SlideShare a Scribd company logo

Taking the Share out of Sharepoint: SharePoint Application Security.

Aspenware, profile picture
Aspenware

The document discusses the security vulnerabilities of SharePoint applications, highlighting that many organizations lack adequate security policies for the platform. It provides insights from cybersecurity experts and emphasizes the need for proper installation, configuration, access control, and development practices to mitigate risks. The document also offers tips for organizations to enhance their SharePoint security and protect against potential hacker exploits.

Technology
Related topics:
Application Security
1 of 18
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Why Your SharePoint Applications are a Hackers Best Friend
Waughn Hughes Waughn has over 14 years of consulting experience, and has worked extensively with SharePoint for the past seven years as a developer and solutions architect. Solutions Architect | about.me/waughn
Justin Tibbs Justin Tibbs, developed and heads up the security solutions practice at NET Source, Inc, in Littleton Colorado. Prior to NET Source, Justin held positions at Cisco Systems, Lockheed Martin, and others, specializing in the areas of Vulnerability & Threat Research, Exploitation Development, and Secure Architecture Design. NET Source Security Director | about.me/justintibbs
Agenda • Introduction • SharePoint Tips and Tools Why Your SharePoint Applications are a Hackers Best Friend 4
Definitions Security Breach An act from outside an organization that bypasses or contravenes security policies, practices, or procedures. Security Violation An act from inside an organization that bypasses or contravenes security policies, practices, or procedures. Why Your SharePoint Applications are a Hackers Best Friend 5
National Security Agency "This leaker was a sysadmin who was trusted with moving the information to actually make sure that the right information was on the SharePoint servers that NSA Hawaii needed." - National Security Agency Director and the Pentagon's Cyber Command Commander General Keith Alexander Why Your SharePoint Applications are a Hackers Best Friend NSA chief leaks info on data sharing tech: It's SharePoint, By Jack Clark Clear and Present Danger: Cyber-Crime; Cyber-Espionage; Cyber-Terror; and Cyber-War 6
Why SharePoint? Started as a way to simplify document sharing… 12 years and numerous releases later… Evolved into a platform for collaboration, document and file management, intranets, extranets, websites, enterprise search, business intelligence, business process automation, social networks, etc… Used by 78% of the Fortune 500 companies* Why Your SharePoint Applications are a Hackers Best Friend 7 * SharePoint 2010 : The First 10 Years [http://technet.microsoft.com/en-us/magazine/gg981684.aspx]
SharePoint Security Policy Why Your SharePoint Applications are a Hackers Best Friend 8 A recent study by Emedia, covered in full by InfoSecurity magazine in February 2013, found that only about one-third of organizations with 25-5000 users employing SharePoint have security policies covering the platform.
Installation & Configuration • Windows, SQL Server and .NET Stack • Security Patching • Service Accounts • Service Applications • Authentication • Web Applications, Site Collections and Sites Why Your SharePoint Applications are a Hackers Best Friend 9
Installation & Configuration: Tips • Review and install applicable service packs and cumulative updates • Plan for least-privilege administration and do not use single account to run SharePoint farm(s) • Understand the features and configuration options for service applications prior to deployment • Define authentication methods for the various web and extended web applications • Develop and use information architecture to define web applications, site collections and sites • Use metadata to identify data sensitivity Why Your SharePoint Applications are a Hackers Best Friend 10
Access Control • User Permissions • Excessive Access • Administrative Access Why Your SharePoint Applications are a Hackers Best Friend 11
Access Control: Tips • Train end users on the key permission feature within SharePoint (e.g. security groups, permission levels, and permissions inheritance) • Automate the review process to keep rights aligned with business needs • Enable auditing for sites that contain sensitive information • Access the need to use database encryption to protect content Why Your SharePoint Applications are a Hackers Best Friend 12
External Exposure: Demo Why Your SharePoint Applications are a Hackers Best Friend 13
External Exposure: Tips • Use Google or Bing to check for externally exposed information • Google Samples: • inurl:"/_layouts/viewlsts.aspx" • "all site content" filetype:aspx • Use port scanner like nMap to look for open listeners • Management applications • Misconfigured web services • Database listeners (SQL) • Pretend to be a hacker… Try Shodan, a search engine that lets you find specific types of computers using a variety of filters Why Your SharePoint Applications are a Hackers Best Friend 14
Development • Cross-Site Scripting • Cross-Site Request Forgery • Elevation of Privilege • Information Disclosure Why Your SharePoint Applications are a Hackers Best Friend 15
Development: Tips • Understand Code Access Security • Encode output properly using SPHttpUtility methods • Do not allow contributor users to add script to the site • Specify a charset in the Content-Type HTTP response header • Avoid using AllowUnsafeUpdates where possible • Check user permissions appropriately Why Your SharePoint Applications are a Hackers Best Friend 16
Questions? Why Your SharePoint Applications are a Hackers Best Friend 17
6000 Greenwood Plaza Blvd Suite 110 Greenwood Village, CO 80111 303.798.5458 www.aspenware.com Aspenware

More Related Content

PPTX
Developing Secure Web Apps
Mark Garratt
 
PPTX
Securing Web Applications
Mark Garratt
 
PPTX
5 Security Questions To Ask A Cloud Service Provider
Tyrone Systems
 
PDF
Ayala mar23
National Information Standards Organization (NISO)
 
PDF
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Ruby Meditation
 
PDF
6 Most Surprising SharePoint Security Risks
Imperva
 
PDF
Cybersecurity - Mobile Application Security
Eryk Budi Pratama
 
PDF
Information Security and Forensics
Tharindu Weerasinghe
 
Developing Secure Web Apps
Mark Garratt
 
Securing Web Applications
Mark Garratt
 
5 Security Questions To Ask A Cloud Service Provider
Tyrone Systems
 
Ayala mar23
National Information Standards Organization (NISO)
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Ruby Meditation
 
6 Most Surprising SharePoint Security Risks
Imperva
 
Cybersecurity - Mobile Application Security
Eryk Budi Pratama
 
Information Security and Forensics
Tharindu Weerasinghe
 

What's hot (20)

PDF
Goans-Helms-IT Security at Georgia Tech Library
National Information Standards Organization (NISO)
 
PDF
SPUnite17 10 Steps to be Successful with Enterprise Search
NCCOMMS
 
PPTX
What is Ethical Hacking?
Dignitas Digital Pvt. Ltd.
 
PDF
O365Con18 - Protecting your Data in Office 365 - Arjan Cornelissen
NCCOMMS
 
PPTX
Red teaming in the cloud
Peter Wood
 
PPTX
Intro to Office 365 Security & Compliance Center
Craig Jahnke
 
PPTX
Basics of Security Testing
KarthikeyanRajendran27
 
PPTX
Security & Compliance: Core Concepts Explained
Alan Eardley
 
PPTX
Security as an Enabler for the Digital World - CISO Perspective
Apigee | Google Cloud
 
PDF
Logikcull Webinar: Preventing the #1 Litigation Risk
Logikcull.com
 
PPTX
Owasp 2017 oveview
Shreyas N
 
PPTX
AWS User Group August Edition
Andreas Wasita
 
PPT
Ethical Hacking
justyogesh
 
PPTX
OWASP Top Ten 2017
Michael Furman
 
PPT
Universal Search for Legal Enterprises
AdhereSolutions
 
PPTX
Rencore Webinar: Understanding EU GDPR from an Office 365 perspective with Pa...
Rencore
 
PPTX
Ann West- Trust Federations: What We Have In Common
National Information Standards Organization (NISO)
 
PPTX
Enterprise search
Emrah M. Işık
 
PDF
Emerging Technology Risk Series - Internet of Things (IoT)
Eryk Budi Pratama
 
PPTX
The cyber house of horrors - securing the expanding attack surface
Jason Bloomberg
 
Goans-Helms-IT Security at Georgia Tech Library
National Information Standards Organization (NISO)
 
SPUnite17 10 Steps to be Successful with Enterprise Search
NCCOMMS
 
What is Ethical Hacking?
Dignitas Digital Pvt. Ltd.
 
O365Con18 - Protecting your Data in Office 365 - Arjan Cornelissen
NCCOMMS
 
Red teaming in the cloud
Peter Wood
 
Intro to Office 365 Security & Compliance Center
Craig Jahnke
 
Basics of Security Testing
KarthikeyanRajendran27
 
Security & Compliance: Core Concepts Explained
Alan Eardley
 
Security as an Enabler for the Digital World - CISO Perspective
Apigee | Google Cloud
 
Logikcull Webinar: Preventing the #1 Litigation Risk
Logikcull.com
 
Owasp 2017 oveview
Shreyas N
 
AWS User Group August Edition
Andreas Wasita
 
Ethical Hacking
justyogesh
 
OWASP Top Ten 2017
Michael Furman
 
Universal Search for Legal Enterprises
AdhereSolutions
 
Rencore Webinar: Understanding EU GDPR from an Office 365 perspective with Pa...
Rencore
 
Ann West- Trust Federations: What We Have In Common
National Information Standards Organization (NISO)
 
Enterprise search
Emrah M. Işık
 
Emerging Technology Risk Series - Internet of Things (IoT)
Eryk Budi Pratama
 
The cyber house of horrors - securing the expanding attack surface
Jason Bloomberg
 
Ad

Similar to Taking the Share out of Sharepoint: SharePoint Application Security. (20)

PDF
OWASP LA – SharePoint Hacking – 22Feb2012 – Slides.PDF
Bishop Fox
 
PPT
D Cornell Securing Share Point
Art Upton
 
PPTX
Securing the SharePoint Platform
Bert Johnson
 
PDF
Protecting Against Vulnerabilities in SharePoint Add-ons
Imperva
 
PPTX
Hacking_SharePoint_FINAL
Ian Naumenko, CISSP, CRISC
 
PPTX
What’s your Social IQ? Succeeding with SharePoint Social by Chris McNulty - S...
SPTechCon
 
PDF
Preventing Security Leaks in SharePoint with Joel Oleson & Christian Buckley
Joel Oleson
 
PPTX
Securing Sharepoint platform
Ken Barnes
 
PPSX
Replacing your fileshare with SharePoint 2013 Farm - SharePoint User Group UK...
Chirag Patel
 
PDF
Securing Microsoft Technologies for HITECH Compliance
Marie-Michelle Strah, PhD
 
PPTX
SharePoint 2013 App Provisioning Models
Shailen Sukul
 
PDF
CISO's Guide to Securing SharePoint
Imperva
 
PPTX
ESDDC - Making Secured Content Discoverable in SharePoint
Jonathan Ralton
 
PPTX
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...
Christian Buckley
 
PPTX
Best practices for security and governance in share point 2013 published
AntonioMaio2
 
PDF
Selecting And Protecting The Right Sharepoint Backup Targets Sps Michigan
Christopher Bunn
 
PPTX
Understanding SharePoint Apps, authentication and authorization infrastructur...
SPC Adriatics
 
PPTX
SPSPTCDC - SharePoint Admin 101 - SpeedMetal - PowerUser to Admin in 75 Minutes
Knowledge Management Associates, LLC
 
PPT
Share Point Server Security with Joel Oleson
Joel Oleson
 
PDF
RSA SecurBook for Microsoft SharePoint
Susam Pal
 
OWASP LA – SharePoint Hacking – 22Feb2012 – Slides.PDF
Bishop Fox
 
D Cornell Securing Share Point
Art Upton
 
Securing the SharePoint Platform
Bert Johnson
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Imperva
 
Hacking_SharePoint_FINAL
Ian Naumenko, CISSP, CRISC
 
What’s your Social IQ? Succeeding with SharePoint Social by Chris McNulty - S...
SPTechCon
 
Preventing Security Leaks in SharePoint with Joel Oleson & Christian Buckley
Joel Oleson
 
Securing Sharepoint platform
Ken Barnes
 
Replacing your fileshare with SharePoint 2013 Farm - SharePoint User Group UK...
Chirag Patel
 
Securing Microsoft Technologies for HITECH Compliance
Marie-Michelle Strah, PhD
 
SharePoint 2013 App Provisioning Models
Shailen Sukul
 
CISO's Guide to Securing SharePoint
Imperva
 
ESDDC - Making Secured Content Discoverable in SharePoint
Jonathan Ralton
 
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...
Christian Buckley
 
Best practices for security and governance in share point 2013 published
AntonioMaio2
 
Selecting And Protecting The Right Sharepoint Backup Targets Sps Michigan
Christopher Bunn
 
Understanding SharePoint Apps, authentication and authorization infrastructur...
SPC Adriatics
 
SPSPTCDC - SharePoint Admin 101 - SpeedMetal - PowerUser to Admin in 75 Minutes
Knowledge Management Associates, LLC
 
Share Point Server Security with Joel Oleson
Joel Oleson
 
RSA SecurBook for Microsoft SharePoint
Susam Pal
 
Ad

More from Aspenware (20)

PPTX
Playing nice with the MEAN stack
Aspenware
 
PDF
Stop competing and start leading: A user experience case study.
Aspenware
 
PPTX
Tips for building fast multi touch enabled web sites
Aspenware
 
PPTX
Build once deploy everywhere using the telerik platform
Aspenware
 
PPTX
Building web applications using kendo ui and the mvvm pattern
Aspenware
 
PDF
Rich Web Applications with Aspenware
Aspenware
 
PPTX
Implementing Scrum with Microsoft Team Foundation Service (TFS)
Aspenware
 
PPTX
Implementing Scrum with Microsoft Team Foundation Service (TFS)
Aspenware
 
PDF
Building a Windows Store App for SharePoint 2013
Aspenware
 
PDF
Aspenware TechMunch presents: mobile communities of interest
Aspenware
 
PDF
Hate JavaScript? Try TypeScript.
Aspenware
 
PDF
Understanding Game Mechanics
Aspenware
 
PDF
What people are saying about working with Aspenware.
Aspenware
 
PPTX
Aspenware Customer Labs lift line experience
Aspenware
 
PDF
Aspenware 2013 consulting program
Aspenware
 
PPTX
On Culture and Perks
Aspenware
 
PDF
Maintaining Culture and Staying True to Your Values in Times of Change: Tye E...
Aspenware
 
PPTX
Fast multi touch enabled web sites
Aspenware
 
PDF
Business considerations for node.js applications
Aspenware
 
PPTX
Restful web services with nodejs
Aspenware
 
Playing nice with the MEAN stack
Aspenware
 
Stop competing and start leading: A user experience case study.
Aspenware
 
Tips for building fast multi touch enabled web sites
Aspenware
 
Build once deploy everywhere using the telerik platform
Aspenware
 
Building web applications using kendo ui and the mvvm pattern
Aspenware
 
Rich Web Applications with Aspenware
Aspenware
 
Implementing Scrum with Microsoft Team Foundation Service (TFS)
Aspenware
 
Implementing Scrum with Microsoft Team Foundation Service (TFS)
Aspenware
 
Building a Windows Store App for SharePoint 2013
Aspenware
 
Aspenware TechMunch presents: mobile communities of interest
Aspenware
 
Hate JavaScript? Try TypeScript.
Aspenware
 
Understanding Game Mechanics
Aspenware
 
What people are saying about working with Aspenware.
Aspenware
 
Aspenware Customer Labs lift line experience
Aspenware
 
Aspenware 2013 consulting program
Aspenware
 
On Culture and Perks
Aspenware
 
Maintaining Culture and Staying True to Your Values in Times of Change: Tye E...
Aspenware
 
Fast multi touch enabled web sites
Aspenware
 
Business considerations for node.js applications
Aspenware
 
Restful web services with nodejs
Aspenware
 

Recently uploaded (20)

PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
project resource management chapter-09.pdf
ssuser00e6e21
 
Encapsulation theory and applications.pdf
gurumoop
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 

Taking the Share out of Sharepoint: SharePoint Application Security.

  • 1. Why Your SharePoint Applications are a Hackers Best Friend
  • 2. Waughn Hughes Waughn has over 14 years of consulting experience, and has worked extensively with SharePoint for the past seven years as a developer and solutions architect. Solutions Architect | about.me/waughn
  • 3. Justin Tibbs Justin Tibbs, developed and heads up the security solutions practice at NET Source, Inc, in Littleton Colorado. Prior to NET Source, Justin held positions at Cisco Systems, Lockheed Martin, and others, specializing in the areas of Vulnerability & Threat Research, Exploitation Development, and Secure Architecture Design. NET Source Security Director | about.me/justintibbs
  • 4. Agenda • Introduction • SharePoint Tips and Tools Why Your SharePoint Applications are a Hackers Best Friend 4
  • 5. Definitions Security Breach An act from outside an organization that bypasses or contravenes security policies, practices, or procedures. Security Violation An act from inside an organization that bypasses or contravenes security policies, practices, or procedures. Why Your SharePoint Applications are a Hackers Best Friend 5
  • 6. National Security Agency "This leaker was a sysadmin who was trusted with moving the information to actually make sure that the right information was on the SharePoint servers that NSA Hawaii needed." - National Security Agency Director and the Pentagon's Cyber Command Commander General Keith Alexander Why Your SharePoint Applications are a Hackers Best Friend NSA chief leaks info on data sharing tech: It's SharePoint, By Jack Clark Clear and Present Danger: Cyber-Crime; Cyber-Espionage; Cyber-Terror; and Cyber-War 6
  • 7. Why SharePoint? Started as a way to simplify document sharing… 12 years and numerous releases later… Evolved into a platform for collaboration, document and file management, intranets, extranets, websites, enterprise search, business intelligence, business process automation, social networks, etc… Used by 78% of the Fortune 500 companies* Why Your SharePoint Applications are a Hackers Best Friend 7 * SharePoint 2010 : The First 10 Years [http://technet.microsoft.com/en-us/magazine/gg981684.aspx]
  • 8. SharePoint Security Policy Why Your SharePoint Applications are a Hackers Best Friend 8 A recent study by Emedia, covered in full by InfoSecurity magazine in February 2013, found that only about one-third of organizations with 25-5000 users employing SharePoint have security policies covering the platform.
  • 9. Installation & Configuration • Windows, SQL Server and .NET Stack • Security Patching • Service Accounts • Service Applications • Authentication • Web Applications, Site Collections and Sites Why Your SharePoint Applications are a Hackers Best Friend 9
  • 10. Installation & Configuration: Tips • Review and install applicable service packs and cumulative updates • Plan for least-privilege administration and do not use single account to run SharePoint farm(s) • Understand the features and configuration options for service applications prior to deployment • Define authentication methods for the various web and extended web applications • Develop and use information architecture to define web applications, site collections and sites • Use metadata to identify data sensitivity Why Your SharePoint Applications are a Hackers Best Friend 10
  • 11. Access Control • User Permissions • Excessive Access • Administrative Access Why Your SharePoint Applications are a Hackers Best Friend 11
  • 12. Access Control: Tips • Train end users on the key permission feature within SharePoint (e.g. security groups, permission levels, and permissions inheritance) • Automate the review process to keep rights aligned with business needs • Enable auditing for sites that contain sensitive information • Access the need to use database encryption to protect content Why Your SharePoint Applications are a Hackers Best Friend 12
  • 13. External Exposure: Demo Why Your SharePoint Applications are a Hackers Best Friend 13
  • 14. External Exposure: Tips • Use Google or Bing to check for externally exposed information • Google Samples: • inurl:"/_layouts/viewlsts.aspx" • "all site content" filetype:aspx • Use port scanner like nMap to look for open listeners • Management applications • Misconfigured web services • Database listeners (SQL) • Pretend to be a hacker… Try Shodan, a search engine that lets you find specific types of computers using a variety of filters Why Your SharePoint Applications are a Hackers Best Friend 14
  • 15. Development • Cross-Site Scripting • Cross-Site Request Forgery • Elevation of Privilege • Information Disclosure Why Your SharePoint Applications are a Hackers Best Friend 15
  • 16. Development: Tips • Understand Code Access Security • Encode output properly using SPHttpUtility methods • Do not allow contributor users to add script to the site • Specify a charset in the Content-Type HTTP response header • Avoid using AllowUnsafeUpdates where possible • Check user permissions appropriately Why Your SharePoint Applications are a Hackers Best Friend 16
  • 17. Questions? Why Your SharePoint Applications are a Hackers Best Friend 17
  • 18. 6000 Greenwood Plaza Blvd Suite 110 Greenwood Village, CO 80111 303.798.5458 www.aspenware.com Aspenware