Technically not the kind of news I’d like to share, our Office 365 SharePoint site had a serious security breach and I'm going to show you how it happened. Two External Users had a lot more access than we thought they had, in fact, they had access to our entire Site Collection. Let me tell you exactly how our security was breached and how we found out it was happening in our Office 365 SharePoint site.
The Sharegate Office 365 SharePoint Site
Nothing extravagant here, a bunch of Site Collections in our Office 365 and one of them for our Sharegate team. Here we collaborate on documents to help us work better together and from anywhere.
We actually migrated just the lists and libraries we wanted from our On-Premises SharePoint to our Office 365 not too long ago. And during this process, changed the permissions on the site to grant more control to a specific person and less to others.
In short, think of this as a typical and very basic SharePoint Team Site originally On-Premises and migrated to Office 365. What happened next however, can happen to anyone whether it’s from a migration or a new site.
Extending the security of a document by sharing externally
A time came where we needed to work with two people outside of our organization on a document. What a perfect time to take advantage of Office 365 External Users.
My colleague Guillaume, yes we're very french here in Montreal, thought to click on Share for the document in question and enter the email addresses of our two external collaborators. This would extend the security of this particular document and allow us to collaborate with people outside of our organization. Again this is a typical scenario for sharing and what he did to share is exactly what we are meant to do.
It was working, we didn’t think too much of it and continued about our business for at least a week.
Checking permissions on our Office 365 Site Collection
If you don’t know it already, Sharegate is a tool that does both Migration and Management for SharePoint and Office 365. And we eat our own dog food, or at least I hope that’s how the expression goes, meaning we use Sharegate to move stuff around and merge them and every week run security tests on our tenant. We have many Site Collections and work with many customers of ours on it, so security is very important to us as I am sure it is for everyone.
This week, our security results were a little different.
Shocking! Running the Sharegate Externally Shared Objects security report we saw that the Site Collection was shared to External Users and so did all the lists and libraries that inherited from it. A little moment of panic for those running the report, not expecting to find an actual problem with our Office 365 security.
“Ah! It must be a problem with our tool, we found a bug!” or so we would have liked to think.
We quickly navigated through our SharePoint, there we would find our official answer and potentially worry even more.
If you want to Check Permissions that a group or user has in a specific location in SharePoint, there is an easy and sure way: navigate to Site Settings and find the Site Permissions menu to click on Check Permissions.
From there, you can enter the email of the user you have shared content with and see what he or she has access to in SharePoint.
Sure enough, our two External Users had access to our Site Collection and everything inside of it with Edit no less. If you're not familiar with Edit, it’s a new permission level granted automatically to the Members Group when you create a site more powerful than “Contribute”.
The results give us some indication as to how they have so much access and more importantly, where it was granted to them. Quickly, we saw that they had access to the entire site through the Members Group of the site.
Our initial thought was that Guillaume must of done a mistake when sharing the document and added them to this Members Group thinking it was just for that document. We deleted all references or traces to these External Users and started over. Sure enough, after explicitly sharing our document with them, they had access to the entire Site again.
Our Office 365 Security seemed a little shaky in this SharePoint Site, what was going on!? Permissions were granted to “Everyone” through the Members Group.
In the past, we would simply add “All Authenticated Users” to the group that fit the permissions we wanted to grant. Due to the nature of the SharePoint Site and the size of our company, we had chosen to allow anyone Authenticated to access it. Except that in Office 365, this has a much bigger impact on the security of our content since it can include External Users.
Auditing our Office 365 SharePoint Site for a security breach
Naturally, we immediately changed the Members Group to only include “Everyone except External Users” and ran the Sharegate Security Report once again.
Next, since they technically had access to our entire Office 365 SharePoint Site with this security mistake, we wanted to see what they viewed and accessed.
SharePoint in Office 365 allows you to do this with some built-in reports available for the Site Collection Administrator in Site Settings.
Sadly, for these to run and give you the information you're looking for, especially after such a breach, it needs to be turned on before or you will get the same results that we had.
In this scenario, a human error in our site’s security led to any Office 365 External User to have access to our entire Site Collection and if they wanted to, create and delete Lists and Libraries as well.
Thankfully, we ran a security report with Sharegate to show all externally shared objects and that saved us. Though due to the Audit Settings, we'll never know if they actually viewed other files there or not.
This experience has taught us quite a bit:
- Never add “Everyone” or “All Users” unless you know exactly what you are doing
- Turn on Auditing Reports in Office 365 SharePoint Sites you’ll store confidential information in prior
- Properly train the people in charge of Sites even if they already were On-Premises
- After adding an External User, Check Permissions on them for the whole site to make sure they weren’t added somewhere else
- Run security reports regularly to prevent something like this from happening
My key takeaway from this is not to panic and turn off External Users in Office 365. It’s actually a very useful feature and we're using it more and more since then. However, be sure that security on your SharePoint sites is maintained, enforced and properly monitored. Mistakes can happen and in some situations can be quite costly. Would you agree?