CIS compliancy: SharePoint

  • Last update on September 27th, 2024

Sensitive SharePoint sites should adjust their default sharing settings to those best aligning to their sensitivity level

SharePoint allows sharing with users who are outside the agency, which is convenient but may pose a data loss or other information security risk. This working group recommends outside of the default organizational settings agencies should evaluate each created site and adjust sharing settings best aligned to their respective sensitivity level.

To limit external sharing by domain, in the SharePoint admin center:

  1. Select “Sites”.
  2. Select “Active sites”.
  3. Select “Site name”.
  4. Select “Add domains”.
  5. Select “Policies”.
  6. Under external sharing, select “Edit“.
  7. Select permissions aligning to the risk posture associated with the sensitivity of the SharePoint site.
  8. Select “Save”.
 
 

Users shall be prevented from running custom scripts

Allowing users to run custom scripts can potentially allow malicious scripts to run in a trusted environment. For this reason, running custom scripts should not be allowed. Note that this is a legacy setting and is set to deny the running of custom scripts by default.

In the SharePoint Classic admin center:

  1. Scroll to the Custom Script setting and select both of the following:
    1. Prevent users from running custom script on personal sites. 
    2. Prevent users from running custom script on self-service created sites.