You Cannot Test Your Own SharePoint Security


Test accounts are fun, but rarely a good thing.

As a typical site owner in a typical company, you are only issued one user account, one username/password. Having a "test account", especially a test account that is shared with multiple site owners is a bad practice, often prohibited, and sometimes grounds for termination. (In any case, your auditors will not like it.)

So why can't you test with your own account?

Consider creating a Permission Level that only allows Edit Items, but not Delete Items and especially not Full Control or Manage Permissions. To test with only your account you will need to grant yourself the Permission Level and then remove yourself from the Owners group. While you can do some testing… you can't make yourself an owner again! You just tested the car door locks by locking the keys inside.

Weird stuff if you do have a test account…
(and the auditors are looking for you!)

You create a list with custom permissions and add 50 items. You can see the 50 items with your account. When you log into the site with the test account you see 0 items. So far so good. Still using the test account, you click on Export to Excel… and you can see everything! Why? You are still logged into your PC as yourself, not the test user. Excel is running with your permissions when it makes the data connection back to SharePoint, not the test user's permissions. The test user's permissions are only being used in the browser. The same "dual accounts" problem applies to all other client side applications, including Windows Explorer views.

By the way, this explains a lot of fun security issues when someone asks if they can use your PC to log into SharePoint to check something.


(The following is borrowed from page 219 of my security book. Hint, hint!)

As a Site Owner or Site Collection Administrator you have the rights to see everything in your site. To truly test SharePoint:

  • You will need a partner who can do your tests.
    • Before granting any permissions to the user ask them to visit the site, list or item and see if they can get any unexpected access.
    • Grant your new custom permissions to the test user and let them see if they can exceed the permissions granted. I.e. can they delete stuff after you have removed the Delete Items permission?
  • You will need a different computer or virtual machine.
    • Switching between instances of the same browser brand can produce odd results due to the reuse of cookies or cached content. As a minimum you can use Internet Explorer’s “New Session” option or do your testing with two different brands of browsers.
    • When logging in as a different user, and then performing any operation that uses a locally installed application such as Windows Explorer or Microsoft Office, you will be running the browser as your test user, but the local application will still be running as the account used to log on to your PC.
    • The cleanest testing is done with a second computer where you have logged into the computer as the test account.
  • Delete the browser’s cache frequently to clear the cookies and temporary files.
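A quick way to see the "dual accounts" problem on your own PC is to list which Windows account each SharePoint client process is actually running as. This is an added example, not code from the post or the book; it assumes PowerShell 3 or later on Windows and uses the process names of common browsers and Office applications (adjust the list for your own clients).

```powershell
# Added example: compare the identity of each SharePoint client process
# with the interactive logon. A browser signed in as a test user still
# shows the logon account here, and so do Excel and Windows Explorer,
# which is why Export to Excel ignores the test user's permissions.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user

# Process names to inspect (assumption: these are the clients in use).
$clients = 'iexplore.exe', 'msedge.exe', 'chrome.exe', 'firefox.exe',
           'excel.exe', 'winword.exe', 'explorer.exe'

Get-CimInstance Win32_Process |
  Where-Object { $clients -contains $_.Name.ToLower() } |
  ForEach-Object {
    # GetOwner returns the account that owns the process token.
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
    $runsAs = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { '(unknown)' }
    [pscustomobject]@{
      Process      = $_.Name
      Pid          = $_.ProcessId
      RunsAs       = $runsAs
      SameAsLogon  = ($runsAs -eq $me)
    }
  } | Sort-Object Process | Format-Table -AutoSize
```

Every row with SameAsLogon equal to True will reach SharePoint with your own permissions, no matter which user the browser tab says is signed in; only a second computer logged on as the test account makes that column show a different identity.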
