Securing SharePoint TASSCC TEC 2009 Web 2.0 Conference

Similar documents
Microsoft SharePoint Server 2013 Plan, Configure & Manage

Texas Regional Infrastructure Security Conference (TRISC) Dan Cornell

Changing face of endpoint security

White Paper. Backup and Recovery Challenges with SharePoint. By Martin Tuip. October Mimosa Systems, Inc.

Improving Security in the Application Development Life-cycle

Advanced Solutions of Microsoft SharePoint Server 2013

Microsoft Core Solutions of Microsoft SharePoint Server 2013

Microsoft SharePoint End User level 1 course content (3-day)

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

20331B: Core Solutions of Microsoft SharePoint Server 2013

Security Readiness Assessment

Advanced Solutions of Microsoft SharePoint Server 2013 Course Contact Hours

Advanced Solutions of Microsoft SharePoint 2013

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

DotNetNuke. Easy to Use Extensible Highly Scalable

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

epldt Web Builder Security March 2017

RiskSense Attack Surface Validation for Web Applications

Integrigy Consulting Overview

Is Your Web Application Really Secure? Ken Graf, Watchfire

Architecture and Governance with SharePoint for Internet Sites. Ashish Bahuguna Kartik Shah

SharePoint Portal Server 2003 Advanced Migration Scenarios

SharePoint 2010 Central Administration/Configuration Training

Security Communications and Awareness

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

CipherCloud CASB+ Connector for ServiceNow

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0

Cross-Platform Parallels: Understanding SharePoint (Online) Through Notes-colored glasses

W H IT E P A P E R. Salesforce Security for the IT Executive

Page 1. Peers Technologies Pvt. Ltd. Course Brochure. Share Point 2007

RBS OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution of 5

Hyperion Application Access Control Governor Blueprint for Oracle GRC Applications

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Security Communications and Awareness

Table of Contents. Page 1 of 6 (Last updated 27 April 2017)

Planning and Administering SharePoint 2016 ( A)

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

COURSE OUTLINE MOC : PLANNING AND ADMINISTERING SHAREPOINT 2016

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Why the cloud matters?

SharePoint: How It s Leveraged and How It Works

SharePoint Migration Cleanup and Pre-Migration Checklist for Success

Cyber security. Strategic delivery: Setting standards Increasing and. Details: Output:

TechNet Home > Products & Technologies > Desktop Products & Technologies > Microsoft Office > SharePoint Portal Server 2003 > Deploy

Envision IT Office 365 Productivity Series Experience, Branding and Navigation. June 24, 2015

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

IT & Networking MICROSOFT SHAREPOINT SERVER. Core Solutions of Microsoft SharePoint Server Κωδικός Σεμιναρίου / Code MS-20331

Information Security Controls Policy

SharePoint SP380: SharePoint Training for Power Users (Site Owners and Site Collection Administrators)

Data Protection and GDPR

CS 356 Operating System Security. Fall 2013

Microsoft Office Programs and SharePoint Products and Technologies Integration Fair, Good, Better, Best

Extranets in SharePoint 2010 and 2013

External Collaboration with Office 365 Project Sites. September 16, 2015

Identity Theft: Enterprise-Wide Strategies for Prevention, Detection and Remediation

Microsoft SharePoint 2010 The business collaboration platform for the Enterprise and the Web. We have a new pie!

SharePoint Best Practices. Presented By: Mark Weinstein

Pro SharePoint 2010 Administration

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Continuously Discover and Eliminate Security Risk in Production Apps

6 MILLION AVERAGE PAY. CYBER Security. How many cyber security professionals will be added in 2019? for popular indursty positions are

Oracle WebCenter Interaction: Roadmap for BEA AquaLogic User Interaction. Ajay Gandhi Sr. Director of Product Management Enterprise 2.

2554 : Administering Microsoft Windows SharePoint Services and SharePoint Portal Server 2003

ALIENVAULT USM FOR AWS SOLUTION GUIDE

Configuring and Administering Microsoft SharePoint 2010

Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010 SharePoint Saturday San Diego February 2011 Chris McNulty

TFS for SQL/BI Developers. Dave Fackler Business Intelligence

Checklist: Credit Union Information Security and Privacy Policies

Application. Security. on line training. Academy. by Appsec Labs

Veritas Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Microsoft SharePoint Server

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Before you start proceeding with this tutorial, we are assuming that you are already aware about the basics of Web development.

CoreMax Consulting s Cyber Security Roadmap

Software Updating: Hitting the Mark

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches. Bob Bradley Tizor Systems, Inc. December 2004

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Planning and Administering SharePoint 2016

IBM SmartCloud Notes Security

Best Practices in Securing Your Customer Data in Salesforce, Force.com & Chatter


Index A Access data formats, 215 exporting data from, to SharePoint, forms and reports changing table used by form, 213 creating, cont

Microsoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications

EnterpriseLink Benefits

Quick Wins with Data Loss Prevention How to Make DLP Work for You

GUIDE. MetaDefender Kiosk Deployment Guide

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

Product Security Briefing

Netwrix Auditor Competitive Checklist

Vulnerability Management

Symantec Network Access Control Starter Edition

Securing Office 365 with SecureCloud

Explorer View document libraries, 165 form library, 183

Using SharePoint 2007 To Deliver Communications and Content Across The Firm

DreamFactory Security Guide

IBM Internet Security Systems Proventia Management SiteProtector

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

Transcription:

Securing SharePoint TASSCC TEC 2009 Web 2.0 Conference Dan Cornell Email: dan@denimgroup.comd Twitter: @danielcornell March 26 th, 2009

Agenda Background SharePoint Basics Securing SharePoint Common Approaches Common Blind Spots Questions and Answers 1

Denim Group Background Texas-based consultancy Build and Secure Enterprise Applications Build:.NET, JEE, SharePoint Secure: Assessments, Penetration Tests, Code Reviews, Training, Process Consulting Go-To Gold Partner for.net Security in North America Dan Cornell MCSD, Java 2 Certified Programmer Twitter: danielcornell 2

Key Learning Objectives Understand some of the up-front configurations that you can implement to secure your SharePoint deployment These initial steps are important, but are a starting point for in-depth security maintenance Areas of Emerging Security Coverage Data leakage protection Ongoing external/internal assessments Custom web part security A Comprehensive SharePoint Security strategy must combine an up- front and ongoing security activities that address evolving risks A starting point is a SharePoint security health check to quantify your risks 3

SharePoint Why Worry About Security? SharePoint is used as a front end for an increasing number of activities and systems Collaboration Application Delivery MySites Corporate Social Networking As the amount of data and the value of the data stored in SharePoint increases, the attractiveness of SharePoint to attackers increases SharePoint security is seen as a nice-to-have: http://secprodonline.com/articles/2009/01/27/sharepoint-security.aspx

Two Scenarios Organizations standardize on SharePoint as the platform technology for future IT initiatives Organizations deployed d SharePoint in an ad hoc manner 5

SharePoint as the Platform Often a top-down decision Touches many lines of business Lots of customization and custom software development 6

Ad Hoc Deployments (Viral!) SharePoint deployed on a whim or as a proof-of-concept Virally becomes critical to many business processes Inadequate infrastructure, no controls, etc 7

SharePoint Overview Microsoft Office SharePoint Server (MOSS) Software system used to build portal solutions Fully-packaged ASP.NET application Collaboration, Document Management, Enterprise Search, ECM, BI Adopted throughout enterprise and upper mid-market clients Based on the freely-available Windows SharePoint Services (WSS) Most of this talk probably applies to WSS, but the focus is on Enterprises with MOSS 8

SharePoint Overview 9

Nature of SharePoint as a Web Application A MOSS deployment is essentially a collection of websites Structured in a hierarchal fashion Web parts are the core component that t helps provide functionality and content on a page Can provide simple functionality or Contain items such as document libraries that have additional security capabilities Can be developed as custom software User-provisioned sites Users have the ability to create and edit collaboration sites Do not have to have IT involvement to build capability 10

Nature of SharePoint as a Web Application 11

Approaching SharePoint Security Typical Approach to SharePoint Security: Infrastructure SharePoint Security Features Add-On Products Common Blind Spots Include: Custom Web Part Security Data Security, Compliance, and Enterprise Search

Typical Approaches Secure the Infrastructure Use SharePoint Product Features Deploy Add-On Products Microsoft s Office SharePoint Server Security document: Short: http://is.gd/ohaw Original: http://office.microsoft.com/download/afile.aspx?assetid=am10235994103 13

Infrastructure Security Goal: Identify threats to the system from poorly configured or maintained infrastructure components Assess the security of infrastructure components Available services Service and server configuration Patch levels Assess from multiple vantage points Internet t Corporate network In-DMZ

SharePoint Product Security Features Authentication Authorization Users, Groups 15

Up Front Security for SharePoint Secure Access to SharePoint Deployment Validate a user s access to the site via authentication Most common approach: Windows Authentication via Active Directory (AD) Pump users and groups from AD to SharePoint Can also implement other authentication mechanisms Extranets Internet sites 16

Five Elements of Site Security in MOSS Individual User Permissions SharePoint-specific permission levels User Group Limited Access, Read, Contribute, Design, Full Control Understand d Windows Groups vs. SharePoint Groups Securable Objects Site, List, Library 17

SharePoint Default Groups Administration Site collection administrators Farm administrators Administrators Default groups for sites Restricted readers Style Resource Readers Viewers Home Visitors Home Members (contribute) Quick Deploy Users Approvers Designers Hierarchy Managers Home Owners (Full control) 18

Defining Permissions for SharePoint Can Assign fine-grained Permissions to: Site List or Library Folder Item or Document Permissions Include Limited Access, Read, Contribute, Design, Approve, Manage Hierarchy, Restricted Read, Full Control By Default, permissions within a site are inherited from the parent site 19

Defining Permissions for SharePoint Keys for success: Understand risk Make the schema straightforward Strike a balance between simplicity and security Anti-patterns: Everyone is an Administrator (although this is easy to set up and maintain) Every new site requires a new Active Directory (AD) group 20

Add On Products: Microsoft ForeFront Used to scan content being uploaded to document repositories: Viruses Spyware Other malware Multiple3 rd party engines are included Thanks for buying SharePoint. Now pay $X to secure it.

Common Blind Spots Custom Software on SharePoint is Still Custom Software Appreciating Data Security and Compliance Implications Enterprise Search being a common attack vector 22

Custom Software on SharePoint SharePoint is a platform that can be extended There are many ways to extend its capabilities both 3 rd party and custom-developed components WebParts Workflows

Custom Software on SharePoint Components deployed to SharePoint can be vulnerable to common web application attacks SQL Injection XML Injection Cross Site Scripting (XSS) Cross Site Request Forgery (CSRF) XML Injection is particularly interesting and scary SharePoint uses XML-based APIs to communicate internally Custom components with poor security create an excellent window for attackers 24

Why Is This a Problem? Some common ASP.NET protections against XSS are not enabled Often SharePoint development is done outside normal development groups Marketing, Internal Communications, etc not IT/Development Many static analysis tools do not have SharePoint-aware rulesets 25

Security Code Review Goal: Identify threats to the system based on security defects in custom code and 3 rd party extensions Enumerate 3 rd party and custom code components Perform a scan of the source code using best of breed source code analyzer Using a proprietary Denim Group custom ruleset to optimize results for SharePoint components Manually review results Manually review code for additional business logic vulnerabilities

Data Security, Compliance and Enterprise Search Collaboration is good Sort of Questions that t are often unanswered: Who is allowed to create sites What sort of data is allowed in SharePoint How should SharePoint data be protected 27

Data Security, Compliance and Enterprise Search A lot of data finds a home in SharePoint PII, PHI, Credit Card, Financial, etc That is kind of the point SharePoint search has become more better and more powerful over time 28

How Much Better? 29

So What? SharePoint may be indexing sensitive data that it then makes available via search Sites Documents in Document Libraries File Shares Etc. What data is living in SharePoint and who has access to it? 30

Data Security, Compliance, & Enterprise Search Goal: Identify potential ti confidentiality and compliance issues associated with sensitive data being stored in SharePoint data stores When sensitive data is identified, d review the users and groups who have access to determine if this is in-line with organizational data classification policies

Helpful Tools SharePoint web services allows access to Search: http://msdn.microsoft.com/en-us/library/ms470518.aspx Only allows access to SQL-style LIKE and CONTAINS queries Regular Expression Searching http://www.codeplex.com/mossregexsearch 32

Logging and Auditing SharePoint logs to the IIS log files Whoop dee doo SharePoint also has the capability to log and report Done at the Site Collection level (Site Settings -> Configure Audit Settings) Great intro article: http://is.gd/oh0j http://admincompanion.mindsharp.com/billblog/lists/posts/post.aspx?list=2d22afamindsharp com/billblog/lists/posts/post aspx?list=2d22afa 2-592b-471a-9cd1-4e8de8a2abc0&ID=18 Be careful how much logging you enable because you can run into disk space issues 33

3 rd Party SharePoint Auditing Tools Several 3 rd party tools are available to navigate SharePoint audit trails: http://www.syntergy.com/sharepoint/products/current/audit/index.html http://www.invenioworks.com/ http://www.alcero.com/solutions/audit.htm 34

Denim Group SharePoint Auditing Tool VERY early stage Provides a console interface to query SharePoint constructs 35

Need for Ongoing Scrutiny SharePoint is a collaboration technology When (l)users collaborate they change the state of the system New Sites, new documents in Document Libraries, etc What business process now critically depends on SharePoint? 36

Conclusions As SharePoint is used to store an increasing amount of sensitive data, the security of SharePoint systems becomes paramount Traditional approaches to SharePoint security have yet to address certain significant areas of risk A more comprehensive approach to SharePoint security is required Augment SharePoint security efforts with: High level focus on policy, compliance and auditability Low level focus on secure coding for custom extensions

Questions and Answers Dan Cornell Email: dan@denimgroup.com Twitter: @danielcornell Denim Group Phone: (210) 572-4400 Web: www.denimgroup.com Blog: denimgroup.typepad.com Facebook: http://is.gd/oh7f Twitter: @denimgroup 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback