OWASP Top Ten to Secure SharePoint Public Site (Part 2)
In part 1, I elaborated on the challenge in the SharePoint default configuration and on the default response headers produced by the WFE. In part 2, I will show how to clean the response headers and add an additional layer of protection.

Starting from a standard SharePoint deployment, we add a reverse proxy that acts as the medium between the user (external client) and the SharePoint farm. Our diagram therefore changes as follows:

In computer networking, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as if they originated from the proxy server itself. In this configuration the reverse proxy retrieves resources from the SharePoint farm on behalf of the client. It can also act as a load balancer, as an application firewall protecting against DDoS or DoS, and much more. In our scenario, the reverse proxy is responsible for the following tasks:
- Redirect requests that clients send to the publicly known DNS name to the internal host name and port
- Sanitize every response coming from the internal network
- Hide the SharePoint farm from direct exposure to the Internet
The reverse proxy can be an appliance-based or a software-based reverse proxy. For example, we can use NGINX, F5 or even IIS. In part 3, we will discuss how to configure IIS as a reverse proxy to protect the SharePoint server.
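As an added illustration of the three tasks listed above (it is not configuration from this post or from any of the products named), the following NGINX server block forwards the public name to an internal WFE, strips the informational headers a SharePoint WFE typically sends, and adds a few protective headers. The public name `portal.example.com`, the internal host `sp-wfe01.corp.local:8080` and the certificate paths are assumed placeholders; the header names being hidden are the ones a default SharePoint WFE is commonly seen to emit, not a list taken from part 1.

```nginx
# Added example (not from the original post): NGINX as reverse proxy in front of a SharePoint WFE.
# Names, ports and paths below are placeholders for your own environment.
server_tokens off;                      # do not advertise the NGINX version in the Server header

server {
    listen 443 ssl;
    server_name portal.example.com;     # publicly known DNS name (assumed)

    ssl_certificate     /etc/nginx/tls/portal.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/portal.example.com.key;   # placeholder path

    location / {
        # Task 1: forward the public request to the internal host name and port (assumed values)
        proxy_pass http://sp-wfe01.corp.local:8080;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Rewrite Location/Refresh headers that still point at the internal name
        proxy_redirect http://sp-wfe01.corp.local:8080/ https://portal.example.com/;

        # Task 2: sanitize the response - drop headers that reveal the platform
        proxy_hide_header Server;
        proxy_hide_header X-Powered-By;
        proxy_hide_header X-AspNet-Version;
        proxy_hide_header MicrosoftSharePointTeamServices;
        proxy_hide_header X-SharePointHealthScore;
        proxy_hide_header SPRequestGuid;
        proxy_hide_header X-MS-InvokeApp;

        # Additional layer of protection for browsers
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
    }
}
```

Task 3 (hiding the farm) is a network decision rather than a directive: only the proxy's listener is published to the Internet, and the WFE accepts traffic from the proxy address alone. After deploying, compare the response headers seen from outside with those seen directly on the WFE to confirm that every `proxy_hide_header` entry is actually gone; `Server` in particular is still present but reduced to `nginx` because `server_tokens off` hides only the version.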