How Vulnerable Is Your SharePoint Farm?



by Dr. Steve Marsh

Use this 9-point checklist to measure your SharePoint security policies

Are your company’s SharePoint security policies protecting your organization from data leaks due to insider threats? Without undergoing a formal assessment, it can be difficult to know. Yet research from Infosec Europe has shown that most of today’s security spending fails to address these insidious risks, despite the fact that many IT professionals are worried about it. If your company is among those that are continuing to overlook the risk of a potential breach, then you won’t be prepared to prevent the damage that can result when people within your own company—sometimes unintentionally—use sensitive content to undermine the organization.

The following checklist of nine key best practices was developed to help companies identify SharePoint security gaps in less than 15 minutes. Based on often-overlooked fundamentals, the checklist measures your current SharePoint security policies specifically to determine how vulnerable your organization is to the risk of insider threats—whether the perpetrators are in-house employees or “external” sources who have gained access to confidential internal information to carry out the breach:

Checkpoint 1: Assigning Direct Permissions to Users
How many of your users have Direct Permissions? Direct Permissions can leave the door open to leaks of sensitive data by exposing critical business content to those who should not see it. Site owners often assign Direct Permissions to quickly grant access, but this is a tactical error that should be avoided at all costs.

Checkpoint 2: Overuse of Granular Permissions
A granular approach to permissions provides flexibility but also creates potential security problems. At the site level, having too many users with Limited Access forces the management of list and item level permissions for each individual. As your farm grows, managing security at such a low level can lead to breaches. Therefore, you must ensure that your permissions are not applied too broadly.

Checkpoint 3: Active Directory Blind Spots
A lack of insight into Active Directory group membership means that SharePoint administrators have a security blind spot. In order to assess risk, it’s critical to know where such groups have access by determining what percentage of domain groups have Direct Permissions to your sites.

Checkpoint 4: Incorrect Use of All Authenticated Users Group
Misuse of permissions for this group can inadvertently give everyone within your organization access to content. Unless you intend for your entire farm to be accessed by all, keep these accounts to a minimum. Check regularly for correct usage and assignments of access, granting users only the minimum amount of permissions required to complete their job. Also check to see if built-in accounts are automatically giving all users in your organization rights to view content.

Checkpoint 5: Separation of Duties for Farm Administrators
Members of the Farm Administrators group in SharePoint have full-control permissions to all servers in the server farm. But Farm Administrator accounts should be used only to manage the SharePoint farm, not the content within it. Failure to separate the access is a common cause of leaks from insiders. It’s important to confirm whether Farm Administrator accounts are also site collection administrators, giving that user rights to all content in that site.

Checkpoint 6: Lack of Proactive Monitoring
Auditing is essential to effective SharePoint security. Tracking security changes—and who made them—alerts IT to exposure risks. The majority of internal and external compliance regulation requires that companies trace this data and store it for a specific period of time. To proactively monitor your farm, ensure that all parts of your farm have auditing enabled on a site collection.

Checkpoint 7: Isolation of Managed Service Accounts
Allowing Managed Service accounts (MSAs) access to sites is an exposure risk to insider threats through misuse of account credentials to access business data. MSAs should never be used for day-to-day access and should not be assigned to sites and other locations beyond the purpose for which they are designed. Check to see if any Managed Service accounts have permissions applied to SharePoint sites.

Checkpoint 8: Broken Inheritance
Permissions inheritance allows administrators to save time and effort by assigning permission levels all at once. However, when a site contains sensitive information that needs protection, the site owner can block inheriting permissions at any level in the hierarchy. A SharePoint security model with a high number of instances of Broken Inheritance often leads to overlooked security settings. To avoid this problem, check the number of instances where unique permissions are applied to a SharePoint object and not inherited from the parent object.

Checkpoint 9: Inconsistent Audit Monitors
SharePoint allows for a multitude of events to be tracked through auditing to ensure optimum data protection. For a full picture of the security of your farm, it’s a best practice to track these events, checking if you have configured SharePoint to collect all key site audit events.

If you require a more detailed, tailored analysis, a free online tool—compatible with SharePoint 2013, 2010, and SharePoint Online in Office 365—is available called the Insider Threat Index. This index gives you the ability to scan your SharePoint environment to help you benchmark your results and gain visibility into specific vulnerabilities and security gaps that your SharePoint farm faces, while providing actionable guidance on filling the gaps.

When you run the Insider Threat Index, you can see information about each of the nine checkpoints above, including:

  • The percentage of your total users with direct permissions
  • Whether your permissions are applied too broadly via the percentage of users with unique permissions, and whether that number is too high
  • Your percentage of domain groups with direct permissions to your sites
  • If built-in accounts are automatically giving all users in your organization rights to view content
  • Whether a farm administrator account is also a site collection administrator, giving that user rights to all content in that site
  • If parts of your farm do not have auditing enabled on a site collection
  • If any Managed Service accounts have permissions applied to SharePoint sites
  • The number of instances where unique permissions are applied to a SharePoint object and not inherited from the parent object
  • Whether you have configured SharePoint to collect all key site audit events to ensure you’re completely protected

For more information or to download the free tool, visit this link.

Dr. Steve Marsh is the director of product marketing  at Metalogix.

Leave a Reply

WWPI – Covering the best in IT since 1980