Follow me on Twitter @AntonioMaio2

Tuesday, August 20, 2013

How to Disable the Windows Explorer View in SharePoint

In working with several customers to secure sensitive information in SharePoint, we've found that there are times where some customers still want to use the Windows Explorer view in SharePoint. This is due to a couple of reasons:
  • The fact that many users are used to copying/moving files and folders through an Explorer window.
  • It's one of the only ways in SharePoint to copy multiple folders at a time into a SharePoint library.
However, we have found that the Windows Explorer view has several inherent security holes, and these holes pose significant risk to customers in military or DOD environments. For example, if SharePoint permissions only give a user read access to a file, users are often still able to rename the file through the Windows Explorer view. In some cases users with read access to certain files are even able to delete those files. There are other similar holes.

As well, Microsoft has stated that, when using claims-based authentication with SAML security tokens, the Windows Explorer view in SharePoint 2010 does not work. It goes on to say that this feature (and others) does not work because claims-based authentication does not generate a Windows Security Token, which is required for this feature. From my experience in this situation, the Explorer view partially works in that it can be accessed, but it does not respect ACLs correctly.

As a result, we often recommend to customers that they "turn off" the Windows Explorer view in SharePoint and force users to use the web view. With SharePoint 2013, this option is even more viable because the web view now allows users to drag and drop files from their Windows desktop into the web browser and have those files copied into the SharePoint library. An awesome feature if I may say so!

"Turning off" the Windows Explorer view is a bit of a misnomer though. There is no way that I can find to completely turn off the Explorer view to SharePoint from the SharePoint server. However, there are several methods for preventing end users from accessing the Windows Explorer view. This blog post will describe each of these methods in detail.

Method #1

Administrators can disable access to the Windows Explorer view by modifying the “User Permissions” on the web application. This is done within Central Administration:
  • Click Manage Web Applications and select your web application
  • Click the User Permission button in the ribbon
  • Find the “Use Remote Interfaces” permission in the list and uncheck it (this will also automatically uncheck the “Use Client Integration Features” permission)
This will disable the “Open in Explorer” button in the SharePoint ribbon for all libraries in all sites in the web application.

There is a problem with this method though: it also disables all access to open documents in SharePoint from the Open dialog in MS Office applications. As well, access from SharePoint Designer and from all client object model applications will also be disabled. Please note that the Open dialog, like the Windows Explorer view, also does not fully respect SharePoint permissions. So, this method may or may not work for your environment.

Method #2

I have found that simply removing the “Open in Explorer” button altogether from the SharePoint ribbon can be an effective way to prevent access through the Explorer view. There is a good blog post here on how to accomplish this.

[previous link was incorrect - this is now fixed]

This method is effective because if you open Windows Explorer on your desktop and paste the URL to a SharePoint library, Windows will automatically open a web browser and navigate to the SharePoint web view of the library. It does not actually open in Windows Explorer. This allows the Open dialog in Windows to still navigate to a file in a SharePoint library and open it, but prevents users from effectively using the Explorer view.

This method of course may not be foolproof, meaning a malicious user may still find a way around it. However, it would cover 95% of cases where end users are simply trying to open documents that they are permitted to access. As well, this method still allows users to open SharePoint documents from the Open dialog in MS Office applications, SharePoint Designer and client object model applications.

Method #3

A third method, which is effective and still maintains client object model access and access through the Microsoft Office Open dialog, is the following procedure, which modifies the permission required to use the “Open in Explorer” button. After this procedure, the “Open in Explorer” button in the SharePoint web interface is still visible and enabled, but it is only accessible to users that have the “ManageWeb” permission on the site. This would allow you to configure SharePoint so that site owners have access to the Windows Explorer interface, but regular users that only have contribute permissions do not. Follow these steps to accomplish this:
  • On the SharePoint 2010 server navigate to the folder \Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\CONTROLTEMPLATES
  • Make a copy of the file DefaultTemplates.ascx
  • Open DefaultTemplates.ascx in Notepad
  • Search for the following string: ID="OpenInExplorer"
  • Below that string change PermissionString="UseClientIntegration" to PermissionString="ManageWeb"
  • You will find 2 instances of ID="OpenInExplorer" – you’ll need to make the change in both places
  • Save the file and issue an IIS Reset
You’ll then find that a user that is a site owner can click on the “Open in Explorer” button and still access SharePoint through the Explorer interface, but users that are not site owners (or who do not have the Manage Web Site permission) can click on the button but they’ll get an “Access Denied” message. This works even if a user tries to create a shortcut to a URL and access the Explorer view from that shortcut, or if they try to map a network drive to the SharePoint library URL - if they don't have appropriate permissions they will receive an "access denied" message.
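The Method #3 edit can be applied and checked with a script rather than by hand. The following is an added example, not part of the original post: the function names, the `$sample` markup and its element names are constructed for illustration, and the pattern accepts both the `PermissionString` spelling used above and a plural `PermissionsString` as an assumption about the real file.

```powershell
# Added example. $sample is constructed markup, not a copy of DefaultTemplates.ascx;
# the element name and attribute order in the real file may differ.

# One ID="OpenInExplorer" control plus the permission attribute that follows it.
# The (?!\bID\s*=) guard stops the match from running into the next control.
# "Permissions?String" accepts the spelling used in the post and the plural form.
$pattern = '(?s)(\bID\s*=\s*"OpenInExplorer"(?:(?!\bID\s*=).)*?' +
           '\bPermissions?String\s*=\s*")([^"]*)(")'

function Get-OpenInExplorerPermission {
    param([Parameter(Mandatory=$true)][string]$Markup)
    # Emits one permission value per control instance, in file order.
    [regex]::Matches($Markup, $pattern) | ForEach-Object { $_.Groups[2].Value }
}

function Set-OpenInExplorerPermission {
    param(
        [Parameter(Mandatory=$true)][string]$Markup,
        [string]$Permission = 'ManageWeb',
        [int]$ExpectedInstances = 2   # the post says the ID appears twice
    )
    $found = @(Get-OpenInExplorerPermission -Markup $Markup).Count
    if ($found -ne $ExpectedInstances) {
        # Refuse a partial edit: the post says both instances must be changed.
        throw "Expected $ExpectedInstances OpenInExplorer controls, found $found; nothing changed."
    }
    [regex]::Replace($Markup, $pattern, ('${1}' + $Permission + '${3}'))
}

# Constructed sample: two OpenInExplorer controls with an unrelated control between them.
$sample = @'
<SharePoint:MenuItemTemplate ID="OpenInExplorer" runat="server"
    PermissionString="UseClientIntegration" />
<SharePoint:MenuItemTemplate ID="UploadDocument" runat="server"
    PermissionString="AddListItems" />
<SharePoint:MenuItemTemplate ID="OpenInExplorer" runat="server"
    PermissionString="UseClientIntegration" />
'@

$patched = Set-OpenInExplorerPermission -Markup $sample
"Before: " + ((Get-OpenInExplorerPermission -Markup $sample) -join ', ')
"After:  " + ((Get-OpenInExplorerPermission -Markup $patched) -join ', ')
```

To check the live file, pass `[IO.File]::ReadAllText($path)` as `-Markup` to `Get-OpenInExplorerPermission`. Re-running that check after SharePoint updates is worthwhile, since patches can replace files in this folder.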

Method #4

A 4th and probably more extreme method is to in fact disable WebDAV itself on the IIS Web Server. To accomplish this follow these steps:

  • Click the Windows "Start" button on your Web server, and select "Administrative Tools." Click "Internet Information Services Manager" to open the configuration utility.
  • Click the Web server name in the left panel. A list of websites expands. Click the website name you want to edit, and click "Web Services Extensions" in the website directory.
  • Right-click the WebDav entry in the list of extensions, and click "Prohibit," then click "OK" to confirm that you want to disable WebDav.

Please note: I have not tested this last method myself so your mileage may be different. Ensure that if you go this route that you fully test the SharePoint server and determine if access to files through other mechanisms (MS Office Open dialog, SharePoint Designer, client object model applications) is also affected. As well, these instructions may vary slightly depending on your version of IIS.

- Antonio

Wednesday, August 14, 2013

Today's Presentation at SPTechCon: Introduction to Security in Microsoft SharePoint 2013

Thank you to everyone that attended my session this morning at SPTechCon Boston 2013.  We had a pretty packed room and some really great questions.  I really appreciate everyone making the time to attend at 8:30am after the excellent party that Axceler hosted last night.

It's been an awesome show here! This is my first time speaking at SPTechCon and I have to say that the show staff have provided great support to the attendees and the speakers. Big thanks to Dave, Staci, Katie and their crew.

In addition to the conference site, my presentation slides can also be found here: 

My contact info is in the slides and on this site.  Please do reach out if you have any questions or feedback at all.

Enjoy the rest of SPTechCon and Boston.

Monday, August 12, 2013

Why do Enterprises or Governments secure their information?

This post is the first in a series that will review fundamental security features in Microsoft SharePoint 2013.

When I speak about SharePoint security I often start off with a discussion about why organizations secure their information. What really drives people to implement secure measures to control and govern information?  For a business owner or C-level executive it may be obvious, but for the average employee it may not be.

To be clear, this article is not intended to deal with people’s personal information. It specifically talks to how enterprises or governments deal with and secure their sensitive internal business information. So let’s begin here...

What drives people to secure information?

We’ve all heard statistics about how the information we’re creating and storing is growing at an exponential rate. Many of us now regularly measure database sizes in petabytes. In fact, most enterprise content is unstructured data (e.g., documents), which of course poses its own challenges for management and security. In a 2013 eWEEK article, Gartner analysts predicted that enterprise data will grow by 800 percent over the next five years, and that 80 percent or more of that new data will be unstructured.

We often hear how organizations are centralizing the storage and access to information in order to promote better collaboration, but for many this raises security concerns that must be dealt with – by the way, SharePoint provides just such an excellent platform on which to accomplish this.  We also know that every organization has some meaningful amount of information that is considered sensitive. We often hear about how that sensitive information must be secured, controlled and governed. 

However, many individuals who own or have responsibility for this information usually treat its security as an afterthought. Why is that? With all the statistics and talk about the amount of information we’re generating, how centralizing it promotes collaboration but raises security concerns, and the large amount of that information that’s considered sensitive to the organization, why is its security not top of mind?

From my experience in the security industry over the last 15 years, working with many large organizations around the world and with many individuals who own content or are responsible for content, I’ll put forward a theory: people feel a true need to secure information when they have a personal connection to it, when they truly understand the risk which exposure of that information poses and when the impact of such an exposure affects them directly.

Rarely do people secure information for the good of securing information or because it’s the right thing to do. There are of course exceptions, but in general people are looking out for themselves, not the good of the organization. This isn’t a pessimistic view. I believe it’s just natural human behavior... at least it is today. Culture is slowly changing on this front so who knows how people will feel or think of securing information in the next few years.

Let me summarize the cases in which I have seen people really driven to secure their information. I have found that certain people (outside the security industry) will be driven to secure information for very specific reasons. I’ve categorized each as a set of risks and summed them up in a high-level driver.

1. Reducing Your Liability
For many industries, the exposure of sensitive corporate information can have very negative impacts to business. The risks include:
  • Compliance violations that result in extremely heavy fines (depending on the industry)
  • Sanctions and legally imposed restrictions on business
  • Loss of business reputation (this could be bad PR and of course possibly result in loss of customers)
These are of course very significant risks to the business - they are liabilities to the business. I group these types of risks under “Reducing your liability”.

Exposure of this type of information may be malicious, but more likely it will be inadvertent or accidental. A business owner or a C-level executive will likely be very concerned about such risks and be driven to secure sensitive information in order to protect the business. Business owners, C-level executives and board members are typically very motivated to reduce these liabilities. This is typically because they are better positioned to understand the risk and the impacts can directly affect them personally (bottom line, lawsuits, the buck stops with them, loss of employment, etc.).

The same risks exist for government departments, when you consider government departments can have their budgets cut, such exposures can hit the media very hard or department heads can lose their jobs.

The average employee may or may not be concerned about these risks to the business or department. Depending on the employee, they very likely don’t even understand how these impacts can affect the business nor what information is sensitive to the business.

2. Protecting Your Investments
This particular category of risks typically applies to enterprises, much more so than governments. The risks include:

  • Loss or theft of intellectual property (know how, designs, plans, budgets, vision documents, etc.)
  • Exposure of customer lists
  • Exposure of acquisition/merger information or budgetary/accounting data
  • Loss of competitive advantage
  • Compromising of internal (or external) business systems – which could have a trickle-down effect of loss of customers of course

Once again, a business owner or C-level executive will likely be very concerned about such risks and be driven to secure sensitive information in order to protect the business. This type of data loss or exposure of sensitive information can greatly affect the business’ performance. For these types of individuals their compensation or bonus is typically highly tied to the business’ performance. A CIO or CISO will typically be measured critically (or terminated) when these types of exposures occur.

For a typical employee, although part of their salary/bonus might be tied to company performance that percentage is typically much lower than that of executives. As well, they often will not understand which information is sensitive and how the loss of that information will affect the business. Unless you have a clear way to identify which information is sensitive and can effectively educate employees on how they should handle that information, their ability (and desire) to help protect against data loss will be limited.

3. Public Safety or Mission Success
This category typically applies to government agencies like departments of defense throughout the world, Homeland Security in the US, as well as other government departments. The risks include:
  • Exposure or theft of classified mission data (which can compromise military missions and endanger personnel)
  • Exposure of homeland security information (which can endanger the general public)
  • Compromising of critical government services and security systems
In these cases, the personnel that deal with the data involved are typically well trained in how to handle this type of sensitive information. As well, often people go into these areas of work because they have a desire to be part of the public service, or they wish to work in a military or service that protects the public safety. As such, this particular category may be an exception to the theory I put forward earlier. 

There have been some high profile leaks of classified government information in the last few years, but in general the people that work and deal with this type of information do tend to protect it because they understand the very negative and dangerous impacts that can happen with its exposure and because typically protecting this information is the right thing to do.

4. Health Information
This represents a new risk category in recent years that I’ve been researching lately. I’ve been to a few sessions that specifically talk about the impacts that can occur when personal health information is stolen or exposed. This leans more towards the personal information side (which I said I wasn’t going to talk about) because we are talking about personal health information. However, it’s included here because it affects the companies and government agencies which store/manage that information.

For example, in the state of Florida a personal health identity can be illegally purchased for approximately $56,000. A non-insured individual purchasing such an identity can make use of it to illegally get health care, causing the original owner of that insurance plan to have their premiums used without their knowledge. Even more dangerous than that, the person illegally using the health identity can cause data within the health record to be modified. For example, suppose their blood type is type A and that gets applied to the original health record, but the original owner has type B-negative. If the original owner of the insurance plan is then in an accident and needs a transfusion, this record modification could have extremely dangerous consequences.

In this case, government agencies and health care organizations that manage personal health information must ensure that proper security measures are put in place in order to prevent these types of risks or exposures from happening. In these cases, typically both the administrators and the employees working in the health care industry do care about these types of risks, and are starting to get a sense for the very dangerous impacts that can occur. The health care industry has traditionally been slow to adopt technology solutions, but that has been changing in recent years.

(I realize this first post in fact has nothing to do with SharePoint, but I believe these concepts are important to understand when we generally look at implementing security measures.)

To summarize, in many businesses and organizations the average person tends to feel a true need to secure information when they have a personal connection to it, when they truly understand the risk which exposure of that information poses and when the impact of such an exposure can affect them directly.

The ideal situation in any organization would be if each and every individual does in fact care about securing and properly handling sensitive information. This is really what we should be striving for, and many organizations are starting to tackle this head on.

We have found that the best way to achieve that is to involve all employees in the organization's security strategy. This is done through education, as well as traditional security mechanisms - education of employees so that they understand which information is sensitive and how they should handle it, and so that they are aware of the very real impacts of information exposure, both to the business and to them personally. As well, make employees accountable when they handle sensitive information, and that accountability needs to be obvious (for example, if someone prints a sensitive document their name should be stamped all over it, so that if they leave it in a hallway everyone knows who left it).

This type of education and accountability helps ensure all employees feel the real need to secure the organization's information, and it's one of the best lines of defense against both inadvertent and malicious exposure of sensitive information.

Sunday, August 11, 2013

SPTechCon Boston 2013 – Introduction to Security in Microsoft SharePoint 2013

Session: 8:30am to 9:45am on Wednesday August 14, Room: Back Bay D

I’m at the SPTechCon Conference in Boston this week. This conference is held twice a year, once in San Francisco and once in Boston, and it always gets a good crowd - today (Sunday) is no exception. The SPTechCon crew always puts on a great show!

On Wednesday morning this week, starting at 8:30am, I’m giving a session titled “Introduction to Security in Microsoft SharePoint 2013”. You can find details about the session here: It’s an intermediate session providing high-level information about why we secure our information and on SharePoint security features, but it also dives deeper into a couple of those security features that are fundamental to organizations securing their information.

While at the conference I’m going to blog about some of the topics I talk about in my session. I’ll be spending some time in the exhibit hall at the TITUS booth as well, so if you’d like to connect please feel free to stop by.

Hope to see you there.