Sensitive SharePoint sites should adjust their default sharing settings to those best aligning to their sensitivity level
SharePoint allows sharing with users outside the agency, which is convenient but can create a data loss or other information security risk. Beyond the default organization-wide settings, this working group recommends that agencies evaluate each site they create and adjust its sharing settings to match that site's sensitivity level.
- For comprehensive guidance on securing SharePoint Online, refer to the article Managing SharePoint Online Security: A Team Effort on Microsoft Learn.
To limit external sharing by domain, in the SharePoint admin center:
- Select “Sites”.
- Select “Active sites”.
- Select “Site name”.
- Select “Add domains”.
- Select “Policies”.
- Under external sharing, select “Edit”.
- Select permissions aligning to the risk posture associated with the sensitivity of the SharePoint site.
- Select “Save”.
Users shall be prevented from running custom scripts
Allowing users to run custom script gives malicious scripts a way to execute within a trusted environment, so running custom script should not be allowed. Note that this is a legacy setting and that it denies custom script by default.
- For guidance on how to manage custom scripts, see the article Allow or prevent custom script - SharePoint in Microsoft 365 on Microsoft Learn.
In the SharePoint Classic admin center:
- Scroll to the Custom Script setting and select both of the following:
  - Prevent users from running custom script on personal sites.
  - Prevent users from running custom script on self-service created sites.
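Both settings described above (restricting a site's external sharing to specific domains, and preventing custom script) can also be applied and verified per site from the SharePoint Online Management Shell, which is useful when a large number of sensitive sites must be reviewed. The following is an added example and is not part of this guidance or of Microsoft's documentation; the tenant name, site URL and allowed domain are placeholders to replace with your own values.

```powershell
# Added example: apply and verify per-site sharing and custom-script controls
# with the SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell).
# <tenant>, the site URL and the allowed domain below are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

$SiteUrl        = "https://<tenant>.sharepoint.com/sites/SensitiveProject"  # placeholder
$AllowedDomains = "partner.example.gov"  # placeholder: only external domain this site may share with

# 1. Restrict external sharing on the site itself rather than relying on the
#    tenant default. SharingCapability values: Disabled,
#    ExistingExternalUserSharingOnly, ExternalUserSharingOnly,
#    ExternalUserAndGuestSharing (the last permits anonymous "Anyone" links).
Set-SPOSite -Identity $SiteUrl `
    -SharingCapability ExternalUserSharingOnly `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList $AllowedDomains

# 2. Prevent custom script on the site. $true is the "prevent" state.
Set-SPOSite -Identity $SiteUrl -DenyAddAndCustomizePages $true

# 3. Read the settings back so the result can be kept as evidence of the control.
$site = Get-SPOSite -Identity $SiteUrl -Detailed
$findings = @()
if ($site.SharingCapability -eq "ExternalUserAndGuestSharing") {
    $findings += "anonymous 'Anyone' links still permitted"
}
if ($site.SharingDomainRestrictionMode -ne "AllowList") {
    $findings += "external sharing not restricted to an allow list"
}
if ($site.DenyAddAndCustomizePages -ne "Enabled") {
    $findings += "custom script still allowed"
}
if ($findings.Count -eq 0) {
    Write-Output "$SiteUrl : compliant"
} else {
    Write-Output "$SiteUrl : $($findings -join '; ')"
}
```

Running step 3 on its own against each active site (for example by piping `Get-SPOSite -Limit All`) gives a quick inventory of sites whose sharing settings have drifted from their intended sensitivity level.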