Sunday, May 3, 2009

Securing / Hacking Sharepoint

Security is most crucial requirement for any sharepoint implementation, we wanted to secure the documents/information and also wanted to make sure that we identify all the different holes from where someone can get into the sharepoint environement.

How many places someone can get permission:
- CA> Operations> Update Farm Administrator

- CA> Application Management> Policy for Web Application
Strange thing about setting permission here is it doesn't even show up in code , if you enumerate Site Collection AllUsers property . Also this is the only place to Deny All

- CA> Application Management> Update Site Collection Administrator

- Site Action> Site Settings> Site Collection Administrator ( In site collection Root Web only )

- List Settings> Manage Permission , no way to restrict break inheritance option by site owner. Data in sharepoint is in lists only. So I will say another risky spot.

- Item level Settings> Manage Permission , no way to restrict break inheritance option by list owner

Other Options:
- Save a list or document library as template ( AlwaysIncludeContent=TRUE by default) and restore in another environment.
Mininum Permission required : ManageLists

- Save a site template and restore in another environment
Mininum Permission required : Site Owner

- List Definition AllowEveryoneViewItems Attribute = FALSE by default, but can be set to TRUE by a small utility, i think most dangerous. As this will open files to anyone with Anonymous rights.
Mininum Permission required : ManageLists

- There is no concept of restricting permissions on list view

- Audit logs are not accurate ( don't show all the downloaded entries as long as have tested, comments welcome )

- People and Group - Privacy issues ( http://localhost/_layouts/people.aspx ), anyone can see other users information , like email and cell number etc. I know this is better in MOSS but in WSS, its an issue.

Developer's Code

- AllowUnsafeUpdate = TRUE , most of developer's do this.
- RunAtElevatedPriveldges() , that's another birth right of developers
- SPList.WriteSecurity & SPList.ReadSecurity