Many Microsoft SharePoint users are outside of the control of IT departments, one of several security issues enterprises need to be on top of when they leverage the technology. Handling external users requires upfront planning and a focus on issues of configuration and management.
Many enterprises are in the dark when it comes to managing external users of Microsoft SharePoint.
Gartner analyst Neil MacDonald estimates as many as 30 percent
SharePoint servers are deployed outside of the management of the IT
department, an estimate underscored by a survey of 269 IT managers
by Osterman Research that found 31 percent allowed affiliates to use
SharePoint. Some 48 percent said they permitted contractors
or consultants to use it.
This can create a blind spot for IT that enterprises need to guard against, MacDonald told eWEEK.
"There's no enterprise-wide strategy for how external users will be
handled - how they will be authenticated and more importantly, who has
the ongoing responsibility for managing these externals users and their
entitlements within [SharePoint]," he said.
Meeting those challenges requires upfront planning. In a report,
MacDonald and fellow Gartner analyst Adam Hils noted SharePoint
offers a few alternatives for authentication that fall into three broad
categories: Windows-integrated authentication, ASP.Net forms and Web
single sign-on (SSO). However, using Active Directory and
Windows-integrated authentication is difficult when it comes to
authenticating external users outside the enterprise domain structure.
"For external organizations, where you trust their ability to manage
and authenticate users correctly, consider a federation relationship -
either via an explicit trust relationship, if they use AD [Active
Directory], or by more-generic federation, if they don't," they wrote.
"In either case, this configuration reduces the amount of
administration required on your site."
Where federation is not possible and external users don't use Active
Directory, enterprises should consider a LDAP-enabled repository if
they have one. If not, they can leverage the built-in SQL
authentication capabilities of SharePoint itself, the analysts wrote.
There are some free tools out there from companies such as Microsoft
and Quest Software that provide
visibility to help enterprises identify unmanaged SharePoint
installations. Going beyond access management, though, there are also
issues of data leak prevention and anti-virus scanning that should not
"The limitation of file server AV [is that] at the heart of
SharePoint is a SQL database which stores and manages the exchange of
files within a SharePoint community," said David Finger, product
marketing manager for Trend Micro. "As this is separate from the
standard file system, files - including malicious ones - are never
scanned by server AV, and in fact, Microsoft recommends
the use of such AV products."
His advice is for enterprises to pursue a layered defensive strategy
when it comes to SharePoint that touches endpoints and SharePoint
severs alike. Enterprises should stay current with patches, and deploy
SharePoint-specific AV to stop file-borne malware from entering and
spreading within the community through repositories, portals, blogs and
the like, he said.
Looking ahead, Forrester Research analyst Chenxi Wang added that
Microsoft should also look to add more controls around data leak
"I believe Microsoft's Forefront for SharePoint product can do virus
scanning of uploaded files, but very little else," she said. "Beyond
access control, organizations may want a deeper level of content-based
controls exerted over SharePoint content. DLP-like mechanisms that
accept access based on content, rather than identities, is ultimately
the way to go. This means that the SharePoint server must have content
recognition and policy enforcement capability built in."