Top 10 Security Mistakes You Probably Made in Your SharePoint Implementation [eBook]
A Publication of AAJ Technologies
A GUIDE TO KEEP YOUR INFORMATION SAFE
By Brett Gillin
TABLE OF CONTENTS
Mistake 1 - Improper Security Definition
Mistake 2 - Improper Use of Active Directory vs. SharePoint Groups
Mistake 3 – Not Knowing Who is Accessing Information
Mistake 4 - Poor End Point Security (Not McAfee)
Mistake 5 - Not Using Virus Control for SharePoint
Mistake 6 - Using One Account for Everything
Mistake 7 - Lack of SharePoint Governance Process Oversight
Mistake 8 - Unclear Security Oversight
Mistake 9 - Improper Training on SharePoint and Poor Security Training
Mistake 10 - Not Encrypting Your SQL Database
The more we move our information online and into the cloud, the more
opportunities exist for cyber criminals to attack and take your critical data. One
of the biggest stories of last year was the Bradley Manning (now Chelsea
Manning) WikiLeaks story, in which an Army intelligence analyst was accused of
leaking 250,000 government cables to WikiLeaks. During testimony, an Army
investigator testified that Manning was stealing his information directly from
SharePoint servers thanks to Wget scripts.
There’s a good chance that if those in charge of securing the government’s
SharePoint servers had read an eBook like this, this huge information leak might
have been prevented (at least partially). In this eBook we’ll point out 10 common
mistakes many organizations make in their SharePoint implementations.
If your organization is on an older version of SharePoint, it’s definitely time to
think about upgrading, because there will most likely be even more security
issues than are addressed in this eBook...
How important is it that your organization secures and monitors Microsoft
SharePoint? No matter how robust and secure SharePoint is designed to be,
simple mistakes in its implementation, like the ones we’re about to discuss, can
lead to glaring security issues, which in turn could mean your sensitive
information ends up in the hands of your competitors. Similarly, any business
that relies on SharePoint to store confidential--or even sensitive--information
should know who's accessing that data, and why. What's the best way to make
this happen? Start by avoiding these 10 common SharePoint security mistakes.
Improper Security Definition
Regarding “Security Definitions” in SharePoint, there are two different sets of
definitions. The first is for SharePoint as a whole, such as databases,
farms, and technical environments. The second focuses on the other
side of the “Security Definitions” coin: security definitions for users. The security
definition in SharePoint is a designation of what a certain user can and cannot
access in SharePoint. There will be a user or a group of users who will have
complete control and access to everything in SharePoint. However, you must be
diligent in properly designating security definitions of the other, “non-admin”
users. You’re not going to want, for example, a marketing employee whose sole
responsibility is to update content to have the ability to change system settings
or assign new roles. Lapses in security definition could mean major security
Take, for example, the story of a multi-million dollar company that has about a
dozen users with complete “Administrator” access to SharePoint; essentially, each
of these users can change any aspect of SharePoint whenever they please. If one
of these employees is fired and the account is not deactivated, the user can still
log in to the SharePoint site with their still-valid credentials and delete thousands
of vital documents. The surprising part of this story is that the guy who went in and
deleted all these documents was a sales representative for the company, not a
technical resource for SharePoint. This employee should never have had this level
of access to the SharePoint environment in the first place.
Luckily, the company in this story was regularly
backing up their information, and was able to restore
most of the deleted documents, but this is just one
example of why your company needs to make sure that
users only have the access that they need to your
Improper Use of Active Directory vs. SharePoint Groups
In SharePoint, there are two types of groups that administrators can place users
into. One of them is based on Active Directory (AD), and the other is based
strictly inside of SharePoint. The improper use of these groups is widespread,
especially since “best practices” have changed recently. Microsoft used to always
recommend using Active Directory groups inside SharePoint groups, but this
guidance has changed, with Microsoft now recommending:
"We do not recommend SharePoint groups to assign permissions to sites. When
a SharePoint group is used to assign permissions, a full crawl of the index occurs.
Instead, we recommend Active Directory Domain Services (AD DS) groups."
Microsoft Best Practices state that you’ll
now want to reuse AD groups within
SharePoint groups whenever you can.
SharePoint groups should be used for
precise control of unique access. Microsoft
also recommends that you sync your
SharePoint group to an AD email
distribution group whenever you can; this
is done by enabling SharePoint Directory
Not Knowing Who is Accessing Information
You’d be surprised how often companies set up their SharePoint environment,
assign users, and then never look to see who is accessing what. From a security
perspective, this is a cardinal sin. In order to ensure that your organization is not
at risk, controlling access to SharePoint content is critical. This is even more
important if you allow mobile users or mobile devices to access your SharePoint
To protect your sensitive corporate information, businesses should always
implement critical security mechanisms and access control policies within your
IT departments need to pay attention to their authorization policies so that they
know who is accessing information. Just as importantly, your organization needs
to have a record of what type of data or information these users are accessing,
as well as the “where and when.”
To achieve this, there needs to be proper site governance of both the content
and structure of the SharePoint site.
Note that this goes both ways; content created and changed on mobile devices
needs to follow the same set of authorization policies as those of the
on-premises SharePoint site.
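As an added illustration (not part of the original eBook and not AAJ Technologies' code), the following Python example builds the “who, what, where and when” record described above from the IIS web server logs that SharePoint front ends produce. The log lines are constructed, and the max_docs threshold and the SCRIPTED client list are assumptions to tune for your environment.

```python
from collections import defaultdict

# Constructed IIS W3C log lines for illustration; not real data.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2014-03-01 09:02:11 GET /sites/hr/Docs/policy.docx CORP\alice 10.0.0.21 Mozilla/5.0+(Windows+NT+6.1) 200
2014-03-01 09:05:40 GET /sites/hr/Docs/policy.docx CORP\alice 10.0.0.21 Mozilla/5.0+(Windows+NT+6.1) 200
2014-03-01 23:10:01 GET /sites/ops/Docs/report-0001.pdf CORP\bob 10.0.0.57 Wget/1.14+(linux-gnu) 200
2014-03-01 23:10:02 GET /sites/ops/Docs/report-0002.pdf CORP\bob 10.0.0.57 Wget/1.14+(linux-gnu) 200
2014-03-01 23:10:03 GET /sites/ops/Docs/report-0003.pdf CORP\bob 10.0.0.57 Wget/1.14+(linux-gnu) 200
2014-03-01 23:10:04 GET /sites/ops/Docs/report-0004.pdf CORP\bob 10.0.0.57 Wget/1.14+(linux-gnu) 401
2014-03-01 23:11:00 GET /_layouts/images/logo.png - 10.0.0.99 Mozilla/5.0 200
""".strip().splitlines()

# Assumed list of user-agent substrings that indicate a scripted client.
SCRIPTED = ("wget", "curl", "python-requests", "powershell")

def access_report(lines, max_docs=2):
    """Summarise who fetched what, from where and when; flag unusual access."""
    fields = []
    users = defaultdict(lambda: {"docs": set(), "ips": set(),
                                 "agents": set(), "times": []})
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order differs per server
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-username", "-") == "-" or rec.get("sc-status") != "200":
            continue                       # skip anonymous and failed requests
        u = users[rec["cs-username"]]
        u["docs"].add(rec["cs-uri-stem"])
        u["ips"].add(rec["c-ip"])
        u["agents"].add(rec["cs(User-Agent)"])
        u["times"].append(rec["date"] + " " + rec["time"])
    report = {}
    for name, u in users.items():
        flags = []
        if len(u["docs"]) > max_docs:      # many distinct documents
            flags.append("bulk-download")
        if any(s in a.lower() for a in u["agents"] for s in SCRIPTED):
            flags.append("scripted-client")
        report[name] = {"documents": len(u["docs"]), "sources": sorted(u["ips"]),
                        "first": min(u["times"]), "last": max(u["times"]),
                        "flags": flags}
    return report

if __name__ == "__main__":
    for user, row in access_report(SAMPLE_LOG).items():
        print(user, row)
```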
Poor End Point Security (Not McAfee)
We won’t spend too much time on this particular point, because it’s pretty
self-explanatory. Your SharePoint environment needs to have strong endpoint
security, especially with the widespread use of SharePoint Workspaces, which
allows users to synch their data with SharePoint libraries. This is a very useful
tool, allowing your users to have access to their SharePoint content even if
they’re not online, but it also opens up a vulnerability point.
Simple things like disk encryption can help prevent security breaches and keep
your content where it should be.
Not Using Virus Control for SharePoint
The vast majority of companies take special care to install virus scanning
software on every device they allow to access their internal networks. In fact, it’s
relatively rare that a SharePoint site isn’t protected, at least from a base level, via
a virus control program. But you might be surprised at how many companies
leave a gaping hole in their virus control for SharePoint by not properly scanning
their content libraries and the files that are uploaded there by users in real time.
Even if there is a daily virus scan of the entire SharePoint environment, if there is
not active scanning of the databases and content libraries, your organization
could be open to malware or virus attacks. Many viruses only need a few
minutes to infect an entire database, and with a program like SharePoint that
allows for the widespread sharing of documents and information, a virus or
malware problem could quickly become out of control.
Take, for example, the recent problems companies have had with the
CryptoLocker virus. CryptoLocker is a Trojan horse-style virus which can infect
files stored on local and mounted network drives. This virus locks up data,
making it inaccessible to users, then asks for a sort of ransom to provide the key
to unlock the data. Can you imagine what would happen if a virus like this
infected your SharePoint content libraries? The results could be catastrophic.
Using One Account for Everything
The common SharePoint mistakes discussed in this eBook are typically
attributed to one thing: shortcuts. It’s natural to try to find the quickest way to
implement software, especially when there’s pressure from every angle to move
fast and get it operational. But as we’re seeing here, taking little shortcuts can
lead to huge headaches in the future.
One shortcut that you must avoid is using one single account for everything. So
many companies use the Domain Administrator account to do just about
everything they need in SharePoint. But this causes an enormous problem. For
example, if there’s one account that can control everything, and multiple people
who know the password use the account, there’s quite simply no accountability
in SharePoint anymore. You completely lose control of figuring out who made
what changes to SharePoint. And if a worst-case scenario happens and that
account or account password is compromised, you might be looking at a
lengthy downtime for your SharePoint environment while you fix the issue.
Here’s another scenario: many of you may work in buildings that use security
cards to access doors. Each of these security cards is coded with your name and
identification number. This is done so that it’s easy to keep track of who
accesses different parts of the building. Oftentimes, the card will only let you
open certain doors, and leave you denied access to other areas of the building.
But think about what would happen if everyone were using the same master card
for building access! It would be a nightmare trying to figure out where people
were going in the building or restricting access to certain areas. Plus, the first
time an employee leaves the company and doesn’t turn in the key, either every
single employee must be granted new access cards, or that now-ex-employee will
be able to make after-hours visits to the office whenever they want, and no one
will know the difference.
So make sure that you’re using multiple accounts in SharePoint. And while
you’re at it, you might want to be sure that your security badge is still working.
Lack of SharePoint Governance Process Oversight
Do you know how your content is managed today? Do you know who is
responsible for managing what content goes where? Do you know who
approves the content, or even who approves the proper places to store that
content? If you don’t know, then you have a problem.
That problem could be a few things. First, it could mean you don’t have a
SharePoint governance policy in the organization. If that’s the case, immediate
steps should be taken to at least begin drafting one. If you don’t, your SharePoint
environment could quickly turn into “The Wild West,” with a bunch of different
people creating new sites and pages in SharePoint, creating and editing web
parts on their own, or placing those ever-important sales presentations or
expense reports in whatever folder they deem most convenient at the time.
Another issue could be that you have a SharePoint Governance policy but you’re
not familiar with it. This is a major problem too, as the policy is only as good
as its use. In short, everyone who has access to SharePoint should be familiar
with the Governance policy, and have access to a document which carefully spells
that out for their reference. Doing this will save you possible massive headaches
in the future.
Unclear Security Oversight
Let’s assume that you’ve got all of your ducks in a row already, and your
company isn’t suffering from any of the aforementioned problems. But let me
bring up another point that is often overlooked when it comes to SharePoint
security: oversight.
Who is responsible for SharePoint security in your organization? Most of the
time, this is something that is handled by your in-house IT administrators, but an
alarming amount of the time, people can’t actually answer this simple question!
When it comes down to the people who are working in SharePoint every single
day (power users, administrators, developers, architects and the like), they
may not know who holds that grand security key.
Do you know who is responsible from the business side for SharePoint security
in your organization? How about from the technical side? Do you know the last
time these responsibilities were updated and reviewed? To ensure the security of
your internal information, make sure you know who is responsible for what, and
who is “Watching the Watchers”.
Improper Training on SharePoint and Poor Security Training
Let’s take a quick moment to think back to your SharePoint training. Can you
remember the portions where your trainer covered major security issues like the
ones we’re mentioning here?
Unfortunately, the answer to this question is often either, “Wow, we didn’t even
really have SharePoint security training,” “We didn’t have SharePoint training at
all,” or “I don’t remember going over security in detail during my training.”
For example, you might know how to add or delete content in your SharePoint
environment, like uploading a document, deleting it, or even editing it on
SharePoint. But do you know how to secure that document? Have you been
trained on how to ensure that a document doesn’t fall into the wrong hands, or
that only the people that need to see it have access to it? If you don’t, you may
need a refresher on your security training in SharePoint.
Not Encrypting Your SQL Database
The last crucial mistake so many people make when it comes to SharePoint
implementation is a lack of encryption.
Did you know that, out of the box, SharePoint's SQL database is not
encrypted? And did you know that adding encryption to that SQL database can
be a major pain and lead to some heavy performance issues? It’s not always the
easiest thing to implement, and if done improperly it can definitely cause some
performance lags, but by leaving your SQL database unencrypted, you’re inviting
unwelcome guests to an “inside information” bonanza. If you’re dealing with any
sort of sensitive data, and it’s awfully hard to
find a company that isn’t, you need to make sure that your database is
By now, you should have a good understanding of the typical security mistakes
found in SharePoint. The good news is that none of these issues are impossible
to overcome, especially if you have SharePoint security experts guiding you
through the process.
If your company has any of the ten issues
described earlier, or you suspect that security
might not be as tight as it needs to be in your
organization, AAJ Technologies is here to help.
You’ll find on our website a couple of great
options for analyzing your SharePoint
environments, performing a “Health Check,”
and even helping you to upgrade to the latest
version of SharePoint.