Maximizing SharePoint Security Whitepaper v2.0
1/2018
This technical whitepaper describes how to protect SharePoint servers and websites, and the best practices for maximizing the SharePoint security controls.
Fadi Abdulwahab
CSSLP, MCC, MCITP
Author
Author of a SharePoint 2013 book and many SharePoint whitepapers, including Search, Variation and Availability topics, with a focus on building secure web applications.
Has delivered many projects with Microsoft technologies since 2006 for banks, universities, and ministries.
Experienced in SharePoint administration, infrastructure, development, governance, and disaster recovery.
Specialties: SharePoint Server, AWS/Azure, ASP.NET/C#, OWASP Top 10, SQL Server administration and high availability solutions.
Recognized as Microsoft Community Contributor in July 2013
(ISC)² CSSLP® Certified Secure Software Lifecycle Professional in July 2015
AWS Solutions Architect – Associate certification in April 2017
HTTPs everywhere
It is a top priority to serve your websites over a secure connection, using the SSL/TLS protocol, so that information is protected in transit and users are protected from attacks such as DNS poisoning (a client sent to an impostor server gets a certificate error instead of a working site). HTTPS is HTTP carried inside a TLS session, and it gives your websites the following:
1. Confidentiality: data in transit cannot be read by sniffing with tools like Fiddler or Wireshark, or by hijacking or MITM attacks (main goal).
2. Integrity: data is protected from tampering in transit; a record modified by anyone in the middle fails the TLS integrity check and the connection is torn down.
3. Authenticity: visitors get assurance about your domain and about who they are talking to.
4. Ranking signal: Google encourages people to make the internet safer and uses HTTPS as a (minor) ranking signal in its search engine.
General Best Practices and Tips
Here are some of the most important tips to consider when deploying HTTPS:
• Decide the kind of certificate: single, multi-domain (SAN) or wildcard, and make sure it covers all your host names.
• Use 2048-bit RSA private keys; if you still have 1024-bit RSA keys, replace them as soon as possible.
• Don't use self-signed certificates on production servers; use certificates from a trusted Certificate Authority such as DigiCert or GoDaddy, or a free certificate from Let's Encrypt. (StartSSL has since been distrusted by the major browsers; Cloudflare's free certificates apply to sites behind its proxy.)
• Protect the private key and treat it as a secret asset.
• Protect the exported private key (.pfx) with a complex password.
• Avoid certificate warnings caused by expiry or other reasons; they confuse users and weaken their trust in your website (authenticity).
• Replace SHA-1 certificates with certificates signed with a strong algorithm such as SHA-256.
• Deploy certificates with a complete, valid certificate chain (install the intermediate certificates on the server).
• TLS 1.2 should be your main protocol; disable SSL 2.0 and SSL 3.0, and plan to retire TLS 1.0 and 1.1.
Note
Check your client browser version because IE 6 on Windows XP doesn't support new secured
Configuring SSL/TLS for SharePoint
Here I will explain how to configure SSL/TLS for SharePoint 2013; the same steps apply to SharePoint 2010.
Notes:
• Older SharePoint versions negotiate TLS 1.0 by default. SharePoint 2013 and 2016 can use TLS 1.2, but this needs the .NET Framework updates and SCHANNEL registry settings documented by Microsoft; do not disable TLS 1.0 on the servers before those are in place, or farm components will stop talking to each other.
• Use SSL bridging instead of SSL offloading: with offloading, the traffic between the load balancer and the SharePoint servers is plain HTTP, while bridging re-encrypts it. Performance is no longer an argument against HTTPS: with HTTP/2 (which browsers only use over TLS) it can be faster than plain HTTP; try https://www.httpvshttps.com/ .
Prerequisites:
1. IIS 8
2. SharePoint Server 2013 Farm
3. Windows Server 2012
4. Web Application on Port 80
5. Administrator privilege on the server
Steps:
1. Create a self-signed certificate in IIS 8
2. Import the self-signed certificate into the SharePoint certificate store (optional)
3. Add the self-signed certificate to trust management in Central Administration (optional)
4. Configure the IIS binding
5. Configure AAM
Step 1: Create Self Signed Certificate on IIS 8
Open IIS Manager, go to the server node and open the IIS section "Server Certificates".
Click on Create Self-Signed Certificate... in the Actions pane.
Specify any name like "SharePointSelfSignedCert" and click Ok.
Double click the created certificate, go to the Details tab and click Copy to File...
Click Next (Welcome...),
Select "No, do not export the private key" and click Next,
Select "DER encoded binary" and click Next,
Specify the location for the certificate, click Next and then Finish.
Step 2: Import Self Signed Certificate to SharePoint Certificate store (Optional)
Open Manage Computer Certificates on Windows Server 2012, go to the SharePoint node and right click All Tasks >> Import...
Click Next, specify the location of the certificate exported in the previous step and click Next.
Make sure the certificate store is "SharePoint", click Next and then Finish.
Step 3: Add Self Signed Certificate to trust management in Central Administration (Optional)
Go to Central Administration >> Security >> Manage Trust (to tell SharePoint to trust this certificate as well).
Click New.
Enter a name, specify the location of the certificate file and click Ok.
Step 4: Configure IIS Binding
Go to IIS Manager, choose your web application's site and click Bindings in the Actions pane.
Click Add...
Type: https
Port: 443
SSL Certificate: SharePointSelfSignedCert (created previously).
Click Ok.
Step 5: Configure AAM
Go to Central Administration >> Alternate Access Mappings and choose your web application.
Click Edit Public URLs and add the HTTPS URL.
Click Save.
Now try to browse your website with the HTTPS URL.
Notes
1. If you add the self-signed certificate to the Trusted Root Certification Authorities store on the client PC, the certificate error or warning in the browser disappears. Do this only on lab machines; never distribute a server's self-signed certificate as a root.
2. On production servers you need a certificate from a trusted CA, and in that case you import a PKCS#12 (.pfx) file that contains the certificate together with its private key.
3. Sometimes you need a tool to convert the certificate to .pfx format, such as OpenSSL or the DigiCert Certificate Utility.
4. When importing the .pfx, leave "Mark this key as exportable" unchecked so that the private key cannot be exported from the server again; keep the .pfx file and its password in a secure location off the server.
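The five manual steps above, scripted for one web application. This is an added example and not part of the whitepaper: the host name, the web application URL, the IIS site name and the export path are placeholders, and the self-signed certificate is for a lab only (on production, import the CA-issued .pfx into the machine store instead of running New-SelfSignedCertificate). Run it in the SharePoint Management Shell as a farm administrator on a web front end.

```powershell
# Added example: scripts the manual steps (self-signed cert, SharePoint trust, IIS binding, AAM).
# Placeholders (assumptions): $HostName, $WebAppUrl, $IisSiteName, $CertExportPath.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$HostName       = 'portal.contoso.local'               # assumption: public host name
$WebAppUrl      = "http://$HostName"                   # assumption: existing port-80 web application
$IisSiteName    = 'SharePoint - portal80'              # assumption: IIS site of that web application
$CertExportPath = 'C:\Certs\SharePointSelfSignedCert.cer'

# Step 1: self-signed certificate in the machine store (lab only)
$cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation 'cert:\LocalMachine\My'
New-Item -ItemType Directory -Path (Split-Path $CertExportPath) -Force | Out-Null
# Public part only, DER encoded, exactly like the "do not export the private key" wizard path
Export-Certificate -Cert $cert -FilePath $CertExportPath -Type CERT | Out-Null

# Steps 2/3: make SharePoint trust the certificate (only needed for self-signed or private CAs)
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertExportPath)
if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $x509.Thumbprint })) {
    New-SPTrustedRootAuthority -Name 'SharePointSelfSignedCert' -Certificate $x509 | Out-Null
}

# Step 4: HTTPS binding on 443 and the certificate attached to it
if (-not (Get-WebBinding -Name $IisSiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $IisSiteName -Protocol https -Port 443 -HostHeader $HostName
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
Get-Item "cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item $sslBinding | Out-Null

# Step 5: public HTTPS URL in AAM (Intranet zone here, as the HTTP URL stays the Default zone's public URL)
$wa = Get-SPWebApplication $WebAppUrl
if (-not ($wa.AlternateUrls | Where-Object { $_.IncomingUrl -eq "https://$HostName" })) {
    New-SPAlternateURL -WebApplication $wa -Url "https://$HostName" -Zone Intranet | Out-Null
}

# Check: complete a handshake and report which certificate the server actually presented.
# A self-signed certificate fails validation, so the request itself may throw; the
# ServicePoint still holds the certificate from the handshake.
$req = [System.Net.HttpWebRequest]::Create("https://$HostName")
try { $req.GetResponse().Close() } catch { }
if ($req.ServicePoint.Certificate) {
    'Served certificate: ' + $req.ServicePoint.Certificate.Subject
}
```

Repeat the binding part on every web front end; the certificate store and IIS bindings are per server, while the trust entry and the AAM are farm-wide.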
Redirect from HTTP to HTTPs
It's not enough to enable HTTPS; you also need to force users onto HTTPS. First
you need to install the IIS URL Rewrite extension on all SharePoint web servers (front-end servers),
different key. Without forward secrecy, the security of all connections effectively
depends on the server’s private key. If that key is ever broken or stolen, all previous
communication can be decrypted."
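An IIS URL Rewrite rule that does the redirect, added here as an example (it is not from the whitepaper and assumes the URL Rewrite module is installed on every front end). It goes inside the existing <system.webServer> element of the web application's web.config, or is created through the IIS Manager URL Rewrite UI.

```xml
<!-- Added example, not from the whitepaper: send every plain-HTTP request to the same
     path over HTTPS. Merge the <rewrite> element into the <system.webServer> that
     SharePoint's web.config already contains; do not add a second <system.webServer>. -->
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <!-- only requests that arrived without TLS -->
          <add input="{HTTPS}" pattern="off" ignoreCase="true" />
        </conditions>
        <!-- Permanent (301) is cached by browsers; use redirectType="Found" while testing -->
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

The HTTPS URL must already be in AAM, or the redirected request gets a 404 from SharePoint. If a load balancer terminates TLS (offloading), {HTTPS} is "off" for every request on the server and this rule loops; in that setup condition on the X-Forwarded-Proto header the balancer sets instead.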
Mixed Content Mode
Again, a valid HTTPS certificate does not by itself mean the session is exchanged safely.
If you see one of the above indicators in your browser, the current website has an issue called "Mixed Content": the HTTPS page loads images, scripts or other resources over plain HTTP. Modern browsers block active mixed content such as scripts but still allow passive content such as images, and because cookies without the Secure flag are attached to those HTTP requests too, an attacker sniffing the network can read the session cookie.
The fix is to make sure there is no HTTP content in your pages: every sub-resource must be requested over HTTPS (absolute https:// or protocol-relative URLs).
Note
Sometimes you have to live with mixed content because a third party only supports HTTP. Be aware of the risk, mark your cookies Secure so they are not sent on those requests, and make sure sensitive data only travels over secure channels.
HTTPs on Login Page only
Some developers follow the very bad practice, in the name of performance, of implementing HTTPS only on the login page and then redirecting the user back to HTTP.
This prevents the username and password from being sniffed, but the attacker can still capture the session token, which in most cases is stored in a cookie or sent as a header value, and replay it.
A tool like Fiddler or the built-in developer tools in browsers like Chrome can demonstrate the issue: log in to any forms-authentication website and copy the auth cookie value (the cookie name varies; in SharePoint claims authentication it is FedAuth).
Then open a new session (for example an incognito window) without logging in, open the console in the Chrome browser and run document.cookie="FedAuth=[cookie Value]"
Refresh the page: you are now logged in to the website without knowing the username or password.
Secure cookies
Make sure to use secure cookies when sensitive data is stored in cookies, such as the auth cookie in forms or claims authentication.
To make sure the cookie only travels over HTTPS channels even if the website still accepts HTTP connections, set the requireSSL attribute in the web application's web.config (on the httpCookies and forms elements).
You can check whether a cookie is secure with Chrome's developer tools: Application > Cookies, "Secure" column.
HTTPOnly cookies
In general, always set the HttpOnly attribute on cookies so that script cannot read them; an auth token cookie readable from JavaScript is the first thing an XSS payload steals for session hijacking and other attacks.
In SharePoint with forms authentication, the auth token cookie is flagged HttpOnly by default, but some SharePoint cookies are not, such as "wss_keepsessionauthenticated".
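The web.config settings for the two cookie attributes from this and the previous section (Secure and HttpOnly), added here as an example rather than taken from the whitepaper. httpCookies sets the defaults for every cookie ASP.NET creates, including the ones SharePoint does not flag itself; requireSSL on the forms element additionally makes the forms-authentication module refuse to issue or accept its ticket over plain HTTP.

```xml
<!-- Added example, not from the whitepaper: cookie hardening in the web application's web.config.
     Keep the loginUrl and other attributes SharePoint already has on <forms>; only add requireSSL. -->
<system.web>
  <!-- defaults for all cookies: never sent over HTTP, never readable from script -->
  <httpCookies requireSSL="true" httpOnlyCookies="true" />
  <authentication mode="Forms">
    <forms loginUrl="/_login/default.aspx" requireSSL="true" />
  </authentication>
</system.web>
```

With requireSSL="true" an HTTP zone of the same web application can no longer keep users logged in (the browser withholds the cookie), which is the intended effect; combine it with the HTTP-to-HTTPS redirect so users are not left on a zone that cannot authenticate them. Verify the result in the browser's cookie view as described above.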
Clickjacking
The easiest fix for this risk (your page being loaded inside a frame on an attacker's site) is to add the X-Frame-Options header to the HTTP response; remember that old browsers do not honour it.
To configure IIS to add an X-Frame-Options header to all responses for a given website, follow these steps:
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
3. Double-click the HTTP Response Headers icon in the feature list in the middle.
4. In the Actions pane on the right side, click Add.
5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
6. Click OK to save your changes.
Note
By default, SharePoint 2013/2016 already sends this response header (X-FRAME-OPTIONS: SAMEORIGIN).
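A read-only check that fetches a page and reports the three things discussed above in one pass: mixed content (sub-resources loaded over http:// from an https:// page), cookies that lack the Secure or HttpOnly flag, and the X-Frame-Options header. This is an added example, not the whitepaper's own tooling; the URL in the usage line is a placeholder. It uses HttpWebRequest directly rather than Invoke-WebRequest so that the cookies set on the intermediate authentication redirects are collected too.

```powershell
# Added example: audit one SharePoint page for mixed content, weak cookie flags and X-Frame-Options.
# Assumption: the caller's Windows account (or the supplied credential) can log in to the site.
function Test-SPResponseSecurity {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [System.Management.Automation.PSCredential] $Credential   # omit to use the logged-on user
    )
    $cookies = New-Object System.Net.CookieContainer
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.CookieContainer = $cookies
    $req.AllowAutoRedirect = $true             # follow the /_windows or /_login hops that set FedAuth
    if ($Credential) { $req.Credentials = $Credential.GetNetworkCredential() }
    else             { $req.UseDefaultCredentials = $true }

    $resp = $req.GetResponse()                 # throws on 401/403/5xx: that is a finding in itself
    $html = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
    $resp.Close()

    # Mixed content: tags whose src/href points at plain http:// inside an https:// page
    $mixed = @()
    if ($resp.ResponseUri.Scheme -eq 'https') {
        $pattern = '(?i)<(?:img|script|iframe|link|source|embed)\b[^>]*\s(?:src|href)\s*=\s*["''](http://[^"'']+)'
        $mixed = [regex]::Matches($html, $pattern) | ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
    }

    # Cookie flags: every cookie the server set during the exchange, including FedAuth
    $weakCookies = foreach ($c in $cookies.GetCookies($resp.ResponseUri)) {
        if (-not $c.Secure -or -not $c.HttpOnly) {
            [pscustomobject]@{ Name = $c.Name; Secure = $c.Secure; HttpOnly = $c.HttpOnly }
        }
    }

    [pscustomobject]@{
        Url              = $resp.ResponseUri.AbsoluteUri
        XFrameOptions    = $resp.Headers['X-Frame-Options']     # expect SAMEORIGIN; $null means missing
        MixedContentUrls = $mixed
        WeakCookies      = $weakCookies
    }
}

# Usage (placeholder URL):
# Test-SPResponseSecurity -Url 'https://portal.contoso.local/' | Format-List
```

Run it against the HTTPS public URL of each zone; an empty MixedContentUrls list, an empty WeakCookies list and XFrameOptions = SAMEORIGIN is the expected result after the fixes in this chapter.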
ViewState is not encrypted
SharePoint doesn't use ViewState to store sensitive data such as user tokens, so give your security department the justification that ViewState has to exist in SharePoint because it is built on top of ASP.NET Web Forms.
Note
If you have custom code that uses ViewState, avoid storing sensitive data in it: ViewState is only base64-encoded and anyone can read it. If you must, enable ViewState encryption and keep MAC validation on for integrity (never set enableViewStateMac to false; without the MAC the server deserializes whatever ViewState an attacker sends).
To see this for yourself, use an ASP.NET ViewState decoder: copy any __VIEWSTATE value from the HTML source, then decode the base64 string.
Sensitive resources
For an anonymous SharePoint website, prevent users from accessing sensitive resources that may disclose critical information or expose administrative pages, such as the application pages under the _layouts folder, e.g. /_layouts/viewlsts.aspx.
Accessing the _layouts/ folder
By default, the Publishing site template activates a hidden site collection feature called "ViewFormPagesLockDown" that prevents anonymous users from accessing application pages and list forms. If it is disabled, activate it with the following command:
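The activation, scripted over every site collection of an anonymous web application so that none is missed. This is an added example and not from the whitepaper; the web application URL is a placeholder.

```powershell
# Added example: enable ViewFormPagesLockDown on all site collections of one web application.
# Assumption: $WebAppUrl is a placeholder for the anonymous web application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$WebAppUrl = 'http://portal.contoso.local'

foreach ($site in (Get-SPWebApplication $WebAppUrl).Sites) {
    try {
        # hidden feature, so it is not visible in Site Settings; query it by name
        $enabled = Get-SPFeature -Identity ViewFormPagesLockDown -Site $site.Url -ErrorAction SilentlyContinue
        if ($enabled) {
            "already locked down : $($site.Url)"
        } else {
            Enable-SPFeature -Identity ViewFormPagesLockDown -Url $site.Url -Force
            "lockdown enabled    : $($site.Url)"
        }
    } finally {
        $site.Dispose()     # SPSite holds unmanaged resources
    }
}
```

The feature changes which permissions the anonymous users group receives; if anonymous access was already turned on for a site before activation, turn it off and on again (Site Permissions > Anonymous Access) so the reduced permission set is applied.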
_vti_inf.html, _vti_bin, _vti_pvt and _vti_bin/spsdisco.aspx
If your SharePoint application is anonymously accessible, implement authorization rules that restrict access to the web services and resources under _vti_bin, _vti_pvt, _vti_bin/spsdisco.aspx and so on, to at least stop an attacker from using them to gather information such as the SharePoint version or the FrontPage Server Extensions configuration.
Add these authorization rules to the web application's web.config
Web.config configurations
We can categorize them into the following sections:
Stack Trace and Errors Disclosure (ASP.NET)
Stop disclosing information through unhandled errors, tracing and debug builds. A few settings prevent leaking details (stack traces, source paths, framework versions) that help an attacker profile the application and plan further attacks. Some of these settings also improve performance, for example debug="false".
Change these settings in the web application's web.config file:
• Set <customErrors mode="On" />
• Remove <trace> or set <trace enabled="false" /> (not enabled by default)
• Set <compilation debug="false" />
• Set <SafeMode CallStack="false" ... /> under the <SharePoint> element
Do the same in the web.config file under the _layouts folder.
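The settings from this section shown in context, together with the authorization rules for the _vti_* resources from the previous section, the ViewState settings from the note above, and the request size cap discussed later under "Max Upload Document / Max Request length". This is an added example, not the whitepaper's own file: the elements are merged into the web application's existing web.config (which already contains SafeMode, pages and httpRuntime elements with more attributes than shown), and the same change is made on every web front end or applied through SPWebConfigModification so the farm re-applies it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the whitepaper: hardening settings for a SharePoint web application's
     web.config. Only the attributes shown are changed; keep the other attributes and child elements
     (for example <PageParserPaths> under <SafeMode>) that SharePoint already has. -->
<configuration>
  <SharePoint>
    <!-- no call stacks and no page-level trace output on SharePoint error pages -->
    <SafeMode MaxControls="200" CallStack="false" DirectFileDependencies="10"
              TotalFileDependencies="250" AllowPageLevelTrace="false" />
  </SharePoint>
  <system.web>
    <!-- generic error page instead of the ASP.NET error details -->
    <customErrors mode="On" />
    <trace enabled="false" />
    <compilation debug="false" />
    <!-- request size cap in KB (50 MB here); align it with Maximum Upload Size in Central Administration -->
    <httpRuntime maxRequestLength="51200" />
    <!-- ViewState: MAC for integrity (never false), encryption so custom code cannot leak data through it -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" validateRequest="false" />
  </system.web>
  <!-- anonymous users ("?") may not reach the legacy web services and FrontPage RPC folders -->
  <location path="_vti_bin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_vti_pvt">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_vti_inf.html">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Test an anonymous session after the change: _vti_bin hosts client.svc and the REST endpoints, so any page script that calls them for anonymous visitors will break, and those calls then need their own, narrower location element rather than a blanket allow.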
Validation Request
Request validation, a feature in ASP.NET since version 1.1, prevents the server from accepting content containing un-encoded HTML. It is designed to help prevent some script-injection attacks in which client script or HTML is unknowingly submitted to a server, stored, and then presented to other users.
SharePoint, like other .NET content management systems, has many places where rich text must be submitted to the server. By default, Microsoft disables request validation in SharePoint's web.config (<pages validateRequest="false">), and if you enable it you will no longer be able to create pages with HTML content. In this case you need to accept the risk and keep the feature disabled, but keep SharePoint patched with up-to-date fixes, and in custom code validate input and encode output on both the client and the server, using libraries such as AntiXSS or the encoders built into .NET 4.5 and later.
Patching
New vulnerabilities in SharePoint and the platform it runs on are discovered continuously, so the fixes must be applied continuously.
SharePoint patches come in three forms:
1. Service Pack: includes all previous fixes plus new ones, and may add new features.
2. Cumulative Update (CU): includes fixes for problems reported by customers through support cases (released monthly).
3. Hotfix, Public Update or Quick Fix Engineering (QFE): security fixes, or fixes for a problem affecting a specific customer.
Patching needs to be planned, and it will bring your farm down for the duration, so it's recommended to have a backup or a disaster recovery farm.
Some tips to consider when patching your SharePoint farm:
• Stop automatic Windows Update on the SharePoint and SQL servers; pick up updates and fixes from these sites:
  http://blogs.technet.com/b/stefan_gossner/ and https://technet.microsoft.com/library/dn789211(v=office.14)
• Check the SharePoint build version against these sites:
  o SharePoint 2010: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=224
  o SharePoint 2013: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=346
  o SharePoint 2016: http://www.toddklindt.com/blog/Builds/SharePoint-2016-Builds.aspx
• This blog provides good articles related to patching: http://blogs.msdn.com/b/sambetts/archive/tags/patching/
• To patch SharePoint 2016 with zero downtime you need to fulfil specific conditions; for more information see https://fabdulwahab.com/2018/01/11/recommendations-for-patching-sharepoint-2016/
• Check the SharePoint version with PowerShell: (Get-SPFarm).BuildVersion
• Notify your users, because the farm will be down during patching.
• Test the patching in a test farm before going live (a virtual machine is fine; it does not need to be identical to the production farm, but it should run the same build and the same customizations).
• Document the SharePoint farm and have a rollback plan.
  o You can use this PowerShell script https://gallery.technet.microsoft.com/office/Inventory-SharePoint-Farm-dc11fc28/view/Discussions or other scripts on the CodePlex site to document your SharePoint farm.
• Identify the maintenance window.
• Test the farm after patching, then monitor it.
Any security vulnerability that applies to ASP.NET also applies to SharePoint, because SharePoint is built on top of the ASP.NET framework.
These are some of the common ASP.NET vulnerabilities:
1. Padding oracle vulnerability (MS10-070, which affected all ASP.NET versions at the time, 1.1 through 4.0): most probably present in an unpatched SharePoint 2010 or older farm. Background: http://weblogs.asp.net/scottgu/important-asp-net-security-vulnerability or http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html . The fix is a .NET Framework security update delivered through Windows Update, not a SharePoint CU; keep the servers current or install it directly from https://technet.microsoft.com/library/security/ms10-070
2. Hash DoS vulnerability (MS11-100; the protection is built into .NET 4.5): allows an attacker to send a POST request with a very large number of form parameters crafted to collide in ASP.NET's hash table, consuming CPU for each request. Background: http://www.troyhunt.com/2011/12/has-hash-dos-patch-been-installed-on.html . Again this is a .NET Framework update; keep the servers current or install it directly from https://technet.microsoft.com/library/security/ms11-100
Persistent XSS flaw in SharePoint 2013
This vulnerability, CVE-2015-2522, is caused by insufficient sanitization of user-supplied input at a number of input points such as notes, keywords, and comments; apply the security update that addresses it.
Manage blocked file types in SharePoint
SharePoint can be configured to disallow uploads of files with specific extensions. This per-web-application setting prevents the specified file types from being saved to or retrieved from any site in the web application. The check is on the file name extension only, so it stops careless uploads of executable content rather than a determined attacker who renames a file.
The following URL lists the file types blocked by default and their file name extensions: https://technet.microsoft.com/en-us/library/cc262496.aspx
Set Security Validation to On
Security validation adds a form digest (an anti-CSRF token) to every page that posts back, so a request forged from another site cannot perform an action on the user's behalf. The digest expires after the configured period; once it has expired, the page must be reloaded before the action is accepted. It does not end the user's session or force a new logon.
By default this option is On; make sure it is set to expire after 30 minutes.
Do Not Crawl Sensitive Content
Listing restricted content in search results can lead to information disclosure. To avoid this, configure the SharePoint list or library to be excluded from search (List Settings > Advanced Settings > "Allow items from this list to appear in search results": No).
Crawl Rules in Search
Some content or pages, like http://*allitems.aspx, should not appear in search results for public users, because they can disclose important information.
To avoid this, create crawl rules that exclude them from the index, such as:
http://*editform.aspx
http://*dispform.aspx
http://*my-sub.aspx
http://*mod-view.aspx
http://*itemsonhomepage.aspx
http://*thumbnails.aspx
Note
Consider creating crawl rules for sub-sites with limited access (admin and others) so they are not crawled and exposed to anonymous users. Search security-trims results against item permissions; crawl rules are a second layer for content that is technically readable but should not be discoverable.
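The exclusion rules above created with PowerShell, so the list can be kept in source control and re-applied on every farm. This is an added example and not from the whitepaper; the Search Service Application name is a placeholder, and the patterns are the whitepaper's own plus allitems.aspx from the paragraph above.

```powershell
# Added example: create the search exclusion crawl rules idempotently.
# Assumption: 'Search Service Application' is the name of your SSA.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ssa = Get-SPEnterpriseSearchServiceApplication -Identity 'Search Service Application'

$patterns = 'http://*allitems.aspx', 'http://*editform.aspx', 'http://*dispform.aspx',
            'http://*my-sub.aspx',   'http://*mod-view.aspx', 'http://*itemsonhomepage.aspx',
            'http://*thumbnails.aspx'
# If the crawled (Default zone) URL is HTTPS, the patterns must use https:// as well
$patterns += $patterns | ForEach-Object { $_ -replace '^http://', 'https://' }

$existing = Get-SPEnterpriseSearchCrawlRule -SearchApplication $ssa | Select-Object -ExpandProperty Path
foreach ($p in $patterns) {
    if ($existing -contains $p) { "exists  : $p"; continue }
    New-SPEnterpriseSearchCrawlRule -SearchApplication $ssa -Path $p -Type ExclusionRule | Out-Null
    "created : $p"
}
```

Crawl rules only take effect on the next crawl: run a full crawl of the content source afterwards so that items already in the index are removed from the results.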
Default content access account
The SharePoint Search service uses this account to crawl content. Do not grant this service account Full Control.
The account needs full read access to each web application: under the web application's "User Policy", make sure the account has only "Full Read".
Max Upload Document / Max Request length
It's recommended to reduce "Maximum Upload Size" and "maxRequestLength" to the values your business actually needs, to limit the load, response time and storage impact of oversized requests on the server, especially under a denial-of-service attack.
Follow these steps (make sure the values meet your business requirements):
To set the maximum upload size:
1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Central Administration.
2. Click Application Management.
3. Under SharePoint Web Application Management, click Web application general settings.
4. On the Web Application General Settings page, select the web application that you want to change.
5. Under Maximum upload size, type the maximum file size in megabytes that you want, and then click OK. You can specify a maximum file size up to 2,047 megabytes.
To set the maximum request length:
1. Open the web.config file in Notepad from the following path: Program Files\Common Files\Microsoft Shared\Web server extensions\14\TEMPLATE\LAYOUTS
Note: 15\TEMPLATE\LAYOUTS in the case of SharePoint 2013
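The per-web-application settings from the last few sections (blocked file types, security validation timeout, maximum upload size) applied in one script, followed by a check that the crawl account's user policy is Full Read and nothing more. This is an added example and not from the whitepaper; the web application URL, the extra extensions and the crawl account name are placeholders.

```powershell
# Added example: harden one web application's settings and check the crawl account's policy.
# Assumptions: the web application URL, the added extensions and the crawl account are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wa = Get-SPWebApplication 'http://portal.contoso.local'

# Blocked file types: extend the default list (extensions are stored without the dot)
foreach ($ext in 'ps1', 'psm1', 'hta', 'jar', 'scr') {
    if (-not $wa.BlockedFileExtensions.Contains($ext)) { $wa.BlockedFileExtensions.Add($ext) }
}

# Security validation (form digest): on, and expiring after 30 minutes
$wa.FormDigestSettings.Enabled = $true
$wa.FormDigestSettings.Expires = $true
$wa.FormDigestSettings.Timeout = New-TimeSpan -Minutes 30

# Maximum upload size in MB (set httpRuntime maxRequestLength in web.config to match)
$wa.MaximumFileSize = 50

$wa.Update()

# Crawl account: report every policy role it holds so anything beyond Full Read stands out
$crawlAccount = 'CONTOSO\svc_search_crawl'           # assumption
foreach ($policy in $wa.Policies) {
    if ($policy.UserName -like "*$crawlAccount*") {   # claims form is i:0#.w|contoso\svc_search_crawl
        $roles = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
        "$($policy.UserName): $roles"
    }
}
```

Expected output for the policy check is a single line ending in "Full Read"; a "Full Control" binding on the crawl account is the finding this section warns about.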
Client Object Model Permission Requirement
It's recommended to prevent anonymous users from accessing the Client Object Model interfaces. When the option "Require Use Remote Interfaces permission" is checked, a user must hold the Use Remote Interfaces permission to access SOAP, WebDAV and the Client Object Model.
Enable Client Integration
It's recommended to disable client integration on an anonymous website, but doing so effectively blocks SharePoint from being a useful collaboration tool: it blocks all Office client interaction with SharePoint, and also prevents working with SharePoint Designer and the Windows Explorer view.
Note
Don't choose this option unless you have evaluated the client's business requirements and extended the SharePoint web application to an authenticated zone for SharePoint Designer and the other client features.
Separation of duties
Separation of duties is a security principle: more than one individual shares a single task, so that no one person can commit fraud or an error unnoticed. For anonymous websites this policy can be very important, and it can be applied in SharePoint in several ways, for example:
• Content deployment is a SharePoint feature that pushes content from a source site collection (the authoring farm) to a destination site collection (the production farm). This way, authors never authenticate against the production servers. Also consider placing the SharePoint production servers in a separate zone such as a DMZ.
Ensure the dbcreator and securityadmin SQL Server roles are held by the farm account only while they are needed (farm setup and service application creation)
Ensure that the SharePoint Online Web Part Gallery component is configured with limited access
Secure Infrastructure Design
Ensure a secondary SharePoint site collection administrator has been defined on each site collection
Ensure SharePoint implements an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions
Ensure SharePoint implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers
Ensure SharePoint identifies data type, specification, and usage when transferring information between different security domains so policy restrictions may be applied
Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured
Ensure that SharePoint is configured with "Strict" browser file handling settings
Ensure that SharePoint is set to reject or delay network traffic generated above configurable traffic volume thresholds
Ensure that on-premises SharePoint servers are configured without OneDrive redirection linkages
Ensure that the default SharePoint database server ports are changed and/or disabled
Ensure that SharePoint application servers are protected by a reverse proxy
Ensure SharePoint database servers are segregated from application server and placed in a secure zone
Ensure that the SharePoint Central Administration interface is not hosted in the DMZ
Authentication Ensure SharePoint displays an approved system use notification message or banner before granting access to the system
Ensure claims-based authentication is used for all web applications and zones of a SharePoint 2016 farm
Ensure Windows Authentication uses Kerberos and not the NT Lan Manager (NTLM) authentication protocol
Ensure Anonymous authentication is denied
Auditing
Ensure that the auditable events and diagnostic tracking settings within the SharePoint system are consistent with the organization's security plans
Ensure that remote sessions for accessing security functions and security-relevant information are audited
Services and Connections
Ensure that the SQL Server instance used by SharePoint listens on non-default ports, with the defaults (UDP 1434 and TCP 1433) disabled; this is hardening against scanning, not a substitute for firewalling the instance to the SharePoint servers only
Ensure the HTTPS binding of the SharePoint Web Services site (TCP 32844, used by the Security Token Service and other service applications) is used rather than the HTTP binding on TCP 32843
Ensure that SharePoint user sessions are terminated upon user logoff and when the idle time limit is exceeded
Web.Config Configuration Ensure that the MaxZoneParts setting for Web Part limits is set to 100
Ensure that the SafeControls list is set to the minimum set of controls needed for your sites
Ensure compilation or scripting of database pages via the PageParserPaths elements is not allowed
Ensure the SharePoint CallStack and AllowPageLevelTrace "SafeMode" parameters are set to false
Thank You
Thanks for reading this whitepaper. Again, I really hope it has been informative and that
it will help you to maximize SharePoint security. For any questions or comments, send me