Managing external data access in SharePoint governance

Permitting external access to SharePoint data allows employees to do their jobs, even when they are out of the office. However, be sure the methods you use to allow remote access to SharePoint comply with your governance plan.

This article can also be found in the Premium Editorial Download: SharePoint Insider: Top five SharePoint challenges and solutions:

As you develop your SharePoint governance plan, it is only a matter of time before you lock horns with the subject

of external SharePoint access.

More on SharePoint governance

Four steps to creating practical SharePoint governance standards
Big SharePoint governance mistakes

Quantifying the success of your SharePoint governance policy

At first, the question of whether you want to allow users to access SharePoint resources from across the Internet probably seems really simple. Either you do want to allow external access or you don't. But, it's much more complicated than that. Learn what to consider when designing your external access policy for SharePoint.

If you decide that you don't want users accessing SharePoint data from outside of your network, then you probably don't have to worry about any additional planning in this area. The primary advantage to allowing external access to SharePoint data is that doing so enables employees to do their jobs, even when they are working outside of the office.

On the other hand, allowing external access to SharePoint data increases the risks of accidental data disclosure. It is important to remember that unless users are accessing SharePoint data from company-issued computers, then you have to assume that their computers do not comply with your normal corporate security policy.

If you do want to allow external access, though, there are a number of issues related to the level of access you must address. The first of these issues is what type of external access you want to allow. For example, is it acceptable for users to access SharePoint from a public Internet kiosk, or do you want to limit access to those users who have company-issued laptops?

There is a trade-off between freer access and better security. Generally, the best way to achieve a balance is to determine if the risks of providing external access outweigh the benefits. Some companies may find it essential for remote users to access SharePoint data, while for others it may be little more than a convenience factor.

Another important issue to consider is whether users should be able to access the same SharePoint content that they could if they were sitting in the office or if you want to limit their external access to a subset of the data. Some organizations find that they are comfortable allowing users to externally access SharePoint calendars and some SharePoint lists and document libraries but that other document libraries may contain data that is especially sensitive, such as financial statements or business plans.

In these types of situations, it may make sense to allow users to access some SharePoint data but not to give them external access to everything. There are many different techniques for accomplishing this. For example, you might create a special SharePoint site that has access only to resources that are approved for external access. Exchange Server and Outlook can also be especially effective mechanisms for controlling external access to SharePoint data.

If you decide that there are some types of SharePoint data that should not be externally accessible, then you will have to figure out how to segment the data based on your security requirements. If that's your approach, there are at least two options available to you.

  • Create a dedicated SharePoint site for external users, and design that site in such a way that only the acceptable data is available.
    For example, the site might provide users with some document libraries but not others. Likewise, you could create a SharePoint site where users have access to calendars and contacts but nothing else. Depending on how your SharePoint deployment is configured, though, this solution might be impractical, especially if the documents that users need external access to are included in the same document library as the documents that you want to protect.
  • Configure SharePoint to provide access to SharePoint resources through Outlook or through Outlook Web Access (OWA).
    What is nice about using OWA is that you can avoid exposing your SharePoint servers to the outside world. Instead, Exchange Server acts as a proxy and retrieves the requested data on the user's behalf.

The Exchange 2007 version of OWA contains a mechanism called Direct File Access that allows users to browse SharePoint document libraries directly through the OWA interface. Because all users' requests are proxied through Exchange, Microsoft designed Exchange 2007 so that you can specify which SharePoint servers' users should be able to access through OWA.

Another nice thing about Direct File Access is that Exchange maintains two separate profiles—one for private computers and one for public computers. Because users access OWA through a standard Web browser, Exchange has no way of knowing whether users are actually using a public or a private computer, but the OWA sign-on screen does ask users which type of computer they are using. If the user does not explicitly tell OWA that they are using a private computer, OWA will assume that the user is working from a public computer.

OWA allows you to control external access to resources based on whether a user is using a public or a private computer.

From a governance standpoint, providing access to SharePoint document libraries through OWA may be just what the doctor ordered. After all, OWA allows you to control which SharePoint servers users can access externally. It even allows you to control external access to resources based on whether a user is using a public or a private computer.

Unfortunately, OWA does not offer a comprehensive solution for those who want to give external access to SharePoint resources in a controlled manner. You can allow access to SharePoint document libraries through OWA, but OWA does not allow you to connect to SharePoint lists, calendars or other resources.

The good news is that you can configure Outlook 2007 to connect to SharePoint lists, document libraries and calendars. Access to these resources can also be controlled through Group Policy settings. What this means is that you can provide external users with specific SharePoint resources in a controlled manner. Because Outlook must be physically installed on the user's computer for this to work, using Outlook as the sole means for providing external access to SharePoint guarantees that users will not access the program from public Internet kiosks.

If you decide to give external users remote access to SharePoint resources, then you have to tackle what types of data you will allow users to access and which access methods you'll allow. In situations in which your governance plan mandates that only a subset of the SharePoint data be externally accessible, you may have to get a bit creative in providing users with the appropriate access.

Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox. You can visit his personal Web site at

This was first published in February 2010

Dig deeper on Microsoft SharePoint Governance



Enjoy the benefits of Pro+ membership, learn more and join.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: