Posted 06-Jun-2020
Maximizing SharePoint Security Whitepaper v2.0
1/2018
This technical whitepaper describes how to protect SharePoint servers and websites, and the best practices for maximizing SharePoint security controls.
Fadi Abdulwahab
CSSLP, MCC, MCITP
2 | P a g e
Author
Author of a SharePoint 2013 book and many SharePoint whitepapers, including Search, Variation and Availability topics, with a focus on building secure web applications.
Has delivered many projects with Microsoft technologies since 2006 for banks, universities, and ministries.
Experienced in SharePoint administration, infrastructure, development, governance, and disaster recovery.
Specialties: SharePoint Server, AWS/Azure, ASP.NET/C#, OWASP Top 10, SQL Server administration and high availability solutions.
Recognized as a Microsoft Community Contributor in July 2013.
(ISC)2 CSSLP® Certified Secure Software Lifecycle Professional, July 2015.
AWS Solutions Architect – Associate certification, April 2017.
My Blog:
https://fabdulwahab.com
My Twitter Account:
https://twitter.com/fadi_abdulwahab
My LinkedIn account:
https://www.linkedin.com/in/fadiabdulwahab
My MSDN Profile:
https://social.msdn.microsoft.com/profile/fadi%20abdulwahab/
My SharePoint Book (Advanced Topics in SharePoint 2013 in Arabic language):
http://www.neelwafurat.com/itempage.aspx?id=lbb229815-208246&search=books
Disclaimer
This document is provided "as is"; therefore test any changes before going live.
Product or company names mentioned in this document may be the trademarks of their respective owners.
You can use this whitepaper for your websites and other needs.
Fadi Abdulwahab © 2018, all rights reserved.
I will be happy with your feedback because your feedback is very important; if you have comments or new points, please send them to me at fabdulwahab@outlook.com
Version logs
Version No. | Date | Notes
1.0 | 20/12/2015 | First release
1.1 | 4/12/2016 | Added CIS SharePoint benchmark; added a link for more security headers like HTTP Public Key Pinning; added more security controls in SharePoint configurations; fixed Search Crawl Rules
2.0 | 24/1/2018 | Added CIS SharePoint 2016 benchmark; added the new SharePoint 2016 features related to security: Data Loss Prevention, Outgoing SMTP Encryption, TLS 1.2 support, Patching with zero downtime, New changes for SharePoint 2016 service accounts, …
Table of Contents
Author ......................................................................................................................... 2
Disclaimer .................................................................................................................... 3
Version logs ................................................................................................................. 3
Why Maximizing SharePoint Security .............................................................................. 7
Introduction ................................................................................................................. 8
HTTPs everywhere ........................................................................................................ 9
General Best Practices and Tips ............................................................................................ 9
Configuring SSL/TLS for SharePoint ..................................................................................... 10
Redirect from HTTP to HTTPs .............................................................................................. 16
Server Name Indication (SNI) .............................................................................................. 17
HTTP and HTTPs in AAM ...................................................................................................... 18
SSL Server Test ..................................................................................................................... 18
Mixed Content Mode .......................................................................................................... 24
HTTPs on Login Page only .................................................................................................... 25
Secure cookies ..................................................................................................................... 25
HTTPOnly cookies ................................................................................................................ 26
HSTS ..................................................................................................................................... 26
https://scotthelme.co.uk/hardening-your-http-response-headers/ .................................. 29
End to End Secure Channels ................................................................................................ 29
Extended Validation Certificate (EV) ................................................................................... 29
Performance vs. Security ..................................................................................................... 29
100% security coverage ....................................................................................................... 30
Recommended Reference ................................................................................................... 30
References ........................................................................................................................... 30
Response Headers ...................................................................................................... 31
Version Disclosure (ASP.NET) .............................................................................................. 31
ASP.NET Identified ............................................................................................................... 31
Version Disclosure (IIS) ........................................................................................................ 32
Version Disclosure (SharePoint) .......................................................................................... 33
Clickjacking .......................................................................................................................... 33
ViewState is not encrypted .......................................................................................... 35
Sensitive resources ..................................................................................................... 36
Accessing _layout/ folder .................................................................................................... 36
_vti_inf.html, _vti_bin , _vti_pvt and _vti_bin/spsdisco.aspx ............................................. 36
Web.config configurations ........................................................................................... 37
Stack Trace and Errors Disclosure (ASP.NET) ...................................................................... 37
Validation Request .............................................................................................................. 37
Patching .................................................................................................................... 38
ASP.NET Security Vulnerabilities ......................................................................................... 39
Persistent XSS flaw in SharePoint 2013 ............................................................................... 39
SharePoint configurations ............................................................................................ 40
Secure SharePoint’s Components ........................................................................................ 40
Plan for administrative and service accounts in SharePoint ............................................... 40
Central Administration Site ................................................................................................. 40
Manage blocked file types in SharePoint ............................................................................ 41
Set Security Validation to On............................................................................................... 41
Do Not Crawl Sensitive Content .......................................................................................... 41
Crawl Rules in Search .......................................................................................................... 42
Default content access account .......................................................................................... 43
Max Upload Document / Max Request length .................................................................... 43
Health Check ........................................................................................................................ 44
Require Use Remote Interfaces permission ........................................................................ 45
Enable Client Integration ..................................................................................................... 45
Separation of duties ............................................................................................................ 45
SharePoint Anti-Virus .......................................................................................................... 47
Windows configurations .............................................................................................. 49
Disable loopback check ....................................................................................................... 49
TCP/IP Ports of SharePoint 2013/2016 ............................................................................... 49
Data Loss Prevention in SharePoint 2016 ........................................................................... 51
Outgoing SMTP Encryption ................................................................................................. 51
Google Hacking .......................................................................................................... 53
Preferences .......................................................................................................................... 53
Advanced Operators ............................................................................................................ 53
Hacking Your Website ......................................................................................................... 54
Robots.txt configuration...................................................................................................... 59
Caching ............................................................................................................................ 59
Snippet ............................................................................................................................. 59
No Index .......................................................................................................................... 60
Remove Pages from Google's Index .................................................................................... 60
Tools .................................................................................................................................... 60
GHDB ............................................................................................................................... 60
WIKTO .............................................................................................................................. 61
SearchDiggity ................................................................................................................... 64
SHODAN ........................................................................................................................... 67
Recommended Reference ................................................................................................... 68
SharePoint Support ..................................................................................................... 69
Metasploit ................................................................................................................. 70
ASafaWeb .................................................................................................................. 71
CIS SharePoint benchmark ........................................................................................... 73
Why Maximizing SharePoint Security
Security is becoming an increasingly important concern during the lifecycle of developing operationally hacker-resilient applications, especially as applications become accessible over the internet.
"Maximizing" because security is a matter of degrees (there is no 100% security!).
In this version I try to cover the most common issues and security controls related to on-premises SharePoint 2010, 2013 and 2016.
Finally, treat security as a continuous process; it is not just "set and forget".
Introduction
This document helps SharePoint developers and administrators protect SharePoint applications and portals from the common security issues that are frequently reported by health checkers and penetration testing tools. Most of these issues relate to information disclosure, which falls under No. 6 "Sensitive Data Exposure" in the OWASP Top 10 2013; No. 9 "Using Components with Known Vulnerabilities" also applies. Because SharePoint is a product and framework that is "secure by default", risks like injection or broken session management are rarely found in SharePoint Server applications, unless you develop custom applications and host them in SharePoint as web parts or in any other way; in that case you need to consider the other risks as well.
Unfortunately, many testing tools report false-positive risks. For instance, I read a security testing report and one of the issues was "MongoDB NoSQL Injection"... all of us know that SharePoint uses SQL Server only as its back-end system (you can't install SharePoint on another RDBMS, so how can it be affected by NoSQL databases!!).
Most of these issues and their mitigations are already published on the internet, but here I will try to put them in one place to make it easy for me and others to review the SharePoint security risks.
Finally, before I list the points, I want to clarify that I will not mention points related to best practices for installation, proper configuration, planning, etc. I assume you followed the right implementation when building your SharePoint farm.
HTTPs everywhere
It is a top priority to have a secure connection for your websites in order to protect your information in transit by using the SSL/TLS protocol, and to protect users from common attacks like DNS poisoning and others. HTTPS (HTTP carried over SSL/TLS) gives your websites the following:
1. Confidentiality: protects the data in transit from sniffing with tools like Fiddler or Wireshark, and from hijacking or MITM attacks (the main goal).
2. Integrity: protects the data from tampering in transit; the request is rejected if anyone in the middle modifies the packets.
3. Authenticity: gives visitors assurance about your domain and about who they are talking to.
4. Ranking signal: Google encourages people to make the internet safer and more secure, and HTTPS increases the website's ranking in the Google search engine.
General Best Practices and Tips
Here are some of the most important tips to consider when deploying HTTPS:
- Decide on the kind of certificate (single, multi-domain or wildcard) and make sure it covers all your hostnames.
- Use 2048-bit private keys; if you still have 1024-bit RSA keys, replace them as soon as possible.
- Don't use self-signed certificates on production servers; use valid certificates from valid Certificate Authorities like DigiCert or GoDaddy, or even free SSL certificates from StartSSL or CloudFlare.
- Protect the private key and keep it as a secret asset.
- Use a complex password with the private key certificate.
- Avoid invalid certificate warnings due to date expiration or other reasons, which will confuse users and weaken their trust in your website (Authenticity).
- Replace SHA1 certificates with a strong certificate algorithm like SHA256.
- Deploy certificates with valid certificate chains.
- TLS v1.2 should be your main protocol; disable old protocols like SSL v3 and v2.
Note
Check your clients' browser versions, because IE 6 on Windows XP doesn't support newer secure hashing like SHA256.
Configuring SSL/TLS for SharePoint
Here I will explain how to configure SSL/TLS for SharePoint 2013; you can follow the same steps in SharePoint 2010.
Notes: Previous versions of SharePoint only supported TLS 1.0, but SharePoint 2016 supports TLS 1.2.
Use SSL bridging instead of SSL offloading because it is more secure. HTTPS is no longer a performance penalty; it may even be faster than HTTP, especially when HTTP/2 is used. Try this site: https://www.httpvshttps.com/ .
Prerequisites:
1. IIS 8
2. SharePoint Server 2013 Farm
3. Windows Server 2012
4. Web Application on Port 80
5. Administrator privilege on the server
Steps:
1. Create Self Signed Certificate on IIS 8
2. Import Self Signed Certificate to SharePoint Certificate store (Optional)
3. Add Self Signed Certificate to trust management in Central Administration (Optional)
4. Configure IIS Binding
5. Configure AAM
Step 1: Create Self Signed Certificate on IIS 8
Open IIS Manager, go to the server name and choose the IIS section "Server Certificates".
Click Create Self-Signed Certificate... in the Actions pane.
Specify any name like "SharePointSelfSignedCert" and click OK.
Double click the created certificate, go to the Details tab and click Copy to File...
Click Next (Welcome...),
Select No, do not export the private key and click Next,
Select DER encoded binary and click Next,
Specify the location for the certificate, click Next and then Finish.
Step 2: Import Self Signed Certificate to SharePoint Certificate store (Optional)
Open Manage Computer Certificates on Windows Server 2012, go to the SharePoint node and then right click All Tasks >> Import...
Click Next, specify the location of the certificate exported in the previous step and then click Next.
Make sure the certificate store is SharePoint, click Next and then Finish (Exported).
Step 3: Add Self Signed Certificate to trust management in Central Administration (Optional)
Go to Central Administration >> Security >> Manage Trust (to tell SharePoint to trust this certificate as well).
Click New.
Add a name, specify the location of the certificate and click OK.
Step 4: Configure IIS Binding
Go to IIS Manager, choose your web application and then click Bindings in the Actions pane.
Click Add...
Type: https
SSL Certificate: SharePointSelfSignedCert (created previously).
Click OK.
Step 5: Configure AAM
Go to Central Administration >> Alternate Access Mappings and choose your web application.
Click Edit Public URLs and then add the HTTPS URL.
Click Save.
Now try to browse your website with the HTTPS URL.
Notes
1. If you add the self-signed certificate to Trusted Root Certification Authorities on the client PC, the certificate error or warning in the browser will disappear.
2. On production servers you need to use a valid certificate, and in this case you need to import a PKCS#12 (PFX) formatted certificate.
3. Sometimes you need tools to convert the certificate to .pfx format, like OpenSSL or the DigiCert Certificate Utility SSL tools.
4. It's recommended to disable "Allow this certificate to be exported" to make it difficult to extract it from the server.
Redirect from HTTP to HTTPs
It's not enough to enable HTTPS; you also need to force users to use HTTPS. First you need to install the IIS URL Rewrite extension on all SharePoint web servers (front-end servers); follow this URL to install the extension:
http://www.iis.net/downloads/microsoft/url-rewrite
Then go to the web application's web.config and add the following section under <system.webServer>:
<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
    </rule>
  </rules>
</rewrite>
Note
Because of the redirection round trip, we still have a minor vulnerability: the first request is open to a MITM attack before the redirection takes place. For this issue we will see how the HSTS response header can mitigate the risk.
Server Name Indication (SNI)
This is a new extension to the TLS protocol, enabled in IIS 8, that allows IIS 8 to host multiple SSL websites and certificates on a single IP address based on the host headers.
Let me give you a real example. Assume that we have two web applications as follows:
https://intranet.domain.com = host for the Intranet SharePoint web application
https://*.apps.intranet.domain.com = host for SharePoint Apps
In this case you need two certificates: one for the intranet portal with the SNI name intranet.domain.com, and a wildcard certificate for the SharePoint Apps, because each time a user adds a SharePoint App from the SharePoint store it is assigned a specific prefix subdomain, for example app-432524352345.apps.intranet.domain.com.
Before the SNI extension you needed two IPs, one for each certificate, but with SNI the client sends the hostname when establishing the connection with the server, so you can use one IP address with multiple different certificates.
Note
Windows XP and some Android versions don't support it.
HTTP and HTTPs in AAM
If a user logs in with the HTTPS URL and is then redirected to HTTP, the browser will ask the user to log in again with the HTTP URL (always use HTTPS).
How to fix it:
Go to Central Administration
Open Alternate Access Mappings (AAM)
Select your web application from the dropdown menu at the top right
Click Edit Public URLs and remove the HTTPS URL
Click Add Internal URLs, add the HTTPS URL and select the same zone as the HTTP URL
Notes
1. It's recommended to have only an HTTPS zone if you want to publish your website with HTTPS only.
2. The above case may be valid if you configure HTTPS on the load balancer only and then internally want to access the site as HTTP.
SSL Server Test
The SSL/TLS protocol, like other frameworks, has features, extensions and also bugs. Installing and configuring your website with HTTPS is not enough, because you could have an HTTPS website that in reality behaves like an HTTP website, for example because the certificate uses weak hashing or encryption, or because you didn't disable old protocols that are nowadays considered insecure.
"Qualys SSL Labs" has many important projects, and one of them is "SSL Server Test", which performs the following testing steps:
1. Validating the certificate
2. Validating the server configuration, including
a. Protocol support
b. Key exchange support
c. Cipher support
According to the above test steps, it grades your website as follows:
Server certificate testing includes the following issues:
- Domain name mismatch
- Certificate not yet valid
- Certificate expired
- Use of a self-signed certificate
- Use of a certificate that is not trusted (unknown CA or some other validation error)
- Use of a revoked certificate
- Insecure certificate signature (MD2 or MD5)
- Insecure key
Protocol support testing includes the following issues:
- Check which SSL/TLS protocols are enabled
o SSL v2, v3, TLS 1.0, TLS 1.1 and TLS 1.2
At least make sure to disable SSL v2 and v3, because these protocols are considered insecure and have many weaknesses and vulnerabilities like the POODLE attack.
Key exchange testing includes the following issues:
- Key exchange without authentication
- Weak key exchange procedure
Cipher strength testing checks whether the symmetric cipher is weak or strong and also checks the key length.
You can find more about SSL Server rating and testing in the references section of this document.
To test your HTTPS implementation, go to https://www.ssllabs.com/ssltest/ , add your domain name in the textbox and click Submit.
Because most Certificate Authorities (CAs) try to enhance the security controls on their certificates and stop using weak ciphers, they update their certificates with strong encryption and hashing. So, when you have an updated certificate, most of the issues that appear belong to the SSL protocol settings on the Windows servers.
Let us see the results for two websites.
This is the first website, with the right implementation (not 100%):
The certificate testing part was valid and the certificate is updated with secure ciphers.
The SSL protocols testing part shows support for the secure protocols only; SSLv2 and v3, which are considered insecure, are disabled.
Let us see the second website, with misconfigured SSL protocols:
As the above result shows, this website has the following issues:
- This server supports SSL 2, which is obsolete and insecure. Grade set to F.
- This server is vulnerable to the POODLE TLS attack. Patching required. Grade set to F.
- This server uses SSL 3, which is obsolete and insecure. Grade capped to B.
- The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
- This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
- The server does not support Forward Secrecy with the reference browsers.
We can summarize these issues into 3 points; if we fix these 3 points we will pass the test assessment with grade "A", and the fixes are very easy.
The reason for these issues is that the Windows server still supports or accepts connections using the old protocols, SSL v2 and v3, which are deprecated and have many vulnerabilities and issues like the POODLE attack. In addition, the server supports weak encryption ciphers like RC4, which is considered insecure.
Disable these old protocols and weak ciphers, which are configured in the registry under this key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
You can follow these steps to disable SSL v2 and v3:
1. Open regedit.
2. In Registry Editor, locate the following registry key/folder:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
3. Right-click on the SSL 2.0 folder, select New and then click Key. Name the new folder Server.
4. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
5. Enter Enabled as the name and hit Enter.
6. Ensure that it shows 0x00000000 (0) under the Data column.
7. Now to disable SSL 3.0, right-click on the SSL 3.0 folder, select New and then click Key. Name the new folder Server.
8. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
9. Enter Enabled as the name and hit Enter.
10. Ensure that it shows 0x00000000 (0) under the Data column.
11. Restart the computer.
The RC4 cipher can be completely disabled on Windows platforms by setting the "Enabled" (REG_DWORD) entry to the value 00000000 in the following registry locations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
Then restart the servers.
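The regedit steps above are easy to get wrong across a farm, so here is a PowerShell version of the same change. This is an added example, not the whitepaper's own script and not the third-party ps1 it goes on to recommend; the function names are mine. It writes exactly the values described above (Enabled = 0 under Protocols\SSL 2.0\Server, Protocols\SSL 3.0\Server and the three Ciphers\RC4 keys) and adds DisabledByDefault = 1 for the protocol keys, which the whitepaper does not mention. It deliberately uses the .NET registry API instead of New-Item/Set-ItemProperty, because the PowerShell registry provider treats the "/" in "RC4 128/128" as a path separator and cannot create those keys by name. It assumes an elevated PowerShell session on each web server and a reboot afterwards.

```powershell
# Added example (not from the whitepaper): apply the SCHANNEL registry settings
# described above and report the resulting state. Function names are mine.
# Assumptions: elevated PowerShell on each SharePoint web server; reboot afterwards;
# DisabledByDefault is recognised on Windows Server 2008 R2 and later.

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# The keys listed in the whitepaper, relative to the SCHANNEL key.
$SubKeysToDisable = @(
    'Protocols\SSL 2.0\Server',
    'Protocols\SSL 3.0\Server',
    'Ciphers\RC4 128/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128'
)

function Backup-SchannelKey {
    # Exports the whole SCHANNEL key to a .reg file before anything is changed.
    param([string]$Path = (Join-Path $env:TEMP ("SCHANNEL-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))))
    & reg.exe export "HKLM\$SchannelPath" $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $Path
}

function Get-SchannelEnabled {
    # Returns the "Enabled" DWORD for a sub key, or $null when the key or value is absent
    # (in which case the Windows default for that protocol or cipher applies).
    param([Parameter(Mandatory)][string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelPath\$SubKey")
    if ($null -eq $key) { return $null }
    try { return $key.GetValue('Enabled', $null) } finally { $key.Close() }
}

function Disable-SchannelSubKey {
    # Creates the key if it is missing and sets Enabled = 0 (REG_DWORD), as in steps 3-6 above.
    param([Parameter(Mandatory)][string]$SubKey)
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SchannelPath, $true)
    if ($null -eq $root) { throw "HKLM\$SchannelPath not found" }
    try {
        # CreateSubKey opens an existing key or creates the whole path; unlike the
        # PowerShell provider, it does not read "/" in "RC4 128/128" as a separator.
        $key = $root.CreateSubKey($SubKey)
        try {
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            # Protocol keys also carry DisabledByDefault; setting it to 1 is the usual
            # companion value and goes beyond what the whitepaper lists (assumption).
            if ($SubKey -like 'Protocols\*') {
                $key.SetValue('DisabledByDefault', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
            }
        } finally { $key.Close() }
    } finally { $root.Close() }
}

function Get-SchannelReport {
    # Audit view: one row per key with the value currently stored.
    foreach ($sub in $SubKeysToDisable) {
        $enabled = Get-SchannelEnabled -SubKey $sub
        $state = if ($enabled -eq 0) { 'disabled' } else { 'enabled or Windows default' }
        [pscustomobject]@{ SubKey = $sub; Enabled = $enabled; State = $state }
    }
}

# Usage (elevated):
#   Get-SchannelReport                                              # before
#   $backup = Backup-SchannelKey; "Backup written to $backup"
#   $SubKeysToDisable | ForEach-Object { Disable-SchannelSubKey -SubKey $_ }
#   Get-SchannelReport                                              # after: every row reads Enabled = 0
#   Restart-Computer                                                # SCHANNEL reads these keys at start-up
```

Run Get-SchannelReport once before and once after the change so the ticket has evidence of both states; the values only take effect after the reboot, which is why the whitepaper's step 11 and the RC4 paragraph both end with a restart.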
In addition, you can use free tools like IIS Crypto, or a script that helps you automate the process. I suggest the following PowerShell script, which helps you disable these protocols and weak ciphers.
Visit this URL https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12 , then download the recommended ps1 file and run it on the web servers.
Notes
1. Take a backup of the registry before running the above scripts.
2. POODLE TLS attack according to Wikipedia:
"The POODLE attack (which stands for "Padding Oracle on Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages."
3. Forward Secrecy according to Ivan Ristić:
"With forward secrecy, every connection to your site is individually protected, using a different key. Without forward secrecy, the security of all connections effectively depends on the server's private key. If that key is ever broken or stolen, all previous communication can be decrypted."
Mixed Content Mode
Again, the fact that the website has a valid HTTPS certificate doesn't mean that you can exchange secure sessions safely.
If you see one of the above indicators in your browser, the current website has an issue called "Mixed Content Mode", which gives an attacker the possibility of stealing your session by sniffing the HTTP traffic, because the cookie is attached to every request, including the images and JavaScript files, along with the HTTPS requests.
The fix for this issue is to make sure there is no HTTP content in your page and that it only deals with HTTPS requests.
Note
Sometimes we have to go with Mixed Content Mode because of third parties that may only support HTTP, so be aware of this risk and make sure to only transmit your sensitive data through secure channels.
HTTPs on Login Page only
Some developers follow the very bad practice of serving their website's performance by only implementing HTTPS on the login page and then redirecting the user to HTTP communication.
In this way they prevent the username and password from being sniffed, but the attacker can still use the token, which in most cases is stored in a cookie or as a value in a header.
A tool like Fiddler, or the built-in web developer tools in browsers like Chrome, can help you recognize this issue: try to log in to any forms authentication website and copy the Auth cookie value (the name of the cookie can vary).
Then open a new session without logging in to the website, open the console window in the Chrome browser and run this command: document.cookie="FedAuth=[cookie Value]"
Refresh the page; you are now logged in to the website without needing to know the username or password.
Secure cookies
Make sure to use secure cookies if you have sensitive data stored in cookies, like the Auth cookie in forms or identity authentication.
To make sure the cookie is only transmitted over HTTPS channels, even if the website supports HTTP connections, set the following attribute in the web application's web.config.
You can check whether the cookie is secure by using Chrome's web developer tools and checking the "Secure" column.
HTTPOnly cookies
In general, it's always recommended to set the HttpOnly attribute on cookies to prevent XSS script risks against these cookies, like the Auth Token cookie, which could otherwise be used in hijacking and other attacks.
In SharePoint, if you are using forms authentication, by default SharePoint flags the Auth Token cookie with HttpOnly, but some cookies in SharePoint are not flagged with HttpOnly, like "wss_keepsessionauthenticated".
Add this setting to the web application's web.config:
<system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
Notes
1. Also, use requireSSL="true" with the other cookies to make sure these cookies are transmitted over secure channels.
2. If you have cookies that need to be accessed by JavaScript, then explicitly flag these cookies without the HttpOnly flag, or consider using HTML5 local storage.
3. Avoid URI-based cookies and make sure to use cookieless="UseCookies".
4. It will cause an error when you are creating out-of-the-box SharePoint workflows, so in this case it's better to extend the site and only apply it on the extended site.
HSTS
Using HTTP Strict Transport Security (HSTS) forces the browser to browse the site over HTTPS for a certain time (based on the max-age value) without needing a redirection response from the server, so the risk of the HTTP-to-HTTPS redirection is minimized (minimized, not removed, because the first request still goes to the server, and only then, based on the returned response header, is the policy applied in the client browser).
Also, this header prevents the user from clicking through the warning shown by the browser when the certificate is invalid due to expiry, a self-signed certificate or other reasons.
Try opening the Google search engine with an invalid certificate and check the behavior of the browser.
The disadvantage of this header is that it is not supported in all browsers, and once you use it, users can't return to HTTP until the time expires or the user removes it from the browser explicitly. But you can still consider it an additional defense for your website and a security enhancement.
To add HSTS to your website, you can follow these steps:
1. Open IIS and go to your site.
2. Double-click HTTP Response Headers.
3. In the HTTP Response Headers pane, click Add... in the Actions pane.
4. In the Add Custom HTTP Response Header dialog box, enter:
   Name: Strict-Transport-Security
   Value: max-age=31536000 (in seconds = 365 days)
Notes
1. You can include the includeSubDomains parameter to also cover new or existing subdomains, but again be careful: these subdomains must then be browsed over HTTPS.
2. You can use the preload parameter to have your website included in Google's preload list (this solves the first-request issue, so that even the first connection is secure).
3. This header will improve performance because the HTTP-to-HTTPS redirection (301 redirect request) is gone.
4. Implementing this header will increase your grade in the "SSL Server Test" by Qualys SSL Labs.
You can find more security headers, like HTTP Public Key Pinning and others, at the following URL:
https://scotthelme.co.uk/hardening-your-http-response-headers/
End to End Secure Channels
If a certain website uses HTTPS and shows the green HTTPS icon, this does not mean the website has implemented secure channels end to end, because in some cases these websites only implement HTTPS up to the load balancer and forward the internal requests over HTTP communication.
It's recommended to use end-to-end HTTPS, including internal communication. This may make managing these servers or certificates more complex, but it is more secure against internal hijacking or sniffing activities.
Extended Validation Certificate (EV)
It's highly recommended for high-security and valuable websites to use this kind of certificate. It has some special confirmation processes, but it gives the user more trust, especially for websites like banks.
You can tell whether a website has this kind of certificate from the address bar, which shows the organization name in green as in the image below.
Performance vs. Security
The answer to this question is in the title of this post: "TLS has exactly one performance problem: it is not used widely enough."
https://istlsfastyet.com/?utm_source=wmx_blog&utm_medium=referral&utm_campaign=tls_en_post
100% security coverage
Nothing is perfect in security terms. Even if your implementation is perfect, you still have many risks, like:
- New SSL/TLS errors or known vulnerabilities.
- Your data travels across many hops in many countries; even if it's encrypted, passive attacks can capture it to be useful in the future when the encryption is broken.
- Many cases of compromised Certificate Authorities, like DigiNotar.
- Delays in propagating revocation information lists.
- Tricking the CA into issuing a certificate, as happened with VeriSign or Thawte.
- ... and the list goes on.
Recommended Reference
Bulletproof SSL and TLS book by Ivan Ristić
https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
References
1. https://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html
2. https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf
3. https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf
4. http://www.troyhunt.com/2015/06/understanding-http-strict-transport.html
Response Headers
A lot of information can be found in the response headers, which can help an attacker build a profile of your website and then search for common public issues on websites like the "National Vulnerability Database" https://web.nvd.nist.gov/view/vuln/search or others, or for zero-day attacks.
We can categorize them by the following headers:
Version Disclosure (ASP.NET)
Again, this information could be helpful in the hacking phase, but it doesn't mean your website will be exploited.
To remove this header, you can follow these steps:
Add this attribute inside the <system.web> element in the web application's web.config:
<httpRuntime enableVersionHeader="false" />
ASP.NET Identified
To remove this header, you can follow these steps:
Add this setting inside the <system.webServer> element in your web application's web.config:
<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>
Version Disclosure (IIS)
To remove this header, you can follow these steps:
Create a custom HTTP module as follows:
using System;
using System.Web;

namespace MyNamespace
{
    // Removes the IIS "Server" header just before the response headers are sent.
    public class HttpHeadersCleanup : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += PreSendRequestHeaders;
        }

        private static void PreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpContext.Current.Response.Headers.Remove("Server");
        }

        public void Dispose()
        {
        }
    }
}
Then add this setting to the web application's web.config:
<system.webServer>
  <modules>
    <add name="HttpHeadersCleanup" type="MyNamespace.HttpHeadersCleanup, MyAssembly" />
  </modules>
</system.webServer>
Version Disclosure (SharePoint)
The most important one is MicrosoftSharePointTeamServices. It's not recommended to remove this header; it's better to accept the risk in this case, because removing this header will affect SharePoint search crawling and other features like InfoPath.
Note
In this case, it's better to extend the web application: keep the default website for crawling and use the extended web application for anonymous access with limited features, so that you can remove this header there by adding the setting to that web application's web.config.
Check this KB article: https://support.microsoft.com/en-us/kb/2728313
Clickjacking
Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
The easiest fix for this risk is to add the X-Frame-Options header to the HTTP response, but remember that this header is not supported in all browsers.
To configure IIS to add an X-Frame-Options header to all responses for a given website, follow these steps:
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
3. Double-click the HTTP Response Headers icon in the feature list in the middle.
4. In the Actions pane on the right side, click Add.
5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
6. Click OK to save your changes.
Note
By default, SharePoint 2013/2016 is configured with this response header.
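The cookie flags, the HSTS header, the version-disclosing headers and X-Frame-Options described in the sections above can be checked together from one captured response. The following Python script is an added example, not code from the whitepaper; the response block it parses is constructed, and the header and cookie names it looks for are the ones named in the text.

```python
"""Audit the security headers of a SharePoint/IIS response.

Added example (not from the whitepaper, SharePoint or IIS). It checks
Secure/HttpOnly on the FedAuth and wss_keepsessionauthenticated cookies,
Strict-Transport-Security with a max-age of at least one year,
X-Frame-Options, and version disclosure via Server, X-Powered-By and
X-AspNet-Version. SAMPLE_RESPONSE is constructed; replace it with a
header block captured with Fiddler or the browser developer tools.
"""
import re

ONE_YEAR = 31536000  # max-age in seconds recommended by the whitepaper

# Constructed sample response that still carries every weakness discussed.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 15.0.0.4420
Set-Cookie: FedAuth=CONSTRUCTED_TOKEN_VALUE; path=/
Set-Cookie: wss_keepsessionauthenticated=12345; path=/; secure
X-Frame-Options: SAMEORIGIN
"""


def parse_headers(raw):
    """Split a raw header block into (status line, [(lower-case name, value)])."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers, body follows
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookies(headers, sensitive=("fedauth", "wss_keepsessionauthenticated")):
    """Flag sensitive cookies that are set without the Secure or HttpOnly flag."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip().lower()
        if cookie_name not in sensitive:
            continue
        # Attribute names after the first "name=value" pair, case-insensitive.
        attrs = {p.strip().split("=", 1)[0].lower() for p in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: missing Secure (would be sent over HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: missing HttpOnly (readable via document.cookie)")
    return findings


def audit_hsts(headers):
    """Require Strict-Transport-Security with max-age >= one year."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["Strict-Transport-Security header missing"]
    match = re.search(r"max-age\s*=\s*(\d+)", values[0], re.IGNORECASE)
    if not match:
        return ["Strict-Transport-Security present but max-age missing"]
    if int(match.group(1)) < ONE_YEAR:
        return [f"Strict-Transport-Security max-age {match.group(1)} is below one year"]
    return []


def audit_clickjacking(headers):
    """Require X-Frame-Options DENY or SAMEORIGIN."""
    values = [v.strip().upper() for n, v in headers if n == "x-frame-options"]
    if not values:
        return ["X-Frame-Options header missing (clickjacking)"]
    if values[0] not in ("DENY", "SAMEORIGIN"):
        return [f"X-Frame-Options has unexpected value {values[0]}"]
    return []


# Headers that disclose platform versions, with the whitepaper's fix for each.
DISCLOSURE = {
    "server": "remove it with a custom HTTP module",
    "x-powered-by": "remove it with <customHeaders><remove name=\"X-Powered-By\" />",
    "x-aspnet-version": "set <httpRuntime enableVersionHeader=\"false\" />",
}


def audit_disclosure(headers):
    """Report version-disclosing headers; MicrosoftSharePointTeamServices is
    reported as informational only, since the whitepaper accepts that risk."""
    findings = []
    for name, value in headers:
        if name in DISCLOSURE:
            findings.append(f"{name}: {value} ({DISCLOSURE[name]})")
        elif name == "microsoftsharepointteamservices":
            findings.append(f"{name}: {value} (informational, accepted risk)")
    return findings


def audit(raw):
    """Run every check on a raw response and return the list of findings."""
    _, headers = parse_headers(raw)
    return (audit_cookies(headers) + audit_hsts(headers)
            + audit_clickjacking(headers) + audit_disclosure(headers))
```

Running audit(SAMPLE_RESPONSE) on the constructed sample reports eight findings; a hardened SharePoint response should produce only the informational MicrosoftSharePointTeamServices line.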
ViewState is not encrypted
SharePoint doesn't use ViewState to store any sensitive data such as user tokens, so just give your security department the justification that ViewState is required in SharePoint because it's built on top of ASP.NET Web Forms.
Note
In case you have custom code using ViewState, make sure to avoid storing sensitive data in ViewState, because it's readable: it is only base64 encoded. If you do use it, make sure to enable encryption and MAC validation for integrity.
Try using an ASP.NET ViewState decoder: copy any __VIEWSTATE value from the HTML source code, then decode the string.
Sensitive resources
For an anonymous SharePoint website, it's better to prevent users from accessing sensitive resources which may disclose critical information or grant the user access to admin pages, such as the SharePoint application pages under the _layouts folder, like /_layouts/viewlsts.aspx.
Accessing the _layouts/ folder
By default, the Publishing SharePoint site template comes with a feature called "ViewFormPagesLockDown" enabled, which prevents anonymous users from accessing application pages. If it's disabled, you can activate it with the following command:
Enable-SPFeature ViewFormPagesLockDown -Url http://yourSite
_vti_inf.html, _vti_bin, _vti_pvt and _vti_bin/spsdisco.aspx
If your SharePoint application is anonymously accessible, then it's recommended to consider implementing authorization rules to restrict access to web services or resources under _vti_bin, _vti_pvt, _vti_bin/spsdisco.aspx ... to at least prevent an attacker from accessing these resources to gain information like the SharePoint version or FrontPage configuration information, etc.
Add these rule settings to the web application's web.config:
<location path="_vti_inf.html">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="_vti_pvt">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="_vti_bin">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Web.config configurations
We can categorize them by the following sections:
Stack Trace and Errors Disclosure (ASP.NET)
It's recommended to stop disclosing information through unhandled errors, trace and debug output. With a few easy steps, you can prevent leaking this information, which might help an attacker gain more information and focus on the development of further attacks. Also, some of these settings, like the debug setting, help improve website performance.
Change these settings in the web application's web.config file:
- Set <customErrors mode="On" /> in web.config
- Remove the <trace> element or set <trace enabled="false" /> (it is not enabled by default)
- Set <compilation debug="false" />
- Set CallStack="false" on the <SafeMode> element
Also do the same in the web.config file under the _layouts folder.
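The settings listed in this section, together with the httpCookies, cookieless, enableVersionHeader, maxRequestLength and ViewState MAC settings from the earlier sections, can be audited from the web.config file itself. The following Python script is an added example, not the whitepaper's or Microsoft's code; both web.config fragments are constructed, and the ASP.NET defaults it assumes for absent attributes are noted in the CHECKS table.

```python
"""Audit a SharePoint web application's web.config for the hardening
settings discussed in this whitepaper (custom errors, trace, debug,
SafeMode CallStack, httpCookies, cookieless, version header, request
length and ViewState MAC). Added example, not code from the whitepaper
or Microsoft; the two web.config samples below are constructed, and the
defaults assumed for absent attributes are listed in CHECKS.
"""
import xml.etree.ElementTree as ET

# Constructed web.config fragment carrying the weak values.
WEAK_WEB_CONFIG = """<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="true" />
  </SharePoint>
  <system.web>
    <customErrors mode="Off" />
    <trace enabled="true" />
    <compilation debug="true" />
    <httpRuntime executionTimeout="999999" maxRequestLength="2097151" />
    <httpCookies httpOnlyCookies="false" />
    <authentication mode="Forms">
      <forms cookieless="AutoDetect" />
    </authentication>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# The same fragment with every setting corrected as the whitepaper advises.
HARDENED_WEB_CONFIG = """<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="false" />
  </SharePoint>
  <system.web>
    <customErrors mode="On" />
    <trace enabled="false" />
    <compilation debug="false" />
    <httpRuntime executionTimeout="999999" maxRequestLength="51200" enableVersionHeader="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <forms cookieless="UseCookies" />
    </authentication>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>
"""

# (element path under <configuration>, attribute, accepted values,
#  value ASP.NET assumes when the attribute is absent, finding text)
CHECKS = [
    ("system.web/customErrors", "mode", ("On", "RemoteOnly"), "RemoteOnly",
     "customErrors mode should be On (RemoteOnly also hides errors from remote users)"),
    ("system.web/trace", "enabled", ("false",), "false", "trace should be disabled"),
    ("system.web/compilation", "debug", ("false",), "false", "compilation debug should be false"),
    ("SharePoint/SafeMode", "CallStack", ("false",), "false", "SafeMode CallStack should be false"),
    ("system.web/httpCookies", "httpOnlyCookies", ("true",), "false", "httpCookies httpOnlyCookies should be true"),
    ("system.web/httpCookies", "requireSSL", ("true",), "false", "httpCookies requireSSL should be true"),
    ("system.web/httpRuntime", "enableVersionHeader", ("false",), "true", "httpRuntime enableVersionHeader should be false"),
    ("system.web/authentication/forms", "cookieless", ("UseCookies",), "UseDeviceProfile", "forms cookieless should be UseCookies"),
    ("system.web/pages", "enableViewStateMac", ("true",), "true", "pages enableViewStateMac should be true"),
]

MAX_REQUEST_KB = 51200  # the whitepaper's web application value (50 MB)


def get_attr(root, path, attr, default):
    """Attribute of the element at `path`, or the assumed default if absent."""
    element = root.find(path)
    return element.get(attr, default) if element is not None else default


def audit_web_config(xml_text):
    """Return one finding per weak or missing setting; [] means hardened."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, attr, accepted, default, text in CHECKS:
        actual = get_attr(root, path, attr, default)
        if actual.lower() not in {a.lower() for a in accepted}:
            findings.append(f"{text} (found {actual!r})")
    length_kb = int(get_attr(root, "system.web/httpRuntime", "maxRequestLength", "4096"))
    if length_kb > MAX_REQUEST_KB:
        findings.append(f"httpRuntime maxRequestLength {length_kb} KB exceeds {MAX_REQUEST_KB} KB")
    return findings
```

To audit a real file, pass the contents of the web application's web.config (and the one under _layouts) to audit_web_config; the weak sample yields ten findings and the hardened one none.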
Validation Request
Request validation, a feature in ASP.NET since version 1.1, prevents the server from accepting content containing un-encoded HTML. This feature is designed to help prevent some script-injection attacks whereby client script code or HTML can be unknowingly submitted to a server, stored, and then presented to other users.
SharePoint, like other .NET content management systems, has a lot of places where rich text needs to be submitted to the server. By default, Microsoft disables ValidateRequest in web.config, and if you try to enable it then you will not be able to create pages with HTML content. In this case, you need to accept the risk and keep this feature disabled, but you need to take care of your SharePoint and make sure it's patched with up-to-date fixes, and if you have custom code, make sure to validate and encode the input on both the client and server sides using libraries like AntiXSS and others.
Patching
SharePoint is prone to exploitation as new threats are discovered, so there is a need to fix vulnerabilities and security problems.
SharePoint patches come in three forms:
1. Service Pack: includes previous and new fixes and may also add new features.
2. Cumulative Update (CU): includes fixes that have been reported by customers in the context of support cases (monthly release).
3. Hotfix, Public Update or Quick Fix Engineering (QFE): includes security fixes or fixes for problems affecting a certain customer.
The patching process needs to be planned, and it will bring your farm down, so it's recommended to have a backup or Disaster Recovery farm.
Some tips to consider when patching your SharePoint farm:
- Stop Automatic Windows Update on the SharePoint and SQL servers.
- Check for updates and fixes from these sites:
  http://blogs.technet.com/b/stefan_gossner/ and https://technet.microsoft.com/library/dn789211(v=office.14)
- Check the SharePoint build version on these sites:
  o SharePoint 2010: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=224
  o SharePoint 2013: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=346
  o SharePoint 2016: http://www.toddklindt.com/blog/Builds/SharePoint-2016-Builds.aspx
- Check this blog, which provides good articles related to patching:
  http://blogs.msdn.com/b/sambetts/archive/tags/patching/
- To patch SharePoint 2016 with zero downtime you need to fulfill specific conditions; for more information see https://fabdulwahab.com/2018/01/11/recommendations-for-patching-sharepoint-2016/
- Check the SharePoint version using PowerShell: (Get-SPFarm).BuildVersion
- Notify your users, because the patching will take SharePoint down.
- Test the patching in a test farm before going live (consider using virtual machines; the test farm does not need to be identical to the production servers).
- Documentation of the SharePoint farm and a rollback plan.
  o You can use this PowerShell script https://gallery.technet.microsoft.com/office/Inventory-SharePoint-Farm-dc11fc28/view/Discussions or other scripts on the CodePlex site to document your SharePoint farm.
- Identify the maintenance window.
- Test the farm after the patching process.
- Monitor it.
ASP.NET Security Vulnerabilities
Any security vulnerability that applies to ASP.NET also applies to SharePoint, because SharePoint is built on top of the ASP.NET framework.
These are some of the common security vulnerabilities:
1. Padding oracle vulnerability (ASP.NET v1.0 to v3.5): most probably this vulnerability exists in non-patched SharePoint 2010 and older versions.
   To learn about this vulnerability you can check http://weblogs.asp.net/scottgu/important-asp-net-security-vulnerability or http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
   To avoid this issue, update your SharePoint with the latest CU to address this and other issues, or install the direct fix from https://technet.microsoft.com/library/security/ms10-070
2. Hash DoS vulnerability (resolved with the release of .NET 4.5): allows an attacker to make a POST request with a very large number of parameters constructed to cause hash collisions when parsed by ASP.NET.
   To learn about this vulnerability you can check http://www.troyhunt.com/2011/12/has-hash-dos-patch-been-installed-on.html
   To avoid this issue, update your SharePoint with the latest CU to address this and other issues, or install the direct fix https://technet.microsoft.com/library/security/ms11-100
Persistent XSS flaw in SharePoint 2013
This particular vulnerability, CVE-2015-2522, is caused by insufficiently sanitizing user-supplied input in a number of input points like notes, keywords, and comments.
For more details, you can check this link:
http://blog.fortinet.com/post/sharepoint-2013-xss-vulnerability-discovered
To avoid this issue, update your SharePoint with the latest CU to address this and other issues.
Note
Only SharePoint 2013 with build version 15.0.4571.1502 and earlier needs to be updated to avoid this XSS risk.
SharePoint configurations
We can categorize them by the following sections:
Secure SharePoint's Components
Secure the host operating system and the other servers, like Active Directory, SQL Server and IIS, because SharePoint depends on these components heavily and any misconfiguration or weakness in these components could break your SharePoint farm.
You can find CIS benchmark documents for each of these components at this URL:
http://benchmarks.cisecurity.org/
Plan for administrative and service accounts in SharePoint
To install SharePoint 2013, you have to have appropriate administrative and service accounts on the servers running SharePoint 2013 and SQL Server, and make sure you are applying the least privilege principle.
General good practices to consider:
- Verify least-privileged permissions; for example, the Setup account doesn't need to be a domain administrator or belong to the SQL Server local administrators group.
- Use a separate domain user account, especially for services that are shared between more than one web application, like Search or User Profile, for services that connect to external sources, like Excel Services, and for application pools.
- Avoid built-in service accounts like Local Service or Network Service and use a least-privileged service account.
- Because Forefront Identity Manager is removed from SharePoint Server 2016, the farm service account no longer requires Local Administrator rights on any SharePoint server.
- The Claims to Windows Token Service account is now the only account that continues to require Local Administrator rights (only on servers running the C2WTS service).
Plan for administrative and service accounts in SharePoint 2013
https://technet.microsoft.com/en-us/library/cc263445.aspx
Plan for administrative and service accounts (SharePoint Server 2010)
https://technet.microsoft.com/en-us/library/cc263445(v=office.14).aspx
Plan for administrative and service accounts (SharePoint Server 2016)
https://technet.microsoft.com/en-us/library/cc263445(v=office.16).aspx
Central Administration Site
There are many best practices for securing the Central Administration site, because you can manage the whole SharePoint farm from this website.
General good practices to consider:
- Don't host it on the front-end or web servers.
- Block external access to the Central Administration site using a firewall.
- Enable Secure Sockets Layer (SSL) on the Central Administration site.
You can find more information on how to configure SSL for the Central Administration site at this URL:
http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx
Manage blocked file types in SharePoint
SharePoint can be configured to disallow uploads that end in specific file extensions. This feature of SharePoint prevents the specified file types from being saved to or retrieved from any site on the server.
The following URL shows the file types that are blocked by default and their corresponding file name extensions: https://technet.microsoft.com/en-us/library/cc262496.aspx
Set Security Validation to On
Enabling security validation reduces the chance that a page will be accessed by an unauthorized user while an authenticated user is absent. This setting forces the user to re-authenticate after a specified inactivity period is exceeded.
By default, this option is On, but make sure to set it to expire after 30 minutes.
Do Not Crawl Sensitive Content
The listing of restricted content in search results can lead to information disclosure. To avoid this issue, make sure to configure the SharePoint list to be excluded from the search results.
Crawl Rules in Search
Some content or pages like http://*allitems.aspx should not be reachable by public users through SharePoint search results, because they could disclose important information.
To avoid this issue, we can create crawl rules to hide them from the search results by creating the following crawl rules:
http://*editform.aspx
http://*dispform.aspx
http://*my-sub.aspx
http://*mod-view.aspx
http://*itemsonhomepage.aspx
http://*thumbnails.aspx
Note
Consider creating crawl rules for sub-sites with limited access, like admin sites or others, so they are protected from anonymous access and crawling.
Default content access account
The SharePoint Search service uses this account for crawling the content. Avoid granting this service account Full Control permission.
To avoid this issue, note that this service account only needs full read access to each web application. Under "User Policy" of a web application, make sure this account has only "Full Read" permission.
Max Upload Document / Max Request length
It's recommended to decrease the amount/size in the "Maximum Upload Size" and "maxRequestLength" settings to limit the impact on load, response time and data capacity on the server, especially in the case of DDoS attacks.
You can follow these steps (make sure these values meet your business requirements):
To set the maximum upload size, follow these steps:
1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Central Administration.
2. Click Application Management.
3. Under SharePoint Web Application Management, click Web application general settings.
4. On the Web Application General Settings page, click the web application that you want to change.
5. Under Maximum upload size, type the maximum file size in megabytes that you want, and then click OK. You can specify a maximum file size up to 2,047 megabytes.
To set the maximum request length, follow these steps:
1. Open the web.config file in Notepad from the following path: Program Files\Common Files\Microsoft Shared\Web server extensions\14\TEMPLATE\LAYOUTS
   Note: 15\TEMPLATE\LAYOUTS in the case of SharePoint 2013
2. Add the value that you want.
<httpRuntime executionTimeout="999999" maxRequestLength="2097151" />
3. Click File, and then click Save.
4. Open the web application's web.config file in Notepad from the following path: Inetpub\wwwroot\wss\VirtualDirectories\VirtualDirectoryFolder
5. Change the following line in the file.
<httpRuntime executionTimeout="999999" maxRequestLength="51200" />
6. Click File, and then click Save.
Health Check
SharePoint Health Analyzer is a feature that enables administrators to schedule regular, automatic checks for potential configuration, performance, and usage problems in the SharePoint server farm.
SharePoint has four health check rules related to security, as follows:
1. Accounts used by application pools or service identities are in the local machine Administrators group.
2. Business Data Connectivity connectors are currently enabled in a partitioned environment.
3. Web Applications using Claims authentication require an update.
4. The server farm account should not be used for other services.
Most of these rules are best practices to be implemented. You can ignore them, but make sure to have a good reason.
1. Fix for point 1: https://technet.microsoft.com/en-us/library/hh344224.aspx
2. Fix for point 2: https://technet.microsoft.com/en-us/library/jj891123.aspx
3. Fix for point 3: https://technet.microsoft.com/en-us/library/ff686815.aspx
4. Fix for point 4: https://technet.microsoft.com/en-us/library/ff805056(v=office.14).aspx
Point 4 is very important and needs to be implemented in the right way. The account used for the SharePoint Timer service and the Central Administration site is highly privileged and should not be used for any other services on any machine in the server farm. In SharePoint Health Analyzer, you may find similar warnings, like "Accounts used by application pools or service identities are in the local machine Administrators group" or others, all related to inappropriately set up service accounts.
To avoid this issue, you have to have appropriate administrative and service accounts on the servers running SharePoint and SQL Server.
Check "Plan for administrative and service accounts in SharePoint 2013"
https://technet.microsoft.com/en-us/library/cc263445.aspx
and "Plan for administrative and service accounts (SharePoint Server 2016)"
https://technet.microsoft.com/en-us/library/cc263445(v=office.16).aspx
Require Use Remote Interfaces permission
It's recommended to prevent anonymous users from accessing the Client Object Model interfaces. When this option is checked, it simply means that the user must possess the Use Remote Interfaces permission, which allows access to SOAP, WebDAV and the Client Object Model.
Enable Client Integration
It's recommended to disable client integration in the case of an anonymous website, but it will effectively block SharePoint from being a useful collaboration tool: it blocks all Office client interaction with SharePoint and also prevents you from working with SharePoint Designer and using the Windows Explorer view.
Note
Don't go with this option unless you have evaluated the client's business requirements and you have extended the SharePoint website to work with SharePoint Designer and other client features.
Separation of duties
Separation of Duties is a security principle in which more than one individual must take part in a single task, to prevent fraud and errors. In the case of anonymous websites this policy can be very important, and it can be applied in SharePoint in many ways, for example:
- Content deployment is a feature in SharePoint that can be used to deploy content from a source website to a destination website. This way you can remove the authentication process from the production server. Also, consider placing the SharePoint production servers in a different zone like a DMZ.
  You can find more information about it at
  https://technet.microsoft.com/en-us/library/cc262004(v=office.14).aspx
- Extending the SharePoint web application to have two IIS websites, one for anonymous access and one for administration, which can be accessible only locally or by certain people with a different authentication process; this also gives you the ability to enable client integration features in a more secure way.
  You can find more information about it at
  https://technet.microsoft.com/en-us/library/cc261698(v=office.14).aspx
SharePoint Anti-Virus
You can configure SharePoint to scan documents on upload or download, because these documents could contain malware. In this case, you need a compatible anti-virus scanner to be hosted in your SharePoint farm. There are many options from Microsoft and other companies. From Microsoft we could use Microsoft Forefront Protection 2010 for SharePoint (FPSP) to scan the documents stored in document libraries and lists for viruses, and optionally attempt to clean infected documents, but this product is discontinued. You can check other products like Symantec Protection for SharePoint, McAfee Security for SharePoint ...
Check this reference for the available options:
http://www.harbar.net/archive/2013/02/22/Antivirus-and-SharePoint-2013.aspx
In addition, from SharePoint Central Administration, you can configure the general settings related to anti-virus.
These settings are as follows:
Scan documents on upload: Specifies whether to scan a file that is being uploaded to the SharePoint server.
Scan documents on download: Specifies whether to scan a file that is being downloaded from the SharePoint server.
Allow users to download infected documents: If enabled, this setting permits the downloading of documents known to be infected.
Attempt to clean infected documents: If enabled, this setting permits the real-time scan to clean infected documents, if possible.
Antivirus Time Out: Modifies how long, in seconds, the real-time scan should run before timing out.
Antivirus Threads: Modifies the number of execution threads that the real-time scan can use.
Windows configurations
We can categorize them by the following sections:
Disable loopback check
When you use the fully qualified domain name (FQDN) or a custom host header to browse a local web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following:
HTTP 401.1 - Unauthorized: Logon Failed
This issue occurs when the web site uses Integrated Authentication and has a name that is mapped to the local loopback address. People work around this issue in the wrong way (even me), because Microsoft considers this check a security feature.
Don't use "DisableLoopbackCheck"; instead, fix it using the following registry key: "BackConnectionHostNames".
To specify the host names that are mapped to the loopback address and can connect to web sites on your computer, follow these steps:
1. Set the DisableStrictNameChecking registry entry to 1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
3. Right-click MSV1_0, point to New, and then click Multi-String Value.
4. Type BackConnectionHostNames, and then press ENTER.
5. Right-click BackConnectionHostNames, and then click Modify.
6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
7. Quit Registry Editor, and then restart the IISAdmin service.
Note
You can go with the "DisableLoopbackCheck" option on development and testing servers.
TCP/IP Ports of SharePoint 2013/2016
List of ports used by SharePoint 2013/2016 and its related services. This table was built by Thomas from his blog http://blog.blksthl.com/2013/02/21/tcpip-ports-of-sharepoint-2013/
Protocol | Port | Usage | Comment
TCP | 80 | http | Client to SharePoint web server traffic (SharePoint – Office Web Apps communication)
TCP | 443 | https/ssl | Encrypted client to SharePoint web server traffic (Encrypted SharePoint – Office Web Apps communication)
TCP | 1433 | SQL Server default communication port | May be configured to use a custom port for increased security
UDP | 1434 | SQL Server default port used to establish connection | May be configured to use a custom port for increased security
TCP | 445 | SQL Server using named pipes | When SQL Server is configured to listen for incoming client connections by using named pipes over a NetBIOS session, SQL Server communicates over TCP port 445
TCP | 25 | SMTP for e-mail integration | Cannot be configured
TCP | 16500-16519 | Ports used by the search index component | Intra-farm only. Inbound rule added to Windows firewall by SharePoint
TCP | 22233-22236 | Ports required for the AppFabric Caching Service | Distributed Cache
TCP | 808 | Windows Communication Foundation communication | WCF
TCP | 32843 | Communication between web servers and service applications | http (default). To use a custom port, see references section. Inbound rule added to Windows firewall by SharePoint
TCP | 32844 | Communication between web servers and service applications | https. Inbound rule added to Windows firewall by SharePoint
TCP | 32845 | net.tcp binding: TCP 32845 (only if a third party has implemented this option for a service application) | Custom service applications. Inbound rule added to Windows firewall by SharePoint
TCP | 32846 | Microsoft SharePoint Foundation User Code Service (for sandbox solutions) | Inbound on all web servers. Inbound rule added to Windows firewall by SharePoint. Outbound on all web and app servers with the service enabled.
TCP | 5725 | User Profile Synchronization Service (FIM) | Synchronizing profiles between SharePoint 2013 and Active Directory Domain Services (AD DS) on the server that runs the Forefront Identity Management agent. SharePoint 2013 only
TCP + UDP | 389 | User Profile Synchronization Service (FIM) | LDAP service. SharePoint 2013 only
TCP + UDP | 88 | User Profile Synchronization Service (FIM) | Kerberos. SharePoint 2013 only
TCP + UDP | 53 | User Profile Synchronization Service (FIM) | DNS
UDP | 464 | User Profile Service (FIM) | Kerberos change password. SharePoint 2013 only
TCP | 809 | Office Web Apps | Intra-farm Office Web Apps communication
Data Loss Prevention in SharePoint 2016
Microsoft included Data Loss Prevention (DLP) in SharePoint 2016 to identify, monitor, and automatically protect sensitive information in documents across your site collections. It ships with more than 50 built-in sensitive information types, such as credit card numbers and Social Security numbers. DLP queries (run from an eDiscovery Center) show you where such content already lives; DLP policies (created in a Compliance Policy Center) then warn users, send incident reports, or block access to the matching documents.
You can find more information, including how to configure DLP and use it to block sensitive content from reaching the wrong users, at this link:
Overview of data loss prevention in SharePoint Server 2016
https://support.office.com/en-us/article/overview-of-data-loss-prevention-in-sharepoint-server-2016-80f907bb-b944-448d-b83d-8fec4abcc24c
Outgoing SMTP Encryption
SharePoint 2016 can encrypt outgoing e-mail with TLS (TLS 1.2 when the SMTP server supports it). In Central Administration, under Outgoing E-Mail Settings, set the TLS/SSL connection encryption option to Yes; SharePoint 2016 also lets you specify a non-default SMTP port there. Without this, notification e-mails and the document links they contain cross the network in clear text.
Google Hacking
By using advanced search operators in the Google search engine, an attacker can expose sensitive information related to SharePoint, or read it from Google's cache: even if the website owner later added access control to those pages, the copy Google took when it crawled them may still be available.
Attackers use the search engine to reconnoitre your website passively, without sending a single request to it, which keeps them anonymous and invisible to your logs.
Always keep this in mind: "To be secure, keep sensitive data away from public search engines".
Preferences
Before testing SharePoint websites, it is recommended to set a few preferences in the Google search engine.
Go to https://www.google.com.sa/preferences and turn off SafeSearch filters, so that pages with violent or adult content are not hidden from you during the assessment.
Advanced Operators
The following table shows the most common operators used with the Google search engine.
Note
Keywords and terms in a Google search are not case sensitive, except for the "or" operator, which must be written as "OR" to be treated as an operator.
Hacking Your Website
Start with the "site" operator to get results only for your domain or IP address; for example, to get results from the www.microsoft.com domain only.
This search also shows you the highest-ranking pages of your website.
To check whether the domain has subdomains, use this example.
To reduce the number of results, exclude common extensions such as .aspx with this expression.
To search only for specific extension(s), use this example.
To see the cached version of a specific document, click the cache link.
Note
If you open the cache link, any external resources such as images or Flash are requested from the original website; only the text of the page comes from Google.
To keep the request anonymous, copy the cache link without opening it, paste it into another browser tab and append the query string &strip=1 to the URI (text-only version, no external resources), or use an Internet proxy.
Many website owners forget to disable directory browsing, which can disclose information such as the website's folder structure and framework version. Directory browsing is disabled by default in IIS 7 and later.
Try to search for sensitive data inside files such as logs or web.config, for example.
Try to search for application pages under the SharePoint website, such as _layouts/settings.aspx.
Try common titles or text content in SharePoint, such as "All Site Content".
Remember: in this case, SharePoint knowledge is power.
To search for login pages, use this example.
Note
Try several synonyms, such as "Login" and "Logon", and combine them in one search with the OR operator.
Search for sensitive data such as e-mails, accounts and phone numbers by using part of their patterns; for example, to search for e-mail addresses try this example.
Search for the common words used by frameworks, such as "Powered By", or search for common errors related to ASP.NET or SharePoint, for example.
Search for critical words such as password (again, use synonyms), admin or .bak, for example.
Google can also help a session hijacking attack: search for the authentication cookies used by forms-authentication applications (for example the .ASPXAUTH cookie) that have leaked into indexed pages or logs, for example.
Finally, try these tips:
Combine these operators with the site operator to narrow the results.
Exclude the common public resources from your results (.aspx, .doc).
Again, your knowledge of SharePoint is the power behind Google hacking.
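The following is an added example written for this edition (not part of the original whitepaper and not a tool from any of the projects it mentions): it turns the operators above into a reusable query list, so the same reconnaissance pass can be repeated against every SharePoint domain you own. The SharePoint application paths and default page titles it uses come from general SharePoint knowledge, not from this document, and the Google cache URL format used for the &strip=1 trick is an assumption.

```powershell
# Added example (not from the whitepaper): build the Google queries for a
# SharePoint reconnaissance pass from the operators described above.
# Assumptions: the SharePoint paths/titles below are this example's own list of
# well-known SharePoint URLs; the cache URL format in Get-GoogleCacheUrl is assumed.

function Get-SharePointDorks {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # Extensions that only add noise to the result set (the ".aspx" tip above).
        [string[]] $ExcludeExtensions = @('aspx', 'doc', 'docx'),
        # Add a "-inurl:www" query that surfaces subdomains.
        [switch] $IncludeSubdomains
    )

    $site  = "site:$Domain"
    $noise = ($ExcludeExtensions | ForEach-Object { "-ext:$_" }) -join ' '

    $queries = @(
        # Application pages that should never be reachable (or indexed) anonymously.
        @{ Category = 'AdminPages';  Query = "$site inurl:_layouts/settings.aspx" },
        @{ Category = 'AdminPages';  Query = "$site inurl:_layouts/viewlsts.aspx" },
        @{ Category = 'AdminPages';  Query = "$site inurl:_layouts/user.aspx" },
        @{ Category = 'AdminPages';  Query = "$site inurl:_layouts/people.aspx" },
        @{ Category = 'WebServices'; Query = "$site inurl:_vti_bin" },
        @{ Category = 'Galleries';   Query = "$site inurl:_catalogs" },
        # Default SharePoint page titles (the "SharePoint knowledge" the text mentions).
        @{ Category = 'Titles';      Query = "$site intitle:`"All Site Content`"" },
        @{ Category = 'Titles';      Query = "$site intitle:`"Site Contents`"" },
        @{ Category = 'Titles';      Query = "$site intitle:`"Sign in`" OR intitle:`"Log in`" OR intitle:`"Logon`"" },
        # Files that leak configuration, credentials or personal data.
        @{ Category = 'Files';       Query = "$site ext:config OR ext:bak OR ext:log OR ext:old" },
        @{ Category = 'Files';       Query = "$site filetype:xls OR filetype:xlsx intext:password" },
        @{ Category = 'Files';       Query = "$site ext:txt OR ext:csv intext:`"@$Domain`"" },
        # Framework fingerprints and error pages.
        @{ Category = 'Errors';      Query = "$site intext:`"Server Error in '/' Application`"" },
        @{ Category = 'Errors';      Query = "$site intext:`"Microsoft.SharePoint`" intext:`"Exception`" $noise" },
        @{ Category = 'Errors';      Query = "$site intext:`"Powered by`" $noise" },
        # Authentication cookie names that should never appear in indexed content.
        @{ Category = 'Cookies';     Query = "$site intext:`".ASPXAUTH`" OR intext:`"FedAuth`"" }
    )
    if ($IncludeSubdomains) {
        $queries += @{ Category = 'Subdomains'; Query = "$site -inurl:www" }
    }
    $queries | ForEach-Object { [pscustomobject] $_ }
}

# Text-only copy of Google's cached version, fetched from Google rather than
# from the target (the "&strip=1" trick above). The URL format is an assumption.
function Get-GoogleCacheUrl {
    param([Parameter(Mandatory)] [string] $Url)
    $encoded = [uri]::EscapeDataString($Url)
    "https://webcache.googleusercontent.com/search?q=cache:$encoded&strip=1"
}

# Usage:
Get-SharePointDorks -Domain 'contoso.com' -IncludeSubdomains | Format-Table -AutoSize
Get-GoogleCacheUrl -Url 'https://contoso.com/_layouts/settings.aspx'
```

Each query is meant to be pasted into the search box by hand; as the Tools section below notes, submitting them automatically triggers Google's bot detection, so automation needs the official search API and a key.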
Robots.txt configuration
Robots.txt instructs crawlers to allow or disallow crawling of specific paths. The file must be in the root of your website.
The configurations below help the webmaster control how crawlers visit your websites.
Keep in mind that robots.txt is itself public and only advisory: a well-behaved crawler respects it, while an attacker reads it as a list of the paths you consider sensitive. Use it to keep pages out of search indexes, never as an access control.
Caching
To prevent the Google search engine and other crawlers from caching your pages, add this Meta tag to your pages:
<META NAME="ROBOTS" CONTENT="NOARCHIVE">
To prevent only the Google crawler, use this Meta tag:
<META NAME="GOOGLEBOT" CONTENT="NOARCHIVE">
Snippet
To remove the cached page and the text shown as the description in Google results, use this Meta tag:
<META NAME="GOOGLEBOT" CONTENT="nosnippet">
This is good for admin pages or user management pages.
For SharePoint application pages under _layouts, where you do not control the markup, the same directives can be sent as an HTTP response header (X-Robots-Tag: noindex, noarchive) from IIS.
For more information, check this link http://noarchive.net/meta/
No Index
To prevent crawlers from indexing the content of a page, use this Meta tag:
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
Remove Pages from Google's Index
To remove pages that are already in Google's search index, follow the steps at this URI:
https://www.google.com/webmasters/tools/url-removal
Tools
Instead of doing Google hacking manually, there are many free tools that automate the process with a predefined dictionary of queries, which helps to find lists of admin, application or sensitive URIs related to SharePoint.
GHDB
The Google Hacking Database (GHDB) is a source of common queries used with the Google search engine to find sensitive data, vulnerable servers and other disclosed information.
The database is integrated with the Exploit Database, which hosts many exploits that help the tester check web applications against public exploits, identify error messages, and locate sensitive files and logs.
Go to https://www.exploit-db.com/google-hacking-database/
Try to search for queries related to SharePoint.
Look closely at these common queries and try to test them against your own sites.
WIKTO
WIKTO is a Windows-based tool (like NIKTO in Kali Linux) that helps the tester or attacker find vulnerabilities in a website by scanning for common server misconfigurations and unpatched systems. The tool has many features, but the most important one is its ability to locate vulnerabilities by applying queries from the Google Hacking Database (GHDB).
It simply imports the latest GHDB vulnerability list and then runs these queries against the Google search engine to find holes in your website.
Steps
Download it from https://github.com/sensepost/wikto
Open the WIKTO tool
Go to the Google Hacking tab
Click "Load Google Hack Database" to download the latest version of the GHDB to your PC
Wait until you get a confirmation like this
Enter the domain name to test
And click start
It will try the many common patterns that exist in the GHDB
But in my case it didn't work, and I think the reason is that Google prevents such tools from automating search actions against its search engine.
SearchDiggity
Another automated tool that tries to find disclosed information and exposed vulnerabilities by using Google hacking.
This tool is more accurate because it has a predefined dictionary for SharePoint websites, used to hack your SharePoint website through search engines such as Google or Bing.
You can download the tool from http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/
Open the Search Diggity tool
In this case, we will go with Bing hacking: go to the Bing tab
Enter the target site and check SharePoint Diggity on the right side, which has a list of queries applicable to SharePoint websites
Then click the Scan button
Check the output; it tells you how many resources match the queries
To use Google hacking, you need a workaround, because Google blocks this tool from automating the search process.
Let us try the workaround described at this URI
http://www.bishopfox.com/blog/2014/08/searchdiggity-avoid-bot-detection-issues-leveraging-google-bing-shodan-apis/
Go to the Google Developers Console https://code.google.com/apis/console
Enable the API
Then go to Credentials
Choose API Key
I created the API key using the Server option
Enter this key into the Search Diggity tool and then click scan
Check the output; it tells you how many resources match the queries
Note
Bing and Google require an API key to let a user automate the search process. The key is limited to a daily quota and, in some cases, will cost you money.
SHODAN
Use Shodan to discover which of your devices are connected to the Internet, where they are located and who is using them. In this case I will show you how risky response headers are.
Go to https://www.shodan.io/
Enter the following search term: MicrosoftSharePointTeamServices country:US
It returns every website in the US that sends the MicrosoftSharePointTeamServices response header (whose value also reveals the SharePoint build number). You can narrow the results further by Windows or IIS version, because Shodan indexes the Server header as well.
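Both the Google hacking section above (cached copies, missing robots directives, indexed application pages and error text) and the Shodan query just shown come down to what your own server hands out in one anonymous response. The function below is an added example written for this edition (not part of the original whitepaper): it inspects a captured response for those exposures, so you can run it against each of your SharePoint web applications from outside the network. The sample HTML and headers at the end are constructed for the example; Get-PageExposure fetches a live page.

```powershell
# Added example (not from the whitepaper): report what search engines and Shodan
# can learn from one of your pages. Test-PageExposure works on a response that was
# captured or constructed beforehand, so it runs offline; Get-PageExposure fetches
# a live page. The sample at the bottom is constructed, not a real site's response.

function Test-PageExposure {
    param(
        [Parameter(Mandatory)] [string]    $Html,
        [Parameter(Mandatory)] [hashtable] $Headers,   # header name -> value
        [string] $Url = '(constructed)'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Headers that fingerprint the platform (what the Shodan query above matches on).
    foreach ($h in 'MicrosoftSharePointTeamServices', 'X-Powered-By', 'X-AspNet-Version', 'Server', 'SPRequestGuid') {
        $match = $Headers.Keys | Where-Object { $_ -ieq $h } | Select-Object -First 1
        if ($match) { $findings.Add("Fingerprint header exposed: $h = $($Headers[$match])") }
    }

    # 2. Robots directives: absence means the page is indexable, cacheable and snippeted.
    $robotsMeta = [regex]::Matches($Html, '<meta\s+name\s*=\s*"(robots|googlebot)"\s+content\s*=\s*"([^"]*)"', 'IgnoreCase') |
        ForEach-Object { $_.Groups[2].Value }
    $xRobots = ($Headers.Keys | Where-Object { $_ -ieq 'X-Robots-Tag' } | ForEach-Object { $Headers[$_] }) -join ','
    $directives = (($robotsMeta -join ',') + ',' + $xRobots).ToLowerInvariant()
    foreach ($d in 'noarchive', 'noindex', 'nosnippet') {
        if ($directives -notmatch $d) { $findings.Add("Missing robots directive: $d") }
    }

    # 3. Content that marks an administrative or application page in search results.
    if ($Html -match '<title>[^<]*(All Site Content|Site Contents|Site Settings|Sign in)[^<]*</title>') {
        $findings.Add("SharePoint application page title visible: $($Matches[1])")
    }
    if ($Url -match '/_layouts/|/_vti_bin/|/_catalogs/') {
        $findings.Add("Application path served anonymously: $Url")
    }

    # 4. IIS directory browsing leaks the folder layout.
    if ($Html -match '\[To Parent Directory\]|<title>[^<]*Directory Listing') {
        $findings.Add('Directory browsing is enabled')
    }

    # 5. Detailed ASP.NET error text, which Google indexes as a "common error".
    if ($Html -match "Server Error in '/' Application|Stack Trace:") {
        $findings.Add('Detailed ASP.NET error page served (customErrors off)')
    }
    ,$findings.ToArray()
}

# Live wrapper: anonymous request, no redirect following, basic parsing (no IE engine).
function Get-PageExposure {
    param([Parameter(Mandatory)] [string] $Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        $body = $resp.Content
        $headers = @{}
        foreach ($k in $resp.Headers.Keys) { $headers[$k] = [string] $resp.Headers[$k] }
    } catch [System.Net.WebException] {
        # Windows PowerShell throws on 4xx/5xx; the error page body is exactly what we want to inspect.
        $raw = $_.Exception.Response
        if (-not $raw) { return @("No response from $Url") }
        $body = (New-Object System.IO.StreamReader($raw.GetResponseStream())).ReadToEnd()
        $headers = @{}
        foreach ($k in $raw.Headers.AllKeys) { $headers[$k] = $raw.Headers[$k] }
    }
    Test-PageExposure -Html $body -Headers $headers -Url $Url
}

# Constructed sample: an anonymous hit on a Site Settings page with no robots
# directives that still advertises the platform in its headers.
$sampleHeaders = @{
    'Server'                          = 'Microsoft-IIS/8.5'
    'X-Powered-By'                    = 'ASP.NET'
    'MicrosoftSharePointTeamServices' = '15.0.0.4420'
}
$sampleHtml = '<html><head><title>Site Settings</title></head><body>...</body></html>'
Test-PageExposure -Html $sampleHtml -Headers $sampleHeaders -Url 'https://contoso.com/_layouts/15/settings.aspx'
```

For the sample input the function reports the three fingerprint headers, the three missing robots directives, the visible "Site Settings" title and the anonymously served _layouts path. The header findings are fixed in IIS (remove X-Powered-By under HTTP Response Headers, and the MicrosoftSharePointTeamServices header with a URL Rewrite outbound rule); the robots findings with the Meta tags or X-Robots-Tag header from the previous section; the _layouts finding by denying anonymous access to application pages.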
Recommended Reference Google Hacking for Penetration Testers, Third Edition
By Johnny Long, Bill Gardner, Justin Brown
SharePoint Support
Because SharePoint is a product developed by Microsoft, product support needs to be maintained so that you keep receiving hotfixes and updates for bugs and security issues.
For SharePoint 2010 there are no more service packs, so make sure to upgrade to SharePoint 2013 or later. Security-related hotfixes will still be created for SharePoint 2010, but other problems in the product will not be fixed (except for customers who purchased Extended Hotfix Support through Premier Support). Note that SharePoint 2013 itself leaves mainstream support in April 2018 and enters the same extended-support phase.
You can find more information at this URI
https://blogs.technet.microsoft.com/stefan_gossner/2015/10/14/still-on-sharepoint-2010-second-edition/
Metasploit
For security professionals, this is one of the most important testing tools. You can consider it a framework (a collection of tools, integrated with many other tools) for tasks such as scanning ports and running exploits against Windows, SQL Server, SharePoint and other products.
You can download the tool from this URI http://www.metasploit.com/
In my case, I run it from Kali 2, which has the Metasploit community version installed by default.
Run this command from a terminal: msfconsole
To search for SharePoint exploits, run the following command:
search sharepoint
Up to now it has only one exploit for SharePoint 2007, which makes it of little use for testing SharePoint 2010 or 2013 directly; but this doesn't mean we can't use it to test our SharePoint environment, because it still has good exploits against the other products in the farm, such as Windows, SQL Server, Active Directory, etc.
ASafaWeb
Automated Security Analyser for ASP.NET Websites (ASafaWeb) is an online testing tool created by Troy Hunt that scans your website by sending HTTP requests and observing how the site responds.
This tool helps you find common misconfiguration vulnerabilities in live ASP.NET websites. The configurations it checks are:
Tracing
Custom errors
Stack Trace
Request validation
HTTP to HTTPs redirect
Hash DoS patch
ELMAH logs
Excessive headers
HTTPOnly cookies
Secure cookies
Clickjacking
Viewstate MAC
You can find more information about the scans at this URI
https://asafaweb.com/Home/Scans
Because SharePoint is built on top of ASP.NET, this tool is helpful for scanning your SharePoint websites for misconfigured settings.
Go to https://asafaweb.com/, enter your website and click Scan.
After scanning your website, it shows you the results in a simple way with tips to fix the issues.
All of the above points except the ELMAH log apply to SharePoint; even the ELMAH add-on can be used with custom applications hosted in SharePoint for custom error logging and handling.
How to fix these issues is explained elsewhere in this whitepaper, but three points in the above results need special consideration.
First point, "Request validation: Fail". SharePoint, like other .NET content management systems, has many places where rich text must be submitted to the server, so by default Microsoft sets validateRequest="false" in web.config; if you enable it, you will no longer be able to create pages with HTML content. In this case you need to accept the risk and keep the feature disabled, but take care of your SharePoint: make sure it is patched with up-to-date fixes, and if you have custom code, validate the input and encode the output on both the client and server sides, using libraries such as AntiXSS.
For the second point, "Hash DoS patch: Not tested", just make sure your SharePoint farm is updated with the latest service pack and cumulative updates.
For the last point, "HTTP to HTTPS: Warning", the scanner is warning about how the site handles the transition between HTTP and HTTPS. User awareness and education help, but there is also a technical control: redirect HTTP to HTTPS with an IIS URL Rewrite rule and send a Strict-Transport-Security header so that browsers stop trying plain HTTP at all.
CIS SharePoint benchmark
The CIS benchmark document is currently available for SharePoint 2007, but many of its security controls still apply to SharePoint 2010/2013; this checklist includes only what is applicable to the newer versions.
You can find the details and steps at this URL
https://benchmarks.cisecurity.org/downloads/benchmarks/
Security Control | Set correctly? (Yes / No)
Accounts
Verify a Least Privileged Setup Account
Verify a Least Privileged Office SharePoint Server Search Account
Verify a Dedicated Excel Services Unattended Service Domain Account
Verify a Least Privileged Separate Domain User Account for Each Application Pool
Verify a Least Privileged SQL Server Service Account
Verify a Least Privileged Dedicated Server Farm Domain Account
Verify a Least Privileged Dedicated Default Content Access account
Verify a Dedicated Least Privileged Profile Import Default Access Account
Installation and Configuration
Secure Windows Host Operating System
Secure IIS Components
Secure Microsoft SQL Components
SharePoint Server Hotfixes and Service Packs
Central Administration Site Location (not hosted on a front-end)
Central Administration Site Access (using Firewall)
Enable Secure Sockets Layer (SSL) on the Central Administration site
Limit Intranet IP Address in External DNS
Central Administration
Enable Secure Sockets Layer (SSL)
Block potentially dangerous uploads
Pluggable Authentication Provider
Configure antivirus settings
Disable Self-Service Site Creation
Set List, Site and Personal Permissions as Appropriate
Set Access Rights per Zone
Disable Anonymous Access
Enable SSL for Web Applications
Use quota Templates
Set Security Validation to On
Define a Secondary Site Collection Administrator
Set SMTP Mail Server
Specify Search "exclude" Crawl Rules
Site Administration
Do Not Crawl Sensitive Content
Set the "Auto-accept requests?" property to [No]
Allow only Group Owners to Edit Group Membership
Restrict who can View Group Membership
Backup and Recovery
Configure document versioning
Two-stage Recycle Bin
Back up SharePoint
Backup IIS Configurations
Enable Recycle Bin
Back up critical sites
Recycle Bin Retention Period
Logging and Reporting
Diagnostic Logging
SharePoint Extensions
Use Strong-names for Web.config [SafeControl] Entries
Permissions on ASP.NET Applications
The CIS Microsoft SharePoint 2016 Benchmark (version 1.0) was also released in August 2017; the list of its security controls follows:
https://www.cisecurity.org/benchmark/microsoft_sharepoint/
Security Control | Set correctly? (Yes / No)
Settings
Ensure access to SharePointEmailws.asmx is limited to only the server farm account
Ensure that the SharePoint Central Administration Site is TLS-enabled
Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set
Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Authentication Provider
Access and Permissions
Ensure 'Block File Types' is configured to match the enterprise blacklist
Ensure the SharePoint farm service account (database access account) is configured with the minimum privileges for the local server
Ensure the SharePoint setup account is configured with the minimum privileges in Active Directory
Ensure SharePoint provides the ability to prohibit the transfer of unsanctioned information in accordance with security policy
Ensure the SharePoint setup account is configured with the minimum privileges on the SQL server
Ensure the SharePoint farm service account (database access account) is configured with the minimum privileges on the SQL server
Ensure only the server farm account has access to SharePointEmailws.asmx
Ensure a separate organizational unit (OU) in Active Directory exists for SharePoint 2016 objects
Ensure the SharePoint Central Administration site is not accessible from Extranet or Internet connections
Ensure Dbcreator and Securityadmin roles are only used as needed
Ensure that the SharePoint Online Web Part Gallery component is configured with limited access
Secure Infrastructure Design
Ensure a secondary SharePoint site collection administrator has been defined on each site collection
Ensure SharePoint implements an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions
Ensure SharePoint implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers
Ensure SharePoint identifies data type, specification, and usage when transferring information between different security domains so policy restrictions may be applied
Ensure that SharePoint specific malware (i.e. anti-virus) protection software is integrated and configured
Ensure that SharePoint is configured with "Strict" browser file handling settings
Ensure that SharePoint is set to reject or delay network traffic generated above configurable traffic volume thresholds
Ensure that On-Premise SharePoint servers is configured without OneDrive redirection linkages
Ensure that the default SharePoint database server ports are changed and/or disabled
Ensure that SharePoint application servers are protected by a reverse proxy
Ensure SharePoint database servers are segregated from application server and placed in a secure zone
Ensure that the SharePoint Central Administration interface is not hosted in the DMZ
Authentication
Ensure SharePoint displays an approved system use notification message or banner before granting access to the system
Ensure claims-based authentication is used for all web applications and zones of a SharePoint 2016 farm
Ensure Windows Authentication uses Kerberos and not the NT Lan Manager (NTLM) authentication protocol
Ensure Anonymous authentication is denied
Auditing
Ensure that auditable events and diagnostic tracking settings within the SharePoint system are consistent with the organization's security plans
Ensure that remote sessions for accessing security functions and security-relevant information are audited
Services and Connections
Ensure that the SQL Server component of SharePoint is set to listen on non-default ports, with the defaults (UDP 1434 and TCP 1433) disabled
Ensure HTTPS binding: TCP 32844 is used
Ensure that SharePoint user sessions are terminated upon user logoff and when the idle time limit is exceeded
Web.Config Configuration
Ensure that the MaxZoneParts setting for Web Part limits is set to 100
Ensure that the SafeControls list is set to the minimum set of controls needed for your sites
Ensure compilation or scripting of database pages via the PageParserPaths elements is not allowed
Ensure the SharePoint CallStack and AllowPageLevelTrace "SafeMode" parameters are set to false
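Several of the ASafaWeb findings (tracing, custom errors, request validation, HttpOnly and Secure cookies, ViewState MAC, excessive headers, clickjacking) and the CIS Web.Config items just listed (MaxZoneParts, SafeControls, PageParserPaths, SafeMode CallStack and AllowPageLevelTrace) are all decided in the same file. The script below is an added example written for this edition (it is not part of the original whitepaper and not a CIS tool): it audits a web.config for those items and returns the findings. Run it against the web.config of every web application (one per IIS site and zone) on every Web server. The file at the end is a constructed sample with deliberately weak values, not a real farm's configuration; the MaxZoneParts threshold of 100 is taken from the checklist above.

```powershell
# Added example (not from the whitepaper and not a CIS tool): audit a SharePoint
# web application's web.config for the ASafaWeb and CIS items that live in that
# file. The sample document at the end is constructed with weak values.

function Get-CfgAttr {
    # Attribute lookup by XPath: missing element -> $null, missing attribute -> ''.
    param([xml] $Doc, [string] $XPath, [string] $Name)
    $node = $Doc.SelectSingleNode($XPath)
    if ($node) { $node.GetAttribute($Name) } else { $null }
}

function Test-SharePointWebConfig {
    param([Parameter(Mandatory)] [xml] $Config, [int] $MaxZonePartsLimit = 100)
    $f  = New-Object System.Collections.Generic.List[string]
    $sw = '/configuration/system.web'

    # --- ASP.NET settings that ASafaWeb probes (system.web) ---
    if ((Get-CfgAttr $Config "$sw/trace" 'enabled') -eq 'true') { $f.Add('Tracing: <trace enabled="true">') }
    $ce = Get-CfgAttr $Config "$sw/customErrors" 'mode'
    if ($ce -ne 'On' -and $ce -ne 'RemoteOnly') { $f.Add('Custom errors: customErrors mode is Off or missing (stack traces are served to clients)') }
    if ((Get-CfgAttr $Config "$sw/pages" 'validateRequest') -eq 'false') {
        # SharePoint ships with this off because it must accept rich HTML: an accepted risk, but keep it visible.
        $f.Add('Request validation: <pages validateRequest="false"> (SharePoint default; compensate with patching and output encoding in custom code)')
    }
    if ((Get-CfgAttr $Config "$sw/pages" 'enableViewStateMac') -eq 'false') { $f.Add('ViewState MAC: <pages enableViewStateMac="false">') }
    if ((Get-CfgAttr $Config "$sw/httpCookies" 'httpOnlyCookies') -ne 'true') { $f.Add('HttpOnly cookies: <httpCookies httpOnlyCookies="true"> is not set') }
    if ((Get-CfgAttr $Config "$sw/httpCookies" 'requireSSL') -ne 'true')      { $f.Add('Secure cookies: <httpCookies requireSSL="true"> is not set') }

    # --- Excessive headers / clickjacking (system.webServer) ---
    $hdr = '/configuration/system.webServer/httpProtocol/customHeaders'
    $removed = @($Config.SelectNodes("$hdr/remove") | ForEach-Object { $_.GetAttribute('name') })
    if ($removed -notcontains 'X-Powered-By') { $f.Add('Excessive headers: X-Powered-By is not removed under customHeaders') }
    $added = @($Config.SelectNodes("$hdr/add") | ForEach-Object { $_.GetAttribute('name') })
    if ($added -notcontains 'X-Frame-Options') { $f.Add('Clickjacking: X-Frame-Options not set in web.config (SharePoint 2013+ adds SAMEORIGIN at runtime; confirm it in the live response)') }

    # --- CIS SharePoint 2016 web.config items (<SharePoint> section) ---
    $sp = '/configuration/SharePoint'
    if ((Get-CfgAttr $Config "$sp/SafeMode" 'CallStack') -eq 'true')           { $f.Add('SafeMode CallStack="true"') }
    if ((Get-CfgAttr $Config "$sp/SafeMode" 'AllowPageLevelTrace') -eq 'true') { $f.Add('SafeMode AllowPageLevelTrace="true"') }
    $mz = Get-CfgAttr $Config "$sp/WebPartLimits" 'MaxZoneParts'
    if ($mz -and [int] $mz -gt $MaxZonePartsLimit) { $f.Add("WebPartLimits MaxZoneParts=$mz exceeds $MaxZonePartsLimit") }
    foreach ($p in $Config.SelectNodes("$sp/PageParserPaths/PageParserPath")) {
        $f.Add("PageParserPath enables compilation/server-side script: $($p.GetAttribute('VirtualPath')) (CompilationMode=$($p.GetAttribute('CompilationMode')), AllowServerSideScript=$($p.GetAttribute('AllowServerSideScript')))")
    }
    $safe = @($Config.SelectNodes("$sp/SafeControls/SafeControl"))
    foreach ($c in $safe) {
        $asm = $c.GetAttribute('Assembly')
        if ($asm -match 'PublicKeyToken=null') { $f.Add("SafeControl without a strong name: $asm") }
        if ($c.GetAttribute('TypeName') -eq '*' -and $asm -notmatch '^Microsoft\.') { $f.Add("Wildcard TypeName for non-Microsoft assembly: $asm, Namespace=$($c.GetAttribute('Namespace'))") }
    }
    $f.Add("SafeControls entries: $($safe.Count) (trim to the controls your sites actually use)")
    ,$f.ToArray()
}

# Constructed sample web.config fragment with weak values (not a real farm's file).
[xml] $sampleConfig = @'
<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="true" AllowPageLevelTrace="true" />
    <WebPartLimits MaxZoneParts="150" PropertySize="1048576" />
    <PageParserPaths>
      <PageParserPath VirtualPath="/pages/*" CompilationMode="Always" AllowServerSideScript="true" IncludeSubFolders="true" />
    </PageParserPaths>
    <SafeControls>
      <SafeControl Assembly="Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.SharePoint.WebControls" TypeName="*" Safe="True" />
      <SafeControl Assembly="Contoso.WebParts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" Namespace="Contoso.WebParts" TypeName="*" Safe="True" />
    </SafeControls>
  </SharePoint>
  <system.web>
    <trace enabled="true" />
    <customErrors mode="Off" />
    <pages validateRequest="false" enableViewStateMac="true" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
  </system.web>
  <system.webServer>
    <httpProtocol><customHeaders /></httpProtocol>
  </system.webServer>
</configuration>
'@

Test-SharePointWebConfig -Config $sampleConfig
# Against a real web application, for example the default port-80 site:
# Test-SharePointWebConfig -Config ([xml](Get-Content 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config' -Raw))
```

Two cautions when acting on the findings: edit web.config through a SPWebConfigModification or a documented manual change on every Web server (the file is per server and per zone, and a patch or new server can bring the defaults back), and treat the validateRequest line as the accepted risk described under ASafaWeb rather than something to flip to true.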
Thank You
Thanks for reading this whitepaper. Again, I really hope it has been informative and will help you maximize your SharePoint security. For any questions or comments, send me an e-mail at fabdulwahab@outlook.com.