In today’s world, it’s very common to see a weekly security incident or breach in the news. Due to this, data protection is an issue that should be monitored by all staff, and not just by traditional IT administrators. Business owners are increasingly held accountable as the data owners of information.
There are platforms like SharePoint that allow users to effectively collaborate, share and control company data. Even the most intricate security policy of a single organization would probably fail to think through every possible way that users may deliberately or inadvertently breach your SharePoint environment.
There are several general SharePoint security best practices that we’ve put other in this short guide. This security guide should help organizations mitigate the most prevalent risks when it comes to SharePoint security. Let’s go through some of them in more detail:
1. A single administrator per site collection
Nowadays there are a lot of different tools for creating websites, and most of them are easy to implement and control, like SharePoint. At the same time, every site or site group should have only one administrator at a time to minimize both the amount of possible targets in the event of data leaks, as well as limit the amount of people having access to literally everything within that website or site group.
It’s also a good idea to have an administrator’s contact details right on the landing page of a site, so the users would know where to go asking for help. An additional tip here is to also blind the administrators from any data that they should not be able to see.
2. No item-level permissions
SharePoint allows organizations to set permissions on almost any level, down to a single item or document. But this type of permission assignment is not recommended due to the amount of possible problems that comes from having too many single-file permissions set. It is also hard for organizations to see all of those specific accounts in one list within SharePoint. More about permissions below.
3. Control people’s permissions in Groups
While SharePoint is able to assign different permissions on several levels, from a group of sites down to a single document or item – one should not give everyone access to everything and leave it at that. At the same time, applying permission rights to singular users is generally not recommended due to the amount of work needed when it comes to changing several people’s permissions at a time. That’s why SharePoint has the ability to assign permissions in groups.
Using groups is highly recommended since it makes working with permissions in general that much easier – Administrators don’t need to change each person’s permissions one at a time but can do this in groups unless there is an exception. This also helps simplifying the process of assigning necessary permissions to each and every new person in the system – Admins can just add users to a specific group and they’ll be given necessary permissions automatically.
Speaking of permissions – SharePoint as a system is quite complex when it comes to what kind of permissions you can assign to someone. Those permissions include, but not limited by, the following:
- Read – can only view and download documents, as well as seeing previous versions of a single document;
- Edit – creating, reading and deleting permissions when it comes to lists, items and documents;
- Restricted read – “read” without the ability to view previous document versions or user permissions in general;
- View only – viewing access to documents, items and pages, downloading is only for those files that can’t be viewed using web browser;
- Contribute – “edit” with some limitations, allows to create, delete, view and change list items or single documents;
- Approve – partial administrator rights, ability to edit and/or approve list items, documents or pages;
- Design – ability to create document libraries and lists, as well as making aesthetic changes to the site or sites, not assigned to anyone by default (aside from people with “Full Access”);
- Limited access – access to a specific file or a single site page, automatically assigned when specified access to a specific item or document;
- Full control – basic “all-in-one” package, access to anything and everything within the system, gained by default to everyone in the “Owners” group;
- Manage hierarchy – another partial administrator role, allows to edit pages/items/documents and even create sites.
There are quite a lot of different permissions within SharePoint as a platform. It is worth noting that permissions with administrator rights (Full control, approve and manage hierarchy) should be given out after substantial consideration, as it also makes them bigger targets for hackers and data breaches in general.
4. “Share” permission is a huge risk
Sharing in general is such a commonplace activity that no one even thinks about it most of the time. However, SharePoint’s “Share” permission is different. It allows you to share a single item within SharePoint – with anyone – via one single link. It is an extremely big security risk, and it should be handled with a lot of consideration given to the potential risks. Organizations and admins can very easily lose oversight of all the different sharing permissions that have been set on the various levels within SharePoint or other content collaboration platforms.
5. Take advantage of Microsoft’s built-in security features
SharePoint as a service is now the go-to standard and more and more people are adapting it over classical file management. For that exact reason Microsoft is trying to improve their product on a continuous basis to ensure they stay ahead of the competition. There are plenty of built-in features when it comes to security, some of them enabled by default and some which need to be configured first. Let’s have a look at the most obvious two when it comes to security – data encryption and virus detection.
Data encryption can be split in two categories – mid-transit and at rest. Both of them are automatically protected using the most advanced technologies possible, like AES-256 encryption. There are some specific features: data mid-transit is protection using IPsec, TLS/SSL and more; data at rest is taking advantage of BitLocker and a variety of features tied to Microsoft’s Azure cloud storage – TDE (Transparent Data Encryption), Azure Disk Encryption and so on.
Virus detection is an automated feature that checks every file that is saved within a document library/site. It uses a highly sophisticated anti-malware engine to scan files for viruses and other contaminants. If any user tries to download an infected file – they’ll get a warning message about a possible infection within the file and the download is blocked with a warning message. The user is given a choice to download that file and attempt to fix it with their own standalone antivirus software or discard the download all together.
It’s true that there are several important features provided by Microsoft that can make securing SharePoint that much easier. However, consider using other means of protection as well, since built-in services aren’t perfect. For example, virus detection isn’t checking files with size over 25 Mb. And data encryption relies solely on MS Azure as the only data storage for the most of their features, which makes it potentially vulnerable at the same time. At the same time admins are also not prevented from accessing internal sensitive information.
6. Use audit reviews
Audit functionality in an organization’s SharePoint system should be enabled as soon as possible. Audits allow admins to track a variety of information within your website or site group, as well as history of actions of a specific person. It can be used to look for the suspicious activity beforehand, or finding out which account was the cause of security breach or data loss. With these features organizations will have an easier time meeting stricter compliance requirements and have a better understanding of how their information is used, with the aim of detecting the anomalies.
7. Don’t forget about the browser
While SharePoint is a great system, it is still missing some important features that would make all this security talk much easier. One such feature is a Web Application Firewall (WAF). Until this is integrated by default, admins need to take several extra steps to ensure custom apps are properly configured with granular permissions, etc.
The choice in browser is also important and users should ensure that the browser of their choice can hold its own against most of the “regular” attack types, like SQL injection or cross-site scripting.
8. Keep personal devices locked
This one is less about SharePoint security and more about security in general. Since in the modern age literally everyone has at least one smartphone or a tablet – it’s quite important to remember to secure BYOD and personal devices.
While securing an employee laptops is standard, a lot of people tend to forget that personal mobile devices are even more vulnerable without proper protection. Gaining access to mobile apps such as SharePoint Newsfeed or OneDrive for Business could lead to a potential breach without the attacker needing to access a workstation. That’s why it is recommended to use at least some sort of protection with personal devices such as password protection, MFA or better yet some form of MDM solution or similar.
Everyone should be aware of their responsibilities in the overall corporate risk profile, especially when it comes to sensitive data. A well thought through and executed SharePoint security best practices are paramount for all organizations, irrespective of their size.
In addition there is also a possibility of a security breach through a disgruntled administrator and employee or negligent users (insider threats). This is where it is important to segregate the duties of various employees to ensure not one single entity has the keys to the kingdom.
That’s why companies like archTIS exist. archTIS’ NC Protect provides complimentary security features to enhance your SharePoint security posture, from data discovery and classification, dynamic attribute-based protection, watermarks, read-only access. data encryption, key management services and preventing administrators from being able to view files.
Blinding admins or any privileged user ensures that each specific account with admin or sub-admin rights can’t use their permission levels to view an information that they happened to open on accident or with some sort of malicious intent. That part of possible data loss is often overlooked by most of the Administrators or Managers, regardless of whether its file servers, SharePoint farms or cloud environments like Microsoft, AWS or Google.
By distributing the data ownership away from the central administrators and back to the data owner, NC Protect is able to protect your data from every possible angle, especially when it comes to one or several administrators being the source of the trouble.
White Paper: Dynamic Data Loss Prevention in SharePoint
Achieve Real-Time, Attribute-based Data Security