to be secured as recommended and, if not, then provide documentation as to why it cannot or should not be secured. Any suggestions would be appreciated.

    Wednesday, October 1, 2014 3:54 PM
  • In order to get the "cannot/should not", you would need to raise a PSS case with Microsoft. SharePoint has its own mechanism to secure the farm (with regards to permissions). This generally is not documented (e.g. ACLs are not documented). 3rd party scanning software is generally unaware of SharePoint, its requirements, and so forth. If you're unable to ascertain a specific vulnerability, then there is no actionable item. If you can identify a specific vulnerability, then it should be reported to the Microsoft Security Response Center.

    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Marked as answer by Victoria Xia Monday, October 6, 2014 9:48 AM
    Wednesday, October 1, 2014 8:16 PM