11/11/2014

You Cannot Test Your Own SharePoint Security


Test accounts are fun, but rarely a good thing.

As a typical site owner in a typical company, you are only issued one user account, one username/password. Having a "test account", especially a test account that is shared with multiple site owners is a bad practice, often prohibited, and sometimes grounds for termination. (In any case, your auditors will not like it.)

So why can't you test with your own account?

Consider creating a Permission Level that only allows Edit Items, but not Delete Items and especially not Full Control or Manage Permissions. To test with only your account you will need to grant yourself the Permission Level and then remove yourself from the Owners group. While you can do some testing… you can't make yourself an owner again! You just tested the car door locks by locking the keys inside.

Weird stuff if you do have a test account…
(and the auditors are looking for you!)

You create a list with custom permissions and add 50 items. You can see the 50 items with your account. When you log into the site with the test account you see 0 items. So far so good. Still using the test account, you click on Export to Excel… and you can see everything! Why? You are still logged into your PC as yourself, not the test user. Excel is running with your permissions when it makes the data connection back to SharePoint, not the test user's permissions. The test user's permissions are only being used in the browser. The same "dual accounts" problem applies to all other client-side applications, including Windows Explorer views.

By the way, this explains a lot of fun security issues when someone asks if they can use your PC to log into SharePoint to check something.

So…

(The following is borrowed from page 219 of my security book. Hint, hint :) )

As a Site Owner or Site Collection Administrator you have the rights to see everything in your site. To truly test SharePoint:

  • You will need a partner who can do your tests.
    • Before granting any permissions to the user ask them to visit the site, list or item and see if they can get any unexpected access.
    • Grant your new custom permissions to the test user and let them see if they can exceed the permissions granted. I.e. can they delete stuff after you have removed the Delete Items permission?
  • You will need a different computer or virtual machine.
    • Switching between instances of the same browser brand can produce odd results due to the reuse of cookies or cached content. As a minimum you can use Internet Explorer’s “New Session” option or do your testing with two different brands of browsers.
    • When logging in as a different user, and then performing any operation that uses a locally installed application such as Windows Explorer or Microsoft Office, you will be running the browser as your test user, but the local application will still be running as the account used to logon to your PC.
    • The cleanest testing is done with a second computer where you have logged into the computer as the test account.
  • Delete the browser’s cache frequently to clear the cookies and temporary files.
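The owner's half of the procedure above, as an added PowerShell example (not from the post or the book it cites): build the "Edit Items but not Delete Items" permission level, grant it to the partner's test account rather than to your own, and confirm from the server side both that the partner cannot delete and that you are still in the Owners group before the partner runs the browser tests from a separate computer. The site URL, the partner's login name and the permission level name are placeholders.

```powershell
# Added example (not the post's own code): prepare a partner's restricted permission
# level and verify it server-side before the partner tests from another computer.
# Placeholders: site URL, partner login and permission level name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl    = "http://sharepoint.example/sites/test"   # placeholder
$partner   = "CONTOSO\partner.tester"                 # placeholder: the partner's account, not yours
$levelName = "Edit Items Only"                        # placeholder name for the new level

$web  = Get-SPWeb $webUrl
$root = $web.Site.RootWeb   # permission levels are defined on the root web of the site collection

# Build the level as a copy of Contribute with Delete Items removed.
$level = $root.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
if ($level -eq $null) {
    $contribute = $root.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Contributor)
    $level = New-Object Microsoft.SharePoint.SPRoleDefinition($contribute)
    $level.Name        = $levelName
    $level.Description = "Contribute without Delete Items (for partner testing)"
    # Clear the DeleteListItems bit; the enum is a 64-bit flags enum, so work in Int64.
    $mask = [int64]$contribute.BasePermissions -band (-bnot [int64][Microsoft.SharePoint.SPBasePermissions]::DeleteListItems)
    $level.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$mask
    $root.RoleDefinitions.Add($level)
    $level = $root.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
}

# A direct grant only takes effect on a web with its own permissions.
if (-not $web.HasUniqueRoleAssignments) { $web.BreakRoleInheritance($true) }

# Grant the level to the partner's account. Your own Owners membership is untouched.
$user       = $web.EnsureUser($partner)
$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
$assignment.RoleDefinitionBindings.Add($level)
$web.RoleAssignments.Add($assignment)

# Server-side check of effective rights. The partner still confirms it in the browser
# from a separate machine, because client applications run as the logged-on Windows user.
$perm = [Microsoft.SharePoint.SPBasePermissions]
New-Object PSObject -Property @{
    Web              = $web.Url
    Partner          = $user.LoginName
    PartnerCanEdit   = $web.DoesUserHavePermissions($user.LoginName, $perm::EditListItems)
    PartnerCanDelete = $web.DoesUserHavePermissions($user.LoginName, $perm::DeleteListItems)
    YouStillInOwners = $web.AssociatedOwnerGroup.ContainsCurrentUser
}

$web.Dispose()
```

Expect PartnerCanEdit to be true, PartnerCanDelete false and YouStillInOwners true; if the last one is false, stop and restore your Owners membership before doing anything else, since that is exactly the locked-keys-in-the-car situation the post describes.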


11/08/2014

SharePoint – Use PowerShell to get all Owners, Full Control Users and Site Collection Administrators

Updated 6/12/2015

The following works for both SharePoint 2010 and 2013.


So who has control in your SharePoint?

Some users are members of the site's Owners group while others have been directly given Full Control. Some may be Site Collection Administrators or even have "super powers" granted at the Web Application level. How do you find these?

PowerShell to the rescue!


Get all users who are members of the "Owners" groups.

Get-SPSite -Limit All | 
  Get-SPWeb -Limit All | 
  where { $_.HasUniquePerm -and $_.AssociatedOwnerGroup -ne $null } | 
  foreach { $TTNweburl = $_.Url; $_ } | 
  Select -ExpandProperty AssociatedOwnerGroup | 
  Select -ExpandProperty Users | 
  Select {$TTNweburl}, UserLogin, DisplayName


Get all users directly given Full Control

Get-SPSite -Limit All | 
  Get-SPWeb -Limit All | 
  Where { $_.HasUniquePerm } | 
  foreach { $TTNweb = $_; $_ } | 
  Select -ExpandProperty Users | 
  Where { $TTNweb.DoesUserHavePermissions($_,[Microsoft.SharePoint.SPBasePermissions]::FullMask) } | 
  Select {$TTNweb.Url}, UserLogin, DisplayName

You could also find users with Full Control-like roles by testing for "ManageWeb" or "ManagePermissions" instead of FullMask. For a list of the permission types use:

[System.Enum]::GetNames("Microsoft.SharePoint.SPBasePermissions")
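As an added example (not the post's own code), a report for the "Full Control-like" case: for each uniquely-secured web it checks every principal known to the site collection against a short list of permission flags and prints who holds which. It uses DoesUserHavePermissions with the login name so that rights arriving through a SharePoint group are evaluated too, and it reads from SiteUsers rather than Users for the same reason; the flag list and the CSV path are assumptions you can change.

```powershell
# Added example (not the post's own code): who holds ManageWeb or ManagePermissions
# on each uniquely-secured web, with group-granted rights resolved by SharePoint.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Flags that amount to owner-like control even without Full Control (assumed list).
$flags = "ManageWeb", "ManagePermissions"

$report = Get-SPSite -Limit All | Get-SPWeb -Limit All | Where-Object { $_.HasUniquePerm } | ForEach-Object {
    $web = $_
    # SiteUsers lists every principal known to the site collection, including
    # users who only have access through a group, so group grants are caught.
    foreach ($user in $web.SiteUsers) {
        $held = @()
        foreach ($flag in $flags) {
            $p = [Microsoft.SharePoint.SPBasePermissions]$flag
            if ($web.DoesUserHavePermissions($user.LoginName, $p)) { $held += $flag }
        }
        if ($held.Count -gt 0) {
            New-Object PSObject -Property @{
                Web           = $web.Url
                UserLogin     = $user.LoginName
                DisplayName   = $user.Name
                IsDomainGroup = $user.IsDomainGroup
                IsSiteAdmin   = $user.IsSiteAdmin   # site admins pass every permission check
                Flags         = ($held -join ",")
            }
        }
    }
}

$report | Sort-Object Web, UserLogin |
    Format-Table Web, UserLogin, DisplayName, IsDomainGroup, IsSiteAdmin, Flags -AutoSize

# Assumed output path; keep the CSV for the auditors.
$report | Export-Csv -Path "$env:TEMP\sharepoint-owner-like-users.csv" -NoTypeInformation
```

The IsSiteAdmin column matters when reading the output: a Site Collection Administrator satisfies every DoesUserHavePermissions check, so such rows say nothing about explicit grants and belong with the Site Collection Administrators query below.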


Get all users who are Site Collection Administrators:

Get-SPSite -Limit All | 
  Get-SPWeb -Limit All | 
  where { $_.HasUniquePerm } | 
  foreach { $TTNweburl = $_.Url; $_ } | 
  Select -ExpandProperty Users | 
  Where { $_.IsSiteAdmin } | 
  Select {$TTNweburl}, UserLogin, DisplayName


Who else can see the content, and might have Full Control?

Some users may have access to site content via Web Application level policies. These are set in Central Administration in the Web Application Management section.

Get-SPWebApplication | 
  foreach { $TTNwebappUrl = $_.Url; $_ } | 
  Select -ExpandProperty Policies |  
  Select {$TTNwebappUrl}, DisplayName, IsSystemUser, PolicyRoleBindings, UserName | FT


10/08/2014

SharePoint Saturday Cincinnati!

SharePoint Saturday is this weekend!   October 11th, 2014


Free sessions... 25 and counting!
Free food!
Free door prizes!
Free networking!

Talk about it! Blog about it! Tweet about it! (@spscincinnati)  Let everybody know!

Register here: http://www.spsevents.org/city/cinci/cinci2014

This year the event will be at the Sharonville Convention Center located at 11355 Chester Rd, Cincinnati, OH 45246. Easy to get to and closer for those from points North.


My topic:

Changes to SharePoint 2013 and Office 365 Security You Must Know

For ScarePoint Saturday the title might be "SharePoint 2013 security... Things that go bump in the night!"

Track: IT Pro, Developer, End-User, Business

SharePoint 2013 and Office 365 / SharePoint Online change many of the assumptions about managing end user security. It has buttons that break previous best practices, and it changes permission defaults in ways that can lead to the loss of entire lists and libraries. This session covers what you need to know about SharePoint 2013 authorization if you are responsible for SharePoint security or SharePoint governance, and it is very important for Site Owners and Site Collection Administrators.

See you there!
Costume optional...

Hint, hint... Register here: http://www.spsevents.org/city/cinci/cinci2014


9/23/2014

Did you ever want to take a Microsoft exam from home or the office?


Starting today, if you are a U.S. resident (and if you’re not, stay tuned—they’ll be expanding soon), you can take dozens of the MCP and MTA exams from the comfort of your home or office through a process called online proctoring by Pearson VUE. Or as Ken Rosen says "Come on, admit it: you’ve always wanted to take one of our exams in your pajamas. I can’t be the only one."

See Ken's blog article here and the details, rules and regulations here.

When you look at the list of exams available you will find numbers like 462-OP (on premise?). Add a 70 in front of the number and remove the "-OP" to find the equivalent exam ID (70-462). The "98" series exams just have the normal number with "-OP" added to the end.

Here are some of the "OP Beta" exams that are "in my world" (SharePoint, SQL, etc.):

346-OP Managing Office 365 Identities and Requirements
347-OP Enabling Office 365 Services

410-OP Installing and Configuring Windows Server 2012
411-OP Administering Windows Server 2012
412-OP Configuring Advanced Windows Server 2012 Services

461-OP Querying Microsoft SQL Server 2012
462-OP Administering Microsoft SQL Server 2012 Databases
463-OP Implementing a Data Warehouse with Microsoft SQL Server 2012

480-OP Programming in HTML5 with JavaScript and CSS3


Note to spammers!

Spammers, don't waste your time... all posts are moderated. If your comment includes unrelated links, is advertising, or just pure spam, it will never be seen.