Read the headlines and you will find yet another business that has fallen victim to a data leak. There have even been a couple of headlines that named SharePoint as the cause of a leak. Is it really fair to blame a non-security product for a leak? Let's point the finger at the real reason behind these leaks: lack of security planning and proper implementation. In the following text, I will discuss some of the major points that should be considered when applying security within a SharePoint environment.
Disclaimer: Any system, or environment, can be hacked, even with proper configurations in place. The goal is to make it difficult and down-right inconvenient for a hacker to pursue your data.
What Do You Know?
Before you can start planning security measures for SharePoint, you need to know what your SharePoint environment will be used for. This is important because it gives you an idea of where and how security should be applied. For example, if your business will be utilizing SharePoint for an external facing website there are a few things to consider such as identifying an authentication method for external access, locking down entry fields to mitigate SQL injections, and configuring the firewall. You will also need to know what type of content will be stored in SharePoint. For example, if you are using SharePoint to store sensitive information such as classified documents, financial information, or personally identifiable information, you will need to ensure those storage locations have stringent access control.
So, how can I apply security to SharePoint without hindering its purpose?
Great question! Yes, SharePoint is all about sharing, but that does not mean its contents are free to distribute outside of set boundaries. Further, it also does not mean that anything can be uploaded. SharePoint has a number of security features that should be enabled to maintain control over the data and minimize exploitation.
Guess what? SharePoint and antivirus are friends! Every on-premises version of SharePoint has the capability of integrating with antivirus software written for SharePoint's antivirus interface. This integration allows for antivirus scanning of documents upon upload and download, and it can also attempt to clean or delete infected files. One caveat a lot of people miss: documents live in the content database, not on the web server's disk, so a plain file-system scanner on the web front end never sees them; the product has to be SharePoint-aware. There are other features included in the antivirus protection, such as scheduled scans, which should be reviewed and considered when configuring the antivirus settings.
A couple things to keep in mind:
- The antivirus application must be installed on every web server in the farm (the machines running Windows SharePoint Services / the SharePoint web application service); it does not go on the SQL Server.
- Some folders may need to be excluded from file-system scanning to avoid unexpected behavior, details here: MS Support Article.
For configuration instructions, please check out this TechNet document.
No one needs to tell you how important databases are to the functionality of SharePoint. Don't let them fall victim to malicious attacks. You can apply security to your SQL databases in a couple of ways. One way is to change the default TCP ports. Attackers know the defaults (TCP 1433 for the default instance and UDP 1434 for the SQL Browser service), so move the instance to a non-standard listening port and, more importantly, add a firewall rule that allows that port only from the SharePoint servers. Changing the port alone is obscurity, not protection: a port scan still finds the listener, so the firewall rule and blocking the SQL Browser service are what actually shrink the attack surface. SharePoint also has to be told about the new port, for example through a SQL client alias on each farm server. Another security measure is to run the SQL Server services under domain accounts with minimal permissions rather than Local System or an administrator account.
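The checks described above, as an added PowerShell example that is not part of the original post. The custom port 14330, the host name SQL01 and the farm server addresses 10.0.1.10 and 10.0.1.11 are constructed for illustration; the listener port itself is changed in SQL Server Configuration Manager beforehand. Run this on the SQL Server host as an administrator (the NetSecurity cmdlets need Windows Server 2012 or later).

```powershell
# Added example: verify the SQL listener, scope the firewall rule, and audit service accounts.
# Port, addresses and host name below are assumptions, not values from the original post.

$SqlPort     = 14330                      # custom listener port (assumption), not the default 1433
$FarmServers = '10.0.1.10', '10.0.1.11'   # SharePoint web/app servers (constructed addresses)

# 1. Confirm the default port is no longer in use and the custom port is actually listening.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 1433, $SqlPort }
if ($listeners.LocalPort -contains 1433) {
    Write-Warning 'SQL Server is still listening on TCP 1433; fix the listener in SQL Server Configuration Manager.'
}
if ($listeners.LocalPort -notcontains $SqlPort) {
    Write-Warning "Nothing is listening on TCP $SqlPort; the instance may not have been restarted."
}

# 2. Allow the custom port only from the farm servers, in the Domain profile. No blanket 'any' rule.
$ruleName = 'SQL Server (SharePoint farm only)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $SqlPort -RemoteAddress $FarmServers -Action Allow -Profile Domain | Out-Null
}

# 3. Block the SQL Browser service (UDP 1434) so the instance and its port are not advertised.
$browserRule = 'Block SQL Browser (UDP 1434)'
if (-not (Get-NetFirewallRule -DisplayName $browserRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $browserRule -Direction Inbound -Protocol UDP `
        -LocalPort 1434 -Action Block | Out-Null
}

# 4. Flag SQL Server services that run as Local System or an administrator-style account.
Get-CimInstance Win32_Service -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%'" |
    ForEach-Object {
        $risky = ($_.StartName -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') -or ($_.StartName -like '*Administrator*')
        [pscustomobject]@{ Service = $_.Name; LogonAs = $_.StartName; Risky = $risky }
    } | Format-Table -AutoSize
```

Because the database server name is fixed when the farm is created, the simplest way to point SharePoint at the new port is a SQL client alias on each farm server (for example `SQL01` mapped to `SQL01,14330`), so no SharePoint configuration has to change.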
No one likes too much administrative overhead, but when it means lessening the chance of exploitation, it may be worth the extra effort. Implementing least-privileged administration means that each account is created with only the permissions required to perform its task. The reasoning behind this type of administration is to ensure that no single account, if compromised, can take down the whole environment. This is accomplished by assigning specific roles to specific accounts. Normally there will be a couple of standard accounts used for the installation and configuration of SharePoint; with a least-privileged implementation, however, you will have separate accounts dedicated to service applications, web applications, the farm (timer service and Central Administration), and even an account for search crawling. Register each of them as a SharePoint managed account so the farm, not an administrator, rotates their passwords, and never run a content web application's application pool as the farm account.
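One way to set up the role-separated accounts just described, as an added example that is not from the original post. The CONTOSO domain and the account names sp_farm, sp_webapp, sp_services and sp_crawl are assumptions; the AD users are expected to exist already as ordinary domain users with strong passwords. Run from the SharePoint Management Shell on a farm server as a farm administrator.

```powershell
# Added example: register one managed account per role and verify that no content
# web application runs as the farm account. Domain and account names are assumptions.

$roles = @{
    'CONTOSO\sp_farm'     = 'Farm account: timer service and Central Administration'
    'CONTOSO\sp_webapp'   = 'Application pool for content web applications'
    'CONTOSO\sp_services' = 'Application pool for service applications'
    'CONTOSO\sp_crawl'    = 'Search default content access (crawl) account'
}

foreach ($name in $roles.Keys) {
    # Register each account with SharePoint once; SharePoint then owns its password changes.
    if (-not (Get-SPManagedAccount -Identity $name -ErrorAction SilentlyContinue)) {
        $cred = Get-Credential -UserName $name -Message $roles[$name]
        New-SPManagedAccount -Credential $cred | Out-Null
    }
}

# A dedicated application pool binds the service-application account to that one role.
$poolName = 'SharePoint Services App Pool'
if (-not (Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue)) {
    New-SPServiceApplicationPool -Name $poolName -Account 'CONTOSO\sp_services' | Out-Null
}

# The crawler only needs read access to content; give Search its own account.
$ssa = Get-SPEnterpriseSearchServiceApplication -ErrorAction SilentlyContinue
if ($ssa) {
    $crawlCred = Get-Credential -UserName 'CONTOSO\sp_crawl' -Message $roles['CONTOSO\sp_crawl']
    $ssa | Set-SPEnterpriseSearchServiceApplication `
        -DefaultContentAccessAccountName 'CONTOSO\sp_crawl' `
        -DefaultContentAccessAccountPassword $crawlCred.Password
}

# Verify: list every web application with its application pool identity and flag any that
# run as the farm account (the account that can reconfigure the whole farm).
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    [pscustomobject]@{
        WebApplication    = $_.DisplayName
        AppPoolAccount    = $_.ApplicationPool.Username
        RunsAsFarmAccount = ($_.ApplicationPool.Username -eq 'CONTOSO\sp_farm')
    }
} | Format-Table -AutoSize
```

Central Administration is expected to show RunsAsFarmAccount as True; any content web application showing True should be moved to a pool running as the web application account.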
To increase security across your SharePoint environment you may need to start using Active Directory Federation Services (AD FS) and look at configuring zones in your web applications. AD FS integrates with your existing AD and extends it to provide claims-based authentication (signed SAML tokens) for external users, so SharePoint never handles those users' passwords. Be careful with forms-based authentication: the sign-in page posts the user name and password in the request body, which any sniffer on the path can read unless the site is served over TLS, so forms-based authentication must only ever be offered on HTTPS (the same applies to the AD FS sign-in page itself). Regarding zones, it is a good idea to configure additional zones to control the paths to your sites: each zone is a separate IIS site with its own URL, SSL setting and authentication providers, so an extranet entry point can demand AD FS while the intranet zone keeps Windows authentication. The additional zones available beyond Default are Intranet, Extranet, Internet, and Custom. The good news is that claims-based authentication works across all zones!
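The zone-plus-AD FS setup described above, as an added PowerShell example that is not part of the original post. The web application URL, the extranet host name, the certificate path, the realm `urn:sharepoint:extranet`, the AD FS sign-in URL and the e-mail claim mapping are all assumptions; on the AD FS side a matching relying party trust that issues the e-mail claim still has to be configured. Run from the SharePoint Management Shell.

```powershell
# Added example: extend a web application into the Extranet zone over HTTPS, trust AD FS,
# and make AD FS the only provider in that zone. Names, URLs and paths are assumptions.

$webApp = Get-SPWebApplication 'https://portal.contoso.com'
$extranetZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet

# 1. Extend the Default zone into an Extranet zone that only answers on HTTPS.
if (-not $webApp.IisSettings.ContainsKey($extranetZone)) {
    New-SPWebApplicationExtension -Identity $webApp -Name 'Portal - Extranet' -Zone Extranet `
        -URL 'https://extranet.contoso.com' -HostHeader 'extranet.contoso.com' `
        -Port 443 -SecureSocketsLayer | Out-Null
}

# 2. Trust the AD FS token-signing certificate and map the e-mail claim as the user identifier.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\adfs-token-signing.cer')
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'Email' -SameAsIncoming

$tip = Get-SPTrustedIdentityTokenIssuer 'Contoso AD FS' -ErrorAction SilentlyContinue
if (-not $tip) {
    $tip = New-SPTrustedIdentityTokenIssuer -Name 'Contoso AD FS' -Description 'AD FS for external users' `
        -Realm 'urn:sharepoint:extranet' -ImportTrustCertificate $cert `
        -ClaimsMappings $emailClaim -SignInUrl 'https://adfs.contoso.com/adfs/ls/' `
        -IdentifierClaim $emailClaim.InputClaimType
}

# 3. Offer only the trusted provider in the Extranet zone; no Windows or forms sign-in there.
Set-SPWebApplication -Identity $webApp -Zone Extranet -AuthenticationProvider $tip

# 4. Check every zone: it should use SSL, and the Extranet zone should list only AD FS.
foreach ($zone in $webApp.IisSettings.Keys) {
    $iis = $webApp.IisSettings[$zone]
    [pscustomobject]@{
        Zone      = $zone
        Url       = $webApp.GetResponseUri($zone).AbsoluteUri
        UsesSSL   = $iis.UseSecureSocketsLayer
        Providers = ($iis.ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }) -join ', '
    }
} | Format-Table -AutoSize
```

The final table is the check worth keeping around: a zone that shows UsesSSL as False while offering a forms or AD FS provider is exactly the plaintext-credential exposure the text warns about.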
Let me tell you about a little-known security measure called IRM. SharePoint offers file-level security through IRM (Information Rights Management), which enables the following:
- Encrypts downloaded files
- Limits who and what can decrypt files
- Limits user rights to files (example: User can’t print or copy text from the file.)
Implementing IRM for SharePoint requires a server running the Active Directory Rights Management Services (AD RMS) role, and the farm must be pointed at it in Central Administration before the IRM option appears in library settings. IRM can then be applied per document library or list (for list attachments). Keep in mind that IRM only protects file formats for which an IRM protector is installed (the Office formats out of the box); other file types are either stored unprotected or rejected at upload, depending on the library setting, and a user who is allowed to open a file can still photograph the screen. IRM raises the cost of leaking a file; it does not make leaking impossible.
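Enabling IRM on a single library from PowerShell, as an added example that is not from the original post. It assumes the farm already trusts an AD RMS cluster and that a site at https://portal.contoso.com/sites/finance with a library named Documents exists; both are assumptions. The IrmEnabled, IrmReject and IrmExpire properties exist on SPList in SharePoint 2010 and later; the InformationRightsManagementSettings block is assumed to be available on SharePoint 2013 or later, where the per-library rights can be set in code. Run from the SharePoint Management Shell.

```powershell
# Added example: turn on IRM for one library and withhold print/copy rights.
# Site URL and library name are assumptions.

$web  = Get-SPWeb 'https://portal.contoso.com/sites/finance'
try {
    $list = $web.Lists['Documents']

    # Files are encrypted on download; the rights inside the file follow the user's
    # SharePoint permission level (readers get view-only, contributors get edit).
    $list.IrmEnabled = $true
    # Reject uploads of file types that have no IRM protector, so no unprotected
    # copy of a sensitive format can sit in this library.
    $list.IrmReject  = $true
    # Enable IRM expiration handling for the library (the date is set in the policy).
    $list.IrmExpire  = $true

    # Per-library policy (assumption: SharePoint 2013+ object model).
    $irm = $list.InformationRightsManagementSettings
    $irm.PolicyTitle       = 'Finance - Confidential'
    $irm.PolicyDescription = 'Do not print, copy or forward outside Finance.'
    $irm.AllowPrint        = $false   # readers cannot print
    $irm.AllowScript       = $false   # no macro/script access to the content
    $irm.AllowWriteCopy    = $false   # no Save As to an unprotected copy

    $list.Update()

    # Read back the settings so a mistyped property name does not pass silently.
    [pscustomobject]@{
        Library    = $list.Title
        IrmEnabled = $list.IrmEnabled
        IrmReject  = $list.IrmReject
        IrmExpire  = $list.IrmExpire
        Policy     = $list.InformationRightsManagementSettings.PolicyTitle
    } | Format-List
}
finally {
    $web.Dispose()
}
```

Files already in the library before IRM was enabled are protected on their next download, not rewritten in place, so an export or backup taken earlier still holds unprotected copies.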
Patching & Updates
The last point of interest I want to cover is the good ole patching and updating of the SharePoint environment. Keeping systems up to date is critical to any environment, because it ensures that known flaws are corrected. If you fail to apply critical patches and updates in a timely fashion, you will definitely be leaving your environment open to exploitation. In a SharePoint environment you will need to stay on top of updates for SQL Server, SharePoint itself, Windows Server, and any other applicable enterprise software. Keep in mind that these patches and updates should be installed in a test or development environment first, and only then in production; SharePoint updates also usually require running the configuration wizard (or PSConfig) on every farm server afterwards, so schedule that as part of the change. Testing first will ensure that any breaks due to the patch or upgrade will not affect business operations.
As you can see there are quite a few security measures that can be implemented across a SharePoint environment, and these are not all inclusive. Remember, with SharePoint you can find a way to balance the need for sharing against the need to secure. It is very easy to install SharePoint, but it is quite the opposite to find and cover all the bases in terms of security. I hope this post will get you started in the right direction and also get rid of your SharePoint insecurity!