Securing Sharepoint platform


Published on


  • Be the first to comment

  • Be the first to like this

Securing Sharepoint platform

  1. 1. SharePoint Securing Strategy University of North Carolina 2012 SharePoint Security Strategy 1 1
  2. 2. Agenda Introductions The Importance of SharePoint Security Facets of SharePoint Security Resources Plan and strategy Q&A 2012 SharePoint Security Strategy 2
  3. 3. What is SharePoint? Goal  To create a Secure SharePoint Environment that will SharePoint to be used as a medium for collaboration SharePoint is:  “A Site-provisioning engine”  A website  A series of databases  An application platform  An Integration possibility SharePoint touches an Can touch:  Your network  Your Active Directory  Your LOB Systems  Your Organization as whole SharePoint is a platform with a large attack surface 2012 SharePoint Security Strategy 3
  4. 4. What are your Next Steps What needs/should be done:  Secure the sites as dictated by Best Practices and Policies  Eliminate and Expand some of the vagueness in SharePoint Security Policy  All Departments/Schools need to go through Security SharePoint Harding process  More intuitive provisioning process for Sites/USERs/AD/OU’s  Implement Technology solutions as indicated • Guest ID Management, UAG, Threat Management  3rd Party solutions for overall Auditing/reporting/compliancy  Review Department by Department (internally/externally) • Audit and Assess to make sure best practices are put in place for Security and Risks  Put a project Plan or Strategy plan in place  Have individuals take ownership  Create Security Classificaiton and Metadata Policy for whole UNC Secured SharePoint Site  Create Workflow and Approval process  Turn on audits and manage as dicated  Develop and conduct Training/Education  Implement overall User Experience  Review what is available in current environment and check for any sensitive data/content  Review and optimize where applicable • Index, Search, Cache, Installed Components  Upgrade and Update F5 Cost should be define  People  Technology  Process  Your Organization as whole 2012 SharePoint Security Strategy 4
  5. 5. SharePoint is Everywhere Over 20,000 new SharePoint seats have been added every day for 5 years Over 1,500 high profile websites on SharePoint SharePoint is becoming increasingly “organizational critical” It is great as you want to make it Many Universities are using SharePoint as a collaboration mechanism SharePoint is commonly and can be used for  Intranets  Extranets  Internet Sites  Application platforms UNC SharePoint sites does not have to UGLY 2012 SharePoint Security Strategy 5
  6. 6. How can you do this Choose SharePoint  This phase involves what you want that is best to deploy either to secure your current SharePoint Farms, incorporating office 365, or to have another separate SharePoint farm for sensitive or non-sensitive. Once this is decide you should have a strategy Third Party Solutions or assistance  Look at best practices, look at cost saving where you can get the Biggies ROI, don’t try to re- invent where it will cost UNC for more development more money in the long run with less ROI Pre-Deployment Planning  Focus on everything required to prepared for the migration of content Deployment  If you do the above make sure that you communicate, train and define policies and procedures Post Deployment  Make sure that you adopt and evangelize to consider widespread adoption 2012 SharePoint Security Strategy 6
  7. 7. University of Chicago Various Related Links: Security and Best Practices 2012 SharePoint Security Strategy 7
  8. 8. University of Denver Colorado Various Related Links: Policies Service Requests Procedures 2012 SharePoint Security Strategy 8
  9. 9. University of Akron Various Related Links: SharePoint Advice 2012 SharePoint Security Strategy 9
  10. 10. University of Louisville Various Related Links: 2012 SharePoint Security Strategy 10
  11. 11. Washington University (Medical base) Reference: 2012 SharePoint Security Strategy 11
  12. 12. Washington State University Reference: 2012 SharePoint Security Strategy 12
  13. 13. Edinburgh University Reference: 2012 SharePoint Security Strategy 13
  14. 14. Types of Security Threats Threats we’re going to explore today:  Data disclosure / theft  Data loss  System downtime Types of attacks:  Cross-site scripting (XSS)  Cross-site request forgery (CSRF)  Click jacking  Privilege escalation  “Man in the middle” / replay attacks  SQL injection If it’s a threat to other websites or databases, it’s a threat to SharePoint 2012 SharePoint Security Strategy 14
  15. 15. Facets ofSharePoint Security 2012 SharePoint Security Strategy 15
  16. 16. Plan for Security2012 SharePoint Security Strategy 16
  17. 17. Plan UNC Security Plan personas and define permission matrices Understand content and security contexts Determine authentication, SSO, and federation goals Use the SharePoint 2013 upgrade as an opportunity to apply governance in a new platform SharePoint RTM release is December 2012 Don’t expect the default settings to protect you Set up Kerberos Use Edge Servers Continue to validate and check again and thank heck again 2012 SharePoint Security Strategy 17
  18. 18. Anonymous Access Carefully decide if SharePoint is the right platform for anonymous access  Especially consider implications for public blogs and wikis  Consider what you want for public facing information Always use the site lockdown feature  “Get-SPFeature viewformpageslockdown” Further restrict pages using web.config a Edge Servers  E.g. Unified Access Gateway Add SharePoint to your website security testing Provide policy statements for external collaboration  Consider using Third Party tools Don’t lock out the /_layouts path altogether Define Security Policies and to make sure that it not Vague and map them accordingly  Feature, WebParts, Solution, Documents, Records If want to have Unsecured area consider  Office 365  Separate Farm 2012 SharePoint Security Strategy 18
  19. 19. Authentication and Directory Security Synchronize only the AD users relevant for social features Don’t bring confidential information into user profiles Understand the impacts of third-party federation Track and block rogue SharePoint installations with “Service Connection Points” Develop a password change / managed account strategy Enterprise SharePoint people search results have no form of security trimming.  If a user can see any people results, they can see them all.  Use Fast Search to incorporate a more Robust security model and Robust Experience Don’t allow SharePoint site owners rely on obfuscation or audience targeting to try and secure content. 2012 SharePoint Security Strategy 19
  20. 20. Content Security Audiences are not security  Search content rollups make bypassing audiences simple Item-level permissions / broken permission inheritance should be the exception, not the rule Avoid using policies to override permissions PDFs = Pretty Dangerous Files  The should be managed and rules should be defined  Automated PDF from document with proper security should be considered Consider Information Rights Management and auditing Having the ability to scan content for sensitive data is crucial Making sure that Users are responsible Change Management is crucial Training is crucial Any party who can manipulate SharePoint’s HTML directly or impersonate third party JavaScript can compromise the site.  This is policy that should also be understood and organization rules should be defined 2012 SharePoint Security Strategy 20
  21. 21. Network Security Always use SSL for authenticated access Firewall all nonessential public ports Host all servers on the same vLAN Use IPSec for geo-distributed communication Be aware of “loopback check” implications Use GPO policies where applicable Close ports where applicable Update Firmware where appropriate  E.g. Routers, F5, Firewalls 2012 SharePoint Security Strategy 21
  22. 22. Network Security2012 SharePoint Security Strategy 22
  23. 23. Application Security Never expose SharePoint’s application tier to the internet Don’t host Central Administration on a web front-end Isolate service accounts and use standard naming conventions Use multiple IIS application pools (but not too many) Never use Cnames Example Security threats  InfoPath forms service web service proxy caches credentials, allowing for subsequent users to impersonate preceding users if accessed directly  Using Access and access services in secured SharePoint environment should use AD rather than internal groups and permissions  Secure Store should be defined properly Security should be managed for Features and Solutions WebParts that are not in use should be purged  E.g. Fab 40 2012 SharePoint Security Strategy 23
  24. 24. Database Security Isolate SharePoint databases from other systems Minimize the SQL surface area by disabling unneeded features Consider SQL 2008 “Transparent Data Encryption”  Performance impact, backup size impact, and file stream impacts Don’t leave SharePoint backups within the content database or on web-front ends Never Backup using Sharepoint Backup  SharePoint designer backups are exported to the root of your SharePoint site as unencrypted CMP packages DPM should use encrypted backups and restores and verified Consider using SQL server 2012 with more security possibilities 2012 SharePoint Security Strategy 24
  25. 25. Connected System Security SharePoint 2010 added a new header called X-HealthScore for preventing Office client abuse. In public sites, it advertises server load. All SharePoint versions reveal their version number in a header by default.  Remove the X-HealthScore, MicrosoftSharePointTeamServices, and other identifying headers Leverage the Secure Store Service for safely accessing external systems via BCS Avoid reliance on Flash content Consider ForeFront UAG endpoint security Set policies regarding data being stored offline Audit, Report, asses and do it again and Provisioning where applicable 2012 SharePoint Security Strategy 25
  26. 26. SharePoint Gaps SharePoint activity monitoring lacks an intuitive, easy-to-use interface for reporting and analytics. Without a third-party solution, businesses must first decode SharePoint’s internal representation of log data before they can access meaningful information. SharePoint activity auditing does not provide the ability to automatically analyze access activity and respond with an alert or block. SharePoint does not include Web application firewall protection. SharePoint enforces access controls for files using Access Control Lists (ACLs). What makes native permissions challenging, however, is that SharePoint lacks an automated way to ensure that ACLs remain aligned with business needs. 2012 SharePoint Security Strategy 26
  27. 27. Security Data Governance Model 2012 SharePoint Security Strategy 27
  28. 28. UNC Example Farm Shared CalendarsDiscussion Board Blogs Comments Document Libraries Podcasting Versioning Microblogging Records Wikis Task Lists Surveys Tags Profiles Ratings Secured Enterprise Not Sensitive Social Communities Collaboration capabilities Office 365 University of North Carolina Communities 2012 SharePoint Security Strategy 28
  29. 29.  SharePoint is currently used at UNC as collaboration platform for the Internal UNC initiatives enterprise SharePoint enables UNC to  Deliver the best productivity experience  Cut costs with a unified infrastructure  Rapidly respond to business needs  Less Dependency on other Departments SharePoint does this by providing capabilities  Sites, communities, content, search, insights and composites 2012 SharePoint Security Strategy 29
  30. 30. Jump start UNC efforts Get ahead of all SharePoint deployments  Implement a SharePoint governance policy  Put security requirements in place when SharePoint instances go live  Look beyond native SharePoint security features  Specify what kind of information can be put on SharePoint  Only use Features that you want include  Train and Educate  Implement your SharePoint in Phases and iteratively Concentrate on business-critical assets first  Start with regulated, employee, or proprietary data, and intellectual property  Streamline access to a “UNC need-to-know” level  Identify and clean up dormant users and stale data  Alert on unauthorized access  Establish a regular review cycle for dormant users, stale data, and excessive rights 2012 SharePoint Security Strategy 30
  31. 31. Plan the strategy for UNC efforts Work with data owners to manage user access  Locate and define data/content owners  Create permission reports so data owners and stake holders have visibility into who can access their data  Validate with owners that access to data is legitimate  Create usage reports so owners can see who is accessing their data Protect Web sites from external attack  Identify SharePoint Web applications that work with sensitive data  Deploy a Web application firewall to monitor and protect sensitive SharePoint Web sites, portals, and intranets  Respond to suspicious activity such as external users accessing admin pages  Monitor with F5, UAG, and Monitoring tools 2012 SharePoint Security Strategy 31
  32. 32. Refine the strategy for UNC Efforts Enable auditing for compliance and forensics  Who owns this data?  Who accessed this data?  When and what did they access?  Have there been repeated failed login attempts?  Keep rights aligned with business needs.  Free up storage space and reduce the amount of data that must be actively managed.  Streamline and automate regulatory compliance  Monitor, control, and respond to suspicious activity in real time  Balance the need for trust and openness with security concerns  Understand who has access to what data or, conversely, what data any given user or group can access, and how that access was assigned or inherited.  Simplify the process of identifying where excessive access rights have been granted, if there are dormant users, and who owns each item and document.  Help administrators and data owners establish a baseline snapshot of access rights and conduct rights reviews. 2012 SharePoint Security Strategy 32
  33. 33. Custom Development Security Build security testing into the SDLC for all custom and third-party components Take advantage of CAS policies and the ULS logs Utilize sandbox solutions whenever possible Minimize use of RunWithElevatedPrivilege() With SharePoint 2010, Javascript is now the biggest threat  Silverlight is a threat SharePoint is using HTML 5.0 Avoid fines associated with noncompliance, and data breaches Avoid disclosing breaches for data that is lost or stolen (and which is encrypted) Secure sensitive information of all kinds, including trade secrets, IP, UNC information, personnel files, healthcare records, PII, FERPA, etc. Broaden the usage of SharePoint to include even the most sensitive content while being assured this sensitive content is strongly protected 2012 SharePoint Security Strategy 33
  34. 34. Security Maintenance and Monitoring Keep SharePoint, Windows, and SQL patched to latest service packs  Make sure any other application that is integrated up to date  Make sure that 3rd Party tools are up to date  Make sure a testing system is available Deploy server-side virus protection  E.g. Forefront for Threat Management  Use to interface with SharePoint for uploading/Downloading Use Systems Center Operations Manager with SP health rules to monitor for performance spikes or errors related to attacks Build security assessments and spot checks into other SharePoint maintenance plans  Familiarize self with “Site Permissions > Check Permissions”  Use the best Practices that was defined in your Security Strategy  Use 3rd Party tools to assist with managing this as well auditing 2012 SharePoint Security Strategy 34
  35. 35. Considerations and Summarizations Work with each of your departments/Schools/Organization to quantify SharePoint Investment Use an overall User Experience Consider 3rd Party solutions to fortify your Sensitive SharePoint Environment  HiSoftware  Titus  Quest  Qumus  Control  Metalogix  Cipher Point Create a pristine System and move to it with functionality Have a Training Process in Place Continue to update the Sharepoint Security Strategy Have Change Management Process in Place Put a plan in Place and DO IT! 2012 SharePoint Security Strategy 35
  36. 36. Q&A2012 SharePoint Security Strategy 36