General
This alarm is triggered when a SharePoint site is set to Public. This can be a newly created site or an existing site that was previously Private.
Rationale
When an attacker gains access to an account in your organization, for example because its login credentials have been leaked, they will look for valuable information. Microsoft SharePoint is an obvious place to look, and Public SharePoint sites hand them a wealth of information without any further effort: documents that may enable the attacker to steal sensitive data, escalate their privileges (for example, files containing shared usernames and passwords) or prepare a ransomware attack. It is therefore wise to keep the number of public sites to a minimum.
A SharePoint site can be set to public or private access. A public site is accessible to every user account in the tenant, in practice all employees. There are, of course, sites for which this is desirable, such as a site with newsletters for the entire organization or a site holding onboarding material. Often, however, the information is only intended for specific roles in the organization and possibly a few external guests. In that situation it is better to make the site Private, because that lets you set precisely who has which rights to the site.
In practice, SharePoint sites are made public too easily. This happens, for example, when a new Team is created in Microsoft Teams and set to Public. A Team is backed by a Microsoft 365 group and stores its files in that group's SharePoint site, so the group's privacy setting applies to the SharePoint site as well. This seems harmless and convenient at the time, but over time the team can grow into a wealth of information. As a rule it is better to make a Team Private too, and either invite specific people or let them request access themselves, which SharePoint makes easy.
Follow-up
Follow these steps to adequately address this detection:
- Contact the owner of the site to determine whether the site should indeed remain Public.
- If yes: close the Attic incident as resolved.
- If not: as a SharePoint administrator, change the site to Private and invite only the employees or groups who need access.
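The following PowerShell is an added example and is not part of the Attic documentation. It carries out the triage and remediation above for a site that is backed by a Microsoft 365 group (which is the case for every Teams-linked site), using the Exchange Online PowerShell module: it locates the group behind the site URL reported by the alarm, shows the owners to contact, sets the group to Private once the owner has confirmed, and lists the remaining Public groups so the inventory can be kept small. The site URL, the interactive admin sign-in and the availability of the `ExchangeOnlineManagement` module are assumptions; replace the placeholder URL with the one from the alarm.

```powershell
# Added example (not from the Attic page): triage a Public SharePoint site and
# set it to Private through its Microsoft 365 group.
# Assumptions: the ExchangeOnlineManagement module is installed, the signed-in
# account has Exchange/Groups admin rights, and $SiteUrl is the URL from the alarm.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; use -AppId/-CertificateThumbprint for automation

$SiteUrl = 'https://contoso.sharepoint.com/sites/ProjectX'   # placeholder, taken from the alarm

# 1. Find the Microsoft 365 group that owns the site. Teams and modern team sites
#    keep their files in the group's SharePoint site, so the group's AccessType
#    (Public/Private) is the site's privacy setting.
$group = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.SharePointSiteUrl -eq $SiteUrl }

if (-not $group) {
    # Sites without a group (communication sites, classic sites) are made public
    # through their permissions instead; review those in the SharePoint admin center.
    throw "No Microsoft 365 group owns $SiteUrl; check the site's permissions directly."
}

# 2. Show the current state and who to contact (step 1 of the follow-up).
$owners = Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Owners
"Group: $($group.DisplayName)  AccessType: $($group.AccessType)  Owners: $($owners.Name -join ', ')"

# 3. Only after the owner confirms the site should not be Public: make it Private.
#    Because the Team and the site share the group, this also makes the Team Private.
if ($group.AccessType -eq 'Public') {
    Set-UnifiedGroup -Identity $group.Identity -AccessType Private
    # Re-read the group to verify the change took effect.
    (Get-UnifiedGroup -Identity $group.Identity).AccessType
}

# 4. Inventory: list every group that is still Public, with its site URL, so the
#    number of public sites can be kept to a minimum.
Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.AccessType -eq 'Public' } |
    Select-Object DisplayName, PrimarySmtpAddress, SharePointSiteUrl
```

Changing the group's access type only stops new members from joining freely; users who were already members, and any direct SharePoint permissions granted on the site, remain in place and should be reviewed when you invite only the people who need access.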