Question

I have a new SharePoint site with anonymous access enabled and plan for it to be published over the internet.

I have heard that anonymous access is very risky and exposes you to attacks. Is that correct?

Could you please tell me how I can protect the SharePoint site from attacks?

Any thoughts?


Solution

By default, SharePoint is secure! Generally, your farm should be up to date with the security fixes that are bundled with the MU or the CU.

Sharegate wrote a good article, How to make SharePoint Secure, which is summarized as follows:

  • Run the Microsoft Security Assessment Tool & Best Practice Security Analyzer Tool from Microsoft
  • Only enable the required Windows Services where you need them.
  • Only enable the required SharePoint Services where you want them to run.
  • Create multiple Service Accounts that do not have Domain or Server Administration Permission
  • Use DNS URLs, not Server name for access
  • Only use known ports for access, such as 80 or 443, then control access via Firewalls
  • Do not disable the Windows Server Firewall
  • Utilize the “ViewFormPagesLockdown” feature
  • Protect external entry points via firewall rules
  • Allow Permissions only at the levels where needed: Farm, Service, Web, Site Collection, Site, and Content.

Also check the below good references

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange
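
As an added example (not part of the original answer or the Sharegate article), the following sketch activates the ViewFormPagesLockDown feature from the list above and reports what anonymous users can still reach in each web. It assumes the SharePoint Management Shell on an on-premises farm server; `$SiteUrl` is a placeholder.

```powershell
# Added example: assumes the SharePoint Management Shell on a farm server.
# $SiteUrl is a placeholder, not a value from the page.
param([string]$SiteUrl = 'https://www.example.com')

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The feature is scoped to the site collection. Get-SPFeature -Site returns
# it only when it is already activated there, otherwise it raises an error.
$lockdown = Get-SPFeature -Identity ViewFormPagesLockDown -Site $SiteUrl -ErrorAction SilentlyContinue
if (-not $lockdown) {
    Enable-SPFeature -Identity ViewFormPagesLockDown -Url $SiteUrl
    Write-Host "Activated ViewFormPagesLockDown on $SiteUrl"
}

$site = Get-SPSite -Identity $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            # AnonymousPermMask64 is a flags enum; ToString() lists the
            # individual rights as comma-separated names.
            $rights = $web.AnonymousPermMask64.ToString() -split ',\s*'
            [pscustomobject]@{
                Web                  = $web.Url
                AnonymousState       = $web.AnonymousState
                UniquePermissions    = $web.HasUniqueRoleAssignments
                AnonCanViewFormPages = $rights -contains 'ViewFormPages'
                AnonCanUseRemoteAPIs = $rights -contains 'UseRemoteAPIs'
            }
        }
        finally {
            $web.Dispose()   # SPWeb objects from AllWebs must be disposed
        }
    }
}
finally {
    $site.Dispose()
}

# Webs where anonymous access is on and form pages or remote APIs are still
# reachable are the ones to review first.
$report | Sort-Object Web | Format-Table -AutoSize
```

If a web that already had anonymous access enabled before the feature was activated still shows `AnonCanViewFormPages` as true, turning anonymous access off and back on for that web reapplies the anonymous permission mask.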