SharePoint Security: Advanced SharePoint Security Tips and Tools. 22 Feb 2012 – OWASP L.A. 2012 – Los Angeles, CA. Presented by: Francis Brown, Stach & Liu, LLC, www.stachliu.com
Agenda O V E R V I E W • Brief Intro to SharePoint • Overview of Major Components • SharePoint Security • Security Tips and Tools
Background G E T T I N G U P T O S P E E D
Background MS SharePoint Products & Technologies • Windows SharePoint Services (WSS) • Office SharePoint Server 2007/2010 (MOSS) • SharePoint Designer 2007/2010 (SPD)
Core Components MS SharePoint Products & Technologies
Centralized Portal MS SharePoint Products & Technologies
Site Hierarchy Intro to SharePoint
SharePoint Site Hierarchy Intro to SharePoint. Base Site URLs: • http://learnsouth/ • http://learnsouth/Media/ • http://learnsouth/Revisions/ • http://learnsouth/Schools/ • http://learnsouth/Schools/SchoolA/ • http://learnsouth/Schools/SchoolB/ • http://learnsouth/Schools/SchoolC/
Site Structure Intro to SharePoint
Site Navigation Intro to SharePoint
Security Tips W H A T Y O U S H O U L D K N O W
WikiLeaks and SharePoint R I S K O F E X P O S U R E • Wget scripts targeting SharePoint downloads • 250,000 government cables sent to WikiLeaks
Security Tips S H A R E P O I N T S E C U R I T Y
1. Know your external exposure…
2. Beware of normal users with excessive access…
3. Spot check user permissions and inheritance…
4. Beware 3rd party plugins/code… BUT not too much…
5. Backup every which way from Sunday…
…
Security Tip #1 K N O W Y O U R E X T E R N A L E X P O S U R E
External Exposure F I N D I N G H O L E S
1. "Google Hack yourself"
   1. Search Google for exposed SharePoint admin pages
   2. E.g. inurl:"/_catalogs/wt/"
   3. NEW: SharePoint Google Regexs for S&L SearchDiggity – 121 queries
   4. Coming Soon: SharePoint Bing Dictionary
   5. SHODAN searching for SharePoint servers
   6. SharePoint Hacking Alerts
2. SharePoint URL Brute-forcing
   1. Forceful browse to common SharePoint extensions to test access
   2. NEW: Tool to bruteforce SharePoint URLs – 101 known extensions
3. Nmap for other SharePoint administrative apps
   1. E.g. Central Administration, Shared Service Providers (SSP)
External Exposure S H A R E P O I N T A D M I N W E B A P P S
External Exposure G O O G L E H A C K I N G S H A R E P O I N T
External Exposure B I N G H A C K I N G S H A R E P O I N T
External Exposure S H O D A N F O R S H A R E P O I N T
External Exposure S H A R E P O I N T H A C K I N G A L E R T S
S H A R E P O I N T H A C K I N G T O O L S DEMO
External Exposure S H A R E P O I N T U R L B R U T E F O R C I N G
Security Tip #2 B E W A R E U S E R S W I T H E X C E S S I V E A C C E S S
Excessive User Access M O R E T H A N Y O U B A R G A I N E D F O R . . .
• Web Services examples
  • Admin.asmx
  • Permissions.asmx
• User Administration examples
  • "People and Groups"
  • "Add Users"
  • "PeoplePicker"
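The two checks above (Tip 1: "Google hack yourself" and forceful browsing of known SharePoint URLs; Tip 2: whether web services such as Permissions.asmx and the user-administration pages answer to an unauthenticated request) can be scripted with nothing but the standard library. The probe below is an added example written for this page, not the Stach & Liu SharePoint URL Brute Forcer, SearchDiggity or any Stach & Liu code. Its path list is a small illustrative subset of SharePoint 2007/2010 layouts, catalogs and web services that I assume from product documentation (the deck's 101-entry list is not reproduced); the host http://learnsouth/ is the deck's example site; the function names, the verdict labels and the login-page markers used to spot forms-auth redirects are my own assumptions.

```python
"""Probe a SharePoint site for admin pages and web services reachable without credentials.

Added example for this deck, not Stach & Liu tooling. Paths are an assumed,
illustrative subset of well-known SharePoint 2007/2010 URLs.
"""
from urllib.parse import urljoin
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

# (relative path, what it exposes). Assumed subset; extend with your own list.
SHAREPOINT_PATHS = [
    ("_catalogs/wt/", "site template gallery (the deck's example dork)"),
    ("_catalogs/wp/", "web part gallery"),
    ("_catalogs/masterpage/", "master page gallery"),
    ("_layouts/viewlsts.aspx", "All Site Content listing"),
    ("_layouts/people.aspx", "People and Groups"),
    ("_layouts/aclinv.aspx", "Add Users"),
    ("_layouts/user.aspx", "site permissions"),
    ("_layouts/settings.aspx", "Site Settings"),
    ("_vti_bin/Permissions.asmx", "Permissions web service"),
    ("_vti_bin/Lists.asmx", "Lists web service"),
    ("_vti_adm/Admin.asmx", "Admin web service (Central Administration only)"),
]

# Final URLs containing these markers mean a 200 is just the login page.
LOGIN_MARKERS = ("authenticate.aspx", "login.aspx", "accessdenied.aspx")


def google_dorks(paths=SHAREPOINT_PATHS):
    """Turn the path list into inurl: queries for 'Google hack yourself'."""
    return ['inurl:"/%s"' % path for path, _desc in paths]


def http_fetch(url, timeout=5):
    """GET url with no credentials. Returns (status, final_url) after redirects,
    or (None, url) when the host cannot be reached."""
    req = Request(url, headers={"User-Agent": "sp-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.geturl()
    except HTTPError as err:
        return err.code, url
    except URLError:
        return None, url


def classify(status, requested_url, final_url):
    """Map a response to a verdict. A 200 that arrived via a redirect to a
    forms-auth login page is NOT exposure; treating it as such is the usual
    false positive of naive brute-forcers."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth required"
    if status == 404:
        return "absent"
    if status == 200:
        redirected = final_url != requested_url
        if redirected and any(m in final_url.lower() for m in LOGIN_MARKERS):
            return "auth required"
        return "EXPOSED"
    return "other (%d)" % status


def probe(base_url, paths=SHAREPOINT_PATHS, fetch=http_fetch):
    """Forcefully browse each known path under base_url (site or subsite).
    fetch is injectable so the logic can be exercised offline."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    results = []
    for path, desc in paths:
        url = urljoin(base, path)
        status, final_url = fetch(url)
        results.append({"url": url, "status": status,
                        "verdict": classify(status, url, final_url), "what": desc})
    return results


def exposed(results):
    """URLs that answered with real content to an anonymous request."""
    return [r["url"] for r in results if r["verdict"] == "EXPOSED"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://learnsouth/"
    print("Dorks to run against the search engines:")
    for dork in google_dorks():
        print("  " + dork + " site:yourdomain.example")
    print("Forceful browse of %s:" % target)
    for r in probe(target):
        print("  %-14s %-4s %s  (%s)" % (r["verdict"], r["status"], r["url"], r["what"]))
```

Run it against each base site URL in the hierarchy (subsites can break permission inheritance, so a clean root proves nothing about http://learnsouth/Schools/SchoolA/), and run it a second time with a normal user's session cookie to see what Tip 2 is about: pages such as Add Users and the Permissions web service that a member should not be able to reach.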
C O N T I N U E D S H A R E P O I N T H A C K I N G DEMO
Excessive User Access S H A R E P O I N T W E B S E R V I C E S
Security Tip #3 C H E C K P E R M I S S I O N S A N D I N H E R I T A N C E
User Permissions S E C U R I T Y T I P S
Security Tools U S E R P E R M I S S I O N S
Security Tip #4 B E W A R E 3 R D P A R T Y C O D E… N O T T O O M U C H
3rd Party Plugins N E C E S S A R Y E V I L • SharePoint without 3rd party plugins is like an iPhone with no apps • Solutions, Features • Web Parts, Templates • If too strict, people will circumvent you • Leads to rogue SharePoint deployments
Detect Rogue SharePoint R O G U E D E P L O Y M E N T S Quest Software - Server Administrator for SharePoint
Detect Rogue SharePoint R O G U E D E P L O Y M E N T S McAfee - Network Discovery for Microsoft SharePoint
3rd Party Plugins S O L U T I O N S
3rd Party Plugins F E A T U R E S
3rd Party Plugins F U T U R E S E C U R I T Y • SharePoint 2010 has sandboxed solutions • Minimize risk of running untrusted 3rd party plugins
3rd Party Plugins S A N D B O X E D S O L U T I O N S
Security Tip #5 B A C K U P E V E R Y W H I C H W A Y F R O M S U N D A Y
Backups M A N Y M E T H O D S … M O S T T E R R I B L E
1. Microsoft System Center: Data Protection Manager
2. Windows 2003/2008 Server backups
3. stsadm.exe command-line tool backups
4. Central Administration v3 backups
5. SharePoint Designer backups
6. Site and List template backups
7. Raw MS SQL database backups
Backups S H A R E P O I N T D E S I G N E R
Backups S T S A D M / C E N T R A L A D M I N I S T R A T I O N
Backups S I T E A N D L I S T T E M P L A T E S
Backups R A W S Q L D A T A B A S E S
Questions? Ask us something. We'll try to answer it. For more info: Email: contact@stachliu.com Project: diggity@stachliu.com Stach & Liu, LLC www.stachliu.com
Thank You. Stach & Liu SharePoint Hacking Diggity Project info: http://www.stachliu.com/index.php/resources/tools/sharepoint-hacking-diggity-project/