Educause Security Discussion mailing list archives
Re: OneDrive for Business "feature"
From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Mon, 27 Aug 2018 17:12:54 +0000
I'm sure it's been a while and I've just discovered it. I'm not in the web interface of OD4B much. I prefer the sync client and thick apps. I don't see any option to turn this feature off. I can change its behavior slightly and make it less permissive. The default is to share with anyone. Changing this to share with specific people might be acceptable. My issue with the feature is that its default configuration causes and exposure to data and triggers a data breach according to our attorney's interpretation of MN Data Practices. Michael Menne, CISSP Chief Information Security Officer IT Solutions Information Security Minnesota State University, Mankato Phone: (507) 389-5705 www.mnsu.edu/its/security<applewebdata://E5E98DA9-AEBC-4104-AA47-742D8C5F4644/www.mnsu.edu/its/security> [cid:image001.png@01D341A0.236300E0] Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Michael Schalip Sent: Monday, August 27, 2018 12:03 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] OneDrive for Business "feature" I'm not sure that's going to qualify as a "bug". That capability has been available in O365/OneDrive for quite some time now. However - I believe there are ways to control that behavior through the central console.... M From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Menne, Michael S Sent: Monday, August 27, 2018 10:53 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] OneDrive for Business "feature" [[-- External - This message has been sent from outside the University --]] FYI ... I just stumbled across a wonderful "helpful feature" in Office 365 OneDrive for Business. Right click on a file in the web interface and select "Copy Link." Voila, that file has now been shared with anyone that can discover the link. Unless you explicitly remove the link or change the sharing properties of the link, it has now been shared with the world. I submitted a Service Request to Microsoft on this as a bug report. Michael Menne, CISSP Chief Information Security Officer IT Solutions Information Security Minnesota State University, Mankato Phone: (507) 389-5705 www.mnsu.edu/its/security<applewebdata://E5E98DA9-AEBC-4104-AA47-742D8C5F4644/www.mnsu.edu/its/security> [cid:image001.png@01D341A0.236300E0] Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Current thread:
- OneDrive for Business "feature" Menne, Michael S (Aug 27)
- Re: OneDrive for Business "feature" Michael Schalip (Aug 27)
- Re: OneDrive for Business "feature" Menne, Michael S (Aug 27)
- Re: OneDrive for Business "feature" Childs, Aaron (Aug 27)
- Re: OneDrive for Business "feature" Marden Paul (Aug 27)
- Re: OneDrive for Business "feature" Menne, Michael S (Aug 27)
- Re: OneDrive for Business "feature" Michael Schalip (Aug 27)