1. SharePoint Securing
Strategy
University of North Carolina
2012 SharePoint Security Strategy
2. Agenda
Introductions
The Importance of SharePoint Security
Facets of SharePoint Security
Resources
Plan and strategy
Q&A
3. What is SharePoint?
Goal
To create a Secure SharePoint Environment that will allow SharePoint to be used as a
medium for collaboration
SharePoint is:
“A Site-provisioning engine”
A website
A series of databases
An application platform
An Integration possibility
SharePoint touches, or can touch:
Your network
Your Active Directory
Your LOB Systems
Your Organization as a whole
SharePoint is a platform with a large attack surface
4. What are your Next Steps
What needs/should be done:
Secure the sites as dictated by Best Practices and Policies
Eliminate some of the vagueness in the SharePoint Security Policy and expand it
All Departments/Schools need to go through the SharePoint Security Hardening process
More intuitive provisioning process for Sites/Users/AD/OUs
Implement Technology solutions as indicated
• Guest ID Management, UAG, Threat Management
3rd Party solutions for overall Auditing/reporting/compliance
Review Department by Department (internally/externally)
• Audit and Assess to make sure best practices are put in place for Security and Risks
Put a project Plan or Strategy plan in place
Have individuals take ownership
Create Security Classification and Metadata Policy for whole UNC Secured SharePoint Site
Create Workflow and Approval process
Turn on audits and manage as dictated
Develop and conduct Training/Education
Implement overall User Experience
Review what is available in current environment and check for any sensitive data/content
Review and optimize where applicable
• Index, Search, Cache, Installed Components
Upgrade and Update F5
Cost should be defined
People
Technology
Process
Your Organization as a whole
5. SharePoint is Everywhere
Over 20,000 new SharePoint seats have been added every day for 5 years
Over 1,500 high profile websites on SharePoint
SharePoint is becoming increasingly “organizational critical”
It is as great as you want to make it
Many Universities are using SharePoint as a collaboration mechanism
SharePoint is commonly used, and can be used, for
Intranets
Extranets
Internet Sites
Application platforms
UNC SharePoint sites do not have to be UGLY
6. How can you do this
Choose SharePoint
This phase involves deciding what is best to deploy: securing your current
SharePoint farms, incorporating Office 365, or having another separate SharePoint farm
for sensitive or non-sensitive content. Once this is decided you should have a strategy
Third Party Solutions or assistance
Look at best practices, look at cost savings where you can get the biggest ROI, don’t try to
re-invent where it will cost UNC more development and more money in the long run with less
ROI
Pre-Deployment Planning
Focus on everything required to prepare for the migration of content
Deployment
If you do the above make sure that you communicate, train and define policies and
procedures
Post Deployment
Make sure that you adopt and evangelize, and consider widespread adoption
7. University of Chicago
Various Related Links:
Security and Best Practices
8. University of Denver Colorado
Various Related Links:
Policies
Service Requests
Procedures
9. University of Akron
Various Related Links:
SharePoint Advice
14. Types of Security Threats
Threats we’re going to explore today:
Data disclosure / theft
Data loss
System downtime
Types of attacks:
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Clickjacking
Privilege escalation
“Man in the middle” / replay attacks
SQL injection
If it’s a threat to other websites or databases, it’s a threat to
SharePoint
17. Plan UNC Security
Plan personas and define permission matrices
Understand content and security contexts
Determine authentication, SSO, and federation goals
Use the SharePoint 2013 upgrade as an opportunity to apply
governance in a new platform
SharePoint RTM release is December 2012
Don’t expect the default settings to protect you
Set up Kerberos
Use Edge Servers
Continue to validate and check again and then check again
18. Anonymous Access
Carefully decide if SharePoint is the right platform for anonymous access
Especially consider implications for public blogs and wikis
Consider what you want for public facing information
Always use the site lockdown feature
“Get-SPFeature viewformpageslockdown”
Further restrict pages using web.config and Edge Servers
E.g. Unified Access Gateway
Add SharePoint to your website security testing
Provide policy statements for external collaboration
Consider using Third Party tools
Don’t lock out the /_layouts path altogether
Define Security Policies, make sure that they are not vague, and map them
accordingly
Feature, WebParts, Solution, Documents, Records
If you want to have an unsecured area, consider
Office 365
Separate Farm
19. Authentication and Directory Security
Synchronize only the AD users relevant for social features
Don’t bring confidential information into user profiles
Understand the impacts of third-party federation
Track and block rogue SharePoint installations with “Service
Connection Points”
Develop a password change / managed account strategy
Enterprise SharePoint people search results have no form of
security trimming.
If a user can see any people results, they can see them all.
Use FAST Search to incorporate a more robust security model and a more robust
experience
Don’t allow SharePoint site owners to rely on obfuscation or audience
targeting to try and secure content.
20. Content Security
Audiences are not security
Search content rollups make bypassing audiences simple
Item-level permissions / broken permission inheritance should be the
exception, not the rule
Avoid using policies to override permissions
PDFs = Pretty Dangerous Files
They should be managed and rules should be defined
Automated PDF generation from documents, with proper security, should be considered
Consider Information Rights Management and auditing
Having the ability to scan content for sensitive data is crucial
Making sure that Users are responsible
Change Management is crucial
Training is crucial
Any party who can manipulate SharePoint’s HTML directly or
impersonate third party JavaScript can compromise the site.
This is a policy that should also be understood, and organization rules should be defined
21. Network Security
Always use SSL for authenticated access
Firewall all nonessential public ports
Host all servers on the same vLAN
Use IPSec for geo-distributed communication
Be aware of “loopback check” implications
Use GPO policies where applicable
Close ports where applicable
Update Firmware where appropriate
E.g. Routers, F5, Firewalls
23. Application Security
Never expose SharePoint’s application tier to the internet
Don’t host Central Administration on a web front-end
Isolate service accounts and use standard naming conventions
Use multiple IIS application pools (but not too many)
Never use CNAMEs
Example Security threats
InfoPath forms service web service proxy caches credentials, allowing for
subsequent users to impersonate preceding users if accessed directly
Access and Access Services in a secured SharePoint environment should use
AD rather than internal groups and permissions
Secure Store should be defined properly
Security should be managed for Features and Solutions
WebParts that are not in use should be purged
E.g. Fab 40
24. Database Security
Isolate SharePoint databases from other systems
Minimize the SQL surface area by disabling unneeded features
Consider SQL 2008 “Transparent Data Encryption”
Performance impact, backup size impact, and file stream impacts
Don’t leave SharePoint backups within the content database or on
web-front ends
Never back up using SharePoint Backup
SharePoint designer backups are exported to the root of your SharePoint site as
unencrypted CMP packages
DPM should use encrypted backups and restores, and they should be verified
Consider using SQL Server 2012 with more security possibilities
25. Connected System Security
SharePoint 2010 added a new header called X-HealthScore for
preventing Office client abuse. In public sites, it advertises server
load. All SharePoint versions reveal their version number in a
header by default.
Remove the X-HealthScore, MicrosoftSharePointTeamServices, and other
identifying headers
Leverage the Secure Store Service for safely accessing external
systems via BCS
Avoid reliance on Flash content
Consider ForeFront UAG endpoint security
Set policies regarding data being stored offline
Audit, report, assess and do it again and
Provisioning where applicable
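A check for the header advice on this slide, as an added example that is not part of the original deck: it parses a raw HTTP response and reports each header that identifies the server. The sample response is constructed, and the set of "other identifying headers" is an assumption, since the slide names only X-HealthScore and MicrosoftSharePointTeamServices.

```python
# Added example: audit a SharePoint HTTP response for identifying headers.
# SAMPLE_RESPONSE is constructed for illustration, not captured from a real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "MicrosoftSharePointTeamServices: 14.0.0.6029\r\n"
    "x-healthscore: 3\r\n"
    "SPRequestGuid: 00000000-0000-0000-0000-000000000000\r\n"
    "\r\n"
)

# Assumption: candidates for the slide's "other identifying headers".
OTHER_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                 "sprequestguid", "x-sharepointhealthscore"}
# Major build number -> product generation.
PRODUCT = {"12": "SharePoint 2007", "14": "SharePoint 2010", "15": "SharePoint 2013"}

def parse_headers(raw):
    """Return {lowercased name: value} from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive, so normalise before matching.
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """List (header, value, what it discloses) for each identifying header."""
    findings = []
    for name, value in sorted(parse_headers(raw).items()):
        if name == "microsoftsharepointteamservices":
            product = PRODUCT.get(value.split(".")[0], "unknown SharePoint version")
            findings.append((name, value, f"exact build; {product}"))
        elif name == "x-healthscore":
            findings.append((name, value, "server load score (0 = idle, 10 = overloaded)"))
        elif name in OTHER_HEADERS:
            findings.append((name, value, "platform fingerprint"))
    return findings

if __name__ == "__main__":
    for name, value, why in audit(SAMPLE_RESPONSE):
        print(f"REMOVE {name}: {value}  ({why})")
```

Run it against responses captured from the public-facing URL after each header change; an empty result means none of the listed headers is still being sent.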
26. SharePoint Gaps
SharePoint activity monitoring lacks an intuitive, easy-to-use
interface for reporting and analytics. Without a third-party solution,
businesses must first decode SharePoint’s internal representation of
log data before they can access meaningful information.
SharePoint activity auditing does not provide the ability to
automatically analyze access activity and respond with an alert or
block.
SharePoint does not include Web application firewall protection.
SharePoint enforces access controls for files using Access Control
Lists (ACLs). What makes native permissions challenging, however,
is that SharePoint lacks an automated way to ensure that ACLs
remain aligned with business needs.
28. UNC Example Farm
[Diagram: UNC example farm. Areas labelled: Secured Enterprise, Not Sensitive, Social Communities, Office 365, University of North Carolina Communities, https://share.unc.edu. Collaboration capabilities shown: Shared Calendars, Discussion Board, Blogs, Comments, Document Libraries, Podcasting, Versioning, Microblogging, Records, Wikis, Task Lists, Surveys, Tags, Profiles, Ratings.]
29. SharePoint is currently used at UNC as a collaboration platform for
internal UNC enterprise initiatives
SharePoint enables UNC to
Deliver the best productivity experience
Cut costs with a unified infrastructure
Rapidly respond to business needs
Less Dependency on other Departments
SharePoint does this by providing capabilities:
Sites, communities, content, search, insights and composites
30. Jump start UNC efforts
Get ahead of all SharePoint deployments
Implement a SharePoint governance policy
Put security requirements in place when SharePoint instances go live
Look beyond native SharePoint security features
Specify what kind of information can be put on SharePoint
Only use Features that you want to include
Train and Educate
Implement your SharePoint in Phases and iteratively
Concentrate on business-critical assets first
Start with regulated, employee, or proprietary data, and intellectual property
Streamline access to a “UNC need-to-know” level
Identify and clean up dormant users and stale data
Alert on unauthorized access
Establish a regular review cycle for dormant users, stale data, and excessive
rights
31. Plan the strategy for UNC efforts
Work with data owners to manage user access
Locate and define data/content owners
Create permission reports so data owners and stakeholders have visibility into
who can access their data
Validate with owners that access to data is legitimate
Create usage reports so owners can see who is accessing their data
Protect Web sites from external attack
Identify SharePoint Web applications that work with sensitive data
Deploy a Web application firewall to monitor and protect sensitive SharePoint
Web sites, portals, and intranets
Respond to suspicious activity such as external users accessing admin pages
Monitor with F5, UAG, and Monitoring tools
32. Refine the strategy for UNC Efforts
Enable auditing for compliance and forensics
Who owns this data?
Who accessed this data?
When and what did they access?
Have there been repeated failed login attempts?
Keep rights aligned with business needs.
Free up storage space and reduce the amount of data that must be actively
managed.
Streamline and automate regulatory compliance
Monitor, control, and respond to suspicious activity in real time
Balance the need for trust and openness with security concerns
Understand who has access to what data or, conversely, what data any given
user or group can access, and how that access was assigned or inherited.
Simplify the process of identifying where excessive access rights have been
granted, if there are dormant users, and who owns each item and document.
Help administrators and data owners establish a baseline snapshot of access
rights and conduct rights reviews.
33. Custom Development Security
Build security testing into the SDLC for all custom and third-party
components
Take advantage of CAS policies and the ULS logs
Utilize sandbox solutions whenever possible
Minimize use of RunWithElevatedPrivilege()
With SharePoint 2010, JavaScript is now the biggest threat
Silverlight is a threat
SharePoint is using HTML 5.0
Avoid fines associated with noncompliance, and data breaches
Avoid disclosing breaches for data that is lost or stolen (and which is
encrypted)
Secure sensitive information of all kinds, including trade secrets, IP,
UNC information, personnel files, healthcare records, PII, FERPA, etc.
Broaden the usage of SharePoint to include even the most sensitive
content while being assured this sensitive content is strongly protected
34. Security Maintenance and Monitoring
Keep SharePoint, Windows, and SQL patched to latest service packs
Make sure any other application that is integrated is up to date
Make sure that 3rd Party tools are up to date
Make sure a testing system is available
Deploy server-side virus protection
E.g. Forefront for Threat Management
Use it to interface with SharePoint for uploading/downloading
Use Systems Center Operations Manager with SP health rules to
monitor for performance spikes or errors related to attacks
Build security assessments and spot checks into other SharePoint
maintenance plans
Familiarize yourself with “Site Permissions > Check Permissions”
Use the best practices that were defined in your Security Strategy
Use 3rd Party tools to assist with managing this as well as auditing
35. Considerations and Summarizations
Work with each of your departments/Schools/Organization to quantify
SharePoint Investment
Use an overall User Experience
Consider 3rd Party solutions to fortify your Sensitive SharePoint
Environment
HiSoftware
Titus
Quest
Qumus
Control
Metalogix
Cipher Point
Create a pristine System and move to it with functionality
Have a Training Process in Place
Continue to update the SharePoint Security Strategy
Have Change Management Process in Place
Put a plan in Place and DO IT!
“Application platform” includes custom development, Project Server, PeopleSoft, OBIEE, FAST Search, TFS.
Review that it aligns to overall strategy
Create Center of Excellence while making sure resources and team members have a plan
Have a realistic budget to cover all costs
Outline of content requirements
Assessment of how people need SharePoint
Have an early adopter program
Implement Governance and Content Framework
University of North Carolina has assets that it is not sure of and does not really have an MDM (Master Data Management) plan, so in some cases it may not know how much data or what kinds of data UNC has, how many users UNC has or can have, how permissions were configured, or how the environment is configured or managed.
This is a diagram for a plan for your security and the steps needed to be successful
The farm configuration wizard creates some security gaps by default which is why the various documents from the stop gaps should be considered.
This is the continuous wheel needed to incorporate security for UNC, with a governance model around it. This is crucial because many of the tasks needed to secure your SharePoint environment can’t be done out of the box, so a governance strategy is pertinent.
Look how to implement and integrate with 3rd party
Owners – UNC users of SharePoint and the viewing and owners
Privacy – ensure personal PII/PHI/HIPAA/FERPA/etc. unauthorized users
Security
Metadata
Branding – look for incorrect branding that cause harm
Accessibility
Review data
Duplication
Automation
Constantly review
Define what you want to do with Search, My Sites, collaboration
Publishing standards