One of the areas that has been really important for me over the past few years, has been Security. Not just “does a user a have access”, but more around the options available for Authentication and Authorization, all the way to protecting Environments from potential hacking attempts and data breaches. SharePoint as a platform has grown very large over the past few years and as such means we now need to start looking at the surface area of attack for each system and server that makes up the solution. Our ability to now secure platforms has become a little more complicated as everything has to be online all the time, and we are fighting the battle of security versus usability all the time.
So where do we start?
This is where understanding how “hackers” think and work can help us in securing any system. Most people who would say they are “hackers”, all appear to have the same attitudes and ideas. The solving of “puzzles”, “see what I can do or break” or just wanting to really know how something works is a common trait among “hackers”. Of course there are the other kinds of “hackers” that use these type of skills to cause damage and for the wrong reasons, however the logic of thinking like this does work in figuring out how to protect systems.
Now that we know what the “special trait” is, now we can adopt this and start to reverse the process a little. Instead of staying with the “how do I break”, we need to change it to “how do I break and then fix”.
SharePoint as a product, as we discussed in the last post, connects and interacts with many other systems than itself. This means that the surface area of attack is not isolated to just the SharePoint Servers. Knowing how all the pieces go together is step one of the protection that is needed.
If this is step one, what are the other steps?
So yes, step one is to understand the entire solution not just its core components but everything that interacts with and is connected to. This model follows the same steps that a Penetration Test would take.
The core steps are that a “Hacker” would take are:
Reconnaissance
This is about gathering information about the target. In our case it would be a SharePoint environment. For us as IT Professionals, that means asking ourselves simple questions:
What content is being stored in SharePoint?
Can I find PII data stored there?
Is there a spreadsheet with Username and Passwords?
Is there identifiable information that should not be in SharePoint?
Are there controls in place to identify this?
Can I find information by simply looking at the SharePoint site that would help me to perform Social Engineering attacks?
Are their areas of the site that are externally available?
Is anonymous access enabled and secured correctly?
Scanning and Enumeration
This one is simple, the ability to run a tool or scripts that will try to identify the SharePoint solution. Common tools such as regular Ping Commands (ICMP) and or SYN commands help with this. These tools can be used to identify the Operating System and even down to the running services. The sample Nmap command line output display a lot of information that has been found by just running the right command.
Some of these tools go further and allow for testing of other attacks such as SQL Injection, Cross Site Scripting as well as the ability to bypass core network defenses.
To protect from these types of tools, then you need to look at using detection systems, ensure firewalls are enabled on the servers and then even look at some of the Anomaly Detection products such as the new Microsoft Advanced Threat Analytics or similar tools. These tools look for usage patterns for users and devices. Once it has a picture of what is “normal” it is able to identify what should not be happening.
Images Courtesy of: https://blogs.technet.microsoft.com/ad/2015/05/04/microsoft-advanced-threat-analytics-public-preview-release-is-now-available/
Gaining Access
Gaining access to a system as a different user or even the ability to elevate permissions of an existing account is what “Hackers” are aiming for. With an elevated account, nothing can really stop the hacker’s ability to move between systems and the network. However often the goal here is to simply break passwords and escalate for use later. Weak passwords on SharePoint Services accounts, or even all the SharePoint Administrators using the Farm Service account for administration are easy ways of gaining access to SharePoint.
Often people use “known” passwords, these are ones that have been found from previous data breaches and are added to large password dictionary lists that many tools can now use when brute forcing them using something like Medusa, Metasploit Modules or even custom scripts.
Ensuring passwords and account are secure can mitigate against the ability for someone to figure them out and then use them in an attack.
Maintaining Access and Covering the Attack
Once the attack is successful, privileges escalated, accounts compromised then the goal of the “hacker” is to keep the door open and cover their tracks. Using something like Metasploit to open a persistent backdoor into an environment is very simple and works really well.
Ensuring the servers are patched with the most recent security updates, along with using technology such as “AppLocker” to whitelist and blacklist processes from running will help in the blocking these types of persistent backdoors.
To learn about “AppLocker” you can visit the Microsoft TechNet pages.
As you start to think like a “hacker” by thinking more about the four key things that they think and act on we can defend ourselves better.
- Reconnaissance
- Scanning and Enumeration
- Gaining Access
- Maintaining Access and Covering Attack
These focal points are not just for SharePoint, they work for anything from your home wireless router to your corporate Active Directory infrastructure. The following posts give a little more insight on some of the technical things you can do to break into SharePoint, as well as some of the Security Mistakes you may already be making.
