Security

In light of the recent NHS attack, I wanted to write a blog about Security and re-emphasise what we should be doing to protect our data, especially in regards to SharePoint.

This blog will focus on SharePoint within Office 365 and on Premise and some (of many) pointers of defence to help protect SharePoint.

  • A common security issues I see with many clients is permission governance.

A SharePoint governance plan can help keep your data secure and compliant, by helping you structure, create policies and procedures and implement controls, such as designing security controls, permissions and roles for assigning permissions etc.

SharePoint is used to store data, and on most occasions, sensitive data.  It is important to ensure that this sensitive data is not accessible to the people who do not need to see it, especially as data if shared with external parties, such as contractors, partners etc, therefore it is vital to ensure that access rights remain aligned with the business needs.  There have been many cases known where data has got into the wrong hands, e.g. United States v. Manning.

This also includes using the least privileged accounts and use specific accounts for specific purposes.  I have seen many SharePoint systems where IT use the farm account as their admin account.   Plan for administrative service accounts : https://technet.microsoft.com/en-us/library/cc263445.aspx .

Also you should being using Groups to manage users as much as you can. Using groups gives you a more maintainable security model, meaning If you want to make a change to permission, you apply it to a group, not individual people.

for e.g. different sites require different governance policies. Site such as homepage would be more tightly governed as it would typically be available to everyone in the organisation, whereas the HR department, for example would be more tightly governed than other generic sites such knowledge based areas.

  • Multi Factor Authentication – Within office 365, Multi Factor Authentication (MFA) increases the security of user login. With MFA, users are required to enter an second stage of authentication after their initial entering of their password. The second stage requires the user to receive an email, app notification, phone call or text message to enter a number. Only after the second stage is complete will the user be authenticated to sign in.
  • Virus Protector: For On-Premise installs of SharePoint, there are a growing number 3rd party tools which can be used for anti-virus protection, such as
    1. MacAfee
    2. Bit Defender
    3. Sophos
    4. Trend Micro

However, Microsoft recommend that you install an anti-virus solution based on SharePoint Portal Server Virus Scanning Application (VS API) – this is because SharePoint is continually providing enhancements to SharePoint via, installing a non related SharePoint AV will not guarantee you any support for SharePoint specific issues.

https://support.microsoft.com/en-us/help/322941/microsoft-s-position-on-antivirus-solutions-for-microsoft-sharepoint-portal-server

Within Office 365, files are scanned as they are uploaded. If a file is found to be infected, a property is set so that users cant download that file from the browser or syn the file in the One Drive for business client.

https://blog.qipoint.com/2016/07/27/sharepoint-and-anti-virus/

This is not to say you should not have a virus protector on your local machine

  • Information Rights Management (IRM) – IRM is a technology applied at the list / library level in SharePoint. A document that is IRM permission can either permit / deny a user from doing certain actions within that document such as :
    1. Controlling copy and paste
    2. Preventing printing and editing
    3. Require users to review their credentials at specific intervals
    4. Provide ability to not upload documents that are not IRM protected
    5. Allow people with least the view items permissions to run embedded code or macros on a document.

Now this next step is not strictly a SharePoint security setting. With SharePoint, Online and On-Premise it’s important to have some sort of lock or password on your device, especially as users now bring their own devices into work. SharePoint is available on mobile, apps like Yammer, One Drive for Business can be exposed thus potentially leaking sensitive data.

In addition to this, I wrote a blog on Data Loss Prevention (here) which is another great way of ensuring that sensitive data does not leave the corporate domain.

Data Loss Prevention

To add onto my last blog about Security, I wanted to write about a new feature available with the on premise version of SharePoint 2016,  Data Loss Prevention.

Now I’m sure you have all heard of Data Loss Prevention within the compliance centre in office 365 – but I wanted to discuss what it is and how it works on premise.
This blog will demonstrate how DLP works, and how to set it up on SharePoint 2016.

What is Data Loss Prevention?
Put Simply, “Data Loss Prevention is a way to ensuring that sensitive data is protected against misuse or accidental disclosure”

How does SharePoint know what sensitive data is?
In SharePoint, sensitive information is defined by a pattern which is identified by a regular expression e.g. a bank number. The search engine contains several pre-defined keywords and checksums that are used to identify sensitive information alongside a confidence level process.

For example if a DLP has been configured where a UK Passport Number cannot be sent or seen within a corporate network, the following checks (table below) are checked against via the SharePoint search engine.

Format Nine digits
Pattern Nine consecutive digits
Checksum No
Definition A DLP policy is 75% confident that it’s detected this type of sensitive information if, within a proximity of 300 characters:

  • The function Func_usa_uk_passport finds content that matches the pattern.
  • A keyword from Keyword_passport is found.

Entity id=”178ec42a-18b4-47cc-85c7-d62c92fd67f8″ patternsProximity=”300″ recommendedConfidence=”75″>    <Pattern confidenceLevel=”75″>        <IdMatch idRef=”Func_usa_uk_passport” />        <Match idRef=”Keyword_passport” />    </Pattern></Entity>

 

Keywords
Keyword_uk_drivers_license
Passport Number
Passport No
Passport #
Passport#
PassportID
Passportno
passportnumber
パスポート
パスポート番号
パスポートのNum
パスポート#
Numéro de passeport
Passeport n °
Passeport Non
Passeport #
Passeport#
PasseportNon
Passeportn °

If the document meets the criteria above, then the document will be flagged up and depending on the actions set, the document will be blocked.

Hope that has given you a good understanding of What DLP is, I now I will show you how to set this up in SharePoint 2016 in a few easy steps.

To set up DLP on SharePoint on-premise, there are a few pre-requisites that need to be setup prior.

  • SharePoint Server 2016
  • Search service application configured and running crawls.
  • Compliance Centre
  • eDiscovery Centre
  • Outgoing email with emails configured on users.

From within the eDiscovery site collection you have select ‘Create DLP Query’, as below

Then select New Item

From the New DLP Query pop up box, choose the template you wish to use, for example, for this demo, I will use the “UK Data Protection Act”.
Ensure you change the number at the bottom from 9 to 1 to ensure the rule works if 1 instance of the rule is found
3.template
Select Next

Give the Query a Name, and a start and end data and choose the source you want the DLP to work from.  (For this demo, I will leave the source as ‘Search Everything in SharePoint’), as below

Select Save.

That’s it, the DLP query has been created.

Now upload a document into SharePoint document library which contains nine consecutive numbers and a term from the Keyword, e.g below.

Save the document into SharePoint as Loreum ipsum.

loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum  789208725 passportno loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum

run a search crawl, and select Search from the eDiscovery site collection, you should see the document appear (circled below)

5.new

So you can see that the document I uploaded which contained nine consecutive number and a term from the keywords has been flagged up via the eDiscovery Centre results section.

Now we need to create a Policy for this DLP.

Navigate to the Compliance Centre and select ‘Data Loss Prevention Policies’

6.ComplianceSelect New Item and select the a name  for the policy, select the template you chose above and edit the 9 to a 1 to change the number to 1 conflict before the rule to take effect. Insert an email address so that a when a DLP finds a match, it will email this person. And then choose what to do with the file once a match is find, i.e. show a policy tip and block document.  As below

7.complianceTemplate

Select Save.

After the Policy is created, we must assign that policy to a site collection. From the Compliance centre select DLP Policy Assignments for Site Collections

8.

Select New Item and choose, First Choose a site Collection,

9

Select Save

Now under Managed Assigned Policy, assign your Policy to the site collection.

10

Select Save

Please note that when you add a New Policy Assignment, it may take 24 hours to apply, but High Priority rules such as Credit Cards and Passport numbers take up to 15 mins.

11

Policy Tips

In the Compliance Policy above, we ticked a box to say we wanted to enable Policy Tips and to block access to documents which meet the DLP policy rules, well this is what a Policy tips looks is and how it behaves in SharePoint once a rule has been met.

When a document in a library meets a Policy, a Policy tip is shown and the document is blocked, as below

12

The Policy tip displays an error on the document informing the user it is blocked (as we selected in the compliance centre).

The tip informs who the document is open to, the user the problems with the document.  The Owner, last modifier or the site owner can go into the document in remove the passport number, or if they think it’s an error, click resolve.

13

When you click resolve, you can override the policy, which means that you are aware and its normal that the data lives in the document. The other choice is Report an issue, where you think the document in fine and that it shouldn’t trigger a policy.

14

When you click on override, you must give a business justification as to why you want to override the rule, as below

15.businessJustification

The rule has been overwritten, and the error image is now been removed.

16

Azure Security Center

With more and more organisations adopting cloud solutions such as Azure, the security of the cloud resources is becoming a growing concern.
This blog will aim to give you a detailed overview of the Azure security center and how it gives you the tools you need to address your organisations security posture in the cloud.

Azure Security Center provides you with a centralized view of all your Azure Resources and their security state. At a glance, you can verify the appropriate security controls that are in place and quickly identify any resources that require attention.  Azure Security Center has 3 core capabilities which are

  • Prevent – Azure Security Center will monitor your Azure subscription(s) based on the security policies you configure.
  • Detect – Azure Security Center will automatically collect and analyse security data from your Azure resources, the network, and partner solutions like anti-malware programs and firewalls. It leverages global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds.
  • Respond – Any alerts generated are prioritised, insights into the source of an attack and any impacted resources are all part of Azure Security Center, along with suggestions on how to stop a current attack and help prevent future attacks.

Security Center Dashboard 

Below is a screenshot of the Security Center Dashboard which gives you a high level overview of the security of your Azure Subscription.

Azure Security Center Dashboard

You can drill down further to view the security issues by clicking on the line items, or graphs where you can view recommendations about the issue. (more on this below)

Security Policies

A security policy defines the set of controls, which are recommended for resources within your subscription or resource group.

By default all prevention policies are turned on. Prevention policies and recommendations are tied to each other. In other words, if you enable a prevention policy, such as OS Vulnerabilities, then that enables recommendations for that policy. In most situations, you will want to enable all policies, even though some might be more important to you than others depending on the Azure resource you’ve deployed.

Below is a screenshot of all the prevention policies (turned on by default) with details of what the recommendations are.

Recommendations

System updates. Retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services.
OS vulnerabilities. Analyses operating system configurations daily to determine issues that could make the virtual machine vulnerable to attack.
Endpoint protection. Recommends endpoint protection to be provisioned for all Windows virtual machines to help identify and remove viruses, spyware, and other malicious software.
Disk encryption. Recommends enabling disk encryption in all virtual machines to enhance data protection at rest.
Network Security Groups. Recommends that network security groups be configured to control inbound and outbound traffic to VMs that have public endpoints. In addition to checking that a network security group has been configured, this policy assesses inbound security rules.
Web application firewall. Extends network protections beyond network security groups, which are built into Azure. Security Center will discover deployments for which a next generation firewall is recommended and enable you to provision a virtual appliance.
Next generation firewall. Extends network protections beyond network security groups, which are built into Azure. Security Center will discover deployments for which a next generation firewall is recommended and enable you to provision a virtual appliance.
Vulnerability Assessment. Recommends that you install a vulnerability assessment solution on your VM.
SQL auditing & Threat detection. Recommends that auditing of access to Azure Database be enabled for compliance and advanced threat detection, for investigation purposes.
SQL Encryption. Recommends that encryption at rest be enabled for your Azure SQL Database, associated backups, and transaction log files. Even if your data is breached, it will not be readable.

Recommendations

As Security Center collects data from your Azure resources, it will periodically analyse the contents of that data and present you with recommendations to address potential security vulnerabilities. On the Security Center blade, the recommendations tile displays the total number of available recommendations. If you click on the recommendation tile it will present you with the full list of recommendations.

Recommendations Tile

Once you click on the Recommendations tile you will be presented with a table as shown in the following screenshot. You can click on each recommendation to view additional information or to act to resolve the issue.

Remediating Recommendations

After reviewing the list of available recommendations, you can click on the individual line items to take further action. For example, from the screenshot above, if you click on the line item to ‘Enable Network Security Groups on subnets’, you will be presented with all of the resources that apply to the recommendation, as shown in the following screenshot

Remeidating recomendations

From here, on the ‘Configure Missing Network Security Groups for subnets’ you can mark the subnet you need to remediate, which will present you  with the option to create a Network Security Group for that subnet.
(Please view the following article for best practices on Azure Network Security Groups: https://blogs.msdn.microsoft.com/igorpag/2016/05/14/azure-network-security-groups-nsg-best-practices-and-lessons-learned/)

Partner Solutions

Security Center is integrated tightly with third-party solutions from Azure partners. When it comes time to implement a solution to a Security Center recommendation, you often have several choices. You can implement one of the Microsoft solutions. Or, you can implement a partner solution.

For example, there is a recommendation for adding a Next Generation Firewall. Next generation firewall solutions extend network protections beyond Network Security Groups, which are built-in to Azure. At the time of this writing, there are three options for adding a Next Generation Firewall – adding a Barracuda Networks NextGen firewall, adding a Check Point vSEC firewall and adding a Fortinet VM Firewall. This is one example of a recommendation that can be remediated by partner solutions. Additional partner solutions are planned and will be integrated into Azure Security Center in the future.

Partner Solutions

Monitoring Partner Solutions

After you’ve implemented some partner solutions, Azure enables you to monitor those solutions. The Partner solutions tile on the Security Center blade lets you monitor the health status. The screen capture below shows the Security Center overview blade with the Partner solutions tile highlighted

Monitoring Partner Solutions

The Partner solutions tile displays the number of partner solutions and a status summary for those solutions. The status of a partner solution can be:

Protected (green). There is no health issue.
Unhealthy (red). There is a health issue that requires immediate attention.
Stopped reporting (orange). The solution has stopped reporting its health.
Unknown protection status (orange). The health of the solution is unknown at this time due to a failed process of adding a new resource to the existing solution.
Not reported (grey). The solution has not reported anything yet, a solution’s status may be unreported if it has just been connected and is still deploying.

Monitor Solutions Health

To view the health of your partner solutions, select the Partner solutions tile. A blade opens displaying a list of your partner solutions connected to Security Center, as seen in the screen capture below:

Partner Solutions 2

From this screen, select a partner solution to display the status of the partner solution as well as the solution’s associated resources. You can click Solution console to open the partner management experience for this solution. Additionally, you can click on the Link app button to connect resources to this partner solution. For example, you could do basic management (add a new application to be protected by WAF) or access the partner management console for advanced configuration.

Further reading : https://docs.microsoft.com/en-us/azure/security-center/security-center-intro

Excel Web Access and OData Connections: Data Refresh

Have you ever tried to use a SharePoint list to populate a Power Pivot Graph in excel ; and then render the graph in SharePoint using Excel Web Apps? – Sounds pretty cool eh!?

Not Quite.

I created a SharePoint list, for e.g. Profit Loss , which details the a financial summary of a project, e.g.  (Profit is a calculated column)

ProfitLoss

Having created the list, I opened up Excel and created a OOData Data Feed connection (below) and generated a graph based on the data within the list.

OData

Graph below

ProfitLossChart

Seems relative.

However, if you make a change to the SharePoint list, the excel web access web part in SharePoint  does not dynamically update to show an updated chart to reflect the change made on the list.  You must manually open the excel sheet, refresh data connections and then save the excel sheet again to update the excel web access web part.

If you manually refresh the Excel web part by clicking Data, Refresh Selected DataConnection, the web part loads  the new updated data;

Screenshot below showing new data

newProfit

Screenshot below showing a manual refresh

ManualUpdate

Result after doing a Manual Refresh (notice the profit)

NewChart

If the entire page is refreshed, the webpart reverts back to the original, see image below.

Normal Chart

 

I noticed that if you have the excel sheet open in real time and make a change to the SharePoint list – the Excel will in fact update – but it does not save the sheet. (You can check the modified date on the library).

Having done further tests – I also noticed the Pivot Chart had a ‘Refresh data when opening the file’ – I checked this and saved the excel file to my sharepoint document library. DataRefresh

The Excel Web Access web part now showed an Warning when the page was loaded, as below

Warning

The user must click Yes to load the worksheet – which as a result refreshes the latest data. Not, really a solution though.

For On-Premise users – we can resolve the warning message by adding the Excel file as a trusted location in the Excel Services Application; however, the Excel Service Service Application is not available in SharePoint on-line :(

I guess the only viable solution is to for a user to manually open the Excel sheet(s) and do a refresh all and then save the worksheet back into SharePoint; thus updating all the Power Pivot Charts..

I will let you know if there are any updates on when or if the Excel Service Application is available so we could add worksheets into the trusted locations.

There is a good blog article here which could be of help should you run into a similar issue:

 

Azure Storage Explorer

I often find myself having to transfer or download files from my Azure Storage Account.

There are a number of ways to download your files, such as from your Azure subscription; there are also a lot of third party tools out there that can help you transfer and or download your files such as Zudio which is a cheap web based subscription service and Azure Storage Explorer from codeplex  (This one is really good! ).

However recently, I have been using Azure Explorer by Cerebrata.
Azure Explorer is a fantastic way to upload, download files to and from your Azure Storage Container while at the same time ensuring security is maximised, the tool effectively allows you to manage your Azure files in an easy to use interface.
You can download Azure Explorer here.

Firstly, In order to use the tool you will need to have your Azure Storage Account set up and your Storage Account key; then download the tool from the link above.

Once the Azure Explorer is downloaded you will have to:

1. Add your Azure Storage Account

AddStorageAccount

Then click on ‘Test Connection’ to ensure you can connect to your Azure Storage

successful Connection

2.  Once connected, you will be able to access to your files / BLOBS in user friendly interface, in which you can upload / download / delete etc…

Below shows the storage account

AzureStorageLevel1

Click into the storage account will show the containers within the storage account.

AzureStorageLevel2

Clicking into the containers will show the files.

AzureStorageLevel3

I particularly find this tool useful for sharing with customers, as it enables me to send files to customers in an easy, free secure way.

How safe is it storing data in the cloud?

My journey into work last week consisted of me having a debate with a few friends about storing data on-premise vs storing data in the cloud, in particular office 365.
I was able to discuss some key points and advantages of using office 365, so I thought it would be a good idea to give a brief overview on some of the advantages of using office 365 on my blog and more importantly outline what measures Microsoft take to ensure that ‘our’ data is safe in the cloud.

Firstly, its important to understand that Microsoft offers various levels of security to its users within Office 365.
No one has specific access to data, No third party, literally no one.
Each data centre (where data is stored) has a strict control of access as to who can actually enter the data centre & what they can do; this is governed by what Microsoft called ‘Lock Box’. Essentially  meaning that if an engineer does have to go into the data centre; then their is a strict access control as to what the engineer can do – at no point will that engineer have access to the data; its mainly just troubleshooting tasks.
https://products.office.com/en-us/business/office-365-trust-center-engage-videos#a

Below is a brief overview on some of the various layers of security offered on different layers.

Network Layer – Firstly all data on Office 365 is encrypted in transit using TLS/SSL; this ensures that data is confidential; (previous blog post on SSL) – so if a user did ‘intercept’ communication; then the results would be scrambled and would be of no use to them.

Physical Layer.  On Premise, an IT Admin or IT staff know exactly where the disk that contains the data is, they know exactly which computer it is on and exactly how to get to it; this is generally how an premise environment is run – in that someone knows exactly where the data is. A malicious user once on the server has the ability to do whatever they want, i.e. run code, delete data, copy data, remove the drive etc.

In the cloud world, the only folks who can get into the data centre are the engineers, for e.g. during maintenance – but their are strict access controls in place to ensure data is not accessed, its mainly just troubleshooting tasks.
Having ability to find out whose server is whose, or which partition data lives on or where it lives within the data centre is like finding a needle in a haystack, the size of the data centre and the amount of servers would mean a malicious person would never know which disk drive belongs to a particular person.
But in a worse case scenario supposing an engineer pulls a drive out? – Microsoft have invested in BitLocker which basically means that the drive that is pulled out will be wiped.

Furthermore Microsoft have  a Blue team and red team.
The red team are constantly trying to ‘hack’ into Microsoft Data centres whilst at the same time the Blue team are consistently trying to prevent those attacks.

Logical Layer. No code that is not known to Microsoft is allowed to be executed on any of the servers; i.e it cant get random code out of the environment and run it on servers . Only known processes are white listed to run on servers, This would make is virtually impossible for a malicious user to run a malicious code on a server (that’s if they ever got on).

User Layer  – The office 365 admin portal offers much more in terms of security.

>Multi Factor Authentication – Multi factor Authentication is a two way sign in process, making it harder for a malicious user to get into your account; When a user signs into their Office 365 account with their username and password – an additional layer of security must be acknowledged via a phone call or text before that user can sign in.  This feature is also available on most Hotmail / Outlook accounts.

> Data loss prevention – DLP essentially scans emails for sensitive information, such as “Credit Card Number”.  Warnings can be given to the sender alerting them and give the sender control of weather they would like to send the email or not. If the sender agrees to send the email, then it can be encrypted using TLS encryption or we could apply rights management

> Rights management. Rights Management is a list / library setting (within SharePoint) that allows site owners to protect attachments stored against list items and / or supported file types.
For e.g. If a document is downloaded; the file is encrypted  so only authorised people can view it; furthermore the file can be have restrictions imposed on it; making it impossible for users to print, copy, save a local copy etc.

There is a fantastic white paper which is available here to download which details the above with additional security measures Microsoft have  taken to ensure data is safe in the cloud.

http://www.microsoft.com/en-gb/download/confirmation.aspx?id=26552

 

SharePoint & SSL

Back in October I  was tasked with installing an Intranet / Extranet for a customer.  Installing and configuring the SharePoint was all done, the customer however required secure communication over the extranet so external users could communicate securely over https.
This blog article will detail how I set up SSL (Secure Socket Layer) and shall furthermore describe how SSL works.

Firstly, I extended the Intranet URL to the Extranet Zone.  This ensured that the external users could access the same information as Internal Users.
(When you extend a zone, SharePoint automatically creates an Alternate Access Mapping (AAM) , this basically tells SharePoint how to map the request to a URL)

1. Highlight the web application you wish to extend and select the extend tab from the ribbon

1.ExtendTab

2. From the Next screen I populated the following fields

Ensure the Extended zones is on Port Is 443
2.ExtendedURL

Ensure the Extended Zones is configured to run on SSL

3.UseSSL

Check the URL and the zone is correct
4.PublicURLandZone

Once you Click OK – SharePoint will create an additional zone for you in IIS (as below)5.IIS

Once your IIS site is created, you can attach you Certificate to the site.

3. To create the Certificate, in IIS click ‘Create Certificate Request’

15.NewCertificate

Populate the Distinguished Name Properties (as below) and Click Next

16.DistinguidedName

Save the .txt file. The txt should be used to request the certificate from a verified issuer such as VeriSign or GoDaddy.

3. Once your certificate .cer file is on the web server , right click it and select Install Certificate. (If you have multiple WFE servers, do this step on all of them)
6.InstallCertificate

4. Ensure the certificate is imported onto the Local Machine and placed in the Personal Store.

7.SelectLocalMachine
8.PersonalStore

5. Head back into IIS and double click Server Certificates.

13.IISServerCertificate

Your Certificate will be visible.

6. Go back to the extended SharePoint Site, Right Click and select Edit Bindings
9.EditBindings

select Edit
10.EditBindings2

Select your certificate from the SSL dropdown and Select OK.
11.SelectCertificate

7. Your Certificate is now attached to your Web Application.

(Move the Certificate into the Trusted Authority Store)

8. Navigate to your Extended SharePoint site and assuming you have your DNS records set up; it should load with problems with the green padlock :) (as below)

https

Now having set all that up; what does attaching a certificate to the SharePoint server actually do?

1. Your computer  makes a request to access the http://extranet.domain.com site

2. The server where the certificate is installed for http://extranet.domain.com  issues a Public Key to the requesting computer.

3.Your  Computer then encrypts the data with the Public Key (that was sent from the server)  and sends data back to the server.

4. The Server then decrypts the data using the Private Key – and only the server with the Private Key can decrypt the data..
If anyone intercepts the data in between, the data will be ‘Jibberish’.  The Private Key is the only way the data can be decrypted.

Target Audiences Column appearing as GUID

So, I have been working on a project for a customer who wanted to Target Audience individual list items in SharePoint….Simple task right?.

I allowed the management of content types on my list and added in the ‘Target Audience’ site column which is available to us out of the box.  This bit all works fine.

The actual problem arises when you start to audience target the list items.

When you audience target list items, the audience appears as a GUID in the list view (as below)

AudienceWithBothItemsError

But if you remove the audience from the first list item, the audience does not appear as  a GUID (as below)

AudienceNoError

So basically, if the first item in the list has an audience, then ALL the items appear as GUIDS.
As soon as you remove the audience from the first list item, the audience name loads correctly i.e. doesn’t display the GUID.

I did a bit of further reading on this ,  A lot of people have said this issue is by design, but surely it can’t be a design issue. No ones wants to see a GUID in the view.
I found this issue is evident on all on-premise versions of SharePoint (2007, 2010 and 2013) and SharePoint on-line .

Having contacted Microsoft about the issue; they confirmed that this issue is a Bug in SharePoint and there is currently no fix for it :(
The current workaround is to remove the audience from the first item :S

Awaiting a response as to when it will be fixed and why it hasn’t been fixed since 07. Until then, I guess we have to live with it.

**UPDATE – Microsoft responded to my reply as to why this issue had not been fixed since 07  & when they plan to have a fix for it.  Below is the response.

This bug will not be fixed. SharePoint uses XSLT stylesheets to render list views. A list is rendered as an HTML table and the value of a field is rendered into the appropriate cell of the table by a simple XSLT template from the fldtypes.xsl file located in %ProgramFiles%\Common Files\Microsoft Shared\web server extensions\14\TEMPLATE\LAYOUTS\XSL. And this issue relates to the .xsl file. 

So there you have it folks, an unfixable bug in SharePoint :(

I will have a play around to see if we can have another workaround to this issue – where we don’t have to remove the audience from the first list item. Will keep you posted!

 **UPDATE – Temporary Fix to Audiences appearing as GUID

Hi All, finally got around to finding a temporary fix to this problem.

As the GUID on Target Audiences only appears on the first item in the list, we need to find a way of hiding the first item… Having tried to use filters on the view to hide the first ID – the problem still remained, (because the first item in the list will be item 2 If you hide item 1)

A Solution that worked for me was adding the snippet web part to the actual list and then adding a bit of code to it. See below.

1. Create a bogus item as the first item in the list. Make sure that this item has an ID of 1. (So it has to be the first item in the list)

BogusItem

1. Edit the list by selecting the cog in the corner and Edit Page

EditPage

2. Insert the snippet web part on top of the list and insert the following code:

 <style>
.ms-listviewtable > tbody > tr:first-child{
   display: none;
}
</style>

3. Save the page

4. Voila

NoGUID

The snippet is just basically just hiding the first item in the list.

*I strongly recommend you try and test this before you insert any code onto a PROD environment.

User Profile Stuck on Starting.

When installing UPS. Never log in as the Farm account.. Just ensure the farm account is the local admin on the SharePoint server.

If the ups sync service is stuck on starting, run the following Powershell command (PoSh)

 Get-spserviceinstance | select TypeName, ID

This will return the ID of the service that is stuck,

Then run the following PoSh command once you have the ID

Stop-SPServiceInstance -id “id of service” .

There are occasions when the service still won’t stop even after running the Stop-SPServiceInstance PoSh command (This can occur when you start the UPS whilst logged in as the farm account).

One way of stopping the service (if the Stop-SPServiceInstance doesn’t stop it) is to use the following stsadm commands. (You can also run the commands below in Powershell – no need to load any type of SnapIn.) – but for my example, I used STSADM.

stsadm -o enumservices > c:\services.txt – This produces a .txt file which gives a list of services and shows the name of the service you need (as below)

ups

Services

Then run stsadm -o provisionservice -action stop -servicetype “Microsoft.Office.Server.Administration.ProfileSynchronizationService, Microsoft.Office.Server.UserProfiles, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c” -servicename FIMSynchronizationService

The service type (in italics) is the from the service.txt (with the red border) :)