Educause Security Discussion mailing list archives
Re: OneDrive for Business "feature"
From: "Childs, Aaron" <aaron () WESTFIELD MA EDU>
Date: Mon, 27 Aug 2018 17:18:40 +0000
Good Afternoon Michael,

It is a configurable option. If you go to https://admin.onedrive.com/?v=SharingSettings you can change the external sharing to "Only people in your organization".

Have a good day,
Aaron

Aaron Childs, Director
Infrastructure Services
Information Technology Services
Wilson Hall - 577 Western Ave.
Westfield MA 01086
P 413.572.5527
F 413.572.5615
aaron () westfield ma edu

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S
Sent: Monday, August 27, 2018 1:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] OneDrive for Business "feature"

I'm sure it's been a while and I've just discovered it. I'm not in the web interface of OD4B much. I prefer the sync client and thick apps.

I don't see any option to turn this feature off. I can change its behavior slightly and make it less permissive. The default is to share with anyone. Changing this to share with specific people might be acceptable.

My issue with the feature is that its default configuration causes an exposure to data and triggers a data breach according to our attorney's interpretation of MN Data Practices.

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705
www.mnsu.edu/its/security

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Michael Schalip
Sent: Monday, August 27, 2018 12:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] OneDrive for Business "feature"

I'm not sure that's going to qualify as a "bug". That capability has been available in O365/OneDrive for quite some time now. However - I believe there are ways to control that behavior through the central console....

M

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Menne, Michael S
Sent: Monday, August 27, 2018 10:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] OneDrive for Business "feature"

FYI ... I just stumbled across a wonderful "helpful feature" in Office 365 OneDrive for Business. Right click on a file in the web interface and select "Copy Link." Voila, that file has now been shared with anyone that can discover the link. Unless you explicitly remove the link or change the sharing properties of the link, it has now been shared with the world.

I submitted a Service Request to Microsoft on this as a bug report.

Michael Menne, CISSP
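
Added example, not part of the original thread: the sharing settings discussed above can also be audited and tightened with the SharePoint Online Management Shell instead of the admin web page. `Test-SharingPosture` is a hypothetical helper name, the sample object is constructed, and the admin URL is a placeholder.

```powershell
# Added example. The live commands at the bottom need the
# Microsoft.Online.SharePoint.PowerShell module and a tenant admin account.

function Test-SharingPosture {
    # Hypothetical helper: takes the object returned by Get-SPOTenant (or any
    # object with the same property names) and returns one finding per setting
    # that lets "Copy Link" produce a link usable by anyone who obtains it.
    param([Parameter(Mandatory)] $Tenant)

    $findings = @()
    if ("$($Tenant.DefaultSharingLinkType)" -eq 'AnonymousAccess') {
        $findings += 'DefaultSharingLinkType: new links default to "Anyone with the link"'
    }
    foreach ($prop in 'SharingCapability', 'OneDriveSharingCapability') {
        if ("$($Tenant.$prop)" -eq 'ExternalUserAndGuestSharing') {
            $findings += "${prop}: anonymous (Anyone) links are allowed"
        }
    }
    return $findings
}

# Constructed sample mirroring the permissive defaults described in the thread,
# so the check can be run offline.
$sample = [pscustomobject]@{
    DefaultSharingLinkType    = 'AnonymousAccess'
    SharingCapability         = 'ExternalUserAndGuestSharing'
    OneDriveSharingCapability = 'ExternalUserAndGuestSharing'
}
Test-SharingPosture -Tenant $sample

# Against a live tenant (placeholder URL, replace with your own admin site):
#   Connect-SPOService -Url https://contoso-admin.sharepoint.com
#   Test-SharingPosture -Tenant (Get-SPOTenant)
#
# Less permissive default: "Copy Link" yields an organization-only link.
#   Set-SPOTenant -DefaultSharingLinkType Internal
#
# Equivalent of "Only people in your organization" for OneDrive sharing.
#   Set-SPOTenant -OneDriveSharingCapability Disabled
```

Changing the tenant settings affects links created afterwards; links that were already shared remain until they are removed or their sharing properties are changed, as the original message notes.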
Current thread:
- OneDrive for Business "feature" Menne, Michael S (Aug 27)
- Re: OneDrive for Business "feature" Michael Schalip (Aug 27)
- Re: OneDrive for Business "feature" Menne, Michael S (Aug 27)
- Re: OneDrive for Business "feature" Childs, Aaron (Aug 27)
- Re: OneDrive for Business "feature" Marden Paul (Aug 27)
- Re: OneDrive for Business "feature" Menne, Michael S (Aug 27)
- Re: OneDrive for Business "feature" Michael Schalip (Aug 27)