
Poor Microsoft SharePoint security permissions policies can derail deployments

A strong Microsoft SharePoint security policy starts with proper permissions and access controls to internal resources, and to control external users. This is the first of a two-part technical tip.

Microsoft SharePoint security is not difficult to establish and maintain, as long as your organization has a well-thought-out plan for best practices before implementation.


SharePoint provides a Web-based portal for content management, collaboration, managing business processes and forms, and search inside the company, as well as reaching out to authorized partners, contractors and other third parties. It's easy to deploy and use, so that business users can manage their sites without constantly relying on IT for help.

Security is not difficult, but issues can arise, primarily over access control if SharePoint permissions are poorly thought out or implemented. External users can also be an issue if they are not properly managed.

This two-part tip will explain five of the most important things experts say you should keep in mind when you design SharePoint security. Part two will cover how to handle external users, authorization and general security issues.

A common error is simply the failure to create thoughtful SharePoint security best practices in the first place.

If the policy is too permissive, users wind up with too much liberty to customize SharePoint sites, especially around access to resources. The inevitable consequence is people seeing, or even changing, documents they should not have rights to.

This often happens when users ask the help desk to do something for their site. But instead of addressing the specific request, IT responds by simply giving them site admin privileges so they can make the change--and any future changes--without coming back to the help desk. This behavior is typical of overworked IT departments, said Matt Ranlett, principal consultant in Atlanta, Ga.-based Intellinet Corp.'s worker information practice and a Microsoft MVP for SharePoint Server.

On the other extreme are organizations that are so rigid that everything is locked down and every change requires a help desk request. That's bad news for small IT departments and for users who just want to get on with their jobs.

"There needs to be a middle ground," said Ranlett. "There's more art than science to how you grant users permission to make modifications to the design of a site."

Smaller organizations generally don't have to worry about policy control and enforcement across multiple units and SharePoint deployments, so once your organization has configured SharePoint and set appropriate use policies, site admins should pretty much run things on their own.

If you are like most midmarket companies, you use Active Directory as your primary user information repository for email distribution groups, user authentication, and application and file access and authorization. Simplify your management of SharePoint identities by either using existing AD security groups or creating new ones and moving them to SharePoint.

You should note that SharePoint is designed to be perfectly workable if you don't have Active Directory. You can create SharePoint groups for authorization privileges and use any LDAP, SQL Server, Oracle, or third-party product for authentication.

A small IT staff doesn't have time to manage users and groups in two places. You can always have the site admin manage individual exceptions in SharePoint, rather than involve IT in an AD change.

"If I want to share information with you and Bob down the hall, it's not likely there's an AD group to reflect that," said Neil MacDonald, VP at Stamford, Conn.-based Gartner.

SharePoint doesn't have a centralized rights management interface. It can't generate reports that show what a given user has access to--you would have to check each object (think 1,000 documents, for example) in SharePoint to see if the user has access. In AD, on the other hand, it's easy to report on user access and replicate rights for new employees or for changing roles.
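The object-by-object check described above, as an added example that is not from the article or from Microsoft: the script walks every web, list and item in one site collection and reports the ones whose own (non-inherited) permissions grant a given login, directly or through a SharePoint group. It assumes the SharePoint 2010+ Management Shell snap-in (which the 2007-era product did not ship), and the site URL and login are placeholders.

```powershell
# Added example, not from the article: report every web, list and item in one
# site collection whose own (non-inherited) permissions grant a given login,
# directly or through a SharePoint group. Assumes the SharePoint 2010+
# Management Shell snap-in; $SiteUrl and $Login are placeholders.
param(
    [string]$SiteUrl = "http://intranet.example.com/sites/finance",  # placeholder
    [string]$Login   = "CONTOSO\jdoe"                                 # placeholder
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-GrantsForLogin {
    param($Securable, [string]$Scope, [string]$Path, [string]$Login)
    # Objects that inherit carry no assignments of their own; the parent
    # that was already reported covers them.
    if (-not $Securable.HasUniqueRoleAssignments) { return }
    foreach ($ra in $Securable.RoleAssignments) {
        $m = $ra.Member
        $direct = ($m.LoginName -eq $Login)
        # SharePoint groups can be expanded here. AD groups cannot: SharePoint
        # stores only the group principal, so a grant that reaches the user
        # through AD group membership will not appear in this report.
        $viaSpGroup = ($m -is [Microsoft.SharePoint.SPGroup]) -and
                      [bool]($m.Users | Where-Object { $_.LoginName -eq $Login })
        if ($direct -or $viaSpGroup) {
            [pscustomobject]@{
                Scope = $Scope
                Path  = $Path
                Via   = $(if ($direct) { "direct" } else { "SPGroup:$($m.Name)" })
                Roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ","
            }
        }
    }
}

function Get-SiteGrants {
    param([string]$SiteUrl, [string]$Login)
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            Get-GrantsForLogin $web "Web" $web.Url $Login
            foreach ($list in $web.Lists) {
                Get-GrantsForLogin $list "List" $list.RootFolder.ServerRelativeUrl $Login
                # Item-level pass touches every item in every list; this is the
                # cost of having no central report, so run it as a batch job.
                foreach ($item in $list.Items) {
                    Get-GrantsForLogin $item "Item" $item.Url $Login
                }
            }
            $web.Dispose()
        }
    } finally { $site.Dispose() }
}

Get-SiteGrants -SiteUrl $SiteUrl -Login $Login | Sort-Object Scope, Path | Format-Table -AutoSize
```

Grants that reach the user only through an AD group membership are not shown, which is exactly the gap between AD reporting and SharePoint reporting the text describes.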

One caution here: Don't assume your existing AD groups will automatically meet your SharePoint needs. A department AD group or geographic group may be a convenient way to organize employees for authentication and other AD tasks, but may not reflect how people work.

"The problem is AD doesn't necessarily reflect how people share information or want to share information," said MacDonald.


This was last published in August 2009
