Within SharePoint, there are a few groups which can give ‘Open Access’ to a given resource and can leave the environment vulnerable depending on where these groups exist. With open access comes the increased risk of data being ‘lost’, and with data loss come risks to sales and revenue, lawsuits, IP theft, and subsequently compliance breaches.
An instance of open access exists whenever one of the large groups described below has access to a resource. It is important to understand where these groups exist and what data they are granting access to. Below I break down the ‘Everyone’ group and then explain the other open access groups, split between those that exist in SharePoint Server and those that exist in SharePoint Online.
The ‘Everyone’ group
The ‘Everyone’ security principal is frequently referred to as a “group” but is not actually a user group in the sense of being able to add and remove user accounts from it. The definition of this principal has changed a lot throughout the years, but it’s important to understand what it really is today. It is one of the Windows special identities that does not have a specific membership that can be modified. The Everyone security principal is defined and managed by the Windows operating system and represents:
“… all current network users, including guests and users from other domains. Whenever a user logs on to the network, the user is added automatically to the Everyone group”
This security principal previously included:
“…all users, even anonymous users and guests..[including] authenticated and unauthenticated users. In essence, every user who accesses the system is a member of the Everyone group…”
(see Microsoft Windows 2000 Security Configuration Guide: Appendix D – User and Group Accounts)
However, this was changed for Windows Server 2003 and later, where the Anonymous Logon group is no longer a member of the Everyone security principal by default. You can still add it to Everyone, but this must now be done through a security policy setting. The same is true for SharePoint Online, where the Everyone group is actually disabled by default but can be enabled, and when enabled it will include external users. Otherwise, the ‘Everyone Except External Users’ group is typically the group you will leverage in SPO to open up access to a resource.
SharePoint Server:
In addition to the groups described for SharePoint Server, the following open access groups may also exist in SharePoint Online.
SharePoint Online (SPO):
As a SharePoint admin, you need to be aware of these groups, where they exist and what they are giving access to. If you do not know the aforementioned points you are at serious risk of a data leak, which could be a very expensive position to be in, especially if your organization falls under GDPR, CCPA, HIPAA or another compliance regulation.
Having open access resources increases your attack surface. In SharePoint specifically, where by default sites are set to inherit permissions, having open access in one site collection usually means that there is open access in its sub-sites as well.
In SharePoint Online for example, when a resource is shared to ‘Everyone except external users’ this means that everyone inside your organization can access the resource. This opens up vulnerabilities for an internal attack or may cause the organization to fail compliance regulations depending on what your org is held accountable for. For example, a Portuguese hospital was fined €400,000 for giving excessive access to sensitive patient information as highlighted in my earlier post on GDPR fines.
SharePoint Server:
To do this manually you can check the permissions of a site by navigating to Site Settings > Site Permissions and using the Check Permissions tool to look for the open access groups described. Once you check permissions on one of the aforementioned groups, SharePoint will tell you if it has access and what level of access; however, it won’t tell you where it has access if it’s been directly applied.
So based on the Limited Access message, we know that the Everyone group has directly applied access to something on this site but not the entire site. Now you have to check each library, list, and file to find out where it’s been given that access. Doing this in a production environment is not ideal but you should focus first on the sites that contain sensitive data as these are the most at-risk sites. Be conscious of Active Directory groups like the Domain Users group, as well as SharePoint groups which give access to wide audiences.
There is no easy manual way to do this at scale. However, with PowerShell, there is an easier approach to getting this information. The query below from http://sharepointchips.com will return the users and groups who have access to a site in SharePoint.
# Run from the SharePoint Management Shell (or Add-PSSnapin Microsoft.SharePoint.PowerShell first)
# Replace WebApplicationURL with the URL of the web application to report on
$sites = Get-SPWebApplication http://WebApplicationURL | Get-SPSite -Limit All
# Tab-delimited header row; the file is written to the current directory
"Site Collection`tGroup`tUser Name`tUser Login" | Out-File groupmembersreport.csv
foreach ($site in $sites)
{
    # Walk every SharePoint group in the root web of the site collection
    foreach ($sitegroup in $site.RootWeb.SiteGroups)
    {
        # Each member of the group, including AD groups and claims such as Everyone
        foreach ($user in $sitegroup.Users)
        {
            "$($site.Url)`t$($sitegroup.Name)`t$($user.DisplayName)`t$($user.LoginName)" | Out-File groupmembersreport.csv -Append
        }
    }
    # Release the SPSite object so the script does not leak memory across many site collections
    $site.Dispose()
}
The output will be in a CSV file located in whichever directory you run the command from, or C:\Users\LoggedInUser\Documents by default. As shown in the screenshot above, this command will give a complete list of all the users and groups for a given site collection. Highlighted in the export are some examples of open access groups you may see after running the report.
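The group-membership report above does not show where a principal like Everyone has been applied directly to a web, list or library (the “Limited Access” case). The following script is an added example, not from the post or from sharepointchips.com: it walks every web and list that breaks permission inheritance and records any role assignment held by a wide-audience principal. It assumes the SharePoint Management Shell on a farm server, a placeholder web application URL, and a pattern list you may need to extend with your own broad AD groups.

```powershell
# Added example: report direct role assignments for open-access principals on webs and lists
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$WebAppUrl  = "http://WebApplicationURL"   # placeholder: replace with your web application URL
$ReportPath = ".\openaccessreport.csv"
# Display names / claim login names of very wide audiences. In claims mode Everyone is
# c:0!.s|windows and All Authenticated Users is c:0(.s|true; AD groups such as Domain Users
# are matched on their display name. Extend this list with other broad groups in your AD.
$OpenAccessPatterns = @(
    '^c:0\(\.s\|true$',                  # All Authenticated Users (claims)
    '^c:0!\.s\|windows$',                # Everyone (claims)
    'NT AUTHORITY\\authenticated users', # All Authenticated Users (classic mode)
    '\\Everyone$',
    '\\Domain Users$'
)
function Get-OpenAccessAssignments($SecurableObject, $Url) {
    foreach ($ra in $SecurableObject.RoleAssignments) {
        # Match on both display name and login name so classic and claims principals are caught
        $member = "$($ra.Member.Name) $($ra.Member.LoginName)"
        foreach ($pattern in $OpenAccessPatterns) {
            if ($member -imatch $pattern) {
                New-Object PSObject -Property @{
                    Location  = $Url
                    Principal = $ra.Member.Name
                    Roles     = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ","
                }
                break
            }
        }
    }
}
$results = @()
foreach ($site in (Get-SPWebApplication $WebAppUrl | Get-SPSite -Limit All)) {
    foreach ($web in $site.AllWebs) {
        if ($web.HasUniqueRoleAssignments) {
            $results += Get-OpenAccessAssignments $web $web.Url
        }
        foreach ($list in $web.Lists) {
            # Only lists that break inheritance carry their own assignments;
            # item-level permissions would need a walk of $list.Items as well
            if ($list.HasUniqueRoleAssignments) {
                $results += Get-OpenAccessAssignments $list ($site.MakeFullUrl($list.RootFolder.ServerRelativeUrl))
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}
$results | Export-Csv $ReportPath -NoTypeInformation
```

Start with the site collections that hold sensitive data: walking every list in a large farm is slow, and those sites are where a hit matters most.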
SharePoint Online:
In addition to open access groups like the Domain Users group, the ‘Everyone Except External Users’ group also exists in SharePoint Online (SPO). An easy way to look for these groups in SharePoint Online is with PowerShell. Below is a script you can use to create a CSV file that lists all of your SPO environment’s users and groups and their access in SharePoint, as shown below.
Below is a script from http://www.sharepointdiary.com to run in PowerShell; the only variables you need to worry about are the -admin URL and a path where the CSV file can be written.
# Admin Center URL and a path where the CSV report can be written; replace HOSTNAME and UserName
$AdminCenterURL = "https://HOSTNAME-admin.sharepoint.com"
$CSVPath = "C:\Users\UserName\Documents\GroupReport.csv"

# Connect to SharePoint Online (requires the SharePoint Online Management Shell module)
Connect-SPOService -Url $AdminCenterURL -Credential (Get-Credential)

$GroupsData = @()
# Get all site collections in the tenant
Get-SPOSite -Limit All | ForEach-Object {
    Write-Host -f Yellow "Processing Site Collection:" $_.Url
    # Get all SharePoint groups in the site collection
    $SiteGroups = Get-SPOSiteGroup -Site $_.Url
    Write-Host "Total Number of Groups Found:" $SiteGroups.Count
    ForEach ($Group in $SiteGroups)
    {
        # $_ still refers to the current site collection inside the foreach statement
        $GroupsData += New-Object PSObject -Property @{
            'Site URL'    = $_.Url
            'Group Name'  = $Group.Title
            'Permissions' = $Group.Roles -join ","
            'Users'       = $Group.Users -join ","
        }
    }
}
# Export the data to CSV
$GroupsData | Export-Csv $CSVPath -NoTypeInformation
Write-Host -f Green "Groups Report Generated Successfully!"
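The group report lists members per SharePoint group, but the ‘Everyone’ and ‘Everyone Except External Users’ claims can also be granted outside of any group. The following script is an added example, not from the post or from sharepointdiary.com: it checks each site collection’s user list for those two claims by their login-name prefixes and records which groups (if any) they sit in. It assumes the SharePoint Online Management Shell module, a placeholder admin URL, and an output path you replace.

```powershell
# Added example: locate the Everyone / Everyone except external users claims across all site collections
$AdminCenterURL = "https://HOSTNAME-admin.sharepoint.com"   # placeholder: replace with your tenant's admin URL
$CSVPath = "$HOME\Documents\OpenAccessPrincipals.csv"
Connect-SPOService -Url $AdminCenterURL

# Login-name patterns of the two open-access claims in SharePoint Online
$OpenAccessPatterns = @{
    'Everyone'                       = '^c:0\(\.s\|true$'
    'Everyone except external users' = '^c:0-\.f\|rolemanager\|spo-grid-all-users/'
}

$findings = foreach ($site in (Get-SPOSite -Limit All)) {
    # Get-SPOUser returns every principal in the site's user information list, claims included;
    # some site collections (e.g. locked ones) refuse the call, so errors are skipped
    $users = Get-SPOUser -Site $site.Url -Limit All -ErrorAction SilentlyContinue
    foreach ($u in $users) {
        foreach ($label in $OpenAccessPatterns.Keys) {
            if ($u.LoginName -imatch $OpenAccessPatterns[$label]) {
                [PSCustomObject]@{
                    SiteUrl    = $site.Url
                    Principal  = $label
                    LoginName  = $u.LoginName
                    Groups     = ($u.Groups -join ",")   # empty means the claim was granted outside any SharePoint group
                    SharingCap = $site.SharingCapability  # external sharing setting of the site collection
                }
            }
        }
    }
}
$findings | Export-Csv $CSVPath -NoTypeInformation
# Quick summary: how many site collections each claim appears in
$findings | Group-Object Principal | Select-Object Name, Count
```

A claim stays in the user information list after its permissions are removed, so treat a hit as a site to verify with Check Permissions rather than as proof of current access.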
In addition to open access groups, access links are direct links to an SPO resource and, depending on the type of link, can be considered open access. A link can be shared with ‘People in My Organization with the link’ or it can be shared with ‘Anyone’, which is essentially ‘Everyone’ since the link does not require authentication. For example, here’s an Anonymous Access link I created which gives view access to anyone with the link.
There are a number of settings at your disposal for controlling how your users are allowed to create access links. I go more in-depth on how these work, as well as other SharePoint sharing controls, in my earlier blog post if you’re looking for more information on these. Knowing what active Anonymous Access Links exist in your environment is important; I recommend mandating an expiration date on access links as a fail-safe for any that may slip through the cracks. To mandate an expiration date on Anonymous Access Links, navigate to the SharePoint Admin center, click on ‘Sharing’ underneath ‘Policies’, and the settings in the screenshot below will be available to you. You’ll see there are a number of settings available for managing access to links, like the type of access allowed via the link and the expiration date. Even more granular external sharing settings are available if you click on the ‘Limit external sharing to specific security groups’ hyperlink underneath Other Settings.
To find these anonymous links in SPO manually you will have to check who each resource is shared with by going to each resource and selecting it.
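The tenant-wide sharing settings described above can also be checked and enforced from PowerShell, which makes it easy to detect drift after someone relaxes them in the admin center. The following script is an added example, not from the post: it compares the tenant’s anonymous link and Everyone-claim settings against a baseline and applies only the values that differ. It assumes the SharePoint Online Management Shell module and a placeholder admin URL; the baseline values are illustrative choices for this example, not Microsoft defaults.

```powershell
# Added example: detect and correct drift in tenant sharing settings that create open access
$AdminCenterURL = "https://HOSTNAME-admin.sharepoint.com"   # placeholder: replace with your tenant's admin URL
Connect-SPOService -Url $AdminCenterURL

# Baseline chosen for this example; every key is a Get-SPOTenant property and a Set-SPOTenant parameter
$Baseline = @{
    RequireAnonymousLinksExpireInDays    = 30         # -1 means "Anyone" links never expire
    FileAnonymousLinkType                = 'View'     # no anonymous edit links on files
    FolderAnonymousLinkType              = 'View'     # or on folders
    DefaultSharingLinkType               = 'Internal' # new links default to "People in my organization"
    ShowEveryoneClaim                    = $false     # keep the Everyone claim out of people pickers
    ShowEveryoneExceptExternalUsersClaim = $true      # the claim the post recommends using instead
}

function Test-SharingBaseline {
    $tenant = Get-SPOTenant
    foreach ($name in $Baseline.Keys) {
        $actual = $tenant.$name
        [PSCustomObject]@{
            Setting  = $name
            Expected = $Baseline[$name]
            Actual   = $actual
            # Compare as strings so enums and booleans line up with the baseline literals
            Drift    = ("$actual" -ne "$($Baseline[$name])")
        }
    }
}

$drift = Test-SharingBaseline | Where-Object Drift
$drift | Format-Table Setting, Expected, Actual -AutoSize

if ($drift) {
    # Splat only the settings that differ so unrelated tenant settings are left untouched
    $params = @{}
    foreach ($d in $drift) { $params[$d.Setting] = $Baseline[$d.Setting] }
    Set-SPOTenant @params
}
```

Run the detection part on a schedule and alert on any drift row; an expiration policy only protects the links created after it is set, so existing ‘Anyone’ links still need to be found and reviewed.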
So, What’s the Plan?
There are 5 key steps that we encourage here at STEALTHbits for an approach to securing your data:
How StealthAUDIT Can Help
With StealthAUDIT, reports are generated which highlight the sites with the most high-risk conditions (open access in this case). This is broken down at the site, list and library level, and further in a details table below the report which contains the locations of the open access and what level of permission it has.
Using StealthAUDIT you would also be able to view information on open access links in our High Risk Permissions report group, where we have a report specifically for anonymous access links highlighting Site Collections (shown below) with Anonymously Shared Files.
We break down this data further in the Anonymous Sharing Details table which includes the location of the anonymous link, whether it’s shared externally or not and whether it gives access to Sensitive Data.
As seen in the example below, the Access Details report breaks down open access for you revealing where the open access exists via the URL path, what access the group has (Read, Write, Delete, Manage), and how they are getting the access – in this case via the Members group.
In summary, the more open access you have in your environment, the larger your attack surface is. You want to know who has access to your data, especially the sensitive data, in order to protect it. To make all of this easier, with our approach you can identify your open SharePoint resources, locate your sensitive data and then control the access to that data. In addition to high-risk conditions we also audit and report on sensitive data, stale data, broken inheritance and activity, and make suggestions on probable owners of your data to help with delegating data ownership, and much more. For a full list of our SharePoint offering check out https://www.stealthbits.com/sharepoint-auditing.
Chris studied Information Systems at Hofstra University before joining Stealthbits – now part of Netwrix where he took on the role as the Technical Product Manager of SharePoint, Dropbox, and Box solution sets. His focus is primarily on SharePoint security, but data security, in general, is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled, and orphaned animals.
© 2022 Stealthbits Technologies, Inc.