SharePoint Security Strategy
University of North Carolina

2012 SharePoint Security Strategy
Agenda

   Introductions
   The Importance of SharePoint Security
   Facets of SharePoint Security
   Resources
   Plan and strategy
   Q&A




What is SharePoint?
 Goal
        To create a secure SharePoint environment that allows SharePoint to be used as a
         medium for collaboration

 SharePoint is:
        “A site-provisioning engine”
        A website
        A series of databases
        An application platform
        An integration point

 SharePoint touches, or can touch:
        Your network
        Your Active Directory
        Your LOB systems
        Your organization as a whole

 SharePoint is a platform with a large attack surface


What are your Next Steps?
   What needs to / should be done:
         Secure the sites as dictated by best practices and policies
         Eliminate the vagueness in the SharePoint security policy and expand it where it is silent
         All departments/schools need to go through the SharePoint security hardening process
         More intuitive provisioning process for sites, users, AD and OUs
         Implement technology solutions as indicated
              • Guest ID management, UAG, threat management
         3rd-party solutions for overall auditing, reporting and compliance
         Review department by department (internally and externally)
              • Audit and assess to make sure best practices for security and risk are in place
         Put a project plan or strategy plan in place
         Have individuals take ownership
         Create a security classification and metadata policy for the whole UNC secured SharePoint site
         Create workflow and approval processes
         Turn on audits and manage them as dictated
         Develop and conduct training/education
         Implement a consistent overall user experience
         Review what is available in the current environment and check for any sensitive data/content
         Review and optimize where applicable
              • Index, search, cache, installed components
         Upgrade and update F5

   Cost should be defined for:
         People
         Technology
         Process
         Your organization as a whole




SharePoint is Everywhere

   Over 20,000 new SharePoint seats have been added every day for 5 years
   Over 1,500 high-profile websites run on SharePoint
   SharePoint is becoming increasingly “organization critical”
   It is as good as you make it
   Many universities are using SharePoint as a collaboration mechanism

 SharePoint is commonly used for
         Intranets
         Extranets
         Internet sites
         Application platforms


 UNC SharePoint sites do not have to be ugly


How can you do this?

 Choose SharePoint
        This phase decides what is best to deploy: securing your current SharePoint farms,
         incorporating Office 365, or standing up a separate SharePoint farm for sensitive or
         non-sensitive content. Once this is decided you should have a strategy
 Third-party solutions or assistance
        Look at best practices and at cost savings where you get the biggest ROI; don’t try to
         re-invent what will cost UNC more development and more money in the long run with less
         ROI
 Pre-deployment planning
        Focus on everything required to prepare for the migration of content
 Deployment
        If you do the above, make sure that you communicate, train, and define policies and
         procedures
 Post-deployment
        Make sure that you adopt and evangelize to achieve widespread adoption




Resources (reference slides from other universities)

 University of Chicago: security and best practices
 University of Denver Colorado: policies, service requests, procedures
 University of Akron: SharePoint advice
 University of Louisville: related links
 Washington University (medical): reference
 Washington State University: reference
 Edinburgh University: reference

Types of Security Threats

 Threats we’re going to explore today:
       Data disclosure / theft
       Data loss
       System downtime

 Types of attacks:
        Cross-site scripting (XSS)
        Cross-site request forgery (CSRF)
        Clickjacking
        Privilege escalation
        “Man in the middle” / replay attacks
        SQL injection


 If it’s a threat to other websites or databases, it’s a threat to
  SharePoint

Facets of SharePoint Security

Plan for Security (diagram)

Plan UNC Security

   Plan personas and define permission matrices
   Understand content and security contexts
   Determine authentication, SSO, and federation goals
   Use the SharePoint 2013 upgrade as an opportunity to apply
    governance on a new platform
   SharePoint 2013 RTM release is December 2012
   Don’t expect the default settings to protect you
   Set up Kerberos
   Use edge servers
   Continue to validate and check again, and then check again




Anonymous Access
 Carefully decide if SharePoint is the right platform for anonymous access
         Especially consider the implications for public blogs and wikis
         Consider what you want for public-facing information
 Always use the site lockdown feature
         “Get-SPFeature ViewFormPagesLockDown” (site-collection scoped; it removes the
          “View Application Pages” and “Use Remote Interfaces” rights from Limited Access so
          anonymous users cannot browse /_layouts application pages and list form pages)
 Further restrict pages using web.config and edge servers
         E.g. Unified Access Gateway
 Add SharePoint to your website security testing
 Provide policy statements for external collaboration
         Consider using third-party tools
 Don’t lock out the /_layouts path altogether
 Define security policies, make sure they are not vague, and map them
   accordingly to:
         Features, web parts, solutions, documents, records
 If you want an unsecured area, consider
         Office 365
         A separate farm
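Added example (not from the original deck): a SharePoint Management Shell script that checks every site collection in a public web application for the lockdown feature and enables it where anonymous access is on but lockdown is not. The web application URL is an assumption. The re-toggle of the anonymous state at the end is deliberate: the feature only edits the Limited Access role definition, so anonymous grants that already exist are not re-evaluated until anonymous access is switched off and back on.

```powershell
# Added example, not part of the original deck. Run in the SharePoint
# Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://www.example.edu"   # assumed public-facing web application
$webApp = Get-SPWebApplication -Identity $webAppUrl

foreach ($site in $webApp.Sites) {
    try {
        $web       = $site.RootWeb
        $anonymous = $web.AnonymousState   # Disabled, Enabled (entire site) or On (lists only)
        $lockdown  = Get-SPFeature -Site $site -Identity ViewFormPagesLockDown -ErrorAction SilentlyContinue

        if ($anonymous -ne [Microsoft.SharePoint.SPWeb+WebAnonymousState]::Disabled -and -not $lockdown) {
            Write-Warning "$($site.Url): anonymous access is '$anonymous' but ViewFormPagesLockDown is OFF"
            Enable-SPFeature -Identity ViewFormPagesLockDown -Url $site.Url

            # Caveat: existing anonymous permissions are cached against the old
            # Limited Access definition. Toggle anonymous off and on so the new,
            # narrower rights take effect.
            $web.AnonymousState = [Microsoft.SharePoint.SPWeb+WebAnonymousState]::Disabled
            $web.Update()
            $web.AnonymousState = $anonymous
            $web.Update()
        }
        elseif ($lockdown) {
            Write-Host "$($site.Url): lockdown ON (anonymous = $anonymous)"
        }
        else {
            Write-Host "$($site.Url): no anonymous access, lockdown not needed"
        }
    }
    finally {
        $site.Dispose()
    }
}
```

After running it, browse an anonymous session to a list's AllItems.aspx and to /_layouts/viewlsts.aspx: both should now prompt for credentials while the published pages still render.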




Authentication and Directory Security

 Synchronize only the AD users relevant for social features
 Don’t bring confidential information into user profiles
 Understand the impacts of third-party federation
 Track and block rogue SharePoint installations with “Service
   Connection Points”
 Develop a password change / managed account strategy
 Enterprise SharePoint people search results have no form of
   security trimming.
        If a user can see any people results, they can see them all.
        Use FAST Search to get a more robust security model and a more robust
         experience
 Don’t allow SharePoint site owners to rely on obfuscation or audience
   targeting to try to secure content.
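Added example (not from the original deck): the tracking half of the “Service Connection Points” bullet. SharePoint setup registers an SCP under the “Microsoft SharePoint Products” container in the domain’s System container; listing those objects gives an inventory of every farm that has touched the directory. The approved server names are assumptions, and because the SCP naming and the layout of serviceBindingInformation vary by version, both are printed raw for a human to review rather than parsed. Needs the ActiveDirectory RSAT module.

```powershell
# Added example, not part of the original deck.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$container = "CN=Microsoft SharePoint Products,CN=System,$domainDN"
$approved  = @("SP2010-PROD-WFE1", "SP2013-PILOT-WFE1")   # assumed known-good servers

try {
    $scps = Get-ADObject -LDAPFilter "(objectClass=serviceConnectionPoint)" `
                         -SearchBase $container -SearchScope Subtree `
                         -Properties serviceBindingInformation, whenCreated, whenChanged
} catch {
    # The container is created by the first SharePoint setup in the domain;
    # if it is missing, nothing has registered (or the setup account lacked rights).
    Write-Host "No SCP container at $container; no farm has registered with AD."
    return
}

foreach ($scp in $scps) {
    $status = if ($approved -contains $scp.Name) { "approved" } else { "UNAPPROVED" }
    $values = @($status, $scp.Name, $scp.whenCreated, $scp.whenChanged,
                ($scp.serviceBindingInformation -join "; "))
    "{0,-10} {1,-25} created {2:yyyy-MM-dd} changed {3:yyyy-MM-dd}  {4}" -f $values
}
```

Anything reported as UNAPPROVED is a candidate rogue install to follow up on. The blocking half is a Group Policy setting rather than an SCP: the DisableInstall value under HKLM\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint makes SharePoint 2010 setup refuse to run on machines that receive it.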

Content Security
 Audiences are not security
         Search content rollups make bypassing audiences simple
 Item-level permissions / broken permission inheritance should be the
   exception, not the rule
 Avoid using web application policies to override permissions
 PDFs = Pretty Dangerous Files
         They should be managed and rules should be defined
         Automated PDF generation from documents, with proper security, should be considered
    Consider Information Rights Management and auditing
    Having the ability to scan content for sensitive data is crucial
    Make sure that users are responsible
    Change management is crucial
    Training is crucial
    Any party who can manipulate SharePoint’s HTML directly or
     impersonate third-party JavaScript can compromise the site.
         This is a policy that should also be understood, and organization rules should be defined


Network Security

   Always use SSL for authenticated access
   Firewall all nonessential public ports
   Host all servers on the same VLAN
   Use IPsec for geo-distributed communication
   Be aware of “loopback check” implications
   Use Group Policy (GPOs) where applicable
   Close ports where applicable
   Update firmware where appropriate
         E.g. routers, F5, firewalls
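Added example (not from the original deck) for the “loopback check” bullet. The loopback check makes a web front-end reject NTLM authentication to its own host headers, which breaks crawls, timer jobs and local browsing; the common fix of setting DisableLoopbackCheck=1 removes that protection for every name on the server. The script below does the narrower thing: it removes the blanket switch if present and registers only the SharePoint host names in BackConnectionHostNames. The host names are assumptions. Run elevated on each front-end.

```powershell
# Added example, not part of the original deck.
$hostNames = @("share.unc.edu", "intranet.unc.edu", "mysites.unc.edu")   # assumed

$lsaKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$msv1Key = "$lsaKey\MSV1_0"

# The blanket switch: if set to 1 the server accepts NTLM reflection to itself
# under any name. Remove it in favour of an explicit host list.
$loopback = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($loopback -and $loopback.DisableLoopbackCheck -eq 1) {
    Write-Warning "DisableLoopbackCheck=1 found; removing it and using BackConnectionHostNames instead"
    Remove-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck
}

# Merge the SharePoint names into the existing REG_MULTI_SZ value, dropping
# blanks and duplicates (Sort-Object -Unique is case-insensitive).
$existing = (Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
$merged   = @($existing) + $hostNames | Where-Object { $_ } | Sort-Object -Unique

if (-not $existing) {
    New-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -PropertyType MultiString -Value $merged | Out-Null
} else {
    Set-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -Value $merged
}

# Show the resulting list. The change takes effect after restarting IISAdmin.
(Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames).BackConnectionHostNames
```

Restart the IISAdmin service (or the server) afterwards, then confirm that a local request to each host name authenticates and that a request to the server’s bare machine name still gets the 401 the loopback check is meant to give.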




Network Security (diagram)

Application Security

   Never expose SharePoint’s application tier to the internet
   Don’t host Central Administration on a web front-end
   Isolate service accounts and use standard naming conventions
   Use multiple IIS application pools (but not too many)
   Never use CNAMEs for SharePoint hosts (use A records; CNAMEs complicate
    Kerberos SPN matching)
   Example security threats
         The InfoPath Forms Services web service proxy caches credentials, allowing
          subsequent users to impersonate preceding users if it is accessed directly
         Access and Access Services in a secured SharePoint environment should use
          AD rather than internal groups and permissions
         Secure Store should be defined properly
 Security should be managed for features and solutions
 Web parts that are not in use should be purged
         E.g. Fab 40


Database Security

 Isolate SharePoint databases from other systems
 Minimize the SQL surface area by disabling unneeded features
 Consider SQL Server 2008 “Transparent Data Encryption”
        Performance impact, backup size impact, and FILESTREAM impact (TDE does not
         encrypt FILESTREAM data, so RBS blobs stay in the clear)
 Don’t leave SharePoint backups within the content database or on
   web front-ends
 Never use SharePoint’s built-in site backups, especially SharePoint Designer, as your backup strategy
        SharePoint Designer backups are exported to the root of your SharePoint site as
         unencrypted CMP packages
 DPM backups and restores should be encrypted and verified
 Consider SQL Server 2012 for its additional security features



Connected System Security

 SharePoint 2010 added a new header, X-SharePointHealthScore, used to
   throttle Office client requests. On public sites it advertises server
   load. All SharePoint versions reveal their version number in the
   MicrosoftSharePointTeamServices header by default.
        Remove the health score, MicrosoftSharePointTeamServices, and other
         identifying headers (SharePoint’s HTTP pipeline adds these, so an IIS URL Rewrite
         outbound rule or an HTTP module is needed; web.config customHeaders only covers
         X-Powered-By and similar IIS/ASP.NET headers)
 Leverage the Secure Store Service for safely accessing external
   systems via BCS
 Avoid reliance on Flash content
 Consider Forefront UAG endpoint security
 Set policies regarding data being stored offline
 Audit, report, assess, and do it again
 Provisioning where applicable
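Added example (not from the original deck): a probe that reports which identifying headers a SharePoint URL still discloses, for use before and after the header removal. The URL is an assumption. It uses HttpWebRequest directly rather than Invoke-WebRequest because an authenticated zone answers anonymous probes with 401, which Invoke-WebRequest turns into a terminating error even though the challenge response carries exactly the headers we want to inspect. The deck names the health score header X-HealthScore; SharePoint 2010 and 2013 emit it as X-SharePointHealthScore, so both spellings are checked.

```powershell
# Added example, not part of the original deck.
$url = "https://share.unc.edu/"   # assumed
$sensitiveHeaders = @(
    "MicrosoftSharePointTeamServices",   # SharePoint build number
    "X-SharePointHealthScore",           # farm load, 0 (idle) to 10 (throttling)
    "X-HealthScore",                     # spelling used on the slide
    "X-Powered-By", "X-AspNet-Version", "Server"
)

$request = [System.Net.HttpWebRequest]::Create($url)
$request.Method = "HEAD"
$request.AllowAutoRedirect = $false
$request.UserAgent = "header-audit"

try {
    $response = $request.GetResponse()
} catch [System.Net.WebException] {
    # 401/403 responses still carry the server headers; only give up if there
    # was no HTTP response at all (DNS, TCP or TLS failure).
    $response = $_.Exception.Response
    if (-not $response) { throw }
}

$found = @()
foreach ($name in $sensitiveHeaders) {
    $value = $response.Headers[$name]
    if ($value) { $found += ("{0}: {1}" -f $name, $value) }
}
$status = [int]$response.StatusCode
$response.Close()

if ($found.Count -eq 0) {
    Write-Host "$url (HTTP $status): no identifying headers disclosed"
} else {
    Write-Warning "$url (HTTP $status) discloses:`n  $($found -join "`n  ")"
}
```

Run it from outside the farm as well as from a front-end: a reverse proxy or UAG in front of SharePoint may strip the headers for external clients while internal clients, and anyone who reaches a front-end directly, still see them.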

SharePoint Gaps

 SharePoint activity monitoring lacks an intuitive, easy-to-use
  interface for reporting and analytics. Without a third-party solution,
  businesses must first decode SharePoint’s internal representation of
  log data before they can access meaningful information.
 SharePoint activity auditing does not provide the ability to
  automatically analyze access activity and respond with an alert or
  block.
 SharePoint does not include Web application firewall protection.
 SharePoint enforces access controls for files using Access Control
  Lists (ACLs). What makes native permissions challenging, however,
  is that SharePoint lacks an automated way to ensure that ACLs
  remain aligned with business needs.



Security Data Governance Model (diagram)

UNC Example Farm (diagram)

 Secured Enterprise Collaboration capabilities (https://share.unc.edu):
        Shared calendars, discussion boards, document libraries, versioning, records,
         task lists, surveys
 Not Sensitive Social Communities (Office 365):
        Blogs, comments, podcasting, microblogging, wikis, tags, profiles, ratings

 University of North Carolina Communities

 SharePoint is currently used at UNC as the collaboration platform for
   internal UNC enterprise initiatives
 SharePoint enables UNC to
        Deliver the best productivity experience
        Cut costs with a unified infrastructure
        Rapidly respond to business needs
        Reduce dependency on other departments


 SharePoint does this by providing
   capabilities
        Sites, communities, content,
         search, insights and composites




Jump start UNC efforts

 Get ahead of all SharePoint deployments
        Implement a SharePoint governance policy
        Put security requirements in place when SharePoint instances go live
        Look beyond native SharePoint security features
        Specify what kind of information can be put on SharePoint
        Only enable the features you intend to use
        Train and educate
        Implement your SharePoint in phases and iteratively
 Concentrate on business-critical assets first
        Start with regulated, employee, or proprietary data, and intellectual property
        Streamline access to a “UNC need-to-know” level
        Identify and clean up dormant users and stale data
        Alert on unauthorized access
        Establish a regular review cycle for dormant users, stale data, and excessive
         rights

Plan the strategy for UNC efforts

 Work with data owners to manage user access
        Locate and define data/content owners
        Create permission reports so data owners and stakeholders have visibility into
         who can access their data
        Validate with owners that access to data is legitimate
        Create usage reports so owners can see who is accessing their data
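Added example (not from the original deck) for the permission reports this slide asks for and for the Content Security point that broken inheritance should be the exception: it walks a site collection, lists every web, list and item that has unique permissions, and writes who holds which permission level there to a CSV the data owner can review. The site URL and output path are assumptions. Bindings that carry only Limited Access are skipped because they are side effects of deeper unique permissions, not grants in their own right.

```powershell
# Added example, not part of the original deck. SharePoint Management Shell,
# PowerShell 2.0 compatible (New-Object PSObject rather than [pscustomobject]).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://share.unc.edu/sites/finance"          # assumed
$outFile = "C:\Reports\finance-unique-permissions.csv"   # assumed

function Get-RoleAssignmentRows {
    param([Microsoft.SharePoint.ISecurableObject]$Object, [string]$Kind, [string]$Location)
    foreach ($ra in $Object.RoleAssignments) {
        # SPRoleType.Guest is the "Limited Access" level; ignore bindings with nothing else.
        $levels = @($ra.RoleDefinitionBindings | Where-Object { $_.Type -ne "Guest" } | ForEach-Object { $_.Name })
        if ($levels.Count -eq 0) { continue }
        New-Object PSObject -Property @{
            Kind      = $Kind
            Location  = $Location
            Principal = $ra.Member.Name
            IsGroup   = ($ra.Member -is [Microsoft.SharePoint.SPGroup])
            Levels    = ($levels -join ", ")
        }
    }
}

function Get-UniquePermissionReport {
    param([Microsoft.SharePoint.SPWeb]$Web)
    if ($Web.HasUniqueRoleAssignments) {
        Get-RoleAssignmentRows -Object $Web -Kind "Web" -Location $Web.Url
    }
    foreach ($list in $Web.Lists) {
        if ($list.Hidden) { continue }
        if ($list.HasUniqueRoleAssignments) {
            Get-RoleAssignmentRows -Object $list -Kind "List" -Location ($Web.Url + "/" + $list.RootFolder.Url)
        }
        # Item-level breaks are the ones that should be the exception. Enumerating
        # every item is slow on very large lists; run this off-hours.
        foreach ($item in $list.Items) {
            if ($item.HasUniqueRoleAssignments) {
                Get-RoleAssignmentRows -Object $item -Kind "Item" -Location ($Web.Url + "/" + $item.Url)
            }
        }
    }
    foreach ($sub in $Web.Webs) {
        try { Get-UniquePermissionReport -Web $sub } finally { $sub.Dispose() }
    }
}

$site = Get-SPSite -Identity $siteUrl
try {
    $rows = @(Get-UniquePermissionReport -Web $site.RootWeb)
    $rows | Export-Csv -Path $outFile -NoTypeInformation
    "{0} unique-permission grants written to {1}" -f $rows.Count, $outFile
} finally {
    $site.Dispose()
}
```

Rows where IsGroup is False are direct user grants, which are the first thing to question in a review; a long list of Item rows under one library is the “rule, not exception” pattern the Content Security slide warns about.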


 Protect web sites from external attack
        Identify SharePoint web applications that work with sensitive data
        Deploy a web application firewall to monitor and protect sensitive SharePoint
         web sites, portals, and intranets
        Respond to suspicious activity such as external users accessing admin pages
        Monitor with F5, UAG, and monitoring tools




Refine the strategy for UNC efforts

 Enable auditing for compliance and forensics
        Who owns this data?
        Who accessed this data?
        When and what did they access?
        Have there been repeated failed login attempts?
        Keep rights aligned with business needs.
        Free up storage space and reduce the amount of data that must be actively
         managed.
        Streamline and automate regulatory compliance
        Monitor, control, and respond to suspicious activity in real time
        Balance the need for trust and openness with security concerns
        Understand who has access to what data or, conversely, what data any given
         user or group can access, and how that access was assigned or inherited.
        Simplify the process of identifying where excessive access rights have been
         granted, whether there are dormant users, and who owns each item and document.
        Help administrators and data owners establish a baseline snapshot of access
         rights and conduct rights reviews.
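Added example (not from the original deck): turning on site collection auditing with trimming, then reading the log back to answer “who accessed what, and when”. It also shows the decoding the “SharePoint Gaps” slide refers to: the raw audit table stores the actor as an integer user ID, which has to be resolved through the site user collection before the entries mean anything. The site URL is an assumption; the event mask is a deliberate subset because auditing everything on a busy site inflates the content database quickly.

```powershell
# Added example, not part of the original deck. SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://share.unc.edu/sites/hr"   # assumed
$site = Get-SPSite -Identity $siteUrl
try {
    # 1. Enable the events that matter for access review and forensics.
    $flags = [Microsoft.SharePoint.SPAuditMaskType]::View -bor
             [Microsoft.SharePoint.SPAuditMaskType]::Update -bor
             [Microsoft.SharePoint.SPAuditMaskType]::Delete -bor
             [Microsoft.SharePoint.SPAuditMaskType]::CheckOut -bor
             [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
    $site.Audit.AuditFlags = $flags
    $site.Audit.Update()

    # 2. Keep the log bounded: the Audit Log Trimming timer job removes entries
    #    older than the retention (days). Export them to a report first.
    $site.TrimAuditLog = $true
    $site.AuditLogTrimmingRetention = 90

    # 3. Pull the last 24 hours of entries.
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart((Get-Date).AddDays(-1))
    $query.SetRangeEnd((Get-Date))
    $entries = $site.Audit.GetEntries($query)

    # 4. Resolve the integer UserId each entry carries to a login name.
    $userCache = @{}
    $report = foreach ($e in $entries) {
        if (-not $userCache.ContainsKey($e.UserId)) {
            $login = try { $site.RootWeb.SiteUsers.GetByID($e.UserId).LoginName } catch { "id:$($e.UserId)" }
            $userCache[$e.UserId] = $login
        }
        New-Object PSObject -Property @{
            Occurred = $e.Occurred.ToLocalTime()   # stored in UTC
            Event    = $e.Event
            User     = $userCache[$e.UserId]
            Location = $e.DocLocation
        }
    }
    $report | Sort-Object Occurred | Format-Table Occurred, Event, User, Location -AutoSize

    # 5. The entries a reviewer most wants flagged: permission changes.
    $report | Where-Object { $_.Event -eq "SecurityChange" } | ForEach-Object {
        Write-Warning ("Permission change by {0} at {1:u} on {2}" -f $_.User, $_.Occurred, $_.Location)
    }
} finally {
    $site.Dispose()
}
```

View events are the expensive ones; if the log grows faster than the content, drop View from the mask for large read-mostly libraries and keep it only where the question “who looked at this record” actually has to be answerable.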

Custom Development Security

 Build security testing into the SDLC for all custom and third-party
   components
 Take advantage of CAS policies and the ULS logs
 Use sandboxed solutions whenever possible
 Minimize use of SPSecurity.RunWithElevatedPrivileges()
 With SharePoint 2010, JavaScript is now the biggest threat
        Silverlight is a threat
 SharePoint now uses HTML5
 Avoid fines associated with noncompliance and data breaches
 Avoid having to disclose breaches of lost or stolen data (possible only where
   that data was encrypted)
 Secure sensitive information of all kinds, including trade secrets, IP,
   UNC information, personnel files, healthcare records, PII, FERPA data, etc.
 Broaden the usage of SharePoint to include even the most sensitive
   content while being assured that this sensitive content is strongly protected
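Added example (not from the original deck) serving this slide’s CAS-policy and sandboxed-solution points and the Application Security slide’s “purge unused web parts, e.g. Fab 40”: an inventory of what is actually deployed in the farm, flagging farm solutions that run with full trust (GAC assemblies), ship their own CAS policy, or rewrite web.config, plus anything not on the approved list as a purge candidate, and listing the sandboxed solutions per site collection. The approved solution names are assumptions.

```powershell
# Added example, not part of the original deck. SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$approved = @("unc.branding.wsp", "unc.workflows.wsp")   # assumed approved farm solutions

function Get-FarmSolutionRisk {
    foreach ($sol in Get-SPSolution) {
        $risk = @()
        if ($sol.ContainsGlobalAssembly)         { $risk += "GAC assembly (full trust)" }
        if ($sol.ContainsCasPolicy)              { $risk += "custom CAS policy" }
        if ($sol.ContainsWebApplicationResource) { $risk += "modifies web.config" }
        if (-not $sol.Deployed)                  { $risk += "in solution store but not deployed" }
        if ($approved -notcontains $sol.Name)    { $risk += "NOT APPROVED (purge candidate)" }
        New-Object PSObject -Property @{
            Solution = $sol.Name
            Deployed = $sol.Deployed
            WebApps  = (@($sol.DeployedWebApplications | ForEach-Object { $_.DisplayName }) -join ", ")
            Risk     = ($risk -join "; ")
        }
    }
}

function Get-SandboxSolutionInventory {
    # Sandboxed solutions live per site collection, so walk every site.
    foreach ($site in Get-SPSite -Limit All) {
        try {
            foreach ($us in Get-SPUserSolution -Site $site) {
                New-Object PSObject -Property @{
                    Site          = $site.Url
                    Solution      = $us.Name
                    Status        = $us.Status          # Activated or Deactivated
                    HasAssemblies = $us.HasAssemblies   # code, not just declarative XML
                }
            }
        } finally {
            $site.Dispose()
        }
    }
}

"Farm solutions:"
Get-FarmSolutionRisk | Sort-Object Risk -Descending | Format-Table Solution, Deployed, WebApps, Risk -AutoSize
"Sandboxed solutions:"
Get-SandboxSolutionInventory | Format-Table Site, Solution, Status, HasAssemblies -AutoSize
```

A farm solution that shows “GAC assembly” and “custom CAS policy” together is running arbitrary code under the application pool identity with whatever rights its policy file asks for; that is the combination to review first, and the reason the slide prefers sandboxed solutions where they are enough.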

Security Maintenance and Monitoring

 Keep SharePoint, Windows, and SQL Server patched to the latest service packs
        Make sure any other integrated application is up to date
        Make sure that 3rd-party tools are up to date
        Make sure a test system is available
 Deploy server-side virus protection
        E.g. Forefront Protection for SharePoint
        Use it to scan uploads and downloads through the SharePoint antivirus interface
 Use System Center Operations Manager with the SharePoint health rules to
   monitor for performance spikes or errors related to attacks
 Build security assessments and spot checks into other SharePoint
   maintenance plans
        Familiarize yourself with “Site Permissions > Check Permissions”
        Use the best practices that were defined in your security strategy
        Use 3rd-party tools to assist with managing this as well as auditing

Considerations and Summary
 Work with each of your departments/schools/organizations to quantify
   the SharePoint investment
 Use an overall user experience
 Consider 3rd-party solutions to fortify your sensitive SharePoint
   environment
         HiSoftware
         Titus
         Quest
         Qumus
         Control
         Metalogix
         Cipher Point
    Build a pristine system and migrate functionality to it
    Have a training process in place
    Continue to update the SharePoint security strategy
    Have a change management process in place
    Put a plan in place and DO IT!

Q&A




Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...
Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...Christian Buckley
 
SharePoint 2013 governance model
SharePoint 2013 governance modelSharePoint 2013 governance model
SharePoint 2013 governance modelYash Goley
 
SharePoint for Case Management and Document Review
SharePoint for Case Management and Document ReviewSharePoint for Case Management and Document Review
SharePoint for Case Management and Document ReviewLunaWolfe
 
7 Ways To Leverage SharePoint for Project Management Success
7 Ways To Leverage SharePoint for Project Management Success7 Ways To Leverage SharePoint for Project Management Success
7 Ways To Leverage SharePoint for Project Management SuccessDux Raymond Sy
 
Shamit Khemka discusses importance of custom SharePoint application developer...
Shamit Khemka discusses importance of custom SharePoint application developer...Shamit Khemka discusses importance of custom SharePoint application developer...
Shamit Khemka discusses importance of custom SharePoint application developer...SynapseIndia
 
Ct user group governance
Ct  user group governanceCt  user group governance
Ct user group governancePeter1020
 
Microsoft SharePoint and the Future of ECM
Microsoft SharePoint and the Future of ECMMicrosoft SharePoint and the Future of ECM
Microsoft SharePoint and the Future of ECMGreg Clark
 

Similar to Securing Sharepoint platform (20)

Scaling Up SharePoint
Scaling Up SharePointScaling Up SharePoint
Scaling Up SharePoint
 
Why you should go for microsoft share point development
Why you should go for microsoft share point developmentWhy you should go for microsoft share point development
Why you should go for microsoft share point development
 
Office 365 Vancouver. A Team Approach to Azure Information Protection
Office 365 Vancouver. A Team Approach to Azure Information ProtectionOffice 365 Vancouver. A Team Approach to Azure Information Protection
Office 365 Vancouver. A Team Approach to Azure Information Protection
 
SharePoint Governance
SharePoint GovernanceSharePoint Governance
SharePoint Governance
 
Viestintäaamupäivä sharepoint 2013
Viestintäaamupäivä sharepoint 2013Viestintäaamupäivä sharepoint 2013
Viestintäaamupäivä sharepoint 2013
 
How to implement share point 2010
How to implement share point 2010How to implement share point 2010
How to implement share point 2010
 
Share point 2013 unveiled
Share point 2013 unveiledShare point 2013 unveiled
Share point 2013 unveiled
 
Curing the 'Migration Migraine' with SharePoint Hosting
Curing the 'Migration Migraine' with SharePoint HostingCuring the 'Migration Migraine' with SharePoint Hosting
Curing the 'Migration Migraine' with SharePoint Hosting
 
SharePoint 2010 Governance Planning And Implementation
SharePoint 2010 Governance Planning And ImplementationSharePoint 2010 Governance Planning And Implementation
SharePoint 2010 Governance Planning And Implementation
 
Governance: The what and who for SharePoint
Governance: The what and who for SharePointGovernance: The what and who for SharePoint
Governance: The what and who for SharePoint
 
Tangible benefits from SharePoint IM summit 2010 wellington - chandima
Tangible benefits from SharePoint IM summit 2010   wellington - chandimaTangible benefits from SharePoint IM summit 2010   wellington - chandima
Tangible benefits from SharePoint IM summit 2010 wellington - chandima
 
Planning For Sharepoint Success
Planning For Sharepoint SuccessPlanning For Sharepoint Success
Planning For Sharepoint Success
 
SharePoint Online v Onprem
SharePoint Online v OnpremSharePoint Online v Onprem
SharePoint Online v Onprem
 
Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...
Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...
Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...
 
SharePoint 2013 governance model
SharePoint 2013 governance modelSharePoint 2013 governance model
SharePoint 2013 governance model
 
SharePoint for Case Management and Document Review
SharePoint for Case Management and Document ReviewSharePoint for Case Management and Document Review
SharePoint for Case Management and Document Review
 
7 Ways To Leverage SharePoint for Project Management Success
7 Ways To Leverage SharePoint for Project Management Success7 Ways To Leverage SharePoint for Project Management Success
7 Ways To Leverage SharePoint for Project Management Success
 
Shamit Khemka discusses importance of custom SharePoint application developer...
Shamit Khemka discusses importance of custom SharePoint application developer...Shamit Khemka discusses importance of custom SharePoint application developer...
Shamit Khemka discusses importance of custom SharePoint application developer...
 
Ct user group governance
Ct  user group governanceCt  user group governance
Ct user group governance
 
Microsoft SharePoint and the Future of ECM
Microsoft SharePoint and the Future of ECMMicrosoft SharePoint and the Future of ECM
Microsoft SharePoint and the Future of ECM
 

Securing Sharepoint platform

1. SharePoint Securing Strategy
   University of North Carolina, 2012 SharePoint Security Strategy

2. Agenda
    Introductions
    The Importance of SharePoint Security
    Facets of SharePoint Security
    Resources
    Plan and strategy
    Q&A

3. What is SharePoint?
    Goal
       To create a secure SharePoint environment that allows SharePoint to be used as a medium for collaboration
    SharePoint is:
       “A site-provisioning engine”
       A website
       A series of databases
       An application platform
       An integration possibility
    SharePoint touches, or can touch:
       Your network
       Your Active Directory
       Your LOB systems
       Your organization as a whole
    SharePoint is a platform with a large attack surface

4. What are your Next Steps
    What needs/should be done:
       Secure the sites as dictated by best practices and policies
       Eliminate and expand some of the vagueness in the SharePoint security policy
       All departments/schools need to go through the SharePoint security hardening process
       More intuitive provisioning process for sites/users/AD/OUs
       Implement technology solutions as indicated
          • Guest ID management, UAG, threat management
       3rd-party solutions for overall auditing/reporting/compliance
       Review department by department (internally/externally)
          • Audit and assess to make sure best practices are put in place for security and risks
       Put a project plan or strategy plan in place
       Have individuals take ownership
       Create a security classification and metadata policy for the whole UNC secured SharePoint site
       Create workflow and approval processes
       Turn on audits and manage as dictated
       Develop and conduct training/education
       Implement an overall user experience
       Review what is available in the current environment and check for any sensitive data/content
       Review and optimize where applicable
          • Index, search, cache, installed components
       Upgrade and update F5
       Cost should be defined
    People
    Technology
    Process
    Your organization as a whole
5. SharePoint is Everywhere
    Over 20,000 new SharePoint seats have been added every day for 5 years
    Over 1,500 high-profile websites run on SharePoint
    SharePoint is becoming increasingly “organizationally critical”
    It is as great as you want to make it
    Many universities are using SharePoint as a collaboration mechanism
    SharePoint is commonly used, and can be used, for
       Intranets
       Extranets
       Internet sites
       Application platforms
    UNC SharePoint sites do not have to be ugly

6. How can you do this
    Choose SharePoint
       This phase involves deciding what is best to deploy: secure your current SharePoint farms, incorporate Office 365, or stand up a separate SharePoint farm for sensitive or non-sensitive content. Once this is decided you should have a strategy.
    Third-party solutions or assistance
       Look at best practices and at cost savings where you can get the biggest ROI; don’t try to re-invent where it will cost UNC more development and more money in the long run with less ROI
    Pre-deployment planning
       Focus on everything required to prepare for the migration of content
    Deployment
       If you do the above, make sure that you communicate, train, and define policies and procedures
    Post-deployment
       Make sure that you adopt and evangelize to achieve widespread adoption
7. University of Chicago: various related links (security and best practices)

8. University of Denver Colorado: various related links (policies, service requests, procedures)

9. University of Akron: various related links (SharePoint advice)

10. University of Louisville: various related links

11. Washington University (medical base): reference

12. Washington State University: reference

13. Edinburgh University: reference
14. Types of Security Threats
    Threats we’re going to explore today:
       Data disclosure / theft
       Data loss
       System downtime
    Types of attacks:
       Cross-site scripting (XSS)
       Cross-site request forgery (CSRF)
       Clickjacking
       Privilege escalation
       “Man in the middle” / replay attacks
       SQL injection
    If it’s a threat to other websites or databases, it’s a threat to SharePoint

15. Facets of SharePoint Security

16. Plan for Security

17. Plan UNC Security
    Plan personas and define permission matrices
    Understand content and security contexts
    Determine authentication, SSO, and federation goals
    Use the SharePoint 2013 upgrade as an opportunity to apply governance on a new platform
       SharePoint 2013 RTM release is December 2012
    Don’t expect the default settings to protect you
    Set up Kerberos
    Use edge servers
    Continue to validate and check again, and then check again
18. Anonymous Access
    Carefully decide if SharePoint is the right platform for anonymous access
       Especially consider the implications for public blogs and wikis
       Consider what you want for public-facing information
    Always use the site lockdown feature
       “Get-SPFeature viewformpageslockdown”
    Further restrict pages using web.config and edge servers
       E.g. Unified Access Gateway
    Add SharePoint to your website security testing
    Provide policy statements for external collaboration
    Consider using third-party tools
    Don’t lock out the /_layouts path altogether
    Define security policies, make sure they are not vague, and map them accordingly
       Features, web parts, solutions, documents, records
    If you want to have an unsecured area, consider
       Office 365
       A separate farm
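The lockdown feature named on the slide is the site-collection feature ViewFormPagesLockDown, which hides application and form pages from anonymous users and is not activated automatically when anonymous access is enabled. The following script is an added example, not code from the UNC deck: run in the SharePoint Management Shell on a farm server, it finds every web application that allows anonymous access in any zone and reports each of its site collections that lacks the feature. The -Enforce switch is introduced here; everything else is the native SharePoint cmdlets and object model.

```powershell
# Added example (not from the UNC deck). Run in the SharePoint 2010/2013 Management
# Shell on a farm server. -Enforce is introduced here; everything else is the native
# SharePoint cmdlets and object model.
param(
    [switch]$Enforce   # without this switch the script only reports
)

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Site-collection feature that keeps anonymous users out of /_layouts application pages
# and list form pages; it is not activated automatically when anonymous access is turned on.
$lockdownFeature = 'ViewFormPagesLockDown'

$findings = @()
foreach ($webApp in Get-SPWebApplication) {
    # Anonymous access is configured per zone (Default, Intranet, Internet, Custom, Extranet)
    $anonZones = @($webApp.IisSettings.Keys | Where-Object { $webApp.IisSettings[$_].AllowAnonymous })
    if ($anonZones.Count -eq 0) { continue }

    foreach ($site in Get-SPSite -WebApplication $webApp -Limit All) {
        try {
            # Get-SPFeature -Site lists only features that are active on that site collection
            $active = Get-SPFeature -Identity $lockdownFeature -Site $site -ErrorAction SilentlyContinue
            $lockdownOn = [bool]$active

            if (-not $lockdownOn -and $Enforce) {
                Enable-SPFeature -Identity $lockdownFeature -Url $site.Url
                $lockdownOn = $true
            }

            $findings += New-Object PSObject -Property @{
                WebApplication = $webApp.DisplayName
                AnonymousZones = ($anonZones -join ', ')
                SiteUrl        = $site.Url
                LockdownOn     = $lockdownOn
            }
        }
        finally {
            $site.Dispose()   # SPSite objects hold SQL connections; always dispose them
        }
    }
}

# LockdownOn = False means an anonymously reachable site collection still exposes its
# application pages; review those first.
$findings | Sort-Object LockdownOn, SiteUrl |
    Format-Table WebApplication, AnonymousZones, SiteUrl, LockdownOn -AutoSize
```

Run it without -Enforce first and hand the list to the site owners; lockdown also blocks anonymous users from form pages such as AllItems.aspx, so a public site that deliberately exposes list views needs that reviewed before the feature is switched on.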
19. Authentication and Directory Security
    Synchronize only the AD users relevant for social features
    Don’t bring confidential information into user profiles
    Understand the impacts of third-party federation
    Track and block rogue SharePoint installations with “Service Connection Points”
    Develop a password change / managed account strategy
    Enterprise SharePoint people search results have no form of security trimming
       If a user can see any people results, they can see them all
    Use FAST Search to incorporate a more robust security model and a more robust experience
    Don’t allow SharePoint site owners to rely on obfuscation or audience targeting to try to secure content

20. Content Security
    Audiences are not security
       Search content rollups make bypassing audiences simple
    Item-level permissions / broken permission inheritance should be the exception, not the rule
    Avoid using policies to override permissions
    PDFs = Pretty Dangerous Files
       They should be managed and rules should be defined
       Automated PDF generation from documents, with proper security, should be considered
    Consider Information Rights Management and auditing
    Having the ability to scan content for sensitive data is crucial
    Make sure that users are responsible
    Change management is crucial
    Training is crucial
    Any party who can manipulate SharePoint’s HTML directly or impersonate third-party JavaScript can compromise the site
       This is policy that should also be understood, and organization rules should be defined

21. Network Security
    Always use SSL for authenticated access
    Firewall all nonessential public ports
    Host all servers on the same VLAN
    Use IPsec for geo-distributed communication
    Be aware of “loopback check” implications
    Use GPO policies where applicable
    Close ports where applicable
    Update firmware where appropriate
       E.g. routers, F5, firewalls

22. Network Security
23. Application Security
    Never expose SharePoint’s application tier to the internet
    Don’t host Central Administration on a web front-end
    Isolate service accounts and use standard naming conventions
    Use multiple IIS application pools (but not too many)
    Never use CNAMEs
    Example security threats
       The InfoPath Forms Services web service proxy caches credentials, allowing subsequent users to impersonate preceding users if it is accessed directly
    Access and Access Services in a secured SharePoint environment should use AD rather than internal groups and permissions
    The Secure Store should be defined properly
    Security should be managed for features and solutions
    Web parts that are not in use should be purged
       E.g. Fab 40
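As an added example that is not from the deck, this read-only check covers the first four bullets above from the SharePoint Management Shell: it flags content web applications whose application pool runs as the farm account, pool accounts that break a naming convention, more application pools than a chosen limit, and Central Administration running on a server that also hosts the Web Application service. The -ServiceAccountPattern regex and the -MaxAppPools limit are placeholders to replace with UNC’s own rules, and treating a server as a web front-end because the Web Application service instance is online on it is an assumption made here.

```powershell
# Added example (not from the UNC deck). Read-only; run in the SharePoint Management Shell.
# -MaxAppPools and -ServiceAccountPattern are placeholders for UNC's own conventions.
param(
    [int]$MaxAppPools = 5,                             # "multiple pools, but not too many"
    [string]$ServiceAccountPattern = '^UNC\\svc[-_]sp'  # assumed naming convention
)

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name   # e.g. UNC\svc-spfarm
$webApps     = @(Get-SPWebApplication -IncludeCentralAdministration)
$issues      = @()

foreach ($wa in $webApps) {
    $pool    = $wa.ApplicationPool
    $account = $pool.Username

    # A content web application running as the farm account turns any code-execution
    # flaw in one site into farm-wide (and, through the farm account, SQL-level) privilege.
    if (-not $wa.IsAdministrationWebApplication -and $account -eq $farmAccount) {
        $issues += "$($wa.DisplayName): pool '$($pool.Name)' runs as the farm account $account"
    }
    if ($account -notmatch $ServiceAccountPattern) {
        $issues += "$($wa.DisplayName): pool account '$account' does not follow the naming convention"
    }
}

# Too many pools: each one is a separate w3wp.exe with its own memory footprint
$contentPools = @($webApps | Where-Object { -not $_.IsAdministrationWebApplication } |
    ForEach-Object { $_.ApplicationPool.Name } | Sort-Object -Unique)
if ($contentPools.Count -gt $MaxAppPools) {
    $issues += "$($contentPools.Count) content application pools in use (limit $MaxAppPools)"
}

# Central Administration should not share a server with end-user web traffic. A server is
# treated as a web front-end here if the Web Application service instance is online on it.
$onlineOn = { param($typeName)
    @(Get-SPServiceInstance | Where-Object { $_.TypeName -eq $typeName -and $_.Status -eq 'Online' } |
        ForEach-Object { $_.Server.Name })
}
$caServers  = & $onlineOn 'Central Administration'
$wfeServers = & $onlineOn 'Microsoft SharePoint Foundation Web Application'
foreach ($server in $caServers) {
    if ($wfeServers -contains $server) {
        $issues += "Central Administration is hosted on web front-end $server"
    }
}

if ($issues.Count -eq 0) { 'No findings' } else { $issues | ForEach-Object { Write-Warning $_ } }
```

Each warning maps to one bullet on the slide, so the output can be pasted straight into the department-by-department review the earlier slides call for.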
24. Database Security
    Isolate SharePoint databases from other systems
    Minimize the SQL surface area by disabling unneeded features
    Consider SQL 2008 “Transparent Data Encryption”
       Performance impact, backup size impact, and FILESTREAM impacts
    Don’t leave SharePoint backups within the content database or on web front-ends
    Never back up using SharePoint backup
       SharePoint Designer backups are exported to the root of your SharePoint site as unencrypted CMP packages
    DPM should use encrypted backups and restores, and they should be verified
    Consider using SQL Server 2012 for more security possibilities

25. Connected System Security
    SharePoint 2010 added a new header called X-HealthScore for preventing Office client abuse. In public sites, it advertises server load. All SharePoint versions reveal their version number in a header by default.
    Remove the X-HealthScore, MicrosoftSharePointTeamServices, and other identifying headers
    Leverage the Secure Store Service for safely accessing external systems via BCS
    Avoid reliance on Flash content
    Consider Forefront UAG endpoint security
    Set policies regarding data being stored offline
    Audit, report, assess, and do it again
    Provisioning where applicable
26. SharePoint Gaps
    SharePoint activity monitoring lacks an intuitive, easy-to-use interface for reporting and analytics. Without a third-party solution, businesses must first decode SharePoint’s internal representation of log data before they can access meaningful information.
    SharePoint activity auditing does not provide the ability to automatically analyze access activity and respond with an alert or block.
    SharePoint does not include web application firewall protection.
    SharePoint enforces access controls for files using Access Control Lists (ACLs). What makes native permissions challenging, however, is that SharePoint lacks an automated way to ensure that ACLs remain aligned with business needs.

27. Security Data Governance Model

28. UNC Example Farm
    Diagram labels: Secured Enterprise; Not Sensitive; Social Communities; Collaboration capabilities; Office 365; https://share.unc.edu; University of North Carolina Communities
    Capabilities shown: shared calendars, discussion boards, blogs, comments, document libraries, podcasting, versioning, microblogging, records, wikis, task lists, surveys, tags, profiles, ratings

29.
    SharePoint is currently used at UNC as the collaboration platform for internal UNC enterprise initiatives
    SharePoint enables UNC to
       Deliver the best productivity experience
       Cut costs with a unified infrastructure
       Rapidly respond to business needs
       Have less dependency on other departments
    SharePoint does this by providing capabilities
       Sites, communities, content, search, insights, and composites

30. Jump start UNC efforts
    Get ahead of all SharePoint deployments
       Implement a SharePoint governance policy
       Put security requirements in place when SharePoint instances go live
       Look beyond native SharePoint security features
       Specify what kind of information can be put on SharePoint
       Only use features that you want to include
       Train and educate
    Implement your SharePoint in phases and iteratively
       Concentrate on business-critical assets first
       Start with regulated, employee, or proprietary data, and intellectual property
       Streamline access to a “UNC need-to-know” level
       Identify and clean up dormant users and stale data
       Alert on unauthorized access
       Establish a regular review cycle for dormant users, stale data, and excessive rights
31. Plan the strategy for UNC efforts
    Work with data owners to manage user access
       Locate and define data/content owners
       Create permission reports so data owners and stakeholders have visibility into who can access their data
       Validate with owners that access to data is legitimate
       Create usage reports so owners can see who is accessing their data
    Protect web sites from external attack
       Identify SharePoint web applications that work with sensitive data
       Deploy a web application firewall to monitor and protect sensitive SharePoint web sites, portals, and intranets
       Respond to suspicious activity such as external users accessing admin pages
       Monitor with F5, UAG, and monitoring tools
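The permission report the first group of bullets asks for can be produced from the object model without a third-party tool. The script below is an added example, not the deck’s or UNC’s own code: run in the SharePoint Management Shell, it walks one site collection (the -SiteUrl default is the placeholder share.unc.edu address from slide 28) and writes one CSV row per explicit grant on every web, list and item that breaks inheritance, which also surfaces the item-level permissions slide 20 says should be the exception rather than the rule.

```powershell
# Added example (not from the UNC deck). Run in the SharePoint Management Shell.
# -SiteUrl defaults to the placeholder address the deck's example farm slide shows.
param(
    [string]$SiteUrl = 'https://share.unc.edu',
    [string]$OutCsv  = "$env:TEMP\sp-permissions.csv"
)

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-ExplicitGrants {
    # One row per role assignment on a web, list or item that has unique permissions.
    # Objects that inherit are skipped: their rights are already shown on the parent.
    param(
        [Microsoft.SharePoint.ISecurableObject]$Object,
        [string]$Location,
        [string]$Kind
    )
    if (-not $Object.HasUniqueRoleAssignments) { return }

    foreach ($ra in $Object.RoleAssignments) {
        $member = $ra.Member
        if ($member -is [Microsoft.SharePoint.SPGroup]) { $type = 'SharePoint group' }
        elseif ($member.IsDomainGroup)                  { $type = 'AD group' }
        else                                            { $type = 'User' }
        $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })

        New-Object PSObject -Property @{
            Kind        = $Kind
            Location    = $Location
            Principal   = $member.Name
            Type        = $type
            Roles       = ($roles -join '; ')
            FullControl = ($roles -contains 'Full Control')   # owners should confirm each of these
        }
    }
}

$site = Get-SPSite $SiteUrl
try {
    $rows = @(foreach ($web in $site.AllWebs) {
        try {
            Get-ExplicitGrants -Object $web -Location $web.Url -Kind 'Web'
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }    # system lists (e.g. workflow history)
                Get-ExplicitGrants -Object $list -Location "$($web.Url)/$($list.RootFolder.Url)" -Kind 'List'
                # Item-level grants: slide 20 calls these the exception, so list every one.
                # This enumerates all items, so expect it to take a while on large libraries.
                foreach ($item in $list.Items) {
                    Get-ExplicitGrants -Object $item -Location "$($web.Url)/$($item.Url)" -Kind 'Item'
                }
            }
        }
        finally { $web.Dispose() }
    })
}
finally { $site.Dispose() }

$rows | Select-Object Kind, Location, Principal, Type, Roles, FullControl |
    Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
$objects = @($rows | Select-Object -ExpandProperty Location -Unique).Count
"{0} explicit grants on {1} objects with unique permissions written to {2}" -f $rows.Count, $objects, $OutCsv
```

Sorting the CSV by Location groups every grant on one object together, which is the view a data owner needs to say "yes, that is legitimate" per the next bullet; rows with FullControl = True and rows of Kind Item are the ones to review first.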
32. Refine the strategy for UNC efforts
    Enable auditing for compliance and forensics
       Who owns this data?
       Who accessed this data?
       When and what did they access?
       Have there been repeated failed login attempts?
    Keep rights aligned with business needs
    Free up storage space and reduce the amount of data that must be actively managed
    Streamline and automate regulatory compliance
    Monitor, control, and respond to suspicious activity in real time
    Balance the need for trust and openness with security concerns
    Understand who has access to what data or, conversely, what data any given user or group can access, and how that access was assigned or inherited
    Simplify the process of identifying where excessive access rights have been granted, whether there are dormant users, and who owns each item and document
    Help administrators and data owners establish a baseline snapshot of access rights and conduct rights reviews
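Answering “who accessed this data, when, and what” needs the site-collection audit log switched on and then decoded, which is the gap slide 26 describes. The script below is an added example, not from the deck: run in the SharePoint Management Shell, it enables view, update, delete, check-out and security-change auditing on one site collection (again using the placeholder share.unc.edu URL) and prints the last week of entries with the numeric user ids and event codes resolved to names, singling out permission changes. Failed logins are not in this log; they are recorded by Windows on the web front-ends and domain controllers.

```powershell
# Added example (not from the UNC deck). Run in the SharePoint Management Shell.
# -SiteUrl is the deck's placeholder farm address; -Days is the reporting window.
param(
    [string]$SiteUrl = 'https://share.unc.edu',
    [int]$Days = 7
)

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$site = Get-SPSite $SiteUrl
try {
    # 1. Auditing is off by default; make sure the events this slide asks about are recorded.
    #    View auditing is the noisy one; keep it but trim the log on a schedule.
    $audit  = $site.Audit
    $wanted = [Microsoft.SharePoint.SPAuditMaskType]::View -bor
              [Microsoft.SharePoint.SPAuditMaskType]::Update -bor
              [Microsoft.SharePoint.SPAuditMaskType]::Delete -bor
              [Microsoft.SharePoint.SPAuditMaskType]::CheckOut -bor
              [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
    if (($audit.AuditFlags -band $wanted) -ne $wanted) {
        $audit.AuditFlags = $audit.AuditFlags -bor $wanted
        $audit.Update()
        "Audit flags are now: $($audit.AuditFlags)"
    }

    # 2. Query the raw log. Entries carry a numeric user id and an event enum; resolve
    #    the id through the site collection's user list so the report reads as names.
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart((Get-Date).AddDays(-$Days))
    $query.SetRangeEnd((Get-Date))

    $userNames = @{}
    foreach ($u in $site.RootWeb.SiteUsers) { $userNames[$u.ID] = $u.LoginName }

    $rows = @(foreach ($entry in $audit.GetEntries($query)) {
        if ($userNames.ContainsKey($entry.UserId)) { $who = $userNames[$entry.UserId] }
        else { $who = "user-id:$($entry.UserId)" }   # deleted or never-resolved account
        New-Object PSObject -Property @{
            Occurred = $entry.Occurred.ToLocalTime()   # stored in UTC
            Event    = $entry.Event                    # View, Update, Delete, SecurityChange, ...
            User     = $who
            Location = $entry.DocLocation
            Source   = $entry.EventSource              # SharePoint or ObjectModel
        }
    })

    # 3. Two views a data owner wants: the latest activity, and every permission change,
    #    which should be rare and always explainable.
    $rows | Sort-Object Occurred -Descending | Select-Object -First 25 |
        Format-Table Occurred, Event, User, Location -AutoSize
    $securityChanges = @($rows | Where-Object { $_.Event -eq 'SecurityChange' })
    "{0} audit entries in the last {1} days, {2} of them permission changes" -f $rows.Count, $Days, $securityChanges.Count
}
finally { $site.Dispose() }
```

Scheduling this weekly and mailing the SecurityChange subset to the data owner identified in slide 31 gives the review cycle slide 30 asks for; the audit table lives in the content database, so pair it with audit-log trimming to keep the database from growing without bound.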
33. Custom Development Security
    Build security testing into the SDLC for all custom and third-party components
    Take advantage of CAS policies and the ULS logs
    Utilize sandboxed solutions whenever possible
    Minimize use of RunWithElevatedPrivileges()
    With SharePoint 2010, JavaScript is now the biggest threat
    Silverlight is a threat
    SharePoint is using HTML 5.0
    Avoid fines associated with noncompliance and data breaches
    Avoid disclosing breaches for data that is lost or stolen (and which is encrypted)
    Secure sensitive information of all kinds, including trade secrets, IP, UNC information, personnel files, healthcare records, PII, FERPA data, etc.
    Broaden the usage of SharePoint to include even the most sensitive content while being assured this sensitive content is strongly protected

34. Security Maintenance and Monitoring
    Keep SharePoint, Windows, and SQL patched to the latest service packs
       Make sure any other integrated application is up to date
       Make sure that 3rd-party tools are up to date
       Make sure a testing system is available
    Deploy server-side virus protection
       E.g. Forefront for threat management
       Use it to interface with SharePoint for uploading/downloading
    Use System Center Operations Manager with SP health rules to monitor for performance spikes or errors related to attacks
    Build security assessments and spot checks into other SharePoint maintenance plans
    Familiarize yourself with “Site Permissions > Check Permissions”
    Use the best practices that were defined in your security strategy
    Use 3rd-party tools to assist with managing this as well as auditing

35. Considerations and Summary
    Work with each of your departments/schools/organizations to quantify the SharePoint investment
    Use an overall user experience
    Consider 3rd-party solutions to fortify your sensitive SharePoint environment
       HiSoftware
       Titus
       Quest
       Qumus
       Control
       Metalogix
       Cipher Point
    Create a pristine system and move to it with functionality
    Have a training process in place
    Continue to update the SharePoint security strategy
    Have a change management process in place
    Put a plan in place and DO IT!

Editor's Notes

  1. “Application platform” includes custom development, Project Server, PeopleSoft, OBIEE, FAST Search, TFS.
  2. Review that it aligns to the overall strategy. Create a Center of Excellence while making sure resources and team members have a plan. Have a realistic budget to cover all costs. Outline content requirements. Assess how people need SharePoint. Have an early-adopter program. Implement a governance and content framework.
  3. The University of North Carolina has assets that it is not sure of and does not really have a Master Data Management (MDM) plan; in some cases it may not know how much data or what kinds of data UNC has, how many users UNC has or can have, how permissions were configured, or how it is configured or managed.
  4. This is a diagram of a plan for your security and the steps needed to be successful.
  5. The farm configuration wizard creates some security gaps by default, which is why the various stop-gap documents should be considered.
  6. This is the continuous wheel needed to incorporate security for UNC, with a governance model around it. This is crucial: much of the work to secure your SharePoint environment can’t be done out of the box, and a governance strategy is pertinent.
  7. Look at how to implement and integrate with 3rd parties. Owners: UNC users of SharePoint, the viewers and owners. Privacy: ensure personal PII/PHI/HIPAA/FERPA/etc. data is kept from unauthorized users. Security. Metadata. Branding: look for incorrect branding that causes harm. Accessibility. Review data. Duplication. Automation. Constantly review. Define what you want to do with search, My Sites, collaboration. Publishing standards.