Educause Security Discussion mailing list archives

Re: Assessing SharePoint Security


From: "Woodruff, Dan" <dwoodru2 () UR ROCHESTER EDU>
Date: Fri, 1 Jun 2012 11:17:50 -0400

I was not aware Identity Finder had a plugin for SharePoint. We already
have Identity Finder in house so that could be a logical addition. I'll
also give the tools on stachliu.com a try. 

Thank you for the suggestions,

Dan

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Louis Arminio
Sent: Thursday, May 31, 2012 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Assessing SharePoint Security

Here is a link to a security company that has some free tools for
evaluating SharePoint sites.  I've seen the search tool demonstrated and
used it to evaluate our SharePoint site.  

http://www.stachliu.com/resources/tools/ 

Their tool is mostly centered around URL discovery, but they are working
on a SharePoint DLP tool as well. 

Their project is really a comprehensive search tool.  It's worth
checking out even if you don't have SharePoint.  In addition to
incorporating the GHDB started by Johnny Long and maintained by
Exploit-DB.com, the company has developed their own search DBs.  They
use the Google Custom Search API and Bing 2.0 API to automate searches,
and provide instructions on how to get accounts and set up access to the
APIs.

Lou.
--
Lou Arminio
Senior Information Security Analyst
Northern Arizona University
Information Technology Services
1300 S Knoles Dr, NAU Box 5100
Flagstaff, Arizona 86011
Lou.Arminio () nau edu
Ph:(928) 523-6462
Fax:(928) 523-7407

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Woodruff, Dan
Sent: Thursday, May 31, 2012 8:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Assessing SharePoint Security

SharePoint is used heavily as a collaboration tool and documentation
repository in our environment, and we are trying to determine the best
approach to take to assess its security. One activity we would like to
perform is to scan document repository content for sensitive data. Since
the backend for SharePoint is a database, we'd have to figure out a way
to extract the documents to flat files so they could be examined en
masse. Are there any tools that will automate the extraction? 

Other than assessing the application to standards and policies, how are
other schools assessing SharePoint? Are you performing any kind of
technical assessment such as a penetration test and if so, has it been a
valuable (actionable) exercise? I fear performing a web application
penetration test of such a dynamic and complex application would be a
daunting task with little valuable output.

Thank you for any insight,

Dan Woodruff
University IT Security and Policy
University of Rochester

