Description
- Type: CUSTOMER
- Severity: WARNING
- Protection against: Misconfiguration (Human Error)
- CIS: -
This Monitoring Check verifies whether new SharePoint sites have been created with public access, meaning that every user account in the organization can access them.
Why this check?
Once an attacker has obtained an account in your organization, for example because its login credentials have been leaked, they will look for valuable information. Microsoft SharePoint is an obvious place to search, and public SharePoint sites provide a wealth of it: information that may enable the attacker to steal sensitive data, to escalate their privileges (for example, files containing shared usernames and passwords) or to stage a ransomware attack. It is therefore wise to always keep the number of public sites to a minimum.
A SharePoint site can be set up with public or private access. A public site is accessible to all user accounts within the tenant, meaning all employees, and therefore also any single account an attacker manages to compromise. Of course, there are sites for which this is desirable, such as a site with newsletters for the entire organization, or a site with onboarding material. But often, information is only intended for specific roles within the organization, and possibly for external guests. In that situation it is better to make the site private, because you can then precisely configure who has which rights on the site.
SharePoint sites are often made public too easily. This happens, for example, when a new team is created in Microsoft Teams as a public team. Teams stores its files in SharePoint, so the team's privacy setting (the visibility of the underlying Microsoft 365 group) carries over to the linked SharePoint site. This seems harmless and convenient at the time, but over time the team can grow into a wealth of information. It is generally better to make the team private as well and to invite specific people, or to let them request access themselves (which Teams makes very simple).
What are the possible outcomes of the check?
This check has two possible outcomes. In Attic, this is reflected as follows:
- Okay: No new Public SharePoint site found
- Warning: At least 1 new Public SharePoint site found
The check keeps track of which Public sites have already been found and thus does not repeatedly report the same site.
How should this be followed up?
If the outcome is Warning, we advise reviewing the reported public SharePoint sites and determining whether it is necessary for each of them to remain public. If not, ask the owner of the site to make it private, or do so yourself via the SharePoint admin center. For a site that belongs to a team or Microsoft 365 group, the site follows the privacy setting of that group, so changing the group (or team) from Public to Private is what makes the site private.
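The review described above can be scripted. The following PowerShell script is an added example, not Attic's own check or Microsoft's code. It lists the public Microsoft 365 groups (and therefore the public group-connected SharePoint sites) in a tenant through the Microsoft Graph PowerShell SDK, reports only the sites that were not reported on an earlier run (the same "remember what was already found" behaviour the check uses), and can optionally set each new one to Private after a confirmation prompt. The state-file location, the parameter names and the Okay/Warning wording are assumptions made for this example; the account running it is assumed to hold the Group.Read.All and Sites.Read.All permissions (Group.ReadWrite.All when -Remediate is used).

```powershell
# Added example (not part of Attic or Microsoft): find NEW public Microsoft 365 groups,
# i.e. public group-connected SharePoint sites, and optionally make them Private.
# Assumes the Microsoft.Graph PowerShell SDK is installed. The state-file path and the
# switch name are choices made for this example only.
param(
    [string]$StateFile = "$HOME\public-sites-seen.json",   # assumed location
    [switch]$Remediate
)

# Request only what the run needs: read scopes for reporting, write scope for remediation.
$scopes = if ($Remediate) { 'Group.ReadWrite.All', 'Sites.Read.All' }
          else            { 'Group.Read.All',      'Sites.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# IDs already reported on earlier runs, so the same site is not flagged twice.
$seen = @{}
if (Test-Path $StateFile) {
    foreach ($id in (Get-Content $StateFile -Raw | ConvertFrom-Json)) { $seen[$id] = $true }
}

# Only "Unified" (Microsoft 365) groups own a SharePoint site. Visibility is
# Public, Private or HiddenMembership; Public is what this check is about.
$publicGroups = Get-MgGroup -All -Property Id,DisplayName,Visibility,GroupTypes,CreatedDateTime |
    Where-Object { $_.GroupTypes -contains 'Unified' -and $_.Visibility -eq 'Public' }

$new = foreach ($g in $publicGroups) {
    if ($seen.ContainsKey($g.Id)) { continue }
    # /groups/{id}/sites/root is the group's SharePoint site; $select keeps the payload small.
    $site = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/groups/$($g.Id)/sites/root?`$select=webUrl"
    [pscustomobject]@{
        GroupId     = $g.Id
        DisplayName = $g.DisplayName
        Created     = $g.CreatedDateTime
        SiteUrl     = $site.webUrl
    }
}

if (-not $new) {
    Write-Output 'Okay: No new Public SharePoint site found'
} else {
    Write-Output "Warning: $(@($new).Count) new Public SharePoint site(s) found"
    $new | Format-Table DisplayName, Created, SiteUrl -AutoSize

    if ($Remediate) {
        foreach ($s in $new) {
            # Ask per site: some public sites (newsletters, onboarding) are public on purpose.
            $answer = Read-Host "Make '$($s.DisplayName)' ($($s.SiteUrl)) Private? [y/N]"
            if ($answer -eq 'y') {
                # Changing the group's visibility changes the connected site's access.
                Update-MgGroup -GroupId $s.GroupId -Visibility Private
                Write-Output "  -> $($s.DisplayName) set to Private"
            }
        }
    }
}

# Persist everything reported so far; -InputObject keeps a single ID as a JSON array.
$allIds = @($seen.Keys) + @($new | ForEach-Object GroupId)
ConvertTo-Json -InputObject @($allIds) | Set-Content $StateFile
```

On the first run every existing public site is reported, which is a useful one-time baseline; later runs report only sites created or made public since. The script covers sites that belong to a Microsoft 365 group or team. A communication site or classic site that was shared directly with "Everyone except external users" is public in the same sense but is not group-connected, so a full review should also look at site permissions in the SharePoint admin center.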