Maximizing SharePoint Security Whitepaper v2.0

1/2018

This technical whitepaper describes how to protect SharePoint Servers

and Websites, in addition to what is the best practices to maximize the

SharePoint Security controls.

Fadi Abdulwahab

CSSLP, MCC, MCITP


Author

Author for SharePoint 2013 book and many SharePoint

whitepapers including Search, Variation and Availability

topics, focus on building secure web applications.

Achieved many projects with Microsoft Technologies since

2006 for banks, universities, and ministries.

Experienced in SharePoint Administration, Infrastructure,

Development, Governance, and Disaster Recovery.

Specialties: SharePoint Server, AWS/Azure, ASP.NET/C#, OWASP Top 10, SQL Server Administration and High Availability Solutions.

Recognized as Microsoft Community Contributor in July 2013

(ISC) 2 - CSSLP® Certified Secure Software Lifecycle Professional in July 2015

AWS Solutions Architect – Associate certification in April 2017

My Blog:

https://fabdulwahab.com

My Twitter Account:

https://twitter.com/fadi_abdulwahab

My LinkedIn account:

https://www.linkedin.com/in/fadiabdulwahab

My MSDN Profile:

https://social.msdn.microsoft.com/profile/fadi%20abdulwahab/

My SharePoint Book (Advanced Topics in SharePoint 2013 in Arabic language):

http://www.neelwafurat.com/itempage.aspx?id=lbb229815-208246&search=books


Disclaimer

This document is provided "as is"; test any change before going live.

Product or company names mentioned in this document may be the trademarks of their respective owners.

You can use this whitepaper for your websites and other needs.

Fadi Abdulwahab © 2018, all rights reserved.

I will be happy with your feedback because your feedback is very important; if you have comments or new points, please send them to me @ [email protected]

Version logs

Version   Date        Notes
1.0       20/12/2015  First release
1.1       4/12/2016   Added CIS SharePoint benchmark
                      Added link for more security headers like HTTP Public Key Pinning
                      Added more security controls in SharePoint configurations
                      Fixed Search Crawl Rules
2.0       24/1/2018   Added CIS SharePoint 2016 benchmark
                      Added the new SharePoint 2016 features related to security:
                        Data Loss Prevention
                        Outgoing SMTP encryption
                        TLS 1.2 support
                        Patching with zero downtime
                      New changes for SharePoint 2016 service accounts


Table of Contents

Author ......................................................................................................................... 2

Disclaimer .................................................................................................................... 3

Version logs ................................................................................................................. 3

Why Maximizing SharePoint Security .............................................................................. 7

Introduction ................................................................................................................. 8

HTTPs everywhere ........................................................................................................ 9

General Best Practices and Tips ............................................................................................ 9

Configuring SSL/TLS for SharePoint ..................................................................................... 10

Redirect from HTTP to HTTPs .............................................................................................. 16

Server Name Indication (SNI) .............................................................................................. 17

HTTP and HTTPs in AAM ...................................................................................................... 18

SSL Server Test ..................................................................................................................... 18

Mixed Content Mode .......................................................................................................... 24

HTTPs on Login Page only .................................................................................................... 25

Secure cookies ..................................................................................................................... 25

HTTPOnly cookies ................................................................................................................ 26

HSTS ..................................................................................................................................... 26

https://scotthelme.co.uk/hardening-your-http-response-headers/ .................................. 29

End to End Secure Channels ................................................................................................ 29

Extended Validation Certificate (EV) ................................................................................... 29

Performance vs. Security ..................................................................................................... 29

100% security coverage ....................................................................................................... 30

Recommended Reference ................................................................................................... 30

References ........................................................................................................................... 30

Response Headers ...................................................................................................... 31

Version Disclosure (ASP.NET) .............................................................................................. 31

ASP.NET Identified ............................................................................................................... 31

Version Disclosure (IIS) ........................................................................................................ 32

Version Disclosure (SharePoint) .......................................................................................... 33

Clickjacking .......................................................................................................................... 33

ViewState is not encrypted .......................................................................................... 35

Sensitive resources ..................................................................................................... 36

Accessing _layout/ folder .................................................................................................... 36

_vti_inf.html, _vti_bin , _vti_pvt and _vti_bin/spsdisco.aspx ............................................. 36

Web.config configurations ........................................................................................... 37


Stack Trace and Errors Disclosure (ASP.NET) ...................................................................... 37

Validation Request .............................................................................................................. 37

Patching .................................................................................................................... 38

ASP.NET Security Vulnerabilities ......................................................................................... 39

Persistent XSS flaw in SharePoint 2013 ............................................................................... 39

SharePoint configurations ............................................................................................ 40

Secure SharePoint’s Components ........................................................................................ 40

Plan for administrative and service accounts in SharePoint ............................................... 40

Central Administration Site ................................................................................................. 40

Manage blocked file types in SharePoint ............................................................................ 41

Set Security Validation to On............................................................................................... 41

Do Not Crawl Sensitive Content .......................................................................................... 41

Crawl Rules in Search .......................................................................................................... 42

Default content access account .......................................................................................... 43

Max Upload Document / Max Request length .................................................................... 43

Health Check ........................................................................................................................ 44

Require Use Remote Interfaces permission ........................................................................ 45

Enable Client Integration ..................................................................................................... 45

Separation of duties ............................................................................................................ 45

SharePoint Anti-Virus .......................................................................................................... 47

Windows configurations .............................................................................................. 49

Disable loopback check ....................................................................................................... 49

TCP/IP Ports of SharePoint 2013/2016 ............................................................................... 49

Data Loss Prevention in SharePoint 2016 ........................................................................... 51

Outgoing SMTP Encryption ................................................................................................. 51

Google Hacking .......................................................................................................... 53

Preferences .......................................................................................................................... 53

Advanced Operators ............................................................................................................ 53

Hacking Your Website ......................................................................................................... 54

Robots.txt configuration...................................................................................................... 59

Caching ............................................................................................................................ 59

Snippet ............................................................................................................................. 59

No Index .......................................................................................................................... 60

Remove Pages from Google's Index .................................................................................... 60

Tools .................................................................................................................................... 60

GHDB ............................................................................................................................... 60


WIKTO .............................................................................................................................. 61

SearchDiggity ................................................................................................................... 64

SHODAN ........................................................................................................................... 67

Recommended Reference ................................................................................................... 68

SharePoint Support ..................................................................................................... 69

Metasploit ................................................................................................................. 70

ASafaWeb .................................................................................................................. 71

CIS SharePoint benchmark ........................................................................................... 73


Why Maximizing SharePoint Security

Security is an increasingly important concern throughout the lifecycle of building applications that stay resilient against attackers while in operation, all the more so as applications become accessible over the internet.

"Maximizing" because security is about degrees (there is no 100% security!).

In this version I try to cover the most common issues and security controls related to on-premises SharePoint 2010, 2013 and 2016.

Finally, treat security as a continuous process; it is not "set and forget".


Introduction

This document helps SharePoint developers and administrators protect SharePoint applications and portals from the common security issues that health checkers and penetration-testing tools report most frequently. Most of these issues are information disclosure, which falls under A6 "Sensitive Data Exposure", and missing patches, which fall under A9 "Using Components with Known Vulnerabilities", in the OWASP Top 10 2013. SharePoint is a product and framework that is "secure by default", so risks like injection or broken session management are rarely found in SharePoint Server applications; they become relevant when you develop custom applications and host them in SharePoint as web parts or in any other way, and then you need to consider the other OWASP risks as well.

Unfortunately, many testing tools report false positives. For instance, I read a security testing report in which one of the issues was "MongoDB NoSQL Injection"; all of us know that SharePoint uses SQL Server only as its back-end system (you can't install SharePoint on another RDBMS, so how could it be vulnerable through a NoSQL database!).

Most of these issues and their mitigations are already published on the internet, but here I try to put them in one place to make it easy for me and others to review the SharePoint security risks.

Finally, before I list the points, I want to clarify that I will not mention points related to best practices for installation, proper configuration, planning, etc. I assume you followed the right implementation when building your SharePoint farm.


HTTPS everywhere

It is a top priority to serve your websites over a secure connection, using TLS (the successor of SSL), to protect your information in transit and to protect users from attacks such as DNS poisoning, where a rogue host cannot present a valid certificate for your domain. HTTPS is HTTP carried inside a TLS connection, and it gives your websites the following:

1. Confidentiality: data in transit cannot be read by anyone sniffing the network with tools like Fiddler or Wireshark, or by a man-in-the-middle (the main goal).

2. Integrity: data is protected from tampering in transit; a record that anyone on the path has modified is rejected.

3. Authenticity: the certificate gives visitors assurance about your domain and about who they are really talking to.

4. Ranking signal: Google uses HTTPS as a ranking signal to encourage a safer and more secure internet, so it can also improve your position in Google search results.

General Best Practices and Tips

Here are the most important tips to consider when deploying HTTPS:

- Decide on the kind of certificate (single-name, multi-domain/SAN or wildcard) and make sure it covers all of your hostnames.

- Use 2048-bit RSA private keys; if you still have 1024-bit RSA keys, replace them as soon as possible.

- Don't use self-signed certificates on production servers; use certificates from a trusted Certificate Authority such as DigiCert or GoDaddy, or a free certificate from Let's Encrypt (StartSSL certificates are no longer trusted by the major browsers; Cloudflare's free certificates only cover the Cloudflare edge, not your own servers).

- Protect the private key and treat it as a secret asset.

- Protect the PFX file that holds the private key with a strong password.

- Avoid certificate warnings caused by expiry or other validation errors; they confuse users and weaken their trust in your website (authenticity).

- Replace SHA-1 signed certificates with certificates signed with a strong hash such as SHA-256.

- Deploy certificates with a complete and valid chain (include the intermediate certificates on the server).

- TLS 1.2 should be your main protocol; disable the old protocols SSL 2.0 and SSL 3.0.

Note

Check your clients' browser versions: Internet Explorer 6 on Windows XP before Service Pack 3 does not support SHA-256 signed certificates.
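As an added example (not part of the whitepaper), the following PowerShell audits every certificate in the machine store of a web server against the checklist above: RSA key size, signature hash, self-signed, validity dates and a complete chain. It assumes it is run as administrator on the SharePoint web server; the 30-day expiry threshold is an arbitrary choice.

```powershell
# Added example, not from the whitepaper: audit the machine certificate store
# against the checklist above. Assumptions: run as administrator on the web
# server; 30 days is an arbitrary expiry-warning threshold.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$ExpiryWarningDays = 30
    )
    $findings = @()
    $now = Get-Date

    # Key size: only RSA keys are judged against the 2048-bit rule.
    $keySize = $null
    try { $keySize = $Cert.PublicKey.Key.KeySize } catch { }   # .Key throws for ECDSA on older .NET
    if ($Cert.PublicKey.Oid.FriendlyName -eq 'RSA' -and $keySize -and $keySize -lt 2048) {
        $findings += "weak RSA key: $keySize bit"
    }

    # Signature hash: sha1RSA, md5RSA and md2RSA are all obsolete.
    $sig = $Cert.SignatureAlgorithm.FriendlyName
    if ($sig -match '^(sha1|md5|md2)') { $findings += "weak signature: $sig" }

    if ($Cert.Subject -eq $Cert.Issuer) { $findings += 'self-signed' }
    if ($Cert.NotBefore -gt $now) { $findings += 'not yet valid' }
    if ($Cert.NotAfter -lt $now) { $findings += "expired $($Cert.NotAfter.ToShortDateString())" }
    elseif ($Cert.NotAfter -lt $now.AddDays($ExpiryWarningDays)) { $findings += "expires $($Cert.NotAfter.ToShortDateString())" }

    # Build the chain the way a client would; a failure means browsers will warn
    # (untrusted root, missing intermediate, revoked, ...).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $findings += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# Audit everything in the Personal store of the machine, where IIS certificates live.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-ServerCertificate -Cert $_ } | Format-Table -AutoSize
```

Anything other than "OK" in the Findings column is a certificate you should replace or re-chain before the next SSL Labs test; self-signed certificates are expected on development servers only.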


Configuring SSL/TLS for SharePoint

Here I will explain how to configure SSL/TLS for SharePoint 2013; the same steps apply to SharePoint 2010.

Notes:

- SharePoint 2016 supports TLS 1.2 out of the box. SharePoint 2010 and 2013 were built for TLS 1.0; they can use TLS 1.2 only after the .NET Framework and SChannel settings are updated on every server in the farm (SQL Server included), so test that before you disable TLS 1.0.

- Use SSL bridging rather than SSL offloading on the load balancer: with bridging the traffic between the load balancer and the web servers is re-encrypted, so it is protected end to end, while with offloading the internal leg travels in clear text. Performance is no longer an argument against HTTPS; with HTTP/2, which browsers only enable over TLS, an HTTPS site can even be faster than the plain HTTP one. Try https://www.httpvshttps.com/ .

Prerequisites:

1. IIS 8

2. SharePoint Server 2013 farm

3. Windows Server 2012

4. A web application on port 80

5. Administrator privileges on the server

Steps:

1. Create a self-signed certificate in IIS 8

2. Import the self-signed certificate into the SharePoint certificate store (optional)

3. Add the self-signed certificate to trust management in Central Administration (optional)

4. Configure the IIS binding

5. Configure AAM


Step 1: Create a self-signed certificate in IIS 8

Open IIS Manager, select the server node and open "Server Certificates" in the IIS section.

Click "Create Self-Signed Certificate..." in the Actions pane.

Specify a name such as "SharePointSelfSignedCert" and click OK.

Double-click the created certificate, go to the Details tab and click "Copy to File...".


Click Next (Welcome...).

Select "No, do not export the private key" and click Next.

Select "DER encoded binary X.509 (.CER)" and click Next.

Specify the location for the file, click Next and then Finish.

Step 2: Import the self-signed certificate into the SharePoint certificate store (optional)

Open "Manage Computer Certificates" on Windows Server 2012, go to the SharePoint node, right-click it and choose All Tasks >> Import...

Click Next, specify the location of the certificate exported in the previous step and click Next.

Make sure the certificate store is "SharePoint", click Next and then Finish.


Step 3: Add the self-signed certificate to trust management in Central Administration (optional)

Go to Central Administration >> Security >> Manage Trust (to tell SharePoint to trust this certificate as well).

Click New.

Enter a name, specify the location of the certificate file and click OK.

Step 4: Configure the IIS binding

Go to IIS Manager, select the IIS site of your web application and click "Bindings..." in the Actions pane.


Click Add...

Type: https

SSL certificate: SharePointSelfSignedCert (created previously).

Click OK.

Step 5: Configure AAM

Go to Central Administration >> Alternate Access Mappings and choose your web application.

Click "Edit Public URLs" and add the HTTPS URL.


Click Save.

Now browse your website with the HTTPS URL.

Notes

1. If you add the self-signed certificate to the Trusted Root Certification Authorities store on the client PC, the certificate warning in the browser disappears (on that PC only).

2. On production servers you need a certificate from a trusted CA, and in that case you import it as a PKCS#12 (.pfx) file, which contains the private key.


3. Sometimes you need a tool such as OpenSSL or the DigiCert Certificate Utility to convert the certificate into .pfx format.

4. When importing the .pfx, do not mark the private key as exportable (leave "Allow this certificate to be exported" unchecked); this makes it harder to extract the key from the server.
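As an added example (not part of the whitepaper), here are the five steps above as one script for the SharePoint Management Shell. The IIS site name "SharePoint - 80", the web application URL http://intranet, the hostname intranet.domain.com, the export folder C:\Certs and the Intranet zone are all assumptions; change them to match your farm.

```powershell
# Added example, not from the whitepaper: the five steps above as one script for
# the SharePoint Management Shell, run as a farm administrator on the web server.
# Assumptions (change to match your farm): IIS site "SharePoint - 80", web
# application http://intranet, hostname intranet.domain.com, export folder C:\Certs.
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$hostName  = 'intranet.domain.com'
$iisSite   = 'SharePoint - 80'
$webApp    = 'http://intranet'
$exportDir = 'C:\Certs'

# Step 1: self-signed certificate in the machine store. Test/dev only; on
# production import a CA-issued PFX instead (see the notes above).
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My'

# Export the public part only (DER .cer); the private key never leaves the store.
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
$cerPath = Join-Path $exportDir "$hostName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Step 2 (optional): copy the public certificate into the "SharePoint" store.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\SharePoint' | Out-Null

# Step 3 (optional): the same as Central Administration > Security > Manage Trust.
New-SPTrustedRootAuthority -Name "$hostName self-signed" -Certificate $cert | Out-Null

# Step 4: HTTPS binding on 443 and attach the certificate to the IP:port binding.
# Fails if another site already owns 0.0.0.0:443 on this server.
New-WebBinding -Name $iisSite -Protocol https -Port 443 -HostHeader $hostName
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# Step 5: public HTTPS URL in AAM. Use the zone your design calls for; Intranet here.
New-SPAlternateURL -Url "https://$hostName" -WebApplication $webApp -Zone Intranet | Out-Null

# Verify: the binding exists and the farm knows the new URL.
Get-WebBinding -Name $iisSite -Protocol https
Get-SPAlternateURL -WebApplication $webApp
```

Steps 1, 2 and 4 are per server, so run them on every web front end (in production, import the same CA-issued PFX on each one rather than creating a certificate per server); steps 3 and 5 are farm-wide and run once.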

Redirect from HTTP to HTTPS

Enabling HTTPS is not enough; you also need to force users onto HTTPS. First install the IIS URL Rewrite extension on all SharePoint web servers (front-end servers); follow this URL to install it:

http://www.iis.net/downloads/microsoft/url-rewrite

Then open the web application's web.config (on every web server, because manual web.config edits are not replicated by the farm) and add the following section under <system.webServer>:

    <rewrite>
      <rules>
        <!-- Any request that did not arrive over HTTPS gets a 301 to the same path on https:// -->
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>

Note

The rule applies to every request the IIS site receives, not only to browsers, so test search crawling and any server-to-server integrations after enabling it.

Because of the redirect round trip there is still a small window in which the first plain-HTTP request can be intercepted by a man-in-the-middle before the redirect takes place; the HSTS response header, covered later in this document, mitigates that risk.
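As an added example (not part of the whitepaper), here is the same rule applied with the WebAdministration cmdlets instead of editing web.config by hand, followed by a check that plain HTTP really answers with a 301 to https://. It assumes URL Rewrite is installed, that the IIS site of the web application is named "SharePoint - 80" and that the public host is intranet.domain.com; run it on every web front end, since web.config edits are per server.

```powershell
# Added example, not from the whitepaper: add the HTTP-to-HTTPS rule above to the
# IIS site of the web application and verify it. Assumptions: URL Rewrite is
# installed, the site is "SharePoint - 80", the host is intranet.domain.com.
Import-Module WebAdministration

$site     = 'IIS:\Sites\SharePoint - 80'
$ruleName = 'HTTP to HTTPS redirect'
$rules    = 'system.webServer/rewrite/rules'
$rule     = "$rules/rule[@name='$ruleName']"

# Skip if the rule is already present, so the script can be rerun safely.
if (-not (Get-WebConfigurationProperty -PSPath $site -Filter $rule -Name 'name' -ErrorAction SilentlyContinue)) {
    Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' `
        -Value @{ name = $ruleName; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match" -Name 'url' -Value '(.*)'
    Add-WebConfigurationProperty -PSPath $site -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = 'off'; ignoreCase = 'True' }
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'type' -Value 'Redirect'
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'url' -Value 'https://{HTTP_HOST}/{R:1}'
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'redirectType' -Value 'Permanent'
}

# Verify: a plain-HTTP request must answer 301 with an https:// Location header.
function Test-HttpsRedirect {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        return [pscustomobject]@{ Status = [int]$r.StatusCode; Location = $r.Headers['Location'] }
    } catch {
        # Windows PowerShell throws when the redirect limit is hit; the response
        # is still attached to the exception, so read the status and Location from it.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
        return [pscustomobject]@{ Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] }
    }
}

# Expected: Status 301 and Location https://intranet.domain.com/ (assumed host).
Test-HttpsRedirect -Url 'http://intranet.domain.com/'
```

If the check returns 200 instead of 301, the rule was written to a different site than the one answering on port 80, or URL Rewrite is not installed on that server.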

Server Name Indication (SNI)

SNI is an extension of the TLS protocol (RFC 6066) that IIS 8 supports; it allows IIS to host multiple HTTPS websites, each with its own certificate, on a single IP address, selecting the certificate by the hostname the client asks for.

Let me give you a real example. Assume we have two web applications:

https://intranet.domain.com = host for the intranet SharePoint web application

https://*.apps.intranet.domain.com = host for SharePoint apps

In this case you need two certificates: one for the intranet portal with the SNI name intranet.domain.com, and a wildcard certificate for the SharePoint apps, because each time an app is added to a site, SharePoint assigns it its own app-prefixed subdomain, for example app-432524352345.apps.intranet.domain.com.

Before SNI you needed two IP addresses, one per certificate. With SNI the client sends the hostname in its first TLS message when it establishes the connection, so the server can pick the matching certificate and one IP address can serve several certificates.

Note

Clients that do not send SNI only ever see the certificate of the IP-based binding: Internet Explorer on Windows XP and the stock Android browser before version 3.0 are the common examples.
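As an added example (not part of the whitepaper), the following PowerShell creates the two bindings for the layout above on one IP address: an SNI binding for intranet.domain.com and an IP-based fallback binding carrying the wildcard certificate for the app subdomains, which have no fixed host header. The site names "SharePoint - Intranet" and "SharePoint - Apps" and the certificate subjects are assumptions; both certificates must already be in the machine store.

```powershell
# Added example, not from the whitepaper: one IP address, two certificates, with
# SNI in IIS 8. Assumptions: both certificates are in Cert:\LocalMachine\My with
# the subjects below, the IIS sites are "SharePoint - Intranet" and
# "SharePoint - Apps", and nothing else is bound to 0.0.0.0:443 on this server.
Import-Module WebAdministration

$intranetCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=intranet.domain.com' } | Select-Object -First 1
$appsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=*.apps.intranet.domain.com' } | Select-Object -First 1
if (-not $intranetCert -or -not $appsCert) { throw 'certificate(s) not found in the machine store' }

# Portal: SNI binding (SslFlags 1 = "Require Server Name Indication") keyed on
# the host name, so the intranet certificate is served only for that name.
New-WebBinding -Name 'SharePoint - Intranet' -Protocol https -Port 443 `
    -HostHeader 'intranet.domain.com' -SslFlags 1
New-Item -Path 'IIS:\SslBindings\!443!intranet.domain.com' -Value $intranetCert -SSLFlags 1 | Out-Null

# Apps: every app lives on its own app-xxxx.apps.intranet.domain.com name, so
# there is no single host header to bind. Use the IP-based (non-SNI) binding with
# the wildcard certificate; IIS falls back to it for any name that has no SNI
# binding, and for clients that do not send SNI at all.
New-WebBinding -Name 'SharePoint - Apps' -Protocol https -Port 443 -IPAddress '*'
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $appsCert | Out-Null

# Both entries should now be listed: one keyed by host name, one by IP:port.
Get-ChildItem IIS:\SslBindings
```

A client without SNI (the note above) therefore receives the wildcard certificate even when it asks for intranet.domain.com and gets a name-mismatch warning; that is the trade-off of sharing one IP address.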

HTTP and HTTPS in AAM

If a user logs in through the HTTPS URL and is then redirected to the HTTP URL, the browser asks the user to log in again on the HTTP URL (always use HTTPS).

How to fix it:

Go to Central Administration.

Open Alternate Access Mappings (AAM).

Select your web application from the drop-down menu at the top right.

Click "Edit Public URLs" and remove the HTTPS URL.

Click "Add Internal URLs", add the HTTPS URL and select the same zone as the HTTP URL.

Notes

1. If you want to publish your website over HTTPS only, it is recommended to have only an HTTPS zone.

2. The case above applies when HTTPS is configured on the load balancer only and the site is accessed internally over HTTP.

SSL Server Test

The SSL/TLS protocol, like any other framework, has features, extensions and also bugs. Installing and configuring your website with HTTPS is not enough: you could have an HTTPS website that in reality behaves like an HTTP website, for example because the certificate uses a weak hash or key, or because you did not disable old protocols that are considered insecure nowadays.

"Qualys SSL Labs" has several important projects, one of which is the "SSL Server Test". It performs the following steps:

1. Validate the certificate

2. Validate the server configuration, including

   a. Protocol support

   b. Key exchange support

   c. Cipher support

According to the results of these steps it grades your website (from A+ down to F).

Server certificate testing covers the following issues:

- Domain name mismatch

- Certificate not yet valid

- Certificate expired

- Use of a self-signed certificate

- Use of a certificate that is not trusted (unknown CA or some other validation error)

- Use of a revoked certificate

- Insecure certificate signature (MD2 or MD5)

- Insecure key

Protocol support testing covers the following issues:

- Which SSL/TLS protocol versions the server accepts

  - SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2

At least make sure SSL 2.0 and SSL 3.0 are disabled; these protocols are considered insecure and have many weaknesses and vulnerabilities, such as the POODLE attack.

Key exchange testing covers the following issues:

- Key exchange without authentication (anonymous cipher suites)

- Weak key exchange (short or weak parameters)

Cipher strength testing checks whether the symmetric cipher is weak or strong and also checks the key length.

You can find more about the SSL Server rating and testing in the references section of this document.


To test your HTTPS implementation, go to https://www.ssllabs.com/ssltest/, enter your domain name in the textbox and click Submit.

Most Certificate Authorities have tightened the security of the certificates they issue (SHA-256 signatures, 2048-bit keys), so with an up-to-date certificate the certificate part of the test usually passes, and the issues that remain come from the SSL/TLS protocol and cipher configuration of the Windows servers.

Let us look at the results of two websites.

The first website has the right implementation (not 100%):

The certificate test passed; the certificate is up to date with secure algorithms.

The protocol test shows that only the secure protocols are supported and that SSL 2.0 and SSL 3.0, which are considered insecure, are disabled.

Now the second website, with misconfigured SSL protocols:


As the results above show, this website has the following issues (the SSL Labs messages verbatim):

- This server supports SSL 2, which is obsolete and insecure. Grade set to F.

- This server is vulnerable to the POODLE TLS attack. Patching required. Grade set to F.

- This server uses SSL 3, which is obsolete and insecure. Grade capped to B.

- The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.

- This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.

- The server does not support Forward Secrecy with the reference browsers.

These findings come down to three points: the Windows server still accepts the deprecated SSL 2.0 and SSL 3.0 protocols, which have many vulnerabilities such as the POODLE attack; it accepts the RC4 cipher, which is considered insecure; and it does not offer TLS 1.2 (nor forward-secrecy cipher suites). Fixing these three points is easy and is usually enough to get an "A" in the assessment.

One caveat: the "POODLE TLS" finding is not the SSL 3.0 issue. It is an implementation bug in the padding check of the TLS stack, or of a load balancer or SSL accelerator in front of the server, and disabling SSL 3.0 does not remove it; the device that terminates TLS must be patched, as the message says.

The protocols and ciphers are controlled by registry keys under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols (protocol versions)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers (ciphers)

You can follow these steps to disable SSL 2.0 and SSL 3.0:

1. Open regedit.

2. In Registry Editor, locate the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

3. Right-click the SSL 2.0 key (create it if it does not exist), select New and then Key. Name the new key Server.

4. Inside the Server key, open the Edit menu, select New and click DWORD (32-bit) Value.

5. Enter Enabled as the name and press Enter.

6. Ensure that it shows 0x00000000 (0) in the Data column.

7. To disable SSL 3.0, right-click the SSL 3.0 key, select New and then Key. Name the new key Server.

8. Inside the Server key, open the Edit menu, select New and click DWORD (32-bit) Value.

9. Enter Enabled as the name and press Enter.

10. Ensure that it shows 0x00000000 (0) in the Data column.

11. Restart the computer.

RC4 can be disabled completely on Windows by setting the Enabled (REG_DWORD) value to 0 under each of the following keys (create the key if it does not exist):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128

Then restart the servers.

Free tools such as IIS Crypto, or a script, can automate all of this. The following PowerShell script disables the old protocols and weak ciphers, enables TLS 1.2 and sets a cipher suite order that provides forward secrecy:

Visit https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12, download the recommended ps1 file, run it on each web server and restart the server afterwards.
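As an added example (this is neither the whitepaper's own script nor the hass.de script), the following PowerShell does the same registry work as the manual steps above, idempotently, and exports a backup of the SCHANNEL key first. It assumes Windows Server 2008 R2 or later and an elevated session; the backup file name is an arbitrary choice. It goes a little further than the steps above: it also switches off the client side of SSL 2.0/3.0, explicitly enables TLS 1.1 and 1.2 (which clears the "only older protocols" finding on 2008 R2), and includes the RC4 64/128 key that some Windows versions expose alongside the three listed above.

```powershell
# Added example: harden Schannel protocols and ciphers through the registry.
# Assumptions: Windows Server 2008 R2+, elevated session, reboot afterwards.
$base   = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$backup = "$env:SystemDrive\schannel-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"

# 1. Export the whole SCHANNEL key so the change can be rolled back (reg import <file>).
& reg.exe export "HKLM\$base" $backup /y | Out-Null

function Set-SchannelDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    # The .NET registry API is used instead of the HKLM: provider because cipher key
    # names such as "RC4 128/128" contain a slash, which the provider would treat as
    # a path separator. CreateSubKey also creates any missing parent keys.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$SubKey")
    try   { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

# 2. Obsolete protocols: Enabled=0 turns them off, DisabledByDefault=1 stops them
#    being offered even to callers that do not name a protocol explicitly.
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($side in 'Server', 'Client') {
        Set-SchannelDword -SubKey "Protocols\$proto\$side" -Name 'Enabled'           -Value 0
        Set-SchannelDword -SubKey "Protocols\$proto\$side" -Name 'DisabledByDefault' -Value 1
    }
}

# 3. TLS 1.1/1.2 are off by default on Windows Server 2008 R2; enable them explicitly.
foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        Set-SchannelDword -SubKey "Protocols\$proto\$side" -Name 'Enabled'           -Value 1
        Set-SchannelDword -SubKey "Protocols\$proto\$side" -Name 'DisabledByDefault' -Value 0
    }
}

# 4. RC4 in every key length Windows knows about.
foreach ($cipher in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
    Set-SchannelDword -SubKey "Ciphers\$cipher" -Name 'Enabled' -Value 0
}

# 5. Show the resulting protocol configuration; Schannel reads it at boot.
Get-ChildItem "HKLM:\$base\Protocols" -Recurse |
    Get-ItemProperty |
    Select-Object @{ n = 'Key'; e = { $_.PSPath -replace '^.*\\Protocols\\', '' } }, Enabled, DisabledByDefault |
    Format-Table -AutoSize
"Registry backup written to $backup; restart the server to apply."
```

Do not disable TLS 1.0 on SharePoint 2013 servers with this approach until the .NET Framework 4.6 or later and SQL Server TLS 1.2 updates are installed on every server in the farm; otherwise the farm's own connections to SQL Server and between service applications break. Reboot, then re-run the SSL Labs test to confirm the grade.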

Notes

1. Back up the registry before running the above steps or scripts (an export of the SCHANNEL key is enough to roll back).

2. On the POODLE finding: SSL Labs reports "POODLE TLS" when the server's TLS implementation does not check the padding bytes, which is a bug in that implementation and needs a vendor patch (hence "Patching required"); the original POODLE attack against SSL 3.0 is removed simply by disabling SSL 3.0. POODLE according to Wikipedia:

"The POODLE attack (which stands for "Padding Oracle on Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages."

3. Forward Secrecy according to Ivan Ristić:

"With forward secrecy, every connection to your site is individually protected, using a different key. Without forward secrecy, the security of all connections effectively depends on the server's private key. If that key is ever broken or stolen, all previous communication can be decrypted."

Mixed Content Mode

Again, a valid HTTPS certificate on its own does not mean sessions are exchanged safely.

If you see one of the above indicators in your browser, the current page has "mixed content": an HTTPS page that loads images, scripts or other resources over plain HTTP. Cookies that lack the Secure flag are attached to those HTTP sub-requests as well, so anyone sniffing the network can read the session cookie, and an active attacker can replace an HTTP-loaded JavaScript file with a script of their own that then runs inside the HTTPS page.

The fix is to make sure the page contains no HTTP content and that every request goes over HTTPS (absolute https:// or protocol-relative URLs for all resources).

Note

Sometimes mixed content is unavoidable because a third party only serves its content over HTTP. Be aware of the risk, mark your cookies Secure so they are never sent over HTTP, and make sure sensitive data only ever crosses a secure channel.

HTTPs on Login Page only

Some developers, to save on performance, implement HTTPS only on the login page and then redirect the user back to HTTP. This is a very bad practice.

It prevents the username and password from being sniffed, but the session token, which in most cases is stored in a cookie or sent as a header value, now travels in the clear on every subsequent request, and whoever captures it is logged in as that user.

You can demonstrate the issue with a tool like Fiddler or the browser's built-in developer tools (Chrome, for example): log in to any forms-authentication website and copy the authentication cookie value (the cookie name varies; in SharePoint forms and claims authentication it is FedAuth).

Then open a new session (a different browser or a private window) without logging in, open the browser console and run:

document.cookie = "FedAuth=[cookie value]"

Refresh the page: you are now logged in without knowing the username or password. Setting the cookie from JavaScript works here because the copied value is replayed as a new cookie; the HttpOnly flag only stops script on the site from reading the original, it does not stop replay.

Secure cookies

Use secure cookies whenever sensitive data is stored in cookies, such as the authentication cookie in forms or identity authentication.

To make sure the cookie only travels over HTTPS, even if the website also accepts HTTP connections, set requireSSL="true" on the httpCookies element in the web application's web.config (the element is shown in the next section).

You can check whether a cookie is secure in Chrome's developer tools: look at the "Secure" column in the cookies view.

HTTPOnly cookies

In general, always set the HttpOnly attribute on cookies so that script cannot read them; an XSS flaw then cannot steal a cookie such as the auth token and use it for session hijacking and other attacks.

In SharePoint with forms authentication the auth token cookie is flagged HttpOnly by default, but some SharePoint cookies are not, for example "wss_keepsessionauthenticated".

Add this setting to the web application's web.config:

    <system.web>
      <httpCookies httpOnlyCookies="true" requireSSL="true" />
    </system.web>

Notes

1. Keep requireSSL="true" as well, so that all cookies are sent over secure channels only.

2. If a cookie has to be accessible from JavaScript, flag that cookie explicitly without HttpOnly, or consider HTML5 local storage for that data instead.

3. Avoid URI-based cookies: set cookieless="UseCookies" on the forms and sessionState elements.

4. requireSSL="true" causes an error when creating out-of-the-box SharePoint workflows, so in that case extend the web application and apply the setting only in the extended site.

HSTS

HTTP Strict Transport Security (HSTS) makes the browser use HTTPS for the site for a certain time (the max-age value) without having to be redirected by the server, so the window in which an HTTP-to-HTTPS redirect can be intercepted is minimised (minimised, not removed, because the very first request still goes out before the browser has seen the header; everything after that is rewritten to HTTPS inside the browser).

The header also stops the user from clicking through the browser warning when the certificate is invalid because it has expired, is self-signed or is otherwise untrusted: on an HSTS site the certificate error cannot be bypassed. Try opening an HSTS site such as google.com through an intercepting proxy that presents its own certificate and observe that the browser offers no "proceed anyway" option.

The disadvantages are that very old browsers (Internet Explorer 10 and earlier) ignore it, and that once it is set, users cannot return to HTTP until the max-age expires or they clear the entry from the browser. The header is only honoured when it arrives over HTTPS; browsers ignore it on plain HTTP responses. It is still a worthwhile additional defence for your website.

To add HSTS to your website, follow these steps:

1. Open IIS and go to your site.

2. Double-click HTTP Response Headers.

3. In the HTTP Response Headers pane, click Add... in the Actions pane.

4. In the Add Custom HTTP Response Header dialog box enter:

   Name: Strict-Transport-Security
   Value: max-age=31536000 (in seconds = 365 days)

Notes

1. You can add the includeSubDomains directive to cover existing and future sub-domains, but be careful: every sub-domain must then be reachable over HTTPS.

2. You can add the preload directive and submit the site to the HSTS preload list built into Chrome and the other major browsers (https://hstspreload.org), which closes the first-request gap; the list has its own requirements (includeSubDomains, preload and a long max-age), and getting removed from it again takes months.

3. The header improves performance slightly, because the HTTP-to-HTTPS redirect round trip (the 301) no longer happens; the browser rewrites the URL locally.

4. Implementing the header raises the grade in the Qualys SSL Labs "SSL Server Test".

You can find more security headers, such as X-Content-Type-Options and Content-Security-Policy, at the following URL. Treat HTTP Public Key Pinning (HPKP), which that page also covers, as historical: Chrome announced its removal in late 2017, browsers no longer support it, and a mistaken pin locks your own users out of the site.

https://scotthelme.co.uk/hardening-your-http-response-headers/

End to End Secure Channels

A website that uses HTTPS and shows the green padlock is not necessarily protected end to end: in many deployments HTTPS terminates at the load balancer, and the internal hop from the load balancer to the web servers is plain HTTP.

Use HTTPS end to end, including the internal communication. Managing the extra certificates is more work, but it protects against hijacking or sniffing from inside the network. If you must terminate TLS at the load balancer, make sure SharePoint knows the public HTTPS URL (Alternate Access Mappings) so that it does not generate http:// links.

Extended Validation Certificate (EV)

For high-value websites such as banking sites an EV certificate has been the recommendation: issuance involves additional identity verification, and the browser address bar used to show the organisation name in green, as in the image below, which gave users extra confidence. Note that the major browsers dropped the special EV indicator during 2019, so the user-visible benefit is now small; the certificate still works as a normal certificate.

Performance vs. Security

The answer is in the title of this post: "TLS has exactly one performance problem: it is not used widely enough."

https://istlsfastyet.com/?utm_source=wmx_blog&utm_medium=referral&utm_campaign=tls_en_post

100% security coverage

Nothing in security is perfect. Even if your implementation is flawless, risks remain, for example:

- New SSL/TLS bugs or newly published vulnerabilities.
- Your data crosses many hops in many countries; even encrypted, it can be recorded by a passive attacker and decrypted later if the cryptography is ever broken.
- Certificate Authority compromises, as happened with DigiNotar.
- Delays in propagating certificate revocation information.
- Tricking a CA into issuing a certificate, as happened with VeriSign and Thawte.
- ... and so on.

Recommended Reference

Bulletproof SSL and TLS by Ivan Ristić
https://www.feistyduck.com/books/bulletproof-ssl-and-tls/

References

1. https://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html
2. https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf
3. https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf
4. http://www.troyhunt.com/2015/06/understanding-http-strict-transport.html

Response Headers

Response headers reveal a lot of information that helps an attacker profile your website and then look up public issues for those exact versions in sources such as the National Vulnerability Database (https://web.nvd.nist.gov/view/vuln/search) or elsewhere.

They fall into the following categories:

Version Disclosure (ASP.NET)

The X-AspNet-Version header reveals the ASP.NET version. Again, this information helps during the reconnaissance phase, but it does not by itself mean your website will be exploited.

To remove this header, add this attribute inside the <system.web> element in the web application's web.config:

    <httpRuntime enableVersionHeader="false" />

ASP.NET Identified (X-Powered-By)

The X-Powered-By: ASP.NET header is added by IIS. To remove it, add this setting in the web application's web.config:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

Version Disclosure (IIS)

The Server header (for example Server: Microsoft-IIS/8.5) is set by IIS itself. On IIS 10 it can be removed with <requestFiltering removeServerHeader="true" /> under <system.webServer><security>; on older versions URLScan can remove it, or you can strip it from managed code with a custom HTTP module as follows (integrated pipeline only):

    using System;
    using System.Web;

    namespace MyNamespace
    {
        // Strips the IIS "Server" header immediately before the headers are sent.
        public class HttpHeadersCleanup : IHttpModule
        {
            public void Init(HttpApplication context)
            {
                context.PreSendRequestHeaders += PreSendRequestHeaders;
            }

            private static void PreSendRequestHeaders(object sender, EventArgs e)
            {
                // Response.Headers is only writable in the IIS integrated pipeline.
                HttpContext.Current.Response.Headers.Remove("Server");
            }

            public void Dispose()
            {
            }
        }
    }

Then register the module (compiled into an assembly deployed to the GAC or the bin folder) in the web application's web.config:

    <system.webServer>
      <modules>
        <add name="HttpHeadersCleanup" type="MyNamespace.HttpHeadersCleanup, MyAssembly" />
      </modules>
    </system.webServer>

Version Disclosure (SharePoint)

The most important one is MicrosoftSharePointTeamServices, which reveals the exact SharePoint build. It is not recommended to remove this header from the main web application; accept the risk instead, because removing it breaks SharePoint search crawling and other features such as InfoPath and Office client integration.

Note

In this case it is better to extend the web application: keep the default web application for crawling and internal use, and use the extended web application for anonymous access with limited features, where the header can be removed by the web.config setting described in this KB article:

https://support.microsoft.com/en-us/kb/2728313

Clickjacking

Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they intended to click on the top-level page. The attacker "hijacks" clicks meant for their page and routes them to another page, most likely owned by another application, domain, or both.

The easiest fix is to add the X-Frame-Options header to the HTTP response; remember that older browsers do not honour it, and that the Content-Security-Policy frame-ancestors directive is the modern equivalent, which can be sent alongside it.

To configure IIS to add an X-Frame-Options header to all responses for a given website, follow these steps:

1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane on the left, expand the Sites folder and select the site that you want to protect.
3. Double-click the HTTP Response Headers icon in the feature list in the middle.
4. In the Actions pane on the right, click Add.
5. In the dialog box that appears, type X-Frame-Options in the Name field and SAMEORIGIN in the Value field.
6. Click OK to save your changes.

Note

By default, SharePoint 2013/2016 already sends X-Frame-Options: SAMEORIGIN on its responses.
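The items from the preceding sections (cookie Secure and HttpOnly flags, HSTS, X-Frame-Options, and the Server, X-Powered-By, X-AspNet-Version and MicrosoftSharePointTeamServices disclosure headers) can be verified from the outside in one request. The following PowerShell function is an added example and not part of the whitepaper; it uses only the .NET HttpWebRequest class so it runs on Windows PowerShell 2.0 and later, the URL at the bottom is a placeholder, and the "good" values it expects (for instance an HSTS max-age of at least a year) are this chapter's recommendations rather than a SharePoint product rule.

```powershell
# Added example: audit one URL for the response-header and cookie issues discussed above.
# Assumptions: placeholder URL; thresholds are this chapter's recommendations.
function Test-SiteHeaders {
    param([Parameter(Mandatory = $true)][string]$Url)

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method            = 'GET'
    $req.AllowAutoRedirect = $false                    # inspect this hop, not the redirect target
    $req.CookieContainer   = New-Object System.Net.CookieContainer   # required for $resp.Cookies
    $req.UserAgent         = 'header-audit'

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # A 401/403 from an authenticated SharePoint site still carries the headers we want.
        $resp = $_.Exception.Response
        if (-not $resp) { throw "No HTTP response from $Url : $($_.Exception.Message)" }
    }

    $h = $resp.Headers
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Version / technology disclosure headers
    foreach ($name in 'Server', 'X-Powered-By', 'X-AspNet-Version', 'MicrosoftSharePointTeamServices') {
        if ($h[$name]) { $findings.Add("Disclosure: $name = $($h[$name])") }
    }

    # 2. HSTS: only meaningful on an HTTPS response, browsers ignore it over HTTP
    if ($Url -like 'https://*') {
        $hsts = $h['Strict-Transport-Security']
        if (-not $hsts) {
            $findings.Add('Missing Strict-Transport-Security')
        } elseif ($hsts -match 'max-age=(\d+)' -and [int64]$Matches[1] -lt 31536000) {
            $findings.Add("HSTS max-age shorter than one year: $hsts")
        }
    }

    # 3. Clickjacking protection (X-Frame-Options or the CSP equivalent)
    if (-not $h['X-Frame-Options'] -and ($h['Content-Security-Policy'] -notmatch 'frame-ancestors')) {
        $findings.Add('Missing X-Frame-Options / CSP frame-ancestors')
    }

    # 4. Flags on every cookie this response sets
    foreach ($c in $resp.Cookies) {
        if (-not $c.Secure)   { $findings.Add("Cookie $($c.Name) lacks the Secure flag") }
        if (-not $c.HttpOnly) { $findings.Add("Cookie $($c.Name) lacks the HttpOnly flag") }
    }

    $resp.Close()
    return ,$findings.ToArray()   # leading comma keeps an empty result as an empty array
}

# Placeholder: replace with the public URL of the web application under test.
Test-SiteHeaders -Url 'https://portal.contoso.local/' | ForEach-Object { "[!] $_" }
```

Run it against both the http:// and the https:// URL of the site: the first shows whether any cookie is set over plain HTTP at all, the second checks the flags and HSTS. Anonymous SharePoint sites usually set no cookie on the first GET, so repeat the test after logging in if you want the FedAuth cookie checked.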

ViewState is not encrypted

SharePoint does not use ViewState to store sensitive data such as user tokens, so give your security department the justification that ViewState has to exist in SharePoint because it is built on top of ASP.NET Web Forms.

Note

In custom code that uses ViewState, avoid storing sensitive data in it, because it is only base64-encoded and therefore readable. If you must, enable ViewState encryption and keep the MAC (integrity check) on; in web.config that is <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />. Never set enableViewStateMac="false": since the September 2014 ASP.NET update (Microsoft Security Advisory 2905247) ASP.NET enforces the MAC regardless of that setting, because an unsigned ViewState can be abused for remote code execution.

To see for yourself, use an ASP.NET ViewState decoder: copy the value of __VIEWSTATE from the page's HTML source and decode the base64 string; the control names and values are visible in clear text.

Sensitive resources

On an anonymous SharePoint website, prevent users from reaching resources that disclose information or give access to administrative pages, such as the application pages under the _layouts folder, for example /_layouts/viewlsts.aspx.

Accessing the _layouts/ folder

By default the Publishing site template enables the feature "ViewFormPagesLockDown", which prevents anonymous users from accessing application pages. If it is disabled, activate it with the following command:

Enable-SPFeature -Identity ViewFormPagesLockDown -Url http://yourSite

_vti_inf.html, _vti_bin, _vti_pvt and _vti_bin/spsdisco.aspx

If your SharePoint application is anonymously accessible, consider authorization rules that restrict access to the web services and resources under _vti_bin, _vti_pvt, _vti_bin/spsdisco.aspx and so on, at least so that an attacker cannot use them to gather information such as the SharePoint version or FrontPage (RPC) configuration. Test the impact first: clients such as Office, OneDrive sync and SharePoint Designer use _vti_bin, although they do so as authenticated users and the rules below deny only anonymous (?) users.

Add these rules to the web application's web.config:

    <location path="_vti_inf.html">
      <system.web>
        <authorization>
          <deny users="?" />
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
    <location path="_vti_pvt">
      <system.web>
        <authorization>
          <deny users="?" />
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
    <location path="_vti_bin">
      <system.web>
        <authorization>
          <deny users="?" />
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

Web.config configurations

These fall into the following sections:

Stack Trace and Errors Disclosure (ASP.NET)

Stop disclosing information through unhandled errors, tracing and debug output. A few simple settings prevent leaks that would help an attacker learn about the application and plan further attacks, and some of them (the debug setting in particular) also improve performance.

Change these settings in the web application's web.config file:

- Set <customErrors mode="On" />
- Remove the <trace> element or set <trace enabled="false" /> (it is not enabled by default)
- Set <compilation debug="false" />
- Set CallStack="false" on the <SafeMode> element in the <SharePoint> section

Then make the same changes in the web.config under the _layouts folder (15\TEMPLATE\LAYOUTS for SharePoint 2013).
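The web.config changes recommended in this chapter (HttpOnly and Secure cookies, enableVersionHeader, the X-Powered-By removal, the HSTS header, and the customErrors, compilation, trace and SafeMode settings above) can be applied in one pass. The following PowerShell is an added example, not something from the whitepaper or from SharePoint: it edits one web.config as XML after taking a timestamped backup, creating any element that is missing and setting the attribute on the ones that already exist. It assumes Windows PowerShell 3.0 or later (for Get-Content -Raw), an elevated session on the web server, and the placeholder path at the bottom.

```powershell
# Added example: apply this chapter's web.config hardening to one web application.
# Assumptions: placeholder path; PowerShell 3.0+; run on every web server, or carry the
# same settings as SPWebConfigModification entries so SharePoint propagates them.
function Get-OrAddElement {
    param([System.Xml.XmlElement]$Parent, [string]$Name)
    # Return the named child element, creating it when it does not exist.
    $el = $Parent.SelectSingleNode($Name)
    if (-not $el) { $el = $Parent.AppendChild($Parent.OwnerDocument.CreateElement($Name)) }
    return $el
}

function Set-WebConfigHardening {
    param([Parameter(Mandatory = $true)][string]$WebConfigPath,
          [string]$HstsMaxAge = '31536000')   # one year, as recommended above

    Copy-Item $WebConfigPath "$WebConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    [xml]$cfg = Get-Content -Raw -Path $WebConfigPath
    $root = $cfg.DocumentElement
    $web  = Get-OrAddElement $root 'system.web'

    # Cookies: HttpOnly + Secure for every cookie ASP.NET issues ("HTTPOnly cookies", "Secure cookies")
    $cookies = Get-OrAddElement $web 'httpCookies'
    $cookies.SetAttribute('httpOnlyCookies', 'true')
    $cookies.SetAttribute('requireSSL', 'true')

    # X-AspNet-Version ("Version Disclosure (ASP.NET)")
    (Get-OrAddElement $web 'httpRuntime').SetAttribute('enableVersionHeader', 'false')

    # Errors, trace, debug and SharePoint call stacks ("Stack Trace and Errors Disclosure")
    (Get-OrAddElement $web 'customErrors').SetAttribute('mode', 'On')
    (Get-OrAddElement $web 'compilation').SetAttribute('debug', 'false')
    (Get-OrAddElement $web 'trace').SetAttribute('enabled', 'false')
    $safeMode = $root.SelectSingleNode('SharePoint/SafeMode')
    if ($safeMode) { $safeMode.SetAttribute('CallStack', 'false') }

    # IIS headers: drop X-Powered-By and add HSTS ("ASP.NET Identified", "HSTS")
    $server  = Get-OrAddElement $root 'system.webServer'
    $headers = Get-OrAddElement (Get-OrAddElement $server 'httpProtocol') 'customHeaders'
    if (-not $headers.SelectSingleNode("remove[@name='X-Powered-By']")) {
        $rm = $cfg.CreateElement('remove')
        $rm.SetAttribute('name', 'X-Powered-By')
        [void]$headers.AppendChild($rm)
    }
    $hsts = $headers.SelectSingleNode("add[@name='Strict-Transport-Security']")
    if (-not $hsts) {
        $hsts = $cfg.CreateElement('add')
        $hsts.SetAttribute('name', 'Strict-Transport-Security')
        [void]$headers.AppendChild($hsts)
    }
    $hsts.SetAttribute('value', "max-age=$HstsMaxAge")

    $cfg.Save($WebConfigPath)
    return $cfg
}

# Placeholder: the IIS home directory of the (extended) web application.
$result = Set-WebConfigHardening -WebConfigPath 'C:\inetpub\wwwroot\wss\VirtualDirectories\443\web.config'
"Saved; backup is beside the file. Recycle the application pool to pick up the change."
```

Remember note 4 of the HTTPOnly cookies section: requireSSL="true" breaks the creation of out-of-the-box workflows, so run this against the web.config of an extended, anonymous-facing web application rather than the one authors use. SharePoint rewrites web.config when a web application is extended or the configuration wizard runs, so re-check the file afterwards or record the same changes as SPWebConfigModification entries, which SharePoint re-applies on every server.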

Validation Request

Request validation, a feature of ASP.NET since version 1.1, stops the server from accepting content that contains un-encoded HTML. It is designed to prevent some script-injection attacks in which client script or HTML is unknowingly submitted to a server, stored, and then presented to other users.

Like other .NET content management systems, SharePoint has many places where rich text must be submitted to the server. Microsoft therefore ships web.config with ValidateRequest disabled, and if you enable it you can no longer create pages with HTML content. Accept the risk and leave the feature disabled, but keep SharePoint patched with the latest fixes, and in custom code validate input and encode output on both the client and the server side using libraries such as AntiXSS (System.Web.Security.AntiXss in .NET 4.5 and later).

Patching

New threats against SharePoint are discovered continually, so vulnerabilities and security problems must be fixed as they are found.

SharePoint patches come in three forms:

1. Service Pack: includes all previous fixes plus new ones, and may add new features.
2. Cumulative Update (CU) / Public Update (PU): fixes reported by customers through support cases, released monthly.
3. Hotfix or Quick Fix Engineering (QFE): security fixes or fixes for problems affecting a specific customer.

Patching must be planned, and it brings the farm down, so a backup or a disaster recovery farm is recommended.

Some tips to consider when patching your SharePoint farm:

- Do not let automatic Windows Update install patches on the SharePoint and SQL servers unattended; SharePoint patches also require the configuration wizard (PSConfig) to run. Check for updates and fixes on these sites:
  http://blogs.technet.com/b/stefan_gossner/ and https://technet.microsoft.com/library/dn789211(v=office.14)
- Look up the SharePoint build numbers on these sites:
  o SharePoint 2010: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=224
  o SharePoint 2013: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=346
  o SharePoint 2016: http://www.toddklindt.com/blog/Builds/SharePoint-2016-Builds.aspx
- This blog has good articles on patching: http://blogs.msdn.com/b/sambetts/archive/tags/patching/
- Zero-downtime patching of SharePoint 2016 is possible only when specific conditions are met; for more information see https://fabdulwahab.com/2018/01/11/recommendations-for-patching-sharepoint-2016/
- Check the installed SharePoint version with PowerShell: (Get-SPFarm).BuildVersion
- Notify your users, because SharePoint will be down.
- Test the patches in a test farm before going live (a virtual machine is fine; it need not be identical to production).
- Document the farm and prepare a rollback plan.
  o This PowerShell script, or others from the CodePlex site, can document your SharePoint farm: https://gallery.technet.microsoft.com/office/Inventory-SharePoint-Farm-dc11fc28/view/Discussions
- Agree the maintenance window.
- Test the farm after patching, and monitor it.

ASP.NET Security Vulnerabilities

Any security vulnerability in ASP.NET applies to SharePoint as well, because SharePoint is built on top of the ASP.NET framework.

Two well-known examples:

1. Padding oracle vulnerability (MS10-070): affected every ASP.NET version at the time (1.0 through 4.0), so it is most likely present in unpatched SharePoint 2010 and older versions. Background: http://weblogs.asp.net/scottgu/important-asp-net-security-vulnerability and http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html. To fix it, update SharePoint to the latest CU, which addresses this and other issues, or install the direct fix from https://technet.microsoft.com/library/security/ms10-070

2. Hash DoS vulnerability (MS11-100, resolved in .NET 4.5): lets an attacker send a POST request with a very large number of parameters crafted to cause hash collisions when ASP.NET parses them, consuming CPU. Background: http://www.troyhunt.com/2011/12/has-hash-dos-patch-been-installed-on.html. To fix it, update SharePoint to the latest CU or install the direct fix from https://technet.microsoft.com/library/security/ms11-100

Persistent XSS flaw in SharePoint 2013

This vulnerability, CVE-2015-2522, is caused by insufficient sanitisation of user-supplied input at several input points such as notes, keywords and comments.

For more details see http://blog.fortinet.com/post/sharepoint-2013-xss-vulnerability-discovered

To fix it, update SharePoint to the latest CU, which addresses this and other issues.

Note

Only SharePoint 2013 at build 15.0.4571.1502 or earlier is affected and needs to be updated to remove this XSS risk.

SharePoint configurations

These fall into the following sections:

Secure SharePoint's Components

Secure the host operating system and the other servers SharePoint depends on, such as Active Directory, SQL Server and IIS; any gap or weakness in these components can compromise your whole SharePoint farm.

CIS benchmark documents for each of these components are available at http://benchmarks.cisecurity.org/

Plan for administrative and service accounts in SharePoint

To install SharePoint 2013 you need appropriate administrative and service accounts on the servers running SharePoint 2013 and SQL Server, set up according to the principle of least privilege.

General good practices to consider:

- Verify least privilege; for example the setup account does not need to be a domain administrator or a member of the SQL Server local Administrators group.
- Use a separate domain user account for each service, especially services shared by more than one web application such as Search or User Profile, services that connect to external sources such as Excel Services, and application pools.
- Avoid built-in accounts such as Local Service or Network Service; use least-privileged domain service accounts.
- Because Forefront Identity Manager was removed from SharePoint Server 2016, the farm service account no longer requires local Administrator rights on any SharePoint server.
- The Claims to Windows Token Service (C2WTS) account is the only account that still requires local Administrator rights, and only on the servers running C2WTS.

Plan for administrative and service accounts in SharePoint 2013
https://technet.microsoft.com/en-us/library/cc263445.aspx

Plan for administrative and service accounts (SharePoint Server 2010)
https://technet.microsoft.com/en-us/library/cc263445(v=office.14).aspx

Plan for administrative and service accounts (SharePoint Server 2016)
https://technet.microsoft.com/en-us/library/cc263445(v=office.16).aspx

Central Administration Site

The Central Administration site deserves particular care, because the whole SharePoint farm can be managed from it.

General good practices to consider:

- Do not host it on the front-end web servers.
- Block external access to the Central Administration site with a firewall.
- Enable SSL on the Central Administration site.

How to configure SSL for the Central Administration site is described at this URL:

http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx

Manage blocked file types in SharePoint

SharePoint can be configured to disallow uploads of files with specific extensions. This prevents the specified file types from being saved to or retrieved from any site on the web application. The check is by extension only, so treat it as a hygiene control rather than a strong security boundary; review the default list and add anything your environment should not host.

The following URL lists the file types blocked by default and their file name extensions: https://technet.microsoft.com/en-us/library/cc262496.aspx

Set Security Validation to On

Web Page Security Validation adds a form digest (the __REQUESTDIGEST value) to SharePoint pages, which protects POST requests against cross-site request forgery, and expires it after a period of inactivity so that a page left open cannot be submitted by someone else after the authenticated user has walked away; once expired, the page must be reloaded before it can be submitted again.

By default this option is On; make sure it is set to expire after 30 minutes or less.

Do Not Crawl Sensitive Content

Listing restricted content in search results can lead to information disclosure. To avoid this, configure the sensitive SharePoint list or library to be excluded from search results (list settings, Advanced settings, set "Allow items from this list to appear in search results" to No).

Crawl Rules in Search

Some pages, such as http://*allitems.aspx, should not reach public users through SharePoint search results, because they can disclose information (list structure and items the user would not find by browsing).

To avoid this, create crawl rules that exclude them from the index:

- http://*editform.aspx
- http://*dispform.aspx
- http://*my-sub.aspx
- http://*mod-view.aspx
- http://*itemsonhomepage.aspx
- http://*thumbnails.aspx

Note

Also consider crawl rules for sub-sites with limited access (administrative areas and the like), so that they are neither crawled nor exposed to anonymous users through search.
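The exclusion rules above can be created from the SharePoint Management Shell instead of clicking through Central Administration. The following script is an added example and not part of the whitepaper; it assumes a farm with a single Search service application, uses exactly the wildcard patterns listed in this section (plus the allitems.aspx pattern from the first paragraph), and skips any rule that already exists so it can be re-run safely. Verify that a sample URL actually matches a rule with the "test a URL" box on the Crawl Rules page before relying on it.

```powershell
# Added example: create the exclusion crawl rules from this section idempotently.
# Assumptions: run in the SharePoint Management Shell on a farm server; one Search
# service application; the patterns are the whitepaper's own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$patterns = @(
    'http://*allitems.aspx',
    'http://*editform.aspx',
    'http://*dispform.aspx',
    'http://*my-sub.aspx',
    'http://*mod-view.aspx',
    'http://*itemsonhomepage.aspx',
    'http://*thumbnails.aspx'
)

$ssa = Get-SPEnterpriseSearchServiceApplication
if (-not $ssa) { throw 'No Search service application found in this farm.' }

# Existing rule paths, so a re-run does not try to create duplicates.
$existing = @(Get-SPEnterpriseSearchCrawlRule -SearchApplication $ssa | ForEach-Object { $_.Path })

$created = 0
foreach ($p in $patterns) {
    if ($existing -contains $p) {
        "exists : $p"
        continue
    }
    New-SPEnterpriseSearchCrawlRule -SearchApplication $ssa -Path $p -Type ExclusionRule | Out-Null
    "created: $p"
    $created++
}

# New exclusions only take effect when content is re-crawled; items already in the
# index disappear after the next full crawl of each content source.
if ($created -gt 0) {
    Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa | ForEach-Object {
        "starting full crawl: $($_.Name)"
        $_.StartFullCrawl()
    }
}
```

For the sub-site note above, add the sub-site URL (for example the administrative area) to the $patterns array as an exclusion with a trailing * so that everything beneath it is skipped as well.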

Default content access account

The SharePoint Search service uses this account to crawl content. Do not grant it Full Control.

It needs only read access to every web application: under the web application's "User Policy", make sure this account has only the "Full Read" permission (SharePoint adds that policy automatically when you set the default content access account in the Search service application).

Max Upload Document / Max Request length

Reduce the "Maximum Upload Size" and "maxRequestLength" settings to limit the load, response time and storage impact of oversized requests on the server, especially in a DDoS scenario. Keep the two values consistent (maxRequestLength is in kilobytes, the upload size in megabytes) and within the IIS request filtering limit maxAllowedContentLength, otherwise large uploads fail with a confusing error.

Follow these steps (make sure the values meet your business requirements):

To set the maximum upload size:

1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Central Administration.
2. Click Application Management.
3. Under SharePoint Web Application Management, click Web application general settings.
4. On the Web Application General Settings page, click the web application that you want to change.
5. Under Maximum upload size, type the maximum file size in megabytes that you want, and then click OK. The maximum is 2,047 megabytes.

To set the maximum request length:

1. Open in Notepad the web.config file under Program Files\Common Files\Microsoft Shared\Web server extensions\14\TEMPLATE\LAYOUTS
   Note: 15\TEMPLATE\LAYOUTS for SharePoint 2013.
2. Set the value that you want, for example:
   <httpRuntime executionTimeout="999999" maxRequestLength="2097151" />
3. Click File, and then click Save.
4. Open in Notepad the web application's web.config under Inetpub\wwwroot\wss\VirtualDirectories\VirtualDirectoryFolder
5. Change the following line in the file:
   <httpRuntime executionTimeout="999999" maxRequestLength="51200" />
6. Click File, and then click Save.

Health Check

SharePoint Health Analyzer is a feature that lets administrators schedule regular, automatic checks for potential configuration, performance, and usage problems in the SharePoint server farm.

SharePoint has four Health Analyzer rules in the Security category:

1. Accounts used by application pools or service identities are in the local machine Administrators group.

2. Business Data Connectivity connectors are currently enabled in a partitioned environment.

3. Web Applications using Claims authentication require an update.

4. The server farm account should not be used for other services.

Most of these rules are best practices and should be implemented. You can ignore them, but make sure you have a good reason and record it.

1. Fix for point 1: https://technet.microsoft.com/en-us/library/hh344224.aspx

2. Fix for point 2: https://technet.microsoft.com/en-us/library/jj891123.aspx

3. Fix for point 3: https://technet.microsoft.com/en-us/library/ff686815.aspx

4. Fix for point 4: https://technet.microsoft.com/en-us/library/ff805056(v=office.14).aspx

Point 4 is the most important of the four and needs to be implemented correctly. The account used for the SharePoint timer service and the Central Administration site is highly privileged (it has full rights to the SharePoint databases and runs code on every server in the farm) and must not be used for any other service on any machine in the farm. A compromise of a content web application whose application pool runs as the farm account, for example through a vulnerable custom web part, is a compromise of the whole farm. In SharePoint Health Analyzer you will find related warnings, such as "Accounts used by application pools or service identities are in the local machine Administrators group"; all of them point to service accounts set up with more privilege than they need.

To avoid this issue, plan appropriate administrative and service accounts for the servers running SharePoint and SQL Server before installation; changing them afterwards is possible but laborious.

Check "Plan for administrative and service accounts in SharePoint 2013"

https://technet.microsoft.com/en-us/library/cc263445.aspx

and "Plan for administrative and service accounts (SharePoint Server 2016)"

https://technet.microsoft.com/en-us/library/cc263445(v=office.16).aspx
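Rules 1 and 4 can also be checked on demand, without waiting for the Health Analyzer timer job. The script below is an added example and not part of the whitepaper; it assumes it runs in the SharePoint Management Shell, as a farm administrator, on the server whose local Administrators group you want to inspect.

```powershell
# Added example, not from the whitepaper: check Health Analyzer rules 1 and 4 on
# demand on the server where the script runs. Run in the SharePoint Management
# Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Direct members of the local Administrators group, as bare account names
# (works on servers that do not have the Get-LocalGroupMember cmdlet)
$group       = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$localAdmins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

# The farm account runs the timer service and Central Administration and must
# run nothing else (rule 4)
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name

# Identities behind content web applications and service application pools.
# Get-SPWebApplication omits Central Administration unless -IncludeCentralAdministration
# is given, which is what we want: the farm account is expected there.
$identities = @()
$identities += Get-SPWebApplication | ForEach-Object {
    [pscustomobject]@{ Kind = 'Web application'; Name = $_.DisplayName; Account = $_.ApplicationPool.Username }
}
$identities += Get-SPServiceApplicationPool | ForEach-Object {
    [pscustomobject]@{ Kind = 'Service app pool'; Name = $_.Name; Account = $_.ProcessAccountName }
}

$findings = foreach ($id in $identities) {
    $sam = $id.Account.Split('\')[-1]          # DOMAIN\user -> user; the local group lists bare names
    if ($localAdmins -contains $sam) {         # rule 1
        [pscustomobject]@{ Rule = 'App pool identity is a local Administrator'; Kind = $id.Kind; Name = $id.Name; Account = $id.Account }
    }
    if ($id.Account -eq $farmAccount) {        # rule 4
        [pscustomobject]@{ Rule = 'Farm account reused'; Kind = $id.Kind; Name = $id.Name; Account = $id.Account }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No violation of rules 1 and 4 found on $env:COMPUTERNAME" }
```

Two caveats: the local group lookup sees only direct members, so a service account that is an administrator through a nested domain group is not reported (check that account's token with whoami /groups, or query Active Directory); and the script covers application pools, not Windows services such as Search, which Health Analyzer also inspects. Run it on every web and application server, since group membership is per machine.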

Require Use Remote Interfaces permission

It is recommended to prevent anonymous users from reaching the Client Object Model interfaces. When this option is checked in the zone's authentication provider settings, the user must hold the Use Remote Interfaces permission to call the SOAP web services, WebDAV and the Client Object Model (and therefore the REST endpoints under _api that are built on it). Without it, an anonymous visitor can enumerate lists and items through _vti_bin and _api even when no page links to them.

Enable Client Integration

It is recommended to disable client integration on an anonymous website, but doing so effectively blocks SharePoint from being a useful collaboration tool: it blocks all Office client interaction with SharePoint and prevents you from working with SharePoint Designer and the Windows Explorer view.

Note

Do not go with this option unless you have evaluated the client's business requirements and have extended the SharePoint website into a second zone, so that SharePoint Designer and the other client features stay available to content authors there.

Separation of duties

Separation of duties is a security principle: no single person (or single system) should control every step of a sensitive task, so that fraud or a mistake by one party is caught by another. For anonymous websites this principle is very important, and it can be applied in SharePoint in several ways, for example:

Content deployment is a feature in SharePoint that deploys content from a source (authoring) site collection to a destination (production) site collection. With it, authors never authenticate to the production servers: authoring happens on an internal farm, and the public farm holds only published content. Also consider placing the SharePoint production servers in a different network zone, such as a DMZ, and opening only the content deployment path from the authoring farm toward it.

You can find more information about it in

https://technet.microsoft.com/en-us/library/cc262004(v=office.14).aspx

Extending the SharePoint web application gives you two IIS websites for the same content: one for anonymous access and one for administration, which can be reachable only locally or by certain people, with a different authentication method. The administration zone is also where client integration and the remote interfaces can stay enabled while the anonymous zone has them disabled, which is a safer way to keep those features.

You can find more information about it in

https://technet.microsoft.com/en-us/library/cc261698(v=office.14).aspx
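The two settings described above (Require Use Remote Interfaces permission, Enable Client Integration) are stored per zone, which is what makes the extended-zone approach work. The script below is an added example and not part of the whitepaper: it reports the settings for every web application and zone, flags anonymous zones that are not hardened, and then hardens one zone. The public web application URL and the Internet zone are assumptions.

```powershell
# Added example, not from the whitepaper: report, for every web application and
# zone, whether anonymous access is on and whether the two settings above are
# hardened there, then harden one assumed public zone.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = foreach ($webApp in Get-SPWebApplication) {
    foreach ($zone in $webApp.IisSettings.Keys) {
        $s = $webApp.IisSettings[$zone]
        $finding = ''
        if ($s.AllowAnonymous -and $s.EnableClientIntegration) {
            $finding = 'anonymous zone with client integration enabled'
        } elseif ($s.AllowAnonymous -and -not $s.ClientObjectModelRequiresUseRemoteAPIsPermission) {
            $finding = 'anonymous zone reachable through the client object model'
        }
        [pscustomobject]@{
            WebApplication    = $webApp.DisplayName
            Zone              = $zone
            Url               = $webApp.GetResponseUri($zone).AbsoluteUri
            AllowAnonymous    = $s.AllowAnonymous
            ClientIntegration = $s.EnableClientIntegration
            RequireRemoteApi  = $s.ClientObjectModelRequiresUseRemoteAPIsPermission
            Finding           = $finding
        }
    }
}
$report | Format-Table -AutoSize

# Harden the extended public zone of one web application (URL and zone are assumptions)
$publicApp = Get-SPWebApplication 'https://www.contoso.com' -ErrorAction SilentlyContinue
if ($publicApp) {
    $zone     = [Microsoft.SharePoint.Administration.SPUrlZone]::Internet
    $settings = $publicApp.IisSettings[$zone]
    $settings.EnableClientIntegration = $false                          # Enable Client Integration: No
    $settings.ClientObjectModelRequiresUseRemoteAPIsPermission = $true  # Require Use Remote Interfaces permission: Yes
    $publicApp.Update()
}
```

The Default zone, where authors work with SharePoint Designer and Office, is left alone; only the zone that anonymous users reach is changed, which is exactly the separation the extended web application is meant to give you.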

Page 47: Maximizing SharePoint Security Whitepaper v2...Author for SharePoint 2013 book and many SharePoint whitepapers including Search, Variation and Availability topics, focus on building

47 | P a g e

SharePoint Anti-Virus You can configure SharePoint to scan documents on uploading or downloading because

these documents could contain malware. In this case, you need compatible Anti-Virus

scanners to be hosted in your SharePoint Farm. There are many options from Microsoft and

other companies, from Microsoft we can use Microsoft Forefront Protection 2010 for

SharePoint (FPSP) to scan the documents stored in document libraries and lists for viruses,

as well as whether you want to attempt to clean infected documents, but this product is

discontinued. You can check other products like Symantec Protection for SharePoint,

McAfee Security for SharePoint …

Check this reference for the available options

http://www.harbar.net/archive/2013/02/22/Antivirus-and-SharePoint-2013.aspx

In addition, from SharePoint Central Administration, you can configure General settings

related to Anti-Virus settings.

These settings are as following:

Page 48: Maximizing SharePoint Security Whitepaper v2...Author for SharePoint 2013 book and many SharePoint whitepapers including Search, Variation and Availability topics, focus on building

48 | P a g e

Scan documents on upload Specifies whether to scan a file that is being uploaded to the SharePoint server.

Scan documents on download Specifies whether to scan a file that is being downloaded from the SharePoint server.

Allow users to download infected documents

If enabled, this setting permits the downloading of documents known to be infected.

Attempt to clean infected documents If enabled, this setting permits the real-time scan to clean infected documents, if possible.

Antivirus Time Out To modify how long, in seconds, the real-time scan should run before timing out.

Antivirus Threads To modify the number of execution threads that the real-time scan can use.

Windows configurations

We can categorize them into the following sections:

Disable loopback check

When you use the fully qualified domain name (FQDN) or a custom host header to browse a local website hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following:

HTTP 401.1 - Unauthorized: Logon Failed

This issue occurs when the website uses Integrated Windows authentication and has a name that is mapped to the local loopback address. People (me included) work around this issue the wrong way, because Microsoft considers the loopback check a security feature: it stops a process on the server from replaying the machine's own NTLM credentials against a local website under another name (an NTLM reflection attack).

Don't use "DisableLoopbackCheck", which switches that protection off for every name. Instead, fix it with the "BackConnectionHostNames" registry value, which exempts only the host names you list.

To specify the host names that are mapped to the loopback address and can connect to websites on your computer, follow these steps:

1. Set the DisableStrictNameChecking registry entry (a DWORD value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters) to 1. Then click Start, click Run, type regedit, and then click OK.

2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

3. Right-click MSV1_0, point to New, and then click Multi-String Value.

4. Type BackConnectionHostNames, and then press ENTER.

5. Right-click BackConnectionHostNames, and then click Modify.

6. In the Value data box, type the host name or host names for the sites that are on the local computer (one per line, exactly as they appear in the URL, without scheme or port), and then click OK.

7. Quit Registry Editor, and then restart the IISAdmin service.

Note

You can go with the "DisableLoopbackCheck" option on development and testing servers, but check that it has not been carried into production by a server image or build script: a DisableLoopbackCheck value of 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa is the sign.
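Typing host names by hand drifts out of step with the farm over time. The script below is an added example and not part of the whitepaper: it builds BackConnectionHostNames from the farm's own alternate access mappings, merges them with whatever is already in the value, and removes the DisableLoopbackCheck workaround if it finds it. It assumes an elevated SharePoint Management Shell on each web and application server.

```powershell
# Added example, not from the whitepaper: populate BackConnectionHostNames from the
# farm's alternate access mappings and warn about the DisableLoopbackCheck workaround.
# Run elevated in the SharePoint Management Shell on each web and application server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey = Join-Path $lsaKey 'MSV1_0'

# The blanket workaround disables the reflection protection for every name
$dlc = (Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($dlc -eq 1) {
    Write-Warning 'DisableLoopbackCheck=1 is set on this server; removing it in favour of BackConnectionHostNames'
    Remove-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck
}

# Every host name SharePoint answers to (all web applications, all zones), lower-cased
$farmHosts = Get-SPAlternateURL |
    ForEach-Object { ([uri]$_.IncomingUrl).Host.ToLowerInvariant() } |
    Sort-Object -Unique

# Merge with whatever is already there so entries added for other products survive
$existing = (Get-ItemProperty -Path $msvKey -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
$merged   = @($existing) + @($farmHosts) | Where-Object { $_ } | Sort-Object -Unique

# REG_MULTI_SZ: one host name per entry, no scheme, no port
Set-ItemProperty -Path $msvKey -Name BackConnectionHostNames -Value ([string[]]$merged) -Type MultiString

'BackConnectionHostNames now contains:'
(Get-ItemProperty -Path $msvKey -Name BackConnectionHostNames).BackConnectionHostNames

# The change is picked up after the IIS Admin service restarts (IIS sites restart with it)
Restart-Service -Name IISADMIN -Force
```

Rerun the script whenever a web application is created or an alternate access mapping changes; a host name missing from the list shows up as the same HTTP 401.1 for server-side calls (search crawls, workflows, the user profile service) to that URL.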

TCP/IP Ports of SharePoint 2013/2016

List of ports used by SharePoint 2013/2016 and its related services. This table was built by Thomas Balkeståhl, from his blog http://blog.blksthl.com/2013/02/21/tcpip-ports-of-sharepoint-2013/

Protocol | Port | Usage | Comment

TCP | 80 | http | Client to SharePoint web server traffic (SharePoint to Office Web Apps communication)

TCP | 443 | https/ssl | Encrypted client to SharePoint web server traffic (encrypted SharePoint to Office Web Apps communication)

TCP | 1433 | SQL Server default communication port | May be configured to use a custom port for increased security

UDP | 1434 | SQL Server default port used to establish a connection (SQL Browser) | May be configured to use a custom port for increased security; not needed when the SharePoint servers connect to a fixed port

TCP | 445 | SQL Server using named pipes | When SQL Server is configured to listen for incoming client connections by using named pipes over a NetBIOS session, SQL Server communicates over TCP port 445

TCP | 25 | SMTP for e-mail integration | Cannot be configured in SharePoint 2013; SharePoint 2016 allows a non-default outgoing SMTP port

TCP | 16500-16519 | Ports used by the search index component | Intra-farm only; inbound rule added to Windows Firewall by SharePoint

TCP | 22233-22236 | Ports required for the AppFabric Caching Service | Distributed Cache

TCP | 808 | Windows Communication Foundation communication | WCF

TCP | 32843 | Communication between web servers and service applications | http (default); to use a custom port, see the references section; inbound rule added to Windows Firewall by SharePoint

TCP | 32844 | Communication between web servers and service applications | https; inbound rule added to Windows Firewall by SharePoint

TCP | 32845 | net.tcp binding (only if a third party has implemented this option for a service application) | Custom service applications; inbound rule added to Windows Firewall by SharePoint

TCP | 32846 | Microsoft SharePoint Foundation User Code Service (for sandboxed solutions) | Inbound on all web servers; inbound rule added to Windows Firewall by SharePoint; outbound on all web and application servers with the service enabled

TCP | 5725 | User Profile Synchronization Service (FIM) | Synchronizing profiles between SharePoint 2013 and Active Directory Domain Services (AD DS) on the server that runs the Forefront Identity Management agent; SharePoint 2013 only

TCP + UDP | 389 | User Profile Synchronization Service (FIM) | LDAP service; SharePoint 2013 only

TCP + UDP | 88 | User Profile Synchronization Service (FIM) | Kerberos; SharePoint 2013 only

TCP + UDP | 53 | User Profile Synchronization Service (FIM) | DNS

UDP | 464 | User Profile Service (FIM) | Kerberos change password; SharePoint 2013 only

TCP | 809 | Office Web Apps | Intra-farm Office Web Apps communication

Two points to keep in mind when turning this table into firewall rules. The SQL Server rows describe the SQL Server host, not the SharePoint servers; only the SharePoint servers should be able to reach those ports. And the inbound rules SharePoint adds to Windows Firewall (32843-32846, 16500-16519) allow any remote address, so scope them to the farm's own servers; a service application endpoint reachable from a workstation is an avoidable exposure.
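A table is only useful if it is compared with what the servers actually do. The script below is an added example and not part of the whitepaper: it lists the ports this server listens on, with the owning process, marks everything that is not in the table above, and then tests the path to SQL Server on the default and on a custom port. It assumes an elevated PowerShell on a SharePoint server running Windows Server 2012 or later (for Get-NetTCPConnection); the SQL host name and the custom port 14330 are assumptions.

```powershell
# Added example, not from the whitepaper: compare this server's listening ports with
# the table above and mark every port outside it. Run elevated on a SharePoint server
# (Windows Server 2012 or later). The SQL host and custom port are assumptions.
$expected = @{
    80    = 'http'
    443   = 'https'
    808   = 'WCF'
    32843 = 'service applications (http)'
    32844 = 'service applications (https)'
    32845 = 'service applications (net.tcp)'
    32846 = 'user code service (sandboxed solutions)'
}
16500..16519 | ForEach-Object { $expected[$_] = 'search index component' }
22233..22236 | ForEach-Object { $expected[$_] = 'Distributed Cache (AppFabric)' }

$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |   # loopback-only listeners are not reachable from the network
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $port = [int]$_.LocalPort
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $role = if ($expected.ContainsKey($port)) { $expected[$port] } else { 'NOT IN TABLE: justify or close' }
        [pscustomobject]@{ Port = $port; Address = $_.LocalAddress; Process = $proc.ProcessName; Role = $role }
    }
$listeners | Format-Table -AutoSize

# Path toward SQL Server: the default port should stop answering once a custom port is in use
$sqlServer = 'sql01.contoso.local'   # assumption
$sqlPorts  = 1433, 14330             # default, then an assumed custom port
foreach ($p in $sqlPorts) {
    $t = Test-NetConnection -ComputerName $sqlServer -Port $p -WarningAction SilentlyContinue
    '{0}:{1} reachable={2}' -f $sqlServer, $p, $t.TcpTestSucceeded
}
```

Expect Windows itself to appear in the "NOT IN TABLE" rows (135, 445, 5985 for remoting, 3389 for Remote Desktop); the point is that each one gets a written justification, and that a listener owned by an unexpected process, or a SQL Server still answering on 1433 from a SharePoint server, stands out immediately.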

Data Loss Prevention in SharePoint 2016

Microsoft included Data Loss Prevention (DLP) in SharePoint 2016 in order to identify, monitor, and automatically protect sensitive information in documents across your site collections. It can detect more than 50 sensitive information types, such as credit card numbers and Social Security Numbers. DLP works on the search index, so content must have been crawled before a DLP query or policy can find it, and a policy protects only the site collections it is assigned to.

You can find more information, including how to configure it and use it to block sensitive information from the wrong users, in this link:

Overview of data loss prevention in SharePoint Server 2016

https://support.office.com/en-us/article/overview-of-data-loss-prevention-in-sharepoint-server-2016-80f907bb-b944-448d-b83d-8fec4abcc24c

Outgoing SMTP Encryption

SharePoint 2016 introduced encryption of outgoing e-mail: in the Outgoing E-Mail Settings page in Central Administration, set the connection encryption (SSL/TLS) option to Yes. SharePoint then negotiates TLS, TLS 1.2 where the mail server supports it, for the SMTP session, so alert and workflow mail (which carries document names and links) no longer crosses the network in clear text. The SMTP server must offer TLS and present a certificate the SharePoint servers trust; earlier SharePoint versions have no such option.

Google Hacking

By using advanced search operators in the Google search engine we can expose sensitive information related to SharePoint, or read it from the Google cache, even after the website's owner has added access control to those pages, as long as Google crawled them before the control was added.

Attackers use the Google search engine to scan your website passively, without sending a single request to it, which preserves their anonymity and leaves nothing in your logs.

Always keep this in mind: "To be secure, keep sensitive data away from public search engines".

Preferences

Before we test the SharePoint websites, it is recommended to set up some preferences in the Google search engine.

Go to https://www.google.com.sa/preferences and turn off SafeSearch filters, so that we can tell during the assessment whether the website contains violent or adult content.

Advanced Operators

The following table shows the most common operators used with the Google search engine (the table is not reproduced in this text version).

Note

Remember, keywords and terms used in a Google search are not case sensitive, except for "or": it must be written "OR" to be used as an operator.

Hacking Your Website

Start with the "site" operator to get only results for your domain or IP address. For example, to get results from the www.microsoft.com domain only:

site:www.microsoft.com

This search also helps you recognize the highest ranking pages in your websites.

If you want to check whether this domain has subdomains, search the parent domain while excluding the main host:

site:microsoft.com -site:www.microsoft.com

To reduce the number of results, you can exclude common extensions such as .aspx:

site:www.microsoft.com -filetype:aspx

To search only for specific extensions, name them instead, for example filetype:xls or filetype:docx, combining several with OR.

To see the cached version of a specific document, click the cache link.

Note

If you open the cache link, any external resources such as images or Flash are requested from the original website; only the text of the page comes from Google. To keep the request anonymous, copy the cache link without opening it, paste it into another browser tab with the query string &strip=1 appended (the text-only version), or use an Internet proxy.

Many website owners forget to disable directory listing pages, which can disclose information such as website folders and the framework version. Directory browsing is disabled by default in IIS 7 and later, so check that nobody has turned it on for a virtual directory.

Try to search for sensitive data inside files such as logs and web.config, for example by combining filetype:log or filetype:config with the site operator.

Try to search for application pages under the SharePoint website, such as _layouts/settings.aspx, with the inurl operator.

Try common titles or text content from SharePoint pages, such as "All Site Content", with the intitle operator.

Remember: in this case SharePoint knowledge is the power.

To search for login pages, use the same approach with words such as "login" in the URL or the title.

Note

Try many synonyms, such as "Login" or "Logon", and combine them in one search with OR.

Search for sensitive data such as e-mail addresses, accounts and phone numbers by using part of their pattern, for example the "@yourdomain" part of an e-mail address together with the site operator.

Search for the common words used by frameworks, such as "Powered By", or search for common error messages related to ASP.NET or SharePoint, for example the text of the ASP.NET "Server Error in '/' Application" page.

Search for critical words such as password (again use synonyms), admin or .bak files.

Also, the Google search engine can help in a session hijacking attack by searching for the authentication cookies that forms-authentication applications use, when a page or log containing them has been indexed.

Finally, try these tips:

Combine these operators with the site operator to narrow the results.

Exclude the common public resources from your search results, such as .aspx and .doc.

Again, your knowledge of SharePoint is the power in Google hacking.

Robots.txt configuration

Robots.txt instructs crawlers to allow or disallow crawling of specific paths. This file must be in the root of your website. It is advisory only: a well-behaved crawler obeys it, an attacker reads it as a list of the paths you care about, and it is no substitute for access control. Keep it to broad paths such as /_layouts/ rather than naming individual admin pages, and rely on permissions and the meta tags below for anything sensitive. On SharePoint publishing sites, the Search Engine Sitemap site collection feature generates robots.txt and sitemap.xml for you.

The configurations below help the webmaster control the way your websites are crawled.

Caching

To prevent the Google search engine and other crawlers from caching your pages, add this meta tag to your website pages:

<META NAME="ROBOTS" CONTENT="NOARCHIVE">

To prevent only the Google crawler, use this meta tag:

<META NAME="GOOGLEBOT" CONTENT="NOARCHIVE">

Snippet

To remove the cached copy and the text shown as the description in the Google search result, use this meta tag:

<META NAME="GOOGLEBOT" CONTENT="NOSNIPPET">

This is good for admin pages or user management pages.

For more information, check this link http://noarchive.net/meta/

No Index

To prevent crawlers from indexing the content of a page and from following its links, use this meta tag:

<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">

A crawler can only read the tag on a page it is allowed to fetch, so do not also block that page in robots.txt; otherwise the URL can still appear in results on the strength of links alone.

Remove Pages from Google's Index

To remove pages from the Google search index, follow the steps at this URI:

https://www.google.com/webmasters/tools/url-removal

Tools

Instead of doing Google hacking manually, there are many free tools that automate the process with a predefined dictionary of queries, which helps to find admin, application or otherwise sensitive URIs related to SharePoint.

GHDB

The Google Hacking Database (GHDB) is a source of common queries used with the Google search engine to find sensitive data, vulnerable servers and other disclosed information.

This database is integrated with the Exploit Database, which holds many public exploits, so a tester can check web applications against public exploits, identify error messages, and access sensitive files and logs.

Go to https://www.exploit-db.com/google-hacking-database/

Try to search for queries related to SharePoint.

Look closely at these common queries and try to test them against your own sites.

WIKTO

WIKTO is a Windows-based tool (like NIKTO in Kali Linux) that helps the tester or attacker find vulnerabilities in a website by scanning for common server misconfigurations and unpatched systems. The tool has many features, but its most important part is the ability to locate vulnerabilities by applying queries from the Google Hacking Database (GHDB). It simply imports the latest GHDB list and then runs those queries against the Google search engine to find holes in your website.

Steps

Download it from https://github.com/sensepost/wikto

Open the WIKTO tool.

Go to the Google Hacking tab.

Click "Load Google Hack Database" to download the latest version of the GHDB to your PC.

Wait until you get a confirmation.

Enter the domain name to test, and click Start.

It will try the many common patterns that exist in the GHDB.

In my case it did not work; I think the reason is that Google prevents such tools from automating searches against its search engine.

SearchDiggity

Another automated tool that tries to find disclosed information and exposed vulnerabilities by Google hacking.

This tool is more accurate for our purpose because it has a predefined dictionary for SharePoint websites, used to attack your SharePoint website through search engines such as Google or Bing.

You can download the tool from http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/

Open the SearchDiggity tool.

In this case we will go with Bing hacking: go to the Bing tab.

Enter the target site and check SharePoint Diggity on the right side, which holds the list of queries applicable to SharePoint websites.

Then click the Scan button.

Check the output; it tells you how many resources match the queries.

To use Google hacking, you need a workaround because Google prevents this tool from automating the search.

Let us try the workaround described in this URI:

http://www.bishopfox.com/blog/2014/08/searchdiggity-avoid-bot-detection-issues-leveraging-google-bing-shodan-apis/

Go to the Google Developers Console https://code.google.com/apis/console

Enable the API.

Then go to Credentials.

Choose API Key.

I created an API key based on the Server option.

Enter this key in the SearchDiggity tool and then click Scan.

Check the output; it tells you how many resources match the queries.

Note

Bing and Google need an API key to let the user automate the search process. The key is also limited to a quota per day, and in some cases it will cost you money. Treat the key as a secret: it is tied to your account and billing, so restrict it to the IP address of the machine that uses it and do not commit it to a script repository.

SHODAN

Use Shodan to discover which of your devices are connected to the Internet, where they are located and who is using them. Here I will show you how response headers are risky.

Go to https://www.shodan.io/

Enter the following search term: MicrosoftSharePointTeamServices country:US

It returns every host in the US that sends the MicrosoftSharePointTeamServices response header, which carries the SharePoint build number, and you can filter further on Windows or IIS versions. An attacker uses this to pick targets on an unpatched build without touching them; the fix is to strip that header, together with Server, X-Powered-By and X-AspNet-Version, in IIS or at the reverse proxy.

Recommended Reference

Google Hacking for Penetration Testers, Third Edition

By Johnny Long, Bill Gardner, Justin Brown

SharePoint Support

Because SharePoint is a product developed by Microsoft, its support status needs to be maintained so that you keep receiving hotfixes and updates for bugs and security issues.

For SharePoint 2010 there are no more service packs, so make sure to upgrade to SharePoint 2013 or later. Security-related hotfixes are still created for SharePoint 2010, but any other problem in the product will not be fixed (except for customers who purchased Extended Hotfix Support through Premier Support). Whatever the version, check every month that the farm's build (Central Administration, Upgrade and Migration, Check product and patch installation status) corresponds to the latest public update, and read the security bulletins it addresses.

You can find more information in this URI

https://blogs.technet.microsoft.com/stefan_gossner/2015/10/14/still-on-sharepoint-2010-second-edition/

Metasploit

For security professionals, this is one of the most important testing tools. You can consider it a framework (a collection of tools, integrated with many other tools) for tasks such as scanning ports and running exploits against Windows, SQL Server, SharePoint and other products.

You can download the tool from this URI http://www.metasploit.com/

In my case, I run this tool from Kali 2, which has the Metasploit community version installed by default.

Run this command from a terminal: msfconsole

To search for SharePoint exploits, run the following command:

search sharepoint

At the time of writing it has only one exploit for SharePoint, and that one targets SharePoint 2007, which makes it of little use as an exploitation tool against SharePoint 2010 or 2013. That does not mean we cannot use it to test our SharePoint environment: it still has good exploits and auxiliary modules against the other products in the farm, such as Windows, SQL Server, Active Directory and so on, and a SharePoint farm is only as secure as the SQL Server and the domain behind it.

ASafaWeb

Automated Security Analyzer for ASP.NET Websites (ASafaWeb) is an online testing tool created by Troy Hunt that scans your website by sending HTTP requests and looking at how the site responds.

This tool helps you find common misconfiguration vulnerabilities in live ASP.NET websites. The configurations it checks are:

Tracing

Custom errors

Stack trace

Request validation

HTTP to HTTPS redirect

Hash DoS patch

ELMAH logs

Excessive headers

HttpOnly cookies

Secure cookies

Clickjacking

ViewState MAC

You can find more information about the scans in this URI

https://asafaweb.com/Home/Scans

Because SharePoint is built on top of ASP.NET, this tool is helpful for scanning your SharePoint websites to find these misconfigurations.

Go to https://asafaweb.com/, enter your website and click Scan.

After scanning your website, it shows the result in a simple way with tips to fix the issues.

All of the above points except the ELMAH log apply to SharePoint; even the ELMAH add-on can be used with custom applications hosted in SharePoint for custom error logging and handling.

I explained how to fix all these issues earlier in this whitepaper, but three points in the above results need to be considered.

First point, "Request validation: Fail". SharePoint, like other .NET content management systems, has a lot of places where rich text needs to be submitted to the server, so by default Microsoft disables ValidateRequest in web.config; if you try to enable it, you will no longer be able to create pages with HTML content. In this case you need to accept the risk and keep this feature disabled, but take care of your SharePoint and make sure it is patched with up-to-date fixes. If you have custom code, make sure to validate and encode input on both the client and server sides, using libraries such as AntiXSS; request validation was only ever a partial defence, and output encoding is what actually stops cross-site scripting.

For the second point, "Hash DoS patch: Not tested", just make sure your SharePoint farm is updated with the latest service pack and cumulative updates; the hash-collision denial-of-service fix (MS11-100) is part of every supported .NET Framework build.

For the last point, "HTTP to HTTPS: Warning", no SharePoint-specific action is needed beyond serving the site only over HTTPS (redirect HTTP to HTTPS in IIS and send an HSTS header, so users cannot keep using the plain address); the rest is about user awareness and education.
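The same questions can be answered from your own machine, without sending the site to a third-party scanner, and the same request loop doubles as a check for the anonymous exposure that the Google searches in the "Hacking Your Website" section look for. The script below is an added example and not part of the whitepaper: it reproduces the response-header part of the ASafaWeb checks (HTTP to HTTPS redirect, clickjacking, HttpOnly and Secure cookies, excessive headers, custom errors), including the MicrosoftSharePointTeamServices header the Shodan query keys on, and then probes a list of SharePoint paths as an anonymous client. The host name, the path list and the list of unwanted headers are assumptions.

```powershell
# Added example, not from the whitepaper: (a) the response-header checks ASafaWeb
# reports, including the version headers Shodan indexes, and (b) anonymous exposure
# of SharePoint paths that Google dorks target. Host, paths and headers are assumptions.
$hostName = 'www.contoso.com'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# One raw request without following redirects; non-2xx responses are returned, not thrown
function Get-RawResponse([string]$url) {
    $req = [Net.HttpWebRequest]::Create($url)
    $req.AllowAutoRedirect = $false
    $req.UserAgent = 'exposure-audit'
    $req.Timeout = 20000
    try { $resp = $req.GetResponse() }
    catch [Net.WebException] {
        $resp = $_.Exception.Response
        if (-not $resp) { return [pscustomobject]@{ Url = $url; Status = -1; Headers = @{}; Cookies = @(); Body = '' } }
    }
    $headers = @{}
    foreach ($k in $resp.Headers.AllKeys) { $headers[$k] = $resp.Headers[$k] }
    $cookies = $resp.Headers.GetValues('Set-Cookie'); if (-not $cookies) { $cookies = @() }
    $body = (New-Object IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
    $resp.Close()
    [pscustomobject]@{ Url = $url; Status = [int]$resp.StatusCode; Headers = $headers; Cookies = @($cookies); Body = $body }
}

$https = Get-RawResponse "https://$hostName/"
$http  = Get-RawResponse "http://$hostName/"
$err   = Get-RawResponse "https://$hostName/_layouts/15/no-such-page-$(Get-Random).aspx"

# Headers that disclose product and version (the Shodan query matches the last one)
$unwanted = 'Server', 'X-Powered-By', 'X-AspNet-Version', 'MicrosoftSharePointTeamServices'
$leaked   = @($https.Headers.Keys | Where-Object { $_ -in $unwanted })

$checks = @(
    [pscustomobject]@{ Check = 'HTTP redirects to HTTPS';             Pass = ($http.Status -in 301, 302, 307, 308) -and ($http.Headers['Location'] -like 'https://*') }
    [pscustomobject]@{ Check = 'Clickjacking: X-Frame-Options sent';  Pass = [bool]$https.Headers['X-Frame-Options'] }
    [pscustomobject]@{ Check = 'Cookies flagged HttpOnly';            Pass = -not @($https.Cookies | Where-Object { $_ -notmatch 'HttpOnly' }) }
    [pscustomobject]@{ Check = 'Cookies flagged Secure';              Pass = -not @($https.Cookies | Where-Object { $_ -notmatch 'Secure' }) }
    [pscustomobject]@{ Check = "No version headers ($($leaked -join ', '))"; Pass = $leaked.Count -eq 0 }
    [pscustomobject]@{ Check = 'Custom errors (no ASP.NET error page)'; Pass = $err.Body -notmatch "Server Error in '.*' Application|Stack Trace" }
)
$checks | Format-Table -AutoSize

# Anonymous exposure of the paths the dorks look for (assumed list; extend it)
$paths = '/robots.txt', '/_layouts/15/settings.aspx', '/_layouts/15/viewlsts.aspx', '/_layouts/15/user.aspx',
         '/_api/web', '/_vti_bin/client.svc', '/_vti_bin/lists.asmx', '/web.config'
foreach ($p in $paths) {
    $r = Get-RawResponse "https://$hostName$p"
    $flag = ''
    if ($r.Status -eq 200 -and $p -ne '/robots.txt') { $flag = 'served to anonymous users: check the zone permissions' }
    '{0,4}  {1,-30} {2}' -f $r.Status, $p, $flag
    if ($p -eq '/robots.txt' -and $r.Status -eq 200) {
        # robots.txt is public by design; its Disallow lines are the paths the owner wants hidden
        $r.Body -split "`n" | ForEach-Object { if ($_ -match '^\s*Disallow:\s*(\S+)') { "      robots.txt advertises: $($Matches[1])" } }
    }
}
```

A 401 or a 302 to a login page is the answer you want for the application pages; a 200 for _api/web or client.svc on an anonymous zone means the Use Remote Interfaces permission is not being required there. Because the helper does not follow redirects, a forms-authentication site that bounces to its login page is reported as 302, not as a false 200.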

Page 73: Maximizing SharePoint Security Whitepaper v2...Author for SharePoint 2013 book and many SharePoint whitepapers including Search, Variation and Availability topics, focus on building

73 | P a g e

CIS SharePoint benchmark CIS benchmark document is currently available for SharePoint 2007 but still there are

many security controls can be applied to SharePoint 2010/2013, this checklist includes

only what is applicable to new versions.

You can find the details and steps in this URL

https://benchmarks.cisecurity.org/downloads/benchmarks/

Security Control Set Correctly

Yes No

Accounts

Verify a Least Privileged Setup Account

Verify a Least Privileged Office SharePoint Server Search Account

Verify a Dedicated Excel Services Unattended Service Domain Account

Verify a Least Privileged Separate Domain User Account for Each Application Pool

Verify a Least Privileged SQL Server Service Account

Verify a Least Privileged Dedicated Server Farm Domain Account

Verify a Least Privileged Dedicated Default Content Access account

Verify a Dedicated Least Privileged Profile Import Default Access Account

Installation and Configuration

Secure Windows Host Operating System

Secure IIS Components

Secure Microsoft SQL Components

SharePoint Server Hotfixes and Service Packs

Central Administration Site Location (not hosted on a front-end)

Central Administration Site Access (using Firewall)

Enable Secure Sockets Layer (SSL) on the Central Administration site

Limit Intranet IP Address in External DNS

Central Administration

Enable Secure Sockets Layer (SSL)

Block potentially dangerous uploads

Pluggable Authentication Provider

Configure antivirus settings

Disable Self-Service Site Creation

Set List, Site and Personal Permissions as Appropriate

Set Access Rights per Zone

Disable Anonymous Access

Enable SSL for Web Applications

Use quota Templates

Set Security Validation to On

Define a Secondary Site Collection Administrator

Set SMTP Mail Server

Specify Search "exclude" Crawl Rules

Site Administration

Do Not Crawl Sensitive Content

Set the "Auto-accept requests?" property to [No]

Allow only Group Owners to Edit Group Membership

Page 74: Maximizing SharePoint Security Whitepaper v2...Author for SharePoint 2013 book and many SharePoint whitepapers including Search, Variation and Availability topics, focus on building

74 | P a g e

Restrict who can View Group Membership

Backup and Recovery

Configure document versioning

Two-stage Recycle Bin

Back up SharePoint

Backup IIS Configurations

Enable Recycle Bin

Back up critical sites

Recycle Bin Retention Period

Logging and Reporting

Diagnostic Logging

SharePoint Extensions

Use Strong-names for Web.config [SafeControl] Entries

Permissions on ASP.NET Applications

Also CIS Microsoft SharePoint 2016 Benchmark released on 8-2017 (version 1.0) and the

below is the list of security controls:

https://www.cisecurity.org/benchmark/microsoft_sharepoint/

Security Control Set Correctly

Yes No

Settings

Ensure access to SharePointEmailws.asmx is limited to only the server farm account

Ensure that the SharePoint Central Administration Site is TLS-enabled

Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set

Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Authentication Provider

Access and Permissions

Ensure 'Block File Types' is configured to match the enterprise blacklist

Ensure the SharePoint farm service account (database access account) is configured with the minimum privileges for the local server

Ensure the SharePoint setup account is configured with the minimum privileges in Active Directory

Ensure SharePoint provides the ability to prohibit the transfer of unsanctioned information in accordance with security policy

Ensure the SharePoint setup account is configured with the minimum privileges on the SQL server

Ensure the SharePoint farm service account (database access account) is configured with the minimum privileges on the SQL server

Ensure only the server farm account has access to SharePointEmailws.asmx

Ensure a separate organizational unit (OU) in Active Directory exists for SharePoint 2016 objects

Ensure the SharePoint Central Administration site is not accessible from Extranet or Internet connections


Ensure Dbcreator and Securityadmin roles are only used as needed

Ensure that the SharePoint Online Web Part Gallery component is configured with limited access

Secure Infrastructure Design

Ensure a secondary SharePoint site collection administrator has been defined on each site collection

Ensure SharePoint implements an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions

Ensure SharePoint implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers

Ensure SharePoint identifies data type, specification, and usage when transferring information between different security domains so policy restrictions may be applied

Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured

Ensure that SharePoint is configured with "Strict" browser file handling settings

Ensure that SharePoint is set to reject or delay network traffic generated above configurable traffic volume thresholds

Ensure that On-Premise SharePoint servers are configured without OneDrive redirection linkages

Ensure that the default SharePoint database server ports are changed and/or disabled

Ensure that SharePoint application servers are protected by a reverse proxy

Ensure SharePoint database servers are segregated from application server and placed in a secure zone

Ensure that the SharePoint Central Administration interface is not hosted in the DMZ

Authentication

Ensure SharePoint displays an approved system use notification message or banner before granting access to the system

Ensure claims-based authentication is used for all web applications and zones of a SharePoint 2016 farm

Ensure Windows Authentication uses Kerberos and not the NT Lan Manager (NTLM) authentication protocol

Ensure Anonymous authentication is denied

Auditing

Ensure that auditable events and diagnostic tracking settings within the SharePoint system are consistent with the organization's security plans

Ensure that remote sessions for accessing security functions and security-relevant information are audited

Services and Connections

Ensure that the SQL Server component to SharePoint is set to listen on non-default ports, with the defaults (UDP 1434 and TCP 1433) disabled

Ensure HTTPS binding: TCP 32844 is used

Ensure that SharePoint user sessions are terminated upon user logoff and when the idle time limit is exceeded


Web.Config Configuration

Ensure that the MaxZoneParts setting for Web Part limits is set to 100

Ensure that the SafeControls list is set to the minimum set of controls needed for your sites

Ensure compilation or scripting of database pages via the PageParserPaths elements is not allowed

Ensure the SharePoint CallStack and AllowPageLevelTrace "SafeMode" parameters are set to false
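The four Web.Config items above, together with the earlier "Use Strong-names for Web.config [SafeControl] Entries" item, can be checked mechanically. The following audit script is an added example, not part of the whitepaper or the CIS benchmark; it assumes the default layout of the <SharePoint> section in a SharePoint web.config (SafeMode, PageParserPaths, WebPartLimits, SafeControls) and runs against a constructed, deliberately weak sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <SharePoint> section of a web.config. Element and
# attribute names follow the default SharePoint layout; the values are
# deliberately weak so that every check below produces a finding.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="true" AllowPageLevelTrace="true">
      <PageParserPaths>
        <PageParserPath VirtualPath="/*" CompilationMode="Always"
                        AllowServerSideScript="true" IncludeSubFolders="true" />
      </PageParserPaths>
    </SafeMode>
    <WebPartLimits MaxZoneParts="500" PropertySize="1048576" />
    <SafeControls>
      <SafeControl Assembly="ContosoParts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
                   Namespace="ContosoParts" TypeName="*" Safe="True" />
    </SafeControls>
  </SharePoint>
</configuration>
"""

MAX_ZONE_PARTS = 100  # value named by the benchmark item above


def _is_true(value):
    return (value or "").strip().lower() == "true"


def audit_web_config(xml_text):
    """Return (control, detail) findings; an empty list means all checks pass."""
    sp = ET.fromstring(xml_text).find("SharePoint")
    if sp is None:
        return [("SharePoint", "no <SharePoint> section found")]
    findings = []
    safe_mode = sp.find("SafeMode")
    if safe_mode is not None:
        # CallStack / AllowPageLevelTrace leak stack traces and page traces to users
        for attr in ("CallStack", "AllowPageLevelTrace"):
            if _is_true(safe_mode.get(attr)):
                findings.append(("SafeMode", f"{attr} must be false"))
        # Any path that compiles or allows server-side script is a finding
        for path in safe_mode.iter("PageParserPath"):
            if _is_true(path.get("AllowServerSideScript")) or path.get("CompilationMode", "Never") != "Never":
                findings.append(("PageParserPaths", f"{path.get('VirtualPath')} allows compilation or scripting"))
    limits = sp.find("WebPartLimits")
    zone_parts = int(limits.get("MaxZoneParts", "0")) if limits is not None else 0
    if zone_parts > MAX_ZONE_PARTS:
        findings.append(("WebPartLimits", f"MaxZoneParts={zone_parts} exceeds {MAX_ZONE_PARTS}"))
    # SafeControl entries without a real PublicKeyToken are not strong-named
    for ctl in sp.iter("SafeControl"):
        token = re.search(r"PublicKeyToken=([0-9a-fA-F]+|null)", ctl.get("Assembly", ""))
        if token is None or token.group(1).lower() == "null":
            findings.append(("SafeControls", f"{ctl.get('Assembly')} is not strong-named"))
    return findings
```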


Thank You

Thanks for reading this whitepaper. Again, I really hope this has been informative and that it will help you to maximize SharePoint security. For any questions or comments, send me an email @ [email protected] .