So you’ve inherited a SharePoint environment and need it secure, ASAP. The talk explains how to do this in a methodical way, to address all the levels of SharePoint security. This is ideal for the SharePoint administrator who needs to address the server security realm and the security officer who needs to understand SharePoint security.

1. 10 points to make a rogue
SharePoint environment
really, really secure..
Presented By Peter Ward – September 20th
2014
w- www.sohodragon.com
c- 862 220 6080
b-www.wardpeter.com

2. New Jersey SharePoint user group
• Different SharePoint discussions
each month on various topics.
Announced on meetup.com
• Meets 4th Tuesday of every
month
• 6pm – 8pm
• Microsoft Office (MetroPark)
• 101 Wood Ave, Iselin, NJ 08830
• http://www.njspug.com

3. Thank You Event
Sponsors
• Diamond & Platinum sponsors have tables
here in the Fireside Lounge
• Please visit them and inquire about their
products & services
• Also to be eligible for prizes make sure to
get your bingo card stamped

4. Agenda
• Context of the presentation
• Where to start?
• Understanding security permissions and how to apply it
• Create a methodology
• How to avoid data leaks
• Show user activity on all levels
• Creating a game plan

5. Green dot
This indicates an important point

6. Before We Begin
• Q&A – We will have time at the end of the presentation for questions….
But I encourage you to interrupt me and ask
• A copy of this presentation is on my blog

7. Reminder slide
• A copy of this presentation is on my blog
www.wardpeter.com
This means you only need to watch.
There is no need to take notes

9. Context of the presentation
This SharePoint
needs to work
Summary
 2 days to take ownership
 Only Prod environment
 No Dev.
 Rogue former vendor team

10. Takeaways
• Understanding ownership steps
• Confidently applying security
• The little things really matter
• Process and communication is key
• Learn how to refactor an environment
• Good example of reality
SharePoint security planning
Learn learnt: Technology problems aren’t always technology problems

11. Audience
Networking FolksSharePoint Folks
Networking steps
SharePoint steps
Networking steps
SharePoint steps

12. The inherited environment
• Hosted environment
• SharePoint 2010 Enterprise
• 3 months of undocumented code and environment.
• No Visio diagrams
• Hard coded ID and passwords everywhere… and I mean everywhere
• A few URL’s a Service Account ID and password
• SQL Server Reporting Services
• Oh I forgot:
• Can’t use 3rd party tools to run audits of security
• Internal IT department has no real understanding how SharePoint works or what was
deployed or developed

13. Where to start
• Understand SharePoint security
• Business processes
• Create a methodology

14. Understanding security accounts
and how to apply it
Domain
• Active Directory Groups…. Not distribution
• Domain services- Exchange, IIS
Server
• Boxes
SharePoint
• Site Collections
• Sites
• SharePoint groups
Demarcation of
responsibility
Service accounts

15. Business Processes
Talk to end users face to face
Understand their language:
 What they think SharePoint actually is
 A list is a report
 Alert is an email
What, why, when, who

16. Now we can start

17. Create a methodology
Wave 1 Wave 2 Wave 3 Wave 4 Wave 5 Wave 6 Wave 7 Wave 8 Wave 9
Wave
10

18. Wave 1 – Kick off
 Back up the server .. Make sure this is SQL. Ask how long back ups are kept
 Ask for a back up.. To test the internal IT
 Restoring env.
 Notify the user base what is going on and in the communication have a team
member’s email and direct phone number
 Identify all the services are running
 Reboot the servers
 Enforce a change log- SharePoint list. Set up alerts to your team
Key wins:
 Immediately know if services stop… and are not related to the password changes
 Any problems you can blame the previous vendor on the morning you start

19. Wave 2 – Start documentation
• Technical inventory of the following:
• SharePoint, edition, SQL version
• InfoPath- purpose, template location
• Server box names
• Obtain/ create system accounts and password and purpose
• Server boxes
• Architectural diagram
• Env..
• SharePoint collections
• Central Admin
• Installed web parts

20. Wave 2 – continued-
Ask questions
• What’s the source code control? This should be reviewed
• Is there a DR plan for SQL db’s
• Is there a DR plan for SharePoint
• Report names and their purpose
• Understand the integration points

21. Now you need to break ground

22. Wave 3 – Removing access
• VPN access- remove
• Service accounts
• Vendor ids
• Remote access to boxes
• SharePoint env.
• Site collection administrators

23. Wave 4 – Users
• Reset all users passwords in PowerShell
• Ed Wilson and Craig Liebendorfer, Scripting Guys
• Don’t delete the old vendor ID yet. Because they are in code and
workflow

24. Wave 4 – disable unused accounts
• Wait a week for things to settle down
• Note disable.. Not delete

25. Wave- 4 SharePoint permissions
• Do’s
• Use Groups – Either AD or SharePoint
•Don’ts
• Not everyone needs to be Site Collection Admin
• Or Full Control

26. Wave 5 – Service Accounts
• Create a ID inventory file (Excel) with both old and new password
• Stop and restart services
• Restart server for good measure

27. Wave 6 – Firewall account
• Because there could be IP addresses of the boxes made public.
• and there was… therefore you could get to the box, with no VPN
• Use Netstat command to listen to traffic on the ports Link

28. Tea break
• Questions if you want.

29. Wave 6 – Network Traffic

30. Wave 6 – Network Traffic
• Port 443 secure https
• Port 80 Unsure

31. Think again
Think old vendor is locked out…….

32. Wave 7 – Email
• Change emails in AD
• Redirection capture - DNS

33. Wave 7 – Email
• Email forwarding

34. Wave 7 – Workflow
• Impersonation Steps
Create a workflow AD account . Needs to be a site collection administrator

35. Wave 7 – Workflow
• Hard coded email addresses

36. Wave 8- SP Security trimming
 Central Admin
 Internal IP address
 Only accessible via RDP login

37. Wave 9- Quick Sweep
 Check the Service accounts
 Logging

38. Wave 10- Continued
 Add in tracking into the masterpage:
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsOb
ject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1
*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.sr
c=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-
analytics.com/analytics.js','ga');
ga('create', 'UA-4669498-5',
'onecallcm.com');
ga('send', 'pageview');
</script>

41. Wave 10+- Final bit of advice
to client
• Buy password security software
• Stores IDs and passwords
• Audit log of who’s accessing IDs
IT loved this

42. Final bit of advice. Be aware
• Click here

43. This is the end.
This is the part of the presentation when people should clap and cheer

44. Questions?
• e-pw@sohodragon.com
• w-www.sohodragon.com
• b-www.wardpeter.com
• c- 862 220 6080