Research for SharePoint (MOSS)

This page contains research notes on Microsoft's SharePoint MOSS and WSS

Resources

Microsoft resources

• Security Architecture for SharePoint Products and Technologies (Word Doc)
• SharePoint Community Portal
• Downloadable book: Security for Office SharePoint Server 2007 - link to 277 page Doc file
• SharePoint End User Security

Other Resources and Documentation

• SharePoint Security Concepts - contains a number of other links to more material
• SharePoint Security Best Practices - $995 Gartner report
• Microsoft Office SharePoint Server 2007 Security Model
• SharePoint Security Concerns Simply a Lack of Governance?
• Governance Key for SharePoint Implementations

Presentations

• OWASP Houston Chapter - August 12, 2009 : SharePoint Auditing and Penetration Testing Presentation by: Shohn Trojacek
• from Denim group:
  • Securing SharePoint (PDF Format) - TASSCC Technology Education Conference in Austin, March 26, 2009
  • Securing Sharepoint (PDF Format) - Texas Regional Infrastructure Security Conference (TRISC) in Austin, March 24, 2009
  • A Primer to SharePoint Security - video

Other interesting resources

• MOSS Security jobs (in Australia)
• Articles on CMSWire about SharePoint

Other Blogs and Articles

• Microsoft SharePoint: A Weak Link In Enterprise Security? - Dark Reading

Security related technical articles

• How to Programmatically Disable Code Access Security

Published Security issues

SharePoint related vulnerabilities and its status

• {Note: Add MSRC case}
• http://milw0rm.com/exploits/8704 & http://milw0rm.com/sploits/2009-IIS-Advisory.pdf

MOSS Security related WebParts, Tools & services

Open Source

• From CodePlex (see more on this search for SharePoint Security
  • SharePoint Security Templates (CodePlex)
  • SharePoint Security Configuration Feature
  • Sharepoint Access Checker Web Part
  • Site Security Management Utility
  • CryptoCollaboration For SharePoint

Commercially Supported

• ARB Security Solutions (www.sharepointsecurity.com)
• AbsoluteProof for MS SharePoint - related article Surety Releases AbsoluteProof for SharePoint

Dangerous MOSS APIs

Map the security implications of MOSS APIs, for example:

• which APIs (if badly used)are vulnerable to: XSS, CSRF, SQL Injection
• configuration settings that have security implications

WebParts Security

• Security ratings & mappings of MOSS Deployed Web Parts
• Security ratings & mappings of 3rd Part Web Parts