Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

SharePoint Security Best Practices

by Neil MacDonald  |  February 25, 2009  |  14 Comments


I’m sure you’ve experienced the growth of SharePoint in your organizations firsthand (and those are only the deployments you know about!). SharePoint is a flexible product with a pretty powerful security architecture and it got even more powerful with the latest release. But with this flexibility comes complexity. In discussions with clients on securing SharePoint deployments, there are several issues that come up again and again. To be clear, it’s not that SharePoint is insecure, it’s that it frequently is deployed insecurely. My colleague, Adam Hils, and I have just completed an in-depth research note outlining the major issues we have observed in SharePoint deployments and our specific recommendations to address them:

Security Considerations and Best Practices for Securing SharePoint

Since Adam covers the network security side of things, we were able to collaborate and provide a comprehensive framework to discuss and address these issues including SharePoint policy and governance, access control, information protection, as well as networking and server protection. In the research, we refer to multiple third party tools that can improve and augment the security of your SharePoint deployments. There are also pointers to additional Gartner research content and advice that will help you securely expand your use of SharePoint.

An entire book could be written about SharePoint Security. Microsoft provides extensive documentation. I found this one to be the best – and it is the size of a small book. Our goal was not to create a SharePoint security tutorial or to rehash the installation documentation. Instead, we wanted to focus on the most pressing issues that we encounter daily in real-world deployments. In other words, what should I be worried about that the installation guide didn’t tell me?


Category: SharePoint Security

14 responses so far ↓

  • 1 Aaron Stillwell   May 7, 2009 at 11:32 am

    We specialize in an enterprise solution that allows organizations to securely extend SharePoint to the extranet. Much more than a provisioning tool, we offer security, compliance and auditing features to ensure a scalable and secure SharePoint extranet deployment.

    Our clients include the US Air Force, Praxair, Covanta Energy & University of Pittsburgh Medical Center.

    For more info, please go to to view our pre-recorded webinars.

  • 2 Richard Blackham   May 13, 2009 at 5:41 am

    Conceived as a solution to remedy ‘Difficulties with enforcing governance’, ‘Security Risks and Compliance Issues’ and ‘Business inefficiencies’, Omada’s SharePoint Governance Manager leverages our award winning Role Engine for managing permissions and site ownerships to ensure that employees and partners have accurate access rights at all times.

    Enterprises now have a solution for resolving site creation chaos, unauthorized access to sensitive data and driving greater efficiencies in the business.

    For more information check the link above for more details and to download a solution sheet.

  • 3 Richard Blackham   May 13, 2009 at 5:42 am

    Sorry here is the link:

  • 4 Neil MacDonald   May 13, 2009 at 7:36 am

    Thanks for sharing these.

    In addition to the ones above, here’s a list of useful security reporting and governance tools out of this research note:

    Quest Software

    If anyone has more, just add them as comments.


  • 5 Charlie Pulfer   July 3, 2009 at 3:17 pm

    The first step for many customers in SharePoint is just to move documents sitting on a file share into a SharePoint document library. Not much thought is given to security. And the standard inheritance security model for SharePoint makes this more difficult. At Titus Labs we’ve developed a set of SharePoint tools that help administrators protect information in SharePoint document libraries.

    For the basics on SharePoint document library security see my YouTube video:

    For more information on our products, see

  • 6 Nick Kharchenko   July 15, 2009 at 9:02 am

    MAPILab provides a very good SharePoint usage reporting solution: MAPILab Statistics for SharePoint. Detailed reports on visitors, documents, lists, search, etc. You can try its free trial version, or look through the online demo:

  • 7 From the Gartner Information Security Summit on SharePoint Security   July 27, 2009 at 8:25 pm

    […] in my conversations with clients that are looking for guidance on where to get started with SharePoint security. I pulled all of this together in this research note on SharePoint security on which the […]

  • 8 Nathi   November 9, 2009 at 9:03 pm

    Hi All

    We implemented WSS 3.0 and extended it as an extranet. We found that session hijacking is possible in the setup. How do we address this issue? Does SharePoint server / ISA provide any way to prevent this?

    All users will be authenticated using forms authentication / AD.

    Need your help. Any suggestions?


  • 10 Six Trends That Will Further Reshape Information Security in 2010   January 4, 2010 at 12:58 pm

    […] and foster secure collaboration with external entities. The massive uptake I see from clients using SharePoint in extranet scenarios is a testament to […]

  • 11 Mehul Doshi   January 5, 2010 at 8:49 am

    Nathi, since you have extended the WSS 3.0 via the public domain, the most critical security piece is to publish via a reverse proxy, which can enable resource cloaking. My personal pick is from vendor F5 Networks, which has Application Security Manager and is supported with the SharePoint application. The vendor has plenty of whitepapers and deployment guides for ease of use and we have good success with the technology. You may also want to think of improving the performance of the portal by 2x to 3x by doing a trial of the web accelerator on the LTM platform. Best of luck.

  • 12 Mehul Doshi   January 5, 2010 at 1:59 pm

    Neil, while many players focus on reporting, engineers at our organization are working to test a vendor by name Coradiant which claims that Real time user monitoring usp would not only enable tracking of web activities but also help in reporting the source of errors. Am not sure if others have similar experience or can share the perspective but the approach by vendors like Coradiant looks promising. Surprising they do not market the product in all the markets, as the focus seems to be restricted to certain regions, which could be the other weak link.

  • 13 Neil MacDonald   January 5, 2010 at 3:14 pm

    re: Coradiant

    Using their own search capability on their site, I don’t get any matches for SharePoint – at least today as I type this.

    It really is a web app performance management solution first and foremost and, yes, most SharePoint access is via a web browser so there should be value. However, what about SharePoint access via Office directly?

    Also the types of things clients look for, they won’t see (inside of SharePoint) – like site growth monitoring, access control lists, and so on.