So you’ve inherited a SharePoint environment and need it secure, ASAP. The talk explains how to do this in a methodical way, to address all the levels of SharePoint security. This is ideal for the SharePoint administrator who needs to address the server security realm and the security officer who needs to understand SharePoint security.
10 points to make a rogue SharePoint environment really, really secure..
1. 10 points to make a rogue SharePoint environment really, really secure..
Presented By Peter Ward – September 20th 2014
w- www.sohodragon.com
c- 862 220 6080
b- www.wardpeter.com
2. New Jersey SharePoint user group
• Different SharePoint discussions each month on various topics. Announced on meetup.com
• Meets 4th Tuesday of every month
• 6pm – 8pm
• Microsoft Office (MetroPark)
• 101 Wood Ave, Iselin, NJ 08830
• http://www.njspug.com
3. Thank You Event Sponsors
• Diamond & Platinum sponsors have tables here in the Fireside Lounge
• Please visit them and inquire about their products & services
• Also to be eligible for prizes make sure to get your bingo card stamped
4. Agenda
• Context of the presentation
• Where to start?
• Understanding security permissions and how to apply it
• Create a methodology
• How to avoid data leaks
• Show user activity on all levels
• Creating a game plan
6. Before We Begin
• Q&A – We will have time at the end of the presentation for questions…. But I encourage you to interrupt me and ask
• A copy of this presentation is on my blog
7. Reminder slide
• A copy of this presentation is on my blog: www.wardpeter.com
This means you only need to watch. There is no need to take notes
9. Context of the presentation
This SharePoint needs to work
Summary
2 days to take ownership
Only Prod environment. No Dev.
Rogue former vendor team
10. Takeaways
• Understanding ownership steps
• Confidently applying security
• The little things really matter
• Process and communication are key
• Learn how to refactor an environment
• Good example of real-world SharePoint security planning
Lesson learnt: Technology problems aren’t always technology problems
12. The inherited environment
• Hosted environment
• SharePoint 2010 Enterprise
• 3 months of undocumented code and environment.
• No Visio diagrams
• Hard-coded IDs and passwords everywhere… and I mean everywhere
• A few URLs, a service account ID and password
• SQL Server Reporting Services
• Oh I forgot:
• Can’t use 3rd party tools to run audits of security
• Internal IT department has no real understanding of how SharePoint works or what was deployed or developed
13. Where to start
• Understand SharePoint security
• Business processes
• Create a methodology
14. Understanding security accounts and how to apply it
Domain
• Active Directory Groups…. Not distribution groups
• Domain services – Exchange, IIS
Server
• Boxes
SharePoint
• Site Collections
• Sites
• SharePoint groups
Demarcation of responsibility
Service accounts
15. Business Processes
Talk to end users face to face
Understand their language:
What they think SharePoint actually is
A list is a report
Alert is an email
What, why, when, who
18. Wave 1 – Kick off
Back up the server. Make sure this includes SQL. Ask how long backups are kept
Ask for a backup, to test internal IT restoring the environment
Notify the user base what is going on, and in the communication include a team member’s email and direct phone number
Identify all the services that are running
Reboot the servers
Enforce a change log – a SharePoint list. Set up alerts to your team
Key wins:
Immediately know if services stop… and that it is not related to the password changes
Any problems you can blame on the previous vendor on the morning you start
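The change log and team alerts from Wave 1 can be set up in one go from the SharePoint Management Shell. The script below is an added example and not the presenter's code; it assumes SharePoint 2010, outgoing email configured in Central Admin (alerts do not fire otherwise), and placeholder values for $WebUrl and $TeamLogins.

```powershell
# Added example (not the presenter's code): create the Wave 1 change log as a SharePoint list
# and subscribe each team member to immediate email alerts on every change to it.
# Assumes the SharePoint 2010 Management Shell; $WebUrl and the logins are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-ChangeLogWithAlerts {
    param(
        [Parameter(Mandatory=$true)][string]$WebUrl,        # e.g. 'http://intranet/sites/admin' (placeholder)
        [Parameter(Mandatory=$true)][string[]]$TeamLogins   # e.g. 'CORP\alice' (placeholders)
    )
    $web = Get-SPWeb $WebUrl
    try {
        $list = $web.Lists.TryGetList('Change Log')
        if ($list -eq $null) {
            $id = $web.Lists.Add('Change Log', 'Every change made to the environment, by whom and why',
                                 [Microsoft.SharePoint.SPListTemplateType]::GenericList)
            $list = $web.Lists[$id]
            # Columns a reviewer needs later to reconstruct what was done and how to undo it
            $list.Fields.Add('Server',   [Microsoft.SharePoint.SPFieldType]::Text, $false) | Out-Null
            $list.Fields.Add('Reason',   [Microsoft.SharePoint.SPFieldType]::Note, $true)  | Out-Null
            $list.Fields.Add('Rollback', [Microsoft.SharePoint.SPFieldType]::Note, $false) | Out-Null
            $list.EnableVersioning = $true   # keep the history of edits to each entry
            $list.Update()
        }
        foreach ($login in $TeamLogins) {
            $user  = $web.EnsureUser($login)
            $alert = $user.Alerts.Add()
            $alert.Title            = 'Change Log - all changes'
            $alert.AlertType        = [Microsoft.SharePoint.SPAlertType]::List
            $alert.List             = $list
            $alert.DeliveryChannels = [Microsoft.SharePoint.SPAlertDeliveryChannels]::Email
            $alert.EventType        = [Microsoft.SharePoint.SPEventType]::All
            $alert.AlertFrequency   = [Microsoft.SharePoint.SPAlertFrequency]::Immediate
            $alert.Update()
        }
    } finally {
        $web.Dispose()
    }
}

# Usage (placeholders): New-ChangeLogWithAlerts -WebUrl 'http://intranet/sites/admin' -TeamLogins 'CORP\alice','CORP\bob'
```

Versioning on the list means an entry cannot be quietly edited after the fact, and an immediate alert on every item gives the team the "know within minutes" property the slide is after.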
19. Wave 2 – Start documentation
• Technical inventory of the following:
• SharePoint version and edition, SQL version
• InfoPath – purpose, template location
• Server box names
• Obtain/create system accounts and passwords, and their purpose
• Server boxes
• Architectural diagram
• Environments
• SharePoint site collections
• Central Admin
• Installed web parts
20. Wave 2 – continued
Ask questions
• What’s the source code control? This should be reviewed
• Is there a DR plan for the SQL databases?
• Is there a DR plan for SharePoint?
• Report names and their purpose
• Understand the integration points
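Most of the Wave 2 technical inventory on slides 19 and 20 can be pulled straight out of the farm instead of being typed up by hand. The script below is an added example, not part of the presentation; it assumes SharePoint 2010, that it runs as a farm administrator in the SharePoint 2010 Management Shell on a farm server, and that C:\Temp\SPInventory (an assumed path) is writable.

```powershell
# Added example (not the presenter's code): export the Wave 2 technical inventory to CSV files.
# Assumes SharePoint 2010, an elevated SharePoint 2010 Management Shell and farm-admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Export-SPFarmInventory {
    param([string]$OutDir = 'C:\Temp\SPInventory')   # assumed output folder
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Farm build number (maps to version/edition and patch level) and the servers in the farm
    $farm = Get-SPFarm
    "Farm build: $($farm.BuildVersion)" | Out-File (Join-Path $OutDir 'farm.txt')
    Get-SPServer | Select-Object Name, Role, Address |
        Export-Csv (Join-Path $OutDir 'servers.csv') -NoTypeInformation

    # Content databases and the SQL data source each one lives on
    Get-SPContentDatabase |
        Select-Object Name, NormalizedDataSource, @{n='WebApplication'; e={$_.WebApplication.Url}} |
        Export-Csv (Join-Path $OutDir 'databases.csv') -NoTypeInformation

    # Service instances per server: what is running, and where
    Get-SPServiceInstance |
        Select-Object TypeName, Status, @{n='Server'; e={$_.Server.Name}} |
        Export-Csv (Join-Path $OutDir 'services.csv') -NoTypeInformation

    # Deployed solutions: custom web parts, features and workflows ship as .wsp packages
    Get-SPSolution |
        Select-Object Name, Deployed, LastOperationResult,
            @{n='Servers'; e={($_.DeployedServers | ForEach-Object { $_.Name }) -join ';'}} |
        Export-Csv (Join-Path $OutDir 'solutions.csv') -NoTypeInformation

    # Managed (service) accounts and when their passwords expire
    Get-SPManagedAccount | Select-Object UserName, PasswordExpiration, AutomaticChange |
        Export-Csv (Join-Path $OutDir 'managed-accounts.csv') -NoTypeInformation

    # Site collections with their owners and content database
    Get-SPSite -Limit All |
        Select-Object Url,
            @{n='Owner';            e={$_.Owner.LoginName}},
            @{n='SecondaryContact'; e={$_.SecondaryContact.LoginName}},
            @{n='ContentDatabase';  e={$_.ContentDatabase.Name}} |
        Export-Csv (Join-Path $OutDir 'site-collections.csv') -NoTypeInformation
}

Export-SPFarmInventory
```

The managed-accounts file is the starting point for the ID inventory in Wave 5, and the solutions file is where the "installed web parts" question on slide 19 gets answered; anything custom that is not in it was deployed by hand and needs to be tracked down separately.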
22. Wave 3 – Removing access
• VPN access- remove
• Service accounts
• Vendor ids
• Remote access to boxes
• SharePoint env.
• Site collection administrators
23. Wave 4 – Users
• Reset all users’ passwords in PowerShell
• Ed Wilson and Craig Liebendorfer, Scripting Guys
• Don’t delete the old vendor ID yet, because it is in code and workflows
24. Wave 4 – disable unused accounts
• Wait a week for things to settle down
• Note: disable, not delete
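The two Wave 4 steps, rotating every user's password and later disabling (not deleting) accounts that turned out to be unused, look like this with the ActiveDirectory module. This is an added example and not the presenter's or the Scripting Guys' script; it assumes the RSAT ActiveDirectory module, Windows PowerShell on the .NET Framework (for Membership.GeneratePassword), rights over the OU, and that $SearchBase is replaced with your own users OU.

```powershell
# Added example (not the presenter's code): Wave 4 credential rotation and account disabling.
# Assumes the ActiveDirectory module (RSAT), Windows PowerShell / .NET Framework, and rights on the OU.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # System.Web.Security.Membership.GeneratePassword

function Reset-UserPasswords {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$SearchBase,   # e.g. 'OU=Users,DC=corp,DC=example' (placeholder)
        [string[]]$Exclude = @()                           # accounts to skip, e.g. the break-glass admin
    )
    $users = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } |
        Where-Object { $Exclude -notcontains $_.SamAccountName }
    foreach ($u in $users) {
        $temp = [System.Web.Security.Membership]::GeneratePassword(16, 3)   # 16 chars, >= 3 symbols
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Reset password; force change at next logon')) {
            Set-ADAccountPassword -Identity $u -Reset -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
            # The temporary password is returned so it can go into the password vault (final slide),
            # and nowhere else; it only has to survive until the user's first logon.
            New-Object PSObject -Property @{ Account = $u.SamAccountName; TemporaryPassword = $temp; When = Get-Date }
        }
    }
}

function Disable-InactiveAccounts {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$SearchBase,
        [int]$Days = 90
    )
    # Disable only, never delete: vendor IDs may still be referenced from code and workflows,
    # and a disabled account keeps its SID so those references can still be traced.
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($Days)) -UsersOnly -SearchBase $SearchBase |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, "Disable (no logon in $Days days)")) {
                Disable-ADAccount -Identity $_
            }
        }
}

# Usage (placeholders): rehearse with -WhatIf first, then run for real.
# Reset-UserPasswords -SearchBase 'OU=Users,DC=corp,DC=example' -Exclude 'breakglass' -WhatIf
# Disable-InactiveAccounts -SearchBase 'OU=Users,DC=corp,DC=example' -Days 7 -WhatIf
```

Both functions honour -WhatIf and -Confirm through SupportsShouldProcess, which is the difference between a rehearsal and a reset of the whole company on a Monday morning. The inactivity window should be at least the week the slide says to wait; a shorter one catches accounts that simply had not logged on yet.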
25. Wave 4 – SharePoint permissions
• Do’s
• Use Groups – either AD or SharePoint
• Don’ts
• Not everyone needs to be Site Collection Admin
• Or Full Control
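Checking a whole farm against the do's and don'ts on slide 25 means walking every site collection and every web with unique permissions. The script below is an added example and not the presenter's code; it assumes SharePoint 2010, the SharePoint 2010 Management Shell run as a farm administrator, and an assumed report path.

```powershell
# Added example (not the presenter's code): report the principals that break the slide 25 rules:
# every site collection administrator, every user granted rights directly rather than through a
# group, and every binding to a role that includes ManagePermissions (Full Control and look-alikes).
# Assumes SharePoint 2010 Management Shell and farm-admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPPermissionFindings {
    $manage = [Microsoft.SharePoint.SPBasePermissions]::ManagePermissions
    foreach ($site in Get-SPSite -Limit All) {
        try {
            # Site collection administrators bypass every permission level below them
            foreach ($admin in $site.RootWeb.SiteAdministrators) {
                New-Object PSObject -Property @{ Url = $site.Url; Principal = $admin.LoginName
                                                 Finding = 'Site collection administrator' }
            }
            foreach ($web in $site.AllWebs) {
                try {
                    # Inherited permissions were already reported on the parent web
                    if ($web.HasUniqueRoleAssignments) {
                        foreach ($ra in $web.RoleAssignments) {
                            $levels    = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
                            $canManage = @($ra.RoleDefinitionBindings |
                                Where-Object { ($_.BasePermissions -band $manage) -eq $manage }).Count -gt 0
                            # An SPUser that is not a domain group is a person added directly
                            if ($ra.Member -is [Microsoft.SharePoint.SPUser] -and -not $ra.Member.IsDomainGroup) {
                                New-Object PSObject -Property @{ Url = $web.Url; Principal = $ra.Member.LoginName
                                                                 Finding = "User granted directly ($levels), not via a group" }
                            }
                            if ($canManage) {
                                New-Object PSObject -Property @{ Url = $web.Url; Principal = $ra.Member.Name
                                                                 Finding = "Can manage permissions ($levels)" }
                            }
                        }
                    }
                } finally {
                    $web.Dispose()
                }
            }
        } finally {
            $site.Dispose()
        }
    }
}

Get-SPPermissionFindings | Export-Csv 'C:\Temp\sp-permission-findings.csv' -NoTypeInformation   # assumed path
```

Testing for the ManagePermissions bit rather than the name "Full Control" also catches custom permission levels a previous vendor created that are Full Control in everything but name; those are the ones a manual review of the permissions page tends to miss.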
26. Wave 5 – Service Accounts
• Create an ID inventory file (Excel) with both old and new passwords
• Stop and restart services
• Restart the server for good measure
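"Stop and restart services" after a service-account password change only works if you know which services and application pools run under that account, which is also the "identify all the services that are running" step of Wave 1. The script below is an added example, not the presenter's code; it assumes it runs locally on each SharePoint server and that the IIS WebAdministration module (IIS 7 and later) is available.

```powershell
# Added example (not the presenter's code): map Windows services and IIS application pools to the
# account they run as, update the stored logon password for one account, and restart just those.
# Assumes local execution on each server and the IIS WebAdministration module.
Import-Module WebAdministration

$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
             'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')

function Get-ServiceAccountUsage {
    # Windows services whose logon account is a real (domain or local) identity
    Get-WmiObject Win32_Service |
        Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
        ForEach-Object {
            New-Object PSObject -Property @{ Kind = 'Service'; Name = $_.Name; Account = $_.StartName; State = $_.State }
        }
    # IIS application pools configured with a specific user rather than ApplicationPoolIdentity
    Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
        ForEach-Object {
            New-Object PSObject -Property @{ Kind = 'AppPool'; Name = $_.Name; Account = $_.processModel.userName; State = $_.state }
        }
}

function Set-ServiceLogonPassword {
    # Win32_Service.Change takes the new password as its 8th positional argument; $null leaves the rest unchanged
    param([Parameter(Mandatory=$true)][string]$Account, [Parameter(Mandatory=$true)][string]$NewPassword)
    Get-WmiObject Win32_Service | Where-Object { $_.StartName -ieq $Account } | ForEach-Object {
        $rc = $_.Change($null, $null, $null, $null, $null, $null, $null, $NewPassword)
        New-Object PSObject -Property @{ Service = $_.Name; ReturnValue = $rc.ReturnValue }   # 0 means success
    }
}

function Restart-ByAccount {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Account)
    foreach ($item in (Get-ServiceAccountUsage | Where-Object { $_.Account -ieq $Account })) {
        if ($PSCmdlet.ShouldProcess("$($item.Kind) $($item.Name)", 'Restart')) {
            if ($item.Kind -eq 'Service') { Restart-Service -Name $item.Name -Force }
            else                          { Restart-WebAppPool -Name $item.Name }
        }
    }
}

# Usage (placeholder account): inventory first, then rotate and restart.
# Get-ServiceAccountUsage | Sort-Object Account | Format-Table Account, Kind, Name, State -AutoSize
# Restart-ByAccount -Account 'CORP\sp_svc' -WhatIf
```

Account names are not normalised (CORP\sp_svc and sp_svc@corp.example are the same identity), so compare the inventory by eye before trusting the filter. Accounts that SharePoint itself registered as managed accounts should instead be updated with Set-SPManagedAccount after the AD change, so the farm pushes the new password into the pools and services it owns; this script is for everything the farm does not manage, such as SSRS and custom services.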
27. Wave 6 – Firewall account
• Because IP addresses of the boxes could have been made public…
• and they were… therefore you could get to the box with no VPN
• Use the netstat command to see which ports are listening
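The netstat check on slide 27 is more useful as a report of what is listening on every interface, owned by which process, and whether the firewall is meant to publish it. The function below is an added example and not the presenter's code; the $Expected allow-list is an assumption to replace with the ports your firewall rules actually publish.

```powershell
# Added example (not the presenter's code): list listening TCP ports with their owning process and
# flag those bound to all interfaces that are not on the expected allow-list.
function Get-ListeningPorts {
    param([int[]]$Expected = @(80, 443, 3389))   # assumed allow-list; set to what the firewall publishes
    $names = @{}
    Get-Process | ForEach-Object { $names[[int]$_.Id] = $_.ProcessName }

    netstat -ano -p tcp | ForEach-Object {
        # Example line:  TCP    0.0.0.0:80    0.0.0.0:0    LISTENING    4
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $addr   = $matches[1]
            $port   = [int]$matches[2]
            $procId = [int]$matches[3]
            $proc   = 'pid ' + $procId
            if ($names.ContainsKey($procId)) { $proc = $names[$procId] }
            # 0.0.0.0 (IPv4) and [::] (IPv6) mean "every interface", including the public one
            $allIfaces = ($addr -eq '0.0.0.0') -or ($addr -eq '[::]')
            New-Object PSObject -Property @{
                Address = $addr
                Port    = $port
                Process = $proc
                Exposed = $allIfaces -and ($Expected -notcontains $port)
            }
        }
    }
}

# Typical findings on a SharePoint box: SQL (1433), SSRS and Central Admin listening on every interface.
Get-ListeningPorts | Where-Object { $_.Exposed } | Sort-Object Port | Format-Table Port, Address, Process -AutoSize
```

Run it on every server, not just the web front end; the database server and the Central Admin host are the ones a hosted environment most often leaves reachable. netstat is used rather than Get-NetTCPConnection because the latter is not available on the Windows Server 2008 R2 hosts a SharePoint 2010 farm typically runs on.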
34. Wave 7 – Workflow
• Impersonation steps
• Create a workflow AD account. It needs to be a site collection administrator
35. Wave 7 – Workflow
• Hard-coded email addresses
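Hard-coded email addresses in workflows (slide 35) and the hard-coded IDs and passwords "everywhere" from slide 12 are found the same way: a pattern sweep over the files the farm and its custom code leave on disk. The function below is an added example and not the presenter's code; the default paths are the SharePoint 2010 defaults (the "14" hive and the IIS virtual directories) and should be extended to wherever the vendor's source and SSRS reports live.

```powershell
# Added example (not the presenter's code): sweep configuration, workflow, page and report files for
# hard-coded passwords, connection strings and email addresses. Secrets are redacted in the report.
function Find-HardCodedValues {
    param(
        [string[]]$Paths = @('C:\inetpub\wwwroot\wss\VirtualDirectories',
                             'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE'),
        [string[]]$Include = @('*.config', '*.xoml', '*.rules', '*.aspx', '*.ascx', '*.cs', '*.xml', '*.rdl', '*.ps1', '*.bat')
    )
    $patterns = @{
        'Password'         = '(?i)\b(password|pwd)\s*=\s*["'']?[^"'';\s<]{3,}'
        'ConnectionString' = '(?i)connectionString\s*=\s*["''][^"'']+'
        'EmailAddress'     = '(?i)\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b'
    }
    Get-ChildItem -Path $Paths -Recurse -Include $Include -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        foreach ($kind in $patterns.Keys) {
            Select-String -Path $file -Pattern $patterns[$kind] -AllMatches | ForEach-Object {
                foreach ($m in $_.Matches) {
                    # Keep the key name for secrets, never the value, so the report itself is safe to share
                    $value = $m.Value
                    if ($kind -ne 'EmailAddress') { $value = ($m.Value -split '=')[0].Trim() + '=<redacted>' }
                    New-Object PSObject -Property @{ File = $file; Line = $_.LineNumber; Kind = $kind; Value = $value }
                }
            }
        }
    }
}

Find-HardCodedValues | Sort-Object Kind, File | Export-Csv 'C:\Temp\hard-coded-values.csv' -NoTypeInformation   # assumed path
```

The email hits tell you which workflows and reports will silently stop notifying anyone once the old vendor's mailboxes are gone, and the password hits are the list of places that break when Wave 5 rotates the service accounts, which is exactly why slide 23 says not to delete the old vendor ID yet.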
36. Wave 8- SP Security trimming
Central Admin
Internal IP address
Only accessible via RDP login
37. Wave 9- Quick Sweep
Check the Service accounts
Logging
38. Wave 10 – Continued
Add in tracking into the masterpage:
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-4669498-5', 'onecallcm.com');
ga('send', 'pageview');
</script>
41. Wave 10+ – Final bit of advice to client
• Buy password security software
• Stores IDs and passwords
• Audit log of who’s accessing IDs
IT loved this