AUDITING SHAREPOINT PERMISSIONS
WHY? HOW? WHAT?
Karim Roumani
Solutions Director / Speaker
Twitter: @[email protected]
ASSUMING
• Assumes a basic understanding of SharePoint permissions
• eBook to get started: http://bit.ly/1RuAAn7
WHY SHOULD YOU CARE?
• Cybercrime is not a hobby, it's big business
  • Organized crime
  • Nation states
  • Terror groups
• Security vulnerabilities hit an all-time high in 2014
  • Heartbleed (OpenSSL)
  • Shellshock (Unix, bash)
  • Sandworm (Windows malware abusing an OLE vulnerability)
• People are the weakest link: bad apples, leakers
  • Downsizing, leaving on bad terms, mistakes, social engineering
  • Competitors
  • Contractors
• Examples
  • eBay, Home Depot, Michaels, Sony, Target
WHY ARE PERMISSIONS DIFFICULT TO REGULATE?
THE HUMAN WEAKNESS
• Convenience: people grant permissions without a thorough understanding of what they are granting
• Forgetting
  • to delete the user
  • to set an expiration date
  • to remove the permissions
• Lack of visibility and visualization of the data
• Difficulty grasping the risks
SHAREPOINT CHALLENGE
• Nested objects
• Hard to see the full picture
• Confusing
• Daunting effort
• No process exists
IMPACT OF BREACH
• Lawsuits
• Trade secret / financial loss
• Social Security numbers, credit cards, medical records
• Compliance issues
• Embarrassment
  • A producer at Sony thinks Angelina Jolie is a "spoiled brat" (leaked Sony e-mail)
• PR crisis
• Fired
HOW? THE PLAN
GOAL: No person should have access to information they shouldn't have access to.
THE PLAN
1. Master checklist: what exists now, every unique permission
2. Verification with content owners
3. Remediation
4. Sign-off
PERMISSION CHECKLIST
(example spreadsheet; only the fragments "Marketing", "Owners" and "Mike" survive from the screenshot)
HOW DO I BUILD THIS MASTER LIST?
BRUSH UP
AUDITING SITE COLLECTION ADMINISTRATORS
• Open demo
MANUAL CHECK OF UNIQUE PERMISSIONS
• Sites: record each site with unique permissions in the Excel master list
ITEM UNIQUE PERMISSIONS
• Items: record each item with unique permissions in the Excel master list
CHALLENGES OUT OF THE BOX
• Too many clicks and windows
• Very hard to track
• Collaboration is difficult
• Building a master list is tedious
USING TOOLS
• PowerShell (scripting/coding)
• Tru Permissions Auditor (turn-key)
POWERSHELL FLAVORS
• Server code: the server-side object model, which works only on-premises and must run on a SharePoint server
• Client code: the client-side object model (CSOM), needed for Office 365 / SharePoint Online (it also works against on-premises farms)
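As an added example, not taken from the deck or from Tru Apps, here is the server-code flavour: a script for the SharePoint Management Shell on an on-premises server that builds the master list described above, one CSV row per principal holding a role assignment on any web, list or item that breaks inheritance, with the site collection administrators on top. The site URL and output path are assumed values.

```powershell
# Added example: build the unique-permissions master list with the server-side
# object model. Run in the SharePoint Management Shell on a farm server, as an
# account with read access to the site collection (a farm admin will do).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values: point these at your own site collection and output path.
$SiteUrl = "http://intranet.contoso.local/sites/marketing"
$OutFile = "C:\Audit\marketing-master-list.csv"

function Get-RoleAssignmentRow {
    # One row per principal holding a role assignment on a securable object
    # (web, list or item). Permission levels are joined with ';'.
    param(
        [Microsoft.SharePoint.SPSecurableObject]$Object,
        [string]$Scope,
        [string]$Url
    )
    foreach ($ra in $Object.RoleAssignments) {
        $member = $ra.Member
        if ($member -is [Microsoft.SharePoint.SPGroup]) { $kind = 'SharePointGroup' }
        elseif ($member.IsDomainGroup)                  { $kind = 'DomainGroup' }
        else                                            { $kind = 'User' }
        [pscustomobject]@{
            Scope     = $Scope
            Url       = $Url
            Principal = $member.Name
            LoginName = $member.LoginName
            Kind      = $kind
            Levels    = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
        }
    }
}

$rows = New-Object System.Collections.Generic.List[object]
$site = Get-SPSite -Identity $SiteUrl
try {
    # Site collection administrators have full control everywhere regardless
    # of role assignments, so they go to the top of the list.
    foreach ($admin in $site.RootWeb.SiteAdministrators) {
        $rows.Add([pscustomobject]@{
            Scope = 'SiteCollectionAdmin'; Url = $site.Url; Principal = $admin.Name
            LoginName = $admin.LoginName; Kind = 'User'; Levels = 'Full Control (site collection administrator)'
        })
    }
    foreach ($web in $site.AllWebs) {
        try {
            if ($web.HasUniqueRoleAssignments) {
                Get-RoleAssignmentRow -Object $web -Scope 'Web' -Url $web.Url | ForEach-Object { $rows.Add($_) }
            }
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }   # skip system lists
                if ($list.HasUniqueRoleAssignments) {
                    Get-RoleAssignmentRow -Object $list -Scope 'List' -Url $list.RootFolder.ServerRelativeUrl |
                        ForEach-Object { $rows.Add($_) }
                }
                # Page through folders and items (RecursiveAll) instead of
                # reading $list.Items, which pulls a whole library into memory.
                $query = New-Object Microsoft.SharePoint.SPQuery
                $query.ViewAttributes = "Scope='RecursiveAll'"
                $query.RowLimit = 2000
                do {
                    $items = $list.GetItems($query)
                    foreach ($item in $items) {
                        if ($item.HasUniqueRoleAssignments) {
                            Get-RoleAssignmentRow -Object $item -Scope 'Item' -Url $item.Url |
                                ForEach-Object { $rows.Add($_) }
                        }
                    }
                    $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
                } while ($null -ne $query.ListItemCollectionPosition)
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"{0} role assignments written to {1}" -f $rows.Count, $OutFile
```

The CSV is the master list to verify with content owners. Two kinds of row still need expanding by hand: a SharePointGroup row needs its members listed (People and Groups, or the group's Users collection in the same shell), and a DomainGroup row needs expanding in Active Directory, because SharePoint cannot see inside an AD group. That is exactly where the "still in a nested group" pitfall hides.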
TRU PERMISSION AUDITOR DEMO
truapps.portalfront.com
4 FINAL KEY TIPS
AUDITING EFFECTIVE PERMISSIONS
• Effective permissions are the truth: what a user can actually do is the union of everything granted directly and through every group the user belongs to (SharePoint permissions are additive; there is no deny)
• If
  • JOHN.DOE has Read
  • the MARKETING group has Edit
  • JOHN.DOE is a member of the MARKETING group
• then JOHN.DOE's effective permission is Edit
DEMO: CHECK PERMISSIONS
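As an added example (not from the deck), the server-side equivalent of the Check Permissions button: it lists every path by which a user can reach a web (direct assignment, SharePoint group membership, domain group, or a domain group nested inside a SharePoint group) and then asks the server for the effective mask, reporting which permission levels that mask fully covers. It runs in the SharePoint Management Shell on an on-premises server; the web URL and login name are assumed values. The same report answers the offboarding question asked later under WHEN TO AUDIT, what a leaver still has access to.

```powershell
# Added example: "Check Permissions" from PowerShell with the server-side
# object model, plus the paths that produce the result. On-premises only.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values.
$WebUrl    = "http://intranet.contoso.local/sites/marketing"
$LoginName = "CONTOSO\john.doe"

function ConvertTo-PlainLogin {
    # Claims-mode logins look like "i:0#.w|contoso\john.doe"; strip the claim
    # prefix so classic and claims logins compare equal (case-insensitively).
    param([string]$Login)
    return ($Login -replace '^i:0#\.w\|', '').ToLowerInvariant()
}

function Get-UserPermissionPath {
    # Every role assignment on the web that can reach the user. SharePoint
    # cannot expand domain groups, so those rows must be verified in AD.
    param([Microsoft.SharePoint.SPWeb]$Web, [string]$LoginName)
    $wanted = ConvertTo-PlainLogin $LoginName
    foreach ($ra in $Web.RoleAssignments) {
        $member = $ra.Member
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
        if ($member -is [Microsoft.SharePoint.SPGroup]) {
            foreach ($u in $member.Users) {
                if ($u.IsDomainGroup) {
                    [pscustomobject]@{ Path = 'SharePointGroup > DomainGroup (verify in AD)'; Principal = "$($member.Name) > $($u.Name)"; Levels = $levels }
                } elseif ((ConvertTo-PlainLogin $u.LoginName) -eq $wanted) {
                    [pscustomobject]@{ Path = 'SharePointGroup'; Principal = $member.Name; Levels = $levels }
                }
            }
        } elseif ($member.IsDomainGroup) {
            [pscustomobject]@{ Path = 'DomainGroup (verify in AD)'; Principal = $member.Name; Levels = $levels }
        } elseif ((ConvertTo-PlainLogin $member.LoginName) -eq $wanted) {
            [pscustomobject]@{ Path = 'Direct'; Principal = $member.Name; Levels = $levels }
        }
    }
}

function Get-EffectiveLevel {
    # The truth: the server computes the union of everything granted; report
    # which non-hidden permission levels that mask fully covers.
    param([Microsoft.SharePoint.SPSecurableObject]$Object, [Microsoft.SharePoint.SPWeb]$Web, [string]$LoginName)
    $mask = $Object.GetUserEffectivePermissions($LoginName)
    $levels = $Web.RoleDefinitions |
        Where-Object { -not $_.Hidden -and ($mask -band $_.BasePermissions) -eq $_.BasePermissions } |
        ForEach-Object { $_.Name }
    [pscustomobject]@{ Mask = $mask; Levels = ($levels -join ', ') }
}

$web = Get-SPWeb -Identity $WebUrl
try {
    "Paths that grant $LoginName access on $($web.Url):"
    Get-UserPermissionPath -Web $web -LoginName $LoginName | Format-Table -AutoSize
    "Effective permissions (the truth):"
    Get-EffectiveLevel -Object $web -Web $web -LoginName $LoginName | Format-List
} finally {
    $web.Dispose()
}
```

For the deck's JOHN.DOE case the first table shows a Direct row with Read and a SharePointGroup row (MARKETING) with Edit, and the effective report lists Edit, since the Edit mask is a superset of Read. Pass a list or list item as -Object to get the effective mask on an object with its own unique permissions.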
EXTERNAL USERS
• What is an external user?
• An external user is someone outside of your organization who can access your SharePoint Online sites and documents but does not have a license for your SharePoint Online or Microsoft Office 365 subscription. External users are not employees, contractors, or onsite agents for you or your affiliates.
• External users inherit the use rights of the SharePoint Online customer who is inviting them to collaborate. That is, if an organization purchases an E3 Enterprise plan, and builds a site that uses enterprise features, the external user is granted rights to use and/or view the enterprise features within the site collection they are invited to. While external users can be invited as extended project members to perform a full range of actions on a site, they will not have the exact same capabilities as a full, paid, licensed member within your organization. The limitations are described in the table below.
WHAT IS THE "EVERYONE EXCEPT EXTERNAL USERS" GROUP?
When a user is added to Office 365, the user automatically becomes a member of Everyone except external users. By default, the Everyone except external users group is added to the Members group on the SharePoint team site and is automatically assigned a permission level of Contribute. This means all users who are added to Office 365 can view, add, update, and delete items from lists and libraries. If you want to change the permission levels for this group, remove it from the Members group and then add it to a group that uses different permissions. For example, you might add Everyone except external users to the SharePoint Visitors group, which automatically assigns a Read permission level to all users in that group.
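As an added example that serves both the external-users and the Everyone-except-external-users slides (it is not the deck's or Tru Apps' code), here is the client-code flavour against SharePoint Online. The script walks a site's role assignments, expands each SharePoint group one level, and reports where Everyone except external users, Everyone, external (guest) users or security groups hold a permission level. It assumes the SharePoint Online Client Components SDK assemblies are installed at the path shown and uses a sample site URL; the credential class it uses is legacy username/password authentication, which many tenants now block.

```powershell
# Added example: find "Everyone except external users", "Everyone", external
# (guest) users and security groups in a SharePoint Online site's role
# assignments with the client-side object model (CSOM).
# Assumed values: site URL and the path to the CSOM assemblies.
$SiteUrl = "https://contoso.sharepoint.com/sites/marketing"
$SdkPath = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI"
Add-Type -Path (Join-Path $SdkPath "Microsoft.SharePoint.Client.dll")
Add-Type -Path (Join-Path $SdkPath "Microsoft.SharePoint.Client.Runtime.dll")

function Get-PrincipalKind {
    # Classify a principal by the claim format SharePoint Online uses:
    #   c:0-.f|rolemanager|spo-grid-all-users/<tenant id>  Everyone except external users
    #   c:0(.s|true                                        Everyone (external users included)
    #   ...#ext#@<tenant>.onmicrosoft.com                  invited external (guest) user
    param([string]$LoginName, [Microsoft.SharePoint.Client.PrincipalType]$Type)
    if ($LoginName -like '*spo-grid-all-users*') { return 'EveryoneExceptExternalUsers' }
    if ($LoginName -eq 'c:0(.s|true')            { return 'Everyone' }
    if ($LoginName -like '*#ext#*')              { return 'ExternalUser' }
    if ($Type -eq [Microsoft.SharePoint.Client.PrincipalType]::SecurityGroup) { return 'SecurityGroup' }
    return 'User'
}

function Get-BroadAccessGrant {
    # Walk the web's role assignments and expand SharePoint groups one level,
    # because by default "Everyone except external users" sits inside the
    # Members group rather than being granted directly.
    param([Microsoft.SharePoint.Client.ClientContext]$Ctx, [Microsoft.SharePoint.Client.Web]$Web)
    $Ctx.Load($Web)
    $Ctx.Load($Web.RoleAssignments)
    $Ctx.ExecuteQuery()
    foreach ($ra in $Web.RoleAssignments) {
        $Ctx.Load($ra.Member)
        $Ctx.Load($ra.RoleDefinitionBindings)
    }
    $Ctx.ExecuteQuery()

    foreach ($ra in $Web.RoleAssignments) {
        $member = $ra.Member
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
        if ($member.PrincipalType -eq [Microsoft.SharePoint.Client.PrincipalType]::SharePointGroup) {
            $group = $Web.SiteGroups.GetById($member.Id)
            $Ctx.Load($group.Users)
            $Ctx.ExecuteQuery()
            foreach ($u in $group.Users) {
                $kind = Get-PrincipalKind -LoginName $u.LoginName -Type $u.PrincipalType
                if ($kind -ne 'User') {
                    [pscustomobject]@{ Url = $Web.Url; Via = $member.Title; Principal = $u.Title; LoginName = $u.LoginName; Kind = $kind; Levels = $levels }
                }
            }
        } else {
            $kind = Get-PrincipalKind -LoginName $member.LoginName -Type $member.PrincipalType
            if ($kind -ne 'User') {
                [pscustomobject]@{ Url = $Web.Url; Via = '(direct)'; Principal = $member.Title; LoginName = $member.LoginName; Kind = $kind; Levels = $levels }
            }
        }
    }
}

# SharePointOnlineCredentials is legacy username/password authentication;
# substitute a modern-auth token if your tenant blocks it.
$cred = Get-Credential -Message "SharePoint Online site collection admin"
$ctx  = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)
try {
    Get-BroadAccessGrant -Ctx $ctx -Web $ctx.Web | Format-Table -AutoSize
} finally {
    $ctx.Dispose()
}
```

A row with Via = Members, Kind = EveryoneExceptExternalUsers and Levels = Contribute is the default described above. To change it the way the slide suggests, remove the principal from the Members group and add it to Visitors (in CSOM, the group's Users.RemoveByLoginName and Users.AddUser followed by ExecuteQuery), then re-run the report to confirm. ExternalUser rows are the "external users who still have access" pitfall and should each be matched against a current engagement.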
"SHARE EVERYTHING IN THIS FOLDER" (NEW FEATURE)
• Changes were made to the folder sharing behavior in SharePoint Online. Before this update, sharing a folder shared only the contents of the folder that inherited permissions from the folder. The new change lets users share all contents of a folder, even uniquely permissioned contents, when they share the folder. To do this, select the "Share everything in this folder, even items with unique permissions" check box in the sharing dialog box for a folder.
• For an audit this matters: one share action on a folder can re-grant access to items whose unique permissions were deliberately tightened, so item-level findings can be undone after sign-off.
• https://support.microsoft.com/en-us/kb/3048806
MOVING FORWARD
• Site owner education
• Audit triggers / schedules
WHEN TO AUDIT
• Migration of data
• Security review
• Recent breach
• Employee or contractor leaving
  • What do they still have access to?
  • Did they modify permissions?
• Taking over administration: what is the current lay of the land?
• Validating the controls of a newcomer
• Many unique item-level permissions
• Employee changing roles
COMMON PITFALLS
• A person still in a nested group
• A person given direct access to an obscure object
• External users who still have access
• A person who gave another person the wrong access (lack of training / user error)
SUMMARY
• Risks
• Challenges of keeping permissions clean
• Audit plan
• Master list: manual, or using tools
• External users
• Key concepts
ULTIMATE GOAL
No Person Should have Access to Information they shouldn’t have access to.
THANK YOU FOR ATTENDING / QUESTIONS
Karim Roumani
Solutions Director / Speaker
Twitter: @[email protected]
• We will send you a link to the recording
• Please fill out the feedback survey
• Tru Apps: http://truapps.portalfront.com/sharepoint-permissions-audit-report.html
• SharePoint Permissions eBook: http://bit.ly/1RuAAn7
• Add me on Twitter
• Email me with questions