Overcoming Security Threats and Vulnerabilities in SharePoint

Transcript of Overcoming Security Threats and Vulnerabilities in SharePoint

© 2016 Protiviti Inc. CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party.

ANTONIO MAIO
PROTIVITI SENIOR MANAGER
MICROSOFT SHAREPOINT MVP
Email: [email protected]
Twitter: @AntonioMaio2
Blog: www.TrustSharePoint.com


WHO ARE WE

3,300 professionals
Over 20 countries in the Americas, Europe, the Middle East and Asia-Pacific
70+ offices
Our revenue: more than $743 million in 2015

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti serves clients through a network of more than 70 locations in over 20 countries. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

AGENDA

Where is the Exposure?

SharePoint On Premise vs Office 365

Online: Security Strategy and Features

On Premise: Security Configuration & Hardening

Information Governance

Final Thoughts & Recommendations


WHERE IS THE EXPOSURE?

The Disorganized
The Lazy
The Overcautious
The Stressed
The Inexperienced
The Home Worker
The Newcomer
The Industrious
The Partisan
The Spy
The Careless
The Malicious
Malware


WHY SECURE SHAREPOINT?

• Represents our intranet, collaboration portal, extranet, public facing web site, line of business, process automation, business analytics…

• SharePoint is our Repository for Corporate Data

• Sensitive Corporate Data

• Many Aspects of our Business Run on SharePoint

• Users Rely on it to Accomplish Day to Day Work

• Critical Business Infrastructure


SHAREPOINT ON PREMISE VS OFFICE 365

SharePoint On Premise: hosted within the corporate network (data center, Azure, AWS).

• All data and systems are fully within corporate control
• Corporate IT is responsible for:
  • All servers/infrastructure – security hardening, firewall, network security, anti-malware, intrusion detection, etc.
  • Regular patching & updates
  • System uptime
  • TLS (data in motion) & SQL encryption (data at rest)
• Corporate IT & Business responsible for Compliance
• New Services/Solutions – Corporate Dev team responsible for security design & privacy
• User security controls/Administrative security controls
• You are responsible for security configuration within sites and information governance policies/procedures

Office 365 - SharePoint Online: SharePoint infrastructure hosted in Microsoft Data Centers.

• World class physical data center security (included)
• Microsoft manages:
  • Security hardening & network level security
  • Regular patching & updates
  • SLA ensuring 99.9% uptime
  • DR through global network of data centers
  • Encryption for data at rest and in motion
• Complies with data privacy standards: HIPAA, HITECH, CSA Star Registry, EU Model Clauses, ISO27001, SOC1, SOC2 (included)
• New Services/Solutions – Privacy by Design
• User security controls/Administrative security controls
• You are responsible for security configuration within sites and information governance policies/procedures


OFFICE 365 DEFENSE IN DEPTH STRATEGY

[Diagram: layers – Physical Layer, Logical Layer, Data Layer, Security Features. Controls shown: Facility and Network Security; Automated Operations; Control Admin Access to Data; Security Development Life Cycle; Anti-Malware, Patching, and Config. Management; Data Isolation; Data Integrity]


OFFICE 365 SECURITY FEATURES

• Information Rights Management
• Retention Policies
• Activity Monitoring
• Data Loss Prevention
• External Sharing Controls
• SharePoint Permissions
• Audit Reports
• (built in) TLS 1.2 Communication
• (built in) Encrypted Data at Rest
• Customer Lockbox
• Azure AD Multi-Factor Auth.
• Azure AD Identity Protection
• Bring your Own Key
• Office 365 Trust Center


Question & Answer

DEMONSTRATION: DATA LOSS PREVENTION IN OFFICE 365


Question & Answer

SHAREPOINT ON PREMISE: SECURITY CONFIGURATION & SECURITY HARDENING


SECURITY STARTS WITH DEPLOYMENT

• Before deploying, plan and document your service accounts
  • SQL Server Service Account
  • Setup Account
  • Farm Service Account
  • SharePoint Web Application Pool Account
  • SharePoint Service Account (Service App Pool Identity)
  • Search Crawl Account
  • User Profile Synchronization Account
  • Cache Accounts (superreader, superuser)
  • SQL Service Analytics & Excel Services Accounts
• Use a Least Privileged Model
• Determine which account farm admins use to log in to Central Admin
• Determine which users will have Shell Access (PowerShell)


WEB APPLICATION AND SITE COLLECTION

Farm & Web Application Configuration
• Authentication
• Web Application Policies (user & permission policies)
• TLS/SSL Communication
• Anonymous Access
• File Types Permitted
• Web Part Security
• Anti-Virus Configuration
• Thresholds (unique security scopes, list view threshold)
• Establish a strategy for patching and security updates

Site Collection Configuration
• Site Collection Administrators
• Site Collection Auditing
• Permission Levels
• Anonymous Access


AUTHENTICATION MODELS

Important to Understand the Options Available

• SharePoint 2010 Options
  • Classic Mode (Integrated Authentication, NTLM, Kerberos)
  • Claims Based Authentication
  • Forms Based Authentication - through Claims Based Auth.
• SharePoint 2013 & 2016 Options
  • Claims Based Authentication - Default
  • Forms Based Authentication
  • Classic Mode Authentication - Deprecated! (only configurable through PowerShell)
• SharePoint Online
  • Only Claims Based Authentication Available
• Other Considerations
  • Trusted Identity Providers
  • Multi-Factor Authentication
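The two slides above list web application settings to review (authentication mode, anonymous access, user policies, permitted file types, TLS). The following script, added here as an example and not part of the deck, inventories those settings across every web application in a farm so they can be checked against a hardening baseline; it is assumed to run in the SharePoint Management Shell on a farm server.

```powershell
# Added example (not from the original deck): inventory per-web-application security
# settings for review. Assumes the SharePoint Management Shell (SharePoint Server
# 2013/2016 object model) on a farm server, run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WebAppSecurityInventory {
    # Get-SPWebApplication excludes Central Administration by default.
    foreach ($wa in Get-SPWebApplication) {
        # The default zone's IIS settings carry the anonymous-access switch for that zone.
        $iis = $wa.GetIisSettingsWithFallback([Microsoft.SharePoint.Administration.SPUrlZone]::Default)

        # Web application user policies apply to every site collection in the web
        # application and override site-level permissions, so list each one explicitly.
        $policies = foreach ($p in $wa.Policies) {
            $roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
            "$($p.UserName) [$roles]"
        }

        [pscustomobject]@{
            Url                  = $wa.Url
            # Classic mode is deprecated in 2013/2016; claims is the expected value.
            ClaimsAuthentication = $wa.UseClaimsAuthentication
            AnonymousAccess      = $iis.AllowAnonymous
            # Data in motion: the default zone URL should be https, even for intranets.
            UsesHttps            = ($wa.Url -like 'https://*')
            BlockedFileTypes     = $wa.BlockedFileExtensions.Count
            UserPolicies         = ($policies -join '; ')
        }
    }
}

# Findings that warrant a review ticket: classic authentication, anonymous access
# enabled, or plain http on a production web application.
Get-WebAppSecurityInventory |
    Where-Object { -not $_.ClaimsAuthentication -or $_.AnonymousAccess -or -not $_.UsesHttps } |
    Format-List
```

Run the unfiltered `Get-WebAppSecurityInventory` output through `Export-Csv` to keep a dated record of the web application policies as part of the patching and configuration baseline.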


AUTHORIZATION

• SharePoint Permissions - Hierarchical model
  • Permissions are inherited from the level above
  • Break inheritance to apply unique permissions
  • Manual process
• Permissive Model
  • SharePoint’s “Share” Interface allows easy fine grained permissions

[Diagram: permission hierarchy – SharePoint Farm > Web Application > Site Collection > Site > Library/List > Document/Item. Example assignments shown: Demo Members (SharePoint Group) Edit; Demo Owners (SharePoint Group) Full Control; Demo Visitors (SharePoint Group) Read; Finance Team (Domain Group) Edit; Senior Mgmt (Domain Group) Full Control; Research Team (Domain Group) Full Control; Antonio.Maio (Domain User) Full Control]


SHAREPOINT PERMISSIONS

• Every time permission inheritance is broken a new security scope is created
• A Security Scope is made up of principals:
  • Domain users/groups
  • SharePoint users/groups
  • Claims
• Be aware of “Limited Access”
• Limitations
  • Security Scopes (50K per list)
  • Size of Scope (5K principals per scope)

Microsoft SharePoint Boundaries and Limits:
http://technet.microsoft.com/en-us/library/cc262787.aspx


SECURITY HARDENING

• System Updates

• Web Server and Application Server Roles

• Services

• Ports and Protocols

• Database Server Role

• Blocking standard ports; Listening on non-standard ports

• Permissions on SQL Service Accounts

• Service Application Communication

• User Profile Synchronization Service

• Connection to External Servers

• Web.Config


DATA IN MOTION & DATA AT REST

• Protect Data in Motion with TLS/SSL
  • Even for Intranets
  • IIS Configuration and SharePoint Central Admin
• Protect Data at Rest with SQL TDE Encryption
  • Separate keys for Test & Prod
  • Understand who you are protecting the system from (DB level access only)


Question & Answer

INFORMATION GOVERNANCE


ROLES & RESPONSIBILITIES

Establish and document key administrative roles & responsibilities

• Document each role related to SharePoint and owners
• Each role has a primary and secondary owner
• Define/educate each role on responsibilities & access requirements
• Include administrative, development and management roles
• Keep documentation up to date and centrally located

Goal: Document and educate admins on the division of duties related to managing the environment and who is responsible for each system. Enable other users to easily determine who to go to for specific tasks/questions/issues.


DATA OWNERSHIP

Establish data owners for each site collection, subsite or collection of subsites

• Typically business users; can be different from site owners
• Define data owner responsibilities
  • Understand sensitivity & regulatory compliance requirements for the data in areas they own
  • Approve/Deny requests for access to data
  • Responsible for permission remediation and certification for their area
• Define & document data owners – ensure they accept
• In all cases, assign a primary & secondary data owner

Goal: Define on a site basis the users responsible for the compliance and security requirements of all types of data. Facilitate implementation of other security policies.


PERMISSION MANAGEMENT

Establish a standard permission management policy

• Determine who manages permissions on sites:
  • Delegate to business OR centralize in IT
  • IT must support data owners & site owners
• Site Collection Admins are different from Site Owners
• Consider if Full Control is right, even for site owners
  • Customize permission levels
• Assist and provide training where necessary
  • Create training videos
  • Provide one-on-one where necessary

Goal: Standardize the method by which permissions are assigned & managed.


PERMISSION REMEDIATION PROCESS

Establish a standard process requiring data owners to review and certify that permissions are correct

• Establish regular cadence
  • Perform every 6 months or 12 months
  • More frequently in areas with sensitive data
• Automate reminders & reports
  • Scripts, reports or third party tools
• Provide data owners with reports of current permissions
• Allow data owners to remediate, with IT providing support
• Require data owners to provide written certification

Goal: On a periodic basis validate that content is correctly shared and users are only permitted to access content necessary to perform their role. Facilitate data owners resolving permission issues.
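The remediation process above needs a report of current permissions per area, and the SharePoint Permissions slide earlier warns about security scopes (50K per list, 5K principals per scope) and Limited Access. The script below, added as an example and not taken from the deck, serves both: it walks one site collection, records every security scope with its principals and permission levels for the data owner, and warns when a scope or list approaches the supported limits. It assumes the SharePoint Management Shell, and the site URL is a placeholder.

```powershell
# Added example (not from the original deck): permission scope report for a data
# owner plus limit checks. Assumes the SharePoint Management Shell on a farm server,
# run as a farm administrator; the site collection URL below is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$MaxScopesPerList      = 50000   # supported limit: unique security scopes per list/library
$MaxPrincipalsPerScope = 5000    # supported limit: principals per security scope

function Get-PermissionScopeReport {
    param([string]$SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            # A site or list with unique permissions is its own security scope; objects
            # that inherit are covered by the parent's scope and are skipped.
            $securables = @()
            if ($web.HasUniqueRoleAssignments) { $securables += $web }
            $securables += @($web.Lists | Where-Object { $_.HasUniqueRoleAssignments })

            foreach ($obj in $securables) {
                $objName = if ($obj -is [Microsoft.SharePoint.SPWeb]) { '(site)' } else { $obj.Title }
                $count = $obj.RoleAssignments.Count   # one role assignment per principal
                if ($count -gt $MaxPrincipalsPerScope) {
                    Write-Warning "$($web.Url) $objName has $count principals (limit $MaxPrincipalsPerScope)"
                }
                foreach ($ra in $obj.RoleAssignments) {
                    $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
                    [pscustomobject]@{
                        Web       = $web.Url
                        Object    = $objName
                        Principal = $ra.Member.Name
                        Levels    = $levels
                        # Limited Access is added automatically so a user can reach a
                        # deeper item; on its own it is not a grant the owner must certify.
                        LimitedAccessOnly = ($levels -eq 'Limited Access')
                    }
                }
            }

            # Item-level inheritance breaks also count toward the per-list scope limit.
            # Enumerating items is expensive on large lists; schedule outside business hours.
            foreach ($list in $web.Lists) {
                $itemScopes = @($list.Items | Where-Object { $_.HasUniqueRoleAssignments }).Count
                if ($itemScopes -gt ($MaxScopesPerList * 0.8)) {
                    Write-Warning "$($web.Url)/$($list.Title): $itemScopes item scopes (limit $MaxScopesPerList)"
                }
            }
            $web.Dispose()
        }
    } finally { $site.Dispose() }
}

# Hand the data owner only the explicit grants; Limited Access rows are noise to them.
Get-PermissionScopeReport -SiteUrl 'https://intranet.example.com/sites/finance' |
    Where-Object { -not $_.LimitedAccessOnly } |
    Export-Csv -Path "Permissions-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Keep the dated CSV with the owner's written certification so the next review cycle can diff against it.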


PRIVILEGED ACCESS REVIEWS

Establish a standard process for access reviews of privileged accounts

• Include IT administrators, Site Collection Admins, Vendors/Contractors with privileged access
• Establish regular cadence - Recommend Quarterly
• Document and Include Executive Oversight
• Automate where possible (notifications, data gathering, reports)
  • Scripts, BI reports or third party tools

Goal: On a periodic basis ensure that privileged users are permitted to access only necessary systems. Facilitate resolution of permission issues.
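The quarterly review above, and the deployment slide's points about least-privileged service accounts, Central Admin access and Shell Access, both need a list of who actually holds farm-level and site-collection-level privilege. The script below is an added example (not from the deck) that gathers that list from a SharePoint Server farm; it assumes the SharePoint Management Shell on a farm server and PowerShell 5.1 or later for Get-LocalGroupMember.

```powershell
# Added example (not from the original deck): inventory privileged principals for a
# periodic access review. Assumes the SharePoint Management Shell on a farm server,
# run as a farm administrator, and PowerShell 5.1+ for Get-LocalGroupMember.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PrivilegedAccessInventory {
    # Farm Administrators are a SharePoint group on the Central Administration root web.
    $ca = Get-SPWebApplication -IncludeCentralAdministration |
          Where-Object { $_.IsAdministrationWebApplication }
    $farmAdmins = $ca.Sites[0].RootWeb.SiteGroups['Farm Administrators']
    foreach ($u in $farmAdmins.Users) {
        [pscustomobject]@{ Scope = 'Farm'; Role = 'Farm Administrator'; Principal = $u.LoginName }
    }

    # Shell admins hold SharePoint_Shell_Access on the configuration database:
    # effectively full control of the farm from PowerShell.
    foreach ($s in Get-SPShellAdmin) {
        [pscustomobject]@{ Scope = 'Farm'; Role = 'Shell Admin'; Principal = $s.UserName }
    }

    # Least privilege: managed service accounts should not be local administrators
    # on the SharePoint servers. This checks the server the script runs on.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    foreach ($ma in Get-SPManagedAccount) {
        if ($localAdmins -contains $ma.UserName) {
            [pscustomobject]@{ Scope = $env:COMPUTERNAME
                               Role = 'Service account in local Administrators'
                               Principal = $ma.UserName }
        }
    }

    # Site Collection Administrators have full control of every site in the collection.
    foreach ($site in Get-SPSite -Limit All) {
        foreach ($admin in $site.RootWeb.SiteAdministrators) {
            [pscustomobject]@{ Scope = $site.Url; Role = 'Site Collection Admin'; Principal = $admin.LoginName }
        }
        $site.Dispose()
    }
}

# Dated export for the reviewers and for executive oversight of the review.
Get-PrivilegedAccessInventory |
    Export-Csv -Path "PrivilegedAccess-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run the local Administrators check on each server in the farm, since group membership is per machine.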


REQUESTING ACCESS TO INFORMATION

Establish a standard process for end users to request access to information

• Create a standard form with fields that must be provided for all access requests:
  • name, purpose, if access must expire?
• Include approvals by IT, data owners and/or requestor's manager
• Make use of workflows for notifications & approval requests
• Log all access - don't rely on SharePoint logs

Goal: Provide an approval process for all access requests. Maintain a historical record. Avoid oversharing data internally.


REQUESTING & CREATING SITES

Establish a standard process for end users to request new sites

• Create a standard form with fields that must be provided for all site requests:
  • name, purpose, primary & secondary data owners, site owners (if different), will contain sensitive data?
• Consider centralizing the site creation process with IT
• Include approval process by IT, data owners, and/or requestor's manager
• Make use of workflows for notifications & approval requests
• Log all requests - don't rely on SharePoint logs

Goal: Prevent site sprawl. Help users to use existing sites instead of always creating new ones. Maintain a historical record. Provide oversight and centralized review.


SITE LIFECYCLE & DECOMMISSIONING

Establish standard processes for site review, archiving & deletion

• Consider:
  • Scenario 1: site is requested - site is created - site never gets used
  • Scenario 2: site is requested & created - site is used - all employees having access leave company - site is forgotten
  • Scenario 3: over time number of sites grows to point of making other governance processes unmanageable
• Process can occur at site collection or subsite level
• Make use of built in attributes: ContentLastModified, SecurityLastModified

Goal: Prevent site sprawl. Prevent forgotten or unused sites.
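One way to operationalize the review step above, as an added example rather than code from the deck: use the site collection's LastContentModifiedDate and LastSecurityModifiedDate (the built-in attributes the slide refers to) together with an Active Directory check of the site collection administrators to surface the three scenarios. It assumes the SharePoint Management Shell and the ActiveDirectory module; the "never used" test is a heuristic of this example's own.

```powershell
# Added example (not from the original deck): find site collections that look
# abandoned. Assumes the SharePoint Management Shell on a farm server and the
# ActiveDirectory module (RSAT) for the account-status lookup.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

function Get-StaleSiteCollections {
    param([int]$StaleDays = 180)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($site in Get-SPSite -Limit All) {
        try {
            $content  = $site.LastContentModifiedDate
            $security = $site.LastSecurityModifiedDate
            $created  = $site.RootWeb.Created

            # Scenario 2: does any site collection admin still have an enabled AD account?
            # Claims logins look like i:0#.w|DOMAIN\user; take the part after the last | or \.
            $activeAdmins = 0
            foreach ($admin in $site.RootWeb.SiteAdministrators) {
                $sam  = ($admin.LoginName -split '[|\\]')[-1]
                $acct = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
                if ($acct -and $acct.Enabled) { $activeAdmins++ }
            }

            $reason = @()
            # Scenario 1 (heuristic): content never changed after provisioning, and it is old.
            if ($created -lt $cutoff -and ($content - $created).TotalDays -lt 1) {
                $reason += 'created but never used'
            }
            if ($content -lt $cutoff)  { $reason += "no content change since $($content.ToShortDateString())" }
            if ($activeAdmins -eq 0)   { $reason += 'no enabled site collection admin' }

            if ($reason.Count -gt 0) {
                [pscustomobject]@{
                    Url                  = $site.Url
                    ContentLastModified  = $content
                    SecurityLastModified = $security
                    Reason               = ($reason -join '; ')
                }
            }
        } finally { $site.Dispose() }
    }
}

# Candidates go to the data owner for review before archiving or deletion.
Get-StaleSiteCollections -StaleDays 180 | Sort-Object ContentLastModified | Format-Table -AutoSize
```

For subsite-level reviews the same approach works with each SPWeb's LastItemModifiedDate in place of the site collection timestamps.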


TAXONOMY & CLASSIFICATION

Establish standard global & departmental taxonomy with sensitivity metadata

• Keep global taxonomy small - applies to all content
• Include metadata fields for sensitivity classification - ex. Sensitive, Restricted, Internal Only, Public
• Make use of managed metadata for centralized management
• Provide end user training (videos, online)
  • End user responsibilities, how to classify, what the classifications mean, distribution & info. handling policies

Goal: Make it easy, and where needed mandatory, for end users to identify sensitive documents & items. Centrally control the classification schema.


SECURITY & GOVERNANCE TRAINING

Establish standard periodic training for employees (annual) & new hires which educates on security & information governance policies, practices, responsibilities

• Use videos, online training, other low impact tools
• Make it very fast for employees to find out how to do something
  • Ex. declare a record, request a site, request access, manage permissions

Goal: Ensure that all employees understand their responsibilities and are contributing proactively to the organization's security strategy.


ACTIVITY AUDITING & MONITORING

Make use of Activity Monitoring capabilities for data breach/leak investigation & automatic alerts

• Build up administrative expertise on using built in Activity Monitoring capabilities (Office 365)
• Implement automatic alerts for specific key activities:
  • Administrative modification of external sharing, granting access to sites containing sensitive content, etc.
• Make use of scripts or third party tools

Goal: Build expertise to investigate data breaches. Ensure all administrators are aware of key administration setting changes.
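The automatic alerts the slide asks for can be built on the Office 365 unified audit log. The script below is an added example, not the deck's own code: a function that turns audit records into alert rows for sharing-policy changes, anonymous links and sharing grants, exercised on two constructed records so it runs offline, followed by the live query. It assumes an Exchange Online PowerShell session (where Search-UnifiedAuditLog is available) and that audit log search is enabled for the tenant; which operations count as alert-worthy is this example's own choice.

```powershell
# Added example (not from the original deck): alert rows from unified audit log records.
# Assumes an Exchange Online PowerShell session for the live Search-UnifiedAuditLog call;
# the operation list below is this example's choice, not a product default.
$AlertOperations = @('SharingPolicyChanged', 'AnonymousLinkCreated', 'SharingSet')

function ConvertTo-SharingAlert {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # AuditData is a JSON document carried as a string on each record.
        $d = $Record.AuditData | ConvertFrom-Json
        if ($AlertOperations -notcontains $d.Operation) { return }
        # A sharing-policy change is an administrative setting change: highest priority.
        $severity = 'Medium'
        if ($d.Operation -eq 'SharingPolicyChanged') { $severity = 'High' }
        [pscustomobject]@{
            Time      = $d.CreationTime
            Operation = $d.Operation
            Actor     = $d.UserId
            Object    = $d.ObjectId
            Target    = $d.TargetUserOrGroupName   # present on sharing grants only
            Severity  = $severity
        }
    }
}

# Constructed sample records (not real tenant data) in the shape the cmdlet returns:
# one policy change that should alert and one file read that should be dropped.
$SampleRecords = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2016-05-01T09:12:00","Operation":"SharingPolicyChanged","UserId":"admin@contoso.example","ObjectId":"https://contoso.example/sites/finance","Workload":"SharePoint"}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2016-05-01T09:40:00","Operation":"FileAccessed","UserId":"user@contoso.example","ObjectId":"https://contoso.example/sites/finance/Shared%20Documents/q1.xlsx","Workload":"SharePoint"}' }
)
$SampleRecords | ConvertTo-SharingAlert | Format-Table -AutoSize

# Live use: last 24 hours, filtered server-side by operation, then notify on High rows.
# -ResultSize 5000 is the per-call maximum; page with -SessionCommand for larger windows.
$alerts = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
              -Operations $AlertOperations -ResultSize 5000 | ConvertTo-SharingAlert
$alerts | Export-Csv -Path "SharingAlerts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$high = @($alerts | Where-Object { $_.Severity -eq 'High' })
if ($high.Count -gt 0) {
    # SMTP server and addresses are placeholders.
    Send-MailMessage -SmtpServer 'smtp.example.com' -From 'spo-audit@example.com' `
        -To 'sharepoint-admins@example.com' -Subject 'SharePoint Online sharing policy changed' `
        -Body ($high | Format-List | Out-String)
}
```

Schedule the script daily; the same record-to-alert pattern extends to site-level access grants on sensitive sites by adding those operations to the list.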


Question & Answer

DEMONSTRATION: ACTIVITY MONITORING IN OFFICE 365


CONDUCT A SHAREPOINT SECURITY ASSESSMENT

• In-depth Security Analysis

• Independent Review

• Impartial Observations & Recommendations

• Detailed

• Reproducible

• Actionable

• Realistic

• Prioritized

• Documented Analysis & Report


FINAL THOUGHTS & RECOMMENDATIONS

• Overcoming threats and vulnerabilities requires both good security & strong information governance

• Understand the security capabilities available

• Know what data is sensitive & where it lives

• Know who is responsible for sensitive data

• Establish information governance policies/procedures

• Conduct regular independent security assessments


THANK YOU!

ANTONIO MAIO
PROTIVITI SENIOR MANAGER
MICROSOFT SHAREPOINT MVP
Email: [email protected]
Twitter: @AntonioMaio2
Blog: www.TrustSharePoint.com