SharePoint security should not be an afterthought

Microsoft SharePoint has been around for 10 years now and it seems every company I work with uses it in some fashion. However, I’m always surprised at how frequently SharePoint security is an afterthought. Companies go to great lengths to protect servers running Windows, IIS and SQL Server, yet SharePoint controls are often overlooked.

Enterprises often see SharePoint as not quite a server and not quite a Web application. This view is the heart of the problem. Not only is SharePoint a public/private Web system, but it is an entire collection of systems that contains an abundance of sensitive information. And most of these systems can be accessed and exploited from inside your own network.

SharePoint has plenty of built-in security controls, but that doesn’t mean it is inherently secure. Below I’ve listed the top security issues facing SharePoint deployments:

1. Failure to take internal security policies and plans into account
I see lots of configuration and administration inconsistencies in SharePoint. And having a development team manage SharePoint systems -- which so many do -- can create accountability problems. Be sure you always have the answers to the following:

2. Failure to test the Web side of the system
It’s easy to use a generic vulnerability scanner to scan the IP address of a SharePoint server -- and many do. However, many overlook the Web side of the equation.

SharePoint environments have the same application vulnerabilities as traditional websites and applications. Don’t be scared to dig a little deeper to find everything that matters. This is especially important with SharePoint because there is so much custom code.

3. Failure to properly maintain patches
Numerous server-side vulnerabilities have been uncovered in SharePoint. In fact, a simple search of the QualysGuard vulnerability scanner database reveals a couple of dozen vulnerability checks that apply directly to SharePoint.

Consider Windows, SQL Server and IIS-based flaws that can be exploited as well. All it takes is a bored or unruly insider with a free vulnerability scanner and the free Metasploit tool to find and exploit missing patches and effectively “own” your system. Adding insult to injury, odds are that you’ll never know the exploit happened.

4. Failure to account for the mobile workforce
It’s one thing to have SharePoint data locked down in the data center or in the cloud, but once you bring iOS, Android and Windows Mobile systems into the equation, you’ve got an entirely new set of issues.

Chances are your users access SharePoint remotely. But just how secure are their mobile devices? Do they have password protection or encryption set up? How is their data being backed up? Are they properly protected from malware?

Many agree that mobile devices are becoming the new desktop, so it’s critical to keep these issues in mind. I suspect we’ll have a slew of new mobile security risks in the near future.

Just because SharePoint sits behind a firewall doesn’t mean you can install it blindly and assume all will be well. Dig in and see what’s at risk. You may surprise yourself.

About the author:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Kevin specializes in independent security assessments revolving around minimizing information risks. He has authored/co-authored 10 books on information security including Hacking For Dummies. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com, follow him on Twitter at @kevinbeaver and connect with him on LinkedIn.

This was first published in November 2011
