Top 10 Security Mistakes You Probably Made in Your SharePoint Implementation [eBook]


A Publication of AAJ Technologies

Top 10 Security Mistakes You Probably Made in Your SharePoint Implementation

A GUIDE TO KEEP YOUR INFORMATION SAFE

WWW.AAJTECH.COM

By Brett Gillin


ABOUT AAJ TECHNOLOGIES


AAJ Technologies is a cloud and mobile application developer and system integrator who specializes in SharePoint implementations.


TABLE OF CONTENTS

1.  Introduction

2.  Mistake 1 - Improper Security Definition

3.  Mistake 2 - Improper Use of Active Directory vs. SharePoint Groups

4.  Mistake 3 - Not Knowing Who is Accessing Information

5.  Mistake 4 - Poor End Point Security (Not McAfee)

6.  Mistake 5 - Not Using Virus Control for SharePoint

7.  Mistake 6 - Using One Account for Everything

8.  Mistake 7 - Lack of SharePoint Governance Process Oversight

9.  Mistake 8 - Unclear Security Oversight

10.  Mistake 9 - Improper Training on SharePoint and Poor Security Training

11.  Mistake 10 - Not Encrypting Your SQL Database



Introduction

The more we move our information online and into the cloud, the more opportunities exist for cyber criminals to attack and take your critical data. One of the biggest stories of last year was the Bradley Manning (now Chelsea Manning) WikiLeaks story: an Army intelligence analyst was accused of leaking 250,000 government cables to WikiLeaks. During testimony, an Army investigator testified that Manning pulled the information directly from SharePoint servers using Wget scripts. There's a good chance that if those in charge of securing the government's SharePoint servers had read an eBook like this, this huge information leak could have been prevented (at least partially).

In this eBook we'll point out 10 common mistakes many organizations make in their SharePoint implementations. If your organization is on an older version of SharePoint, it's definitely time to think about upgrading, because there will most likely be even more security issues than are addressed in this eBook.

How important is it that your organization secures and monitors Microsoft SharePoint? No matter how robust and secure SharePoint is designed to be, simple mistakes in its implementation, like the ones we're about to discuss, can lead to glaring security issues, which in turn could mean your sensitive information ends up in the hands of your competitors. Similarly, any business that relies on SharePoint to store confidential (or even sensitive) information should know who's accessing that data, and why. What's the best way to make this happen? Start by avoiding these 10 common SharePoint security mistakes.


Mistake 1 - Improper Security Definition

Regarding "security definitions" in SharePoint, there are two different sets of definitions. The first covers SharePoint as a whole: databases, farms, and technical environments. The second is the other side of the "security definitions" coin: security definitions for users. A user's security definition in SharePoint designates what that user can and cannot access. There will be a user or a group of users who have complete control of and access to everything in SharePoint. However, you must be diligent in properly designating the security definitions of the other, non-admin users. You're not going to want, for example, a marketing employee whose sole responsibility is to update content to have the ability to change system settings or assign new roles.

Lapses in security definition can mean major security issues. Take, for example, the story of a multi-million dollar company with about a dozen users holding complete "Administrator" access to SharePoint; essentially, each of these users can change any aspect of SharePoint whenever they please. If one of these employees is fired and the account is not deactivated, the user can still log in to the SharePoint site with their still-valid credentials and delete thousands of vital documents. The surprising part of this story is that the guy who went in and deleted all those documents was a sales representative for the company, not a technical resource for SharePoint. This employee should never have had this level of access to the SharePoint environment in the first place. Luckily, the company in this story was regularly backing up its information and was able to restore most of the deleted documents, but this is just one example of why your company needs to make sure that users have only the access to your SharePoint environment that they actually need.


Mistake 2 - Improper Use of Active Directory vs. SharePoint Groups

Reference: http://blogs.msdn.com/b/kaevans/archive/2013/05/06/clarifying-guidance-on-sharepoint-security-groups-versus-active-directory-domain-services-groups.aspx

In SharePoint, there are two types of groups that administrators can place users into. One is based on Active Directory (AD), and the other lives strictly inside SharePoint. Improper use of these groups is widespread, especially since the "best practices" have changed recently. Microsoft used to always recommend using Active Directory groups inside SharePoint groups, but this guidance has changed, with Microsoft now recommending:

"We do not recommend SharePoint groups to assign permissions to sites. When a SharePoint group is used to assign permissions, a full crawl of the index occurs. Instead, we recommend Active Directory Domain Services (AD DS) groups."

Microsoft best practices state that you'll now want to reuse AD groups within SharePoint groups whenever you can. SharePoint groups should be used for precise control of unique access. Microsoft also recommends that you sync your SharePoint groups to AD email distribution groups whenever you can; this is done by enabling the SharePoint Directory Management Service.
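The following script is an added example and is not part of the eBook or AAJ's own code. It checks both points in one pass over a site collection: who holds Full Control (Mistake 1, including site collection administrators and individual users granted the Administrator role type directly) and which SharePoint groups contain individual users rather than AD groups (Mistake 2). It assumes an on-premises SharePoint 2010/2013 farm, the SharePoint Management Shell run as a farm administrator, and a placeholder site URL; the objects used (Get-SPSite, RoleAssignments, SiteAdministrators, SiteGroups) are the standard SharePoint server object model.

```powershell
# Added example, not from the eBook: audit who holds Full Control in a site
# collection and which SharePoint groups hold individual users instead of AD groups.
# Assumes an on-premises SharePoint 2010/2013 farm, run from the SharePoint
# Management Shell as a farm administrator; the site URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.example.local/sites/finance"   # placeholder
$site = Get-SPSite $siteUrl

# 1. Site collection administrators can change anything in the site collection.
"Site collection administrators for $siteUrl"
foreach ($admin in $site.RootWeb.SiteAdministrators) {
    "  {0}  (AD group: {1})" -f $admin.LoginName, $admin.IsDomainGroup
}

# 2. On every web with its own permissions, report who holds the Administrator
#    role type (the built-in "Full Control" level, whatever it has been renamed to).
foreach ($web in $site.AllWebs) {
    if ($web.HasUniqueRoleAssignments) {
        foreach ($ra in $web.RoleAssignments) {
            $hasAdmin = $ra.RoleDefinitionBindings |
                Where-Object { $_.Type -eq [Microsoft.SharePoint.SPRoleType]::Administrator }
            if ($hasAdmin) {
                $kind = "INDIVIDUAL USER"        # the case Mistake 1 warns about
                if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) { $kind = "SharePoint group" }
                elseif ($ra.Member.IsDomainGroup) { $kind = "AD group" }
                "{0}: Full Control -> {1} [{2}]" -f $web.Url, $ra.Member.Name, $kind
            }
        }
    }
    $web.Dispose()
}

# 3. SharePoint groups are site-collection wide; list those that hold individual
#    users directly rather than AD groups (Mistake 2). Every user added this way is
#    one more account to remember to remove when that person leaves.
foreach ($group in $site.RootWeb.SiteGroups) {
    $individuals = @($group.Users | Where-Object { -not $_.IsDomainGroup })
    if ($individuals.Count -gt 0) {
        $names = ($individuals | ForEach-Object { $_.LoginName }) -join ", "
        "Group '{0}' holds {1} individual user(s) directly: {2}" -f $group.Name, $individuals.Count, $names
    }
}
$site.Dispose()
```

Run it against each site collection before an access review. Any line tagged INDIVIDUAL USER is a permission that will outlive the employee unless someone remembers to remove it; moving that person into an AD group that the SharePoint group contains makes the leaver process a single AD change.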


Mistake 3 - Not Knowing Who is Accessing Information

You'd be surprised how often companies set up their SharePoint environment, assign users, and then never look to see who is accessing what. From a security perspective, this is a cardinal sin. In order to ensure that your organization is not at risk, controlling access to SharePoint content is critical. This is even more important if you allow mobile users or mobile devices to access your SharePoint environment.

To protect sensitive corporate information, your organization should always implement critical security mechanisms and access control policies within its SharePoint environments. IT departments need to pay attention to their authorization policies so that you know who is accessing information. Just as importantly, your organization needs to have a record of what type of data or information these users are accessing, as well as the "where and when." To achieve this, there needs to be proper site governance of both the content and structure of the SharePoint site.

Note that this goes both ways: content created and changed on mobile devices needs to follow the same set of authorization policies as that of the on-premises SharePoint site.
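SharePoint's own audit log is the simplest way to get the "who, what, where and when" record this section asks for. The script below is an added example, not part of the eBook or AAJ's code: it enables audit events on a site collection, sets a retention period, and then reports the last seven days of activity by user. It assumes an on-premises farm, the SharePoint Management Shell run as a farm administrator, and a placeholder site URL; SPAuditQuery, SPAuditMaskType and the Audit property are the standard server object model.

```powershell
# Added example, not from the eBook: turn on SharePoint's built-in audit log for a
# site collection and report who viewed, changed or deleted what in the last 7 days.
# Assumes an on-premises SharePoint farm, run from the SharePoint Management Shell
# as a farm administrator; the site URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.example.local/sites/finance"   # placeholder
$site = Get-SPSite $siteUrl

# Step 1: record the events that answer "who, what, where and when".
# SPAuditMaskType flags combine with -bor; View is by far the noisiest.
$mask = [Microsoft.SharePoint.SPAuditMaskType]
$site.Audit.AuditFlags = $mask::View -bor $mask::Update -bor $mask::Delete -bor
                         $mask::Copy -bor $mask::Move -bor $mask::SecurityChange
$site.Audit.Update()

# Keep the log bounded: the "Audit Log Trimming" timer job drops entries older than this.
$site.AuditLogTrimmingRetention = 90

# Step 2: query the last seven days and resolve user ids to login names.
$query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
$query.SetRangeStart((Get-Date).AddDays(-7))
$query.SetRangeEnd((Get-Date))

$users   = $site.RootWeb.SiteUsers
$entries = $site.Audit.GetEntries($query)

$report = foreach ($e in $entries) {
    $login = "user #" + $e.UserId          # fallback if the account no longer exists
    try { $login = $users.GetByID($e.UserId).LoginName } catch { }
    New-Object PSObject -Property @{
        When  = $e.Occurred
        Who   = $login
        Event = $e.Event
        Where = $e.DocLocation
        From  = $e.MachineIp
    }
}
$report | Sort-Object When -Descending | Format-Table When, Who, Event, Where, From -AutoSize

# Step 3: quick triage. One account viewing or deleting hundreds of items in a
# week is exactly the pattern an access review should surface.
$report | Group-Object Who, Event | Where-Object { $_.Count -ge 100 } |
    ForEach-Object { "{0,5} x {1}" -f $_.Count, $_.Name }

$site.Dispose()
```

View auditing writes a row for every document read, so the audit table grows quickly on busy sites; the retention setting and a regular export of the report are what keep it usable. Mobile and browser access land in the same log, which is what makes the "goes both ways" point above enforceable.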


Mistake 4 - Poor End Point Security (Not McAfee)

We won't spend too much time on this particular point, because it's pretty self-explanatory. Your SharePoint environment needs to have strong endpoint security, especially with the widespread use of SharePoint Workspaces, which allow users to sync their data with SharePoint libraries. This is a very useful tool, allowing your users to have access to their SharePoint content even when they're not online, but it also opens up a vulnerability point. Simple things like disk encryption can help prevent security breaches and keep your content where it should be.



Mistake 5 - Not Using Virus Control for SharePoint

The vast majority of companies take special care to install virus-scanning software on every device they allow to access their internal networks. In fact, it's relatively rare that a SharePoint site isn't protected, at least at a base level, by a virus control program. But you might be surprised at how many companies leave a gaping hole in their virus control for SharePoint by not properly scanning their content libraries, and the files users upload to them, in real time.

Even if there is a daily virus scan of the entire SharePoint environment, if there is no active scanning of the databases and content libraries, your organization could be open to malware or virus attacks. Many viruses need only a few minutes to infect an entire database, and with a program like SharePoint that allows for the widespread sharing of documents and information, a virus or malware problem could quickly get out of control.

Take, for example, the recent problems companies have had with the CryptoLocker virus. CryptoLocker is a Trojan horse-style virus which can infect files stored on local and mounted network drives. This virus locks up data, making it inaccessible to users, then asks for a sort of ransom to provide the key to unlock the data. Can you imagine what would happen if a virus like this infected your SharePoint content libraries? The results could be catastrophic.
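Real-time scanning of uploads and downloads is a farm-level setting in SharePoint, and it is easy to verify. The script below is an added example, not part of the eBook or AAJ's code: it reads the farm's antivirus settings and enforces scanning in both directions. It assumes an on-premises farm with a SharePoint-aware antivirus product installed on the web front ends (the switches call into that product and do nothing without one), run from the SharePoint Management Shell as a farm administrator; SPWebService.ContentService and SPAntivirusSettings are the standard server object model.

```powershell
# Added example, not from the eBook: check and enforce real-time scanning of files
# users upload to or download from SharePoint. Assumes an on-premises farm with a
# SharePoint-aware antivirus product installed on the web front ends (without one
# these switches have nothing to call), run from the SharePoint Management Shell
# as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$av = $service.AntivirusSettings

"Current antivirus settings"
"  Scan on upload            : $($av.UploadScanEnabled)"
"  Scan on download          : $($av.DownloadScanEnabled)"
"  Attempt to clean          : $($av.CleaningEnabled)"
"  Allow infected downloads  : $($av.AllowDownload)"

# Enforce: scan both directions, try to clean, and never hand an infected file to a user.
$changed = $false
if (-not $av.UploadScanEnabled)   { $av.UploadScanEnabled   = $true;  $changed = $true }
if (-not $av.DownloadScanEnabled) { $av.DownloadScanEnabled = $true;  $changed = $true }
if (-not $av.CleaningEnabled)     { $av.CleaningEnabled     = $true;  $changed = $true }
if ($av.AllowDownload)            { $av.AllowDownload       = $false; $changed = $true }

if ($changed) {
    $service.Update()
    "Antivirus settings updated."
} else {
    "Antivirus settings already enforce real-time scanning."
}
```

Upload scanning is what closes the gap the section describes: a file is checked as it enters the library, not hours later by a nightly sweep. Download scanning catches files that were already stored before the scanner's signatures knew about them.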


Mistake 6 - Using One Account for Everything

The common SharePoint mistakes discussed in this eBook are typically attributable to one thing: shortcuts. It's natural to try to find the quickest way to implement software, especially when there's pressure from every angle to move fast and get it operational. But as we're seeing here, taking little shortcuts can lead to huge headaches in the future.

One shortcut that you must avoid is using one single account for everything. So many companies use the Domain Administrator account to do just about everything they need in SharePoint. But this causes an enormous problem. If there's one account that can control everything, and multiple people who know the password use that account, there's quite simply no accountability in SharePoint anymore. You completely lose the ability to figure out who made what changes to SharePoint. And if a worst-case scenario happens and that account or its password is compromised, you might be looking at lengthy downtime for your SharePoint environment while you fix the issue.

Here's another scenario: many of you may work in buildings that use security cards to access doors. Each of these security cards is coded with your name and identification numbers. This is done so that it's easy to keep track of who accesses different parts of the building. Oftentimes, the card will only let you open certain doors, and leave you denied access to other areas of the building. But think about what would happen if everyone was using the same master card for building access! It would be a nightmare trying to figure out where people were going in the building or restricting access to certain areas. Plus, the first time an employee leaves the company and doesn't turn in the key, either every single employee must be issued a new access card, or that now-ex-employee will be able to make after-hours visits to the office whenever they want, and no one will know the difference.

So make sure that you're using multiple accounts in SharePoint. And while you're at it, you might want to be sure that your security badge is still working.
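The quickest way to find out whether a farm took this shortcut is to list the accounts that actually run it. The script below is an added example, not part of the eBook or AAJ's code: it maps every web application pool, service application pool and the farm account to the Windows account behind it, then flags a farm that runs on a single account and any service account that is a member of Domain Admins. It assumes an on-premises farm, the SharePoint Management Shell run as a farm administrator, and the ActiveDirectory module (RSAT) on the same machine; Get-SPFarm, Get-SPWebApplication, Get-SPServiceApplicationPool and Get-ADGroupMember are the standard cmdlets.

```powershell
# Added example, not from the eBook: list which Windows accounts actually run the
# farm and flag the two shortcuts Mistake 6 warns about: one account for everything,
# and Domain Admins used as a service account. Assumes an on-premises farm, run from
# the SharePoint Management Shell as a farm administrator on a machine with the
# ActiveDirectory module (RSAT) installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$usage = @{}   # "DOMAIN\account" -> roles it runs

function Add-Usage([string]$account, [string]$role) {
    if (-not $usage.ContainsKey($account)) { $usage[$account] = @() }
    $usage[$account] += $role
}

Add-Usage (Get-SPFarm).DefaultServiceAccount.Name "Farm account (timer service, Central Administration)"
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Add-Usage $wa.ApplicationPool.Username ("Web application pool: " + $wa.DisplayName)
}
foreach ($pool in Get-SPServiceApplicationPool) {
    Add-Usage $pool.ProcessAccountName ("Service application pool: " + $pool.Name)
}

# Recursive lookup so membership through nested groups is caught as well.
$domainAdmins = Get-ADGroupMember "Domain Admins" -Recursive |
    ForEach-Object { $_.SamAccountName.ToLower() }

if ($usage.Count -eq 1) {
    "WARNING: a single account runs the entire farm; its activities cannot be told apart."
}
foreach ($account in $usage.Keys) {
    $sam  = ($account -split '\\')[-1].ToLower()
    $flag = ""
    if ($domainAdmins -contains $sam) {
        $flag = "  <-- MEMBER OF DOMAIN ADMINS: replace with a least-privilege service account"
    }
    "$account$flag"
    foreach ($role in $usage[$account]) { "    $role" }
}
```

A healthy farm shows several accounts (farm, content web applications, service applications, search) and none of them in Domain Admins. Separate accounts are what make the audit log from Mistake 3 meaningful: an entry is only attributable when the account it names belongs to one process or one person.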


Mistake 7 - Lack of SharePoint Governance Process Oversight

Do you know how your content is managed today? Do you know who is responsible for managing what content goes where? Do you know who approves the content, or even who approves the proper places to store that content? If you don't know, then you have a problem.

That problem could be one of a few things. First, it could mean you don't have a SharePoint governance policy in the organization. If that's the case, immediate steps should be taken to at least begin drafting one. If you don't, your SharePoint environment could quickly turn into "The Wild West," with a bunch of different people creating new sites and pages in SharePoint, creating and editing web parts on their own, or placing those ever-important sales presentations or expense reports in whatever folder they deem most convenient at the time.

Another issue could be that you have a SharePoint governance policy but you're not familiar with it. This is a major problem too, as a policy is only as good as its use. In short, everyone who has access to SharePoint should be familiar with the governance policy and have access to a document which carefully spells it out for their reference. Doing this will save you possible massive headaches in the future.


Mistake 8 - Unclear Security Oversight

Let's assume that you've got all of your ducks in a row already, and your company isn't suffering from any of the aforementioned problems. But let me bring up another point that is often overlooked when it comes to SharePoint security: oversight. Who is responsible for SharePoint security in your organization? Most of the time, this is handled by your in-house IT administrators, but an alarming amount of the time, people can't actually answer this simple question! Even the people who work in SharePoint every single day (power users, administrators, developers, architects and the like) may not know who holds that grand security key. Do you know who is responsible from the business side for SharePoint security in your organization? How about from the technical side? Do you know the last time these responsibilities were updated and reviewed? To ensure the security of your internal information, make sure you know who is responsible for what, and who is "watching the watchers."


Mistake 9 - Improper Training on SharePoint and Poor Security Training

Let's take a quick moment to think back to your SharePoint training. Can you remember the portions where your trainer covered major security issues like the ones we're mentioning here? Unfortunately, the answer to this question is often either "Wow, we didn't even really have SharePoint security training," "We didn't have SharePoint training at all," or "I don't remember going over security in detail during my training." For example, you might know how to add or delete content in your SharePoint environment, like uploading a document, deleting it, or even editing it in SharePoint. But do you know how to secure that document? Have you been trained on how to ensure that a document doesn't fall into the wrong hands, or that only the people who need to see it have access to it? If you don't, you may need a refresher on your SharePoint security training.


Mistake 10 - Not Encrypting Your SQL Database

The last crucial mistake so many people make when it comes to SharePoint implementation is a lack of encryption. Did you know that out of the box, SharePoint's SQL database is not encrypted? And did you know that adding encryption to that SQL database can be a major pain and lead to some heavy performance issues? Even though it's not always the easiest thing to implement, and if done improperly can definitely cause some performance lags, by leaving your SQL database unencrypted you're inviting unwelcome guests to an "inside information" bonanza. If you're dealing with any sort of sensitive data, and it's awfully hard to find a company that isn't, you need to make sure that your database is encrypted.

By now, you should have a good understanding of the typical security mistakes found in SharePoint. The good news is that none of these issues are impossible to overcome, especially if you have SharePoint security experts guiding you through the process. If your company has any of the ten issues described earlier, or you suspect that security might not be as tight as it needs to be in your organization, AAJ Technologies is here to help. You'll find on our website a couple of great options for analyzing your SharePoint environments, performing a "Health Check," and even helping you to upgrade to the latest version of SharePoint.
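The eBook does not name a specific encryption method for Mistake 10; the script below is an added example, not part of the eBook or AAJ's code, and uses SQL Server Transparent Data Encryption (TDE), which Microsoft supports for SharePoint content databases, to encrypt one content database at rest. It assumes a SQL Server edition that includes TDE, the SqlServer (or SQLPS) module for Invoke-Sqlcmd, a sysadmin login, and placeholder values for the instance name, database name and certificate backup share.

```powershell
# Added example, not from the eBook: encrypt a SharePoint content database at rest
# with SQL Server Transparent Data Encryption (TDE), the technique chosen here to
# address Mistake 10. Assumes a SQL Server edition that includes TDE, the SqlServer
# (or SQLPS) module for Invoke-Sqlcmd, a sysadmin login, and placeholder names for
# the instance, database and certificate backup location.
Import-Module SqlServer -ErrorAction SilentlyContinue

$instance  = "SQLSP01\SHAREPOINT"             # placeholder
$database  = "WSS_Content_Finance"            # placeholder content database
$keyShare  = "\\backup.example.local\tdekeys" # placeholder; keep key backups off the SQL host
$masterPwd = Read-Host "Password for the master key"
$pvkPwd    = Read-Host "Password for the certificate backup"

# One-time server setup: master key + certificate, and an immediate backup of both.
# Without the certificate backup, an encrypted database backup can never be restored.
$setup = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$masterPwd';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'SharePointTdeCert')
    CREATE CERTIFICATE SharePointTdeCert WITH SUBJECT = 'SharePoint content database TDE';
BACKUP CERTIFICATE SharePointTdeCert
    TO FILE = '$keyShare\SharePointTdeCert.cer'
    WITH PRIVATE KEY (FILE = '$keyShare\SharePointTdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '$pvkPwd');
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $setup

# Per-database: create the encryption key and switch encryption on. SQL Server
# encrypts existing pages in the background; the site stays online meanwhile.
$enable = @"
USE [$database];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE SharePointTdeCert;
ALTER DATABASE [$database] SET ENCRYPTION ON;
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $enable

# Verify. encryption_state 3 = encrypted, 2 = encryption in progress, 1 = unencrypted.
$status = @"
SELECT DB_NAME(database_id) AS [database], encryption_state, percent_complete,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $status | Format-Table -AutoSize
```

Two caveats a practitioner will want: the passwords are interpolated into T-SQL for brevity, so they must not contain a single quote; and turning TDE on for any user database also encrypts tempdb, which is where much of the performance cost the section mentions comes from. The certificate backup files are as sensitive as the data itself and belong in the same place as your other key material, never on the SQL host.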


REGISTER FOR OUR NEXT WEBINAR


10 Optimization Mistakes You Probably Made in Your SharePoint Implementation

Wednesday, February 26, 2014, 1:30 PM - 2:00 PM EST

