200 likes | 449 Views
Lock It Down: Securing Your SharePoint Environment. Liam Cleary. About Me. Solution Architect @ Protiviti SharePoint MVP Everything SharePoint Architecture Infrastructure Development Security SharePoint Dreamer Speak at lots of community events. Agenda. Hackers
E N D
Lock It Down: Securing Your SharePoint Environment Liam Cleary
About Me • Solution Architect @ Protiviti • SharePoint MVP • Everything SharePoint • Architecture • Infrastructure • Development • Security • SharePoint Dreamer • Speak at lots of community events
Hackers • The real world hackers • Employees • The ones you always do, though you shouldn’t trust • Developers • No-one trusts these guys • Administrators • “We have the Power”
Manual: SharePoint “Brute-Force” • Test Access for common URLs • Search Engine • Google: inurl:”/_layouts/viewlsts.aspx” • Bing: instreamset: url :viewlsts.aspx • Nmap • Access Central Administration • Shared Services • Web Service Endpoints • RegEx Tools • SHODAN Searching • ”WWW-authenticate”, “MicrosoftSharePointTeamServices: 12/14/15”
Cross Site Scripting (XSS) • Web Services Endpoints Exposed – “_vti_bin/spdisco.aspx” • “_layouts/viewlsts.aspx” – potential data leak • “_vti_bin” – functionality can be available as anonymous • “_layouts/userdisp.aspx?Force=True&ID={0}” – User Enumeration • “_vti_inf.html” – expose internal Front Page Extensions • Common functions available through Web Services • Search Principals • GetAllUserCollectionsFromWeb • 3rd Party components, such as web parts • “http://{siteurl}/_layouts/{Vendor Name Removed}.Feature/userpresensesvc.ashx?userID=68&userProfileUrl=http://{site url}/_layouts/userdisp.aspx?ID=68”
wget -r –A pdf --no-check-certificate https://{siteurl}/Forms/AllItems.aspx
Function IteratePages() { [CMDLetBinding()] Param ([String] $url, [Int] $start, [Int] $end) for ($i=$start; $i -lt $end; $i++) { Write-Host $i $saveTo = 'C:\OUT\' + $i + '.txt' Write-Host $saveTo $retUrl = $url + $i Write-Host $retUrl Get-WebPage $retUrl > $saveTo } } IteratePages http://{site url}/_layouts/userdisp.aspx?ID= 1 1000
Web Database Services Application HTTP/HTTPS
Web Database Services Application HTTP/HTTPS
Web Cache Application Search Workflow TCP 9354 TCP 9355 TCP 9356 TCP 9000 (5 Rand Ports) TCP 16500/19 TCP 445 UDP 445 TCP 137 - 139 UDP 137 - 139 TCP 5725 TCP 389 UDP 389 TCP 464 UDP 464 HTTP 80 HTTPS 443 TCP 22233 TCP 22234 TCP 22235 TCP 22236
Block the standard SQL Server ports Configure SQL Server database instances to listen on a nonstandard port Configure SQL client aliases Bypass the actual server name Configured SQL Encryption Implement Windows Firewall Policies Run “Best Practice Security Analyzer” and use “Server Hardening Guidance” Utilize Group Policies
Implement Windows Firewall Policies Run “Best Practice Security Analyzer” and use “Server Hardening Guidance” Utilize Group Policies Open “Allowed Ports” ONLY List Common App Server Ports Here
Open “Allowed Ports” ONLY TCP 80 – HTTP TCP 443 - HTTPS Implement Windows Firewall Policies Run “Best Practice Security Analyzer” and use “Server Hardening Guidance” Utilize Group Policies
Open “Allowed Ports” ONLY TCP 80 – HTTP TCP 443 - HTTPS Hardware / Software Firewall SSL Encryption & Inspection Offload Authentication / Delegation User Access Gateway (UAG)
netshadvfirewall firewall add rule name="SQLServer" dir=in action=allow protocol=TCP localport=1433 profile=DOMAIN • netshadvfirewall firewall add rule name="SQL DAC" dir=in action=allow protocol=TCP localport=1434 profile=DOMAIN • netshadvfirewall firewall add rule name="SQL Browser" dir=in action=allow protocol=UDP localport=1434 profile=DOMAIN • netshadvfirewall firewall add rule name="Mirroring EndPoint" dir=in action=allow protocol=TCP localport=5022 profile=DOMAIN • netshadvfirewall firewall add rule name="SQL Service Broker" dir=in action=allow protocol=TCP localport=4022 profile=DOMAIN • netshadvfirewall firewall add rule name="T-SQL Debugger" dir=in action=allow protocol=TCP localport=135 profile=DOMAIN
netsh advfirewall firewall add rule name="SharePoint HTTP/HTTPS" dir=in action=allow protocol=TCP localport=80,443 profile=DOMAIN • netsh advfirewall firewall add rule name="SharePoint Cache" dir=in action=allow protocol=TCP localport=22233-22236 profile=DOMAIN • netsh advfirewall firewall add rule name="SharePoint Farm Communication (TCP)" dir=in action=allow protocol=UDP localport=389,464 profile=DOMAIN • netsh advfirewall firewall add rule name="SharePoint Search" dir=in action=allow protocol=TCP localport=16500-16519,445,137-139,5725 profile=DOMAIN • netsh advfirewall firewall add rule name="SharePoint Workflow" dir=in action=allow protocol=TCP localport=9354-9356,9000 profile=DOMAIN
Page Lockdown Fix Security Slip-Ups – manual process Comply with Compliance and Governance Policies Administrator can modify or delete logs Secure Web Site SQL Injection, Brute Force Password Attack and Cross Site Scripting (XSS) Understand that SharePoint is SQL Privileged Users could hack Permission for SharePoint Fix Search Engine Visibility Mississippi National Guard apologized for exposing personal data through their public SharePoint Site
Pentest your SharePoint Site Internal – Choice External – No Choice Ensure Latest Patches Suggested Rule, stay two CU’s behind unless it resolves a current issue Learn to Hack Make Security a to Priority Learn to “Publish” SharePoint Correctly We (Protiviti) can help you with this
Liam Cleary Email: liam.cleary@Protiviti.com Twitter: @helloitsliam Blog: http://blog.helloitsliam.com