SharePoint Security Best Practices Guide

The overall push to move to the cloud has been a top priority for many organizations due to the massive advantages in terms of convenience, effectiveness, and cost. Not all businesses are keen to move to the Cloud because of security concerns. However, the transition to remote work during the COVID-19 pandemic was a lot easier for companies that were already begun digital migration to the cloud. The benefits of the cloud far outweighed the risk in order to keep business humming along without interruption or loss of productivity. Post-pandemic, businesses are continuing to reap the advantages of cloud collaboration platforms like Microsoft 365 and SharePoint Online (SharePoint).

Document management and collaboration platforms like SharePoint that allow users to effectively collaborate, share and control company data have become business-critical. However, that same ease of access and collaboration also poses new security risks.  It’s almost impossible to think through every possible way that users may deliberately or inadvertently breach the SharePoint environment using static security policies. To assist we’ve put together some SharePoint security best practices in this short guide to help organizations mitigate the most prevalent risks.

SharePoint Security Basics

Understanding Out-of-the-Box Permissions

SharePoint as a system is quite complex when it comes to what kind of permissions you can assign to someone. Those permissions include, but are not limited to, the following:

• Read – Can only view and download documents, as well as see previous versions of a single document
• Edit – Creating, reading and deleting permissions when it comes to lists, items and documents
• Restricted read – “Read” without the ability to view previous document versions or user permissions in general
• View only – Viewing access to documents, items and pages, downloading is only for those files that can’t be viewed using web browser
• Contribute – “Edit” with some limitations, allows the user to create, delete, view and change list items or single documents
• Approve – Partial administrator rights, provides the ability to edit and/or approve list items, documents or pages
• Design – The ability to create document libraries and lists, as well as making aesthetic changes to the site or sites, not assigned to anyone by default (aside from people with “Full Access”)
• Limited access – Access to a specific file or a single site page, automatically assigned when specified access to a specific item or document
• Full control – A basic “all-in-one” package, access to anything and everything within the system, gained by default to everyone in the “Owners” group
• Manage hierarchy – Another partial administrator role that allows the user to edit pages/items/documents and even create sites

There are a lot of different permissions within SharePoint as a platform. It is worth noting that permissions with administrator rights (Full control, approve and manage hierarchy) should only be given out after substantial consideration, as it also makes admins bigger targets for hackers and data breaches in general.

SharePoint Best Practices Guide

A SINGLE ADMINISTRATOR PER SITE COLLECTION

Every site or site group should have only one administrator to minimize both the number of possible targets in the event of data leaks, as well as limit the number of people having access to literally everything within that site. Additionally, administrator accounts naturally create overprivileged users. You may also want to prevent admins, or any privileged user with admin or sub-admin rights, from using their permission levels to view sensitive information that they should not have access to. For example, if they open a sensitive file by accident or with some sort of malicious intent. Limiting admin access also prevents a hacker from being able to use stolen admin credentials to exfiltrate sensitive data. Third party products like NC Protect can help limit what admins can see and/or open while still allowing them to manage the data in their care.

USE ITEM-LEVEL VS FOLDER BASED PERMISSIONS

There are two methods of applying security in SharePoint, folder based which applies the same permissions to all documents in a folder or file based which applies permissions to individual files for more granular control. While folder-level security may seem easier to manage, file-level security ensures only the right users can access the information if a file is placed in the wrong location, a common mistake. Managing file-level policies does not have to be resource-draining. Instead, look for add-on solutions that support dynamic policies that automatically adjust file access permissions based on the content’s sensitivity and the security context of the user. This allows you to address multiple security scenarios using fewer policies, making policies easier to manage and providing more effective data protection.

CONTROL USER PERMISSIONS USING GROUPS & SECURITY SCOPES

While SharePoint is able to assign different permissions on several levels, from a group of sites down to a single document or item – one should not give everyone access to everything. At the same time, applying permission rights to singular users is generally not recommended due to the amount of work needed when it comes to changing several people’s permissions at a time. That’s why SharePoint has the ability to assign permissions in groups.

Using groups is recommended since it makes working with permissions in general that much easier – Administrators don’t need to change each person’s permissions one at a time but can do this in groups unless there is an exception. This also helps simplify the process of assigning necessary permissions to each and every new person in the system – Admins can just add users to a specific group and they’ll be given necessary permissions automatically.

Add-on solutions can also help automate this process in Teams using Security Scopes: a set of information protection rules that can automatically be applied to Teams based on the team member, chat or file content and context to prevent accidental data leaks. Security scopes can automatically apply rule sets to multiple Teams or sites as content or member attributes change (e.g. If a guest user is added a Team can be automatically moved to a new scope and rules applied).

“SHARE” PERMISSION IS A HUGE RISK

Sharing in general is such a commonplace activity that no one even thinks about it most of the time. However, SharePoint’s “Share” permission is different. It allows you to share a single item within SharePoint – with anyone –  via a single link. It is an extremely big security risk, and it should be handled with a lot of consideration given to the potential risks. Organizations and admins can very easily lose oversight of all the different sharing permissions that have been set on the various levels within SharePoint or other content collaboration platforms. NC Protect can proactively prevent the sharing of content with unauthorized parties, both internal and external. It augments SharePoint security with dynamic policies to control access, sharing rights and can limit actions that can be taken (print, save, edits, etc.) when sensitive documents are shared with other users, guests and third parties. Capabilities also extend to files shared with Exchange email to protect data at rest and in motion.

DATA ENCRYPTION

Data encryption can be split into two categories – in transit and at rest. Both automatically protect files using the most advanced cryptographic technologies possible, preferably AES-256 encryption.

Microsoft provides many out-of-the-box features that can make encrypting SharePoint content that much easier. However, consider using other means of protection as well, since built-in encryption services aren’t perfect. For example, SharePoint data encryption relies solely on MS Azure as the only data storage for most of its features, which makes it potentially vulnerable at the same time. At the same time, admins are also not prevented from accessing internal sensitive information.

You may also want to automatically apply encryption based on the sensitivity of a document, or only under certain scenarios, such as a sensitive file being emailed. Or you may have sensitive data exposed in your SharePoint lists that you want to encrypt. This can’t be done natively. Lastly, key management is a concern as organizations aim to achieve digital sovereignty and want to separate their keys from their data management tools. If any of these are a concern or requirement, NC Protect provides dynamic encryption, SharePoint list encryption and independent key management capabilities as well as integrations with leading platforms such as Thales CipherTrust Manager so you can maintain control of your encryption keys.

Virus Detection for File Uploads

Virus detection is an automated feature that checks every file that is uploaded to a SharePoint document library/site. It uses a highly sophisticated anti-malware engine to scan files for viruses and other contaminants. If any user tries to download an infected file – they’ll get a warning message about a possible infection within the file and the download is blocked with a warning message. The user is given a choice to download that file and attempt to fix it with their own standalone antivirus software or discard the download altogether.

There are limitations, as not all files are automatically scanned. Only triggered only if the file meets certain criteria is the virus detection engine engaged. Third party tools like NC Protect can augment this function with file integrity checks to ensure a file is not malicious, corrupted or maliciously encrypted as files are uploaded to SharePoint. It can block or deny file upload, quarantine for manual review and generate a SIEM alert in Microsoft Sentinel or Splunk for further investigation.

USE AUDIT REVIEWS

Audit functionality in an organization’s SharePoint system should be enabled as soon as possible. Audits allow admins to track a variety of information within your website or site group, as well as a history of actions of a specific person. It can be used to look for suspicious activity beforehand or find out which account was the cause of a security breach or data loss. With these features, organizations will have an easier time meeting stricter compliance requirements and have a better understanding of how their information is used, with the aim of detecting anomalies. Third party tools can also automatically synch user activity logs to Microsoft Sentinel for further analysis, and to apply upstream actions and trigger alerts.

Manage access on personal devices

SharePoint has quite a lot of different security features, but they cannot cover every possible problem or issue, which is why it is also important for end users to be aware of how they can protect themselves from causing security breaches or inadvertently corrupting data by going into various cybersecurity traps. As such, there are some measures that only users themselves can take, and most of them are not even that complicated.

Today, literally everyone has at least one smartphone or a tablet – it’s quite important to remember to secure BYOD and personal devices. While securing employee laptops is standard, personal mobile devices are vulnerable without proper protections in place. Gaining access to mobile apps such as SharePoint Newsfeed or OneDrive for Business could lead to a potential breach without the attacker needing to access a workstation. That’s why it is recommended to use password protection, MFA or better yet some form of MDM solution or similar to protect access using personal devices.

Also, third party tools like NC Protect can be used to create and apply dynamic policies that automatically adjust access rights based on the device. For example, access to sensitive information can be completely denied from a mobile device even if the same user has full access from their company laptop. Or the user can be presented with a secure, read-only view of the file with a watermark that automatically stamps the date, time, location device and user name all over the document for security purposes.

Use strong passwords

One of the most basic security practices is to have a strong password for all of your important accounts. A strong password should be at least eight characters and include the use of both lower-case and upper-case letters, as well as symbols and numbers. Changing your password several times a year and avoiding using the same password for multiple accounts are also good practices for password management. Additionally, change passwords for shared business accounts every time an employee leaves, avoid storing passwords either digitally or physically, and avoid using dictionary words.

Enforce multi-factor authentication

While a personalized identity check would always be a better option, it is not always possible to have it enabled for each and every one of your SharePoint users. Multi-factor authentication (MFA) which demands two or more separate proofs of a person’s identity for login into an application or system is an effective option. For example, in addition to their password, a user must confirm their identity using a second method such as a pin provided via text message,  phone call, or mobile app. MFA has to be configured for each user specifically, but the overall security benefits are greater than the initial inconvenience during setting up. MFA acts as a great additional “perimeter” security measure, which is necessary when you’re dealing with sensitive data.

Keep track of Your Microsoft Secure Score

There are two main versions of security reporting that Microsoft 365 has – one is called Microsoft Security Score and is a part of SharePoint security, while the other is referred to as Identity Security Score and is a part of Azure AD (Active Directory). Both of these operations are capable of running regular environmental scans to check for various improvements that could be made to improve overall security. There is a lot of information that one could gain from the results of these processes, including potential threats, ways to counter them, and so on. These tools are also continuously improving based on Microsoft’s own research data and the results of real-time monitoring of a multitude of systems.

Restrict library synchronization for important files and directories

A data loss event does not have to be malicious in its nature – there are many different ways for important data to be lost purely because of the “human error”. Simple negligence, mistakes and other circumstances often lead to accidents with important data being lost, shared with unauthorized parties or corrupted. Keeping library synchronization turned on for your directories with sensitive data leads to cloud data overwriting your local version of said data, which can often lead to entire files and folders being lost at once. Restricting this feature is a good way to prevent accidents like these.

There are also several other file security and sharing tips that can be found on our website under this link.

CONCLUSION

Everyone in the organization should be aware of their responsibilities in the overall corporate risk profile, especially when it comes to sensitive data. Well-thought-out and executed SharePoint security best practices are paramount for all organizations, irrespective of their size.

Despite all the security parameters in place, the possibility of a security breach through a disgruntled administrator or employee, and more commonly negligent users (insider threats) can be difficult hard to mitigate. This is where dynamic security policies can be extremely helpful.

archTIS NC Protect product provides complimentary security features to enhance your security posture in SharePoint Online, SharePoint Server on-premises and hybrid environments with dynamic attribute-based access control (ABAC) and data-centric protection policies. It adds unique capabilities including dynamic watermarks, read-only access, redaction, CUI markings, plus advanced encryption and key management. It can also assist with data discovery and classification, use your existing Microsoft Purview Information Protection labels or use classifications from third party applications to build dynamic policies that control access and apply file-level, contextual protection using a combination of user and data attributes such as classification.

NC Protect’s integrations with the Microsoft 365 suite are vetted as part of our membership in the Microsoft Security Association (MISA) and have been recognized with a Microsoft Security Excellence Awards Compliance and Privacy Trailblazer Finalist award. NC Protect enhances Microsoft security with dynamic policy-enforced capabilities you won’t find anywhere else.