Many enterprises are in the dark when it comes to managing external users of Microsoft SharePoint.

Gartner analyst Neil MacDonald estimates as many as 30 percent of SharePoint servers are deployed outside of the management of the IT department, an estimate underscored by a survey of 269 IT managers by Osterman Research that found 31 percent allowed affiliates to use SharePoint. Some 48 percent said they permitted contractors or consultants to use it.

This can create a blind spot for IT that enterprises need to guard against, MacDonald told eWEEK.

“There’s no enterprise-wide strategy for how external users will be handled – how they will be authenticated and more importantly, who has the ongoing responsibility for managing these externals users and their entitlements within [SharePoint],” he said.

Meeting those challenges requires upfront planning. In a report, MacDonald and fellow Gartner analyst Adam Hils noted SharePoint offers a few alternatives for authentication that fall into three broad categories: Windows-integrated authentication, ASP.Net forms and Web single sign-on (SSO). However, using Active Directory and Windows-integrated authentication is difficult when it comes to authenticating external users outside the enterprise domain structure.

“For external organizations, where you trust their ability to manage and authenticate users correctly, consider a federation relationship — either via an explicit trust relationship, if they use AD [Active Directory], or by more-generic federation, if they don't,” they wrote. "In either case, this configuration reduces the amount of administration required on your site.”

Where federation is not possible and external users don't use Active Directory, enterprises should consider a LDAP-enabled repository if they have one. If not, they can leverage the built-in SQL authentication capabilities of SharePoint itself, the analysts wrote.

There are some free tools out there from companies such as Microsoft and Quest Software that provide some visibility to help enterprises identify unmanaged SharePoint installations. Going beyond access management, though, there are also issues of data leak prevention and anti-virus scanning that should not be overlooked.

“The limitation of file server AV [is that] at the heart of SharePoint is a SQL database which stores and manages the exchange of files within a SharePoint community,” said David Finger, product marketing manager for Trend Micro. “As this is separate from the standard file system, files - including malicious ones - are never scanned by server AV, and in fact, Microsoft recommends the use of such AV products.”

His advice is for enterprises to pursue a layered defensive strategy when it comes to SharePoint that touches endpoints and SharePoint severs alike. Enterprises should stay current with patches, and deploy SharePoint-specific AV to stop file-borne malware from entering and spreading within the community through repositories, portals, blogs and the like, he said.

Looking ahead, Forrester Research analyst Chenxi Wang added that Microsoft should also look to add more controls around data leak prevention (DLP).

“I believe Microsoft’s Forefront for SharePoint product can do virus scanning of uploaded files, but very little else,” she said. “Beyond access control, organizations may want a deeper level of content-based controls exerted over SharePoint content. DLP-like mechanisms that accept access based on content, rather than identities, is ultimately the way to go. This means that the SharePoint server must have content recognition and policy enforcement capability built in.”