[2 minutes] “Application platform” includes custom development, Project Server, SAP Duet, FAST Search, TFS.
[2 minutes] On one of my first SharePoint assessments, a major firm I was working with had no idea how much data or what kinds of data they had, how many users they had, or how permissions were configured. They estimated a couple thousand people had access to SharePoint. It turned out over 22,000 did.
[3 minutes] The farm configuration wizard creates some security gaps by default.
[5 minutes] Unless the site lockdown feature is activated, standard SharePoint endpoints stay reachable and make data discovery easy: /Forms/AllItems.aspx on any library, /_layouts/viewlsts.aspx, and /_vti_bin/sites.asmx.
[2 minutes] SharePoint people search results have no form of security trimming: if a user can see any people results, they can see them all.
[2 minutes] Too often, SharePoint site owners rely on obfuscation or audience targeting to try to secure content.
[2 minutes] The InfoPath Forms Services web service proxy caches credentials, allowing subsequent users to impersonate preceding users if it is accessed directly.
[3 minutes] SharePoint Designer backups are exported to the root of your SharePoint site as unencrypted CMP (content migration) packages.
[3 minutes] SharePoint 2010 added a new response header, X-SharePointHealthScore (shortened to “X-HealthScore” on the slides), so that Office clients can back off when the server is under load; on public sites it advertises server load to anyone. All SharePoint versions reveal their version number in the MicrosoftSharePointTeamServices header by default.
[2 minutes] MOSS 2007 builds earlier than the August 2009 update have a cross-site scripting bug in the help pages that allows injection of arbitrary script.
Securing the SharePoint Platform
Bert Johnson
SharePoint Architect and MCM - PointBridge
About PointBridge
By The Numbers:
Founded in 2004
250+ SharePoint projects
350,000+ hours of SharePoint experience
30,000+ monthly blog hits
2010 Microsoft Midwest District Award for Best Customer Experience
2009 Microsoft Central US Partner of the Year
2009 SharePoint Conference Award: Multi-Solution Capability
2008 Global Partner of the Year finalist: Citizenship
2007 Microsoft US Partner of the Year: SharePoint
One of 35 Microsoft National Systems Integrators
One of 15 members of Microsoft Partner Advisory Council for SharePoint
Agenda
The Importance of SharePoint Security
Facets of SharePoint Security
Resources
Q & A
What is SharePoint?
SharePoint is:
“A site-provisioning engine”
No really, SharePoint is:
A website
A series of databases
An application platform
SharePoint touches:
Your network
Your Active Directory
Your LOB systems
SharePoint is a platform with a large attack surface
SharePoint is Everywhere
Over 20,000 new SharePoint seats have been added every day for 5 years
Over 1,500 high-profile websites on SharePoint
SharePoint is becoming increasingly “business critical”
SharePoint is commonly used for:
Intranets
Extranets
Internet sites
Application platforms
Types of Security Threats
Threats we’re going to explore today:
Data disclosure / theft
Data loss
System downtime
Types of attacks:
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Clickjacking
Privilege escalation
“Man in the middle” / replay attacks
SQL injection
If it’s a threat to other websites or databases, it’s a threat to SharePoint
Software Security in the News (2011)
March 17 – RSA SecurID compromised
March 24 – Comodo security breach
April 4 – Epsilon data leak
April 12 – Largest Microsoft Patch Tuesday
April 20 – PlayStation Network hack
May 30 – LulzSec (PBS, Sony, NHS, etc.)
June 9 – Citigroup accounts accessed
* Concise history of recent Sony hacks
http://attrition.org/security/rants/sony_aka_sownage.html
Planning for Security
Plan personas and define permission matrices
Understand content and security contexts
Determine authentication, SSO, and federation goals
Use the SharePoint 2010 upgrade as an opportunity to apply governance
Don’t expect the default settings to protect you
Anonymous Access
Carefully decide if SharePoint is the right platform for anonymous access
Especially consider the implications for public blogs and wikis
Always use the site lockdown feature
The ViewFormPagesLockDown site collection feature: check it with “Get-SPFeature ViewFormPagesLockDown” and activate it with Enable-SPFeature
Further restrict pages using web.config or UAG
Add SharePoint to your website security testing
Don’t lock out the /_layouts path altogether
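The lockdown step on this slide has a sequencing trap: the feature trims the Limited Access permission level that anonymous users are mapped to, so if anonymous access was already switched on before the feature was activated, the site has to have anonymous access turned off and back on for the lockdown to apply. The script below is an added example written for this page, not code from the deck or from Microsoft; it assumes the SharePoint 2010 Management Shell on a farm server, a hypothetical web application URL, and that anonymous access is already permitted at the web application (IIS) level.

```powershell
# Added example (not from the slides): activate ViewFormPagesLockDown on every anonymous-enabled
# site collection of one web application, re-applying anonymous access so the lockdown takes effect.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://www.contoso.com"   # assumption: the public-facing web application

Get-SPSite -WebApplication $webAppUrl -Limit All | ForEach-Object {
    $site = $_
    try {
        $rootWeb = $site.RootWeb
        $disabled = [Microsoft.SharePoint.SPWeb+WebAnonymousState]::Disabled

        # Sites that never allow anonymous users need no lockdown; skip them.
        if ($rootWeb.AnonymousState -eq $disabled) {
            Write-Host "$($site.Url): anonymous access disabled, skipping"
            return
        }

        # Get-SPFeature -Site lists the features active at site collection scope.
        $active = Get-SPFeature -Site $site | Where-Object { $_.DisplayName -eq "ViewFormPagesLockDown" }
        if ($active -ne $null) {
            Write-Host "$($site.Url): lockdown already active"
            return
        }

        # Turn anonymous access off, activate the feature, then restore the previous state so the
        # trimmed Limited Access rights are what anonymous users receive from now on.
        $previousState = $rootWeb.AnonymousState
        $rootWeb.AnonymousState = $disabled
        $rootWeb.Update()

        Enable-SPFeature -Identity ViewFormPagesLockDown -Url $site.Url

        $rootWeb.AnonymousState = $previousState
        $rootWeb.Update()
        Write-Host "$($site.Url): lockdown enabled and anonymous access re-applied"
    }
    finally {
        $site.Dispose()
    }
}
```

Keep the slide's last bullet in mind when adding web.config or UAG rules on top of this: the forms login page and the access-denied and error pages live under /_layouts, so blocking the whole path breaks sign-in for authenticated users as well.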
Authentication and Directory Security
Synchronize only the AD users relevant for social features
Don’t bring confidential information into user profiles
Understand the impacts of third-party federation
Track and block rogue SharePoint installations with “Service Connection Points”
Develop a password change / managed account strategy
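The "track" half of the Service Connection Point bullet is an Active Directory query: once an administrator has created the "Microsoft SharePoint Products" container under CN=System, every farm registers a serviceConnectionPoint object there while it is being configured, so any object you did not expect is a farm someone built without telling you. The script below is an added example for this page, not code from the deck; it uses plain System.DirectoryServices so it needs no AD module, and the approved-farm names are hypothetical placeholders for the cn values of your sanctioned farms.

```powershell
# Added example (not from the slides): list SharePoint farms registered as Service Connection
# Points in AD and flag the ones not on the approved list.
$approvedFarms = @("SPFARM-PROD", "SPFARM-DEV")   # hypothetical: cn values of sanctioned farms

$rootDse     = [ADSI]"LDAP://RootDSE"
$containerDn = "CN=Microsoft SharePoint Products,CN=System,$($rootDse.defaultNamingContext)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$containerDn"
$searcher.Filter     = "(objectClass=serviceConnectionPoint)"
[void]$searcher.PropertiesToLoad.AddRange(@("cn", "servicebindinginformation", "keywords", "whencreated"))

try {
    $results = $searcher.FindAll()
}
catch [System.Runtime.InteropServices.COMException] {
    # No container means no farm could have registered; create it (and grant farm accounts
    # write access to it) before relying on SCP tracking.
    Write-Warning "Container $containerDn not found; SharePoint farms cannot register until it exists"
    return
}

foreach ($result in $results) {
    $p        = $result.Properties
    $cn       = [string]$p["cn"][0]
    $binding  = @($p["servicebindinginformation"]) -join "; "   # e.g. the Central Administration URL
    $keywords = @($p["keywords"]) -join "; "
    $created  = $p["whencreated"][0]
    $status   = if ($approvedFarms -contains $cn) { "approved" } else { "UNAPPROVED - investigate" }
    Write-Host ("{0,-25} {1,-24} registered {2:yyyy-MM-dd} binding={3} keywords={4}" -f `
        $cn, $status, $created, $binding, $keywords)
}
```

The "block" half is separate and not scriptable from the farm side: it is the DisableInstall policy value under the Shared Tools\Web Server Extensions\14.0\SharePoint policy registry key, pushed by Group Policy to the machines where installation should fail. Run the SCP report on a schedule and diff it against the approved list so a new farm shows up the week it is built rather than at the next audit.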
Content Security
Audiences are not security
Search content rollups make bypassing audiences simple
Item-level permissions / broken permission inheritance should be the exception, not the rule
Avoid using policies to override permissions
PDFs = Pretty Dangerous Files
Consider Information Rights Management and auditing
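Two bullets on this slide, and the speaker note about the firm that thought a couple thousand people had access when 22,000 did, come down to the same audit: who has actually been granted rights, and where has inheritance been broken. The script below is an added example for this page, not code from the deck; it assumes the SharePoint 2010 Management Shell, a hypothetical web application URL, and a hand-maintained list of the login names your farm uses for "everyone"-style principals (the classic and claims forms shown are the usual ones, but adjust them for your authentication mode).

```powershell
# Added example (not from the slides): per site collection, count principals, count lists and
# items with unique permissions, and report grants to "everyone"-style principals, which
# audiences and obscurity do nothing to restrict.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: login names for broad principals in classic mode and in 2010 claims mode.
$broadPrincipals = @("NT AUTHORITY\authenticated users", "Everyone", "c:0(.s|true", "c:0!.s|windows")

# Emits one record per role assignment on a securable (web, list or item) that grants a broad principal.
function Get-BroadGrant($securable, [string]$location) {
    foreach ($ra in $securable.RoleAssignments) {
        $login = $ra.Member.LoginName
        if ($broadPrincipals -contains $login) {
            $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            New-Object PSObject -Property @{ Location = $location; Principal = $login; Roles = $roles }
        }
    }
}

function Get-PermissionFindings([string]$webAppUrl) {
    Get-SPSite -WebApplication $webAppUrl -Limit All | ForEach-Object {
        $site = $_
        try {
            $uniqueLists = 0
            $uniqueItems = 0
            foreach ($web in $site.AllWebs) {
                try {
                    if ($web.HasUniqueRoleAssignments) { Get-BroadGrant $web $web.Url }
                    foreach ($list in $web.Lists) {
                        if (-not $list.HasUniqueRoleAssignments) { continue }
                        $uniqueLists++
                        Get-BroadGrant $list $list.RootFolder.ServerRelativeUrl
                        # Walking items is expensive; only do it for lists that already broke
                        # inheritance and are small enough to enumerate.
                        if ($list.ItemCount -le 2000) {
                            foreach ($item in $list.Items) {
                                if ($item.HasUniqueRoleAssignments) {
                                    $uniqueItems++
                                    Get-BroadGrant $item $item.Url
                                }
                            }
                        }
                    }
                }
                finally { $web.Dispose() }
            }
            # SiteUsers is every principal ever granted rights in the site collection. A domain
            # group counts once here but may hide thousands of people, which is how "a couple
            # thousand" users turns into 22,000: expand those groups in AD before trusting the total.
            $users  = @($site.RootWeb.SiteUsers | Where-Object { -not $_.IsDomainGroup }).Count
            $groups = @($site.RootWeb.SiteUsers | Where-Object { $_.IsDomainGroup }).Count
            Write-Host ("{0}: {1} users, {2} domain groups, {3} lists and {4} items with unique permissions" -f `
                $site.Url, $users, $groups, $uniqueLists, $uniqueItems)
        }
        finally { $site.Dispose() }
    }
}

$findings = @(Get-PermissionFindings "https://intranet.contoso.com")   # assumption: URL to audit
$findings | Format-Table Location, Principal, Roles -AutoSize
```

Any list or item that shows up in the report with a broad principal and anything beyond Read is a candidate for re-inheriting permissions; the site-level summary lines tell you which site collections have made item-level permissions the rule rather than the exception.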
Network Security
Always use SSL for authenticated access
Firewall all nonessential public ports
Host all servers on the same VLAN
Use IPsec for geo-distributed communication
Be aware of “loopback check” implications
Application Security
Never expose SharePoint’s application tier to the internet
Don’t host Central Administration on a web front-end
Isolate service accounts and use standard naming conventions
Use multiple IIS application pools (but not too many)
Never use CNAMEs
Database Security
Isolate SharePoint databases from other systems
Minimize the SQL surface area by disabling unneeded features
Consider SQL 2008 “Transparent Data Encryption”
Performance impact, backup size impact, and FILESTREAM impacts
Don’t leave SharePoint backups within the content database or on web front-ends
Connected System Security
Remove the X-SharePointHealthScore (“X-HealthScore”), MicrosoftSharePointTeamServices, and other identifying headers
Leverage the Secure Store Service for safely accessing external systems via BCS
Avoid reliance on Flash content
Consider Forefront UAG endpoint security
Set policies regarding data being stored offline
Security Maintenance and Monitoring
If running WSS/MOSS, patch to the October 2010 CU or install MS10-039
Keep SharePoint, Windows, and SQL patched to the latest service packs
Deploy server-side virus protection
Use System Center Operations Manager with the SharePoint health rules to monitor for performance spikes or errors related to attacks
Build security assessments and spot checks into other SharePoint maintenance plans
Familiarize yourself with “Site Permissions > Check Permissions”
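The spot check this slide asks for is the one an outsider would run, and it covers two earlier points at once: the well-known endpoints the speaker notes say are reachable until the lockdown feature is active, and the identifying headers the Connected System Security slide says to remove. The script below is an added example for this page, not code from the deck; it sends unauthenticated requests with plain .NET so it works from any Windows machine, the site URL is hypothetical, the "Shared Documents" library path is an assumption about the site being checked, and it should be pointed only at sites you own.

```powershell
# Added example (not from the slides): anonymous probe of lockdown endpoints and identifying headers.
$siteUrl = "https://www.contoso.com"   # assumption: the public site to spot-check

# Endpoints that should not answer 200 to an anonymous user once the lockdown feature is on.
$probePaths = @(
    "/_layouts/viewlsts.aspx",                   # lists every list and library in the site
    "/_vti_bin/sites.asmx",                      # remote interface (web service)
    "/Shared Documents/Forms/AllItems.aspx",     # assumption: a library on the site
    "/_layouts/settings.aspx"
)
# Headers that reveal product, version or load.
$leakyHeaders = @("MicrosoftSharePointTeamServices", "X-SharePointHealthScore", "Server", "X-Powered-By", "X-AspNet-Version")

function Invoke-AnonymousProbe([string]$url) {
    $request = [System.Net.HttpWebRequest]::Create($url)
    $request.Method = "GET"
    $request.AllowAutoRedirect   = $false   # a 302 to the login page is itself the answer
    $request.UseDefaultCredentials = $false # never send the operator's domain credentials
    $request.UserAgent = "Mozilla/5.0 (SharePoint spot check)"
    try {
        $response = $request.GetResponse()
    }
    catch [System.Net.WebException] {
        # 401/403/404 arrive as exceptions with the response still attached; anything
        # without a response (DNS, TLS trust) is a real error and is rethrown.
        $response = $_.Exception.Response
        if ($response -eq $null) { throw }
    }
    try {
        New-Object PSObject -Property @{
            Url     = $url
            Status  = [int]$response.StatusCode
            Headers = $response.Headers
        }
    }
    finally { $response.Close() }
}

foreach ($path in $probePaths) {
    $probe   = Invoke-AnonymousProbe ($siteUrl.TrimEnd("/") + $path)
    $verdict = if ($probe.Status -eq 200) { "EXPOSED to anonymous users" } else { "blocked (HTTP $($probe.Status))" }
    Write-Host ("{0,-45} {1}" -f $path, $verdict)
}

$home = Invoke-AnonymousProbe $siteUrl
foreach ($name in $leakyHeaders) {
    $value = $home.Headers[$name]
    if ($value) { Write-Host ("header leak: {0}: {1}" -f $name, $value) }
}
```

A 200 on any of the probe paths means the lockdown feature is missing or anonymous access was granted before it was activated; a 401, 403 or a 302 to the login page is the expected result. Header findings are fixed at the edge (UAG or another reverse proxy) or with IIS outbound rewrite rules rather than in SharePoint itself, so re-run the probe after every farm patch, since a cumulative update can put a removed header back.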
Resources
Downloadable book: Security for Office SharePoint Server 2007
http://technet.microsoft.com/en-us/library/cc262619(office.12).aspx
Locking down Office SharePoint Server sites
http://technet.microsoft.com/en-us/library/ee191479(office.12).aspx
Plan for and design security
http://technet.microsoft.com/en-us/library/cc262331(office.12).aspx
Bert Johnson security blogs
http://blogs.pointbridge.com/Blogs/Johnson_Bert/
Housekeeping
Please remember to submit your session evaluation forms after each session you attend to increase your chances at the raffle
Follow SharePoint Saturday Chicago on Twitter @spschicago and hashtag #spschicago