SharePoint Blog

February 06
Risk & Health Assessments for Microsoft SharePoint

Organizations have been using Microsoft SharePoint as their collaboration platform and content management solution for over 18 years now. Over the years, SharePoint has grown in its capabilities and remains an effective tool for organizations around the world.

We have found, however, that after an organization’s SharePoint site has been in use for an extended period of time, the site grows in volume and becomes more complex, yet is left without maintenance and is rarely monitored. The result is a complicated SharePoint site, usually with misconfigured permissions, old client information, or code hacked into the pages that executes within the sites. For example, there are often many unresolved errors in the Event or ULS logs.

In addition, organizations want to customize their site so that it does not look like SharePoint, or would like specific functions that aren’t available in the out-of-the-box version. But as we have audited these environments, we have found that many customizations live within the sites, and most of them were added not by developers but by end users. They have, for example, found freely available JavaScript code snippets online and pasted them into Content Editor or Script Editor web parts, making their tasks much more manageable and the SharePoint interface better. These are customizations, or applications, that were never designed to be in the SharePoint site, but the needs of the business have allowed this to happen.

The need to perform risk and health assessments is even more critical today. As the sites grow larger and larger, it becomes much harder to know what exists in them. And with the move to Office 365 and SharePoint Online, that need is even more critical. Our Protiviti team has performed many site assessments, and we have realized that it takes not only automated processes but also manual tasks to understand and build the picture of what is within the SharePoint environment.

Historically, we have executed PowerShell scripts and some third-party applications to build the whole picture. The problem with this approach is that they don’t give us full insight into the code that was added to the pages, or even into what that code is doing. The biggest issue with not identifying the code is the potential for security or performance problems if the code is doing something it should not. In many of the data and security attacks performed last year, a high percentage stemmed from the use of old code frameworks, lousy code, or even outright malicious code.

For example, simply adding code like this, though it may look harmless, could be used for malicious purposes.



The code itself is not doing anything obviously terrible; however, because JavaScript runs in the browser, it is injecting elements into the page’s DOM. At load time the code injects a new Image element, and the resulting IMG tag is pre-populated with arbitrary JavaScript commands in one of its attributes. The newly added IMG tag is then retrieved, and the common JavaScript eval() function ensures the hidden code is executed, no matter what that code might be.

Understanding why you need to perform this level of Risk Assessment is imperative. If you are not sure, ask yourselves these questions:

Do I know where all the customizations are within my SharePoint environment?

Do I know how many Script Editor web parts are on the site?

Do I know where custom JavaScript is on pages?

Do I know what the code is doing on my site?

If you answer "NO" to any of these questions, then you need to perform a detailed risk assessment.
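As an added illustration (my own code, not from Protiviti or from Rencore’s tool), the following Python scan answers the Script Editor and custom-JavaScript questions above against a constructed inventory of exported web part definitions, and flags the attribute-then-eval pattern described earlier. The (page, web part type, Content) triples are assumed to come from whatever export your own inventory scripts produce; the labels between Critical and Good are my own choice.

```python
import re
from dataclasses import dataclass, field

# Real SharePoint web part type names whose Content property can hold arbitrary markup and script.
SCRIPT_EDITOR = "Microsoft.SharePoint.WebPartPages.ScriptEditorWebPart"
CONTENT_EDITOR = "Microsoft.SharePoint.WebPartPages.ContentEditorWebPart"

# Indicators that data is turned into code (e.g. an attribute value fed to eval) or that code is loaded from outside.
RISK_PATTERNS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "function-ctor": re.compile(r"\bnew\s+Function\s*\(", re.I),
    "string-timer": re.compile(r"\bset(?:Timeout|Interval)\s*\(\s*[\"']", re.I),
    "attr-to-eval": re.compile(r"\beval\s*\([^;]*\.getAttribute\s*\(", re.I | re.S),
    "external-script": re.compile(r"<script[^>]+src\s*=\s*[\"']https?://", re.I),
}
SEVERITY = {"eval": 3, "function-ctor": 3, "attr-to-eval": 3, "string-timer": 2, "external-script": 2}
RATINGS = ("Good", "Review", "Warning", "Critical")  # index 0..3; the two middle labels are my own

@dataclass
class Finding:
    page: str
    webpart_type: str
    indicators: list = field(default_factory=list)

def scan_webpart(page, wp_type, content):
    """Return a Finding for one web part, or None if it carries no custom script."""
    if wp_type != SCRIPT_EDITOR and not (wp_type == CONTENT_EDITOR and re.search(r"<script\b", content, re.I)):
        return None
    hits = [name for name, rx in RISK_PATTERNS.items() if rx.search(content)]
    return Finding(page, wp_type.rsplit(".", 1)[-1], hits)

def assess(inventory):
    """Summarise (page, web part type, Content) triples into the counts the questions above ask for."""
    findings = [f for f in (scan_webpart(*item) for item in inventory) if f]
    # Any custom script at all is at least "Review"; the worst indicator decides the rest.
    worst = max((SEVERITY[i] for f in findings for i in f.indicators), default=1) if findings else 0
    return {
        "script_editor_webparts": sum(f.webpart_type == "ScriptEditorWebPart" for f in findings),
        "pages_with_custom_script": sorted({f.page for f in findings}),
        "findings": findings,
        "rating": RATINGS[worst],
    }

# Constructed inventory imitating .webpart exports; not taken from any real farm or from the Rencore tool.
SAMPLE_INVENTORY = [
    ("/SitePages/Home.aspx", "Microsoft.SharePoint.WebPartPages.XsltListViewWebPart", ""),
    ("/SitePages/Team.aspx", SCRIPT_EDITOR, "<script>$(function(){ $('#ms-help').hide(); });</script>"),
    ("/SitePages/News.aspx", CONTENT_EDITOR, "<p>News</p><script src='https://cdn.example/widget.js'></script>"),
    ("/SitePages/Links.aspx", SCRIPT_EDITOR,
     "<script>var i=new Image();i.id='x';i.setAttribute('data-cmd',\"console.log('loaded')\");"
     "document.body.appendChild(i);eval(document.getElementById('x').getAttribute('data-cmd'));</script>"),
]
REPORT = assess(SAMPLE_INVENTORY)  # REPORT["rating"] == "Critical", two Script Editor web parts found
```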

To help us do this, and for you, as an organization, to be better protected, Protiviti is able to utilize a tool provided by our partner Rencore (https://rencore.com). Rencore as a company brings a wealth of experience to us within the software development space, specifically around SharePoint development. Their core products initially focused on code analysis and quality, ensuring that all code developed for SharePoint was built according to best practices, identifying problems and offering resolutions. In the past year, Rencore has shifted to include application security within both SharePoint On-premises and SharePoint Online, providing tooling that can continuously scan and monitor your environment for changes and for code or applications added to the sites.

In the next couple of weeks, a new tool from Rencore will become available, allowing us to run a free risk and health assessment on a limited number of site collections within either SharePoint On-premises or SharePoint Online. The purpose of the tool is to inspect the sites looking for customizations, which in reality are applications in their own right. The tool scans the sites and produces a report that provides not only details of the items found within the sites but also a rating from Critical to Good for the overall health of your SharePoint sites. Below is a sample report returned by the application.


This tool is available to all, as Rencore feels that all companies should know what they have within their SharePoint environments. In fact, to quote Rencore, "Discover risks before they hurt your business." After executing the tool, you are also able to perform a full risk assessment with the help of the Rencore team (https://go.rencore.com/discover-sharepoint-application-risks). After that, you can even utilize the Rencore Platform for consistent monitoring of your environments.

Protiviti has deep expertise in audits and risk assessments, and we provide support and assistance in mitigating the application risks found within your SharePoint On-premises or SharePoint Online site. With Protiviti and Rencore working together, we can help you understand what is in your SharePoint environment, the potential security risks and code vulnerabilities, and the mitigations for these problems. When the tool is available, we will create a walkthrough of how you can use it to check your SharePoint environment. Let our team know today if you are interested in a personal walkthrough!



© Protiviti 2019. All rights reserved.