SharePoint Defense in Depth

A community site for SharePoint security and compliance issues

About this community

SharePoint Defense in Depth is an open community site and resource for those interested in security, defense in depth, compliance, and SharePoint. This community site provides a place to pose questions to experts, and to learn how best to tackle your SharePoint security challenges.

For access to resources including a SharePoint Content Scanner, and SharePoint Risk Assessment, please create a login. Note that to limit spam and non-useful content on this site, we require either a valid corporate e-mail domain, or a legitimate LinkedIn profile for registrants before approving access.

Our simple goal is to provide the SharePoint community with tools and resources that enable you to more effectively secure your SharePoint environments. We encourage you to engage, and post your own tips, tricks, and resource to help make SharePoint sites more secure. If you have ideas as to how we can make the SharePoint Defense in Depth site a better community resource, please contact us on:

Blog Posts

Video demonstration of the content scanner

Posted by Mike Fleck on July 18, 2016 at 9:53am

If you came to SharePointDefenseInDepth looking for complimentary access to the data discovery tool (Content Scanner), you can request your copy by reaching out to If you'd like to learn more about how to use the scanner and what it can locate, check out this video on Vimeo. The first minutes are background material, so don't worry if you hear the audio but the video doesn't seem to be moving. …


Understanding file encryption in Office 365

Posted by Mike Fleck on March 8, 2016 at 12:01pm

In early 2015 Microsoft started rolling out per file encryption for SharePoint Online and OneDrive for Business in Office 365. Prior to that, the file encryption capability in Office 365 was simple BitLocker storage encryption. The newer approach, often referred to as Fort Knox, involved breaking files into fragments and encrypting each file fragment with a unique encryption key. Microsoft sometimes refers to this fragmenting of files as “shredded storage.” The fragment encryption keys (FEK)…


Reimagining a New Security Model for SharePoint

Posted by Peter Bradley on January 6, 2016 at 5:00pm

SharePoint's old security model was conceived in a different era. Let's imagine what a new security model might look like.

In my last post, we looked at the humble beginnings of SharePoint as Microsoft Tahoe, and pointed out that the security…


The free SharePoint Content Scanner is back

Posted by Mike Fleck on December 18, 2015 at 12:57pm

CipherPoint is once again providing free access to the content scanner. Yes, Office 365 has Data Loss Prevention, but there are a few reasons why you would be interested in this tool vs. the one from Microsoft.

  1. The CipherPoint scanner lets you create custom patterns to find.
  2. The CipherPoint scanner can search for sensitive content in on-premises AND Office 365 at the same time.
  3. The CipherPoint scanner is a lot easier to use.

To get the scanner you…
Take CipherPoint's Annual State of Collaboration Security Survey

Started by Mike Fleck in General security topics, Jul 14, 2014.

Each year, CipherPoint conducts a survey to understand businesses’ top security concerns relating to file…

Government Agencies Deploying SharePoint Despite the Lack of FIPS 140-2 Level Validation

Started by K Nahbrha in Industry compliance. Last reply by Mike Fleck, Dec 6, 2013.

How are government agencies deploying SharePoint 2010 despite the fact that SharePoint does not support FIPS 140-2 level validation as required by NIST? The operating system that hosts SharePoint must…

Tags: DISA, Cryptography, NIST, 2010, SharePoint

Securing SharePoint

Started by Site Admin in General security topics, Aug 16, 2013.

A reader posted this response to a blog we posted on the Snowden breach and the SharePoint connection. What do you think... can SharePoint be securely deployed? Jim. Our blog is here: …

Is anyone using RMS and SharePoint 2013?

Started by Mike Fleck in General security topics. Last reply by Kirk Hasty, Jul 22, 2013.

One of our members just posted the above question in his status. Is anyone here using Windows Rights Management (or a third-party RMS provider) with *any* version of SharePoint? If so, please post your…

Tags: 2013, sharepoint, management, rights

Microsoft Tahoe and the Evolution of SharePoint Security

In my first post, I explained the biggest problems of SharePoint's security model and how it creates risks. With so much change, so much growth, so many new threats - perhaps SharePoint's security model could use a rethink?

Microsoft Tahoe - Where it all began

Back in 2000, an internal project at Microsoft called 'Tahoe' began publicising a new product they had been working on. Tahoe was a new technology that enabled small work teams to perform simple document sharing, collaboration and content searching through a web browser.

By the time it was released, the marketing department had come up with the name 'SharePoint Portal Server'. The market didn't receive the new product particularly positively!

Debra Logan, a research analyst at Gartner said, "SharePoint Portal is just document management based around one Exchange server. It is better than a shared file system, but big deal."

Ashim Pal, programme director for analyst Meta Group, said, "It is lightweight document management for the masses. There will be a mass migration to… [another technology] in the next 24-36 months, so users should be careful not to over commit to any development around SharePoint."

Computing Magazine UK actually used phrases like "too lightweight", "too basic" and "will soon be redundant"!

A typical SharePoint Portal 2001 home page

Looking at the information management powerhouse that SharePoint / Office 365 has become today, and as one of many people who have built a good career on top of it - it's hard to resist a wry little smile ;) I don't know many people who would today describe SharePoint as "too basic"!

SharePoint Portal Server 2001 Security

The examples in Microsoft's documentation for SharePoint Workspaces reveal the thinking at the time. This was not a technology designed for serious deployments. They really didn't envisage more than a dozen or so people using them! It didn't use a proper database, and it didn't support clustered server farms.

It was really just a small scale, browser-based extension for Windows Server and Exchange that let people share and search across a few documents.

With SharePoint Portal Server 2001, users could be granted one of three 'roles' to content in SharePoint Workspaces:

  • 'Coordinator' was for administrators and information owners
  • 'Author' allowed the user to add and update documents
  • 'Reader' allowed read-only access through navigation or search
Permissions to content were granted either to groups of people in Windows or Exchange, or to individual users. It was very manual and unsophisticated, but it worked.

Permissions in SharePoint Today

Fast forward to today with SharePoint 2013 and SharePoint Online / Office 365. First, let's substitute a few equivalent terms:

Something obvious jumps straight out. The model hasn't changed!! In 15 years, there has been no evolution of the security model at all - the concepts and basic ideas line up exactly.

Security in SharePoint is still managed in the same basic way as it was on day one: we manually compile lists of people, and grant them permissions to stuff.

  • Even though SharePoint systems have gone from dozens of users to hundreds of thousands.
  • The volumes of data have gone from a few folders to terabytes of mission-critical sensitive content.
  • The intensity, relentlessness and consequences of the security threat have gone from fairly minimal to extreme.
  • The role of SharePoint has gone from being "not much better than a file share", to being central to the operations of millions of organisations around the world.
  • And the internet and the interconnectedness of networks became absolutely ubiquitous.
Some of the most notorious information security breaches in recent years have involved information stolen from SharePoint systems. Not hacked by clever anarchists in dark rooms, but simply downloaded by disenfranchised trusted staff with access to far more information than they needed in order to do their jobs.

But still, SharePoint offers the exact same ideas for securing content as it always has!

So, in light of all this change, all this growth, all these new threats - perhaps, the security model in SharePoint could use a bit of a rethink.

We've outgrown it.

In my next post, I'll dive deeper into how SharePoint's security model tends to cause huge problems for an organization, and some of the practical things we can do to minimize them.

Thanks for reading :)


CEO and Principal Architect at Torsion Information Security


© 2020   Created by Jim.