Collaboration tools like SharePoint are excellent for facilitating exchange of information and enabling remote teams to work more effectively. Over the years they have evolved to become much more than a file repository and now enable linking of information across the business and with external collaborators. There are a couple of best practices to put in place when managing and using SharePoint, such as evaluating SharePoint security risks and performing a SharePoint security audit to uncover these risks.
Why does your organization need a SharePoint security audit?
SharePoint quickly becomes a treasure trove of information, but often that information is difficult to find and is buried among large volumes of data. In many cases no one knows what information is stored in SharePoint and how much of this information is sensitive. The term “sensitive” broadly refers to any information whose uncontrolled disclosure could have a negative impact. It could be personally identifiable information (PII), HR records (e.g. a spreadsheet with staff performance reviews), or valuable intellectual property (IP). Sensitive data buried in files and documents (referred to as unstructured data) can be much harder to manage than data in databases or applications (structured data).
This is where the risk comes in. How can the data owner (as distinct from the IT administrator) be sure that sensitive information is only disclosed (with an appropriate level of access) to those who are authorized to see or use it? The purpose of a SharePoint security audit is to provide a relatively objective assessment of the risk of an unauthorized disclosure.
The risk is very tightly linked to the information stored in SharePoint, so the first step in auditing the risk is understanding what data is where. Historically, organizations have relied on users to classify and label files based on their contents. Anyone with a background in data loss prevention tools will confirm that the inconsistency and subjectivity of this approach can lead to poor-quality outcomes, and that it is easily bypassed by users looking for a way to get things done or (more worryingly) looking to circumvent the system.
There is a range of automated discovery and classification tools on the market. Those that are effective combine a range of techniques to enable effective classification in a timely fashion. These techniques include basic metadata analysis and content scanning (keywords, pattern matching, etc.), but also extend to more intelligent tools that can add protection to the data based on its sensitivity. The trick is to be able to combine these techniques to achieve fast and accurate outcomes. Both are harder than you think!
Once an organization has a foundational understanding of what data is where (i.e. done via an appropriate audit), then risk management becomes both easier and more effective. Data can be managed and protected according to the sensitivity of information contained in the file. Exposures can be prioritized and addressed by focusing on the biggest sources of risk for the most important data. Sensitive data can have appropriate access controls assigned to it as well as protections such as watermarking, read-only access or encryption. It should also be deleted if it is no longer required. It’s also important to meet data privacy requirements. For example, GDPR compliance is much easier if you can easily find and action a Right of Access request made by an individual.
Like most things in life, risk levels and appropriate mitigation steps are on a spectrum, with the cost and effort involved in the mitigation needing to be tied to the level of risk. The best approach is to have a clear understanding of what data you have where and who needs to access it, and then implement appropriate access control, protection and auditing steps.
Best practices for auditing in SharePoint
It’s recommended to have an actual plan before starting anything within SharePoint – this includes auditing. Setting the goals for your auditing efforts will go a long way and answer questions like these:
- How long do you need the audit data to be stored for?
- What standard do you aim to create compliance for?
- What are the specific events that you need to track through auditing?
Other important things to remember are:
- Auditing a large number of events can have a significant impact on your overall storage space;
- Your retention policy should be well above 150-200 days, since that is the average length of time it takes companies to detect data breaches;
- Consider whether you want to use the same retention policy for the entire system or change the rules for areas that don’t deal with sensitive data.
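The planning questions above can be checked against what is actually configured. The following is an added example, not code from the original article: it uses the SharePoint Server (on-premises) object model from the SharePoint Management Shell to list site collections whose audit settings fall short of the plan. The 200-day threshold and the choice of "required" events are assumptions made for this example.

```powershell
# Added example: report audit-log settings per site collection (SharePoint Server).
# Run in the SharePoint Management Shell with farm administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: threshold taken from the 150-200 day figure in the list above.
$MinRetentionDays = 200

# Assumption: events this example treats as the minimum worth tracking.
$RequiredFlags = [int][Microsoft.SharePoint.SPAuditMaskType]::Delete -bor [int][Microsoft.SharePoint.SPAuditMaskType]::SecurityChange

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        $flags    = [int]$site.Audit.AuditFlags
        $findings = @()

        if ($flags -eq 0) {
            $findings += 'auditing disabled'
        } elseif (($flags -band $RequiredFlags) -ne $RequiredFlags) {
            $findings += 'required events not audited'
        }

        if (-not $site.TrimAuditLog) {
            # No trimming: nothing is lost, but the log grows without limit.
            $findings += 'trimming off, check storage'
        } elseif ($site.AuditLogTrimmingRetention -lt $MinRetentionDays) {
            $findings += "entries trimmed after $($site.AuditLogTrimmingRetention) days"
        }

        New-Object PSObject -Property @{
            Url           = $site.Url
            AuditFlags    = $site.Audit.AuditFlags
            TrimAuditLog  = $site.TrimAuditLog
            RetentionDays = $site.AuditLogTrimmingRetention
            Findings      = ($findings -join '; ')
        }
    } finally {
        $site.Dispose()   # SPSite objects hold unmanaged resources
    }
}

# Show only the site collections that need attention.
$report | Where-Object { $_.Findings } |
    Select-Object Url, AuditFlags, TrimAuditLog, RetentionDays, Findings |
    Format-Table -AutoSize -Wrap
```

The script only reads settings; it changes nothing in the farm.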
Top 10 tips for better SharePoint security audit
There are several things that you and your company can do to secure your SharePoint environment against the risks described above. Let’s go over the ten most important topics:
- Know what data you have and where it is
It’s the first step when it comes to data security, since you can’t protect something that you don’t know about. For better rule enforcement you’ll need to first create a list of your data, where it is and what it contains. SharePoint works on the same principles as regular file systems, with the addition of having to manage sites, groups, lists and document libraries. There are no limits to what you can or should learn about your data, including contained content, permissions, location etc. One way to compile such a list is to use PowerShell, but if your organization is not comfortable enough with PowerShell, then products like NC Protect can also help customers audit and classify their sensitive data.
- Take care of user permission management in SharePoint
SharePoint permissions are sometimes very difficult to understand and manage, even for someone familiar with the system. The human factor is one of the biggest reasons why security breaches still occur. As an admin, you should never grant overly broad permissions to any single user (preferably, avoid assigning personal permissions to begin with). An account that isn’t deactivated immediately after its owner has left the company is a major security risk, especially if that person’s permissions were at a significant level to begin with. The most important advice about user permission management is to stick to group management.
- Don’t forget about object permissions
Managing object permissions is even more difficult, mainly due to the total number of objects, folders and list items that you have to manage. The only way to make sure that every document is secured and has the correct permissions is to check it manually.
- Remember about the problematic nature of inheritance breaking
If you want a specific object to have different permissions in SharePoint than its parent object, you’ll have to break the permission inheritance. Each broken inheritance rule makes things harder for the system, creating unnecessary performance problems and making the overall management of such systems worse. With permission inheritance broken, it’s also hard to figure out who has access to what inside your system.
- Custom permissions are a dangerous necessity
It’s common for a company to create custom permission groups when it finds the standard ones lacking. This can be really useful, since you can control specific permissions for specific groups of people, but it is also a problem when you have several people with the ability to modify permission groups. Loose permissions could lead to a potential breach and reputational damage if abused.
- “Edit” and “Contribute” permission levels
This part is especially important for someone who has been working with SharePoint 2010 for a while and recently moved over to 2013. The problem is that one of the groups created automatically when you create a new site is called “Members”, and it only had Contribute permissions in 2010. However, in 2013 that same group has Edit permissions, creating a significant security concern for everyone who is unaware of this change in permissions.
- Conduct security audits regularly
A SharePoint security audit is an option that is already included in SharePoint by default, but many companies tend to forget about it or disable it altogether. That is a problem, because an audit creates a trail that you can follow to learn the nature of a security risk if it was ever exploited. One major downside to the feature is that it’s very resource intensive and is therefore also disabled by default. When enabling this feature, ensure it’s properly configured and set up to avoid any downside.
- External sharing has a lot of security breach potential
External sharing is a feature that allows you to share objects and documents with people outside of the organization. This brings with it a heightened security risk, because external people have access to your information. If confidential information happens to find its way into your externally shared location, this could result in a potential breach and reputational damage. The best thing that you can do to mitigate this is to monitor the situation regularly and to educate your employees about the danger that this feature brings with it.
- Administrator accounts have a lot of permissions, and malicious users can use those
An administrator is someone who holds all of the power within your SharePoint installation. This makes the account a perfect target for any sort of security breach, since an account with administrator permissions would be free to clean up its traces after the breach. The threat can come either from intentional hackers or from your own employees, who may inadvertently or otherwise take information out of the organization. There isn’t much that you can do about this threat, as admins are needed, but you can take steps to ensure admins are not able to access data that they shouldn’t be able to see. Third-party products like NC Protect have the ability to restrict admin access, allowing admins to see that the data exists in order to manage it, but not view the contents.
- Access from other devices is a potential threat
Today SharePoint content can be accessed via the cloud and mobile phones, so it is important for the organization to be flexible and ensure that every employee is aware of the risks that come with accessing information on the go. Turning this feature off is usually not an option, but employee training about the use of personal devices, especially in a security context, will go a long way in making your entire system safer.
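The tips above on user permissions, object permissions, broken inheritance and the Edit level can be turned into a repeatable report. The following is an added example, not code from the original article: it uses the SharePoint Server (on-premises) object model to list every site and list that has broken inheritance, who is assigned there, whether the assignment is to an individual user rather than a group, and whether it carries the Edit level. The site URL and output path are placeholders, the level name 'Edit' assumes an English installation with default permission levels, and the scan stops at list level because walking every item is far more expensive.

```powershell
# Added example: find broken inheritance and direct user permissions in one
# site collection. Run in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = 'https://sharepoint.example.local/sites/hr'     # placeholder URL
$OutFile = Join-Path $env:TEMP 'sp-permission-audit.csv'   # hypothetical path

# Emit one row per role assignment on a web or list with unique permissions.
function Get-RoleRows($securable, $webUrl, $scope, $name) {
    foreach ($ra in $securable.RoleAssignments) {
        $m      = $ra.Member
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        New-Object PSObject -Property @{
            Web        = $webUrl
            Scope      = $scope
            Object     = $name
            Principal  = $m.Name
            # AD security groups are also SPUser objects, so exclude them.
            DirectUser = (($m -is [Microsoft.SharePoint.SPUser]) -and (-not $m.IsDomainGroup))
            HasEdit    = ($levels -contains 'Edit')   # assumption: default English level name
            Levels     = ($levels -join '; ')
        }
    }
}

$site = Get-SPSite -Identity $SiteUrl
try {
    $rows = foreach ($web in $site.AllWebs) {
        try {
            if ($web.HasUniqueRoleAssignments) {
                Get-RoleRows $web $web.Url 'Web' $web.Title
            }
            foreach ($list in $web.Lists) {
                if ((-not $list.Hidden) -and $list.HasUniqueRoleAssignments) {
                    Get-RoleRows $list $web.Url 'List' $list.Title
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

$rows | Select-Object Web, Scope, Object, Principal, DirectUser, HasEdit, Levels |
    Export-Csv -Path $OutFile -NoTypeInformation

# Rows worth reviewing first: individual users and anything holding Edit.
$rows | Where-Object { $_.DirectUser -or $_.HasEdit } | Format-Table -AutoSize
```

Comparing the CSV from successive runs shows where inheritance has been broken or permissions widened since the last review.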
Free SharePoint auditing tools
While it is recommended to work with a comprehensive SharePoint security solution right off the bat – you can also try to use one of the few free security audit tools that exist for SharePoint:
- SharePoint Admin Toolkit is capable of a variety of things, like checking effective permissions;
- SUSHI (SharePoint Utility with a Smart, Helpful Interface) is a good way of accomplishing common SharePoint tasks in the fields of development or administrative control;
- SharePoint Permissions Analyzer is capable of scanning the entire system and creating a permission structure of the site in question;
- PowerShell scripts can do the majority of the tasks, including permission audit, if the user has the necessary grasp of the programming language in question.
If you’re unhappy with the free software’s capabilities, you can also try out one of the full-fledged SharePoint solutions with audit capabilities, like archTIS’s NC Protect.
SharePoint security checklist
A structured checklist helps ensure that nothing is missed and everything is given an appropriate priority. Here is a SharePoint security checklist that we have put together. This list is based on a data-centric approach which aims to make the infrastructure-level components less critical (but still as relevant as ever in a layered defense model).
- Use a risk-based approach to help focus the organization on achieving an optimum level of protection for important data
- Ensure all content is classified according to its contents (ideally a single file can have multiple classifications so that it can cater for real life complexity – e.g. an HR file that also contains PII).
- Have a SharePoint security policy that ensures all information has an owner and that this owner is accountable for determining who should have access to what data with what level of permission.
- Make sure IT is accountable for implementing systems that allow these policies to be implemented and enforced including:
  - Access rights
  - Limit access only to authorized users – this can be achieved by using separate repositories, or layering access control and/or encryption solutions.
  - Logging individual file access to create an audit trail to ensure traceability and accountability
  - Authentication and authorization – ensuring a user is who they say they are before they access something they are authorized to see is critical.
  - Adding enhanced protections such as watermarks, restricted read-only access, disabling printing and sharing, etc.
- Ensure infrastructure is reliable and secure – network security, patching, backup, scalability, etc. all need to be factored into this. From a breach perspective this becomes less critical if encryption is well implemented as compromising the data store is not enough to access the content itself.