SharePoint Security Best Practices: Permissions, Encryption, And Auditing

Securing SharePoint Data and Content

Implementing robust security measures in SharePoint is critical to protecting sensitive data and content. By properly configuring permissions, encrypting data, and auditing activity, organizations can reduce the risk of data breaches and ensure regulatory compliance.

Setting Up Permissions and Access Controls

Managing permissions is essential to restrict access to SharePoint sites, libraries, lists, content types and columns. Permissions should be granted based on user roles and access requirements.

Defining Permission Levels and Groups

SharePoint includes default permission levels like Read, Contribute and Full Control. Additionally, custom permission levels can be created to define specific access rights that align with user roles. Permission groups streamline assigning access, so groups should be set up for various departments, project teams, security roles and so on. Ensure the principle of least privilege by only enabling necessary permissions.

Assigning Permissions to Sites, Libraries, Lists

Granular permissions can be configured at the site collection, site, library, list, folder, document and item level. Fine-grained permissions take time to set up, but they let you lock data down precisely. Automate permission assignment through scripts where possible, and leverage inheritance to cascade settings down to child sites and content.

Securing Content Types and Columns

Control access to content types and columns by breaking permission inheritance and assigning custom permissions. Restrict sensitive columns, such as those holding Personally Identifiable Information, so they are visible only to specific user groups. Disable the ability to edit columns whose integrity is vital.

Example: Allowing Edit Access for Certain Users

The management team site hosts proprietary strategy documents that should only be editable by top executives. Create an Active Directory group for the executive team granting them exclusive contribute access. All other employees get read-only permission to prevent unauthorized changes.
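The scenario above, scripted with PnP PowerShell as an added example (this is not code from the original article); the site URL, library name, group names and the directory group's claim identifier are placeholders, and the directory group is assumed to exist already:

```powershell
# Added example: break inheritance on a library, give one group Contribute and
# everyone else Read, then print the resulting role assignments for review.
# Requires the PnP.PowerShell module (Install-Module PnP.PowerShell).

$SiteUrl     = "https://contoso.sharepoint.com/sites/management"   # placeholder
$LibraryName = "Strategy Documents"                                # placeholder
$ExecGroup   = "Executive Team"                                    # SharePoint group created below
# Claims login name of the executives' directory security group (placeholder GUID).
$ExecDirectoryGroup = "c:0t.c|tenant|00000000-0000-0000-0000-000000000000"

Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Stop the library inheriting site permissions and drop the inherited
#    assignments so nothing unexpected is left behind on the library.
Set-PnPList -Identity $LibraryName -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes

# 2. Create the SharePoint group for executives (idempotent) and put the
#    directory group in it, so membership is managed centrally.
if (-not (Get-PnPGroup -Identity $ExecGroup -ErrorAction SilentlyContinue)) {
    New-PnPGroup -Title $ExecGroup -Description "Editors of strategy documents" | Out-Null
}
Add-PnPGroupMember -Identity $ExecGroup -LoginName $ExecDirectoryGroup

# 3. Least privilege: executives get Contribute, not Full Control; the site's
#    default visitors group keeps Read so other employees cannot change anything.
Set-PnPListPermission -Identity $LibraryName -Group $ExecGroup -AddRole "Contribute"
$Visitors = Get-PnPGroup -AssociatedVisitorGroup
Set-PnPListPermission -Identity $LibraryName -Group $Visitors.Title -AddRole "Read"

# 4. Verify: list every principal on the library with its permission levels,
#    so the change can be reviewed and recorded before users are told.
$list = Get-PnPList -Identity $LibraryName -Includes RoleAssignments
foreach ($ra in $list.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
    "{0,-40} {1}" -f $ra.Member.Title, $roles
}
```

Run the verification step again after any later change, since a stray Full Control assignment on the library is exactly what this setup is meant to prevent.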

Encrypting Sensitive SharePoint Data

SharePoint offers various encryption methods to protect sensitive or confidential data at the column, library, list or site collection level.

Encryption Methods in SharePoint

SharePoint Information Rights Management (IRM) protects documents, email and list items with usage restrictions and encryption. BitLocker Drive Encryption provides full-disk encryption for SharePoint database servers. Cell-level encryption masks sensitive entries such as passwords or social security numbers.

Encrypting Libraries, Lists and Columns

Enable IRM on SharePoint document libraries and lists to encrypt content. Ensure IRM protection travels with documents downloaded outside the library. Encrypt individual columns with sensitive data via the UI or PowerShell. Turn on BitLocker encryption for SharePoint SQL servers for robust protection.

Example: Encrypting a Document Library

A research library contains proprietary formulas that must only be viewed by the research team. Turn on IRM for the document library using a custom permission policy restricting access and download to the researchers group. This safeguards the intellectual property if documents are copied off the network.
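The research library scenario above, as an added example using PnP PowerShell and the CSOM list object (not code from the original article). It assumes IRM is already enabled for the tenant in the SharePoint admin center; the site URL, library name and group address are placeholders:

```powershell
# Added example: enable IRM on a document library with a custom usage policy.
# Who can open the library is still decided by its permissions; IRM controls
# what can be done with a document once it is downloaded.
# Requires the PnP.PowerShell module (Install-Module PnP.PowerShell).

$SiteUrl     = "https://contoso.sharepoint.com/sites/research"   # placeholder
$LibraryName = "Formulas"                                        # placeholder
$Researchers = "researchers@contoso.com"                         # placeholder group

Connect-PnPOnline -Url $SiteUrl -Interactive
$list = Get-PnPList -Identity $LibraryName
$irm  = Get-PnPProperty -ClientObject $list -Property InformationRightsManagementSettings

# Turn IRM on: documents leaving this library are encrypted and carry the
# policy below with them, which is what protects copies taken off the network.
$list.IrmEnabled = $true
$list.IrmExpire  = $false   # protection does not lapse on a date
$list.IrmReject  = $true    # refuse uploads of file types IRM cannot protect

$irm.PolicyTitle       = "Research formulas"
$irm.PolicyDescription = "Proprietary. Viewing restricted to the research team."
$irm.AllowPrint        = $false   # no paper copies
$irm.AllowScript       = $false   # no macros or scripts inside protected files
$irm.AllowWriteCopy    = $false   # no saving an unprotected copy
$irm.DisableDocumentBrowserView = $true   # open only in a rights-aware client
$irm.EnableGroupProtection = $true        # issue rights to the group, not per user
$irm.GroupName         = $Researchers
$irm.EnableLicenseCacheExpire = $true
$irm.LicenseCacheExpireDays   = 1         # re-check rights at least daily

$list.Update()
Invoke-PnPQuery

# Verify by re-reading the library so the setting can be recorded in the change ticket.
$check = Get-PnPList -Identity $LibraryName -Includes IrmEnabled, InformationRightsManagementSettings
$settings = $check.InformationRightsManagementSettings
"IRM enabled: {0}; policy: {1}; group: {2}" -f $check.IrmEnabled, $settings.PolicyTitle, $settings.GroupName
```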

Auditing Site Activity

Auditing tracks all events and changes for compliance reporting. Enable comprehensive audit logging and establish policies to detect suspicious activity.

Enabling Audit Logging

In the Security & Compliance admin center, enable site collection, site and list auditing to log events like access requests, policy changes and content deletions. Adjust audit log trimming policies and quotas to retain data. Forward logs to Security Information & Event Management software for long-term analysis.

Using Audit Reports to Track Access and Changes

Audit reports reveal which users accessed specific sites, lists, libraries, documents and list items. Reports also show denied access attempts, along with renames and content deletions. Review reports regularly for anomalies that indicate compromised credentials or data theft.

Alert Policies for Critical Events

Configure email alerts for critical audit events like multiple failed sign-in attempts, excessive data downloads and unauthorized deletion of sensitive content. Alerts should notify admins as soon as possible of high-risk activity that requires an emergency response.

Example: Getting Alerts for Document Deletions

Turn on daily aggregation reports for deleted SharePoint site collections, sites, lists, libraries, folders and documents. Generate email alerts for admins if the daily deletion tally for critical sites or libraries exceeds expected thresholds, triggering incident response.
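A daily deletion tally with a per-site threshold, as an added example built on the Microsoft 365 unified audit log (this is not code from the original article). It assumes the ExchangeOnlineManagement module for Search-UnifiedAuditLog, covers file and folder deletions only, and uses placeholder site URLs, thresholds and SMTP settings:

```powershell
# Added example: count file/folder deletions per site over the last 24 hours
# and alert the incident response mailbox when a critical site exceeds its
# expected volume. Thresholds are placeholders to tune per site.

$Thresholds = @{
    "https://contoso.sharepoint.com/sites/management" = 20   # placeholder
    "https://contoso.sharepoint.com/sites/research"   = 10   # placeholder
}
$DeleteOps = "FileDeleted", "FileRecycled", "FileDeletedFirstStageRecycleBin",
             "FileDeletedSecondStageRecycleBin", "FolderDeleted", "FolderRecycled"

Connect-ExchangeOnline -ShowBanner:$false

$end   = Get-Date
$start = $end.AddDays(-1)
$tally = @{}
$sessionId = "DeletionTally-" + $end.ToString("yyyyMMddHHmm")
do {
    # Page through results; one call returns at most 5000 records.
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType SharePointFileOperation `
        -Operations $DeleteOps -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    foreach ($rec in $batch) {
        $data = $rec.AuditData | ConvertFrom-Json        # AuditData is a JSON payload
        $site = "$($data.SiteUrl)".TrimEnd("/")
        if (-not $tally.ContainsKey($site)) { $tally[$site] = @{ Count = 0; Users = @{} } }
        $tally[$site].Count++
        $tally[$site].Users[$data.UserId] = 1 + [int]$tally[$site].Users[$data.UserId]
    }
} while ($batch -and $batch.Count -eq 5000)

# Compare each critical site with its expected daily deletion volume and name
# the accounts behind the spike, which is what the responder needs first.
$alerts = foreach ($site in $Thresholds.Keys) {
    $count = if ($tally.ContainsKey($site)) { $tally[$site].Count } else { 0 }
    if ($count -gt $Thresholds[$site]) {
        $top = $tally[$site].Users.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 3
        $who = ($top | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ", "
        "{0}: {1} deletions in 24h (threshold {2}). Top accounts: {3}" -f $site, $count, $Thresholds[$site], $who
    }
}

if ($alerts) {
    # Placeholder SMTP details; route to the mailbox that opens incidents.
    Send-MailMessage -SmtpServer "smtp.contoso.com" -From "sharepoint-audit@contoso.com" `
        -To "secops@contoso.com" -Subject "SharePoint deletion threshold exceeded" -Body ($alerts -join "`n")
}
```

Schedule the script once a day; audit events can take some hours to appear in the unified log, so a run covering the previous 24 hours is more reliable than a real-time query.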

Additional SharePoint Security Tips

Beyond permissions, encryption and auditing, additional practices boost SharePoint security.

Using Multi-Factor Authentication

Activate multi-factor authentication (MFA) through Active Directory or a third-party identity provider to harden sign-in security. MFA reduces account compromise from stolen credentials by requiring a secondary form of verification like a security code sent to users’ mobile devices.

Scanning for Vulnerabilities

Routinely scan SharePoint for security misconfigurations and missing patches, which attackers exploit. Use built-in Microsoft tools like Security Validation and the Security Scorecard. Additionally, employ third-party vulnerability scanners tailored to finding SharePoint exposures.

Training End Users on Security

Educate end users on SharePoint security best practices related to credentials, downloading sensitive data and identifying social engineering attacks. Include security in new employee onboarding processes. Frequently refresh training to keep security top of mind for users across the organization.
