SlideShare a Scribd company logo
Bert Johnson SharePoint Architect and MCM - PointBridge Securing the SharePoint Platform
Bert Johnson SharePoint Architect with PointBridge Solutions Microsoft Certified Master – SharePoint Server 2010 Twitter: @SPBert			Event Hashtag: #SPSChicago Email: bjohnson@pointbridge.com Blog: http://blogs.pointbridge.com/Blogs/Johnson_Bert/
About PointBridge By The Numbers: Founded in 2004 250+ SharePoint projects 350,000+ hours of SharePoint experience  30,000+ monthly blog hits 2010 Microsoft Midwest District Award for Best Customer Experience 2009 Microsoft Central US Partner of the Year 2009 SharePoint Conference Award:  Multi-Solution Capability 2008 Global Partner of the Year finalist:  Citizenship 2007 Microsoft US Partner of the Year:  SharePoint One of 35 Microsoft National Systems Integrators One of 15 members of Microsoft Partner Advisory Council for SharePoint
Agenda The Importance of SharePoint Security Facets of SharePoint Security Resources Q & A
The Importance of SharePoint Security
What is SharePoint? SharePoint is: “A site-provisioning engine” No really, SharePoint is: A website A series of databases An application platform SharePoint touches: Your network Your Active Directory Your LOB Systems SharePoint is a platform with a large attack surface
SharePoint is Everywhere Over 20,000 new SharePoint seats have been added every day for 5 years Over 1,500 high profile websites on SharePoint SharePoint is becoming increasingly “business critical” SharePoint is commonly used for Intranets Extranets Internet Sites Application platforms
Types of Security Threats Threats we’re going to explore today: Data disclosure / theft Data loss System downtime Types of attacks: Cross-site scripting (XSS) Cross-site request forgery (CSRF) Clickjacking Privilege escalation “Man in the middle” / replay attacks SQL injection If it’s a threat to other websites or databases, it’s a threat to SharePoint
Software Security in the News March 17 – RSA SecureID Compromised March 24 - Comodo Security Breach April 4 - Epsilon Data Leak April 12 - Largest Microsoft Patch Tuesday April 20 – PlayStation Network Hack May 30 – LulzSec (PBS, Sony, NHS, etc.)  June 9 – Citigroup Accounts Accessed * Concise history of recent Sony hacks http://attrition.org/security/rants/sony_aka_sownage.html
Facets of SharePoint Security
Example:They keep piling up!
Planning for Security
Planning for Security Plan personas and define permission matrices Understand content and security contexts Determine authentication, SSO, and federation goals Use the SharePoint 2010 upgrade as an opportunity to apply governance Don’t expect the default settings to protect you
Example:How’d you build that?
Anonymous Access Carefully decide if SharePoint is the right platform for anonymous access Especially consider implications for public blogs and wikis Always use the site lockdown feature “Get-SPFeatureviewformpageslockdown” Further restrict pages using web.config or UAG Add SharePoint to your website security testing Don’t lock out the /_layouts path altogether
Example:I don’t think we’ve met…
Authentication and Directory Security Synchronize only the AD users relevant for social features Don’t bring confidential information into user profiles Understand the impacts of third-party federation Track and block rogue SharePoint installations with “Service Connection Points” Develop a password change / managed account strategy
Example:Private audience?
Content Security Audiences are not security Search content rollups make bypassing audiences simple Item-level permissions / broken permission inheritance should be the exception, not the rule Avoid using policies to override permissions PDFs = Pretty Dangerous Files Consider Information Rights Management and auditing
Example:The man in the middle…
Network Security Always use SSL for authenticated access Firewall all nonessential public ports Host all servers on the same vLAN Use IPSec for geo-distributed communication Be aware of “loopback check” implications
Network Security
Example:I’m with him…
Application Security Never expose SharePoint’s application tier to the internet Don’t host Central Administration on a web front-end Isolate service accounts and use standard naming conventions Use multiple IIS application pools (but not too many) Never use CNames
Example:Thanks for the backup!
Database Security Isolate SharePoint databases from other systems Minimize the SQL surface area by disabling unneeded features Consider SQL 2008 “Transparent Data Encryption” Performance impact, backup size impact, and file stream impacts Don’t leave SharePoint backups within the content database or on web-front ends
Example:Your health is showing.
Connected System Security Remove the X-HealthScore, MicrosoftSharePointTeamServices, and other identifying headers Leverage the Secure Store Service for safely accessing external systems via BCS Avoid reliance on Flash content Consider ForeFront UAG endpoint security Set policies regarding data being stored offline
Example:Could you do this for me?
Custom Development Security Build security testing into the SDLC for all custom and third-party components Take advantage of CAS policies and the ULS logs Utilize sandbox solutions whenever possible Minimize use of RunWithElevatedPrivilege() With SharePoint 2010, Javascript is now the biggest threat
Example:You don’t want this help…
Security Maintenance and Monitoring If running WSS/MOSS, patch to October 2010 CU or install MS10-039 Keep SharePoint, Windows, and SQL patched to latest service packs Deploy server-side virus protection Use Systems Center Operations Manager with SP health rules to monitor for performance spikes or errors related to attacks Build security assessments and spot checks into other SharePoint maintenance plans Familiarize self with “Site Permissions > Check Permissions”
Resources
Resources Downloadable book: Security for Office SharePoint Server 2007 http://technet.microsoft.com/en-us/library/cc262619(office.12).aspx Locking down Office SharePoint Server sites http://technet.microsoft.com/en-us/library/ee191479(office.12).aspx Plan for and design security http://technet.microsoft.com/en-us/library/cc262331(office.12).aspx Bert Johnson security blogs http://blogs.pointbridge.com/Blogs/Johnson_Bert/
Q & A
Bert Johnson SharePoint Architect with PointBridge Solutions Microsoft Certified Master – SharePoint Server 2010 Twitter: @SPBert			Event Hashtag: #SPSChicago Email: bjohnson@pointbridge.com Blog: http://blogs.pointbridge.com/Blogs/Johnson_Bert/
Housekeeping Please remember to submit your session evaluation forms after each session you attend to increase your chances at the raffle Follow SharePoint Saturday Chicago on Twitter @spschicago and hashtag #spschicago
Thanks to Our Sponsors! Premier Gold Silver Bronze Sponsors

More Related Content

What's hot

Best practices for Security and Governance in SharePoint 2013
Best practices for Security and Governance in SharePoint 2013Best practices for Security and Governance in SharePoint 2013
Best practices for Security and Governance in SharePoint 2013
AntonioMaio2
 
K Ziai Share Point At Ut
K Ziai Share Point At UtK Ziai Share Point At Ut
K Ziai Share Point At Ut
Art Upton
 
Microsoft 365 Security & Compliance User Group - Microsoft Teams compliance
Microsoft 365 Security & Compliance User Group - Microsoft Teams compliance Microsoft 365 Security & Compliance User Group - Microsoft Teams compliance
Microsoft 365 Security & Compliance User Group - Microsoft Teams compliance
Albert Hoitingh
 
Share point 2010
Share point 2010Share point 2010
Share point 2010
Humayun Rashed
 
Office 365 security new innovations from microsoft ignite - antonio maio
Office 365 security   new innovations from microsoft ignite - antonio maioOffice 365 security   new innovations from microsoft ignite - antonio maio
Office 365 security new innovations from microsoft ignite - antonio maio
AntonioMaio2
 
What's new in Security and Compliance in SharePoint , OneDrive for Business &...
What's new in Security and Compliance in SharePoint , OneDrive for Business &...What's new in Security and Compliance in SharePoint , OneDrive for Business &...
What's new in Security and Compliance in SharePoint , OneDrive for Business &...
Vignesh Ganesan I Microsoft MVP
 
Best practices for security and governance in share point 2013 published
Best practices for security and governance in share point 2013   publishedBest practices for security and governance in share point 2013   published
Best practices for security and governance in share point 2013 published
AntonioMaio2
 
Microsoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & Drew
Microsoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & DrewMicrosoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & Drew
Microsoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & Drew
Drew Madelung
 
Seminar On Share Point By Maroof Ahmad
Seminar On Share Point By Maroof AhmadSeminar On Share Point By Maroof Ahmad
Seminar On Share Point By Maroof Ahmad
MaroofAhmad
 
SPUnite17 Information Management and Data Governance in Office365
SPUnite17 Information Management and Data Governance in Office365SPUnite17 Information Management and Data Governance in Office365
SPUnite17 Information Management and Data Governance in Office365
NCCOMMS
 
Enhancing Relevancy & User Experience with SharePoint Search - SPSBMORE 2015
Enhancing Relevancy & User Experience with SharePoint Search - SPSBMORE 2015Enhancing Relevancy & User Experience with SharePoint Search - SPSBMORE 2015
Enhancing Relevancy & User Experience with SharePoint Search - SPSBMORE 2015
Gina Montgomery, V-TSP
 
Securing SharePoint, OneDrive, & Teams with Sensitivity Labels
Securing SharePoint, OneDrive, & Teams with Sensitivity LabelsSecuring SharePoint, OneDrive, & Teams with Sensitivity Labels
Securing SharePoint, OneDrive, & Teams with Sensitivity Labels
Drew Madelung
 
Microsoft Office SharePoint Server 2007
Microsoft Office SharePoint Server 2007Microsoft Office SharePoint Server 2007
Microsoft Office SharePoint Server 2007
Derek Punaro
 
Fast-Tracking your BI Career (one Dashboard at a time)
Fast-Tracking your BI Career (one Dashboard at a time)Fast-Tracking your BI Career (one Dashboard at a time)
Fast-Tracking your BI Career (one Dashboard at a time)
BI Brainz Group
 
Social computing with share point 2010
Social computing with share point 2010Social computing with share point 2010
Social computing with share point 2010
Andrew Clark
 
Security and Compliance in Office 365
Security and Compliance in Office 365Security and Compliance in Office 365
Security and Compliance in Office 365
Joel Jeffery
 
From Trashy to Classy: How The SharePoint 2013 App Model Changes Everything
From Trashy to Classy: How The SharePoint 2013 App Model Changes EverythingFrom Trashy to Classy: How The SharePoint 2013 App Model Changes Everything
From Trashy to Classy: How The SharePoint 2013 App Model Changes Everything
Andrew Clark
 
Essentials for the SharePoint Power User - SharePoint Engage Raleigh 2017
Essentials for the SharePoint Power User - SharePoint Engage Raleigh 2017Essentials for the SharePoint Power User - SharePoint Engage Raleigh 2017
Essentials for the SharePoint Power User - SharePoint Engage Raleigh 2017
Drew Madelung
 
SPS Detroit 2016 - Sharepoint 2016 and new hybrid scenarios
SPS Detroit 2016 - Sharepoint 2016 and new hybrid scenariosSPS Detroit 2016 - Sharepoint 2016 and new hybrid scenarios
SPS Detroit 2016 - Sharepoint 2016 and new hybrid scenarios
Nicolas Georgeault
 
30 on Thursday - Your Digitial Workplace: Store, Share & Sync with Microsoft ...
30 on Thursday - Your Digitial Workplace: Store, Share & Sync with Microsoft ...30 on Thursday - Your Digitial Workplace: Store, Share & Sync with Microsoft ...
30 on Thursday - Your Digitial Workplace: Store, Share & Sync with Microsoft ...
Drew Madelung
 

What's hot (20)

Best practices for Security and Governance in SharePoint 2013
Best practices for Security and Governance in SharePoint 2013Best practices for Security and Governance in SharePoint 2013
Best practices for Security and Governance in SharePoint 2013
 
K Ziai Share Point At Ut
K Ziai Share Point At UtK Ziai Share Point At Ut
K Ziai Share Point At Ut
 
Microsoft 365 Security & Compliance User Group - Microsoft Teams compliance
Microsoft 365 Security & Compliance User Group - Microsoft Teams compliance Microsoft 365 Security & Compliance User Group - Microsoft Teams compliance
Microsoft 365 Security & Compliance User Group - Microsoft Teams compliance
 
Share point 2010
Share point 2010Share point 2010
Share point 2010
 
Office 365 security new innovations from microsoft ignite - antonio maio
Office 365 security   new innovations from microsoft ignite - antonio maioOffice 365 security   new innovations from microsoft ignite - antonio maio
Office 365 security new innovations from microsoft ignite - antonio maio
 
What's new in Security and Compliance in SharePoint , OneDrive for Business &...
What's new in Security and Compliance in SharePoint , OneDrive for Business &...What's new in Security and Compliance in SharePoint , OneDrive for Business &...
What's new in Security and Compliance in SharePoint , OneDrive for Business &...
 
Best practices for security and governance in share point 2013 published
Best practices for security and governance in share point 2013   publishedBest practices for security and governance in share point 2013   published
Best practices for security and governance in share point 2013 published
 
Microsoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & Drew
Microsoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & DrewMicrosoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & Drew
Microsoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & Drew
 
Seminar On Share Point By Maroof Ahmad
Seminar On Share Point By Maroof AhmadSeminar On Share Point By Maroof Ahmad
Seminar On Share Point By Maroof Ahmad
 
SPUnite17 Information Management and Data Governance in Office365
SPUnite17 Information Management and Data Governance in Office365SPUnite17 Information Management and Data Governance in Office365
SPUnite17 Information Management and Data Governance in Office365
 
Enhancing Relevancy & User Experience with SharePoint Search - SPSBMORE 2015
Enhancing Relevancy & User Experience with SharePoint Search - SPSBMORE 2015Enhancing Relevancy & User Experience with SharePoint Search - SPSBMORE 2015
Enhancing Relevancy & User Experience with SharePoint Search - SPSBMORE 2015
 
Securing SharePoint, OneDrive, & Teams with Sensitivity Labels
Securing SharePoint, OneDrive, & Teams with Sensitivity LabelsSecuring SharePoint, OneDrive, & Teams with Sensitivity Labels
Securing SharePoint, OneDrive, & Teams with Sensitivity Labels
 
Microsoft Office SharePoint Server 2007
Microsoft Office SharePoint Server 2007Microsoft Office SharePoint Server 2007
Microsoft Office SharePoint Server 2007
 
Fast-Tracking your BI Career (one Dashboard at a time)
Fast-Tracking your BI Career (one Dashboard at a time)Fast-Tracking your BI Career (one Dashboard at a time)
Fast-Tracking your BI Career (one Dashboard at a time)
 
Social computing with share point 2010
Social computing with share point 2010Social computing with share point 2010
Social computing with share point 2010
 
Security and Compliance in Office 365
Security and Compliance in Office 365Security and Compliance in Office 365
Security and Compliance in Office 365
 
From Trashy to Classy: How The SharePoint 2013 App Model Changes Everything
From Trashy to Classy: How The SharePoint 2013 App Model Changes EverythingFrom Trashy to Classy: How The SharePoint 2013 App Model Changes Everything
From Trashy to Classy: How The SharePoint 2013 App Model Changes Everything
 
Essentials for the SharePoint Power User - SharePoint Engage Raleigh 2017
Essentials for the SharePoint Power User - SharePoint Engage Raleigh 2017Essentials for the SharePoint Power User - SharePoint Engage Raleigh 2017
Essentials for the SharePoint Power User - SharePoint Engage Raleigh 2017
 
SPS Detroit 2016 - Sharepoint 2016 and new hybrid scenarios
SPS Detroit 2016 - Sharepoint 2016 and new hybrid scenariosSPS Detroit 2016 - Sharepoint 2016 and new hybrid scenarios
SPS Detroit 2016 - Sharepoint 2016 and new hybrid scenarios
 
30 on Thursday - Your Digitial Workplace: Store, Share & Sync with Microsoft ...
30 on Thursday - Your Digitial Workplace: Store, Share & Sync with Microsoft ...30 on Thursday - Your Digitial Workplace: Store, Share & Sync with Microsoft ...
30 on Thursday - Your Digitial Workplace: Store, Share & Sync with Microsoft ...
 

Viewers also liked

By Michał M.
By Michał M.By Michał M.
By Michał M.
etwinning
 
Σχορτσιανίτης
ΣχορτσιανίτηςΣχορτσιανίτης
Σχορτσιανίτηςhaddadhlias
 
Storytelling i tecnologia
Storytelling i tecnologiaStorytelling i tecnologia
Storytelling i tecnologia
JMSG_333
 
Оценка эффективности трансплантации клеток
Оценка эффективности трансплантации клетокОценка эффективности трансплантации клеток
Оценка эффективности трансплантации клетокkulibin
 
The simple-power-of-the-doodle
The simple-power-of-the-doodleThe simple-power-of-the-doodle
The simple-power-of-the-doodle
slashdot
 
Open Id
Open IdOpen Id
Sw walentin 1
Sw walentin 1Sw walentin 1
ppt.sejarah di/tii aceh sman 1 kejayan kab pasuruan
ppt.sejarah di/tii aceh sman 1 kejayan kab pasuruanppt.sejarah di/tii aceh sman 1 kejayan kab pasuruan
ppt.sejarah di/tii aceh sman 1 kejayan kab pasuruan
liadatulafidah
 
What is an account?
What is an account?What is an account?
What is an account?
Subbu Pullela
 
Property key terms you may not know
Property key terms you may not knowProperty key terms you may not know
Property key terms you may not know
Chelsea Aston
 
Neglected Tendo-Achilles Rupture Repair by Fhl Augmentation Using Bio-Screw a...
Neglected Tendo-Achilles Rupture Repair by Fhl Augmentation Using Bio-Screw a...Neglected Tendo-Achilles Rupture Repair by Fhl Augmentation Using Bio-Screw a...
Neglected Tendo-Achilles Rupture Repair by Fhl Augmentation Using Bio-Screw a...
iosrjce
 
Interpreting CES 2014
Interpreting CES 2014Interpreting CES 2014
Interpreting CES 2014
What's Next
 
자궁경부암 소개
자궁경부암 소개자궁경부암 소개
자궁경부암 소개
Jiyoung Kim
 
Ahmed Mohamed Maher Shafik
Ahmed Mohamed Maher ShafikAhmed Mohamed Maher Shafik
Ahmed Mohamed Maher Shafik
Ahmed Shafik
 
Introduction to Chemoinformatics
Introduction to ChemoinformaticsIntroduction to Chemoinformatics
Introduction to Chemoinformatics
SSA KPI
 
2 - SynCH: The rationale behing an FPGA-based implementation
2 - SynCH: The rationale behing an FPGA-based implementation2 - SynCH: The rationale behing an FPGA-based implementation
2 - SynCH: The rationale behing an FPGA-based implementation
SynCH - Synergically controlled hand
 
Brave New World Characters
Brave New World CharactersBrave New World Characters
Brave New World Characters
Sam
 
Ey hot topic_robotics
Ey hot topic_roboticsEy hot topic_robotics
Ey hot topic_robotics
EY Perú
 

Viewers also liked (20)

By Michał M.
By Michał M.By Michał M.
By Michał M.
 
Σχορτσιανίτης
ΣχορτσιανίτηςΣχορτσιανίτης
Σχορτσιανίτης
 
επικουρικος
επικουρικοςεπικουρικος
επικουρικος
 
Storytelling i tecnologia
Storytelling i tecnologiaStorytelling i tecnologia
Storytelling i tecnologia
 
Оценка эффективности трансплантации клеток
Оценка эффективности трансплантации клетокОценка эффективности трансплантации клеток
Оценка эффективности трансплантации клеток
 
The simple-power-of-the-doodle
The simple-power-of-the-doodleThe simple-power-of-the-doodle
The simple-power-of-the-doodle
 
Open Id
Open IdOpen Id
Open Id
 
Sw walentin 1
Sw walentin 1Sw walentin 1
Sw walentin 1
 
προσ δημο κω
προσ δημο κωπροσ δημο κω
προσ δημο κω
 
ppt.sejarah di/tii aceh sman 1 kejayan kab pasuruan
ppt.sejarah di/tii aceh sman 1 kejayan kab pasuruanppt.sejarah di/tii aceh sman 1 kejayan kab pasuruan
ppt.sejarah di/tii aceh sman 1 kejayan kab pasuruan
 
What is an account?
What is an account?What is an account?
What is an account?
 
Property key terms you may not know
Property key terms you may not knowProperty key terms you may not know
Property key terms you may not know
 
Neglected Tendo-Achilles Rupture Repair by Fhl Augmentation Using Bio-Screw a...
Neglected Tendo-Achilles Rupture Repair by Fhl Augmentation Using Bio-Screw a...Neglected Tendo-Achilles Rupture Repair by Fhl Augmentation Using Bio-Screw a...
Neglected Tendo-Achilles Rupture Repair by Fhl Augmentation Using Bio-Screw a...
 
Interpreting CES 2014
Interpreting CES 2014Interpreting CES 2014
Interpreting CES 2014
 
자궁경부암 소개
자궁경부암 소개자궁경부암 소개
자궁경부암 소개
 
Ahmed Mohamed Maher Shafik
Ahmed Mohamed Maher ShafikAhmed Mohamed Maher Shafik
Ahmed Mohamed Maher Shafik
 
Introduction to Chemoinformatics
Introduction to ChemoinformaticsIntroduction to Chemoinformatics
Introduction to Chemoinformatics
 
2 - SynCH: The rationale behing an FPGA-based implementation
2 - SynCH: The rationale behing an FPGA-based implementation2 - SynCH: The rationale behing an FPGA-based implementation
2 - SynCH: The rationale behing an FPGA-based implementation
 
Brave New World Characters
Brave New World CharactersBrave New World Characters
Brave New World Characters
 
Ey hot topic_robotics
Ey hot topic_roboticsEy hot topic_robotics
Ey hot topic_robotics
 

Similar to Securing the SharePoint Platform

SPTechCon Boston 2013 - Introduction to Security in Microsoft Sharepoint 2013...
SPTechCon Boston 2013 - Introduction to Security in Microsoft Sharepoint 2013...SPTechCon Boston 2013 - Introduction to Security in Microsoft Sharepoint 2013...
SPTechCon Boston 2013 - Introduction to Security in Microsoft Sharepoint 2013...
AntonioMaio2
 
D Cornell Securing Share Point
D Cornell Securing Share PointD Cornell Securing Share Point
D Cornell Securing Share Point
Art Upton
 
Managesp 160805190411
Managesp 160805190411Managesp 160805190411
Managesp 160805190411
Danielle Jennings
 
Webinar: Microsoft SharePoint-The Ultimate Enterprise Collaboration Platform
Webinar: Microsoft SharePoint-The Ultimate Enterprise Collaboration PlatformWebinar: Microsoft SharePoint-The Ultimate Enterprise Collaboration Platform
Webinar: Microsoft SharePoint-The Ultimate Enterprise Collaboration Platform
Edureka!
 
Microsoft SharePoint 2013 : The Ultimate Enterprise Collaboration Platform
Microsoft SharePoint 2013 : The Ultimate Enterprise Collaboration PlatformMicrosoft SharePoint 2013 : The Ultimate Enterprise Collaboration Platform
Microsoft SharePoint 2013 : The Ultimate Enterprise Collaboration Platform
Edureka!
 
Microsoft Sharepoint 2013 : The Ultimate Enterprise Collaboration Platform
Microsoft Sharepoint 2013 : The Ultimate Enterprise Collaboration PlatformMicrosoft Sharepoint 2013 : The Ultimate Enterprise Collaboration Platform
Microsoft Sharepoint 2013 : The Ultimate Enterprise Collaboration Platform
Edureka!
 
Microsoft SharePoint - Edureka Webinar
Microsoft SharePoint - Edureka WebinarMicrosoft SharePoint - Edureka Webinar
Microsoft SharePoint - Edureka Webinar
Edureka!
 
KMA Deck -C. McNulty discusses ecm wcm-upgrades2010 - nyc
KMA Deck -C. McNulty discusses ecm wcm-upgrades2010 - nycKMA Deck -C. McNulty discusses ecm wcm-upgrades2010 - nyc
KMA Deck -C. McNulty discusses ecm wcm-upgrades2010 - nyc
Knowledge Management Associates, LLC
 
Best Practices for Security in Microsoft SharePoint 2013
Best Practices for Security in Microsoft SharePoint 2013Best Practices for Security in Microsoft SharePoint 2013
Best Practices for Security in Microsoft SharePoint 2013
AntonioMaio2
 
SharePoint 2010 public facing sites
SharePoint 2010 public facing sitesSharePoint 2010 public facing sites
SharePoint 2010 public facing sites
Chris Riley ☁
 
Chris McNulty: ECM/WCM Planning, Implementation and Migration Strategies
Chris McNulty: ECM/WCM Planning, Implementation and Migration StrategiesChris McNulty: ECM/WCM Planning, Implementation and Migration Strategies
Chris McNulty: ECM/WCM Planning, Implementation and Migration Strategies
SharePoint Saturday NY
 
Office 365 Deployment Strategies 2.0
Office 365 Deployment Strategies 2.0Office 365 Deployment Strategies 2.0
Office 365 Deployment Strategies 2.0
Bert Johnson
 
Fabian Williams SharePoint Saturday New York BCS Deck
Fabian Williams SharePoint Saturday New York BCS DeckFabian Williams SharePoint Saturday New York BCS Deck
Fabian Williams SharePoint Saturday New York BCS Deck
Fabian Williams
 
Enhancing Relevancy & User Experience with #SharePoint Search sps-philly 2015
Enhancing Relevancy & User Experience with #SharePoint Search   sps-philly 2015Enhancing Relevancy & User Experience with #SharePoint Search   sps-philly 2015
Enhancing Relevancy & User Experience with #SharePoint Search sps-philly 2015
Gina Montgomery, V-TSP
 
Saa s webinar slides final rlh - 3-31
Saa s webinar slides   final rlh - 3-31Saa s webinar slides   final rlh - 3-31
Saa s webinar slides final rlh - 3-31
neerajarasmussen
 
Sharepoint 2010 architecture, ha and dr (tig)
Sharepoint 2010 architecture, ha and dr (tig)Sharepoint 2010 architecture, ha and dr (tig)
Sharepoint 2010 architecture, ha and dr (tig)
Tihomir Ignatov
 
Spstc2011 Getting the Most from SharePoint's User Profiles
Spstc2011   Getting the Most from SharePoint's User ProfilesSpstc2011   Getting the Most from SharePoint's User Profiles
Spstc2011 Getting the Most from SharePoint's User Profiles
Michael Oryszak
 
MicroSoft Sharepoint Online Training in Canada
MicroSoft Sharepoint Online Training in Canada MicroSoft Sharepoint Online Training in Canada
MicroSoft Sharepoint Online Training in Canada
BoundTechS
 
Office 365 SUGUK march 2011
Office 365 SUGUK march 2011Office 365 SUGUK march 2011
Office 365 SUGUK march 2011
pearce.alex
 
SharePoint Saturday Columbus,Ohio Tony Maddin SharePoint Diagnostic Studio 3.0
SharePoint Saturday Columbus,Ohio Tony Maddin SharePoint Diagnostic Studio 3.0SharePoint Saturday Columbus,Ohio Tony Maddin SharePoint Diagnostic Studio 3.0
SharePoint Saturday Columbus,Ohio Tony Maddin SharePoint Diagnostic Studio 3.0
Tony Maddin
 

Similar to Securing the SharePoint Platform (20)

SPTechCon Boston 2013 - Introduction to Security in Microsoft Sharepoint 2013...
SPTechCon Boston 2013 - Introduction to Security in Microsoft Sharepoint 2013...SPTechCon Boston 2013 - Introduction to Security in Microsoft Sharepoint 2013...
SPTechCon Boston 2013 - Introduction to Security in Microsoft Sharepoint 2013...
 
D Cornell Securing Share Point
D Cornell Securing Share PointD Cornell Securing Share Point
D Cornell Securing Share Point
 
Managesp 160805190411
Managesp 160805190411Managesp 160805190411
Managesp 160805190411
 
Webinar: Microsoft SharePoint-The Ultimate Enterprise Collaboration Platform
Webinar: Microsoft SharePoint-The Ultimate Enterprise Collaboration PlatformWebinar: Microsoft SharePoint-The Ultimate Enterprise Collaboration Platform
Webinar: Microsoft SharePoint-The Ultimate Enterprise Collaboration Platform
 
Microsoft SharePoint 2013 : The Ultimate Enterprise Collaboration Platform
Microsoft SharePoint 2013 : The Ultimate Enterprise Collaboration PlatformMicrosoft SharePoint 2013 : The Ultimate Enterprise Collaboration Platform
Microsoft SharePoint 2013 : The Ultimate Enterprise Collaboration Platform
 
Microsoft Sharepoint 2013 : The Ultimate Enterprise Collaboration Platform
Microsoft Sharepoint 2013 : The Ultimate Enterprise Collaboration PlatformMicrosoft Sharepoint 2013 : The Ultimate Enterprise Collaboration Platform
Microsoft Sharepoint 2013 : The Ultimate Enterprise Collaboration Platform
 
Microsoft SharePoint - Edureka Webinar
Microsoft SharePoint - Edureka WebinarMicrosoft SharePoint - Edureka Webinar
Microsoft SharePoint - Edureka Webinar
 
KMA Deck -C. McNulty discusses ecm wcm-upgrades2010 - nyc
KMA Deck -C. McNulty discusses ecm wcm-upgrades2010 - nycKMA Deck -C. McNulty discusses ecm wcm-upgrades2010 - nyc
KMA Deck -C. McNulty discusses ecm wcm-upgrades2010 - nyc
 
Best Practices for Security in Microsoft SharePoint 2013
Best Practices for Security in Microsoft SharePoint 2013Best Practices for Security in Microsoft SharePoint 2013
Best Practices for Security in Microsoft SharePoint 2013
 
SharePoint 2010 public facing sites
SharePoint 2010 public facing sitesSharePoint 2010 public facing sites
SharePoint 2010 public facing sites
 
Chris McNulty: ECM/WCM Planning, Implementation and Migration Strategies
Chris McNulty: ECM/WCM Planning, Implementation and Migration StrategiesChris McNulty: ECM/WCM Planning, Implementation and Migration Strategies
Chris McNulty: ECM/WCM Planning, Implementation and Migration Strategies
 
Office 365 Deployment Strategies 2.0
Office 365 Deployment Strategies 2.0Office 365 Deployment Strategies 2.0
Office 365 Deployment Strategies 2.0
 
Fabian Williams SharePoint Saturday New York BCS Deck
Fabian Williams SharePoint Saturday New York BCS DeckFabian Williams SharePoint Saturday New York BCS Deck
Fabian Williams SharePoint Saturday New York BCS Deck
 
Enhancing Relevancy & User Experience with #SharePoint Search sps-philly 2015
Enhancing Relevancy & User Experience with #SharePoint Search   sps-philly 2015Enhancing Relevancy & User Experience with #SharePoint Search   sps-philly 2015
Enhancing Relevancy & User Experience with #SharePoint Search sps-philly 2015
 
Saa s webinar slides final rlh - 3-31
Saa s webinar slides   final rlh - 3-31Saa s webinar slides   final rlh - 3-31
Saa s webinar slides final rlh - 3-31
 
Sharepoint 2010 architecture, ha and dr (tig)
Sharepoint 2010 architecture, ha and dr (tig)Sharepoint 2010 architecture, ha and dr (tig)
Sharepoint 2010 architecture, ha and dr (tig)
 
Spstc2011 Getting the Most from SharePoint's User Profiles
Spstc2011   Getting the Most from SharePoint's User ProfilesSpstc2011   Getting the Most from SharePoint's User Profiles
Spstc2011 Getting the Most from SharePoint's User Profiles
 
MicroSoft Sharepoint Online Training in Canada
MicroSoft Sharepoint Online Training in Canada MicroSoft Sharepoint Online Training in Canada
MicroSoft Sharepoint Online Training in Canada
 
Office 365 SUGUK march 2011
Office 365 SUGUK march 2011Office 365 SUGUK march 2011
Office 365 SUGUK march 2011
 
SharePoint Saturday Columbus,Ohio Tony Maddin SharePoint Diagnostic Studio 3.0
SharePoint Saturday Columbus,Ohio Tony Maddin SharePoint Diagnostic Studio 3.0SharePoint Saturday Columbus,Ohio Tony Maddin SharePoint Diagnostic Studio 3.0
SharePoint Saturday Columbus,Ohio Tony Maddin SharePoint Diagnostic Studio 3.0
 

Recently uploaded

Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Zilliz
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 

Recently uploaded (20)

Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 

Securing the SharePoint Platform

  • 1. Bert Johnson SharePoint Architect and MCM - PointBridge Securing the SharePoint Platform
  • 2. Bert Johnson SharePoint Architect with PointBridge Solutions Microsoft Certified Master – SharePoint Server 2010 Twitter: @SPBert Event Hashtag: #SPSChicago Email: bjohnson@pointbridge.com Blog: http://blogs.pointbridge.com/Blogs/Johnson_Bert/
  • 3. About PointBridge By The Numbers: Founded in 2004 250+ SharePoint projects 350,000+ hours of SharePoint experience 30,000+ monthly blog hits 2010 Microsoft Midwest District Award for Best Customer Experience 2009 Microsoft Central US Partner of the Year 2009 SharePoint Conference Award: Multi-Solution Capability 2008 Global Partner of the Year finalist: Citizenship 2007 Microsoft US Partner of the Year: SharePoint One of 35 Microsoft National Systems Integrators One of 15 members of Microsoft Partner Advisory Council for SharePoint
  • 4. Agenda The Importance of SharePoint Security Facets of SharePoint Security Resources Q & A
  • 5. The Importance of SharePoint Security
  • 6. What is SharePoint? SharePoint is: “A site-provisioning engine” No really, SharePoint is: A website A series of databases An application platform SharePoint touches: Your network Your Active Directory Your LOB Systems SharePoint is a platform with a large attack surface
  • 7. SharePoint is Everywhere Over 20,000 new SharePoint seats have been added every day for 5 years Over 1,500 high profile websites on SharePoint SharePoint is becoming increasingly “business critical” SharePoint is commonly used for Intranets Extranets Internet Sites Application platforms
  • 8. Types of Security Threats Threats we’re going to explore today: Data disclosure / theft Data loss System downtime Types of attacks: Cross-site scripting (XSS) Cross-site request forgery (CSRF) Clickjacking Privilege escalation “Man in the middle” / replay attacks SQL injection If it’s a threat to other websites or databases, it’s a threat to SharePoint
  • 9. Software Security in the News March 17 – RSA SecureID Compromised March 24 - Comodo Security Breach April 4 - Epsilon Data Leak April 12 - Largest Microsoft Patch Tuesday April 20 – PlayStation Network Hack May 30 – LulzSec (PBS, Sony, NHS, etc.) June 9 – Citigroup Accounts Accessed * Concise history of recent Sony hacks http://attrition.org/security/rants/sony_aka_sownage.html
  • 13. Planning for Security Plan personas and define permission matrices Understand content and security contexts Determine authentication, SSO, and federation goals Use the SharePoint 2010 upgrade as an opportunity to apply governance Don’t expect the default settings to protect you
  • 15. Anonymous Access Carefully decide if SharePoint is the right platform for anonymous access Especially consider implications for public blogs and wikis Always use the site lockdown feature “Get-SPFeatureviewformpageslockdown” Further restrict pages using web.config or UAG Add SharePoint to your website security testing Don’t lock out the /_layouts path altogether
  • 16. Example:I don’t think we’ve met…
  • 17. Authentication and Directory Security Synchronize only the AD users relevant for social features Don’t bring confidential information into user profiles Understand the impacts of third-party federation Track and block rogue SharePoint installations with “Service Connection Points” Develop a password change / managed account strategy
  • 19. Content Security Audiences are not security Search content rollups make bypassing audiences simple Item-level permissions / broken permission inheritance should be the exception, not the rule Avoid using policies to override permissions PDFs = Pretty Dangerous Files Consider Information Rights Management and auditing
  • 20. Example:The man in the middle…
  • 21. Network Security Always use SSL for authenticated access Firewall all nonessential public ports Host all servers on the same vLAN Use IPSec for geo-distributed communication Be aware of “loopback check” implications
  • 24. Application Security Never expose SharePoint’s application tier to the internet Don’t host Central Administration on a web front-end Isolate service accounts and use standard naming conventions Use multiple IIS application pools (but not too many) Never use CNames
  • 26. Database Security Isolate SharePoint databases from other systems Minimize the SQL surface area by disabling unneeded features Consider SQL 2008 “Transparent Data Encryption” Performance impact, backup size impact, and file stream impacts Don’t leave SharePoint backups within the content database or on web-front ends
  • 28. Connected System Security Remove the X-HealthScore, MicrosoftSharePointTeamServices, and other identifying headers Leverage the Secure Store Service for safely accessing external systems via BCS Avoid reliance on Flash content Consider ForeFront UAG endpoint security Set policies regarding data being stored offline
  • 29. Example:Could you do this for me?
  • 30. Custom Development Security Build security testing into the SDLC for all custom and third-party components Take advantage of CAS policies and the ULS logs Utilize sandbox solutions whenever possible Minimize use of RunWithElevatedPrivilege() With SharePoint 2010, Javascript is now the biggest threat
  • 31. Example:You don’t want this help…
  • 32. Security Maintenance and Monitoring If running WSS/MOSS, patch to October 2010 CU or install MS10-039 Keep SharePoint, Windows, and SQL patched to latest service packs Deploy server-side virus protection Use Systems Center Operations Manager with SP health rules to monitor for performance spikes or errors related to attacks Build security assessments and spot checks into other SharePoint maintenance plans Familiarize self with “Site Permissions > Check Permissions”
  • 34. Resources Downloadable book: Security for Office SharePoint Server 2007 http://technet.microsoft.com/en-us/library/cc262619(office.12).aspx Locking down Office SharePoint Server sites http://technet.microsoft.com/en-us/library/ee191479(office.12).aspx Plan for and design security http://technet.microsoft.com/en-us/library/cc262331(office.12).aspx Bert Johnson security blogs http://blogs.pointbridge.com/Blogs/Johnson_Bert/
  • 35. Q & A
  • 36. Bert Johnson SharePoint Architect with PointBridge Solutions Microsoft Certified Master – SharePoint Server 2010 Twitter: @SPBert Event Hashtag: #SPSChicago Email: bjohnson@pointbridge.com Blog: http://blogs.pointbridge.com/Blogs/Johnson_Bert/
  • 37. Housekeeping Please remember to submit your session evaluation forms after each session you attend to increase your chances at the raffle Follow SharePoint Saturday Chicago on Twitter @spschicago and hashtag #spschicago
  • 38. Thanks to Our Sponsors! Premier Gold Silver Bronze Sponsors

Editor's Notes

  1. [1 minute]
  2. [1 minute]
  3. [1 minute]
  4. [2 minutes]“Application platform” includes custom development, Project Server, SAP Duet, FAST Search, TFS.
  5. [1 minute]
  6. [2 minutes]
  7. [2 minutes]
  8. [2 minutes]On one of my first SharePoint assessments, a major firm I was working with had no idea how much data or what kinds of data they had, how many users they had, or how permissions were configured. They estimated a couple thousand people had access to SharePoint. It turned out over 22,000 did.
  9. [3 minutes]The farm configuration wizard creates some security gaps by default.
  10. [5 minutes]Unless the site feature is activated, standard SharePoint endpoints are available, making data discovery easy./Forms/AllItems.aspx/_layouts/viewlsts.aspx/_vti_bin/sites.asmx
  11. [2 minutes]SharePoint people search results have no form of security trimming. If a user can see any people results, they can see them all.
  12. [2 minutes]Too often, SharePoint site owners rely on obfuscation or audience targeting to try and secure content.
  13. [3 minutes]Any party who can manipulate SharePoint’s HTML directly or impersonate third party Javascript can compromise the site.
  14. [2 minutes]The InfoPath forms service web service proxy caches credentials, allowing for subsequent users to impersonate preceding users if accessed directly.
  15. [3 minutes]SharePoint designer backups are exported to the root of your SharePoint site as unencrypted CMP packages.
  16. [3 minutes]SharePoint 2010 added a new header called X-HealthScore for preventing Office client abuse. In public sites, it advertises server load. All SharePoint versions reveal their version number in a header by default.
  17. [4 minutes]Malicious Javascript can be used to manipulate data when another user runs it.
  18. [2 minutes]MOSS 2007 below August 2009 has XSS bug in the help pages allowing arbitrary code injection.
  19. [1 minute]