6 Tips to Improve SharePoint Security

Historically, security was the job of IT administrators alone. With SharePoint, however, comes a significant paradigm shift: Ensuring SharePoint security is a joint responsibility shared by IT and end users. SharePoint is one of the most popular platforms for collaborative working and sharing of content, and many organizations utilize it extensively. Therefore, maintaining proper security is critical, whether you’re talking about an intranet, an extranet, team sites or a public-facing site. Here are six ways to better secure your SharePoint, on premises or in the cloud.

Use groups to manage user permissions

For many years, there has been a debate around how best to control access and authorization. On the one hand, assigning individual permissions means granular control and often stricter permissions, but from a management perspective, security groups are easier to control.

For SharePoint, the best practice has always been to assign permissions at the highest level, which would be an end user, folder or a file. Set permissions on either a SharePoint site group or an Active Directory group. In environments where Active Directory is not the core authentication mechanism, the container could instead be a Forms Authentication role or even an attribute from a Security Assertion Markup Language (SAML) claim.

The security boundary object defined in SharePoint is always the SharePoint group. Permission levels in SharePoint are assigned to SharePoint groups; by default, site permissions consist of specific SharePoint groups with their default permission levels, making a group the perfect container.

Using groups for permission assignment helps ensure permissions are in line with the least-privilege principle. It comes down to the inheritance of permissions for end users based on their group memberships. As users change roles or leave the organization, removing them from security groups instantly removes their access to sites, their subsites, and all files and folders in the hierarchy. In contrast, when access rights are assigned at the user level, permissions are rarely revoked in those situations, putting your content at unnecessary risk.

Minimize the use of item-level permissions

Though assigning unique item-level permissions in SharePoint can address a need quickly, it will make your life harder in the long run. Item-level access should be a fallback, used only if all other options are too complicated to manage and implement.

We find broken inheritance and unique permissions again and again on files in file shares, which leads to NTFS or share permissions being allocated and then never removed. However, unlike file servers, SharePoint does not provide an easy way to identify unique permissions and remedy them, so they put the security of SharePoint at risk.

Using higher-level containers like libraries or folders instead of files to assign permissions helps you achieve limited user access and control. Components such as Information Rights Management (IRM) can reduce the need for item-level permissions. Once inheritance is broken and individual users are granted access directly, the SharePoint attack surface increases, even if the users are able to only view items, let alone if they were assigned “full control” permissions.

Another area where item-level permissions have a significant impact is SharePoint search. One of the items retrieved as part of the search mechanism is the Access Control List (ACL) for an object. If inheritance is broken and item-level permissions have been added, then the search crawl engine has to iterate over them before it can access the content. The more item-level permissions, the longer it can take to crawl, which can delay critical investigations.
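One way to inventory broken inheritance on an on-premises farm, so that unique permissions can be reviewed and folded back into groups. This is an added example, not code from the original article; the function names and the site URL in the usage comment are hypothetical, and it assumes the SharePoint Management Shell on a farm server.

```powershell
# Added example (on-premises, server object model). Run with an account
# that can read every web in the site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-DirectUserCount($securable) {
    # Count principals that are individual accounts: not SharePoint groups, not AD groups.
    @($securable.RoleAssignments | Where-Object {
        $_.Member -is [Microsoft.SharePoint.SPUser] -and -not $_.Member.IsDomainGroup
    }).Count
}

function Get-UniquePermissionReport {
    param([Parameter(Mandatory = $true)][string]$SiteUrl)
    $site = Get-SPSite -Identity $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($list in @($web.Lists)) {
                    if ($list.Hidden) { continue }
                    if ($list.HasUniqueRoleAssignments) {
                        [pscustomobject]@{ Scope = 'List'; Url = "$($web.Url)/$($list.RootFolder.Url)"
                                           DirectUsers = Get-DirectUserCount $list }
                    }
                    # Page through files and folders at every depth.
                    $query = New-Object Microsoft.SharePoint.SPQuery
                    $query.ViewAttributes = "Scope='RecursiveAll'"
                    $query.RowLimit = 2000
                    do {
                        $items = $list.GetItems($query)
                        foreach ($item in $items) {
                            if (-not $item.HasUniqueRoleAssignments) { continue }
                            [pscustomobject]@{ Scope = $item.FileSystemObjectType   # File or Folder
                                               Url = "$($web.Url)/$($item.Url)"
                                               DirectUsers = Get-DirectUserCount $item }
                        }
                        $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
                    } while ($null -ne $query.ListItemCollectionPosition)
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Usage (placeholder URL): worst offenders first, exported for review.
# Get-UniquePermissionReport -SiteUrl 'https://sharepoint.example.local/sites/team' |
#     Sort-Object DirectUsers -Descending | Export-Csv .\unique-permissions.csv -NoTypeInformation
```

Rows with a non-zero DirectUsers count are the ones where individual accounts were granted access instead of a group.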

Use separate site collections for external sharing

SharePoint is all about collaboration and sharing of documents, files and other content. Sometimes, users need to share content externally for legitimate business reasons. That capability is now built into the product, though its implementation is different depending on whether you are using on-premises SharePoint or SharePoint Online. The online version requires all users to authenticate through the Microsoft authentication stack using an Azure Active Directory account or Windows Live ID. The on-premises configuration is much more complicated because the organization controls and maintains the authentication component, such as Active Directory Federation Services (ADFS) or a comparable third-party solution.

No matter what authentication mechanism is in use, protecting the sharing of content with external users is vitally important to the business. The best practice approach to information protection here is to block external sharing unless there is a business reason for it and to isolate all external sharing sites into a single site collection, so you can control what can and cannot be shared externally.

This approach reduces the risk of privilege misuse and attacks on the information on your other sites. Over the past year, we have seen an increase in attacks where content that is shared externally incorrectly allows unknown actors to access other content that they should not have access to. Limiting external sharing to a specific site collection and training employees on how to use external sharing will help keep SharePoint secure and ensure a better security posture.

Disable anonymous sharing

Having the ability to share content outside of the organization quickly and not require any authentication is appealing to users, especially if the organization is restricting email attachments. Most document synchronization cloud platforms, such as Dropbox, Box, OneDrive, OneDrive for Business and Google Drive, enable users to share content anonymously. SharePoint provides this ability also, in both the on-premises and online versions: Users can easily send anyone a link that allows them to download and even edit the file.

In both on-premises and SharePoint Online, it is possible to disable anonymous sharing. This is recommended to mitigate the risk of internal users sharing content externally that shouldn’t be shared. In addition, in the event of a data security breach, you need to be able to see the whole picture, and anonymously shared content is much harder to identify.
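The two sharing recommendations above, applied to SharePoint Online with the SharePoint Online Management Shell: anonymous links are switched off at the tenant level, and external sharing is left enabled on one designated site collection only. This is an added example, not part of the original article; the tenant name, the site URL and the `$Apply` switch are placeholders.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell module
# and a SharePoint administrator account.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl     = 'https://contoso-admin.sharepoint.com'            # placeholder tenant
$ExternalSite = 'https://contoso.sharepoint.com/sites/external'   # placeholder: the only collection allowed to share
$Apply        = $false   # report-only by default; set to $true to change settings

Connect-SPOService -Url $AdminUrl

# Tenant ceiling: authenticated external users only, no anonymous links.
# A site can never be more permissive than this value.
if ($Apply) { Set-SPOTenant -SharingCapability ExternalUserSharingOnly }

# Get-SPOSite -Limit All does not return OneDrive personal sites unless
# -IncludePersonalSite $true is added; review those separately.
foreach ($s in Get-SPOSite -Limit All) {
    $wanted = if ($s.Url -eq $ExternalSite) { 'ExternalUserSharingOnly' } else { 'Disabled' }
    if ($s.SharingCapability -ne $wanted) {
        Write-Output "$($s.Url): $($s.SharingCapability) -> $wanted"
        if ($Apply) { Set-SPOSite -Identity $s.Url -SharingCapability $wanted }
    }
}

# Verification: after applying, only the designated collection should be listed.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability
```

Running it first with `$Apply = $false` lists every site whose sharing setting would change, which doubles as a periodic drift check.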

Classify the data in SharePoint

Most organizations understand the need to classify data, whether merely by assigning tags to content or by classifying it and assigning policies to control its use. SharePoint now provides the ability to inspect the content, metadata and location of data and then apply security policies to protect sensitive data such as personal data, company trade secrets or employee records. Data Loss Prevention (DLP) can scan content during the search crawling process, identify sensitive data, and then block or allow access to the content according to your policies. DLP is integrated into all Office 365 services to help control access to content, including data that is leaving the organization via email.

Assigning Policies to Control Data Use in SharePoint

For on-premises SharePoint, there are many solutions out there that enable classification of sensitive information to ensure a high level of protection. There are too many data breaches each year that expose sensitive information. To ensure this does not happen to you, identify the sensitive and confidential data on your SharePoint sites and apply appropriate controls to this data. When combined with external sharing controls, this will protect the data that flows out of your organization, stopping sensitive data from leaving and protecting against potential data leaks.

Monitor SharePoint for changes and access events

Many IT organizations implement SharePoint at the request of the business and then leave it alone to grow and work. From the many audits we have performed for clients, it is evident that SharePoint settings, data growth and security changes do not get reviewed. In fact, in most instances, SharePoint is never looked at until users report a problem. In training sessions, we often ask when IT last looked at the logs except to resolve a support ticket; the answer is usually “never.”

It’s critical to monitor SharePoint services, server hardware, virtual hardware, and security and permission settings for changes so you can quickly spot issues. Without a full picture of your environment, you cannot ensure an appropriate level of information security in your SharePoint environment or prove regulatory compliance.

Most security professionals understand that monitoring for anomalies and changes can go a long way to better protecting systems. Using both inbuilt features and third-party monitoring tools will help you protect your SharePoint and perform an investigation if you do suffer a data breach.


Keeping your SharePoint environment secure requires dedication, planning and collaboration between IT and end users. Implementing the six steps detailed here will help you improve your SharePoint security and go a long way toward mitigating security

Liam is the founder and owner of SharePlicity, a consulting company that focuses on all areas of technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, business process automation and, of course, security controls and protection. Liam is a twelve-time Microsoft MVP for Office Apps and Services, focusing on architecture but also crossing the boundary into development. His specialty over the past few years has been security in SharePoint and its surrounding platforms.