This presentation outlines a 10 wave methodology for securing a rogue SharePoint environment. It begins with backing up the server, removing old vendor access, resetting all user passwords, disabling unused accounts, updating service accounts, reviewing firewall rules and network traffic, changing email settings, addressing hardcoded values in workflows, applying security trimming, conducting quick security sweeps, and adding analytics tracking. The goal is to systematically document the environment, remove all old access, update accounts and permissions, and put monitoring in place to harden security. Regular communication with end users is also emphasized.

1. 10 points to make a rogue
SharePoint environment
really, really secure..
Presented By Peter Ward – April 3rd 2014
w- www.sohodragon.com
c- 862 220 6080
b-www.wardpeter.com

2. Agenda
• Context of the presentation
• Where to start?
• Understanding security permissions and how to apply it
• Create a methodology
• How to avoid data leaks
• Show user activity on all levels
• Creating a game plan

3. Green dot
This indicates an important point

4. Before We Begin
• Q&A – We will have time at the end of the presentation for questions….
But I encourage you to interrupt me and ask
• A copy of this presentation is on my blog

5. Reminder slide
• A copy of this presentation is on my blog
www.wardpeter.com
This means you only need to watch.
There is no need to take notes

7. Context of the presentation
This SharePoint
needs to work
Summary
 2 days to take ownership
 Only Prod environment
 No Dev.
 Rogue former vendor team

8. Takeaways
• Understanding ownership steps
• Confidently applying security
• The little things really matter
• Process and communication is key
• Learn how to refactor an environment
• Good example of reality
SharePoint security planning
Learn learnt: Technology problems aren’t always technology problems

9. Audience
Networking FolksSharePoint Folks
Networking steps
SharePoint steps
Networking steps
SharePoint steps

10. The inherited environment
• Hosted environment
• SharePoint 2010 Enterprise
• 3 months of undocumented code and environment.
• No Visio diagrams
• Hard coded ID and passwords everywhere… and I mean everywhere
• A few URL’s a Service Account ID and password
• SQL Server Reporting Services
• Oh I forgot:
• Can’t use 3rd party tools to run audits of security
• Internal IT department has no real understanding how SharePoint works or what was
deployed or developed

11. Where to start
• Understand SharePoint security
• Business processes
• Create a methodology

12. Understanding security accounts
and how to apply it
Domain
• Active Directory Groups…. Not distribution
• Domain services- Exchange, IIS
Server
• Boxes
SharePoint
• Site Collections
• Sites
• SharePoint groups
Demarcation of
responsibility
Service accounts

13. Business Processes
Talk to end users face to face
Understand their language:
 What they think SharePoint actually is
 A list is a report
 Alert is an email
What, why, when, who

14. Now we can start

15. Create a methodology
Wave 1 Wave 2 Wave 3 Wave 4 Wave 5 Wave 6 Wave 7 Wave 8 Wave 9
Wave
10

16. Wave 1 – Kick off
 Back up the server .. Make sure this is SQL. Ask how long back ups are kept
 Ask for a back up.. To test the internal IT
 Restoring env.
 Notify the user base what is going on and in the communication have a team
member’s email and direct phone number
 Identify all the services are running
 Reboot the servers
 Enforce a change log- SharePoint list. Set up alerts to your team
Key wins:
 Immediately know if services stop… and are not related to the password changes
 Any problems you can blame the previous vendor on the morning you start

17. Wave 2 – Start documentation
• Technical inventory of the following:
• SharePoint, edition, SQL version
• InfoPath- purpose, template location
• Server box names
• Obtain/ create system accounts and password and purpose
• Server boxes
• Architectural diagram
• Env..
• SharePoint collections
• Central Admin
• Installed web parts

18. Wave 2 – continued-
Ask questions
• What’s the source code control? This should be reviewed
• Is there a DR plan for SQL db’s
• Is there a DR plan for SharePoint
• Report names and their purpose
• Understand the integration points

19. Now you need to break ground

20. Wave 3 – Removing access
• VPN access- remove
• Service accounts
• Vendor ids
• Remote access to boxes
• SharePoint env.
• Site collection administrators

21. Wave 4 – Users
• Reset all users passwords in PowerShell
• Ed Wilson and Craig Liebendorfer, Scripting Guys
• Don’t delete the old vendor ID yet. Because they are in code and
workflow

22. Wave 4 – disable unused accounts
• Wait a week for things to settle down
• Note disable.. Not delete

23. Wave- 4 SharePoint permissions
• Do’s
• Use Groups – Either AD or SharePoint
•Don’ts
• Not everyone needs to be Site Collection Admin
• Or Full Control

24. Wave 5 – Service Accounts
• Create a ID inventory file (Excel) with both old and new password
• Stop and restart services
• Restart server for good measure

25. Wave 6 – Firewall account
• Because there could be IP addresses of the boxes made public.
• and there was… therefore you could get to the box, with no VPN
• Use Netstat command to listen to traffic on the ports Link

26. Tea break
• Questions if you want.

27. Wave 6 – Network Traffic

28. Wave 6 – Network Traffic
• Port 443 secure https
• Port 80 Unsure

29. Think again
Think old vendor is locked out…….

30. Wave 7 – Email
• Change emails in AD
• Redirection capture - DNS

31. Wave 7 – Email
• Email forwarding

32. Wave 7 – Workflow
• Impersonation Steps
Create a workflow AD account . Needs to be a site collection administrator

33. Wave 7 – Workflow
• Hard coded email addresses

34. Wave 8- SP Security trimming
 Central Admin
 Internal IP address
 Only accessible via RDP login

35. Wave 9- Quick Sweep
 Check the Service accounts
 Logging

36. Wave 10- Continued
 Add in tracking into the masterpage:
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsOb
ject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1
*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.sr
c=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-
analytics.com/analytics.js','ga');
ga('create', 'UA-4669498-5',
'onecallcm.com');
ga('send', 'pageview');
</script>

39. Wave 10+- Final bit of advice
to client
• Buy password security software
• Stores IDs and passwords
• Audit log of who’s accessing IDs
IT loved this

40. This is the end.
This is the part of the presentation when people should clap and cheer

41. Questions?
• e-pw@sohodragon.com
• w-www.sohodragon.com
• b-www.wardpeter.com
• c- 862 220 6080