Problem solve Get help with specific problems with your technologies, process and projects.

Strategies for securing SharePoint in the Windows enterprise

Although securing SharePoint may seem like a 500-piece puzzle, with many parts to keep track of, planning for security during the stages of SharePoint deployment can serve as the glue. Learn where to focus your efforts to keep SharePoint secure.

Stephen Cummins, Contributor
Stephen Cummins
When it comes to securing SharePoint Server, decisions are best made during the planning stages of SharePoint deployment because it's difficult to retroactively apply security policies. SharePoint security strategies should focus on three key areas: access control, application security and content security.

Access control
The main way to secure SharePoint is through access control. SharePoint allows users to create and manage their own groups, but there are ways to control them. The IT department can create Active Directory roles within SharePoint groups so only those authorized to use AD management tools can grant and change access permissions.

Centralized access management leads to greater control and more efficiency, but it also slows users from creating their own structures and granting access to them. A practical compromise is to control access to top-level department sites and enterprise-wide sites from Active Directory and IT, but to have areas in SharePoint where users can create ad hoc sites and grant access to them themselves.

More on SharePoint

Integrating document management systems into Microsoft SharePoint 2007

Using SharePoint search in the enterprise

These areas would then be managed using policies and quotas. For example, if a SharePoint site is not accessed for 90 days, the administrator would be asked to keep or delete it. Those sites can also have size quotas where administrators would be notified by email if they reach 80% of capacity; and no more content can be added when they reach 100%.

Application security
Application security policies protect against denial of service attacks and anything that might compromise the performance or stability of the SharePoint Server platform. For the first layer of protection, during installation, apply the principles of least privilege to the service accounts SharePoint uses to run the application. . To complete this process follow the steps outlined in TechNet's Plan for administrative and service accounts (Office SharePoint Server).

Note: SharePoint Server can be added to and customized since it is, at its core, an ASP.NET application. There are many ways code or markup changes can interfere with the system. Clear policies at the start will ensure that SharePoint remains as secure as possible. Once again, apply the principles of least privilege here. Custom code needs execute permission to run and this is a high level of privilege. There are three ways to provide this level of privilege.

  1. You could edit the virtual server's web.config file from minimal to medium or full. This is not recommended, as it allows too much latitude to the code.
  2. You can install the assemblies in the GAC. This provides very high privileges, but there is no way to control what the code can and cannot do. The solution is custom policy files, which are difficult to implement but are the most secure way to deploy assemblies. To learn more about code access security, review Microsoft Windows SharePoint services and code access security.
  3. You can use SharePoint Designer, which is a free productivity tool that has many benefits, but it can create security headaches because sites can become inaccessible. It can, however, be locked down at a number of levels by removing specific permissions within SharePoint.

Content security
Securing SharePoint's content requires having policies that dictate how, where and who can publish and share content and for what audience. For example, some companies may restrict employees from having blogs as a way of controlling how they share sensitive information with the public.

While policy restrictions may make it clear to employees that unauthorized sharing is prohibited, you may want to be more proactive by creating channels that do allow information to be shared, but in a way that means it is vetted and approved first. To create channels that restrict viewing before content is approved, use approval workflows. Note: While "audiences" can be defined to target what content can be viewed, they do not secure it. Anyone can still access information as long as he or she has the appropriate access rights.

Remember, business conditions and circumstances change all the time, so security policies must be reviewed and improved regularly to keep in step with business needs. SharePoint allows users and developers to be in control. They need clear rules that allow maximum freedom and that maintain security, stability and, most important, performance.

Stephen Cummins, founder of, is a SharePoint consultant and has been a SharePoint MVP (Most Valuable Professional) for the past seven years. He lives in Kildare, Ireland with his wife, daughter, two dogs and an ever-changing number of goldfish.

Dig Deeper on SharePoint administration and troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.