6 SharePoint Security Do’s and Don’ts … or

Microsoft SharePoint server is a widely implemented information portal. One of the main drivers of its success is that it is largely free. In a typical enterprise, there might be any number of authorized SharePoint servers to which almost everyone has access, plus a few that simply spring up and start growing for specific projects. SharePoint can be a lot of things, such as a document library, a shared online workspace, or a reporting and business intelligence source.

Most installations begin as document libraries. SharePoint is simply pointed at a bunch of file shares, which are then cataloged and presented through a Web interface to users. In order to make this process easier, Microsoft relies on an inheritance model for privileges — if a person could access the file on a share then she can access the file through SharePoint. Unfortunately, file shares are typically littered with years of files and, more importantly, if the file and directory privileges were configured to allow maximal access, then SharePoint will expose them for maximal access.
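As an added example (not part of the original article), the PowerShell function below lists broad "Allow" entries on a file share so they can be reviewed before SharePoint catalogs it. The function name, the share path in the usage comment and the default list of broad principals are assumptions; add your own domain's groups (for example `DOMAIN\Domain Users`) as needed.

```powershell
# Added example: find ACL entries that grant wide access on a share that
# SharePoint is about to expose. Names and paths here are hypothetical.
function Find-BroadShareAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Principals treated as "almost everyone" (English names; assumption).
        [string[]]$BroadPrincipals = @(
            'Everyone',
            'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Users'
        )
    )

    # Bits that allow changing content or permissions. Read bits are left out
    # on purpose; 0x50000000 covers GENERIC_ALL and GENERIC_WRITE entries.
    $named = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$named -bor 0x50000000

    $root  = Get-Item -LiteralPath $Path
    $items = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try   { $acl = Get-Acl -Path $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Below the root, skip inherited entries: they are reported once,
            # on the folder where they were actually set.
            if ($ace.IsInherited -and $item.FullName -ne $root.FullName) { continue }

            New-Object PSObject -Property @{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                CanModify = (([int]$ace.FileSystemRights -band $writeMask) -ne 0)
                Inherited = $ace.IsInherited
            } | Select-Object Path, Identity, Rights, CanModify, Inherited
        }
    }
}

# Usage (hypothetical share name):
# Find-BroadShareAccess -Path '\\fileserver01\projects' | Sort-Object Path | Format-Table -AutoSize
```

Rows with `CanModify` set to `True` are the ones to fix first, since anyone in that group could alter the content as well as read it through the portal.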

There’s a lot to SharePoint security, probably because there is a lot to SharePoint. A multi-faceted approach works well to protect the application itself and your organization’s data from attack. As you roll out security policy, it’s important to test new access, authentication, and authorization controls before going live with them. You don’t want to lock out those who deserve and require access.

So here are some pointers on making SharePoint work for you, not against you (at least from a security point of view):

1. The server farm itself should rely on security best practices before you secure the SharePoint implementation on top of it. Secure and harden Microsoft Windows Server 2008 to form a solid foundation.

2. Make sure that the proper privileges are given to the proper users and groups in Active Directory. SQL Server 2005 or SQL Server 2008 will host most of your SharePoint content.

3. The content databases that hold site collections and sites can be copied on a database level, so make sure to control and audit users who have access to the physical databases.

4. It also goes without saying that server antivirus, a software firewall, and host-based intrusion prevention (HIPS) further protect servers.

5. The underpinnings of all of this (the network and storage systems) should be properly secured as well. A solid network security program involves compartmentalization of users and systems. Make sure to perform regular audits of switches, routers, and servers to understand who accessed what and how. A firewall is a critical component of network security. Make sure that the right access control rules are in place to protect your SharePoint installation whether it is external, internal or somewhere in between in the DMZ.

6. Speaking of access rules, the emphasis of security within a SharePoint environment should be on controlling access to information and how it can be accessed through the applications. This, obviously, must be role-based using Active Directory for identity, authentication, and authorization. A big thing to focus on is the implication of inherited privileges in your environment. When you grant privileges over content, like a project plan or a PowerPoint presentation, to a manager, she then has the privilege to assign privileges to her team members. This makes it easier for your IT staff, so they don’t have to change privileges 10,000 times a day across your organization. But delegating the privilege of assigning privileges opens you up to a potential escalation of privileges for everyone under the manager. The tendency to solve access issues by escalating privileges is common enough among professional IT people, and this tendency is magnified in the hands of business people.

The principles of security hold true in SharePoint as well as other knowledge management platforms. Inmagic’s Presto Social is a social knowledge management application that lets organizations build a centralized base of knowledge using self-service social tools, such as comments, ratings, tags, wikis, blogs, collaborative editing, discussions, and more. I spoke with Phil Green, CTO, and Mike Cassettari, VP of Marketing of Inmagic about some of their best practices for securing information.

Phil said it all centers on restricting access control to content, which starts by carefully planning the platform you’re using and understanding the different roles within your organization and how each role works with documents and information.

“Documents and types of information, even down to the field or record level, should be classified and protected according to that classification. Different features within the application should be controlled, such as who can put information into the system and who can change it.” Presto includes these abilities plus the ability to track content and generate a full audit trail.

Microsoft has a good deal of information about securing SharePoint at http://technet.microsoft.com/en-us/sharepoint/ff601872.aspx and at http://msdn.microsoft.com/en-us/sharepoint/ff660758.aspx.

Just remember: It’s not only convenient for knowledge workers to have an entire organization’s information in one easy to access portal, it’s convenient for thieves, too.

Matt Sarrel is executive director of Sarrel Group, a technology product test lab, editorial services and consulting practice specializing in gathering and leveraging competitive intelligence. He has over 20 years of experience in IT and focuses on high-speed large scale networking, information security, and enterprise storage. Twitter: @msarrel.