• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Securing the SharePoint Platform
 

Securing the SharePoint Platform

on

  • 2,446 views

Presentation titled "Securing the SharePoint Platform" presented by Bert Johnson at SharePoint Saturday Chicago

Presentation titled "Securing the SharePoint Platform" presented by Bert Johnson at SharePoint Saturday Chicago

Statistics

Views

Total Views
2,446
Views on SlideShare
2,446
Embed Views
0

Actions

Likes
0
Downloads
64
Comments
0

0 Embeds 0

No embeds

Accessibility

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • [1 minute]
  • [1 minute]
  • [1 minute]
  • [2 minutes]“Application platform” includes custom development, Project Server, SAP Duet, FAST Search, TFS.
  • [1 minute]
  • [2 minutes]
  • [2 minutes]
  • [2 minutes]On one of my first SharePoint assessments, a major firm I was working with had no idea how much data or what kinds of data they had, how many users they had, or how permissions were configured. They estimated a couple thousand people had access to SharePoint. It turned out over 22,000 did.
  • [3 minutes]The farm configuration wizard creates some security gaps by default.
  • [5 minutes]Unless the site feature is activated, standard SharePoint endpoints are available, making data discovery easy./Forms/AllItems.aspx/_layouts/viewlsts.aspx/_vti_bin/sites.asmx
  • [2 minutes]SharePoint people search results have no form of security trimming. If a user can see any people results, they can see them all.
  • [2 minutes]Too often, SharePoint site owners rely on obfuscation or audience targeting to try and secure content.
  • [3 minutes]Any party who can manipulate SharePoint’s HTML directly or impersonate third party Javascript can compromise the site.
  • [2 minutes]The InfoPath forms service web service proxy caches credentials, allowing for subsequent users to impersonate preceding users if accessed directly.
  • [3 minutes]SharePoint designer backups are exported to the root of your SharePoint site as unencrypted CMP packages.
  • [3 minutes]SharePoint 2010 added a new header called X-HealthScore for preventing Office client abuse. In public sites, it advertises server load. All SharePoint versions reveal their version number in a header by default.
  • [4 minutes]Malicious Javascript can be used to manipulate data when another user runs it.
  • [2 minutes]MOSS 2007 below August 2009 has XSS bug in the help pages allowing arbitrary code injection.
  • [1 minute]

Securing the SharePoint Platform Securing the SharePoint Platform Presentation Transcript

  • Bert Johnson
    SharePoint Architect and MCM - PointBridge
    Securing the SharePoint Platform
  • Bert Johnson
    SharePoint Architect with PointBridge Solutions
    Microsoft Certified Master – SharePoint Server 2010
    Twitter: @SPBert Event Hashtag: #SPSChicago
    Email: bjohnson@pointbridge.com
    Blog: http://blogs.pointbridge.com/Blogs/Johnson_Bert/
  • About PointBridge
    By The Numbers:
    Founded in 2004
    250+ SharePoint projects
    350,000+ hours of SharePoint experience
    30,000+ monthly blog hits
    2010 Microsoft Midwest District Award for Best Customer Experience
    2009 Microsoft Central US Partner of the Year
    2009 SharePoint Conference Award: Multi-Solution Capability
    2008 Global Partner of the Year finalist: Citizenship
    2007 Microsoft US Partner of the Year: SharePoint
    One of 35 Microsoft National Systems Integrators
    One of 15 members of Microsoft Partner Advisory Council for SharePoint
  • Agenda
    The Importance of SharePoint Security
    Facets of SharePoint Security
    Resources
    Q & A
  • The Importance of SharePoint Security
  • What is SharePoint?
    SharePoint is:
    “A site-provisioning engine”
    No really, SharePoint is:
    A website
    A series of databases
    An application platform
    SharePoint touches:
    Your network
    Your Active Directory
    Your LOB Systems
    SharePoint is a platform with a large attack surface
  • SharePoint is Everywhere
    Over 20,000 new SharePoint seats have been added every day for 5 years
    Over 1,500 high profile websites on SharePoint
    SharePoint is becoming increasingly “business critical”
    SharePoint is commonly used for
    Intranets
    Extranets
    Internet Sites
    Application platforms
  • Types of Security Threats
    Threats we’re going to explore today:
    Data disclosure / theft
    Data loss
    System downtime
    Types of attacks:
    Cross-site scripting (XSS)
    Cross-site request forgery (CSRF)
    Clickjacking
    Privilege escalation
    “Man in the middle” / replay attacks
    SQL injection
    If it’s a threat to other websites or databases, it’s a threat to SharePoint
  • Software Security in the News
    March 17 – RSA SecureID Compromised
    March 24 - Comodo Security Breach
    April 4 - Epsilon Data Leak
    April 12 - Largest Microsoft Patch Tuesday
    April 20 – PlayStation Network Hack
    May 30 – LulzSec (PBS, Sony, NHS, etc.)
    June 9 – Citigroup Accounts Accessed
    * Concise history of recent Sony hacks
    http://attrition.org/security/rants/sony_aka_sownage.html
  • Facets of SharePoint Security
  • Example:They keep piling up!
  • Planning for Security
  • Planning for Security
    Plan personas and define permission matrices
    Understand content and security contexts
    Determine authentication, SSO, and federation goals
    Use the SharePoint 2010 upgrade as an opportunity to apply governance
    Don’t expect the default settings to protect you
  • Example:How’d you build that?
  • Anonymous Access
    Carefully decide if SharePoint is the right platform for anonymous access
    Especially consider implications for public blogs and wikis
    Always use the site lockdown feature
    “Get-SPFeatureviewformpageslockdown”
    Further restrict pages using web.config or UAG
    Add SharePoint to your website security testing
    Don’t lock out the /_layouts path altogether
  • Example:I don’t think we’ve met…
  • Authentication and Directory Security
    Synchronize only the AD users relevant for social features
    Don’t bring confidential information into user profiles
    Understand the impacts of third-party federation
    Track and block rogue SharePoint installations with “Service Connection Points”
    Develop a password change / managed account strategy
  • Example:Private audience?
  • Content Security
    Audiences are not security
    Search content rollups make bypassing audiences simple
    Item-level permissions / broken permission inheritance should be the exception, not the rule
    Avoid using policies to override permissions
    PDFs = Pretty Dangerous Files
    Consider Information Rights Management and auditing
  • Example:The man in the middle…
  • Network Security
    Always use SSL for authenticated access
    Firewall all nonessential public ports
    Host all servers on the same vLAN
    Use IPSec for geo-distributed communication
    Be aware of “loopback check” implications
  • Network Security
  • Example:I’m with him…
  • Application Security
    Never expose SharePoint’s application tier to the internet
    Don’t host Central Administration on a web front-end
    Isolate service accounts and use standard naming conventions
    Use multiple IIS application pools (but not too many)
    Never use CNames
  • Example:Thanks for the backup!
  • Database Security
    Isolate SharePoint databases from other systems
    Minimize the SQL surface area by disabling unneeded features
    Consider SQL 2008 “Transparent Data Encryption”
    Performance impact, backup size impact, and file stream impacts
    Don’t leave SharePoint backups within the content database or on web-front ends
  • Example:Your health is showing.
  • Connected System Security
    Remove the X-HealthScore, MicrosoftSharePointTeamServices, and other identifying headers
    Leverage the Secure Store Service for safely accessing external systems via BCS
    Avoid reliance on Flash content
    Consider ForeFront UAG endpoint security
    Set policies regarding data being stored offline
  • Example:Could you do this for me?
  • Custom Development Security
    Build security testing into the SDLC for all custom and third-party components
    Take advantage of CAS policies and the ULS logs
    Utilize sandbox solutions whenever possible
    Minimize use of RunWithElevatedPrivilege()
    With SharePoint 2010, Javascript is now the biggest threat
  • Example:You don’t want this help…
  • Security Maintenance and Monitoring
    If running WSS/MOSS, patch to October 2010 CU or install MS10-039
    Keep SharePoint, Windows, and SQL patched to latest service packs
    Deploy server-side virus protection
    Use Systems Center Operations Manager with SP health rules to monitor for performance spikes or errors related to attacks
    Build security assessments and spot checks into other SharePoint maintenance plans
    Familiarize self with “Site Permissions > Check Permissions”
  • Resources
  • Resources
    Downloadable book: Security for Office SharePoint Server 2007
    http://technet.microsoft.com/en-us/library/cc262619(office.12).aspx
    Locking down Office SharePoint Server sites
    http://technet.microsoft.com/en-us/library/ee191479(office.12).aspx
    Plan for and design security
    http://technet.microsoft.com/en-us/library/cc262331(office.12).aspx
    Bert Johnson security blogs
    http://blogs.pointbridge.com/Blogs/Johnson_Bert/
  • Q & A
  • Bert Johnson
    SharePoint Architect with PointBridge Solutions
    Microsoft Certified Master – SharePoint Server 2010
    Twitter: @SPBert Event Hashtag: #SPSChicago
    Email: bjohnson@pointbridge.com
    Blog: http://blogs.pointbridge.com/Blogs/Johnson_Bert/
  • Housekeeping
    Please remember to submit your session evaluation forms after each session you attend to increase your chances at the raffle
    Follow SharePoint Saturday Chicago on Twitter @spschicago and hashtag #spschicago
  • Thanks to Our Sponsors!
    Premier
    Gold
    Silver
    Bronze
    Sponsors