Securing Sharepoint platform

2012 SharePoint Security Strategy1

1

SharePoint Securing Strategy

University of North Carolina


Agenda

Introductions The Importance of SharePoint Security Facets of SharePoint Security Resources Plan and strategy Q & A


What is SharePoint?

Goal To create a Secure SharePoint Environment that will SharePoint to be used as a medium

for collaboration

SharePoint is: “A Site-provisioning engine” A website A series of databases An application platform An Integration possibility

SharePoint touches an Can touch: Your network Your Active Directory Your LOB Systems Your Organization as whole

SharePoint is a platform with a large attack surface


What are your Next Steps

What needs/should be done: Secure the sites as dictated by Best Practices and Policies Eliminate and Expand some of the vagueness in SharePoint Security Policy All Departments/Schools need to go through Security SharePoint Harding process More intuitive provisioning process for Sites/USERs/AD/OU’s Implement Technology solutions as indicated

• Guest ID Management, UAG, Threat Management 3rd Party solutions for overall Auditing/reporting/compliancy Review Department by Department (internally/externally)

• Audit and Assess to make sure best practices are put in place for Security and Risks Put a project Plan or Strategy plan in place Have individuals take ownership Create Security Classificaiton and Metadata Policy for whole UNC Secured SharePoint Site Create Workflow and Approval process Turn on audits and manage as dicated Develop and conduct Training/Education Implement overall User Experience Review what is available in current environment and check for any sensitive data/content Review and optimize where applicable

• Index, Search, Cache, Installed Components Upgrade and Update F5

Cost should be define People Technology Process Your Organization as whole


SharePoint is Everywhere

Over 20,000 new SharePoint seats have been added every day for 5 years Over 1,500 high profile websites on SharePoint SharePoint is becoming increasingly “organizational critical” It is great as you want to make it Many Universities are using SharePoint as a collaboration mechanism

SharePoint is commonly and can be used for Intranets Extranets Internet Sites Application platforms

UNC SharePoint sites does not have to UGLY


How can you do this

Choose SharePoint This phase involves what you want that is best to deploy either to secure your current

SharePoint Farms, incorporating office 365, or to have another separate SharePoint farm for sensitive or non-sensitive. Once this is decide you should have a strategy

Third Party Solutions or assistance Look at best practices, look at cost saving where you can get the Biggies ROI, don’t try to re-

invent where it will cost UNC for more development more money in the long run with less ROI

Pre-Deployment Planning Focus on everything required to prepared for the migration of content

Deployment If you do the above make sure that you communicate, train and define policies and

procedures Post Deployment

Make sure that you adopt and evangelize to consider widespread adoption


University of Chicago

Various Related Links:Security and Best Practices

https://itservices.uchicago.edu/

https://answers.uchicago.edu/search.php?q=sharepoint


University of Denver Colorado

Various Related Links:PoliciesService RequestsProcedures

http://www.ucdenver.edu/about/departments/WebServices/Pages/default.aspx

http://www.ucdenver.edu/about/departments/WebServices/Policies/WebIdentityStandards/Pages/default.aspx

http://www.ucdenver.edu/about/departments/WebServices/services/Pages/ServiceRequests.aspx

http://www.ucdenver.edu/about/departments/WebServices/Policies/Pages/uws.aspx


University of Akron

Various Related Links:SharePoint Advice

https://www.uakron.edu/

https://www.uakron.edu/ce/sharepoint.dot?com.dotmarketing.htmlpage.language=1&host_id=5ce88b4e-45bc-4870-bd1e-3cb8399a11a1


University of Louisville

Various Related Links:

http://louisville.edu/


Washington University (Medical base)

Reference:

http://publichealth.wustl.edu/Pages/default.aspx


Washington State University

Reference:

http://www.business.wsu.edu/Pages/index.aspx


Edinburgh University

Reference:

http://www.napier.ac.uk/Pages/home.aspx


Types of Security Threats

Threats we’re going to explore today: Data disclosure / theft Data loss System downtime

Types of attacks: Cross-site scripting (XSS) Cross-site request forgery (CSRF) Click jacking Privilege escalation “Man in the middle” / replay attacks SQL injection

If it’s a threat to other websites or databases, it’s a threat to SharePoint


Facets ofSharePoint Security


Plan for Security


Plan UNC Security

Plan personas and define permission matrices Understand content and security contexts Determine authentication, SSO, and federation goals Use the SharePoint 2013 upgrade as an opportunity to apply

governance in a new platform SharePoint RTM release is December 2012 Don’t expect the default settings to protect you Set up Kerberos Use Edge Servers Continue to validate and check again and thank heck again


Anonymous Access

Carefully decide if SharePoint is the right platform for anonymous access Especially consider implications for public blogs and wikis Consider what you want for public facing information

Always use the site lockdown feature “Get-SPFeature viewformpageslockdown”

Further restrict pages using web.config a Edge Servers E.g. Unified Access Gateway

Add SharePoint to your website security testing Provide policy statements for external collaboration

Consider using Third Party tools Don’t lock out the /_layouts path altogether Define Security Policies and to make sure that it not Vague and map them

accordingly Feature, WebParts, Solution, Documents, Records

If want to have Unsecured area consider Office 365 Separate Farm


Authentication and Directory Security

Synchronize only the AD users relevant for social features Don’t bring confidential information into user profiles Understand the impacts of third-party federation Track and block rogue SharePoint installations with “Service

Connection Points” Develop a password change / managed account strategy Enterprise SharePoint people search results have no form of

security trimming. If a user can see any people results, they can see them all. Use Fast Search to incorporate a more Robust security model and Robust

Experience Don’t allow SharePoint site owners rely on obfuscation or audience

targeting to try and secure content.


Content Security

Audiences are not security Search content rollups make bypassing audiences simple

Item-level permissions / broken permission inheritance should be the exception, not the rule

Avoid using policies to override permissions PDFs = Pretty Dangerous Files

The should be managed and rules should be defined Automated PDF from document with proper security should be considered

Consider Information Rights Management and auditing Having the ability to scan content for sensitive data is crucial Making sure that Users are responsible Change Management is crucial Training is crucial Any party who can manipulate SharePoint’s HTML directly or

impersonate third party JavaScript can compromise the site. This is policy that should also be understood and organization rules should be defined


Network Security

Always use SSL for authenticated access Firewall all nonessential public ports Host all servers on the same vLAN Use IPSec for geo-distributed communication Be aware of “loopback check” implications Use GPO policies where applicable Close ports where applicable Update Firmware where appropriate

E.g. Routers, F5, Firewalls


Network Security


Application Security

Never expose SharePoint’s application tier to the internet Don’t host Central Administration on a web front-end Isolate service accounts and use standard naming conventions Use multiple IIS application pools (but not too many) Never use Cnames Example Security threats

InfoPath forms service web service proxy caches credentials, allowing for subsequent users to impersonate preceding users if accessed directly

Using Access and access services in secured SharePoint environment should use AD rather than internal groups and permissions

Secure Store should be defined properly Security should be managed for Features and Solutions WebParts that are not in use should be purged

E.g. Fab 40


Database Security

Isolate SharePoint databases from other systems Minimize the SQL surface area by disabling unneeded features Consider SQL 2008 “Transparent Data Encryption”

Performance impact, backup size impact, and file stream impacts Don’t leave SharePoint backups within the content database or on

web-front ends Never Backup using Sharepoint Backup

SharePoint designer backups are exported to the root of your SharePoint site as unencrypted CMP packages

DPM should use encrypted backups and restores and verified Consider using SQL server 2012 with more security possibilities


Connected System Security

SharePoint 2010 added a new header called X-HealthScore for preventing Office client abuse. In public sites, it advertises server load. All SharePoint versions reveal their version number in a header by default.

Remove the X-HealthScore, MicrosoftSharePointTeamServices, and other identifying headers

Leverage the Secure Store Service for safely accessing external systems via BCS

Avoid reliance on Flash content Consider ForeFront UAG endpoint security Set policies regarding data being stored offline Audit, Report, asses and do it again and Provisioning where applicable


SharePoint Gaps

SharePoint activity monitoring lacks an intuitive, easy-to-use interface for reporting and analytics. Without a third-party solution, businesses must first decode SharePoint’s internal representation of log data before they can access meaningful information.

SharePoint activity auditing does not provide the ability to automatically analyze access activity and respond with an alert or block.

SharePoint does not include Web application firewall protection. SharePoint enforces access controls for files using Access Control

Lists (ACLs). What makes native permissions challenging, however, is that SharePoint lacks an automated way to ensure that ACLs remain aligned with business needs.


Security Data Governance Model


UNC Example Farm

University of North Carolina Communities

Not Sensitive Social CommunitiesOffice 365

Secured Enterprise Collaboration capabilitieshttps://share.unc.edu

Shared CalendarsDiscussion Board

Task Lists Surveys

Versioning

Document Libraries

Podcasting

Comments

Microblogging

Blogs

Tags Profiles

Wikis

Ratings

Records


SharePoint is currently used at UNC as collaboration platform for the Internal UNC initiatives enterprise

SharePoint enables UNC to Deliver the best productivity experience Cut costs with a unified infrastructure Rapidly respond to business needs Less Dependency on other Departments

SharePoint does this by providingcapabilities

Sites, communities, content,search, insights and composites

Communities

Search

Sites

Composites

ContentInsights


Jump start UNC efforts

Get ahead of all SharePoint deployments Implement a SharePoint governance policy Put security requirements in place when SharePoint instances go live Look beyond native SharePoint security features Specify what kind of information can be put on SharePoint Only use Features that you want include Train and Educate Implement your SharePoint in Phases and iteratively

Concentrate on business-critical assets first Start with regulated, employee, or proprietary data, and intellectual property Streamline access to a “UNC need-to-know” level Identify and clean up dormant users and stale data Alert on unauthorized access Establish a regular review cycle for dormant users, stale data, and excessive

rights


Plan the strategy for UNC efforts

Work with data owners to manage user access Locate and define data/content owners Create permission reports so data owners and stake holders have visibility into

who can access their data Validate with owners that access to data is legitimate Create usage reports so owners can see who is accessing their data

Protect Web sites from external attack Identify SharePoint Web applications that work with sensitive data Deploy a Web application firewall to monitor and protect sensitive SharePoint

Web sites, portals, and intranets Respond to suspicious activity such as external users accessing admin pages Monitor with F5, UAG, and Monitoring tools


Refine the strategy for UNC Efforts

Enable auditing for compliance and forensics Who owns this data? Who accessed this data? When and what did they access? Have there been repeated failed login attempts? Keep rights aligned with business needs. Free up storage space and reduce the amount of data that must be actively

managed. Streamline and automate regulatory compliance Monitor, control, and respond to suspicious activity in real time Balance the need for trust and openness with security concerns Understand who has access to what data or, conversely, what data any given

user or group can access, and how that access was assigned or inherited. Simplify the process of identifying where excessive access rights have been

granted, if there are dormant users, and who owns each item and document. Help administrators and data owners establish a baseline snapshot of access

rights and conduct rights reviews.


Custom Development Security

Build security testing into the SDLC for all custom and third-party components

Take advantage of CAS policies and the ULS logs Utilize sandbox solutions whenever possible Minimize use of RunWithElevatedPrivilege() With SharePoint 2010, Javascript is now the biggest threat

Silverlight is a threat SharePoint is using HTML 5.0 Avoid fines associated with noncompliance, and data breaches Avoid disclosing breaches for data that is lost or stolen (and which is

encrypted) Secure sensitive information of all kinds, including trade secrets, IP, UNC

information, personnel files, healthcare records, PII, FERPA, etc. Broaden the usage of SharePoint to include even the most sensitive

content while being assured this sensitive content is strongly protected


Security Maintenance and Monitoring

Keep SharePoint, Windows, and SQL patched to latest service packs Make sure any other application that is integrated up to date Make sure that 3rd Party tools are up to date Make sure a testing system is available

Deploy server-side virus protection E.g. Forefront for Threat Management Use to interface with SharePoint for uploading/Downloading

Use Systems Center Operations Manager with SP health rules to monitor for performance spikes or errors related to attacks

Build security assessments and spot checks into other SharePoint maintenance plans

Familiarize self with “Site Permissions > Check Permissions” Use the best Practices that was defined in your Security Strategy Use 3rd Party tools to assist with managing this as well auditing


Considerations and Summarizations

Work with each of your departments/Schools/Organization to quantify SharePoint Investment

Use an overall User Experience Consider 3rd Party solutions to fortify your Sensitive SharePoint Environment

HiSoftware Titus Quest Qumus Control Metalogix Cipher Point

Create a pristine System and move to it with functionality Have a Training Process in Place Continue to update the Sharepoint Security Strategy Have Change Management Process in Place Put a plan in Place and DO IT!


Q & A