Securing SharePoint: How and Why

SharePoint is one of the easiest applications to deploy and install, but it is not easy to configure with full proof security. Many administrators just perform the basic deployment without much security configuration. There is no set configuration to make it fully secure, since every environment is different and security configuration optimization varies to meet individual requirements. However, there are some basic configurations that need to be applied to make
SharePoint environment secured to the maximum.

Securing SQL Server communication
SQL Server is a very important component of SharePoint: it stores most of configuration settings and libraries in its database. It is recommended to install an SQL Server and SharePoint on different
servers to avoid any kind of surface attacks. Block the standard default ports – 1 433 and 1 434 – on the SQL Server and then to assign static port numbers on the SQL instance to allow SharePoint Server to connect. The simplest way to block these ports is
through a Windows firewall.

Secure user communication
SharePoint is often exposed to Internet users and therefore it is important to secure communication between the server and user through an SSL Web server certificate. The SSL Web server certificate needs to have the subject name that matches the
FQDN of the server. We could use a third-party CA certificate or an internal one. Certificate request can be generated using the Internet Information Services (IIS) Manager, then it has to be send to
an internal CA or external vendor. Once you get the certificate, it needs to be updated to the IIS. Implement records management to data on SharePoint Server. Records management helps protect an edited / deleted form, delete a document with an expired retention, etc.

Disable unnecessary services and ports on SharePoint and SQL Servers
Disable unnecessary services: they can cause a security vulnerability. Only enable those services that are absolutely required for SharePoint and SQL Servers. Given below are the mandatory services which should not be disabled on a
SharePoint server:

– ASP.NET State service (if you use InfoPath Forms Services or Project Server)
– View State service (if you use InfoPath Forms Services)
– World Wide Web Publishing Service
– AppFabric Caching Service
– Claims to Windows Token Service
– SharePoint Administration
– SharePoint Timer Service
– SharePoint Tracing Service
– SharePoint VSS Writer
– SharePoint User Code Host
– SharePoint Search Host Controller
– SharePoint Server Search 1 5
– Forefront Identity Manager service
– Forefront Identity Manager Synchronization service

SQL and SharePoint service accounts and permissions
Service accounts are necessary to configure SharePoint Servers and SQL Servers. Using one or two service accounts for all configuration would be too risky boarding on disaster. It would end in providing unnecessary permissions, which can lead to a security threat. Given below are the details of the service account requirements with necessary permission. It is recommended to use descriptive service accounts to identify the purpose of it and to to change the
password on regularly with needed documenting.

SQL Server
– SQL Admin account to install SQL Server with local admin rights on the server
– SQL Server Agent service account
– SQL Database engine Service account
Setup user accounts
– Install SharePoint Server with local admin rights for installation
– SharePoint Product Configuration wizard
Server farm account or database access
account
– Configure and manage the server farm
– Act as the application pool identity for the SharePoint Central Administration Web site
– Run the Microsoft SharePoint Foundation Workflow Timer Service

And here, to sum up, are the key points of a decent SharePoint security policy:

1. Avoid providing Anonymous and make sure the “limited-access user permission lockdown mode” is activated. SharePoint deployment and permissions need proper planning.

2. Make sure only users with appropriate
permissions manage SharePoint site, and not
everyone on the team.

3. Define the permission model, it provides the right permissions
to the right user and also helps manage SharePoint better with
no performance impact.

4. Never provide permissions at the level of items like calendar, tasks, etc. Managing and changing permissions
will be difficult and can lead to performance issues.

5. Enable auditing to track users to determine what
actions have been taken on SharePoint.

6. Always provide permissions through Active Directory group
membership, and provide only necessary permissions. Give full
control only when necessary. Netwrix-Auditor-for-SharePoint680x120