Assessing SharePoint Security

["Woodruff, Dan" <dwoodru2 () UR ROCHESTER EDU>]

SharePoint is used heavily as a collaboration tool and documentation
repository in our environment, and we are trying to determine the best
approach to take to assess its security. One activity we would like to
perform is to scan document repository content for sensitive data. Since
the backend for SharePoint is a database, we'd have to figure out a way
to extract the documents to flat files so they could be examined en
masse. Are there any tools that will automate the extraction? 

 

Other than assessing the application to standards and policies, how are
other schools assessing SharePoint? Are you performing any kind of
technical assessment such as a penetration test and if so, has it been a
valuable (actionable) exercise? I fear performing a web application
penetration test of such a dynamic and complex application would be a
daunting task with little valuable output.

 

Thank you for any insight,

 

Dan Woodruff

University IT Security and Policy

University of Rochester