I was sent an email about hacking a SharePoint site. That is an interesting concept, but first I did a quick Bing search just to see if this question was in response to a post or tweet, and ran across this older video: http://www.wonderhowto.com/how-to-hack-sharepoint-site-278121
I have a interesting feeling this was the precursor to the email, most emails or calls to me are reactionary to some surfing done on a lunch break.
Now I am not going into this post telling how to hack-proof you SharePoint. That will take me dozens of blog entries and the rest of the year to give you all that information. So stand by.
What I am going to focus on that one particular video as I feel that is the topic. Recommend viewing it before you read more. Also keep in mind his video is about SharePoint 2007.
The interview was done by Hak5, and the person talking was Dan Griffin. I have taken a few minutes and also read thru his other blog postings about security issues with SharePoint (2007). Also keep in mind that these posts and videos were back in 2008. Still relevant though as many of the issues he points out still exist.
Default Security Model
One of the most common issues with any SharePoint deployment is Security. I have to agree and elevate this topic as I point out in my Information Governance talks, security is commonly considered handled by default. Many organizations assume that since they are using AD or Kerberos they are safe. That does lead many organizations to a false sense of security.
Anonymous Access: If you are using SharePoint for anything other than a Public Facing website, you should 99% of the time have this disabled. Give me a reason please, on why you need anyone not authenticated accessing your site. Read Only Permissions: All to often the Visitor’s Group for all SharePoint sites us the bucket all employee can Read. NO.NO. NO. You really need to define your Information Architecture, there is a level where that is acceptable, but you are talking Business Unit Landing pages, Corporate New Sites, Search Sites, Marketing Asset Repositories. Sanity test this theory, go to a departments site and ask the department manager “should everyone in the company see all your data on SharePoint?” if the answer is NO, then you have your rule. If he or she says YES, make sure they understood the question. Internet Facing: I have to agree with Dan on one key point….go to Google and Bing and do searches for data and metadata that is stored in your companies SharePoint. If you see it…..take action.
Misconfiguring SharePoint Groups (Security Groups)
A good security schema is hard to come by in most organizations, the Active Directory has been abused over the years, and you have nested groups, and groups with names no one remembers existing. This translates into SharePoint badly. Here is a few easy ways to tackle this:
Fresh SharePoint: While the best approach is come at this clean to limit risk, I know that going to your company now a days and saying “hey lets start over”, is not going to happen. If your risk is too high, this might be the only real option. You don’t need to jump all in though, look at what is exposed or what is at risk. You might do better at simply migrating the sensitive areas of SharePoint to a new restricted access Web Application or Farm. Consider your benefits. Security Audit: Many times doing a fishing expedition to find the flaws can show you the issue. It might not be as bad as you think, then again……..Doing some simple searches with some test accounts is a good way to start. You can also look at some over the counter tools that provide security management. If you feel you are in bad shape, hiring a firm to do an audit is safe, insured, and they are bonded. The cost to hire some security experts can pay off quickly if you are not compliant. Implement Policy: Now I am the first to say a paper policy has no teeth at nearly any company. Think of the Carrot and the Stick approach. Give them a beneficial reason to fix the issue. Then if they don’t you hopefully have a stakeholder with a big stick.
Like I said I was not going to go into Settings. If you have specific questions about a setting or issue, TWEET me or drop me an email. I am more than happy to add a few more posts on this subject.
I would also like to thank Dan Griffin for trying to put some light on this subject.