
Securing SharePoint


  1. 10 points to make a rogue SharePoint environment really, really secure. Presented by Peter Ward – April 3rd 2014. w- www.sohodragon.com c- 862 220 6080 b- www.wardpeter.com
  2. Agenda
     • Context of the presentation
     • Where to start?
     • Understanding security permissions and how to apply them
     • Create a methodology
     • How to avoid data leaks
     • Show user activity on all levels
     • Creating a game plan
  3. Green dot: this indicates an important point
  4. Before we begin
     • Q&A – We will have time at the end of the presentation for questions, but I encourage you to interrupt me and ask
     • A copy of this presentation is on my blog
  5. Reminder slide
     • A copy of this presentation is on my blog, www.wardpeter.com. This means you only need to watch; there is no need to take notes
  6. Context of the presentation: this SharePoint needs to work. Summary:
     • 2 days to take ownership
     • Only a Prod environment; no Dev
     • Rogue former vendor team
  7. Takeaways
     • Understanding ownership steps
     • Confidently applying security
     • The little things really matter
     • Process and communication is key
     • Learn how to refactor an environment
     • Good example of real-world SharePoint security planning
     • Lesson learnt: technology problems aren't always technology problems
  8. Audience: networking folks and SharePoint folks. The presentation covers both networking steps and SharePoint steps.
  9. The inherited environment
     • Hosted environment
     • SharePoint 2010 Enterprise
     • 3 months of undocumented code and environment
     • No Visio diagrams
     • Hard-coded IDs and passwords everywhere… and I mean everywhere
     • A few URLs, a service account ID and password
     • SQL Server Reporting Services
     • Oh, I forgot:
       • Can't use 3rd party tools to run audits of security
       • Internal IT department has no real understanding of how SharePoint works or what was deployed or developed
  10. Where to start
     • Understand SharePoint security
     • Business processes
     • Create a methodology
  11. Understanding security accounts and how to apply them
     • Domain level
       • Active Directory groups… not distribution groups
       • Domain services: Exchange, IIS server
       • Boxes
     • SharePoint level
       • Site collections
       • Sites
       • SharePoint groups
     • Demarcation of responsibility
     • Service accounts
  12. Business processes
     • Talk to end users face to face
     • Understand their language:
       • What they think SharePoint actually is
       • A list is a report
       • An alert is an email
     • What, why, when, who
  13. Now we can start
  14. Create a methodology: Wave 1, Wave 2, Wave 3, Wave 4, Wave 5, Wave 6, Wave 7, Wave 8, Wave 9, Wave 10
  15. Wave 1 – Kick off
     • Back up the server. Make sure this is a SQL backup. Ask how long backups are kept
     • Ask for a backup, to test the internal IT restoring the environment
     • Notify the user base what is going on, and in the communication include a team member's email and direct phone number
     • Identify all the services that are running
     • Reboot the servers
     • Enforce a change log (SharePoint list). Set up alerts to your team
     • Key wins:
       • Immediately know if services stop… and that it isn't related to the password changes
       • Any problems, you can blame on the previous vendor on the morning you start
  16. Wave 2 – Start documentation
     • Technical inventory of the following:
       • SharePoint edition, SQL version
       • InfoPath: purpose, template location
       • Server box names
       • Obtain/create system accounts and passwords, and their purpose
       • Server boxes
       • Architectural diagram
       • Environment
       • SharePoint collections
       • Central Admin
       • Installed web parts
  17. Wave 2 – continued – Ask questions
     • What's the source code control? This should be reviewed
     • Is there a DR plan for the SQL DBs?
     • Is there a DR plan for SharePoint?
     • Report names and their purpose
     • Understand the integration points
  18. Now you need to break ground
  19. Wave 3 – Removing access
     • VPN access: remove
     • Service accounts
     • Vendor IDs
     • Remote access to boxes
     • SharePoint environment
     • Site collection administrators
  20. Wave 4 – Users
     • Reset all users' passwords in PowerShell
     • Ed Wilson and Craig Liebendorfer, Scripting Guys
     • Don't delete the old vendor IDs yet, because they are in code and workflows
  21. Wave 4 – Disable unused accounts
     • Wait a week for things to settle down
     • Note: disable, not delete
  22. Wave 4 – SharePoint permissions
     • Do's
       • Use groups, either AD or SharePoint
     • Don'ts
       • Not everyone needs to be Site Collection Admin
       • Or Full Control
  23. Wave 5 – Service accounts
     • Create an ID inventory file (Excel) with both old and new passwords
     • Stop and restart services
     • Restart the server for good measure
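Waves 4 and 5 above as a PowerShell script, added here as an example and not part of the deck: it resets the password of every account in the ID inventory (vendor and service IDs are reset rather than deleted, since code and workflows still reference them), writes the change log without the password, and a week later disables, not deletes, accounts nobody has used. It assumes the RSAT ActiveDirectory module, a constructed inventory file .\id-inventory.csv with SamAccountName and Purpose columns, and constructed account names svc_sp_workflow and svc_sp_farm in the exclusion list.

```powershell
# Added example, not from the deck. Assumes the RSAT ActiveDirectory module, a domain
# admin session, and a constructed inventory .\id-inventory.csv with columns
# SamAccountName,Purpose (the Wave 5 ID inventory, minus the passwords).
Import-Module ActiveDirectory
function New-RandomPassword {
    param([int]$Length = 24)
    # 64 symbols, so "byte mod 64" picks each symbol with equal probability.
    $chars = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % 64] })
}
function Write-ChangeLog {
    param([string]$Account, [string]$Purpose, [string]$Action, [string]$LogPath)
    # The change log (Wave 1) records who/what/when, never the password itself.
    [pscustomobject]@{ When = Get-Date; Account = $Account; Purpose = $Purpose; Action = $Action } |
        Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Wave 4: reset every listed account's password. Vendor and service IDs are reset, not deleted.
function Reset-InventoryPasswords {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$InventoryPath = '.\id-inventory.csv', [string]$LogPath = '.\change-log.csv')
    foreach ($row in Import-Csv -Path $InventoryPath) {
        if ($PSCmdlet.ShouldProcess($row.SamAccountName, 'Reset password')) {
            $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $row.SamAccountName -Reset -NewPassword $secure
            Write-ChangeLog -Account $row.SamAccountName -Purpose $row.Purpose -Action 'PasswordReset' -LogPath $LogPath
        }
    }
}

# Wave 4, a week later: disable (never delete) accounts nobody has used. lastLogonTimestamp
# only replicates every 9 to 14 days by default, so treat the result as a list to review.
function Disable-StaleAccounts {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$InactiveDays = 7, [string[]]$Exclude = @(), [string]$LogPath = '.\change-log.csv')
    $stale = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object { $_.Enabled -and ($_.SamAccountName -notin $Exclude) }
    foreach ($acct in $stale) {
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Disable account')) {
            Disable-ADAccount -Identity $acct.SamAccountName
            Write-ChangeLog -Account $acct.SamAccountName -Purpose 'unused' -Action 'Disabled' -LogPath $LogPath
        }
    }
}

# Dry run first (-WhatIf), then for real. The excluded service/workflow account names are constructed.
Reset-InventoryPasswords -WhatIf
Disable-StaleAccounts -Exclude 'svc_sp_workflow', 'svc_sp_farm' -WhatIf
```

Keep the workflow and farm service accounts on the exclusion list: they rarely log on interactively, so an inactivity sweep would otherwise flag them even though SharePoint depends on them.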
  24. Wave 6 – Firewall account
     • Because the IP addresses of the boxes could have been made public
     • And they were… therefore you could get to the box with no VPN
     • Use the netstat command to see which ports are listening and what traffic is on them
  25. Tea break
     • Questions, if you want
  26. Wave 6 – Network traffic
  27. Wave 6 – Network traffic
     • Port 443: secure HTTPS
     • Port 80: unsecure HTTP
  28. Think again: think the old vendor is locked out…
  29. Wave 7 – Email
     • Change emails in AD
     • Redirection capture: DNS
  30. Wave 7 – Email
     • Email forwarding
  31. Wave 7 – Workflow
     • Impersonation steps: create a workflow AD account. It needs to be a site collection administrator
  32. Wave 7 – Workflow
     • Hard-coded email addresses
  33. Wave 8 – SP security trimming
     • Central Admin
     • Internal IP address
     • Only accessible via RDP login
  34. Wave 9 – Quick sweep
     • Check the service accounts
     • Logging
  35. Wave 10 – Continued
     • Add tracking into the masterpage:
       <script>
       (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
       (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
       m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
       })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
       ga('create', 'UA-4669498-5', 'onecallcm.com');
       ga('send', 'pageview');
       </script>
  36. Wave 10+ – Final bit of advice to client
     • Buy password security software
       • Stores IDs and passwords
       • Audit log of who's accessing IDs
     • IT loved this
  37. This is the end. This is the part of the presentation when people should clap and cheer
  38. Questions?
     • e- pw@sohodragon.com
     • w- www.sohodragon.com
     • b- www.wardpeter.com
     • c- 862 220 6080
