Open Access in SharePoint – What it is And How to Find it

Within SharePoint, there are a few groups which can give ‘Open Access’ to a given resource that can leave the environment vulnerable depending on where these groups exist. With open access comes the increased risk of data being ‘lost’ and with data loss comes risks to sales and revenue, lawsuits, IP theft, and subsequently – compliance breaches.

What is Open Access?

An instance of open access exists whenever one of the large groups described below has access to a resource. It is important to understand where these groups exist and what data they are granting access to. Below I will break down the ‘Everyone Group’ and then explain the other open access groups between groups that exist in SharePoint server and groups that exist in SharePoint Online.

The ‘Everyone’ group

The ‘Everyone’ security principle is frequently referred to as a “group” but is not actually a user group in the sense of being able to add and remove user accounts from it. The definition of this principle has changed a lot throughout the years but it’s important to understand what it really is today. It is one of the Windows special identities that does not have specific memberships that can be modified. The Everyone security principle is defined and managed by the Windows operating system and represents:

“… all current network users, including guests and users from other domains. Whenever a user logs on to the network, the user is added automatically to the Everyone group”

This security principle previously included:

“…all users, even anonymous users and guests..[including] authenticated and unauthenticated users. In essence, every user who accesses the system is a member of the Everyone group…”

(see Microsoft Windows 2000 Security Configuration Guide: Appendix D – User and Group Accounts  )

However, this was changed for Windows 2003 and greater where the Anonymous Logon group was no longer a member of the Everyone security principle by default.  You can still add it to Everyone, but this must now be done through the security policy setting. The same is true for SharePoint online, where the Everyone group is actually disabled by default but can be enabled and will include external users. Otherwise, the ‘Everyone Except External Users’ group is typically the group you will leverage in SPO to open up access to a resource.

SharePoint Server:

1. ‘NT Authorityauthenticated users’ – This group is effectively a subset of the ‘Everyone’ group in that it’s actually a security principle which represents all users with a valid user account in active directory. Please note that Authenticated Users also includes any user authenticated in another domain within that forest hosting the SharePoint farm, trusted by the home domain or domains in external forests. In summary, this security principle is not centrally manageable at the domain level.
2. DOMAINDomain users – This group contains all of the users accounts in the respective domain’s ‘Domain User’s Group’ when you create a user account in a domain, it is automatically added to this group.

In addition to the groups described for SharePoint Server, the following open access groups may also exist in SharePoint Online.

SharePoint Online (SPO):

1. ‘Everyone except external users’ – This group exists in SharePoint Online and gives access to anyone that is a member of your organization.
2. Anonymous Access links – resources shared via an Anonymous Access Link (or Anyone Link) are the equivalent to a resource being open to ‘Everyone’ (including external users) since that link does not require authentication in order to be used.
   • Alternative access links, like links which give access to your entire organization, also fall into this category.

As a SharePoint admin, you need to be aware of these groups, where they exist and what they are giving access to. If you do not know the aforementioned points you are at serious risk for a data leak which could be a very expensive position to be in especially if your organization falls within the GDPR, CPAA, HIPAA or another compliance regulation.

The Dangers of Open Access

Having open access resources increases your attack surface. In SharePoint specifically, where by default sites are set to inherit permissions–having open access in one site collection usually means that there is open access in its sub-sites as well.

In SharePoint Online for example, when a resource is shared to ‘Everyone except external users’ this means that everyone inside your organization can access the resource. This opens up vulnerabilities for an internal attack or may cause the organization to fail compliance regulations depending on what your org is held accountable for. For example, a Portuguese hospital was fined €400,000 for giving excessive access to sensitive patient information as highlighted in my earlier post on GDPR fines.

How do I Know if I Have Sites Exposed by Open Access?

SharePoint Server:

To do this manually you can check the permissions of a site by navigating to Site Settings à Site Permissions and using the Check Permissions tool to look for the open access groups described. Once you check permissions on one of the aforementioned groups SharePoint will tell you if it has access and what level of access, however, it won’t tell you where it has access if it’s been directly applied.

So based on the Limited Access message, we know that the Everyone group has directly applied access to something on this site but not the entire site. Now you have to check each library, list, and file to find out where it’s been given that access. Doing this in a production environment is not ideal but you should focus first on the sites that contain sensitive data as these are the most at-risk sites. Be conscious of Active Directory groups like the Domain Users group, as well as SharePoint groups which give access to wide audiences. 

There is no easy manual way to do this at mass. However, with PowerShell, there is an easier approach to getting this information. The query below from http://sharepointchips.com will return the users and groups who have access to a site in SharePoint.

$sites = Get-SPWebApplication http://WebApplicationURL | Get-SPSite -limit all
"Site Collection`t Group`t User Name`t User Login" | out-file groupmembersreport.csv
foreach($site in $sites)
{
	foreach($sitegroup in $site.RootWeb.SiteGroups)
        {
	  foreach($user in $sitegroup.Users)
	 	{	
		"$($site.url) `t $($sitegroup.Name) `t $($user.displayname) `t $($user) " | out-file groupmembersreport.csv -append
		}
          }
$site.Dispose()
}

The output will be in a csv file located in whichever directory you run the command from or C:/users/LoggedInUser/documents by default. As shown in the screenshot above, this command will give a complete list of all the users and groups for a given site collection. Highlighted in the export are some examples of open access groups you may see after running the report.

SharePoint Online:

In addition to open access groups like the Domain Users group in SharePoint Online (SPO), the ‘Everyone Except External Users’ group also exists. An easy way to look for these groups in SharePoint Online is with PowerShell. Below is a script you can use to create a CSV file that will output all your SPO environments users and groups and their access in SharePoint as shown below.

Below is a script from http://www.sharepointdiary.com to run in PowerShell, the only variables you need to worry about are the –admin URL and a path to where the CSV file can be written.

#Admin Center & Site collection URL, replace admin-URL and path to a location where the CSV report can be written to.
$AdminCenterURL = "https://HOSTNAME-admin.sharepoint.com"
$CSVPath = "C:UsersUserNameDocumentsGroupReport.csv"
#Connect to SharePoint Online
Connect-SPOService -url $AdminCenterURL -Credential (Get-Credential)
$GroupsData = @()
#Get all Site collections
Get-SPOSite -Limit ALL | ForEach-Object {
    Write-Host -f Yellow "Processing Site Collection:"$_.URL
    #Get all Site Groups
    $SiteGroups = Get-SPOSiteGroup -Site $_.URL
    Write-host "Total Number of Groups Found:"$SiteGroups.Count
    ForEach($Group in $SiteGroups)
    {
        $GroupsData += New-Object PSObject -Property @{
            'Site URL' = $_.URL
            'Group Name' = $Group.Title
            'Permissions' = $Group.Roles -join ","
            'Users' =  $Group.Users -join ","
        }
    }
}
#Export the data to CSV
$GroupsData | Export-Csv $CSVPath -NoTypeInformation
 
Write-host -f Green "Groups Report Generated Successfully!"

In addition to open access groups, Access links are direct links to a SPO resource and depending on the type of link, can be considered open access. A link can be shared with ‘People in My Organization with the link’ or it can be shared with ‘Anyone’ which is essentially ‘Everyone’ since the link does not require authentication. For example here’s an Anonymous Access link I created which gives view access to anyone with the link: Link

There are a number of settings at your disposal for controlling how your users are allowed to create access links, I go more in-depth on how these work, as well as other SharePoint, sharing controls in my earlier blog post if you’re looking for more information on these. Knowing about what active Anonymous Access Links exist in your environment is important, I recommend mandating an expiration date on access links as a fail-safe to any that may slip through the cracks. To mandate an expiration date on Anonymous Access Links navigate to the SharePoint Admin center, underneath ‘Policies’ click on ‘Sharing’ and the settings in the screenshot below will be available to you. You’ll see there are a number of settings available for managing access to links like the type of access allowed via the link and the expiration date. Even more granular external sharing settings are available if you click on the ‘Limit external sharing to specific security groups’ hyperlink underneath Other Settings.

To find these anonymous links in SPO manually you will have to check who each resource is shared with by going to each resource and selecting it.

So, What’s the Plan?

There are 5 key steps that we encourage here at STEALTHbits for an approach to securing your data:

1. Identify open access
   • Run those PowerShell scripts and compile a list of sites with open access
2. Identify where sensitive data exists.
   • Communicate with your team or use a sensitive data discovery tool to figure out which sites contain Sensitive Data.
3. Identify other toxic conditions such as broken inheritance
   • Moving forward we want to manage access with resource based groups. Out of the Box SharePoint creates a number of purpose-built security groups for each site collection which you should use to provision your users based on how they engage with the site. The primary groups you should leverage include Owners (Full control), Members(Contribute) and Visitors (Read).
4. Find probable owners of the data
   • This is tough to do manually so I recommend leveraging a tool like StealthAUDIT, but you want to know who owns what data. Once you know who owns the data, you can delegate ownership appropriately and more efficiently manage your environment.
5. Prioritize your efforts based on the aforementioned points
   • Lockdown sites containing sensitive data
   • Remediate conditions like open access that put your data at risk
     • Deploy a least privilege model and remove unnecessary security principals to reduce the data surface attackers can use
     • Close down those open site collections, and clean up stale data that is no longer needed
   • Create tags which your users can apply to files moving forward to identify data as sensitive in order to better manage it.
     • Create DLP policies which will protect tagged data (O365)

How STEALTHAudit Can Help

With StealthAUDIT, reports are generated which will highlight the sites which have the most high-risk conditions (open access in this case). This is broken down at the site, list and library level and broken down further in a details table below the report which contains locations of the open access and what level of permission it has.

Using STEALTHAudit you would also be able to view information on open access links in our High Risk permissions report group where we have a report specifically for anonymous access links highlighting Site Collections (shown below) with Anonymously Shared Files.

We break down this data further in the Anonymous Sharing Details table which includes the location of the anonymous link, whether it’s shared externally or not and whether it gives access to Sensitive Data.

As seen in the example below, the Access Details report breaks down open access for you revealing where the open access exists via the URL path, what access the group has (Read, Write, Delete, Manage), and how they are getting the access – in this case via the Members group.

In summary, the more open access you have in your environment the larger your attack surface is. You want to know who has access to your data, especially the sensitive data in order to protect it. To make all of this easier, with our approach you can identify your open SharePoint resources, locate your sensitive data and then control the access to that data. In addition to high-risk conditions we also audit and report on Sensitive data, stale data, broken inheritance, activity and make suggestions on probable owners of your data to help with delegating data ownership and much more. For a full list of our SharePoint offering check out https://www.stealthbits.com/sharepoint-auditing.