Key Findings
Properly securing SharePoint requires an information-centric (not device- or network-
centric) mind-set for protecting content throughout its life cycle.
Microsoft's SharePoint security mechanisms are flexible, but with this flexibility comes
complexity and an increased chance for misconfiguration.
SharePoint is often deployed to store and share information copied from production
systems (such as enterprise resource planning [ERP]), but the access controls are not
carried over, leaving sensitive information exposed.
Recommendations
For information security professionals:
If an initial SharePoint project is planned for your organization in 2009, get involved now
in SharePoint configuration, planning and implementation discussions, and use the
guidelines in this research to proactively address potential security issues before
deployment.
If SharePoint is already deployed, use this research as a framework to assess the more
serious security issues we have seen in the production deployments of our clients.
In all cases, security configuration guidelines and policies for SharePoint should be
established, and adherence to policy regularly confirmed.
For larger deployments with multiple usage patterns, develop a set of SharePoint use
cases that include appropriate security configuration and policy.
For operations teams responsible for SharePoint:
2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form
without prior written permission is forbidden. The information contained herein has been obtained from sources believed to
be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although
Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal
advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors,
omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein
are subject to change without notice.
Involve your information security team in the planning phases and use the best practices
outlined in this research as a way to frame the discussion of securing SharePoint.
Analysis ............................................................................................................................................. 4
1.0 Basic SharePoint Physical and Logical Architecture..................................................... 4
2.0 Security Policy and Governance Issues......................................................................... 6
3.0 SharePoint Access Control Issues ................................................................................. 7
4.0 SharePoint Information Protection Issues .................................................................... 11
5.0 SharePoint Network and Server Protection Issues ...................................................... 15
Recommended Reading.................................................................................................................. 18
LIST OF FIGURES
SharePoint serves a very important business need to provide a collaboration infrastructure for
people to share information internally and externally. However, many SharePoint deployments
have been set up without fully considering the security implications of their deployment, or, in
other cases, only basic, insufficient guidelines were followed.
Users
Tier 1:
IIS Web Front-End
Servers
Tier 2: Index
Web Application
Servers Query (Search)
Single Sign-on
Excel Calculation Services
Office Project Server
Tier 3:
Content Database
Shared SQL
Database Server s Configuration Database
Dat abases
Admin Content Database
Source: Gartner (February 2009)
Subsite s
Site
In many deployments, information security wasn't involved in the planning and deployment of
SharePoint beyond basic security hardening, network placement and integration with Active
Directory. Other SharePoint deployments have been made directly by user departments without
centralized IT involvement or security involvement. Even when basic SharePoint security
guidelines are followed (see Note 2), clients continue to have problems in several areas. Security
issues in SharePoint deployments fall into several broad groups: policy and governance, access
control, information protection and network/server protection. In the following sections, we explore
issues and offer recommendations in each area.
If you don't already have a SharePoint governance model in place, start now. Formulate
this in conjunction with the business stakeholders.
For larger enterprises with multiple usage patterns of SharePoint, develop a set of
SharePoint use cases that include appropriate security configuration and policy.
Establish policies and guidelines for all SharePoint servers and regularly scan to see
these are enforced where possible.
Don't control too tightly. Focus on the minimum policies necessary to enable secure
collaboration and protect the organization's most sensitive information assets.
Issue: Unmanaged, "rogue" SharePoint installations in the organization aren't visible and aren't
being secured according to policy.
You can't secure what you don't know about and can't see. We estimate that 30% of SharePoint
servers are deployed outside the management of the IT department. The issue is not that rogue
SharePoint sites are bad per se. The issue is that the ad hoc configuration may not conform to
enterprise security policy for configuration, authentication, authorization and so on. While many
unmanaged sites have followed basic SharePoint security guidelines (see Note 2), the
information they store, its sensitivity and proper protection is often overlooked. The information
being shared may or may not be appropriate or may not be appropriately protected. Once servers
are discovered, the information stored on them as well as access control policies should be
enumerated and checked for policy compliance.
Recommendations:
For visibility into unmanaged SharePoint deployments, regularly scan for unmanaged
SharePoint installations. Microsoft provides a free tool to do this at
http://technet.microsoft.com/library/cc295797.aspx . Quest Software also offers a free
tool for this purpose: http://www.quest.com/discovery-wizard-for-sharepoint .
Establish standard security configuration guidelines for SharePoint servers and regularly
scan to ensure that these are enforced. Require the organization's standard
configuration monitoring tools to explicitly support SharePoint.
For external organizations, where you trust their ability to manage and authenticate
users correctly, consider a federation relationship either via an explicit trust
relationship, if they use AD, or by more-generic federation, if they don't. In either case,
this configuration reduces the amount of administration required on your site.
For external users that don't use AD and where federation is not possible, use an LDAP-
enabled repository, if you already have one. Look for explicit certification of support from
the LDAP provider for SharePoint integration.
For external, non-AD users where you don't have an existing LDAP-enabled repository
to leverage, use the built-in SQL authentication capabilities of SharePoint or, for
authenticating consumers, consider LiveID.
Regularly scan all SharePoint site collections for inactive IDs that may still have access
to content (note that the SharePoint configuration database alone does not provide this
information).
Depending on the purpose of the SharePoint site and the type of information being
stored, consider if anonymous access may be appropriate for some sites (for example,
consumer-facing marketing and public relations materials).
Log all failed login attempts whether to the underlying Windows OS, AD, SharePoint,
LDAP or the underlying SQL database.
Determine who will manage and support external users and their access controls, and
put formal processes in place to ensure that this is carefully managed.
Use the built-in groups within SharePoint for access control assignments where
possible.
Use groups wherever possible for administering SharePoint sites. Apply access rights
as high as possible in the SharePoint object hierarchy and avoid per-user and per-item-
level access to avoid complexity (which increases the change for misadministration) and
potential technical constraints on access control lists.
Incorporating additional context (such as the time of day), which can be incorporated
into real-time at the time the access is requested, providing more-adaptive security
infrastructure (see "Achieving Agility: Building Blocks for a Policy-Driven, Agile Security
Services Infrastructure")
Once in place, the authorization infrastructure can be leveraged by other application authorization
silos, including internally developed applications. However, the benefits of an externalized
authorization management solution for SharePoint must be evaluated against the additional cost.
Recommendations:
For larger deployments, use third-party tools for compliance and entitlement reporting.
Tightly control SQL system administrator access to SharePoint's databases and fully
audit all SQL Server administrative activities.
Require the organization to baseline all Windows and SQL server deployments against
the organizations' own guidelines or Microsoft's best practices. For example, Microsoft
provides its baseline security analyzer, which scans Windows and SQL
http://technet.microsoft.com/en-us/security/cc184924.aspx .
Consider SAPM tools (see "Toolkit: Password Management Tools for Shared Accounts
and Service Accounts") for controlling all SharePoint administrative accounts, including
SQL server administrative accounts.
Require the use of Microsoft's SQL Server 2005 or higher, which provides stronger out-
of-the-box security capabilities than previous versions.
Issue: SharePoint is used to store and share sensitive information copied by users from
production systems, but without proper access controls.
Much of SharePoint's appeal is that it enables users to bypass the explicit and organizational and
process barriers of the organization. SharePoint is often used to host data that end users have
unofficially copied or extracted from official "production" systems, such as ERP systems, that are
then subsequently used in ad hoc processes and collaboration. However, in most cases, the data
is moved into SharePoint but without the protection capabilities and policies of the production
systems they displace.
Develop policies for the types of information that can be shared within SharePoint.
Ideally, an enterprisewide strategy for data classification would be used and policies
defined for SharePoint (see "A Simple Method for Expressing Information Criticality and
Classification").
Where access to production systems and data is needed, link SharePoint directly, using
native SSO capabilities that preserve the access control definitions of the production
systems.
Develop strategy for data loss prevention that includes SharePoint (see "Develop an
Enterprise Strategy for Content Monitoring and Filtering/Data Loss Prevention"). At a
minimum, explicit SharePoint-specific policies should be designed and monitored for the
most sensitive information (such as customer data, sales figures, personally identifiable
information and HR data).
Regularly crawl all SharePoint sites for sensitive data and ensure that unauthorized
persons cannot access sensitive data.
Don't purchase a CMF/data loss prevention (DLP) solution that doesn't natively support
SharePoint.
Issue: Sensitive information, even if protected within SharePoint, is left unprotected if the
information is taken offline, e-mailed or copied.
This is an issue with any IT system, not just SharePoint. SharePoint protects the information it
controls, but these controls are lost if the information is taken offline, e-mailed or copied. One
solution is to enable SharePoint access via a terminal services session and use its ability to
restrict session activity. This is useful for controlling information remotely accessed by partners
and employees, but it doesn't support working offline.
Another approach is to scan for sensitive data as data is moved from SharePoint sites and block
this. The CMF/DLP solutions mentioned above can perform this. Some SharePoint malware
filtering solutions, such as McAfee's PortalShield, can scan content for patterns that might be
indicative of sensitive content being moved from SharePoint (for example, patient record
numbers) and block this.
Consider terminal services-based access as a way to control what remote users are
able to do with content when accessing via SharePoint.
Protect sensitive data stored in SharePoint with DRM. However, solutions that encrypt
the data before storing it in SharePoint interfere with the correct indexing and searching
of content discussed above.
Require DRM solutions to directly integrate with SharePoint, so that information rights
management policy may be applied automatically as content is moved to and from a
SharePoint folder.
Issue: Information encrypted in SharePoint isn't properly indexed.
As discussed above, SharePoint-integrated DRM solutions provide protection from information as
it moves to and from the SharePoint server, but this doesn't protect against information theft by
rogue administrators. Some organizations choose to encrypt sensitive data when it is stored on
SharePoint to protect data from exposure to theft by a rogue administrator or external attack.
However, encrypted data stored in SharePoint can't be properly indexed by SharePoint and
cannot be searched or easily shared.
SharePoint doesn't have a native encryption solution; however, there are multiple alternatives for
protecting SharePoint information using encryption (see Figure 3). Each alternative has pros and
cons.
Protects data
F rom
W indows OS
or SharePoint From SQL
appli cation Serv er
breach or applicati on Onc e content Doe snt
rogue breac h or is m oved from Enable s require the
Encryption From disk SharePoint rogue SQL SharePoint indexing end user to
applied theft adminis trator administrator s ever and se arch think
Full-drive
encry ption
End-us er encrypts
or applies DRM to
content before
storing
SharePoint auto-
applies DRM when
content is m oved
Both SQL
encry ption and
SharePoint-applied
DRM
Source: Gartner (February 2009)
Because SharePoint is an application running on top of SQL Server, the built-in encryption
capabilities of SQL Server may be used to protect sensitive data in such a way that indexing
works correctly while still providing a level of protection against most unauthorized data access.
Organizations may be tempted to encrypt everything stored by SharePoint in SQL; however,
there is a cost of approximately 3% to 5%, in terms of processing power. The impact on server
processing may be reduced with SQL Server 2008, which supports the hardware-based offload of
encryption.
A combination of SQL encryption and a SharePoint-integrated DRM solution provides the most
protection, but organizations must weigh the additional cost and processing requirements of such
a solution against the benefits. Even in this case, information is at risk from a SQL-level attack
and, thus, our recommendations previously in this research to treat the SQL server as the most-
sensitive element when developing a SharePoint security strategy.
Recommendations:
Use the built-in SQL server encryption capabilities wherever possible. This preserves
indexing and search results and provides an additional layer of protection to protect
sensitive data from external breaches (for example, from a rogue SharePoint system
administrator or from most external attacks).
For highly sensitive content, set SharePoint policy so that search results are
automatically trimmed at the time of query to reduce the risk of showing an index to
content for which the user no longer has access.
For crawling and indexing highly sensitive data, use a separate content access account.
Separate SharePoint sites should be used to strongly isolate sensitive data and access.
Set network security controls and policy wherever possible so that the back-end SQL
database is never directly accessible directly to end users.
Place a firewall between front-end Web servers and database servers, which (unless
access is for external users only) should always be hosted internally, not directly in the
demilitarized zone (DMZ).
Application servers should be placed behind the firewall that protects the database
servers, or, for more security, can be placed behind an additional firewall separating it
from the outward-facing Web server.
Harden each type of server to the level appropriate to each server role and use case.
Use Microsoft's hardening guidelines and tools to perform this.
To prevent malicious attacks from accessing the SQL Server Resolution Service, assign
obfuscated static port numbers to named instances of SQL Server and then disable the
service.
Use a reverse proxy where possible to increase the security of external collaboration.
Even in initial deployments, design your SharePoint server farm into "front-end" Web
(Internet-facing) and "behind the firewall" (application and database servers). This will
make extending internal deployments securely to the extranet much easier.
Ensure that the central administration site is not hosted on an external-facing a Web
server.
Any information flow between the IIS Web front end and other tiers should be encrypted
(VPN or IPsec).
VLANs alone are not sufficient for effective separation of computing tiers in the DMZ.
Use firewalls or routers, and consider physical network separation.
Issue: Running server-based antivirus (AV) on the SharePoint Server doesn't detect malware
stored in SharePoint's SQL repository.
The content stored in SharePoint's SQL server isn't scanned by most Windows file system-based
AV solutions; thus, malware in SharePoint's content database is not detected. Collaborative
workspaces provide an easy mechanism for file and content sharing, which also facilitates
malware propagation. This is a significant concern if content originates from outside the
organization from unmanaged machines (for example, enabling consumers to post resumes on a
SharePoint-based human resources site, or enabling customers to post attachments on a
SharePoint-based blog).
Treat all content attachment uploads from all external sources (ideally all content) as
potentially hostile and scan all content, regardless of extension, with an anti-malware
scanning solution integrated into SharePoint or by routing all SharePoint traffic through a
SharePoint-aware Web security gateway. At a minimum, scan all uploaded content from
external sources. Ideally, all uploaded and downloaded content would be scanned.
RECOMMENDED READING
Note 1
SharePoint Resources
http://office.microsoft.com/download/afile.aspx?AssetID=AM102570981033
http://technet.microsoft.com/en-us/library/cc262619.aspx
http://technet.microsoft.com/en-us/library/cc262350.aspx
Note 2
Basic SharePoint Security Guidelines
Server security:
Use NTFS security for the SharePoint application and its file system as well as all
indexed content.
Harden the SharePoint servers Windows OS, SharePoint and SQL application, using
Microsoft's guidelines and tools to remove unnecessary files and services removed.
SharePoint administrative access:
Use multiple service accounts, one specific for each task and configured via principle of
least privilege
Set strong password policies on all accounts user, administrator and service
accounts with regular changes of all passwords. Use automated tools for the resetting of
service accounts if necessary.
Control and log all administrative access to the OS, SharePoint and SQL
High availability:
Architect for resiliency. Ensure business continuity and disaster recovery plans
developed and tested.
Use SQL Server high availability options (for example, clustering) as necessary.
Note 3
AD Groups for External Users
If federation is used (ADFS or otherwise), external users may be mapped to AD groups, which
may then be used as security identifiers within SharePoint. To do this, the customer maps
incoming claims to AD groups, see http://technet.microsoft.com/es-es/library/cc772094.aspx and
http://technet.microsoft.com/zh-tw/library/cc753670.aspx . The mapping can map individual
remote users to an AD group, or map remote groups to an AD group. This method works even if
the remote federation server is not AD FS.
Note 4
Example Authorization Management Solutions With SharePoint-Specific
Capabilities
BiTKOO
NextLabs
REGIONAL HEADQUARTERS
Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
U.S.A.
+1 203 964 0096
European Headquarters
Tamesis
The Glanty
Egham
Surrey, TW20 9AW
UNITED KINGDOM
+44 1784 431611
Asia/Pacific Headquarters
Gartner Australasia Pty. Ltd.
Level 9, 141 Walker Street
North Sydney
New South Wales 2060
AUSTRALIA
+61 2 9459 4600
Japan Headquarters
Gartner Japan Ltd.
Aobadai Hills, 6F
7-7, Aobadai, 4-chome
Meguro-ku, Tokyo 153-0042
JAPAN
+81 3 3481 3670