Security

In light of the recent NHS attack, I wanted to write a blog about security and re-emphasise what we should be doing to protect our data, especially in regard to SharePoint.

This blog will focus on SharePoint within Office 365 and on-premises, and on some (of many) pointers of defence to help protect SharePoint.

  • A common security issue I see with many clients is permission governance.

A SharePoint governance plan can help keep your data secure and compliant by helping you structure, create policies and procedures and implement controls, such as designing security controls, permissions and roles for assigning permissions.

SharePoint is used to store data, and on most occasions sensitive data. It is important to ensure that this sensitive data is not accessible to people who do not need to see it, especially as data is often shared with external parties such as contractors and partners; it is therefore vital to ensure that access rights remain aligned with business needs. There have been many known cases where data has got into the wrong hands, e.g. United States v. Manning.

This also includes using least-privileged accounts and using specific accounts for specific purposes. I have seen many SharePoint systems where IT use the farm account as their admin account. See Plan for administrative service accounts: https://technet.microsoft.com/en-us/library/cc263445.aspx

You should also be using groups to manage users as much as you can. Using groups gives you a more maintainable security model: if you want to change a permission, you apply it to a group, not to individual people.

For example, different sites require different governance policies. A site such as the homepage, which would typically be available to everyone in the organisation, needs a different policy from the HR department site, which would be more tightly governed than generic sites such as knowledge-base areas.
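As an added example (not from the original post), the following PowerShell reports where permission inheritance has been broken in a site collection and which users hold permissions directly rather than through a group, flagging direct Full Control grants. It assumes the SharePoint 2010/2013 server object model on a farm server; the site URL is a placeholder.

```powershell
# Added example, not from the original post. Assumes a SharePoint 2010/2013
# farm server; the URL below is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.local"   # placeholder: your site collection

# Return one row per user granted directly on a securable object (web or list).
# Members that are SPGroups are skipped: those are the maintainable case.
function Get-DirectUserGrants {
    param($Scope, [string]$Label)
    foreach ($ra in $Scope.RoleAssignments) {
        if ($ra.Member -is [Microsoft.SharePoint.SPUser]) {
            $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            New-Object PSObject -Property @{
                Scope       = $Label
                User        = $ra.Member.LoginName
                Roles       = $roles
                FullControl = ($roles -like "*Full Control*")   # least-privilege red flag
            }
        }
    }
}

$site   = Get-SPSite $siteUrl
$report = foreach ($web in $site.AllWebs) {
    if ($web.HasUniqueRoleAssignments) {
        Get-DirectUserGrants -Scope $web -Label "Web: $($web.Url)"
    }
    foreach ($list in $web.Lists) {
        # Lists that broke inheritance are where permission sprawl usually hides
        if ($list.HasUniqueRoleAssignments) {
            Get-DirectUserGrants -Scope $list -Label "List: $($web.Url)/$($list.Title)"
        }
    }
    $web.Dispose()
}
$site.Dispose()

# Direct grants with Full Control first: these are the ones to move into groups
$report | Sort-Object FullControl, Scope -Descending |
    Format-Table Scope, User, Roles, FullControl -AutoSize
```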

  • Multi-Factor Authentication – Within Office 365, Multi-Factor Authentication (MFA) increases the security of user login. With MFA, users are required to complete a second stage of authentication after entering their password. The second stage requires the user to receive an email, app notification, phone call or text message and enter a number. Only after the second stage is complete is the user signed in.
  • Virus protection: For on-premises installs of SharePoint, there is a growing number of third-party tools which can be used for anti-virus protection, such as
    1. McAfee
    2. Bitdefender
    3. Sophos
    4. Trend Micro

However, Microsoft recommend that you install an anti-virus solution based on the SharePoint Portal Server Virus Scanning API (VSAPI). Microsoft continually enhances SharePoint, and installing an anti-virus product that is not SharePoint-aware will not guarantee you any support for SharePoint-specific issues.

https://support.microsoft.com/en-us/help/322941/microsoft-s-position-on-antivirus-solutions-for-microsoft-sharepoint-portal-server

Within Office 365, files are scanned as they are uploaded. If a file is found to be infected, a property is set so that users can't download that file from the browser or sync the file in the OneDrive for Business client.

https://blog.qipoint.com/2016/07/27/sharepoint-and-anti-virus/

This is not to say you should not have virus protection on your local machine.

  • Information Rights Management (IRM) – IRM is a technology applied at the list / library level in SharePoint. IRM permissions on a document can either permit or deny a user certain actions within that document, such as:
    1. Controlling copy and paste
    2. Preventing printing and editing
    3. Requiring users to verify their credentials at specific intervals
    4. Preventing upload of documents that are not IRM protected
    5. Allowing people with at least the View Items permission to run embedded code or macros on a document

Now, this next step is not strictly a SharePoint security setting. With SharePoint Online and on-premises, it's important to have some sort of lock or password on your device, especially as users now bring their own devices into work. SharePoint is available on mobile, and apps like Yammer and OneDrive for Business can be exposed, potentially leaking sensitive data.

In addition to this, I wrote a blog on Data Loss Prevention (here), which is another great way of ensuring that sensitive data does not leave the corporate domain.

SharePoint & SSL

Back in October I was tasked with installing an intranet / extranet for a customer. Installing and configuring SharePoint was all done; the customer, however, required secure communication over the extranet so external users could communicate securely over HTTPS.
This blog article will detail how I set up SSL (Secure Sockets Layer) and shall furthermore describe how SSL works.

Firstly, I extended the intranet URL to the extranet zone. This ensured that external users could access the same information as internal users.
(When you extend a zone, SharePoint automatically creates an Alternate Access Mapping (AAM); this basically tells SharePoint how to map the request to a URL.)

1. Highlight the web application you wish to extend and select the Extend tab from the ribbon.

(screenshot: Extend tab)

2. On the next screen, populate the following fields.

Ensure the extended zone is on port 443.

(screenshot: extended URL)

Ensure the extended zone is configured to use SSL.

(screenshot: Use SSL)

Check the URL and the zone are correct.

(screenshot: public URL and zone)

Once you click OK, SharePoint creates an additional IIS web site for the new zone (as below).

(screenshot: IIS)

Once your IIS site is created, you can attach your certificate to the site.

3. To create the certificate, in IIS click 'Create Certificate Request'.

(screenshot: new certificate)

Populate the Distinguished Name properties (as below) and click Next.

(screenshot: Distinguished Name)

Save the .txt file. This file is the certificate request that you submit to a trusted issuer such as VeriSign or GoDaddy.

4. Once your certificate .cer file is on the web server, right click it and select Install Certificate. (If you have multiple WFE servers, do this step on all of them.)

(screenshot: Install Certificate)

5. Ensure the certificate is imported into the Local Machine store and placed in the Personal store.

(screenshot: select Local Machine)
(screenshot: Personal store)

6. Head back into IIS and double click Server Certificates.

(screenshot: IIS Server Certificates)

Your certificate will be visible.

7. Go back to the extended SharePoint site, right click and select Edit Bindings.

(screenshot: Edit Bindings)

Select Edit.

(screenshot: Edit Bindings, second dialog)

Select your certificate from the SSL certificate dropdown and click OK.

(screenshot: select certificate)

8. Your certificate is now attached to your web application.

(Move the certificate into the Trusted Authority store.)

9. Navigate to your extended SharePoint site and, assuming you have your DNS records set up, it should load without problems with the green padlock 🙂 (as below)

(screenshot: https padlock)
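The certificate steps above as a script, added here as an example and not part of the original post. It uses the PKI and WebAdministration PowerShell modules (Windows Server 2012 or later) plus certreq.exe to complete the request generated in step 3, and adds the private-key, trust, name and expiry checks you would want before the extended zone goes live; the .cer path, IIS site name and host name are placeholders.

```powershell
# Added example, not from the original post. Run on every WFE.
# Assumes Windows Server 2012+ (PKI + WebAdministration modules) and that the
# certificate request in step 3 was generated on this server. Placeholders below.
Import-Module WebAdministration
$cerPath  = "C:\certs\extranet.cer"
$siteName = "SharePoint - extranet.domain.com443"   # IIS site created in step 2
$hostName = "extranet.domain.com"

# Steps 4-5: complete the pending request so the issued certificate lands in
# Local Machine \ Personal and is paired with the private key from the request.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
certreq.exe -accept $cerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed: was the request generated on this server?" }
$cert = Get-Item "Cert:\LocalMachine\My\$($issued.Thumbprint)"

# Checks before binding: private key present, chain trusted, name matches the
# public URL, and not about to expire.
if (-not $cert.HasPrivateKey) { throw "No private key paired with the certificate" }
if (-not $cert.Verify())      { throw "Certificate chain is not trusted on this server" }
if ($cert.Subject -notmatch [regex]::Escape($hostName)) { Write-Warning "Subject does not contain $hostName" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

# Steps 6-7: https binding on 443 for the extended zone, then attach the
# certificate. Assumes this is the only https site on the server (0.0.0.0!443).
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
}
if (-not (Test-Path "IIS:\SslBindings\0.0.0.0!443")) {
    New-Item "IIS:\SslBindings\0.0.0.0!443" -Value $cert | Out-Null
}

# Step 8 equivalent: show what IIS will present on port 443
Get-ChildItem IIS:\SslBindings | Format-Table -AutoSize
```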

https

Now, having set all that up, what does attaching a certificate to the SharePoint server actually do?

1. Your computer makes a request to access the http://extranet.domain.com site.

2. The server where the certificate is installed for http://extranet.domain.com issues a public key to the requesting computer.

3. Your computer then encrypts the data with the public key (that was sent from the server) and sends the data back to the server.

4. The server then decrypts the data using the private key, and only the server with the private key can decrypt the data.
If anyone intercepts the data in between, it will be gibberish. The private key is the only way the data can be decrypted.

Target Audiences Column appearing as GUID

So, I have been working on a project for a customer who wanted to target audience individual list items in SharePoint. Simple task, right?

I allowed the management of content types on my list and added the 'Target Audience' site column, which is available out of the box. This bit all works fine.

The actual problem arises when you start to audience target the list items.

When you audience target list items, the audience appears as a GUID in the list view (as below)

(screenshot: audience shown as a GUID on both items)

But if you remove the audience from the first list item, the audience does not appear as a GUID (as below)

(screenshot: audience shown correctly)

So basically, if the first item in the list has an audience, then ALL the items appear as GUIDs.
As soon as you remove the audience from the first list item, the audience name loads correctly, i.e. it doesn't display the GUID.

I did a bit of further reading on this. A lot of people have said this issue is by design, but surely it can't be; no one wants to see a GUID in the view.
I found this issue is evident on all on-premises versions of SharePoint (2007, 2010 and 2013) and SharePoint Online.

Having contacted Microsoft about the issue, they confirmed that it is a bug in SharePoint and there is currently no fix for it 🙁
The current workaround is to remove the audience from the first item :S

Awaiting a response as to when it will be fixed and why it hasn't been fixed since 2007. Until then, I guess we have to live with it.

**UPDATE – Microsoft responded to my reply as to why this issue had not been fixed since 2007 and when they plan to have a fix for it. Below is the response.

This bug will not be fixed. SharePoint uses XSLT stylesheets to render list views. A list is rendered as an HTML table and the value of a field is rendered into the appropriate cell of the table by a simple XSLT template from the fldtypes.xsl file located in %ProgramFiles%\Common Files\Microsoft Shared\web server extensions\14\TEMPLATE\LAYOUTS\XSL. And this issue relates to the .xsl file. 

So there you have it folks, an unfixable bug in SharePoint 🙁 –

I will have a play around to see if we can have another workaround to this issue – where we don’t have to remove the audience from the first list item. Will keep you posted!

**UPDATE – Temporary fix for audiences appearing as GUIDs

Hi All, finally got around to finding a temporary fix to this problem.

As the GUID on target audiences is caused by the first item in the list having an audience, we need to find a way of hiding the first item. Having tried to use filters on the view to hide the first ID, the problem still remained (because the first item in the list will be item 2 if you hide item 1).

A solution that worked for me was adding the snippet web part to the list page and then adding a bit of code to it. See below.

1. Create a bogus item as the first item in the list. Make sure that this item has an ID of 1 (so it has to be the first item in the list).

(screenshot: bogus item)

2. Edit the page by selecting the cog in the corner and Edit Page.

(screenshot: Edit Page)

3. Insert the snippet web part above the list and insert the following code:

<style>
/* Hide the first row (the bogus item with ID 1) of the list view table */
.ms-listviewtable > tbody > tr:first-child {
   display: none;
}
</style>

4. Save the page.

5. Voila!

(screenshot: no GUID)

The snippet is basically just hiding the first item in the list. Note that the selector matches every list view on the page, so if the page holds more than one list view, each of them loses its first row.

*I strongly recommend you test this before you insert any code into a PROD environment.

User Profile Stuck on Starting

When installing the User Profile Service (UPS), never log in as the farm account. Just ensure the farm account is a local admin on the SharePoint server.

If the UPS sync service is stuck on Starting, run the following PowerShell (PoSh) command:

Get-SPServiceInstance | Select TypeName, ID

This will return the ID of the service that is stuck.

Then run the following PoSh command once you have the ID:

Stop-SPServiceInstance -Identity "<id of service>"

There are occasions when the service still won't stop even after running the Stop-SPServiceInstance PoSh command (this can occur when you start the UPS whilst logged in as the farm account).

One way of stopping the service (if Stop-SPServiceInstance doesn't stop it) is to use the following stsadm commands. (You can also run the commands below in PowerShell, with no need to load any snap-in.) For my example, I used STSADM.

stsadm -o enumservices > c:\services.txt

This produces a .txt file which gives a list of services and shows the name of the service you need (as below).

(screenshot: services.txt with the UPS service type highlighted)

Then run:

stsadm -o provisionservice -action stop -servicetype "Microsoft.Office.Server.Administration.ProfileSynchronizationService, Microsoft.Office.Server.UserProfiles, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" -servicename FIMSynchronizationService

The -servicetype value is taken from services.txt (the highlighted entry in the screenshot) 🙂
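The PowerShell route above (find the ID, then Stop-SPServiceInstance) as one script, added here as an example and not taken from the original post. It assumes the SharePoint 2010/2013 snap-in on a farm server, looks the User Profile Synchronization instance up by TypeName rather than a pasted GUID, and polls the status so you know whether the stsadm fallback is needed.

```powershell
# Added example, not from the original post. Assumes a SharePoint 2010/2013
# farm server with the SharePoint snap-in available.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# One instance exists per server; pick the one that is not already stopped.
# Central Admin shows "Starting"; the object model calls that status Provisioning.
$instance = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "User Profile Synchronization Service" -and $_.Status -ne "Disabled"
} | Select-Object -First 1

if (-not $instance) { throw "No running or starting UPS sync instance found" }
"{0} is {1} on {2}" -f $instance.TypeName, $instance.Status, $instance.Server.Address

Stop-SPServiceInstance -Identity $instance -Confirm:$false | Out-Null

# Poll rather than assume: the post notes the stop sometimes never completes.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $instance = Get-SPServiceInstance -Identity $instance.Id
} until ($instance.Status -eq "Disabled" -or (Get-Date) -gt $deadline)

if ($instance.Status -eq "Disabled") {
    "UPS sync instance stopped"
} else {
    Write-Warning "Still $($instance.Status) after 5 minutes; use the stsadm provisionservice command above"
}
```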

Upgrading a Multi-Server SharePoint Farm


I was having a nightmare upgrading a multi-server SharePoint 2013 farm from Standard to Enterprise. Having inserted the Enterprise key in the usual place in Central Administration, it kept throwing errors every time (below).

(screenshot: conversion error)

I spent lots of time troubleshooting this, such as checking the error logs and clearing the cache, to name a few.
In the end one line of PowerShell fixed it:

Set-SPFarmConfig -InstalledProductsRefresh

So if any of you try to upgrade a multi-server farm the usual way, by inserting the product key, and it doesn't work, below are the steps I followed:

  1. Insert the product key in Convert License Type or Enable Enterprise Features (let it error).
  2. Run the above PowerShell command.
  3. SharePoint should upgrade to Enterprise.
  4. Remember to enable Enterprise features on all existing web applications and site collections.