Lock It Down-Securing Your SharePoint Environment

Report
Lock It Down: Securing Your
SharePoint Environment
Liam Cleary
About Me
• Solution Architect @ Protiviti
• SharePoint MVP
• Everything SharePoint
•
•
•
•
Architecture
Infrastructure
Development
Security
• SharePoint Dreamer
• Speak at lots of community events
Agenda
The Hackers
SharePoint
& Hacking
Securing
Topologies
Close those
entry points
Final
Thoughts
The
Hackers
SharePoint
& Hacking
,
SharePoint
& Hacking
wget -r –A pdf --no-check-certificate
https://{siteurl}/Forms/AllItems.aspx
SharePoint
& Hacking
Function IteratePages()
{
[CMDLetBinding()]
Param ([String] $url, [Int] $start, [Int] $end)
for ($i=$start; $i -lt $end; $i++)
{
Write-Host $i
SharePoint
& Hacking
$saveTo = 'C:\OUT\' + $i + '.txt'
Write-Host $saveTo
$retUrl = $url + $i
Write-Host $retUrl
Get-WebPage $retUrl > $saveTo
}
}
Securing
Topologies
Securing
Topologies
Block the standard SQL Server ports
Configure SQL Server database instances to listen on a nonstandard port
Configure SQL client aliases
Bypass the actual server name
Close those
entry points
Configured SQL Encryption
Implement Windows Firewall Policies
Run “Best Practice Security Analyzer” and use “Server Hardening
Guidance”
Utilize Group Policies
Implement Windows Firewall Policies
Run “Best Practice Security Analyzer” and use “Server Hardening
Guidance”
Utilize Group Policies
Close those
entry points
Open “Allowed Ports” ONLY
List Common App Server Ports Here
Open “Allowed Ports” ONLY
TCP 80 – HTTP
TCP 443 - HTTPS
Implement Windows Firewall Policies
Close those
entry points
Run “Best Practice Security Analyzer” and use “Server Hardening
Guidance”
Utilize Group Policies
Open “Allowed Ports” ONLY
TCP 80 – HTTP
TCP 443 - HTTPS
Hardware / Software Firewall
Close those
entry points
SSL Encryption & Inspection
Offload Authentication / Delegation
User Access Gateway (UAG)
Close those
entry points
•
netsh advfirewall firewall add rule name="SQLServer" dir=in action=allow protocol=TCP localport=1433 profile=DOMAIN
•
netsh advfirewall firewall add rule name="SQL DAC" dir=in action=allow protocol=TCP localport=1434 profile=DOMAIN
•
netsh advfirewall firewall add rule name="SQL Browser" dir=in action=allow protocol=UDP localport=1434 profile=DOMAIN
•
netsh advfirewall firewall add rule name="Mirroring EndPoint" dir=in action=allow protocol=TCP localport=5022 profile=DOMAIN
•
netsh advfirewall firewall add rule name="SQL Service Broker" dir=in action=allow protocol=TCP localport=4022 profile=DOMAIN
•
netsh advfirewall firewall add rule name="T-SQL Debugger" dir=in action=allow protocol=TCP localport=135 profile=DOMAIN
Close those
entry points
•
netsh advfirewall firewall add rule name="SharePoint HTTP/HTTPS" dir=in action=allow protocol=TCP localport=80,443 profile=DOMAIN
•
netsh advfirewall firewall add rule name="SharePoint Cache" dir=in action=allow protocol=TCP localport=22233-22236 profile=DOMAIN
•
netsh advfirewall firewall add rule name="SharePoint Farm Communication (TCP)" dir=in action=allow protocol=UDP localport=389,464 profile=DOMAIN
•
netsh advfirewall firewall add rule name="SharePoint Search" dir=in action=allow protocol=TCP localport=16500-16519,445,137-139,5725 profile=DOMAIN
•
netsh advfirewall firewall add rule name="SharePoint Workflow" dir=in action=allow protocol=TCP localport=9354-9356,9000 profile=DOMAIN
Page Lockdown
Fix Security Slip-Ups – manual process
Comply with Compliance and Governance Policies
Administrator can modify or delete logs
Final
Thoughts
Secure Web Site
SQL Injection, Brute Force Password Attack and Cross Site Scripting (XSS)
Understand that SharePoint is SQL
Privileged Users could hack Permission for SharePoint
Fix Search Engine Visibility
Mississippi National Guard apologized for exposing personal data through their public SharePoint Site
Pentest your SharePoint Site
Internal – Choice
External – No Choice
Ensure Latest Patches
Final
Thoughts
Suggested Rule, stay two CU’s behind unless it resolves a current issue
Learn to Hack
Make Security a to Priority
Learn to “Publish” SharePoint Correctly
We (Protiviti) can help you with this 
Liam Cleary
Email: [email protected]
Twitter: @helloitsliam
Blog: http://blog.helloitsliam.com
Final
Thoughts

similar documents