A Deep-Dive into SharePoint Security: Key Features, Tools, and Optimal Techniques
SharePoint security is a hotly debated topic. Organizations struggle to put their security concerns to rest, while Microsoft insists that its digital defenses are beyond reproach. So who is right?
It seems that ever since Edward Snowden used his privileged admin rights to pull sensitive content out of a corporate SharePoint repository, the platform has carried a permanent blot on its security reputation. It is true that security concerns haunt SharePoint owners to this day. The spread of SharePoint Online and Office 365 has only increased the general unease, because those run in a cloud environment. Indeed, security is the top factor that makes businesses cling to their on-premises SharePoint deployments.
In this article, we try to assess the state of SharePoint security impartially, with all its advantages and drawbacks. We also provide organizations that run SharePoint deployments, or are just planning one, with guidance on setting up and maintaining an optimal security environment.
Real Threat, Prejudice, and Ignorance
There is one key question: should organizations worry so much about the security of their SharePoint solutions, or do the media and SharePoint detractors raise the alarm for no reason?
To cut it short: as a web application by nature, SharePoint is exposed to all types of web-specific cyberattacks. Obviously, since the platform usually hosts large volumes of corporate content and sensitive information, it attracts cybercriminals. Throughout the years when SharePoint On-Premises dominated the market, companies reported the full range of web attacks, including brute force, SQL injection, cross-site scripting, clickjacking, etc.
Going back to 2017, Ponemon Institute reported that nearly half of the surveyed organizations using SharePoint deployments had experienced at least one breach within the previous two years.
Today, with the global adoption of Office 365, cybercriminals have started to use more sophisticated techniques to penetrate the suite and reach SharePoint. Thus, companies register a growing number of malware and phishing attacks that often target Exchange Online users and use email as the entry point to the Office 365 environment. There is also a visible proliferation of account takeover (ATO) attacks, reported by almost 30% of Office 365 owners in March 2019. In these attacks, hackers used compromised accounts to spread over 1.5 million malicious and spam emails.
At this point, we could expect a jeer from SharePoint Server devotees. However, SharePoint On-Premises isn’t safe from hackers’ attention either.
The exploitation of the CVE-2019-0604 vulnerability in May 2019 drew wide attention. The flaw in SharePoint Server enabled hackers to run arbitrary code on the application, gain access to the servers, and then penetrate corporate networks further through admin-level commands. The exploit was mitigated through a range of security updates and server hardening.
That’s where we come to an interesting point.
First of all, there is the prejudice that SharePoint is one of the least protected solutions. Yes, attacks do occur in SharePoint environments. However, there are no fewer attacks against other popular enterprise systems. For example, one of the recent SAP vulnerabilities put over 50,000 organizations at risk worldwide, with misconfigurations registered across over a million systems running SAP NetWeaver and S/4HANA.
On the other hand, there is a certain bias against the security of Office 365 and SharePoint Online. Regardless of the measures Microsoft takes to improve the protection of its collaboration suites, organizations still blame the corporation and its software for cyberattacks of all types. In reality, organizations themselves are often badly prepared to face those attacks and are unfamiliar with Microsoft’s security and compliance features.
What’s worse, some organizations simply don’t use the available security features, thus exposing their deployments to cyberthreats.
In May 2019, the Cybersecurity and Infrastructure Security Agency (CISA) issued a report aimed at organizations that were planning or already running Office 365 deployments. The Agency analyzed multiple customers who had migrated their email services to Office 365 and revealed a number of typical misconfigurations that could compromise corporate mailboxes and allow attacks to spread further. Among the top issues were neglected essential security controls, including multifactor authentication not enabled for admin accounts, mailbox auditing disabled, password sync enabled, and legacy protocols that do not support modern authentication.
These statistics show that the built-in security features of the Microsoft collaboration suite are generally underused or neglected.
This neglect usually results in missed cyberattacks. For example, in February 2019, the massive NoRelationship phishing attack hit Office 365 tenants through security gaps in Exchange Online. Security professionals affirmed that many organizations could have detected this attack immediately had they used Microsoft Advanced Threat Protection (ATP), which is included in the most popular Office 365 enterprise and business plans.
3 Levels of SharePoint Security
As you can see, there is no single verdict on SharePoint security. The threat is real, but it is obvious that organizations have to put more effort into fortifying their deployments.
Basically, all businesses running SharePoint or Office 365 have to ensure security across three levels: infrastructure, users, and content. Let’s explore each of these levels in detail.
Infrastructure Security
By purchasing SharePoint Server, organizations become fully responsible for their solutions. It is critical to stick to the recommended security settings to guarantee stable protection of a SharePoint deployment. Typically, these recommendations cover such aspects as:
- optimal configuration of SSL and TLS protocols
- proper configuration of SharePoint-connected network devices
- hardening of SharePoint servers depending on server roles
With SharePoint Online and Office 365, tenants don’t have physical access to the servers; Microsoft manages the entire infrastructure. SharePoint Online and Office 365 data centers are distributed all over the world, which is necessary for performance and compliance purposes. Organizations are still responsible for configuring their internal network correctly, including internet proxy settings, network capacity, firewall setup, etc.
For example, SharePoint Online owners can experience a substantial increase in load on their internet circuit. To guarantee that the cloud suite functions properly, organizations have to assess their current bandwidth and scale it if necessary, reserving 20% of bandwidth for peak loads.
User Security
You can consider user protection in SharePoint from two angles. On the one hand, you have to ensure that users work securely within the application. On the other hand, you have to control what users do in the application to protect the solution and its content, as well as prevent unauthorized users from accessing the system.
Globally, there are two core domains of user-level security in SharePoint: user authentication and user permissions.
User authentication is a digital barrier that allows only authorized users to access content and functionality of an application. In SharePoint Server, there are three types of user authentication:
- Windows authentication (NTLM, Kerberos, Digest, Basic)
- Claims-based authentication (most often, forms-based authentication (FBA))
- SAML token-based authentication
Apart from that, there is anonymous access to a SharePoint site collection that doesn’t require any credentials from a user.
Normally, the choice of authentication method depends on the nature of a SharePoint application, the location from which users access the app, and the corporate infrastructure.
For example, for a public-facing SharePoint site, admins can enable anonymous access so that any visitor can reach the website. For a SharePoint intranet, at least one of the authentication methods is a must. Kerberos is considered the most reliable type of Windows authentication. Not all organizations use it, though, because it is the most demanding in terms of configuration and infrastructure. Instead, many companies prefer the simpler Digest or Basic authentication methods.
The authentication mechanism of SharePoint Online is different due to the suite’s architecture. To spare users repetitive logins, SharePoint Online uses persistent cookies, so that credentials can be retained even when users close the browser or restart the computer.
Mobile authentication is another security aspect organizations should care about. SharePoint On-Premises supports NTLM, Basic, and SAML authentication on mobile devices, while SharePoint Online comes with FBA. It is also possible to set up additional PIN or fingerprint verification to protect user access to specific content on Android or iOS devices.
User permissions are the mechanism that enables admins to control users’ access to specific SharePoint sites and content.
The logic of permissions follows that of the SharePoint architecture: users and user groups can be granted permissions to a site collection, a site, a subsite, a list, or a list item. Owing to inheritance rules, smaller SharePoint components adopt the permissions of the larger components that contain them, unless unique permissions are set up. Therefore, if users can access a particular site, by default they can access all the content on that site and perform a variety of actions (read, edit, share, approve or reject items, etc.). By combining permissions, admins can create complex hierarchies of users with different levels of access to particular content and activities.
There are various permission scenarios depending on the SharePoint components involved, the number of users, and corporate policies. All in all, it is highly recommended to manage user permissions at the group level instead of assigning per-user permissions.
Apart from that, to build a clear and easily manageable user hierarchy, companies need to stick to best practices for distributing SharePoint permissions. To set everything up correctly, it is always reasonable to turn to SharePoint consulting and get assistance from professional developers who know the intricacies of SharePoint permissions.
These are typical recommendations that SharePoint admins should follow when granting permissions:
- Stick to the principle of least privilege, and avoid granting owner-level permissions to too many users.
- Never modify the out-of-the-box permission levels; instead, create custom permission levels from scratch and add them alongside the default ones.
- Avoid item-level permissions, which only complicate SharePoint management and create an extremely granular permission canvas.
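As an added illustration that is not part of the original article, the following Python models the inheritance chain described above (site collection down to list item) and audits a constructed hierarchy against the three recommendations. The object names, principals, and the `max_owners` threshold are assumptions for the example; nothing here calls a real SharePoint API.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
@dataclass
class Securable:
    name: str
    kind: str  # "site collection" | "site" | "subsite" | "list" | "item"
    parent: Optional["Securable"] = None
    assignments: Optional[Dict[str, str]] = None  # principal -> level; None = inherits
    children: List["Securable"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def effective(self) -> Dict[str, str]:
        node = self
        while node.assignments is None:  # walk up to the nearest object with unique permissions
            node = node.parent  # the site collection root always has its own assignments
        return node.assignments

def audit(root: Securable, groups: Set[str], max_owners: int = 2) -> List[str]:
    """Flag the three anti-patterns listed above; max_owners is an assumed threshold."""
    findings: List[str] = []
    stack = [root]
    while stack:
        node = stack.pop()
        stack.extend(node.children)
        if node.assignments is None:
            continue  # inherits from its parent; nothing unique to review here
        owners = [p for p, lvl in node.assignments.items() if lvl == "Full Control"]
        if len(owners) > max_owners:
            findings.append(f"{node.kind} '{node.name}': {len(owners)} principals hold Full Control")
        for principal in node.assignments:
            if principal not in groups:
                findings.append(f"{node.kind} '{node.name}': per-user grant to '{principal}'")
        if node.kind == "item":
            findings.append(f"item '{node.name}': item-level permissions break inheritance")
    return findings

def build_sample_tenant() -> Tuple[Securable, Set[str]]:
    """Constructed sample hierarchy (not a real tenant) that exhibits each anti-pattern."""
    groups = {"Owners", "IT Admins", "Contractors", "HR Owners"}
    root = Securable("Contoso Intranet", "site collection", assignments={
        "Owners": "Full Control", "IT Admins": "Full Control", "Contractors": "Full Control"})
    hr = Securable("HR", "site", root)  # inherits everything from the site collection
    payroll = Securable("Payroll", "subsite", hr, assignments={
        "HR Owners": "Full Control", "alice@contoso.example": "Read"})  # unique permissions
    salary = Securable("Salary Sheets", "list", payroll)  # inherits from Payroll, not root
    Securable("exec-salaries.xlsx", "item", salary, assignments={"bob@contoso.example": "Full Control"})
    return root, groups
```

Running `audit(*build_sample_tenant())` reports the over-populated owner set at the root, the two per-user grants, and the item-level break in inheritance, while `effective()` shows that the Salary Sheets list resolves to the Payroll subsite's permissions rather than the root's.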
Content Security
Intranets usually host a lot of content with different levels of sensitivity.
If we speak about typical corporate content, it is protected through the system of user permissions described above. Thus, no user can access a SharePoint site and its content without the relevant permissions granted by an admin.
To prevent content leaks, it is also recommended to disable the external sharing feature, which is enabled by default, so that employees cannot share content items with users outside your organization. If a user needs external sharing, it is always better to grant it individually.
As for user-generated content, SharePoint Online encrypts both data in transit and data at rest. Microsoft uses BitLocker to encrypt disk-hosted data and the Advanced Encryption Standard (AES) with 256-bit keys for per-file encryption.
When it comes to sensitive data protection, compliance is one of the greatest concerns for organizations. If you are among those who are particularly skeptical about the strength of SharePoint Online or Office 365 compliance, there is positive news for you. The suite meets a variety of standards and regulatory requirements:
Apart from that, organizations can take control of sensitive data using the data loss prevention (DLP) features available in both SharePoint Server and SharePoint Online. By creating custom DLP policies and queries, SharePoint admins gain complete visibility into collaborative processes involving sensitive data and can stop sensitive data sharing at the user level.
SharePoint Security and Compliance Tools
Finally, it is worth saying that SharePoint security isn’t limited to protection features. Microsoft provides fully functional administration environments where SharePoint professionals can monitor deployments and keep their security at the required level.
SharePoint Admin Center
To control their SharePoint solutions, admins can use the SharePoint admin center. The center is a dedicated area where SharePoint professionals can view reports on a variety of in-app activities. It delivers stats on site usage over a given period of time and on users’ actions with specific files, announces newly deployed features, and shows the overall ‘health’ of a SharePoint deployment.
Office 365 and Microsoft 365 Security and Compliance Centers
Office 365 and Microsoft 365 admins can access respective security and compliance centers where they can set up and tune security and compliance features, as well as analyze their monitored deployments in detail.
Using the Office 365 security and compliance center, admins can customize a variety of security features within their subscriptions. A great advantage is that the center is available even for standalone products, which means that SharePoint Online admins can access it too. Permissions, threat management, data governance, security alerts, and data loss prevention are just a few of the aspects that can be adjusted in the center.
In 2019, Microsoft also launched the brand-new Microsoft 365 security and compliance center, which comes with broader capabilities, particularly accurate security and compliance metrics. What makes the Microsoft 365 security center different is that it not only gives an overview of a particular deployment but also provides recommendations on optimal settings.
Security Is Multidimensional
SharePoint security is a broad topic that is too large for a single article. However, with this overview, you can approach the security and compliance capabilities of SharePoint and Office 365, as well as the overall security logic of these collaboration solutions, without prejudice.
It is worth highlighting that SharePoint security is an ongoing and many-sided activity that goes far beyond admins’ daily routine. It should include thorough work on security and compliance documentation, timely audits, and regular user training.
If right now you feel that the current security level of your SharePoint deployment is far from ideal, make sure that you are aware of all the SharePoint security features and use them to the fullest. If you need in-depth monitoring of your SharePoint solutions, you can also leverage advanced information security tools, such as SIEM systems, to enable 24/7 protection of the platform.