Follow me on Twitter @AntonioMaio2

Tuesday, January 8, 2013

Locking Out Farm Admins from Sensitive Content in SharePoint 2010

It’s amazing - I get asked all the time about if there is a way to lock out farm administrators from accessing sensitive content in SharePoint.  Last December, I was asked 3 times within an hour of completing a conference session on SharePoint Security and, in all 3 cases the question was related to SharePoint sites that contained sensitive information and documents related to Mergers and Acquisitions.

This is a common problem that we in the community often hear about.  Often the answer give is “there is no way to do that” or “you have to move that content to Office365”.

Just to restate the problem:  Farm administrators in SharePoint are in effect “super users” and they have access to everything within the SharePoint farm.  The farm administrator role is an IT role, which involves solution deployment, back end configuration and infrastructure management.  By definition the farm administrator is an IT function.  However, in many commercial organizations with sensitive information the IT staff is not permitted to view or access sensitive business date, especially if that information is subject to regulatory compliance or audit requirements.  In the government, military or intelligence community the IT staff is typically not Top Secret cleared, meaning they do not have Top Secret security clearance and therefore are not permitted to access classified or confidential government information.  But remember, farm administrators can access everything.  Yes you can configure farm administrators to not be able to view or access content, however they have sufficient privileges to give themselves back rights to access content.

I’ve thought about this problem over the last few months and tried to come up with some possible solutions to suggest.  Here is one suggestion I made to some people that asked me this question late last year.

The first thing you need to consider is which individual(s) is the content owner for the sensitive content that you are protecting.  You need to ensure that they have ultimate rights to manage permissions to this content.  This person must also be able to serve as a backup to edit or restore permissions should they get truly out of hand in the library holding this content – so an individual with a technical aptitude or some training for the content owners may be required.  Remember you are intentionally locking out the farm administrator (and possibly the entire IT staff) from viewing or accessing content, and this includes managing or restoring permissions as well.  So, the farm administrators can no longer serve as a backup to restore or manage permissions.

Next you should consider using Microsoft's Information Rights Management (IRM) feature within SharePoint to protect and encrypt content as it leaves SharePoint.

So, there is some configuration that needs to be done at the farm level to turn on IRM - this needs to be done by that farm administrator we mentioned above (so this solution is not fool proof).  Once IRM is turned on, it can be pointed to a Microsoft AD-RMS server within the same network.  Microsoft AD-RMS (or Active Directory Rights Management Server) is the server that will generate keys, actually encrypt content and manage the rights that are assigned to individual documents that are protected.  So, this is a server that needs to be setup and managed like any other server. You should ensure that the SharePoint farm administrator is not the same person that administers Microsoft AD-RMS - in fact, in this case ensure that the SharePoint farm admin doesn't have any access to the Microsoft RMS server.  You can find a good overview on Microsoft AD-RMS here.  Once SharePoint IRM is turned on, then site owners can configure on a library by library basis which libraries have IRM applied and what rights will be enforced (this part is not a farm administrator function).

Essentially, when using the IRM feature within SharePoint, when a user downloads a document from SharePoint it will be encrypted on the way out.  As well, it will have certain rights associated with it (like 'do not print' for example).  This protection is built in such a way that to decrypt the document, after it is downloaded from SharePoint, and access the content within is simply a matter of opening the document in the appropriate application (ex. Microsoft Word, Excel or PowerPoint).  An IRM projected .docx file still looks like a .docx file.  It is the payload (or content) within the .docx file that is encrypted.  The encryption and decryption of that content happens completely seamlessly from the end user trying to access the content.  And of course, only users for which the content has been encrypted will be able to decrypt it.  Keep in mind, SharePoint IRM encrypts the documents only when they are downloaded or opened from SharePoint.  Documents actually sit in the clear while they are within SharePoint - this is done so that the contents of the documents is still index-able and searchable.

So, the idea behind using SharePoint IRM being a suggested solution in cases where SharePoint farm admins are not permitted to access sensitive content is:
  • You can certainly turn off their access to see it through out of box SharePoint configuration. 
  • As an additional measure you can use the IRM feature within SharePoint to encrypt sensitive documents on download, so that even if the SharePoint farm admin gives themselves back access to view documents in SharePoint, if they download those documents they will be encrypted for other users and they will not be permitted to access the content within.

There is still a hole in this as mentioned above:  the SharePoint farm admin can completely turn off the IRM feature.  To resolve this at this point, either in SharePoint 2010 or SharePoint 2013, would involve looking for (or developing) an auditing and alerting solution that would monitor this type of configuration change in SharePoint Central Admin and issue alerts if the feature was disabled or modified.

If this is a possible solution for you then I recommend you take at an article I wrote a little while ago on Understanding and Configuring Information Rights Management in SharePoint 2013.