sharepoint security
play

SharePoint Security Advanced SharePoint Security Tips and Tools 05 - PowerPoint PPT Presentation

Jul 22, 2023 •40 likes •490 views

SharePoint Security Advanced SharePoint Security Tips and Tools 05 Oct 2010 Presen sented ted by: Francis Brown Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W Brief f Intro o to o SharePoint ePoint Overview of

  1. SharePoint Security Advanced SharePoint Security Tips and Tools 05 Oct 2010 Presen sented ted by: Francis Brown Stach & Liu, LLC www.stachliu.com

  2. Agenda O V E R V I E W • Brief f Intro o to o SharePoint ePoint • Overview of Major Components • ShareP ePoint oint Secu curity ity • Security Tips and Tools 2

  3. Background G E T T I N G U P T O S P E E D 3

  4. Background MS SharePoint Products & Technologies • Windo dows ws SharePoint ePoint Servic vices es (WSS) ) • Office ice ShareP ePoint oint Server ver 2007/2010 7/2010 (MOSS) S) • ShareP ePoint oint Desig igner ner 2007/201 7/2010 0 (SPD PD) 4

  5. Background MS SharePoint Products & Technologies 5

  6. Background MS SharePoint Products & Technologies 6

  7. Background MS SharePoint Products & Technologies 7

  8. Background MS SharePoint Products & Technologies 8

  9. Site Hierarchy Intro to SharePoint 9

  10. SharePoint Site Hierarchy Intro to SharePoint Base Site e URLs Ls: • http://learnsouth/ • http://learnsouth/Media/ • http://learnsouth/Revisions/ • http://learnsouth/Schools/ • http://learnsouth/Schools/SchoolA/ • http://learnsouth/Schools/SchoolB/ • http://learnsouth/Schools/SchoolC/ 10

  11. Site Structure Intro to SharePoint 11

  12. Site Navigation Intro to SharePoint 12

  13. Security Tips W H A T Y O U S H O U L D K N O W 13

  14. Security Tips S H A R E P O I N T S E C U R I T Y # Security Tip 1 Know your external exposure … 2 Beware of normal users with excessive access … 3 Spot check user permissions and inheritance… 4 Beware third-party plugins/code…BUT not too much… 5 Backup every which way from Sunday… … 14

  15. Security Tip #1 K N O W Y O U R E X T E R N A L E X P O S U R E 15

  16. External Exposure F I N D I N G H O L E S 1. “Google Hack yourself” 1. Search Google for exposed SharePoint admin pages 2. E.g. inurl :"/_catalogs/wt/“ 3. NEW: SharePoint Google Regexs for S&L SearchDiggity – 109 queries 3. 2. SharePoint URL Brute-forcing 1. Forceful browse to common SharePoint extensions to test access 2. 2. NEW: Tool to bruteforce SharePoint URLs – 89 known extensions 3. Nmap for other SharePoint administrative apps 1. E.g. Central Administration, Shared Service Providers (SSP) 16

  17. External Exposure G O O G L E H A C K I N G S H A R E P O I N T 17

  18. S H A R E P O I N T H A C K I N G T O O L S DEMO DEMO 18

  19. Security Tip #2 B E W A R E U S E R S W I T H E X C E S S I V E A C C E S S 19

  20. C O N T I N U E D S H A R E P O I N T H A C K I N G DEMO DEMO 20

  21. Excessive User Access M O R E T H A N Y O U B A R G A I N E D F O R . . . • Web Servic vices es examples mples • Admin.asmx • Permissions.asmx • User Administr inistration ation examples mples • “People and Groups” • ”Add Users” • “ PeoplePicker ” 21

  22. Security Tip #3 C H E C K P E R M I S S I O N S A N D I N H E R I T A N C E 22

  23. User Permissions S E C U R I T Y T I P S 23

  24. User Permissions S E C U R I T Y T I P S 24

  25. User Permissions S E C U R I T Y T I P S 25

  26. Security Tools U S E R P E R M I S S I O N S 26

  27. Security Tools U S E R P E R M I S S I O N S 27

  28. Security Tools U S E R P E R M I S S I O N S 28

  29. Security Tip #4 B E W A R E T H I R D- P A R T Y C O D E… N O T T O O M U C H 29

  30. Third-Party Plugins N E C E S S A R Y E V I L • SharePoint without third-party plugins is like an iPhone with no apps • Solutions, Features • Web Parts, Templates • If too strict, people will circumvent you 30

  31. Third-Party Plugins S O L U T I O N S 31

  32. Third-Party Plugins S O L U T I O N S 32

  33. Third-Party Plugins F E A T U R E S 33

  34. Third-Party Plugins F E A T U R E S 34

  35. Third-Party Plugins F U T U R E S E C U R I T Y • SharePoint 2010 has sandboxed solutions • Minimize risk of running untrusted third-party plugins 35

  36. Third-Party Plugins S A N D B O X E D S O L U T I O N S 36

  37. Security Tip #5 B A C K U P E V E R Y W H I C H W A Y F R O M S U N D A Y 37

  38. Backups M A N Y M E T H O D S … A L L T E R R I B L E 1. Windows 2003/2008 Server backups 2. Stsadm.exe cmdline tool backups 3. Central Administration v3 backups 4. SharePoint Designer backups 5. Site and List template backups 6. Raw MS SQL database backups 38

  39. Backups S H A R E P O I N T D E S I G N E R 39

  40. Backups S T S A D M / C E N T R A L A D M I N I S T R A T I O N 40

  41. Backups S I T E A N D L I S T T E M P L A T E S 41

  42. Backups S I T E A N D L I S T T E M P L A T E S 42

  43. Backups R A W S Q L D A T A B A S E S Farm Config DB Central Administration Console/ Custom Backup Application File Server Content DB Content DB Search SSP DB Index Full Back up Differntial SQL Backup/Restore 43

  44. Questions? Ask us something We’ll try to answer it. For more info: Email: contact@stachliu.com Project: diggity@stachliu.com Stach & Liu, LLC www.stachliu.com

  45. Thank You Stach & Li Liu SharePoi oint nt Hacking Diggity Project ect info: http://www.stachliu.com/index.php/resources/tools/sharepoint-hacking-diggity-project/ 45

Recommend

SharePoint Security Advanced SharePoint Security Tips and Tools 22 Feb 2012 OWASP L.A. 2012

SharePoint Security Advanced SharePoint Security Tips and Tools 22 Feb 2012 OWASP L.A. 2012

SharePoint Security Advanced SharePoint Security Tips and Tools 22 Feb 2012 OWASP L.A. 2012 Los Angeles, CA Presen sented ed b by: Francis Brown Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W Br Brief ef Int

606 views • 58 slides
Office Online Sanjoyan Mustafi Senior Program Manager SharePoint & OneDrive Security &

Office Online Sanjoyan Mustafi Senior Program Manager SharePoint & OneDrive Security &

New features for Sensitivity labels: SharePoint, Teams, Office Online Sanjoyan Mustafi Senior Program Manager SharePoint & OneDrive Security & Compliance https://www.linkedin.com/in/Sanjoyan/ Admin: New label creation flow for

375 views • 14 slides
Upgrading SharePoint 2010 to SharePoint 2013 Todd Klindt SharePoint Nerd Rackspace Who is this

Upgrading SharePoint 2010 to SharePoint 2013 Todd Klindt SharePoint Nerd Rackspace Who is this

Upgrading SharePoint 2010 to SharePoint 2013 Todd Klindt SharePoint Nerd Rackspace Who is this Todd guy? WSS MVP since 2006 Speaker, writer, consultant, lover of cheese Personal Blog www.toddklindt.com/blog Company web

565 views • 27 slides
SharePoint Online Introduction Scott A. Concilla Microsoft Certified Trainer IM-61, OCIO,

SharePoint Online Introduction Scott A. Concilla Microsoft Certified Trainer IM-61, OCIO,

SharePoint Online Introduction Scott A. Concilla Microsoft Certified Trainer IM-61, OCIO, Department of Energy Class Topics Understanding SharePoint Online SharePoint Online Structure Navigating a SharePoint Site SharePoint

944 views • 90 slides
SharePoint Connect and empower your organisation Stefanie Kechayas Senior Consultant 17

SharePoint Connect and empower your organisation Stefanie Kechayas Senior Consultant 17

Enhancing community sector service delivery SharePoint Connect and empower your organisation Stefanie Kechayas Senior Consultant 17 February 2016 Technology for Social Justice Today 1. What is SharePoint? 2. Why use SharePoint? a. Some

523 views • 33 slides
SharePoint A first look Sahil Malik www.winsmarts.com Agenda End user level

SharePoint A first look Sahil Malik www.winsmarts.com Agenda End user level

SharePoint A first look Sahil Malik www.winsmarts.com Agenda End user level familiarization with SharePoint An overview of development choices and your development machine Pre-Requisites A SharePoint site with 4 users, Tiger

336 views • 21 slides
SharePoint Admin 101 (and beyond) Shane Young 13 Year SharePoint MVP

SharePoint Admin 101 (and beyond) Shane Young 13 Year SharePoint MVP

SharePoint Admin 101 (and beyond) Shane Young 13 Year SharePoint MVP Shane@powerapps911.com @ShanesCows http://www.youtube.com/ShaneYoungCloud Cincinnati, Ohio https://www.PowerApps911.com https://www.BoldZebras.com

430 views • 17 slides
Implementing SharePoint A Case Study on tailoring SharePoint to meet agency recordkeeping needs

Implementing SharePoint A Case Study on tailoring SharePoint to meet agency recordkeeping needs

Implementing SharePoint A Case Study on tailoring SharePoint to meet agency recordkeeping needs Mary Ann Rosenthal Team Leader Information Management Whittlesea Growing 2007 population 133,000 2017 population 216,000 2028

551 views • 30 slides
PowerShell with SharePoint Server and Office 365 Shane Young 13 Year SharePoint MVP

PowerShell with SharePoint Server and Office 365 Shane Young 13 Year SharePoint MVP

PowerShell with SharePoint Server and Office 365 Shane Young 13 Year SharePoint MVP Shane@powerapps911.com @ShanesCows http://www.youtube.com/ShaneYoungCloud Cincinnati, Ohio https://www.PowerApps911.com

1.55k views • 45 slides
Scaling SharePoint Farms with MinRole & Other T ools Spencer Harbar #SPSMUC02 October 10 th ,

Scaling SharePoint Farms with MinRole & Other T ools Spencer Harbar #SPSMUC02 October 10 th ,

Scaling SharePoint Farms with MinRole & Other T ools Spencer Harbar #SPSMUC02 October 10 th , 2015 About Spencer Harbar Agenda SharePoint T opology Fundamental Truths SharePoint (any version) is not designed from the cloud up

412 views • 29 slides
Discovery of Challenging Sources: SharePoint, Unstructured Data, the Cloud and Beyond Panelist:

Discovery of Challenging Sources: SharePoint, Unstructured Data, the Cloud and Beyond Panelist:

Discovery of Challenging Sources: SharePoint, Unstructured Data, the Cloud and Beyond Panelist: Larry Briggi Leigh Isaacs Karin Roberts Moderator: Mary Pat Poteet Security issues of the Cloud: What to avoid and how to batten down the

418 views • 15 slides
SHAREPOINT SERVER 2016 Todd Klindt SharePoint MVP since 2006 Speaker, writer, consultant,

SHAREPOINT SERVER 2016 Todd Klindt SharePoint MVP since 2006 Speaker, writer, consultant,

TODD KLINDT UPGRADING TO SHAREPOINT SERVER 2016 Todd Klindt SharePoint MVP since 2006 Speaker, writer, consultant, Aquarius, Iowa Native Fan of all Microsoft Technologies Personal Blog: www.toddklindt.com/blog Twitter: @toddklindt Podcast:

296 views • 27 slides
Using Flow in your On Premise Environment SharePoint Saturday Baltimore #SPSBMORE May 20, 2017

Using Flow in your On Premise Environment SharePoint Saturday Baltimore #SPSBMORE May 20, 2017

Using Flow in your On Premise Environment SharePoint Saturday Baltimore #SPSBMORE May 20, 2017 About Me SharePoint consultant who specializes in easy to use solutions for simplifying and automating business processes. Federal client

300 views • 19 slides
Modernization of TSD Documentation Using SharePoint Yun He TSD Topical Meeting August 16, 2018

Modernization of TSD Documentation Using SharePoint Yun He TSD Topical Meeting August 16, 2018

Modernization of TSD Documentation Using SharePoint Yun He TSD Topical Meeting August 16, 2018 Outline How to navigate TSD online documentation system TSD public web site: http://targets.fnal.gov/ TSD SharePoint sites: Public:

544 views • 12 slides
FastTrack from FastTrack SharePoint Presentation www.officelabs.co.uk By OfficeLabs CONTENTS

FastTrack from FastTrack SharePoint Presentation www.officelabs.co.uk By OfficeLabs CONTENTS

FastTrack from FastTrack SharePoint Presentation www.officelabs.co.uk By OfficeLabs CONTENTS FastTrack SharePoint What is it? Key Benefits Key Features Support Next Step FastTrack SharePoint Presentation

389 views • 7 slides
University of Illinois SharePoint Shared Service Birds of a Feather Roundtable

University of Illinois SharePoint Shared Service Birds of a Feather Roundtable

University of Illinois SharePoint Shared Service Birds of a Feather Roundtable https://web.uillinois.edu/sharepoint Phil Nyman & Larry Gibson Spring UIUC IT Pro Forum @ iHotel June 8, 2017 Who are we? Phil Nyman Technology

524 views • 17 slides
Social Computing in SharePoint 2010 IN COLLABORATION WITH Agenda Welcome and Introduction

Social Computing in SharePoint 2010 IN COLLABORATION WITH Agenda Welcome and Introduction

Social Computing in SharePoint 2010 IN COLLABORATION WITH Agenda Welcome and Introduction SharePoint 2010 Overview Social Computing Overview A Day In the Life SC In SharePoint 2010 Conclusions and Next Steps

531 views • 36 slides
2012 Natural Gas Conference Portland, Oregon September 24, 2012 What is SharePoint?

2012 Natural Gas Conference Portland, Oregon September 24, 2012 What is SharePoint?

2012 Natural Gas Conference Portland, Oregon September 24, 2012 What is SharePoint? SharePoint is a website that is accessed through a web browser (Internet Explorer, FireFox, etc) and an internet connection with an assigned

298 views • 25 slides
SharePoint 2010 Digital Marketing Executive Roundtable December 2 nd , 2010 Introductions

SharePoint 2010 Digital Marketing Executive Roundtable December 2 nd , 2010 Introductions

SharePoint 2010 Digital Marketing Executive Roundtable December 2 nd , 2010 Introductions Joe Seguin, Director Consulting Services Peter Mackenzie, Vice President Peter Carson, President Our Focus Focused on complex SharePoint

1.06k views • 39 slides
ARAS - Load Test Tool GENERAL DESCRIPTION POINT OF SHAREPOINT console application (command

ARAS - Load Test Tool GENERAL DESCRIPTION POINT OF SHAREPOINT console application (command

Presentation of POINT OF SHAREPOINT ARAS - Load Test Tool GENERAL DESCRIPTION POINT OF SHAREPOINT console application (command line tool) multi-threaded environment (simulates real work scenario) configuration based (connection

362 views • 10 slides
Scott A. Concilla Microsoft Certified Trainer LCG Systems Description The class covers

Scott A. Concilla Microsoft Certified Trainer LCG Systems Description The class covers

Scott A. Concilla Microsoft Certified Trainer LCG Systems Description The class covers the basics of working in a SharePoint list for end users. Audience Anyone who uses a SharePoint list. Prerequisite SharePoint 2010 -

1.52k views • 114 slides
Scott Diener, Ph.D. Associate Director, IT Services Academic Support s.diener@auckland.ac.nz

Scott Diener, Ph.D. Associate Director, IT Services Academic Support s.diener@auckland.ac.nz

Scott Diener, Ph.D. Associate Director, IT Services Academic Support s.diener@auckland.ac.nz Sharepoint Ribbon UI SharePoint Workspace SharePoint Mobile Business Connectivity Services Office Client and Office Web App Integration InfoPath

732 views • 20 slides
SHAREPOINT AND OFFICE 365 HYBRID BETTER TOGETHER TODD KLINDT, SHAREPOINT MVP @TODDKLINDT

SHAREPOINT AND OFFICE 365 HYBRID BETTER TOGETHER TODD KLINDT, SHAREPOINT MVP @TODDKLINDT

SHAREPOINT AND OFFICE 365 HYBRID BETTER TOGETHER TODD KLINDT, SHAREPOINT MVP @TODDKLINDT HTTP://WWW.TODDKLINDT.COM WHO IS THIS TODD KLINDT GUY? www.toddklindt.com/blog todd@toddklindt.com

678 views • 39 slides
Designing Your SharePoint Extranet to Work for You Presented by Peter Carson President, Envision

Designing Your SharePoint Extranet to Work for You Presented by Peter Carson President, Envision

Designing Your SharePoint Extranet to Work for You Presented by Peter Carson President, Envision IT April 19, 2012 Peter Carson President, Envision IT SharePoint MVP Virtual Technical Specialist, Microsoft Canada

736 views • 51 slides

More recommend