Securing Your Sharepoint Environment With Custom Solutions

ByThe SharePoint FAQs Team

Understanding SharePoint Security Risks

As an expansive collaboration platform, SharePoint offers many benefits for organizations but also comes with certain inherent security risks. Being aware of these vulnerabilities can help SharePoint administrators and developers make informed decisions when securing the environment.

Common Vulnerabilities and Threats

Some of the most prevalent SharePoint security issues include:

  • Compromised user accounts – Attackers gaining access to valid credentials can infiltrate SharePoint sites and access sensitive data. Multi-factor authentication and password policies can help mitigate this.
  • Cross-site scripting (XSS) – Malicious scripts injected into pages or web parts that execute when other users access the content. Input validation and output encoding on custom solutions are key to preventing XSS.
  • Sensitive information disclosure – By default, SharePoint can reveal version histories, metadata, and other details that expose confidential data. Detailed permission management and redaction capabilities are essential.
  • Vulnerable web parts and custom code – Any custom elements added to SharePoint should be developed with security in mind, as they can potentially be an attack vector.
  • Malware upload – The collaborative nature of SharePoint means that infected file attachments or documents could spread malware across sites. Antivirus integration and safe file handling must be implemented.

OOTB Limitations

While SharePoint provides extensive platform security capabilities out of the box, some limitations include:

  • Coarse permission management – The predefined SharePoint roles can be too broad for refined permission control needed in some situations.
  • Auditing gaps – The built-in audit log may not fully capture all user activity at a detailed level.
  • Third-party compliance – Specific regulatory mandates may require customization beyond default settings for legal compliance.
  • Extranet security – Access for external partners often necessitates tighter security than the collaboration focus of internal SharePoint.

Implementing Custom Security Solutions

To augment the out-of-the-box SharePoint security features, custom code solutions can be deployed to enforce tighter control over sensitive environments.

Authorization Code Examples

Fine-grained permission checks can be integrated directly in page logic:

 
if(!user.IsCurrentUserMemberOfGroup("Finance Team")) {
     SPUtility.TransferToErrorPage("Access Denied");
}


SPRoleAssignment role = web.RoleAssignments.GetAssignmentByPrincipal(user);
if (!role.RoleDefinitionBindings.Contains("ConfidentialDocsAccess")) {
     SPUtility.TransferToAccessDeniedPage(); 
}

Claims-based authorization logic grants access based on user attributes:


if (userClaims.Department != "Sales") {
    Response.Redirect("/AccessDenied.aspx"); 
}


if (currentRecord.CreatedBy != userLogin) {
    webPartManager.CloseWebPart(this);
}

Encryption Techniques

Sensitive SharePoint data can be protected through encryption:

  • Encrypt sections of web.config containing credentials
  • Use SSL/TLS for all services and web applications
  • Encrypt customer data stored in lists and libraries
  • Hash/salt passwords stored in user profile database
  • Digitally sign custom solutions for tamper detection

The .NET Cryptography classes provide many options:

// AES encrypt record contents
using (Aes aes = Aes.Create())  
{
  byte[] encrypted = EncryptStringToBytes(data, aes.Key, aes.IV);
  SPListItem.Update();
}
   
// Hash site visitor identifier 
int hash = userGuid.GetHashCode();
Response.Cookies.Set("Id", hash.ToString());

Securing Search Crawl Data

Custom code can block sensitive info from the index: 

public class ConfidentialContentAccessor : IFilter
{
   public override void Element(FilterElement elm)  
   {
     elm.Action = FilterElementAction.Exclude;
   }
}

Managed properties facilitate access controls:

 
public override IEnumerable> GetPropertyValues(IList props) {
  
  if(HasAccess(currentUser, securedProperties)) {
    return base.GetPropertyValues(props);  
  }
  else {
    return base.GetPropertyValues(allowedProperties);
  }

}

Monitoring and Responding

Visibility into SharePoint security events enables incident detection and response.

Log Analysis

Centralized logging of access audits, errors, and custom tracking events provides security monitoring. Example log data usage:

  • Activity analysis – Unusual access spikes, repeated failed logins, resource access anomalies.
  • Error monitoring – Debug issues plus identify attack attempts via unexpected errors.
  • Audit tracking – Document permission changes, configuration changes, data access.

Key steps for enabling analysis:

  1. Streamline data collection – Aggregate disparate logs into unified systems.
  2. Retain critical history – Archive sufficient log data for investigation needs.
  3. Simplify parsing – Structure logs consistently to ease extraction.
  4. Visualize patterns – Charts highlighting trends assist human consumption.
  5. Trigger alerts – Set thresholds on key metrics to automatically issue alerts.

Incident Response Planning

Formal plans for security incident management ensure issues are handled appropriately:

  • Documented procedures – Consistent steps for containment, eradication and recovery.
  • Response personnel – Designated owners accountable for executing the plan.
  • Reporting protocols – Required notifications when certain events occur.
  • Post-mortem review – Analysis of lessons learned to improve outcomes.

Tabletop exercises prepare teams to implement response plans effectively.

Auditing Custom Solutions

Code review and security testing validate protection:

  • Analyze access control logic – Verify conditions granting access to data.
  • Input validation testing – Confirm handling of malicious input to prevent attacks.
  • Exploit signal monitoring – Detect activity indicating probing for weaknesses.
  • Penetration testing – Attempt to breach the system under test conditions.

Track issues in transparent backlogs accessible by administrators.

Maintaining a Secure Environment

A sustainable process continually enhances protection over time as risks evolve.

Applying Latest Updates

Consistently deploy security fixes through:

  • Microsoft and third-party patches
  • Cumulative updates for SharePoint
  • Upgrades to latest SharePoint version

Monitoring developer notifications identifies code changes needing attention:

  • Review .NET security advisories
  • Refresh outdated library dependencies
  • Retest custom code after infrastructure changes

Retesting Custom Code

Regression testing verifies continued functionality and security under updated conditions:

  • Load testing – Validate performance metrics under simulated traffic.
  • Security scanning – Detect new weaknesses introduced by updates.
  • Authorization checks – Confirm access rules still being enforced properly.

Compare latest results against previous baselines.

User Education

Awareness training fortifies the human element of the secure SharePoint architecture:

  • Onboarding for access policies and handling sensitive data
  • Phishing simulation to spot potential social engineering
  • Refreshers on latest identified threats in the wild

Track training completion rates to confirm coverage across personnel.

Leave a Reply

Your email address will not be published. Required fields are marked *