What You Need to Know About Hidden Permissions in SharePoint

SharePoint has long been a backbone of collaboration and file sharing in Microsoft 365, evolving from its origins as SharePoint Server in 2001. Today, SharePoint Online is a critical, yet often overlooked, component of many organizations' IT infrastructure. It underpins OneDrive for Business and Teams, making data governance a complex task.  

This complexity can lead to significant security risks, especially regarding hidden permissions and user access. We did some digging and found that many organizations are unaware of potential data exfiltration within their SharePoint environments. What's worse, once they are made aware of it, there is little they can do to regain control using Microsoft 365's native tools. 

Picture this: there's a monster hiding under your bed, and there's no way you can see it or do anything about it once you find it.  

In this edition of the 'Sting of Security', we'll explore the hidden dangers lurking within many SharePoint environments and provide strategies for preventing data leakage, exposure, and compliance headaches. 

The Hidden Risks in SharePoint

SharePoint's evolution from an on-premises solution to a cloud-hosted service brings with it some inherent security challenges.  

The Visibility Gap

The primary issue is the lack of visibility into permissions, which can lead to serious security vulnerabilities. Did you know that bad actors, such as hackers or rogue employees, can expose all your company secrets in SharePoint? And that you would have no clue?  

Unlike traditional file systems, SharePoint doesn't provide a straightforward folder hierarchy visualization. When you open a folder, many more folders and files may be inside. To understand who can access what, you have to manually open every folder and file, and each one has several screens and tabs you need to click through. Most companies don't have the resources to do this. 

Manage Access Permissions for each individual folder and file

Hidden Access Behind Groups 

When checking permissions, you can see which groups have access but not the individual members of those groups. Determining the user accounts within a group requires access to various admin portals, which many users, such as department managers, do not have. 

Some group types are only visible in the SharePoint admin center, adding another layer of complexity. This can lead to a situation where permissions are unknowingly granted to a large number of users. 

 

List of groups that have been granted permissions

Permission Levels 

SharePoint Online offers four basic access levels: Owner, Can Edit, Can View, and Can't Download. In contrast, SharePoint Server provides a more detailed permission model with multiple built-in levels and the ability to create custom permissions. Users can create custom permission levels with the same name as built-in ones, such as "read," which can be misleading. The UI shows the built-in permission, not the custom one, leading to potential security oversights.  

This complexity can result in incorrect assumptions about user access, highlighting the need for careful management and monitoring of permissions. 

Hidden Document Libraries 

Typically, a SharePoint site has a single Documents library. Still, you can create additional document libraries and hide them from the site's navigation (so no one else knows they are there), and you can remove everyone else's permissions from such a library so that only your own account has access. This creates an exfiltration channel: an attacker can copy sensitive documents from the site into their hidden library, return regularly to capture the latest versions of files, and then download them to their machine.   

Hidden Document library - only visible to the attacker 
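The three gaps above (groups that hide their real members, custom permission levels that reuse a built-in name, and libraries with unique permissions kept out of navigation) can be surfaced from the site itself. The following PnP PowerShell audit is an added example, not code from the article or from Hornetsecurity's product; it assumes the PnP.PowerShell module, an existing Connect-PnPOnline session, a placeholder site URL, and a tunable list of built-in level names.

```powershell
# Added audit script (not from the article, not Hornetsecurity's product code).
# Assumes PnP.PowerShell and a session opened with, for example:
#   Connect-PnPOnline -Url https://contoso.sharepoint.com/sites/Finance -Interactive
# (the site URL is a placeholder). The script is read-only: it only enumerates.

# 1. Custom permission levels that reuse a built-in name. Built-in levels carry a
#    RoleTypeKind such as Reader or Contributor; custom ones report 'None'.
$builtInNames = @('Full Control', 'Design', 'Edit', 'Contribute', 'Read', 'Limited Access', 'View Only')
Get-PnPRoleDefinition |
    Where-Object { $_.RoleTypeKind -eq 'None' -and $builtInNames -contains $_.Name } |
    ForEach-Object { Write-Warning "Custom permission level reuses built-in name '$($_.Name)' (id $($_.Id))" }

# 2. Document libraries (BaseTemplate 101) with broken inheritance that are kept off
#    the site navigation (OnQuickLaunch = $false) or flagged Hidden.
$suspectLibs = Get-PnPList -Includes HasUniqueRoleAssignments, OnQuickLaunch, Hidden, BaseTemplate |
    Where-Object {
        $_.BaseTemplate -eq 101 -and $_.HasUniqueRoleAssignments -and
        ($_.Hidden -or -not $_.OnQuickLaunch)
    }

# 3. For each such library, list who is granted what, expanding SharePoint groups so the
#    actual grantees appear instead of just a group name.
foreach ($lib in $suspectLibs) {
    $assignments = Get-PnPProperty -ClientObject $lib -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
        if ($ra.Member.PrincipalType -eq 'SharePointGroup') {
            # An Entra ID security group nested in a SharePoint group appears here as a single
            # 'c:0t.c|tenant|<guid>' login; its members still have to be resolved in the admin portals.
            $grantees  = (Get-PnPGroupMember -Group $ra.Member.Title | ForEach-Object { $_.LoginName }) -join '; '
            $principal = "$($ra.Member.Title) (SharePoint group)"
        } else {
            $grantees  = $ra.Member.LoginName
            $principal = $ra.Member.Title
        }
        [PSCustomObject]@{
            Library      = $lib.Title
            OnNavigation = $lib.OnQuickLaunch
            Hidden       = $lib.Hidden
            Principal    = $principal
            Levels       = $levels
            Grantees     = $grantees
        }
    }
}
```

A library that appears in this output with a single user account holding Full Control and no presence in navigation matches the pattern described above and deserves a look at its version history and audit log.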

How to Gain Back Control  

Hornetsecurity's 365 Permission Manager addresses these visibility issues, allowing you to see all users with permissions to a site, folder, or file, including whether these permissions are inherited or unique. It also highlights external sharing activities, providing a comprehensive view of your SharePoint environment. 

  • Detailed Permission Insights: 365 Permission Manager shows you precisely which sites, folders, and documents a user can access, which is crucial for forensic investigations and data governance. 
  • Custom Permission Levels: SharePoint Online's UI can sometimes misrepresent permission levels. Custom permission levels can be created with names identical to built-in ones, leading to potential security oversights. 365 Permission Manager helps identify and manage these custom levels effectively. 
  • Site vs. Document Library Permissions: Custom permissions at the document library level can differ from site-wide permissions and may not be easily changeable through the UI. 365 Permission Manager identifies and helps remediate these discrepancies. 
  • Hidden Document Libraries: Attackers can create hidden document libraries to exfiltrate data unnoticed. 365 Permission Manager can detect these hidden libraries and their permissions, allowing for prompt action. 

If your SharePoint environment is compromised, swift action is essential. Here's how 365 Permission Manager can help you: 

  • Remove User Access: The Offboarding feature allows you to revoke access for compromised accounts instantly, preventing further unauthorized access. 
  • View as Feature: This feature enables you to see your SharePoint environment from the perspective of a specific user, helping identify potential areas of unauthorized access. 
  • Generate Forensic Reports: Detailed reports provide insights into what files were accessed and by whom, aiding in the investigation and remediation of security breaches.

With the right tools and vigilance, you can regain control of your SharePoint environment and protect your organization’s valuable data from hidden threats. 
