In this post I will share how to secure SharePoint public site and follows the recommendation of OWAPS Top Ten. OWASP Top Ten is a powerful awareness document for web application security. It represents a broad consensus about what the most critical web application security flaws are.
The goal here is to apply the changes to SharePoint standard installation as minimal as possible, so that the security rules will be applied independently.
So let’s start to see standard SharePoint deployment, where user will access Web Front End of the farm.
By default, the response from SharePoint WFE will contains lot of header that shows too much information about the server, version etc.
As we can see in the example above, it reveals following information:
- IIS Server is using IIS 8.5
- AspNet version 4.0.30319
- SharePoint version 15.0.4849
Without changing default SharePoint installation, how can we sanitize all response header information and make our SharePoint server secure? See in part 2.