SharePoint Security Best Practices

January 22, 2018 | Kim Crawley
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

collaboration with Microsoft Sharepoint requires security best practices

Being conscientious of SharePoint security is simple if you understand the basics. SharePoint is a Microsoft platform which is designed to integrate with Microsoft Office. Microsoft launched the product in 2001. SharePoint is useful for thousands of organizations worldwide because it facilitates sharing documents on private web servers.

SharePoint can be purchased as a separate product to deploy on your own intranet web servers, or you can use SharePoint Online as a component of many Office 365 packages. SharePoint Online is hosted on Microsoft’s own servers.. But poorly secured web servers and web applications can make organizations vulnerable to cyber-attack. Some of a company’s documents that are distributed through SharePoint may contain sensitive or proprietary information, and you don’t want them to fall into the hands of cyber attackers who could be either internal or external to your network! This quick guide will show you how to use and deploy SharePoint in a secure way so your organization can enjoy the convenience and functionality of SharePoint without introducing vulnerabilities to your corporate network.

permission levels are provided in SharePoint and it is best practice to limit

SharePoint security permission levels

There are various different types of permissions you can grant users in your SharePoint system.

  • Full Control- These users have all possible SharePoint permissions, and this permission is granted to all members of the Owners group by default. Be careful about which users you place in the Owners security group or otherwise grant Full Control permission. The best practice here is to only grant a limited number of administrators this permission.
  • Edit- This permission enables users to add, edit, and delete lists, and to view, add, update, and delete documents and list items. By default, all users in the Members security group have this permission. So don’t place users in the Members group who only need to view, read, or contribute documents.
  • Design- Users with this permission can create lists and document libraries. They can also make sites look pretty by editing pages, applying themes, style sheets, and borders. No security group is assigned this permission automatically. So if you want some users to be able to make aesthetic changes to your SharePoint site pages who aren’t administrators in your Owners group with Full Control, then you’ll have to manually assign this permission to another group or to individual users.
  • Contribute- This is a more limited version of the Edit permission. Users with the Contribute permission can add, update, view, and delete documents and list items.
  • Read- This permission should be granted to users who just need to view and download documents, and  may also need to see historical versions of documents.
  • Restricted Read- These users can view pages and documents, but they can’t see historical versions of documents or user permissions. In most cases where a user only needs to be able to read the documents on a site, this is the best permission to grant them.
  • View Only- These users can view pages, items and documents. They can only download documents that cannot be viewed in their web browser.
  • Limited Access- This permission only grants users some access to a specific page or file as opposed to an entire site. This level is automatically assigned by SharePoint when you provide access to one specific item. You can’t directly grant this permission to any user or group. If you grant a user edit or open permissions to a document, by default they’ll receive Limited Access to other required locations in order to open that document, such as other areas on the site.
  • Approve- These users can edit and approve documents, list items, and pages. By default, members of the Approvers security group acquire this permission. Users in your Approvers group can be thought of as sub-administrators and you should limit the number of Approvers as you limit your number of administrators with Full Control.
  • Manage Hierarchy- This permission allows users to create sites and edit pages, list items, and documents. By default, this permission level is assigned to the Hierarchy Managers group. Like your Approvers group, you should also think of these users as sub-administrators and limit the number of those users accordingly.

With SharePoint security in mind, permissions can be granted to SharePoint users in a similar way that permissions are granted to Windows users. You can think about site collections being equivalent to volumes, sites being equivalent to folders, and documents being equivalent to individual files if you’re used to using Active Directory to administer NTFS permissions within your organization. Permission inheritance works according to that hierarchy. So for example, if you grant a user an Edit permission to a site collection, by default they also may edit within each site within the collection and all of the documents in all of those sites.

When it comes to SharePoint permissions and Office 365 security best practices, the key is to apply the cybersecurity concept of least privilege. That means that any user should only have the permissions that they require in order to do their jobs and no more. Only a limited number of users should have administrative access to any entity of your SharePoint site collection, and those users should be watched very carefully.

Sharepoint access control and permissions

External sharing

External sharing from your SharePoint sites should also be limited only to a select few users who are external to your network for the sake of better SharePoint security. Those external users should also only be able to access your SharePoint sites through a VPN in order to protect the overall security of your internal network from the public internet.

SharePoint security features you should use

Within your SharePoint administration settings, you can edit authentication methods for all possible users. You can be very careful about which users and groups you grant which permissions to, but all of that work is pointless if you don’t have an effective way to authenticate users on your SharePoint web application.

It’s possible to allow users to have anonymous access to your SharePoint sites. The best practice is to disable anonymous access altogether because it makes it more difficult for security administrators to monitor your site’s security. Ideally administrators should know who all of the users are and be able to make all users accountable for their actions. That way, external cyber-attacks can be discovered more easily, and internal cyber-attacks can be traced to a specific user.

SharePoint sites in internal networks are run within Microsoft IIS web servers. Therefore, the best practice is to enable IIS authentication settings, which should be set to use Kerberos to encrypt authentication data. It’s possible to enable basic authentication, which sends passwords in cleartext. Don’t enable that feature; passwords should never be transmitted in cleartext anywhere in your network! While arguably difficult in many situations, Man-in-the-middle attacks are still one of the biggest cybersecurity issues - so the best practice is for all data transmitted in your network to be encrypted.

don't use cleartext in Sharepoint, use encryption as a security best practice

Keeping these simple user permission and authentication tips in mind are crucial to deploying SharePoint in a secure manner.

Kim Crawley

About the Author: Kim Crawley, Guest Blogger
Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related.By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.
Read more posts from Kim Crawley ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL