If you don’t do anything to SharePoint, it’s very secure. You don’t see what you don’t have access to and, by default, no one has access to anything. From there, the main issue that may cause a SharePoint security breach is you.
In fact, in the past, we’ve seen how a simple mistake granted access to two external users across an entire Site Collection. If you’re on SharePoint Online and want to get a little extra security, Microsoft has just made a few changes you might quite like.
The SharePoint Security Basics before we begin
No, don’t worry, I won’t go over the same things as in my previous post on SharePoint Security Groups. However, if you’re not familiar with what these are, or are just starting to explore SharePoint or Office 365 SharePoint Online, then I strongly recommend you go through it first.
You see, I’m sharing these stories and tips because a few weeks, or months ago now, we had a little SharePoint security problem.
While running some routine SharePoint security reports, we soon realized that two external users meant to collaborate with us on one or two documents had access to the entire Site Collection. But that’s not all, they also had more than just read permissions.
Just to recap before we go any further, in SharePoint you have objects such as Sites, Lists, Libraries, Folders, Items and Documents. Access can be granted on each of these, but by default each inherits its permissions from the parent object. In other words, a library in a site automatically has the same permissions as the site, and those permissions are not managed at the library level. Of course, you can break inheritance and start applying your SharePoint security at any of these levels.
As general best practice, we always grant access to these through what we call SharePoint Security Groups or AD Groups, but definitely groups. But in SharePoint, there are a few…special groups.
To get back to my earlier example, two external users had access to the entire Site Collection. Though these people were originally granted access only to specific documents, a simple mistake changed all of that. To “make things easier”, someone had added a group called “Everyone” to the Members group.
And with one click, every single user (authenticated or anonymous) as well as external users with Microsoft Live Accounts had complete access to our Site Collection.
In fact, a default setting for SharePoint security in Office 365 might not be OK with everyone:
“Everyone except external users: When a user is added to Office 365, the user automatically becomes a member of Everyone except external users. By default, the Everyone except external users group is added to the Members group on the SharePoint Team Site. It is automatically assigned a permission level of Contribute. This means all users who are added to Office 365 can view, add, update, and delete items from lists and libraries.”
Using SharePoint security PowerShell commands to help
If you see something that cannot be done using the interface, don’t worry. There’s a good chance that some PowerShell magic could do the trick.
Let’s take this new external users concept for example. There are different ways to enable them or disable them in your SharePoint directly through the interface. However, once they’re granted access to something, somewhere in your SharePoint, it’s difficult to have insights on what’s going on. There’s no easy way for you to list these external users and remove them.
That’s where PowerShell can help you with commands like Get-SPOExternalUser to find them and remove them if that’s your wish.
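The audit described above, as an added example that is not from the original post: it pages through Get-SPOExternalUser for every Site Collection and builds one report of who was invited where. The admin URL, the CSV path and the sample e-mail address are placeholders, and it assumes the SharePoint Online Management Shell module and a SharePoint administrator account.

```powershell
# Added example (not from the original post). Placeholder tenant URL below.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

function Get-AllExternalUsers {
    # Returns every external user of one Site Collection.
    # Get-SPOExternalUser returns at most 50 users per call, so page through.
    param([Parameter(Mandatory)][string]$SiteUrl)
    $pageSize = 50
    $position = 0
    do {
        $page = @(Get-SPOExternalUser -SiteUrl $SiteUrl -Position $position -PageSize $pageSize)
        $page
        $position += $pageSize
    } while ($page.Count -eq $pageSize)
}

# One row per (site, external user) so that unexpected reach is easy to spot.
$report = foreach ($site in Get-SPOSite -Limit All) {
    Get-AllExternalUsers -SiteUrl $site.Url |
        Select-Object @{ n = 'Site'; e = { $site.Url } },
                      DisplayName, Email, AcceptedAs, InvitedBy, WhenCreated, UniqueId
}

$report | Sort-Object Site, Email | Format-Table Site, Email, AcceptedAs, InvitedBy -AutoSize
$report | Export-Csv -Path .\external-users.csv -NoTypeInformation   # placeholder path

# AcceptedAs differing from Email means the invitation was redeemed with another account.
$report | Where-Object { $_.AcceptedAs -and $_.AcceptedAs -ne $_.Email } |
    Format-Table Site, Email, AcceptedAs -AutoSize

# Removal is a separate, deliberate step: pick the users, then pass their UniqueId values.
# 'former.partner@example.com' is a constructed sample address.
$stale = @($report | Where-Object Email -eq 'former.partner@example.com' |
    Select-Object -ExpandProperty UniqueId -Unique)
if ($stale.Count -gt 0) {
    Remove-SPOExternalUser -UniqueIDs $stale   # prompts for confirmation
}
```

Run the report on a schedule and compare it with the previous CSV; a new row for a site that was never meant to be shared externally is the signal to investigate.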
Recently though, Microsoft has released some commands that may help those who are still worried about their SharePoint security. In fact, it really is just one new command called Set-SPOTenant.
A good example is one showing how you can lock access to a Site Collection and have it redirect to another URL.
However, the best thing to do when looking at these kinds of pages from Microsoft isn’t necessarily to look at the examples, even if they’re great. What you want to do is scroll down and expand “Parameters” to see all the things you can do with that specific command.
Think about it: Set-SPOTenant or Set-SPOSite just means that you want to set settings for the entire tenant or for a Site Collection. The parameters are where the real value is located, where you get that extra control over your SharePoint security, for example.
Now, the new command, or parameter, I wanted to bring your attention to helps you remove the Everyone SharePoint security group.
If you are sure that it’s OK to never be able to use the “Everyone” group to grant permissions on something, then you can remove it from the people picker.
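An added example, not from the original post, of hiding the group from the people picker and then checking for grants that already exist. The post does not name the parameter; this uses the documented Set-SPOTenant parameter ShowEveryoneClaim. The admin URL is a placeholder, and the claim strings matched below are the usual login names for these groups, which you should confirm against your own tenant.

```powershell
# Added example (not from the original post). Placeholder tenant URL below.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# 1. Record the current people-picker settings before changing anything.
Get-SPOTenant |
    Select-Object ShowEveryoneClaim, ShowEveryoneExceptExternalUsersClaim, ShowAllUsersClaim

# 2. Hide "Everyone" from the people picker for the whole tenant.
Set-SPOTenant -ShowEveryoneClaim $false
# Optional, stricter: also hide "Everyone except external users".
# Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false

# 3. Hiding the claim only stops new grants; existing memberships stay in place.
#    List every Site Collection where a broad claim is already a site user.
#    Assumed claim login names: 'c:0(.s|true' (Everyone) and
#    '...spo-grid-all-users/<tenant id>' (Everyone except external users).
$findings = foreach ($site in Get-SPOSite -Limit All) {
    try {
        $users = Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop
    }
    catch {
        # Get-SPOUser fails on sites where the admin is not a site collection admin.
        Write-Warning "Skipped $($site.Url): $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        if ($u.LoginName -eq 'c:0(.s|true' -or $u.LoginName -like '*spo-grid-all-users*') {
            [pscustomobject]@{
                Site      = $site.Url
                Claim     = $u.DisplayName
                LoginName = $u.LoginName
                Groups    = ($u.Groups -join '; ')   # SharePoint groups holding the claim
            }
        }
    }
}

# Rows with a non-empty Groups column are the ones to review first,
# e.g. "Everyone" sitting in a Members group as in the incident above.
$findings | Sort-Object Site | Format-Table -AutoSize -Wrap
```

The Groups column only covers SharePoint group membership; a claim granted directly on a library or item with broken inheritance has to be reviewed on that object.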
Though a good SharePoint Governance Plan is always highly recommended to help set the guidelines for users to properly leverage SharePoint, this may help mitigate some of the potential security issues.
Tell me, have you ever had trouble resulting from security permissions that could have been prevented easily with this?