• Use a layered approach to security, with more than one mechanism in place to deter attackers.
• After validating in a prototype environment, use the latest patches and updates on SharePoint servers to further protect the server against attack.
• Use the Microsoft Baseline Security Analyzer (MBSA) tool to verify the security of SharePoint servers.
• Use Secure Sockets Layer (SSL) certificates on any SharePoint traffic that traverses a public network such as the Internet.
• Use an internal Public Key Infrastructure (PKI) deployment with Active Directory Certificate Services to generate SSL certificates for SharePoint if third-party certificates are not being used.
• Physically secure SharePoint servers behind locked doors and in secure locations.
• Strongly consider using IPsec to encrypt traffic between SharePoint servers.
• Use MBSA to audit the security of SharePoint servers.
• Turn on SQL auditing so that failed login attempts, or potentially all access, are audited.
• Design SharePoint with isolation approaches to security in mind.
• Use server security templates to harden the Windows Server operating system that SharePoint runs on, but test the security settings in advance.
• Restrict login access to SharePoint servers.
• Consider the use of PKI smartcards for user authentication to SharePoint.
• Consider the use of VPNs to secure remote access to internal SharePoint sites from the Internet.
• Limit anonymous access to SharePoint farms that do not contain any proprietary information.
• Limit console logins on SharePoint servers to select administrators.
• Enable password and account lockout policies on SharePoint servers.
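The SQL auditing bullet above names two levels of coverage: failed login attempts, or potentially all access to the content databases. The T-SQL below is an added example, not part of the original checklist or any Microsoft-supplied script, showing both levels with SQL Server Audit. The audit and specification names, the file path D:\SQLAudit\ and the content database name WSS_Content are placeholders; SQL Server Audit requires an edition that supports it (Enterprise on older releases, all editions for server-level audit on recent ones).

```sql
-- Added example (not from the original text): SQL Server Audit for a
-- SharePoint back end. Names and paths below are placeholders.
USE master;
GO

-- 1. Audit target: file-based. ON_FAILURE = CONTINUE keeps the content
--    databases available if the audit disk fills; choose SHUTDOWN only if
--    losing audit records is worse than an outage, and test that first.
CREATE SERVER AUDIT SharePointSecurityAudit
TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. Server-level specification: failed logins ("failure attempts"), plus
--    password changes, server role membership changes and changes to the
--    audit itself, so tampering with the audit is itself recorded.
CREATE SERVER AUDIT SPECIFICATION SharePointServerAuditSpec
FOR SERVER AUDIT SharePointSecurityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- 3. Optional database-level specification: every SELECT/INSERT/UPDATE/
--    DELETE against a content database ("potentially all access").
--    This is high volume on a busy farm; size MAXSIZE and rollover for it.
USE WSS_Content;   -- placeholder content database name
GO
CREATE DATABASE AUDIT SPECIFICATION SharePointContentAccessSpec
FOR SERVER AUDIT SharePointSecurityAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON DATABASE::WSS_Content BY public)
WITH (STATE = ON);
GO

-- 4. Switch the audit on and confirm it is actually running.
USE master;
GO
ALTER SERVER AUDIT SharePointSecurityAudit WITH (STATE = ON);
GO
SELECT name, status_desc, audit_file_path
FROM sys.dm_server_audit_status;
GO

-- 5. Review failed logins from the audit files (action_id LGIF = login failed).
SELECT event_time, server_principal_name, succeeded, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
ORDER BY event_time DESC;
GO
```

Start with step 2 alone and confirm the file path, rollover and disk usage are acceptable before enabling the database-level specification in step 3; the failed-login query in step 5 is the one worth scheduling, since a burst of LGIF rows against the SharePoint service accounts is the signal the bullet is asking for.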