Securing Your SharePoint Environment With Custom Solutions
Understanding SharePoint Security Risks
As an expansive collaboration platform, SharePoint offers many benefits for organizations but also comes with certain inherent security risks. Being aware of these vulnerabilities can help SharePoint administrators and developers make informed decisions when securing the environment.
Common Vulnerabilities and Threats
Some of the most prevalent SharePoint security issues include:
- Compromised user accounts – Attackers gaining access to valid credentials can infiltrate SharePoint sites and access sensitive data. Multi-factor authentication and password policies can help mitigate this.
- Cross-site scripting (XSS) – Malicious scripts injected into pages or web parts that execute when other users access the content. Input validation and output encoding on custom solutions are key to preventing XSS.
- Sensitive information disclosure – By default, SharePoint can reveal version histories, metadata, and other details that expose confidential data. Detailed permission management and redaction capabilities are essential.
- Vulnerable web parts and custom code – Any custom elements added to SharePoint should be developed with security in mind, as they can potentially be an attack vector.
- Malware upload – The collaborative nature of SharePoint means that infected file attachments or documents could spread malware across sites. Antivirus integration and safe file handling must be implemented.
OOTB Limitations
While SharePoint provides extensive platform security capabilities out of the box, some limitations include:
- Coarse permission management – The predefined SharePoint roles can be too broad for the fine-grained permission control needed in some situations.
- Auditing gaps – The built-in audit log may not fully capture all user activity at a detailed level.
- Third-party compliance – Specific regulatory mandates may require customization beyond default settings for legal compliance.
- Extranet security – Access for external partners often necessitates tighter security than the collaboration focus of internal SharePoint.
Implementing Custom Security Solutions
To augment the out-of-the-box SharePoint security features, custom code solutions can be deployed to enforce tighter control over sensitive environments.
Authorization Code Examples
Fine-grained permission checks can be integrated directly in page logic:
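```csharp
// Runs in page code-behind; requires Microsoft.SharePoint and Microsoft.SharePoint.Utilities.
SPWeb web = SPContext.Current.Web;
SPUser user = web.CurrentUser;

// Deny access unless the current user is a member of the "Finance Team" group.
if (!web.SiteGroups["Finance Team"].ContainsCurrentUser)
{
    SPUtility.TransferToErrorPage("Access Denied");
}

// Require the custom "ConfidentialDocsAccess" permission level on the user's role assignment.
SPRoleDefinition required = web.RoleDefinitions["ConfidentialDocsAccess"];
SPRoleAssignment role = web.RoleAssignments.GetAssignmentByPrincipal(user);
if (!role.RoleDefinitionBindings.Contains(required))
{
    SPUtility.HandleAccessDenied(new UnauthorizedAccessException());
}
```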
Claims-based authorization logic grants access based on user attributes:
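```csharp
// userClaims, currentRecord and userLogin are assumed to be populated earlier in the page or web part.
// Redirect users whose department claim is not "Sales".
if (userClaims.Department != "Sales")
{
    Response.Redirect("/AccessDenied.aspx");
}

// Close the web part when the current user did not create the record.
// This only hides the UI; the underlying item still needs its own permissions.
if (currentRecord.CreatedBy != userLogin)
{
    webPartManager.CloseWebPart(this);
}
```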
Encryption Techniques
Sensitive SharePoint data can be protected through encryption:
- Encrypt sections of web.config containing credentials
- Use SSL/TLS for all services and web applications
- Encrypt customer data stored in lists and libraries
- Hash/salt passwords stored in user profile database
- Digitally sign custom solutions for tamper detection
The .NET Cryptography classes provide many options:
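```csharp
// AES-encrypt record contents. EncryptStringToBytes is a helper defined elsewhere;
// encryptionKey (assumed) comes from a protected key store so the data can be decrypted later.
using (Aes aes = Aes.Create())
{
    aes.Key = encryptionKey;
    byte[] encrypted = EncryptStringToBytes(data, aes.Key, aes.IV);
    // item is the SPListItem being saved; "EncryptedData" and "IV" are placeholder column names.
    item["EncryptedData"] = Convert.ToBase64String(encrypted);
    item["IV"] = Convert.ToBase64String(aes.IV);   // the IV is needed again for decryption
    item.Update();
}

// Hash the site visitor identifier with SHA-256; Guid.GetHashCode() is not a cryptographic hash.
using (SHA256 sha = SHA256.Create())
{
    string hash = BitConverter.ToString(sha.ComputeHash(userGuid.ToByteArray())).Replace("-", "");
    Response.Cookies.Set(new HttpCookie("Id", hash) { HttpOnly = true, Secure = true });
}
```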
Securing Search Crawl Data
Custom code can block sensitive info from the index:
```csharp
// Excludes every element handled by this filter from the search index.
public class ConfidentialContentAccessor : IFilter
{
    public override void Element(FilterElement elm)
    {
        elm.Action = FilterElementAction.Exclude;
    }
}
```
Managed properties facilitate access controls:
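```csharp
// Returns all property values only to users with access to the secured properties;
// everyone else receives the allowed subset.
public override IEnumerable> GetPropertyValues(IList props)
{
    if (HasAccess(currentUser, securedProperties))
    {
        return base.GetPropertyValues(props);
    }
    else
    {
        return base.GetPropertyValues(allowedProperties);
    }
}
```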
Monitoring and Responding
Visibility into SharePoint security events enables incident detection and response.
Log Analysis
Centralized logging of access audits, errors, and custom tracking events provides security monitoring. Example log data usage:
- Activity analysis – Unusual access spikes, repeated failed logins, resource access anomalies.
- Error monitoring – Debug issues and identify attack attempts that surface as unexpected errors.
- Audit tracking – Document permission changes, configuration changes, data access.
Key steps for enabling analysis:
- Streamline data collection – Aggregate disparate logs into unified systems.
- Retain critical history – Archive sufficient log data for investigation needs.
- Simplify parsing – Structure logs consistently to ease extraction.
- Visualize patterns – Charts highlighting trends assist human consumption.
- Trigger alerts – Set thresholds on key metrics to automatically issue alerts.
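The "repeated failed logins" and "trigger alerts" items above can be combined into a simple sliding-window check. The following is an added example, not code from the original page; the `timestamp|account|event` line format, the event names, and the sample lines are constructed for illustration, and lines are assumed to arrive in time order.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

public static class FailedLoginMonitor
{
    // Constructed sample in an assumed "UTC timestamp|account|event" format, oldest first.
    static readonly string[] SampleLog =
    {
        "2024-05-01T09:00:05Z|CONTOSO\\alice|LoginFailed",
        "2024-05-01T09:00:40Z|CONTOSO\\bob|LoginFailed",
        "2024-05-01T09:01:10Z|CONTOSO\\alice|LoginFailed",
        "2024-05-01T09:01:30Z|CONTOSO\\alice|LoginSucceeded",
        "2024-05-01T09:02:15Z|CONTOSO\\alice|LoginFailed",
        "2024-05-01T09:30:00Z|CONTOSO\\bob|LoginFailed",
        "not a log line"
    };

    // Returns each account that reaches `threshold` failures within `window`, reported once.
    public static List<string> FindFailureBursts(IEnumerable<string> lines, int threshold, TimeSpan window)
    {
        var recent = new Dictionary<string, Queue<DateTime>>();
        var alerts = new List<string>();
        foreach (string line in lines)
        {
            string[] parts = line.Split('|');
            DateTime ts;
            if (parts.Length != 3 || parts[2] != "LoginFailed" ||
                !DateTime.TryParse(parts[0], CultureInfo.InvariantCulture,
                                   DateTimeStyles.AdjustToUniversal, out ts))
                continue;                                       // skip other events and malformed lines
            Queue<DateTime> times;
            if (!recent.TryGetValue(parts[1], out times))
                recent[parts[1]] = times = new Queue<DateTime>();
            times.Enqueue(ts);
            while (ts - times.Peek() > window) times.Dequeue(); // drop failures outside the window
            if (times.Count >= threshold && !alerts.Contains(parts[1]))
                alerts.Add(parts[1]);
        }
        return alerts;
    }

    public static void Main()
    {
        foreach (string account in FindFailureBursts(SampleLog, 3, TimeSpan.FromMinutes(5)))
            Console.WriteLine("ALERT: repeated failed logins for " + account);
    }
}
```

A successful login does not reset the counter here, so failures interleaved with one success still count toward the threshold.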
Incident Response Planning
Formal plans for security incident management ensure issues are handled appropriately:
- Documented procedures – Consistent steps for containment, eradication and recovery.
- Response personnel – Designated owners accountable for executing the plan.
- Reporting protocols – Required notifications when certain events occur.
- Post-mortem review – Analysis of lessons learned to improve outcomes.
Tabletop exercises prepare teams to implement response plans effectively.
Auditing Custom Solutions
Code review and security testing validate protection:
- Analyze access control logic – Verify conditions granting access to data.
- Input validation testing – Confirm handling of malicious input to prevent attacks.
- Exploit signal monitoring – Detect activity indicating probing for weaknesses.
- Penetration testing – Attempt to breach the system under test conditions.
Track issues in transparent backlogs accessible by administrators.
Maintaining a Secure Environment
A sustainable process continually enhances protection over time as risks evolve.
Applying Latest Updates
Consistently deploy security fixes through:
- Microsoft and third-party patches
- Cumulative updates for SharePoint
- Upgrades to the latest SharePoint version
Monitoring developer notifications identifies code changes needing attention:
- Review .NET security advisories
- Refresh outdated library dependencies
- Retest custom code after infrastructure changes
Retesting Custom Code
Regression testing verifies continued functionality and security under updated conditions:
- Load testing – Validate performance metrics under simulated traffic.
- Security scanning – Detect new weaknesses introduced by updates.
- Authorization checks – Confirm access rules are still being enforced properly.
Compare the latest results against previous baselines.
User Education
Awareness training fortifies the human element of the secure SharePoint architecture:
- Onboarding for access policies and handling sensitive data
- Phishing simulation to spot potential social engineering
- Refreshers on the latest identified threats in the wild
Track training completion rates to confirm coverage across personnel.