In this article, I’d like to focus on one role I can relate to: SharePoint administrator, or Site Collection administrator, or site administrator. You might name it differently depending on your organization. So what does it take for these people to sleep well every night?
Inspect and Adapt
I like to see security management tasks as an agile process: inspect and adapt. Even if you have the best governance plan and the best process for granting access and rights, you can never be sure that everything inside your environment is entirely safe.
So yes, first of all it’s really important to define your governance plan and to implement some kind of security process, but after that, you need to verify it frequently.
Check for any security breach or anything suspicious. For example, a new external user has appeared, a new permission level has been created, or someone has broken inheritance at the list, folder or document level.
Here are some actions and verifications I can advise you to do. Please adapt them to your context, and if you have more verification processes, let us know in the comments!
Control the External Sharing feature
External Sharing concerns only Office 365 environments. If you have any questions on how it works, please read this guide. Concerning SharePoint and Office 365 security management tasks, this is what you can do to inspect your SharePoint Online:
Once a week (or more):
- Verify the list of external users (Sharegate’s security tab shows you the list on each site collection you have inside your SharePoint. It’s so easy to consult!)
- Check the permission level linked to each external user.
- Check the External Sharing Report to see which document is shared with external users from your organization.
- Verify the content shared with anonymous guest links in the report section.
Twice a month:
- Verify the site collections with external sharing enabled.
- Export the External Users list and check if their access permissions are still relevant.
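The twice-monthly “export the external users list and check whether their access is still relevant” step lends itself to a small script. The following is an added example, not code from the article or from Sharegate: it reads an exported external users list (the sample rows, column names, partner domain allowlist and 180-day threshold are all constructed assumptions; adjust the header to whatever your export actually contains) and flags accounts whose domain is not an approved partner, whose invitation was redeemed under a different address than the one invited, or whose invitation is old enough that its relevance should be confirmed with the site owner.

```python
import csv
import io
from datetime import date

# Constructed sample export. Assumption: the column names mirror the fields
# of the external users list you export; rename them to match your own file.
SAMPLE_EXPORT = """\
SiteUrl,Email,DisplayName,AcceptedAs,WhenCreated,InvitedBy
https://contoso.sharepoint.com/sites/projects,alice@partner.example,Alice P,alice@partner.example,2024-01-10,owner@contoso.com
https://contoso.sharepoint.com/sites/projects,bob@partner.example,Bob Q,bob.q@gmail.example,2024-02-01,owner@contoso.com
https://contoso.sharepoint.com/sites/hr,carol@unknown-vendor.example,Carol R,carol@unknown-vendor.example,2022-05-20,hr-lead@contoso.com
"""

# Assumption: the domains your organization has formally approved for sharing.
ALLOWED_PARTNER_DOMAINS = {"partner.example"}
# Assumption: after this many days an invitation is worth re-confirming.
STALE_AFTER_DAYS = 180


def domain_of(email):
    """Return the lower-cased domain part of an e-mail address."""
    return email.rsplit("@", 1)[-1].lower()


def review_external_users(export_text, today,
                          allowed_domains=ALLOWED_PARTNER_DOMAINS,
                          stale_after_days=STALE_AFTER_DAYS):
    """Return one finding per external user that needs a second look.

    Each finding carries the site, the invited address, who invited them and
    the list of reasons, so the owner named in InvitedBy can confirm or
    revoke the access.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        if domain_of(row["Email"]) not in allowed_domains:
            reasons.append("domain not on the partner allowlist")
        if row["AcceptedAs"].strip().lower() != row["Email"].strip().lower():
            reasons.append("invitation redeemed under a different address")
        created = date.fromisoformat(row["WhenCreated"])
        if (today - created).days > stale_after_days:
            reasons.append(
                f"invited more than {stale_after_days} days ago; "
                "confirm the access is still needed")
        if reasons:
            findings.append({
                "site": row["SiteUrl"],
                "email": row["Email"],
                "invited_by": row["InvitedBy"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review_external_users(SAMPLE_EXPORT, date.today()):
        print(f"{finding['site']}  {finding['email']}  "
              f"(invited by {finding['invited_by']})")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run it against the real export instead of `SAMPLE_EXPORT` and route each finding to the person in `InvitedBy`; they are the ones who can say whether the partner still needs the content. A user that trips the allowlist check is usually a governance gap (sharing happened with a domain nobody approved) rather than a user problem, so that is the place to update the sharing settings or the governance plan.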
Check any change in your site properties (Groups and Permission Levels)
This can apply to any version of SharePoint. You can avoid it if you don’t have any users with “Full control” rights. But if your governance is open, you might want to verify these items:
Twice a month:
- Verify Permissions
- Are there any new groups? What permission levels are associated with them? “Default permission levels are predefined sets of permissions that you can assign to individual users, groups of users, or security groups, based on the functional requirements of the users and on security considerations.” Read more on https://technet.microsoft.com
- Are there any new explicit permissions? By explicit permissions, we mean access given directly to a user. For example, I directly give Benjamin the permission level “Full Control” on my site collection without putting him in a SharePoint group.
- Who are the Site Collection Administrators and the Site Owners? Two roles with a lot of rights and power! Keep an eye on who the users with site collection administrator or owner permissions are. Sharegate’s Security tab lets you see it quickly!
- Does each user or group have the correct permissions? It’s easy to check the groups and their access type, but it’s hard to see who the users inside a SharePoint group are, and especially the users inside an Active Directory group inside a SharePoint group. Or an Active Directory group inside an Active Directory group, inside an Active Directory group inside a SharePoint group… You get the point!
The Permissions Matrix Report is incredible for that. It allows you to expand a SharePoint group to see who’s inside. And if it’s an Active Directory group, you can also expand it.
This report completely answers the question “Who has access to what through what permission level?”.
Figure 1: Expand SharePoint and Active Directory groups to see the list of users
- Verify inheritance (broken permissions). The classic request you receive when you work at the Help Desk is someone asking for access to a site, a list or, even better, a folder or a document. You thought that this person already had access because you added them to the “Members” group, and then realized that someone has set custom permissions on that item (so the inheritance is broken).
Depending on your governance and whether you allow it, I’d advise you to verify this once in a while so that users don’t end up locked out of content they should see! I love the Sharegate Explorer; I can use it to quickly see where the custom permissions are.
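The two questions above, “who has access to what through what permission level?” (including users hidden inside nested SharePoint and Active Directory groups) and “where is inheritance broken, and who lost access there?”, are answered in the article by Sharegate’s Permissions Matrix Report and Explorer. The following is an added example, not code from the article or from Sharegate, showing the logic such a report has to implement: it expands nested groups recursively (with a guard against groups that contain each other), builds the user-to-permission-level matrix for a securable object, lists explicit (direct-to-user) assignments, and compares an object with unique permissions against its parent. The tenant, group names, users and paths are all constructed for the example; the nested-group cycle and the “Budget” folder with broken inheritance are there to show the edge cases.

```python
from collections import defaultdict

# Constructed sample tenant. Assumption: group membership and role
# assignments have already been exported into these dictionaries.
AD_GROUPS = {
    "AD-Finance": {"dana@contoso.com", "AD-Finance-Leads"},
    "AD-Finance-Leads": {"erin@contoso.com", "AD-Finance"},  # nested back: a cycle
    "AD-Contractors": {"frank@partner.example"},
}
SP_GROUPS = {
    "Projects Owners": {"camille@contoso.com", "gus@contoso.com"},
    "Projects Members": {"AD-Finance", "AD-Contractors"},
    "Projects Visitors": {"henry@contoso.com"},
}
SITE_ADMINS = {"camille@contoso.com"}

# Securable objects: principal -> permission level. An object whose "roles"
# is None inherits from "inherits"; an object with its own table has broken
# inheritance (unique role assignments).
SECURABLES = {
    "/sites/projects": {
        "inherits": None,
        "roles": {
            "Projects Owners": "Full Control",
            "Projects Members": "Contribute",
            "Projects Visitors": "Read",
            "benjamin@contoso.com": "Full Control",  # explicit permission
        },
    },
    "/sites/projects/Shared Documents/Budget": {
        "inherits": "/sites/projects",
        "roles": {  # inheritance broken: Members no longer granted here
            "Projects Owners": "Full Control",
            "erin@contoso.com": "Read",
        },
    },
    "/sites/projects/Lists/Tasks": {"inherits": "/sites/projects", "roles": None},
}


def expand(principal, seen=None):
    """Return the users behind a principal, descending through nested
    SharePoint and AD groups; `seen` stops cyclic nesting from recursing forever."""
    seen = set() if seen is None else seen
    if principal in seen:
        return set()
    seen.add(principal)
    members = SP_GROUPS.get(principal, AD_GROUPS.get(principal))
    if members is None:  # not a known group, so it is a plain user
        return {principal}
    users = set()
    for member in members:
        users |= expand(member, seen)
    return users


def role_table(path):
    """Walk up the inheritance chain to the table that actually applies."""
    obj = SECURABLES[path]
    while obj["roles"] is None:
        obj = SECURABLES[obj["inherits"]]
    return obj["roles"]


def access_matrix(path):
    """user -> {permission level -> sorted principals that grant it}."""
    matrix = defaultdict(lambda: defaultdict(set))
    for principal, level in role_table(path).items():
        for user in expand(principal):
            matrix[user][level].add(principal)
    for admin in SITE_ADMINS:  # admins have rights everywhere in the collection
        matrix[admin]["Site Collection Administrator"].add("(site collection admin)")
    return {user: {lvl: sorted(p) for lvl, p in levels.items()}
            for user, levels in matrix.items()}


def explicit_assignments(path):
    """Permission levels granted straight to a user rather than via a group."""
    return sorted((p, lvl) for p, lvl in role_table(path).items()
                  if p not in SP_GROUPS and p not in AD_GROUPS)


def broken_inheritance(path):
    """For an object with unique permissions, who lost or gained access
    compared with its parent. Returns None when the object simply inherits."""
    obj = SECURABLES[path]
    if obj["roles"] is None or obj["inherits"] is None:
        return None
    here = set(access_matrix(path))
    parent = set(access_matrix(obj["inherits"]))
    return {"lost": sorted(parent - here), "gained": sorted(here - parent)}


if __name__ == "__main__":
    for user, levels in sorted(access_matrix("/sites/projects").items()):
        print(user, levels)
    print("explicit:", explicit_assignments("/sites/projects"))
    for path in SECURABLES:
        diff = broken_inheritance(path)
        if diff:
            print(path, diff)
```

The “lost” list is exactly the Help Desk ticket the article describes: Members of the site who cannot open the Budget folder because someone broke inheritance there. The “gained” list is the other half of the same check, users who can reach an item even though they have no role on the site above it, which is worth reviewing before deciding whether to restore inheritance.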
Once you identify a security breach, you have to adapt and take action. Here are a few of the actions available in Sharegate. There’s no frequency linked to them, so you need to act on them really quickly.
The Remove Permissions action is useful here. If you see someone with explicit access, you can remove it. If you think a group has a permission level that’s not right, you can also remove it. If an external user needs to be removed from a group, use this action.
For example, I want here to remove Camille from all the “owners” groups on my Site Collection.
I also want to be sure to remove the “Full Control” access she has.
With one click, you can easily restore inheritance. Use the basket to bulk restore inheritance.
Remove anonymous guest links
Use the Edit feature to strip the anonymous access links (Edit, View, or both) from one or multiple documents at once.
Sleep Well Tonight!
Once you’ve done these checkups, you can relax, sure that there’s no confidential content outside your organization and that users have the right access. Don’t forget to update your governance plan or security process so the breach won’t be repeated!
Again, it’s a small list of tips you can follow. I’m really curious about your SharePoint and Office 365 security management routine! Don’t hesitate to share it with us!