sharepoint security
play

SharePoint Security Advanced SharePoint Security Tips and Tools 05 - PowerPoint PPT Presentation

Jul 22, 2023 •40 likes •490 views

SharePoint Security Advanced SharePoint Security Tips and Tools 05 Oct 2010 Presen sented ted by: Francis Brown Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W Brief f Intro o to o SharePoint ePoint Overview of

  1. SharePoint Security Advanced SharePoint Security Tips and Tools 05 Oct 2010 Presen sented ted by: Francis Brown Stach & Liu, LLC www.stachliu.com

  2. Agenda O V E R V I E W • Brief f Intro o to o SharePoint ePoint • Overview of Major Components • ShareP ePoint oint Secu curity ity • Security Tips and Tools 2

  3. Background G E T T I N G U P T O S P E E D 3

  4. Background MS SharePoint Products & Technologies • Windo dows ws SharePoint ePoint Servic vices es (WSS) ) • Office ice ShareP ePoint oint Server ver 2007/2010 7/2010 (MOSS) S) • ShareP ePoint oint Desig igner ner 2007/201 7/2010 0 (SPD PD) 4

  5. Background MS SharePoint Products & Technologies 5

  6. Background MS SharePoint Products & Technologies 6

  7. Background MS SharePoint Products & Technologies 7

  8. Background MS SharePoint Products & Technologies 8

  9. Site Hierarchy Intro to SharePoint 9

  10. SharePoint Site Hierarchy Intro to SharePoint Base Site e URLs Ls: • http://learnsouth/ • http://learnsouth/Media/ • http://learnsouth/Revisions/ • http://learnsouth/Schools/ • http://learnsouth/Schools/SchoolA/ • http://learnsouth/Schools/SchoolB/ • http://learnsouth/Schools/SchoolC/ 10

  11. Site Structure Intro to SharePoint 11

  12. Site Navigation Intro to SharePoint 12

  13. Security Tips W H A T Y O U S H O U L D K N O W 13

  14. Security Tips S H A R E P O I N T S E C U R I T Y # Security Tip 1 Know your external exposure … 2 Beware of normal users with excessive access … 3 Spot check user permissions and inheritance… 4 Beware third-party plugins/code…BUT not too much… 5 Backup every which way from Sunday… … 14

  15. Security Tip #1 K N O W Y O U R E X T E R N A L E X P O S U R E 15

  16. External Exposure F I N D I N G H O L E S 1. “Google Hack yourself” 1. Search Google for exposed SharePoint admin pages 2. E.g. inurl :"/_catalogs/wt/“ 3. NEW: SharePoint Google Regexs for S&L SearchDiggity – 109 queries 3. 2. SharePoint URL Brute-forcing 1. Forceful browse to common SharePoint extensions to test access 2. 2. NEW: Tool to bruteforce SharePoint URLs – 89 known extensions 3. Nmap for other SharePoint administrative apps 1. E.g. Central Administration, Shared Service Providers (SSP) 16

  17. External Exposure G O O G L E H A C K I N G S H A R E P O I N T 17

  18. S H A R E P O I N T H A C K I N G T O O L S DEMO DEMO 18

  19. Security Tip #2 B E W A R E U S E R S W I T H E X C E S S I V E A C C E S S 19

  20. C O N T I N U E D S H A R E P O I N T H A C K I N G DEMO DEMO 20

  21. Excessive User Access M O R E T H A N Y O U B A R G A I N E D F O R . . . • Web Servic vices es examples mples • Admin.asmx • Permissions.asmx • User Administr inistration ation examples mples • “People and Groups” • ”Add Users” • “ PeoplePicker ” 21

  22. Security Tip #3 C H E C K P E R M I S S I O N S A N D I N H E R I T A N C E 22

  23. User Permissions S E C U R I T Y T I P S 23

  24. User Permissions S E C U R I T Y T I P S 24

  25. User Permissions S E C U R I T Y T I P S 25

  26. Security Tools U S E R P E R M I S S I O N S 26

  27. Security Tools U S E R P E R M I S S I O N S 27

  28. Security Tools U S E R P E R M I S S I O N S 28

  29. Security Tip #4 B E W A R E T H I R D- P A R T Y C O D E… N O T T O O M U C H 29

  30. Third-Party Plugins N E C E S S A R Y E V I L • SharePoint without third-party plugins is like an iPhone with no apps • Solutions, Features • Web Parts, Templates • If too strict, people will circumvent you 30

  31. Third-Party Plugins S O L U T I O N S 31

  32. Third-Party Plugins S O L U T I O N S 32

  33. Third-Party Plugins F E A T U R E S 33

  34. Third-Party Plugins F E A T U R E S 34

  35. Third-Party Plugins F U T U R E S E C U R I T Y • SharePoint 2010 has sandboxed solutions • Minimize risk of running untrusted third-party plugins 35

  36. Third-Party Plugins S A N D B O X E D S O L U T I O N S 36

  37. Security Tip #5 B A C K U P E V E R Y W H I C H W A Y F R O M S U N D A Y 37

  38. Backups M A N Y M E T H O D S … A L L T E R R I B L E 1. Windows 2003/2008 Server backups 2. Stsadm.exe cmdline tool backups 3. Central Administration v3 backups 4. SharePoint Designer backups 5. Site and List template backups 6. Raw MS SQL database backups 38

  39. Backups S H A R E P O I N T D E S I G N E R 39

  40. Backups S T S A D M / C E N T R A L A D M I N I S T R A T I O N 40

  41. Backups S I T E A N D L I S T T E M P L A T E S 41

  42. Backups S I T E A N D L I S T T E M P L A T E S 42

  43. Backups R A W S Q L D A T A B A S E S Farm Config DB Central Administration Console/ Custom Backup Application File Server Content DB Content DB Search SSP DB Index Full Back up Differntial SQL Backup/Restore 43

  44. Questions? Ask us something We’ll try to answer it. For more info: Email: contact@stachliu.com Project: diggity@stachliu.com Stach & Liu, LLC www.stachliu.com

  45. Thank You Stach & Li Liu SharePoi oint nt Hacking Diggity Project ect info: http://www.stachliu.com/index.php/resources/tools/sharepoint-hacking-diggity-project/ 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SharePoint Security Advanced SharePoint Security Tips and Tools 22 Feb 2012 OWASP L.A. 2012

SharePoint Security Advanced SharePoint Security Tips and Tools 22 Feb 2012 OWASP L.A. 2012

SharePoint Security Advanced SharePoint Security Tips and Tools 22 Feb 2012 OWASP L.A. 2012 Los Angeles, CA Presen sented ed b by: Francis Brown Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W Br Brief ef Int

606 views • 58 slides
Office Online Sanjoyan Mustafi Senior Program Manager SharePoint & OneDrive Security &

Office Online Sanjoyan Mustafi Senior Program Manager SharePoint & OneDrive Security &

New features for Sensitivity labels: SharePoint, Teams, Office Online Sanjoyan Mustafi Senior Program Manager SharePoint & OneDrive Security & Compliance https://www.linkedin.com/in/Sanjoyan/ Admin: New label creation flow for

375 views • 14 slides
Upgrading SharePoint 2010 to SharePoint 2013 Todd Klindt SharePoint Nerd Rackspace Who is this

Upgrading SharePoint 2010 to SharePoint 2013 Todd Klindt SharePoint Nerd Rackspace Who is this

Upgrading SharePoint 2010 to SharePoint 2013 Todd Klindt SharePoint Nerd Rackspace Who is this Todd guy? WSS MVP since 2006 Speaker, writer, consultant, lover of cheese Personal Blog www.toddklindt.com/blog Company web

565 views • 27 slides
SharePoint Online Introduction Scott A. Concilla Microsoft Certified Trainer IM-61, OCIO,

SharePoint Online Introduction Scott A. Concilla Microsoft Certified Trainer IM-61, OCIO,

SharePoint Online Introduction Scott A. Concilla Microsoft Certified Trainer IM-61, OCIO, Department of Energy Class Topics Understanding SharePoint Online SharePoint Online Structure Navigating a SharePoint Site SharePoint

944 views • 90 slides
SharePoint Connect and empower your organisation Stefanie Kechayas Senior Consultant 17

SharePoint Connect and empower your organisation Stefanie Kechayas Senior Consultant 17

Enhancing community sector service delivery SharePoint Connect and empower your organisation Stefanie Kechayas Senior Consultant 17 February 2016 Technology for Social Justice Today 1. What is SharePoint? 2. Why use SharePoint? a. Some

523 views • 33 slides
SharePoint A first look Sahil Malik www.winsmarts.com Agenda End user level

SharePoint A first look Sahil Malik www.winsmarts.com Agenda End user level

SharePoint A first look Sahil Malik www.winsmarts.com Agenda End user level familiarization with SharePoint An overview of development choices and your development machine Pre-Requisites A SharePoint site with 4 users, Tiger

336 views • 21 slides
SharePoint Admin 101 (and beyond) Shane Young 13 Year SharePoint MVP

SharePoint Admin 101 (and beyond) Shane Young 13 Year SharePoint MVP

SharePoint Admin 101 (and beyond) Shane Young 13 Year SharePoint MVP Shane@powerapps911.com @ShanesCows http://www.youtube.com/ShaneYoungCloud Cincinnati, Ohio https://www.PowerApps911.com https://www.BoldZebras.com

430 views • 17 slides
Implementing SharePoint A Case Study on tailoring SharePoint to meet agency recordkeeping needs

Implementing SharePoint A Case Study on tailoring SharePoint to meet agency recordkeeping needs

Implementing SharePoint A Case Study on tailoring SharePoint to meet agency recordkeeping needs Mary Ann Rosenthal Team Leader Information Management Whittlesea Growing 2007 population 133,000 2017 population 216,000 2028

551 views • 30 slides
PowerShell with SharePoint Server and Office 365 Shane Young 13 Year SharePoint MVP

PowerShell with SharePoint Server and Office 365 Shane Young 13 Year SharePoint MVP

PowerShell with SharePoint Server and Office 365 Shane Young 13 Year SharePoint MVP Shane@powerapps911.com @ShanesCows http://www.youtube.com/ShaneYoungCloud Cincinnati, Ohio https://www.PowerApps911.com

1.55k views • 45 slides
Scaling SharePoint Farms with MinRole & Other T ools Spencer Harbar #SPSMUC02 October 10 th ,

Scaling SharePoint Farms with MinRole & Other T ools Spencer Harbar #SPSMUC02 October 10 th ,

Scaling SharePoint Farms with MinRole & Other T ools Spencer Harbar #SPSMUC02 October 10 th , 2015 About Spencer Harbar Agenda SharePoint T opology Fundamental Truths SharePoint (any version) is not designed from the cloud up

412 views • 29 slides
Discovery of Challenging Sources: SharePoint, Unstructured Data, the Cloud and Beyond Panelist:

Discovery of Challenging Sources: SharePoint, Unstructured Data, the Cloud and Beyond Panelist:

Discovery of Challenging Sources: SharePoint, Unstructured Data, the Cloud and Beyond Panelist: Larry Briggi Leigh Isaacs Karin Roberts Moderator: Mary Pat Poteet Security issues of the Cloud: What to avoid and how to batten down the

418 views • 15 slides
SHAREPOINT SERVER 2016 Todd Klindt SharePoint MVP since 2006 Speaker, writer, consultant,

SHAREPOINT SERVER 2016 Todd Klindt SharePoint MVP since 2006 Speaker, writer, consultant,

TODD KLINDT UPGRADING TO SHAREPOINT SERVER 2016 Todd Klindt SharePoint MVP since 2006 Speaker, writer, consultant, Aquarius, Iowa Native Fan of all Microsoft Technologies Personal Blog: www.toddklindt.com/blog Twitter: @toddklindt Podcast:

296 views • 27 slides
Using Flow in your On Premise Environment SharePoint Saturday Baltimore #SPSBMORE May 20, 2017

Using Flow in your On Premise Environment SharePoint Saturday Baltimore #SPSBMORE May 20, 2017

Using Flow in your On Premise Environment SharePoint Saturday Baltimore #SPSBMORE May 20, 2017 About Me SharePoint consultant who specializes in easy to use solutions for simplifying and automating business processes. Federal client

300 views • 19 slides
Modernization of TSD Documentation Using SharePoint Yun He TSD Topical Meeting August 16, 2018

Modernization of TSD Documentation Using SharePoint Yun He TSD Topical Meeting August 16, 2018

Modernization of TSD Documentation Using SharePoint Yun He TSD Topical Meeting August 16, 2018 Outline How to navigate TSD online documentation system TSD public web site: http://targets.fnal.gov/ TSD SharePoint sites: Public:

544 views • 12 slides
FastTrack from FastTrack SharePoint Presentation www.officelabs.co.uk By OfficeLabs CONTENTS

FastTrack from FastTrack SharePoint Presentation www.officelabs.co.uk By OfficeLabs CONTENTS

FastTrack from FastTrack SharePoint Presentation www.officelabs.co.uk By OfficeLabs CONTENTS FastTrack SharePoint What is it? Key Benefits Key Features Support Next Step FastTrack SharePoint Presentation

389 views • 7 slides
University of Illinois SharePoint Shared Service Birds of a Feather Roundtable

University of Illinois SharePoint Shared Service Birds of a Feather Roundtable

University of Illinois SharePoint Shared Service Birds of a Feather Roundtable https://web.uillinois.edu/sharepoint Phil Nyman & Larry Gibson Spring UIUC IT Pro Forum @ iHotel June 8, 2017 Who are we? Phil Nyman Technology

524 views • 17 slides
Trends in Managing Data at the Petabyte Scale Steve Kleiman Sr. VP & CTO Before we

Trends in Managing Data at the Petabyte Scale Steve Kleiman Sr. VP & CTO Before we

Trends in Managing Data at the Petabyte Scale Steve Kleiman Sr. VP & CTO Before we begin Disk reliability SIGMETRICS 07: An Analysis of Latent Sector Errors in Disk Drives Lakshmi Bairavasundaram, Garth Goodson, Jiri

684 views • 21 slides
CSSE 120 DAY 1 Introduction to Software Development - Robotics Outline Introductions:

CSSE 120 DAY 1 Introduction to Software Development - Robotics Outline Introductions:

As you arrive Start up your computer and plug it in. Find the course web site, by visiting: www.rose-hulman.edu/class csse Then csse120 Then 201110 Then for Delvins sections 201110robotics for Davids sections

264 views • 25 slides
signin.ritlug.com sign in! The Importance of Backups RITLug - Week 2! Solomon Rubin Backups!

signin.ritlug.com sign in! The Importance of Backups RITLug - Week 2! Solomon Rubin Backups!

Dont forget to signin.ritlug.com sign in! The Importance of Backups RITLug - Week 2! Solomon Rubin Backups! What is it?! Copy and archiving data to a secondary location. (Duh) Two Purposes Data recovery File Replacement

324 views • 15 slides
Disaster Recovery Planning Marcus Bendtsen Institutionen fr Datavetenskap (IDA) Avdelningen

Disaster Recovery Planning Marcus Bendtsen Institutionen fr Datavetenskap (IDA) Avdelningen

Disaster Recovery Planning Marcus Bendtsen Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Disaster Recovery Planning When a disaster strikes and the business continuity plan fails to prevent

757 views • 39 slides
Using JS to Steal Facebook Likes Claim your FREE iPad Bait-and-switch Note: many of these

Using JS to Steal Facebook Likes Claim your FREE iPad Bait-and-switch Note: many of these

Using JS to Steal Facebook Likes Claim your FREE iPad Bait-and-switch Note: many of these attacks are similar to TOCTTOU (Time of Check to Time of Use) vulnerabilities From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al,

376 views • 14 slides
Session #2 Landing Page Mastery and Conversion Rate Optimization Todays Training Will Help

Session #2 Landing Page Mastery and Conversion Rate Optimization Todays Training Will Help

Session #2 Landing Page Mastery and Conversion Rate Optimization Todays Training Will Help You Tr Training Overview 1. Why Conversion Rate Optimization (CRO) / Landing Pages Matter 2. 6 Costly Conversion Mistakes Agencies Make 3. 7

1.02k views • 57 slides
Outline More web risks Confidentiality and privacy CSci 5271 Announcements intermission

Outline More web risks Confidentiality and privacy CSci 5271 Announcements intermission

Outline More web risks Confidentiality and privacy CSci 5271 Announcements intermission Introduction to Computer Security Web/crypto/middleboxes combined slides More crypto protocols More causes of crypto failure Stephen McCamant

440 views • 10 slides
MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser assumes that clicks and keystrokes = clear indication of what the user wants to do Constitutes part of the users trusted path Attacker can

619 views • 38 slides

More recommend