Best practices for securing SharePoint applications in 2018

POSTED BY: Sr. Architect
Tuesday, February 27, 2018

It’s 2018, and most businesses thrive on web-based platforms that inject agility and flexibility into their workflow. Although a wide range of collaboration tools is available in the marketplace, Microsoft SharePoint is the most preferred, and it is being leveraged across small, medium and large businesses alike as we speak.

So, what exactly is SharePoint?

SharePoint allows businesses to store, manage and share information from any device, enabling seamless collaboration across an organization. That’s not all. Integrated with Microsoft Office, SharePoint is used differently from organization to organization. Apart from basic enterprise content and document management, it also provides a variety of business-focused capabilities, such as intranet and social networking, collaborative software, personal cloud, and custom application development. Most of these require detailed configuration and governance.

However, today’s major concern is security. So the question remains: how secure are SharePoint applications?

Experts believe that businesses, in their attempts to enable collaboration among employees and third parties, often overlook SharePoint’s security aspects. Oftentimes, after implementation, they neglect to lock down user access and take the other steps needed to secure all their SharePoint instances and repositories. This poses a great risk to the core business, as these instances and repositories might, and most probably will, contain sensitive corporate data.

Take a common scenario. Administrators often create a single service account and use it throughout the SharePoint installation process. Although the resulting SharePoint server is functional, this approach is quite risky: if that one account is compromised, every component that runs under it is compromised with it. Administrators should plan for least-privileged administration and service accounts.
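One way to spot the single-service-account pattern described above in an existing farm, as an added example that is not part of the original post: it lists the identity behind every web application pool and service application pool and flags accounts that are reused, or that are the farm account itself outside Central Administration. It assumes the SharePoint Management Shell snap-in on an on-premises SharePoint 2013/2016 server and farm administrator rights.

```powershell
# Added example (not from the original post): report service-account reuse across
# application pools. Assumes the on-premises SharePoint snap-in and farm admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The farm account should run the timer service and Central Administration only.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Username

$usage = @()
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $usage += [pscustomobject]@{
        Component = "Web application: $($wa.DisplayName)"
        Account   = $wa.ApplicationPool.Username
        IsCentralAdmin = $wa.IsAdministrationWebApplication
    }
}
foreach ($pool in Get-SPServiceApplicationPool) {
    $usage += [pscustomobject]@{
        Component = "Service application pool: $($pool.Name)"
        Account   = $pool.ProcessAccountName
        IsCentralAdmin = $false
    }
}

# One identity behind several unrelated components is the risky pattern:
# compromise of that identity compromises everything that runs under it.
$report = $usage | Group-Object Account | ForEach-Object {
    $shared = $_.Count -gt 1
    foreach ($entry in $_.Group) {
        $runsAsFarm = ($entry.Account -eq $farmAccount) -and -not $entry.IsCentralAdmin
        $finding = ''
        if ($runsAsFarm)  { $finding = 'Runs as farm account' }
        elseif ($shared)  { $finding = "Account shared with $($_.Count - 1) other component(s)" }
        [pscustomobject]@{
            Component = $entry.Component
            Account   = $entry.Account
            Finding   = $finding
        }
    }
}

$report | Sort-Object Account | Format-Table -AutoSize
```

Rows with an empty Finding column are components that already run under a dedicated, non-farm account.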

What are the various types of attacks that can disrupt business workflows?

It is true that SharePoint and its associated apps can contain vulnerabilities. Beyond that, the product is also prone to the same classes of attack as any other web platform, such as:

  • Injection
  • Cross-Site Scripting
  • Cross-Site Request Forgery
  • Broken Authentication, among others

These attacks may eventually lead to sensitive data exposure, typically made possible by:

  • Security misconfiguration
  • Poor endpoint security
  • Usage of components with known vulnerabilities

According to the CVE (Common Vulnerabilities and Exposures) listings for SharePoint Server and SharePoint Server 2016 that were current at the time of writing, the high-severity vulnerabilities are:

  • PowerPoint Remote Code Execution Vulnerability (Exec Code Overflow)—exists in Microsoft SharePoint Server 2013 Service Pack 1, Microsoft SharePoint Enterprise Server 2016, and caused when the software fails to properly handle objects in memory
  • Office Remote Code Execution Vulnerability (Exec Code)—exists in Microsoft Office
  • Microsoft Office Memory Corruption Vulnerability (Exec Code Overflow Memory Corruption)—exists in Microsoft SharePoint Server 2013 SP1, Office Word Viewer and SharePoint Enterprise Server 2016
  • Microsoft Office Graphics RCE Vulnerability (Exec Code)—exists in the Windows font library in Microsoft Office 2010 SP2, Word 2010 SP2, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps 2010 SP2. It allows remote attackers to execute arbitrary code via a crafted embedded font

To tackle these attacks and vulnerabilities – apart from relying on the basic security model – a wide array of SharePoint components needs an additional layer of security. This includes the SQL Server database, the Windows services that SharePoint uses, and the administrative interfaces. For SharePoint servers, administrators should dig into both security planning and security hardening.

In an era where data privacy regulations and data breaches are both on the rise, enforcing core security and governance becomes imperative. The best practices for securing SharePoint applications are:

1. Formulate an assessment strategy that includes Penetration Testing

Assessment strategies are intended to help SharePoint administrators and security professionals identify the vulnerabilities and insecure configurations introduced by SharePoint deployments.

Penetration testing plays a pivotal role here; its core steps are:

  • Reconnaissance
  • Fingerprinting
  • Application analysis
  • Threat analysis
  • Exploitation

The market is crowded with countless solutions that focus on SharePoint application security. The SharePoint Hacking Diggity tools and the Shodan computer search engine are a few options that organizations like yours can consider. Furthermore, antivirus companies also offer paid security products for SharePoint servers.

2. Audit your external data exposure

Regular audits help you keep track of, and control, the data that is exposed to the public. Furthermore, in case of a security event, this step helps you track down the source.

3. Audit for excessive user permissions

Unnecessary permissions granted to users widen the scope of a potential security event and can lead to a plethora of problems. So it is crucial to categorize the access levels and make sure that administrative permissions are limited to admins and authorized officials only.
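The two audits above (external exposure and excessive permissions) can be driven from one script; the following is an added example, not code from the original post. It walks every site and sub-site that has unique permissions and reports anonymous access, broad principals such as Everyone or All Authenticated Users, and any principal holding a permission level that includes Manage Permissions (Full Control and any custom level like it). It assumes the SharePoint Management Shell snap-in on an on-premises SharePoint 2013/2016 farm and farm administrator rights; the principal names in `$broadPrincipals` are display names as shown in the site permissions UI.

```powershell
# Added example (not from the original post): permission and exposure audit.
# Assumes the on-premises SharePoint snap-in and farm admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Display names of principals that grant access far beyond a named set of users.
$broadPrincipals = '^(Everyone|All Authenticated Users|NT AUTHORITY\\Authenticated Users)$'
# Any permission level that can change permissions is an administrative level.
$managePerms = [Microsoft.SharePoint.SPBasePermissions]::ManagePermissions

$findings = foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        # Webs that inherit permissions are covered by their parent's assignments.
        if ($web.HasUniqueRoleAssignments) {
            if ($web.AnonymousState -ne 'Disabled') {
                [pscustomobject]@{ Url = $web.Url; Principal = '(anonymous)'
                    Levels = [string]$web.AnonymousState; Finding = 'Anonymous access enabled' }
            }
            foreach ($ra in $web.RoleAssignments) {
                $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
                $elevated = $ra.RoleDefinitionBindings |
                    Where-Object { ($_.BasePermissions -band $managePerms) -eq $managePerms }
                if ($ra.Member.Name -match $broadPrincipals) {
                    [pscustomobject]@{ Url = $web.Url; Principal = $ra.Member.Name
                        Levels = $levels; Finding = 'Broad principal granted access' }
                }
                if ($elevated) {
                    [pscustomobject]@{ Url = $web.Url; Principal = $ra.Member.Name
                        Levels = $levels; Finding = 'Can manage permissions' }
                }
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

# Keep the CSV: comparing successive runs shows when a site became exposed.
$findings | Sort-Object Url, Finding |
    Export-Csv -Path .\sharepoint-permission-audit.csv -NoTypeInformation
$findings | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize
```

Item- and list-level permissions that break inheritance are not covered here; the same role-assignment loop can be applied to `$web.Lists` where that granularity is needed.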

4. Keep a check on your 3rd party plugins/code

Greater flexibility and agility bring numerous loopholes with them. Third-party plugins and custom code can be such loopholes, exposed to serious security threats, and once compromised they can be difficult to remediate.

5. Create a DR and backup policy

As business-critical data holds paramount importance, a stringent disaster recovery (DR) and backup policy always keeps you on the safer side in case of a security event.

6. Organize user awareness training programs

Lastly, although the above-mentioned practices can help you make headway in securing your SharePoint applications, a lack of user awareness can render all those efforts in vain. So it is crucial to organize user awareness training programs regularly. This helps users stay abreast of SharePoint app features and the crucial security settings.

All things considered

As you can see, securing SharePoint needs a collaborative approach that involves your organization’s top management team as well as the end users. According to Gartner, “Content services platforms are the next stage of enterprise content management, representing a shift from self-contained systems and repositories to open services.” The research firm also points out that organizations must strike a balance between manageability and ease of use to seamlessly unlock productivity gains from their business-critical data.

Rohit Choudhary
Sr. Architect