Securing the SharePoint Platform
Presentation titled "Securing the SharePoint Platform" presented by Bert Johnson at SharePoint Saturday Chicago

  • [2 minutes] “Application platform” includes custom development, Project Server, SAP Duet, FAST Search, TFS.
  • [2 minutes] On one of my first SharePoint assessments, a major firm I was working with had no idea how much data or what kinds of data they had, how many users they had, or how permissions were configured. They estimated a couple thousand people had access to SharePoint. It turned out over 22,000 did.
  • [3 minutes] The farm configuration wizard creates some security gaps by default.
  • [5 minutes] Unless the site lockdown feature is activated, standard SharePoint endpoints remain reachable, making data discovery easy: /Forms/AllItems.aspx, /_layouts/viewlsts.aspx, /_vti_bin/sites.asmx.
  • [2 minutes] SharePoint people search results have no form of security trimming. If a user can see any people results, they can see them all.
  • [2 minutes] Too often, SharePoint site owners rely on obfuscation or audience targeting to try to secure content.
  • [3 minutes] Any party who can manipulate SharePoint’s HTML directly or impersonate third-party JavaScript can compromise the site.
  • [2 minutes] The InfoPath Forms Services web service proxy caches credentials, allowing subsequent users to impersonate preceding users if it is accessed directly.
  • [3 minutes] SharePoint Designer backups are exported to the root of your SharePoint site as unencrypted CMP packages.
  • [3 minutes] SharePoint 2010 added a new header called X-HealthScore for preventing Office client abuse. On public sites, it advertises server load. All SharePoint versions reveal their version number in a header by default.
  • [4 minutes] Malicious JavaScript can be used to manipulate data when another user runs it.
  • [2 minutes] MOSS 2007 builds older than August 2009 have an XSS bug in the help pages that allows arbitrary script injection.
  • Securing the SharePoint Platform

    1. Securing the SharePoint Platform
       Bert Johnson, SharePoint Architect and MCM, PointBridge
    2. Bert Johnson
       • SharePoint Architect with PointBridge Solutions
       • Microsoft Certified Master – SharePoint Server 2010
       • Twitter: @SPBert   Event Hashtag: #SPSChicago
       • Email:
       • Blog:
    3. About PointBridge
       By The Numbers:
       • Founded in 2004
       • 250+ SharePoint projects
       • 350,000+ hours of SharePoint experience
       • 30,000+ monthly blog hits
       • 2010 Microsoft Midwest District Award for Best Customer Experience
       • 2009 Microsoft Central US Partner of the Year
       • 2009 SharePoint Conference Award: Multi-Solution Capability
       • 2008 Global Partner of the Year finalist: Citizenship
       • 2007 Microsoft US Partner of the Year: SharePoint
       • One of 35 Microsoft National Systems Integrators
       • One of 15 members of Microsoft Partner Advisory Council for SharePoint
    4. Agenda
       • The Importance of SharePoint Security
       • Facets of SharePoint Security
       • Resources
       • Q & A
    5. The Importance of SharePoint Security
    6. What is SharePoint?
       SharePoint is:
       • “A site-provisioning engine”
       No really, SharePoint is:
       • A website
       • A series of databases
       • An application platform
       SharePoint touches:
       • Your network
       • Your Active Directory
       • Your LOB systems
       SharePoint is a platform with a large attack surface.
    7. SharePoint is Everywhere
       • Over 20,000 new SharePoint seats have been added every day for 5 years
       • Over 1,500 high-profile websites on SharePoint
       • SharePoint is becoming increasingly “business critical”
       • SharePoint is commonly used for:
         – Intranets
         – Extranets
         – Internet sites
         – Application platforms
    8. Types of Security Threats
       Threats we’re going to explore today:
       • Data disclosure / theft
       • Data loss
       • System downtime
       Types of attacks:
       • Cross-site scripting (XSS)
       • Cross-site request forgery (CSRF)
       • Clickjacking
       • Privilege escalation
       • “Man in the middle” / replay attacks
       • SQL injection
       If it’s a threat to other websites or databases, it’s a threat to SharePoint.
    9. Software Security in the News
       • March 17 – RSA SecurID Compromised
       • March 24 – Comodo Security Breach
       • April 4 – Epsilon Data Leak
       • April 12 – Largest Microsoft Patch Tuesday
       • April 20 – PlayStation Network Hack
       • May 30 – LulzSec (PBS, Sony, NHS, etc.)
       • June 9 – Citigroup Accounts Accessed
       * Concise history of recent Sony hacks
    10. Facets of SharePoint Security
    11. Example: They keep piling up!
    12. Planning for Security
    13. Planning for Security
       • Plan personas and define permission matrices
       • Understand content and security contexts
       • Determine authentication, SSO, and federation goals
       • Use the SharePoint 2010 upgrade as an opportunity to apply governance
       • Don’t expect the default settings to protect you
    14. Example: How’d you build that?
    15. Anonymous Access
       • Carefully decide if SharePoint is the right platform for anonymous access
       • Especially consider implications for public blogs and wikis
       • Always use the site lockdown feature: “Get-SPFeature ViewFormPagesLockDown”
       • Further restrict pages using web.config or UAG
       • Add SharePoint to your website security testing
       • Don’t lock out the /_layouts path altogether
    16. Example: I don’t think we’ve met…
    17. Authentication and Directory Security
       • Synchronize only the AD users relevant for social features
       • Don’t bring confidential information into user profiles
       • Understand the impacts of third-party federation
       • Track and block rogue SharePoint installations with “Service Connection Points”
       • Develop a password change / managed account strategy
    18. Example: Private audience?
    19. Content Security
       • Audiences are not security
       • Search content rollups make bypassing audiences simple
       • Item-level permissions / broken permission inheritance should be the exception, not the rule
       • Avoid using policies to override permissions
       • PDFs = Pretty Dangerous Files
       • Consider Information Rights Management and auditing
    20. Example: The man in the middle…
    21. Network Security
       • Always use SSL for authenticated access
       • Firewall all nonessential public ports
       • Host all servers on the same VLAN
       • Use IPsec for geo-distributed communication
       • Be aware of “loopback check” implications
    22. Network Security
    23. Example: I’m with him…
    24. Application Security
       • Never expose SharePoint’s application tier to the internet
       • Don’t host Central Administration on a web front-end
       • Isolate service accounts and use standard naming conventions
       • Use multiple IIS application pools (but not too many)
       • Never use CNAMEs
    25. Example: Thanks for the backup!
    26. Database Security
       • Isolate SharePoint databases from other systems
       • Minimize the SQL surface area by disabling unneeded features
       • Consider SQL 2008 “Transparent Data Encryption”
         – Performance impact, backup size impact, and FILESTREAM impacts
       • Don’t leave SharePoint backups within the content database or on web front-ends
    27. Example: Your health is showing.
    28. Connected System Security
       • Remove the X-HealthScore, MicrosoftSharePointTeamServices, and other identifying headers
       • Leverage the Secure Store Service for safely accessing external systems via BCS
       • Avoid reliance on Flash content
       • Consider Forefront UAG endpoint security
       • Set policies regarding data being stored offline
    29. Example: Could you do this for me?
    30. Custom Development Security
       • Build security testing into the SDLC for all custom and third-party components
       • Take advantage of CAS policies and the ULS logs
       • Utilize sandboxed solutions whenever possible
       • Minimize use of RunWithElevatedPrivileges()
       • With SharePoint 2010, JavaScript is now the biggest threat
    31. Example: You don’t want this help…
    32. Security Maintenance and Monitoring
       • If running WSS/MOSS, patch to the October 2010 CU or install MS10-039
       • Keep SharePoint, Windows, and SQL patched to the latest service packs
       • Deploy server-side virus protection
       • Use System Center Operations Manager with SharePoint health rules to monitor for performance spikes or errors related to attacks
       • Build security assessments and spot checks into other SharePoint maintenance plans
       • Familiarize yourself with “Site Permissions > Check Permissions”
    33. Resources
    34. Resources
       • Downloadable book: Security for Office SharePoint Server 2007
       • Locking down Office SharePoint Server sites
       • Plan for and design security
       • Bert Johnson security blogs
    35. Q & A
    36. Bert Johnson
       • SharePoint Architect with PointBridge Solutions
       • Microsoft Certified Master – SharePoint Server 2010
       • Twitter: @SPBert   Event Hashtag: #SPSChicago
       • Email:
       • Blog:
    37. Housekeeping
       • Please remember to submit your session evaluation forms after each session you attend to increase your chances at the raffle
       • Follow SharePoint Saturday Chicago on Twitter @spschicago and hashtag #spschicago
    38. Thanks to Our Sponsors!
       • Premier
       • Gold
       • Silver
       • Bronze
       Sponsors
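The site lockdown feature from the Anonymous Access slide (slide 15) is the control that closes the /Forms/AllItems.aspx, /_layouts/viewlsts.aspx and similar pages to anonymous visitors. The script below is an added example, not code from the deck or from PointBridge: it walks every site collection in one web application, enables ViewFormPagesLockDown where it is missing, and reports what it found. It assumes the SharePoint 2010 Management Shell snap-in, farm administrator rights, and a placeholder web application URL.

```powershell
# Added example (not from the presentation). Enable the ViewFormPagesLockDown
# feature on every site collection of one web application and report the result.
# Assumes the SharePoint 2010 PowerShell snap-in and farm admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder: replace with the anonymous-facing web application you are hardening.
$WebAppUrl = "http://public.example.com"

$webApp   = Get-SPWebApplication $WebAppUrl
# Farm-scoped lookup of the feature definition; the feature name is the one from slide 15.
$lockdown = Get-SPFeature -Identity ViewFormPagesLockDown

$report = @()
foreach ($site in $webApp.Sites) {
    try {
        # Get-SPFeature -Site lists only features currently active on that site collection.
        $active = Get-SPFeature -Site $site.Url | Where-Object { $_.Id -eq $lockdown.Id }
        if ($active) {
            $state = "already-locked-down"
        } else {
            Enable-SPFeature -Identity $lockdown.Id -Url $site.Url
            $state = "lockdown-enabled"
        }
        $report += New-Object PSObject -Property @{ Url = $site.Url; State = $state }
    } finally {
        # SPSite objects hold unmanaged resources; always dispose them.
        $site.Dispose()
    }
}

# Sites that were changed need anonymous access toggled off and on again before the
# new limited-access permissions apply (see the "Locking down" resource on slide 34).
$report | Sort-Object State | Format-Table Url, State -AutoSize
```

Run it from an elevated SharePoint 2010 Management Shell; re-check the three endpoints from the speaker notes anonymously afterwards to confirm they now require authentication.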