SharePoint Defense in Depth

A community site for SharePoint security and compliance issues

About this community

SharePoint Defense in Depth is an open community site and resource for those interested in security, defense in depth, compliance, and SharePoint. This community site provides a place to pose questions to experts, and to learn how best to tackle your SharePoint security challenges.

For access to resources including a SharePoint Content Scanner, and SharePoint Risk Assessment, please create a login. Note that to limit spam and non-useful content on this site, we require either a valid corporate e-mail domain, or a legitimate LinkedIn profile for registrants before approving access.

Our simple goal is to provide the SharePoint community with tools and resources that enable you to more effectively secure your SharePoint environments. We encourage you to engage, and post your own tips, tricks, and resources to help make SharePoint sites more secure. If you have ideas as to how we can make the SharePoint Defense in Depth site a better community resource, please contact us on:

Blog Posts

Video demonstration of the content scanner

Posted by Mike Fleck on July 18, 2016 at 9:53am 0 Comments

If you came to SharePointDefenseInDepth looking for complimentary access to the data discovery tool (Content Scanner), you can request your copy by reaching out to If you'd like to learn more about how to use the scanner and what it can locate, check out this video on Vimeo. The first minutes are background material, so don't worry if you hear the audio but the video doesn't seem to be moving. …


Understanding file encryption in Office 365

Posted by Mike Fleck on March 8, 2016 at 12:01pm 0 Comments

In early 2015 Microsoft started rolling out per file encryption for SharePoint Online and OneDrive for Business in Office 365. Prior to that, the file encryption capability in Office 365 was simple BitLocker storage encryption. The newer approach, often referred to as Fort Knox, involved breaking files into fragments and encrypting each file fragment with a unique encryption key. Microsoft sometimes refers to this fragmenting of files as “shredded storage.” The fragment encryption keys (FEK)…


Reimagining a New Security Model for SharePoint

Posted by Peter Bradley on January 6, 2016 at 5:00pm 0 Comments

SharePoint's old security model was conceived in a different era. Let's imagine what a new security model might look like.

In my last post, we looked at the humble beginnings of SharePoint as Microsoft Tahoe, and pointed out that the security…


The free SharePoint Content Scanner is back

Posted by Mike Fleck on December 18, 2015 at 12:57pm 0 Comments

CipherPoint is once again providing free access to the content scanner. Yes, Office 365 has Data Loss Prevention, but there are a few reasons why you would be interested in this tool vs. the one from Microsoft.

  1. The CipherPoint scanner lets you create custom patterns to find.
  2. The CipherPoint scanner can search for sensitive content in on-premises AND Office 365 at the same time.
  3. The CipherPoint scanner is a lot easier to use.

To get the scanner you…
Take CipherPoint's Annual State of Collaboration Security Survey

Started by Mike Fleck in General security topics Jul 14, 2014. 0 Replies

Each year, CipherPoint conducts a survey to understand businesses’ top security concerns relating to file…

Government Agencies Deploying SharePoint Despite the Lack of FIPS 140-2 Level Validation

Started by K Nahbrha in Industry compliance. Last reply by Mike Fleck Dec 6, 2013. 1 Reply

How are government agencies deploying SharePoint 2010 despite the fact that SharePoint does not support FIPS 140-2 level validation as required by NIST? The operating system that hosts SharePoint must…

Tags: DISA, Cryptography, NIST, 2010, SharePoint

Securing SharePoint

Started by Site Admin in General security topics Aug 16, 2013. 0 Replies

A reader posted this response to a blog we posted on the Snowden breach, and the SharePoint connection. What do you think... can SharePoint be securely deployed? Jim

Our blog is here: …

Is anyone using RMS and SharePoint 2013?

Started by Mike Fleck in General security topics. Last reply by Kirk Hasty Jul 22, 2013. 1 Reply

One of our members just posted the above question in his status. Is anyone here using Windows Rights Management (or third party RMS provider) with *any* version of SharePoint? If so, please post your…

Tags: 2013, sharepoint, management, rights

The Biggest Problems With Microsoft's SharePoint Security Model

Dear all,

I wanted to share with you my thoughts on the SharePoint security model, and why it's clearly outdated for today's corporate environment.

SharePoint's groups-based security model

SharePoint security is based on groups. Whether you favor SharePoint groups or Domain groups, either way the groups model is based on hundreds of long lists of people’s names.

Groups must be manually populated with the people who should get access to information - a tedious task which is highly prone to human error.

SharePoint makes it simple to add new users who transition into relevant roles and assignments, but there is no clean-up of permissions when they transition back out.

And besides, organizations aren’t typically structured around groups – they are structured around people having roles, credentials and assignments. People move around and shift focus all the time.

SharePoint also provides very little support for an information owner trying to add the correct group to their SharePoint site. It is far too easy to make a mistake, and there is no help to detect if one has been made.

And so, without confidence in their actions to secure their information in SharePoint, the information owner will often feel it could be better to start yet another new group. And the wheel gets reinvented again!

The importance of maintenance

Modern organizations are dynamic places. People move around organizations regularly. Organizational structures change regularly. In fact, change may be the only real constant!

And so, because SharePoint security is based on lists of people's names, those lists must be constantly maintained. We need to ensure that the set of people getting access to information remains appropriate as business circumstances change.

But groups in SharePoint include no clear link to the original reason a person may be a member – so how are we to evaluate if it remains appropriate? Especially when the maintenance task falls to IT - who may be quite distant from the information involved, and who often don't have first-hand knowledge of the information or people involved. How can they possibly be expected to make good proactive decisions about who should keep their access?

Experience has shown that as many as 30% of SharePoint site owners have left their company or moved jobs. Over 50% of SharePoint sites are abandoned within 3 years, but sensitive documents remain accessible.

Permissions in SharePoint often get in a tangled mess - and people tend to accumulate access to information as they move around over time.

And the larger or more complex the organization, the more DIFFICULT, EXPENSIVE, and INACCURATE maintenance becomes.

'Silent' permissions

SharePoint includes several ways to gain access to information. Some of these are not visible to information owners.

For example, information owners can’t see who the members of Domain groups are. Also, Domain groups can be nested inside other groups, again without the information owners' knowledge.

Site Collection Administration rights and Web Application Policies can effectively provide ‘silent’ access: that is, access for people to information, granted without the knowledge of information owners. Although this function exists for the legitimate purpose of enabling administration of the system, the fact that information owners can't see this can create significant problems.

Ultimately, lack of visibility undermines trust.

The consequences of lack of visibility

SharePoint is designed to promote information sharing, but security information is not clearly visible.

Take a standard SharePoint document library. Exactly who can access it? It's not easy to tell. Users can’t easily know what permissions are on the SharePoint sites they are trusting their documents to.

SharePoint's ‘Shared With’ dialog is slow and unreliable. The ‘Manage Permissions’ page is buried inside settings.

Administrative permissions, such as Site Collection Administration rights, and Web Application Policies are hidden from users and information owners.

Membership of groups is hidden – we only see the group name, which may or may not be descriptive, helpful or consistent. And there is no way to view the membership of Domain groups.
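The hidden grants described here and in the ‘Silent’ permissions section above (Web Application Policies, Site Collection Administrators, and the people behind a Domain group name) can be pulled into one report by a farm administrator, and the same report can flag departed users, which is the stale-access problem the maintenance section raises. The following PowerShell is an added example, not code from the original post or from the site; it assumes SharePoint Server on-premises, the SharePoint Management Shell run as a farm administrator on a farm server, and the RSAT ActiveDirectory module. Function names, the output file name, and the handling of claims-encoded logins are this example's own choices.

```powershell
# Added example, not code from the original post or from the site's authors.
# Inventories the 'silent' access paths (web application policies, site collection
# administrators, domain-group membership an owner cannot see) and flags people
# whose AD account is disabled.
# Assumptions: SharePoint Server on-premises, SharePoint Management Shell run as a
# farm administrator on a farm server, RSAT ActiveDirectory module installed.
# Windows claims logins of the form i:0#.w|DOMAIN\name are expanded; SID-encoded
# group claims (c:0+.w|S-1-...) are reported as-is and not expanded.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory -ErrorAction Stop

function ConvertTo-SamAccountName {
    param([string]$LoginName)
    # Strip the Windows claims prefix, then take the part after DOMAIN\.
    $name = $LoginName -replace '^i:0#\.w\|', ''
    if ($name -match '^[^\\]+\\(?<sam>.+)$') { return $Matches['sam'] }
    return $null
}

function Get-PrincipalDetail {
    param([string]$LoginName)
    # One row per real person behind the login: the user itself, or every
    # (recursively nested) user member when the login names a domain group.
    $sam = ConvertTo-SamAccountName $LoginName
    if (-not $sam) {
        return [pscustomobject]@{ Person = $LoginName; Enabled = $null; ViaGroup = $null }
    }
    $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if ($group) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.DistinguishedName -Properties Enabled
                [pscustomobject]@{ Person = $u.SamAccountName; Enabled = $u.Enabled; ViaGroup = $LoginName }
            }
        return
    }
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties Enabled -ErrorAction SilentlyContinue
    if ($user) {
        return [pscustomobject]@{ Person = $user.SamAccountName; Enabled = $user.Enabled; ViaGroup = $null }
    }
    # Local machine account, service identity, or SID-only claim: report unchanged.
    [pscustomobject]@{ Person = $LoginName; Enabled = $null; ViaGroup = $null }
}

$grants = @()
foreach ($webApp in Get-SPWebApplication) {
    # Web application policies grant rights above every site's permission list.
    foreach ($policy in $webApp.Policies) {
        $grants += [pscustomobject]@{
            Scope  = $webApp.Url; Kind = 'WebApplicationPolicy'; Login = $policy.UserName
            Rights = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
        }
    }
    # Site collection administrators have full control but never appear on a
    # library's 'Manage Permissions' page.
    foreach ($site in $webApp.Sites) {
        try {
            foreach ($admin in $site.RootWeb.SiteAdministrators) {
                $grants += [pscustomobject]@{
                    Scope = $site.Url; Kind = 'SiteCollectionAdministrator'
                    Login = $admin.LoginName; Rights = 'Full Control'
                }
            }
        } finally { $site.Dispose() }   # SPSite objects must be disposed explicitly
    }
}

# Expand each grant to the people behind it and mark disabled (departed) accounts.
$rows = foreach ($g in $grants) {
    foreach ($p in Get-PrincipalDetail $g.Login) {
        if ($p.Enabled -eq $false)   { $status = 'DISABLED - stale access' }
        elseif ($null -eq $p.Enabled) { $status = 'not an AD user' }
        else                          { $status = 'active' }
        [pscustomobject]@{
            Scope = $g.Scope; Kind = $g.Kind; Rights = $g.Rights; Login = $g.Login
            Person = $p.Person; ViaGroup = $p.ViaGroup; Status = $status
        }
    }
}

$rows | Sort-Object Scope, Kind, Person | Format-Table Scope, Kind, Person, ViaGroup, Status -AutoSize
$rows | Export-Csv -Path .\silent-access-report.csv -NoTypeInformation
```

The CSV is what an information owner can actually read: one line per person who can reach a site collection, with the policy or group that grants it, so a name that appears only through a nested group, or that belongs to a disabled account, is no longer invisible.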

Without the trust of information owners, adoption and value is compromised.

And this can lead to an attitude of security being ‘someone else’s problem’ – rather than promoting a culture of shared responsibility!

Risk to the organization constantly grows

Since SharePoint began 15 years ago:

  the volumes of information we deal with,
  the general dynamism of organizations, and
  the intensity of the security threat

...have increased exponentially! SharePoint’s groups-based security model has seen very little evolution over that time.

Ultimately, these factors create weaknesses in your information security armour, increasing the risk to the organization of a serious security incident. You can read more here on solutions to tackle these challenges.

Thank you for reading. Let me know your thoughts :)

© 2020   Created by Jim.