SharePoint Security and Penetration Testing

There is a course on Pluralsight: Penetration Testing SharePoint by Liam Cleary.

Here are some fundamentals every SharePoint architect should know about how to protect a SharePoint environment, taken from this course and from my personal experience.

Security basics

  • audit environment, document it (annual, semi-annual)
  • permission matrix and authentication flow (semi-annual, monthly) – using third-party tools
  • test environment security

Protect from the Scans

  • Monitoring
  • Access control (accounts, passwords, least permissions, audit)
  • Port restriction (enable only required ports and protocols)
  • Server firewall (including SQL, SharePoint, OOS, Workflow) + Isolation
  • Local Computer Policies
  • Network firewall (incl. edge firewall and internal firewall)
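The scans the list above defends against leave a recognisable trace once the server firewall logs dropped packets (Windows Firewall writes them to pfirewall.log when `Set-NetFirewallProfile -LogBlocked True` is set). The PowerShell below is an added example, not code from the course or from the original post: it parses a few constructed log lines embedded inline, in the column order of the pfirewall.log `#Fields:` header, and flags a source that probes many ports on one host (port sweep) or one port across many hosts (host sweep). The sample addresses and both thresholds are assumptions.

```powershell
# Added example: detect port sweeps / host sweeps in Windows Firewall log lines.
# The log lines are constructed; the column layout follows the pfirewall.log
# "#Fields:" header (date time action protocol src-ip dst-ip src-port dst-port ...).
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:01:02 DROP TCP 192.168.214.50 192.168.214.10 51234 21 52 S 1 0 8192 - - - RECEIVE
2024-01-15 10:01:02 DROP TCP 192.168.214.50 192.168.214.10 51235 22 52 S 1 0 8192 - - - RECEIVE
2024-01-15 10:01:02 DROP TCP 192.168.214.50 192.168.214.10 51236 23 52 S 1 0 8192 - - - RECEIVE
2024-01-15 10:01:03 DROP TCP 192.168.214.50 192.168.214.10 51237 1433 52 S 1 0 8192 - - - RECEIVE
2024-01-15 10:01:03 DROP TCP 192.168.214.50 192.168.214.10 51238 3389 52 S 1 0 8192 - - - RECEIVE
2024-01-15 10:01:03 DROP TCP 192.168.214.50 192.168.214.10 51239 5985 52 S 1 0 8192 - - - RECEIVE
2024-01-15 10:02:10 DROP TCP 192.168.214.60 192.168.214.11 40001 3389 52 S 1 0 8192 - - - RECEIVE
2024-01-15 10:02:10 DROP TCP 192.168.214.60 192.168.214.12 40002 3389 52 S 1 0 8192 - - - RECEIVE
2024-01-15 10:02:11 DROP TCP 192.168.214.60 192.168.214.13 40003 3389 52 S 1 0 8192 - - - RECEIVE
2024-01-15 10:02:11 DROP TCP 192.168.214.60 192.168.214.14 40004 3389 52 S 1 0 8192 - - - RECEIVE
2024-01-15 10:05:00 ALLOW TCP 192.168.214.20 192.168.214.10 49152 443 0 - 0 0 0 - - - RECEIVE
'@

function ConvertFrom-FirewallLog {
    # Turn raw pfirewall.log lines into objects; header and blank lines are skipped
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        [pscustomobject]@{
            Time     = [datetime]"$($f[0]) $($f[1])"
            Action   = $f[2]
            Protocol = $f[3]
            SrcIp    = $f[4]
            DstIp    = $f[5]
            DstPort  = [int]$f[7]
        }
    }
}

function Find-ScanActivity {
    param(
        [object[]]$Events,
        [int]$PortThreshold = 5,   # distinct ports on one host from one source (assumed value)
        [int]$HostThreshold = 3    # distinct hosts on one port from one source (assumed value)
    )
    $dropped = $Events | Where-Object { $_.Action -eq 'DROP' }

    # Port sweep: one source, one destination host, many distinct destination ports
    $dropped | Group-Object SrcIp, DstIp | ForEach-Object {
        $ports = @($_.Group.DstPort | Sort-Object -Unique)
        if ($ports.Count -ge $PortThreshold) {
            [pscustomobject]@{
                Type   = 'PortSweep'
                Source = $_.Group[0].SrcIp
                Target = $_.Group[0].DstIp
                Detail = "ports: $($ports -join ',')"
            }
        }
    }

    # Host sweep: one source, one destination port, many distinct destination hosts
    $dropped | Group-Object SrcIp, DstPort | ForEach-Object {
        $hosts = @($_.Group.DstIp | Sort-Object -Unique)
        if ($hosts.Count -ge $HostThreshold) {
            [pscustomobject]@{
                Type   = 'HostSweep'
                Source = $_.Group[0].SrcIp
                Target = "port $($_.Group[0].DstPort)"
                Detail = "hosts: $($hosts -join ',')"
            }
        }
    }
}

$events = ConvertFrom-FirewallLog -Lines ($sampleLog -split "`r?`n")
Find-ScanActivity -Events $events | Format-Table -AutoSize
```

On a real server replace `$sampleLog` with `Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log` (the default log path) and tune the two thresholds to the normal traffic of the farm; the ALLOW line in the sample shows that permitted traffic is ignored, so only the dropped probes that the port restriction produced are counted.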

IIS – web.config

  • <authentication …>
  • <microsoft.identityModel>
  • <location path …><allow users …>
  • viewlsts.aspx – protect using <location path …><allow users …> at the IIS level
  • … CallStack …
  • <CustomErrors …>
  • <appSettings>
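To show what the web.config items above look like in practice, here is an added PowerShell example (not from the course or the original post) that audits a web.config for the CallStack, CustomErrors and viewlsts.aspx settings and applies the hardened values. It works on a constructed, trimmed web.config fragment embedded inline so it runs offline; the `_layouts/15/viewlsts.aspx` location path, the `CONTOSO\spadmin` account and the XPath layout of a SharePoint web.config (`<configuration><SharePoint><SafeMode …>` and `<system.web><customErrors …>`) are assumptions.

```powershell
# Added example: audit and harden the settings listed above in a SharePoint web.config.
# The XML is a constructed fragment; on a farm server load the real file with
# [xml](Get-Content <path to web.config>) instead.
$sampleWebConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="true" AllowPageLevelTrace="false" />
  </SharePoint>
  <system.web>
    <customErrors mode="Off" />
    <authentication mode="Forms" />
  </system.web>
  <appSettings>
    <add key="aspnet:MaxHttpCollectionKeys" value="1000" />
  </appSettings>
</configuration>
'@

$viewLstsXPath = "/configuration/location[@path='_layouts/15/viewlsts.aspx']"

function Test-SPWebConfig {
    # Report the three checks as booleans; $true means the hardened value is in place
    param([xml]$Config)
    $safeMode     = $Config.SelectSingleNode('/configuration/SharePoint/SafeMode')
    $customErrors = $Config.SelectSingleNode('/configuration/system.web/customErrors')
    $viewLsts     = $Config.SelectSingleNode($viewLstsXPath)
    [pscustomobject]@{
        CallStackDisabled  = ($null -ne $safeMode -and $safeMode.GetAttribute('CallStack') -eq 'false')
        CustomErrorsOn     = ($null -ne $customErrors -and $customErrors.GetAttribute('mode') -in 'On','RemoteOnly')
        ViewLstsRestricted = ($null -ne $viewLsts)
    }
}

function Set-SPWebConfigHardening {
    # Modifies the XmlDocument in place (it is a reference type)
    param([xml]$Config, [string]$AllowedUsers)

    # Stop stack traces and detailed ASP.NET errors from reaching the browser
    $safeMode = $Config.SelectSingleNode('/configuration/SharePoint/SafeMode')
    if ($safeMode) { $safeMode.SetAttribute('CallStack', 'false') }
    $customErrors = $Config.SelectSingleNode('/configuration/system.web/customErrors')
    if ($customErrors) { $customErrors.SetAttribute('mode', 'On') }

    # Restrict viewlsts.aspx ("view all site content") to named accounts, deny everyone else
    if (-not $Config.SelectSingleNode($viewLstsXPath)) {
        $location = $Config.CreateElement('location')
        $location.SetAttribute('path', '_layouts/15/viewlsts.aspx')
        $systemWeb     = $Config.CreateElement('system.web')
        $authorization = $Config.CreateElement('authorization')
        $allow = $Config.CreateElement('allow'); $allow.SetAttribute('users', $AllowedUsers)
        $deny  = $Config.CreateElement('deny');  $deny.SetAttribute('users', '*')
        [void]$authorization.AppendChild($allow)
        [void]$authorization.AppendChild($deny)
        [void]$systemWeb.AppendChild($authorization)
        [void]$location.AppendChild($systemWeb)
        [void]$Config.DocumentElement.AppendChild($location)
    }
}

$config = [xml]$sampleWebConfig
'Before:'; Test-SPWebConfig -Config $config | Format-List
Set-SPWebConfigHardening -Config $config -AllowedUsers 'CONTOSO\spadmin'   # placeholder account
'After:';  Test-SPWebConfig -Config $config | Format-List
$config.OuterXml   # the hardened fragment, for inspection
```

Two caveats a practitioner should keep in mind: each web front end has its own copy of the web application's web.config, so a hand edit has to be repeated on every WFE, and SharePoint can rewrite the file (for example when a web application is extended or a solution is deployed), which is why the supported way to persist such changes is SPWebConfigModification rather than editing the file directly.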

IIS

  • Site – Authentication – Specific user
  • Certificates – Binding

Central administration

  • Web Applications – Web Application – User policies
  • Web Applications – Web Application – Anonymous policies
  • Web Applications – Web Application – Blocked file types
  • Service Applications – Service Application – Administrators/Permissions
  • Security – Farm Administrators
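The Central Administration items above can be reviewed in one pass from the SharePoint Management Shell. The script below is an added example, not from the course or the original post; it is read-only and has to run on a farm server under an account with farm-level rights. The list of extensions it expects to find among the blocked file types (`exe`, `bat`, `cmd`, `vbs`, `ps1`) is an assumption to adapt to your own policy.

```powershell
# Added example: report user policies, anonymous policies, blocked file types,
# service application administrators and farm administrators (read-only audit).
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Farm Administrators is a site group in the Central Administration root web
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
            Where-Object { $_.IsAdministrationWebApplication }
$caRootWeb = $caWebApp.Sites[0].RootWeb
'== Farm Administrators =='
$caRootWeb.SiteGroups['Farm Administrators'].Users | Select-Object LoginName, DisplayName

foreach ($webApp in Get-SPWebApplication) {
    "`n== Web application: $($webApp.DisplayName) =="

    # One policy collection per configured zone (Default, Intranet, Extranet, ...)
    foreach ($zone in $webApp.IisSettings.Keys) {
        $policies = $webApp.ZonePolicies($zone)
        "-- Zone $zone : anonymous policy = $($policies.AnonymousPolicy)"
        foreach ($policy in $policies) {
            $rights = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
            "   {0,-45} {1}" -f $policy.UserName, $rights
        }
    }

    # Blocked file types: flag extensions we expect to be blocked (assumed list)
    $expected = 'exe', 'bat', 'cmd', 'vbs', 'ps1'
    $missing  = $expected | Where-Object { $webApp.BlockedFileExtensions -notcontains $_ }
    "-- Blocked file types: $($webApp.BlockedFileExtensions.Count); expected but not blocked: $($missing -join ', ')"
}

"`n== Service application administrators =="
foreach ($sa in Get-SPServiceApplication) {
    $security = Get-SPServiceApplicationSecurity -Identity $sa -Admin
    $admins = ($security.AccessRules | ForEach-Object { "$($_.Name) [$($_.AllowedRights)]" }) -join ', '
    "{0,-45} {1}" -f $sa.DisplayName, $admins
}
```

Run it before and after the semi-annual audit from the "Security basics" list and diff the two outputs; a new Full Control policy, an anonymous policy that is no longer DenyAll on an internet zone, or an extra account in Farm Administrators shows up immediately.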

Roles

Architect, Support – should have farm-level access
Developer, Designer, End User, External – should not have farm-level access

Use personalized account for administration/support (do not use farm account or install account)

BTW, my opinion: do not allow developers any access to the production farm.
The rights/responsibilities and dev workflow should be:

  • SharePoint Developer: Dev farm for development, Dev-Test farm for self-testing
  • SharePoint Tester: Test-farm for testing
  • SharePoint Administrator: Pre-production farm and Production farm

If somebody combines roles – use different accounts and separation of roles.

SharePoint updates

  • security updates
  • public updates, cumulative updates (download)
  • service packs, feature packs

Some useful PowerShell commands:

# Ping each address in the range once and print only the hosts that answer
$subnet = "192.168.214"
$range = 223..225
$range | ForEach-Object {
    $ip = "$subnet.$_"
    if (Test-Connection -Count 1 -ComputerName $ip -Quiet) { Write-Host "$ip - Test OK" }
}

# Check whether a single TCP port (here RDP, 3389) answers on each host in the same range
$port = 3389
foreach ($byte in $range) {
    $ip = "{0}.{1}" -f $subnet, $byte
    Write-Host "Testing NetConnection to ${ip}:$port - " -NoNewline
    $tnc = Test-NetConnection -ComputerName $ip -Port $port -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    Write-Host $tnc.TcpTestSucceeded
}


Links:

  • https://www.exploit-db.com
  • http://angryip.org/ – network scanner
  • https://nmap.org/ – free security scanner
  • http://sparty.secniche.org/ – MS Sharepoint and Frontpage Auditing Tool
  • https://www.metasploit.com/ – Penetration Testing Software
  • https://www.cvedetails.com/ – Common Vulnerabilities and Exposures