With a Google search and one minute of running one of his SharePoint hacking tools, it doesn’t take long for security researcher Fran Brown to find exposed SharePoint administrative interfaces for a state health and human services department. The exposure – which could allow an attacker to add users and change information -- is far from unusual. Brown, managing partner at security consulting firm Stach & Liu, finds this sort of stuff all the time. “I’m surprised at just how much SharePoint is out there and how much is vulnerable,” he says.
Microsoft’s SharePoint application has become a ubiquitous collaboration tool in the enterprise but securing it can be a tricky process. And all too often, companies fail to properly secure their SharePoint deployments, security experts say. In fact, a survey of SharePoint users released earlier this year by European security vendor Cryptzone showed that lax security practices were rampant among those polled. In this special report, we examine some of the issues surrounding SharePoint security and provide tips on SharePoint security best practices.
You can also read the companion piece to this feature: Three steps for securing SharePoint
Microsoft’s Web-based collaboration tool has become pervasive in the enterprise, but experts say companies often overlook SharePoint security. Eager to enable collaboration among employees and third parties, organizations can neglect to lock down user access and take other steps to secure all their SharePoint instances. Since these SharePoint repositories commonly contain sensitive corporate information, that’s risky business.
“I don’t see SharePoint being secured nearly enough,” says Michael Davis, CEO of Savid Technologies, a Chicago-based IT security consulting firm. “Think about what SharePoint does – by definition it’s where all your crown jewels are.”
Securing SharePoint can be complicated – there are a lot of aspects to it -- but security experts cite several top SharePoint security best practices to focus on, including access control strategies, testing for exposures, and user education.
Collaboration is paramount for businesses today and SharePoint is easy to get up and running, resulting in many instances of it rapidly popping up across an enterprise, says Michelle Waugh, a senior director for the security business at CA Technologies. That’s led to the term “SharePoint sprawl.”
Adam Buenz, consultant at ARB Security Solutions, a Minneapolis-based firm that specializes in SharePoint security services, has seen a lot of SharePoint pilot projects snowball. “Now rather than just a pilot, it’s a vital business system that’s collected this business-critical, sensitive information. It can also assimilate a lot of other systems,” he says.
“Once it gets to that point, defining expectations and assessing performance of the system becomes really difficult,” adds Buenz, a Microsoft MVP. “It’s a lot harder to rope an environment in than it is to start off in a proper state.”
The problem, Davis says, is no one business unit ends up owning SharePoint in the enterprise. “It’s kind of an IT thing, kind of a database thing, kind of a business process thing,” he says. “I call it an octopus – it has tentacles across many areas of the business.”
In addition, the dynamic nature of the collaborative environment makes it difficult to manage, Waugh notes.
“From a security perspective, something that went into SharePoint as a non-sensitive document can in minutes change and become a highly sensitive document by virtue of a purposeful or inadvertent change to the content or movement of the document from one place to another,” she says.
The main problem organizations often have with SharePoint security is managing access to repositories with thousands of documents and hundreds of users, Davis says. Users can wind up with excessive permissions; for example, an employee might get access to an accounting repository that he or she shouldn’t.
“Getting control of that by using proper [user] groups and privileges is the best way to reduce exposure of data,” he says.
However, throw third parties into the mix, and managing access control becomes especially challenging. Today, many organizations are focused on securing SharePoint in extranet collaboration scenarios, according to Neil MacDonald, a vice president and fellow at Gartner.
“How are you going to have these users, who aren’t employees, prove who they are? Are you going to support federation of identities? Are you going to manage these identities yourself? If so, where? You could use Active Directory but maybe you want to use an LDAP-enabled repository,” he says. “It’s a very complex decision with a lot of variables.”
If an organization decides to manage the identities and use Active Directory, it’s faced with additional questions, such as whether to permit self-provisioning and password reset, he says.
“How do you ensure sensitive information isn’t disclosed inadvertently or inappropriately? You get into the governance issue of who takes responsibility for the ongoing management of these external identities, mapping for authorization and de-provisioning,” MacDonald says. “All of the identity-related issues we’ve had internally in the past are just amplified.”
There are a number of third-party tools that can help, such as Web access management products from CA Technologies, Oracle and IBM, he says. Epok Inc. specializes in extranet access governance for SharePoint. A number of vendors offer technology to manage entitlements within SharePoint, including Quest Software, AvePoint, Axceler, Idera, and Lightning Tools’ DeliverPoint.
Earlier this year, CA Technologies updated its SiteMinder Web access management and DataMinder (formerly CA DLP ) products to provide fine-grained control of users’ access to SharePoint content. DataMinder, which includes data classification technology from CA Technology’s acquisition of Orchestria, scans the content and SiteMinder uses the content classification to determine access rights.
Test for exposures
There are a lot of SharePoint components that need to be secured – the SQL Server database, Windows services that SharePoint uses, and administrative interfaces. Microsoft’s guides for securing SharePoint aren’t always straightforward, and it’s easy to make mistakes in terms of permissions and exposed data, says Stach & Liu’s Brown.
In his assessment work, he found there weren’t any good tools to test SharePoint security configurations. “It wasn’t easy to see if you’ve actually locked down everything correctly,” Brown says. About 18 months ago he addressed the problem by developing the SharePoint Hacking Diggity tools, which are freely available SharePoint penetration testing tools for organizations to download and use.
“Our free hacking tools leverage techniques like Google hacking and URL brute-force scanning to identify exposed admin pages in your public SharePoint deployments,” Brown says. “They’re a great way to spot check and have confidence that you’ve locked down your access permissions correctly. Otherwise, you could miss simple misconfiguration issues that may have inadvertently exposed admin functionality to the whole Internet, leaving a huge door open into your SharePoint environments.”
One tool is a dictionary of about 120 preloaded Google queries that assessors can use to find exposed SharePoint administrative pages, Web services and site galleries. Another tool, SharePointURLBrute, automates forceful browsing attacks to help assessors find permissions holes that allow unauthorized users to access SharePoint administrative pages..
Brown says the Shodan computer search engine, which allows users to find devices connected to the Internet, also can help assessors by making it relatively easy to find people using SharePoint and exposed administrative interfaces.
Another tool, a free third-party plug-in called SUSHI, is a good way to check user permissions, Brown says. The tool gives administrators the ability to see all the libraries and galleries a user has access to across a site collection. “It’s a good way to visualize what people have access to,” he says.
In his assessments, Brown has seen a lot of exposed SharePoint deployments belonging to the federal government, which he says he finds particularly concerning. He noted that published reports indicate the WikiLeaks breach involved brute force of exposed government SharePoint services. According to a Wired report, a government digital forensic expert testified that he found scripts on the computer of Army Analyst Bradley Manning, who is accused of leaking classified data to WikiLeaks, which pointed to a SharePoint server holding the documents.
Policy and training
One of the most important steps organizations need to take to secure their SharePoint deployments is to make sure users understand the sensitive nature of the information in the repositories, experts say.
“You need to make sure they understand the data they’re accessing is critical and the risks associated with what they’re going to do with it and where they’re accessing it from,” Davis says. Many times, employees who are in a rush to get work done will download a document like a project plan from SharePoint and upload it to a personal drop box, then access it at home or on vacation, he says.
“That is a big potential issue because you’re moving [the data] from a secured environment to an unsecured environment the company doesn’t know about,” he says.
A survey of 100 SharePoint users released earlier this year by European security vendor Cryptzone showed that even though most of the respondents understand that taking data out of SharePoint makes it less secure, 30 percent were willing to take the risk if it helps them get their jobs done. Thirty-four percent said they didn’t consider the security implications of SharePoint and 13 percent said protecting company data isn’t their responsibility.
Content governance is as important as taking application security steps to reduce the attack surface, says Buenz of ARB Security Solutions. “Controlling access and raising awareness of that information is important,” he says.
Organizations should craft their governance plan early on and not make the mistake of thinking there is a universal template they can use for it, according to Buenz. “Remember there isn’t an industry accepted governance plan – you have to craft one adapted to the business. This plan has to be updated in an organic fashion as the business grows and changes,” he says.
His mantra to clients is to follow three R’s -- record, retain and revise – when dealing with changes to overall SharePoint application security and content governance. “Record every change, retain it and remember it will always be subject to revision,” Buenz says. “All the material you have regarding the actual security has to grow with the environment.”
In the long run, Davis says he expects the corporate collaboration trend to lead to more breaches. The increasing popular centralized Web-based repositories – not just SharePoint, but Google Docs and others – offer business benefits but also could potentially help attackers, he says. “If someone hacks into one thing, they get access to all of it.”
About the author:
Marcia Savage is editor of Information Security. Send comments on this article to firstname.lastname@example.org.