SharePoint is growing more and more prevalent in organizations, and offers a great way for users to interact and share content remotely for collaboration on projects. With the increasing use of SharePoint, however, SharePoint admins are facing the same issues that plagued (and, in many cases, continue to plague) administrators of the distributed file system. Increasingly, sites are growing stale, violating ethical wall regulations, and being deemed “high risk” in terms of access and permissions settings.
Each of these issues has its own steps for mitigating the associated risk, which we’ll discuss in more detail below, but it’s worth noting that what they all have in common is the need for data that will help identify the problem. After all, you can't fix it if you don’t know that it’s broken.
High Risk Repositories
Sites classified as being at “high risk” are those that are effectively open to your entire organization. This happens because site managers can assign trustees, who can, in turn, assign permissions that expose content to too many people. Some examples of these kinds of permissions are “Authenticated Users,” “Domain Users,” and “Anonymous Logons.” When identifying high risk repositories, it’s important to examine effective rights; just because a user does not have access through one set of permissions does not mean that all of their assigned permissions will keep them from being able to read, write, modify, or even delete content. Explore how users have access to identify what, exactly, is at risk, and then work to lock down permissions.
Controlling Stale Content
Stale content in SharePoint is similar to stale content within Active Directory and the File System – it hasn’t been modified in a long time. Continuous monitoring is required to determine the last time a site was used, and working together with the data custodians who created the sites that you have identified as stale is important to ensure that it’s okay to remove them. Keeping stale sites out of your SharePoint farms will help with simpler management. It’s important to note here that, if a SharePoint site has child sites, SharePoint won’t let you delete the parent site. This is why it’s especially important to reach out to probable owners of sites to gather more information before proceeding.
Ethical Walls
Ethical walls differ by organization, and apply to most collaborative file systems, including SharePoint. The need for ethical walls stems from the requirement to separate the data that discrete groups within the organization can see. Maybe your organization wants to keep the engineering department’s plans for product upgrades out of the hands of the sales team, or your finance team shouldn’t have access to the investment team’s quarterly assessments. Whatever the reason, one way to identify whether ethical wall violations occur is to see where SharePoint groups have common access, then corroborate that access within Active Directory to ensure that trustees can only see what they are supposed to.
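As an added illustration (not part of the original post and not STEALTHbits code), the Python below works through the effective-rights check from the High Risk Repositories section and the common-access check described above on one exported permission snapshot. The site URLs, group names, users, departments and the wall definition are all constructed, and the open principals are the three the post names.

```python
# Added example: every name and membership below is constructed for illustration.
OPEN_PRINCIPALS = {"Authenticated Users", "Domain Users", "Anonymous Logons"}  # as listed in the post
SP_GROUPS = {  # SharePoint group -> members (users or AD groups)
    "Roadmap Members": ["ENG-Design", "alice"],
    "Roadmap Visitors": ["Project-Leads"],
    "Intranet Visitors": ["Domain Users"],
}
AD_GROUPS = {  # AD group -> members; groups may nest
    "ENG-Design": ["bob", "carol"],
    "Project-Leads": ["carol", "SALES-Managers"],
    "SALES-Managers": ["dave"],
}
SITE_ACL = {  # site -> (trustee, permission level) assignments
    "/sites/roadmap": [("Roadmap Members", "Contribute"), ("Roadmap Visitors", "Read")],
    "/sites/intranet": [("Intranet Visitors", "Read")],
    "/sites/sales": [("SALES-Managers", "Full Control")],
}
DEPARTMENT = {"alice": "Engineering", "bob": "Engineering", "carol": "Engineering", "dave": "Sales"}
WALLS = [("Engineering", "Sales")]  # departments that must not share a site


def expand(trustee, path=(), seen=None):
    """Yield (leaf, path) for each user or open principal reachable from a trustee."""
    seen = set() if seen is None else seen
    if trustee in seen:  # nested groups can loop; stop instead of recursing forever
        return
    seen.add(trustee)
    path = path + (trustee,)
    members = SP_GROUPS.get(trustee, AD_GROUPS.get(trustee))
    if trustee in OPEN_PRINCIPALS or members is None:
        yield trustee, path  # a user, or a principal that covers everyone
        return
    for member in members:
        yield from expand(member, path, seen)


def audit(site):
    """Return (open-access grant paths, ethical-wall violations) for one site."""
    by_dept, open_paths = {}, []
    for trustee, level in SITE_ACL[site]:
        for leaf, path in expand(trustee):
            if leaf in OPEN_PRINCIPALS:
                open_paths.append((" -> ".join(path), level))
            else:
                by_dept.setdefault(DEPARTMENT.get(leaf, "unknown"), set()).add(leaf)
    violations = [(a, b) for a, b in WALLS if by_dept.get(a) and by_dept.get(b)]
    return open_paths, violations


if __name__ == "__main__":
    for site in SITE_ACL:
        print(site, *audit(site))
```

In this data the roadmap site has no Sales group in its permission list, yet a Sales manager reaches it through a nested AD group, which is why the SharePoint view has to be corroborated against Active Directory.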
To learn more about how SMP makes managing SharePoint easy, please view our Controlling SharePoint Sites STEALTHsession, or request a fully-functional product trial.
Friday, February 18, 2011
Tuesday, February 15, 2011
The Exchange Mailbox Mess
Permissions get messy over time. Whether it’s in Exchange, SharePoint, the File System, Active Directory, or elsewhere, people will enter and leave the organization, change roles, and require different levels of access as time goes on. Exchange mailbox permissions offer a particular challenge because of multiple layers of access: permissions associated with mailboxes, delegate rights assigned, and even mailbox rights in Active Directory on the user’s account.
Multiple problems can result: Default and Anonymous access can be set incorrectly, default settings could have been changed, Stale and Zombie SIDs could be applied, or disabled accounts in AD could have been given access. Compounding the problem, effective rights are difficult to discern because of the various “gates” that a person can use to get access.
Largely, the problem stems from the sheer amount of data, exacerbated by time and natural changes in personnel. It’s that same vast number of settings that makes it difficult to solve the problem in an environment; imagine finding an access issue that exists in 500 users’ accounts. Changing them one at a time could take days, and requires the use of precious IT resources.
A complete solution offers the option of making changes in bulk, in accord with data that exactly identifies an issue or anomaly. To learn more about Exchange Mailbox management challenges, and see what STEALTHbits can do to help, check out this video of our Mailbox Action Module STEALTHsession.
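As an added illustration (not part of the original post and not STEALTHbits code), the Python below classifies mailbox permission entries gathered from the three layers named above and groups them by issue, so that each issue becomes one bulk change instead of one change per mailbox. The accounts, SID and entries are constructed; treating any Default or Anonymous right other than "None" as a finding, and treating a trustee shown as a raw SID as stale, are assumptions of this example.

```python
import re
from collections import defaultdict

# Added example: accounts, SIDs and entries below are constructed, not real data.
AD_ENABLED = {"jsmith": True, "mlee": False, "svc-backup": True}  # account -> enabled?
SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")  # a trustee shown as a raw domain SID
ACES = [  # (mailbox, layer, trustee, rights); layers follow the three the post names
    ("ceo", "mailbox", "jsmith", "FullAccess"),
    ("ceo", "mailbox", "Default", "Reviewer"),
    ("ceo", "delegate", "mlee", "Editor"),
    ("hr", "mailbox", "Anonymous", "None"),
    ("hr", "mailbox", "mlee", "FullAccess"),
    ("hr", "ad", "S-1-5-21-1111111111-2222222222-3333333333-1105", "SendAs"),
]


def classify(trustee, rights):
    """Name the problem with one entry, or return None if it looks fine."""
    if SID_RE.match(trustee):
        return "stale_sid"  # assumption: an unresolved SID means the account is gone
    if trustee in ("Default", "Anonymous"):
        # assumption: policy is that Default/Anonymous carry no rights
        return "open_default" if rights != "None" else None
    if AD_ENABLED.get(trustee) is False:
        return "disabled_account"
    return None


def bulk_plan(aces):
    """Group offending entries by issue so each issue is one bulk change."""
    plan = defaultdict(list)
    for mailbox, layer, trustee, rights in aces:
        issue = classify(trustee, rights)
        if issue:
            plan[issue].append((mailbox, layer, trustee))
    return dict(plan)


def gates(aces, trustee):
    """List every layer through which a trustee reaches each mailbox."""
    found = defaultdict(list)
    for mailbox, layer, who, rights in aces:
        if who == trustee and rights != "None":
            found[mailbox].append((layer, rights))
    return dict(found)
```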
