Picture you and your family moving into a new house, but for whatever reason none of the doors or windows have locks. Think about how difficult it would be to get comfortable in such a place! Yes, you may have a room to yourself, but knowing that anybody could waltz right in at any time and grab your most valuable possessions would be pretty unnerving. And even if it were just your family in the house, wouldn’t it be difficult to feel as if you ever had any privacy if you could never lock the door (especially in the bathroom!)?
In a lot of ways, your SharePoint site is your home. No, it doesn’t have any bathroom-type area (at least I hope not), but it is a place where you and your coworkers feel safe to collaborate, express and share ideas and content freely, and expect a reasonable amount of security and privacy in your own intranet site. You would hope that no outsiders would be able to get into your company’s SharePoint site, and that only people with certain permissions could have access to certain parts of the SharePoint library (the list of employee salaries, for instance). Just like you want locks on the doors and windows of your house, you want to have certain permissions and security measures in place on your SharePoint site.
For many SharePoint users and administrators, though, this is a lot easier said than done. Getting into SharePoint permission and security controls isn’t always intuitive. That’s why we’re here to help ease you into it in the simplest way possible!
Understanding Permission Levels
Permission levels are used to restrict user access to the site and its contents. Before you continue, we recommend you spend time reviewing the Understanding Permission Levels article from Microsoft so you can learn about SharePoint permissions and develop a permission strategy. It covers the topics below:
- Permissions Inheritance
- Default Permissions Levels
- Permission Levels and SharePoint groups
- Site Permissions and permission levels
- List Permissions and permission levels
- Personal permissions and permission levels
- Permissions and dependent permissions
- Plan your permission strategy
The first step in securing your SharePoint intranet portal is to set up the permissions for the people who already have access to your SharePoint site. As a SharePoint admin, you’ll want to make sure only people in certain departments have access to the proper file directories. This not only keeps private or confidential information from being distributed, but also cleans up your SharePoint users’ library so they only see what they need to.
To get started setting up permissions by department, you’ll want to use the Active Directory groups in Office 365. AD groups are merely groups of users in your company that are organized by role or job function. For example, you may create an “HR Group” for everyone in your HR department, or a “Tech Wizards Group” for all of your SharePoint developers.
Add Office 365 Security Groups
Below are the steps needed to add groups to Office 365. We like to use mail-enabled security groups so you can also send notifications via workflows or alerts from within SharePoint:
- From the Office 365 Admin Panel, select Groups->Groups
- Select "Add A Group"
- Select the group type (we like to use the mail-enabled security group), name (we recommend using a naming convention) and email address.
- Once you have added the group, you will need to add the members.
Securing a SharePoint Site using Permissions
Below are the steps needed to use the Office 365 group you created above to secure your site. Remember that securing your site correctly will require that you understand permissions inheritance and have developed a sound strategy. In some instances it may be best to contact a SharePoint consultant to ensure you have followed the correct steps.
- From within the SharePoint site, select "Site settings"
- Select "Site permissions"
- Select "Grant permissions"
- Select the Office 365 group you created and assign the correct permission level
To bring back the house analogy, no matter how trusting we are of our friends and neighbors, we still have locks on our front and back doors. Likewise, no matter how trustworthy the associates or clients you’ve shared certain SharePoint site information with might be, you want to make sure strangers can’t access your SharePoint site. In the past, the single login page was ample security to thwart wannabe hackers from breaking into your intranet site, but now, with technology changing so rapidly, digital criminals have found it easier and easier to bypass simple password protection and access your files.
Enter two-factor authentication. Though not a new technology, two-factor authentication has grown in popularity as the standard for internet security. Instead of a simple username-and-password login, users who want to access your site now need a secondary verification method after correctly entering a password. This often utilizes a physical token the user has on them personally. Now, upon entering the password, a second verification screen will pop up and ask the user to enter a code sent to their mobile device via text message. This may seem like a futuristic concept, but in fact it is very simple to set up for your own SharePoint site! Use the link provided below for detailed instructions.
Now that you have your user permissions settled, and your external logins doubly secured, it’s time for you, as the SharePoint administrator, to set up a way to monitor your security measures. Yes, unfortunately, despite all of the barriers you have put in place to ensure that your SharePoint intranet portal is totally secure, some things may slip through the cracks. But, it’s always better to catch them than to not be looking for them at all.
SharePoint and Office 365 have an easy-to-use security reporting feature built in; all you have to do is set it up. Just pick the areas that you’re worried about (this may be folders with private content, or areas where you think maybe your permissions weren’t set as well as they should be) and SharePoint will automatically send you a report. It’s easy to make checking this report, and correcting the security oversights it presents, a part of your weekly or monthly routine.
Below are the steps needed to set up an alert for users accessing files or viewing access reports in the Office 365 Security and Compliance portal:
- From within the Office 365 Admin Portal, select Admin Centers->Security & Compliance
- Select Search & Investigation->Audit Log->New Alert Policy
- Enter the name, description, activities (accessed a file) and recipients of the alert.
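Once the alert fires, the events behind it still have to be reviewed. The following is an added example, not part of the original guide or of any Microsoft tooling: it reads audit records for the "accessed a file" activity and lists accounts that opened files in a watched folder without being expected there. It assumes one AuditData JSON object per line, as in an audit log search export; the watched folder, the expected accounts and the contoso.example users are constructed.

```python
import json
from collections import defaultdict

# Constructed sample rows: one AuditData JSON object per line, as found in an
# audit log search export. Users and folders are made up.
SAMPLE_AUDIT_LINES = [
    '{"Operation":"FileAccessed","Workload":"SharePoint","UserId":"hr.lead@contoso.example",'
    '"SourceRelativeUrl":"HR/Salaries","SourceFileName":"salaries.xlsx"}',
    '{"Operation":"FileAccessed","Workload":"SharePoint","UserId":"dev1@contoso.example",'
    '"SourceRelativeUrl":"HR/Salaries/2024","SourceFileName":"salaries-2024.xlsx"}',
    '{"Operation":"FileAccessed","Workload":"SharePoint","UserId":"dev1@contoso.example",'
    '"SourceRelativeUrl":"HR/SalariesFAQ","SourceFileName":"faq.docx"}',
    '{"Operation":"FileModified","Workload":"SharePoint","UserId":"dev1@contoso.example",'
    '"SourceRelativeUrl":"HR/Salaries","SourceFileName":"salaries.xlsx"}',
    '{"Operation":"FileAccessed","Workload":"SharePoint","UserId":"dev1@contoso.ex',  # truncated row
    '{"Operation":"FileAccessed","Workload":"SharePoint","UserId":"Dev1@contoso.example",'
    '"SourceRelativeUrl":"/hr/salaries/","SourceFileName":"bonus.xlsx"}',
]

# Assumption: watched folder -> accounts expected to open files there.
WATCHED = {"HR/Salaries": {"hr.lead@contoso.example"}}


def unexpected_access(lines, watched):
    """Return {(user, watched_folder): [file names]} for unexpected FileAccessed events."""
    hits = defaultdict(list)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # damaged export row: skip it rather than abort the review
        # Only the "accessed a file" activity named in the alert steps is counted.
        if rec.get("Workload") != "SharePoint" or rec.get("Operation") != "FileAccessed":
            continue
        folder = rec.get("SourceRelativeUrl", "").strip("/").lower()
        user = rec.get("UserId", "").lower()
        for watched_folder, allowed in watched.items():
            prefix = watched_folder.strip("/").lower()
            # Match the folder itself or a subfolder, not a sibling like HR/SalariesFAQ.
            inside = folder == prefix or folder.startswith(prefix + "/")
            if inside and user not in {a.lower() for a in allowed}:
                hits[(user, watched_folder)].append(rec.get("SourceFileName", ""))
    return dict(hits)


if __name__ == "__main__":
    for (user, folder), files in unexpected_access(SAMPLE_AUDIT_LINES, WATCHED).items():
        print(f"{user} opened {len(files)} file(s) under {folder}: {', '.join(files)}")
```

An account that shows up here usually points to a permission level granted too broadly or to inheritance that was never broken on the folder, which is the kind of oversight the periodic review is meant to catch.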
We hope this guide provides you with enough information to get started securing your SharePoint Intranet Portal, but if you feel a professional touch may be necessary, give Code A Site a call at 877.228.0901. One of our technical specialists will give you a free consultation on what aspects of your SharePoint security can be improved upon and can work to help create a solution.