Gartner Blog Network

SharePoint Security Best Practices

by Neil MacDonald  |  February 25, 2009  |  14 Comments


I’m sure you’ve experienced the growth of SharePoint in your organizations firsthand (and those are only the deployments you know about!). SharePoint is a flexible product with a pretty powerful security architecture and it got even more powerful with the latest release. But with this flexibility comes complexity. In discussions with clients on securing SharePoint deployments, there are several issues that come up again and again. To be clear, it’s not that SharePoint is insecure, it’s that it frequently is deployed insecurely. My colleague, Adam Hils, and I have just completed an in-depth research note outlining the major issues we have observed in SharePoint deployments and our specific recommendations to address them:

Security Considerations and Best Practices for Securing SharePoint

Since Adam covers the network security side of things, we were able to collaborate and provide a comprehensive framework to discuss and address these issues including SharePoint policy and governance, access control, information protection, as well as networking and server protection. In the research, we refer to multiple third party tools that can improve and augment the security of your SharePoint deployments. There are also pointers to additional Gartner research content and advice that will help you securely expand your use of SharePoint.

An entire book could be written about SharePoint Security. Microsoft provides extensive documentation. I found this one to be the best – and it is the size of a small book. Our goal was not to create a SharePoint security tutorial or to rehash the installation documentation. Instead, we wanted to focus on the most pressing issues that we encounter daily in real-world deployments. In other words, what should I be worried about that the installation guide didn’t tell me?


Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on SharePoint Security Best Practices

  1. We specialize in an enterprise solution that allows organizations to securely extend SharePoint to the extranet. Much more than a provisioning tool, we offer security, compliance and auditing features to ensure a scalable and secure SharePoint extranet deployment.

    Our clients include the US Air Force, Praxair, Covanta Energy & University of Pittsburgh Medical Center.

    For more info, please go to to view our pre-recorded webinars.

  2. Conceived as a solution to remedy ‘Difficulties with enforcing governance’, ‘Security Risks and Compliance Issues’ and ‘Business inefficiencies’, Omada’s SharePoint Governance Manager leverages our award winning Role Engine for managing permissions and site ownerships to ensure that employees and partners have accurate access rights at all times.

    Enterprises now have a solution for resolving site creation chaos, unauthorized access to sensitive data and driving greater efficiencies in the business.

    For more information check the link above for more details and to download a solution sheet.

  3. Neil MacDonald says:

    Thanks for sharing these.

    In addition to the ones above, here’s a list of useful security reporting and governance tools out of this research note:

    Quest Software

    If anyone has more, just add them as comments.


  4. The first step for many customers in SharePoint is just to move documents sitting on a file share into a SharePoint document library. Not much thought is given to security. And the standard inheritance security model for SharePoint makes this more difficult. At Titus Labs we’ve developed a set of SharePoint tools that help administrators protect information in SharePoint document libraries.

    For the basics on SharePoint document library security see my YouTube video:

    For more information on our products, see

  5. MAPILab provides a very good SharePoint usage reporting solution: MAPILab Statistics for SharePoint. Detailed reports on visitors, documents, lists, search, etc. You can try its free trial version, or look through the online demo:

  6. […] in my conversations with clients that are looking for guidance on where to get started with SharePoint security. I pulled all of this together in this research note on SharePoint security on which the […]

  7. Nathi says:

    Hi All

    We implemented WSS3.0 and extended as extranet. We found that session hijacking is possible in the setup. How do we address this issue? Does SharePoint server / ISA provide any way to prevent this?

    All users will be authenticated using forms authentication / AD.

    Need your help. Any suggestions?


  8. […] This post was mentioned on Twitter by Sam Hunt, SharePoint. SharePoint said: RT @proactivedefend News Update: SharePoint Security Best Practices […]

  9. […] and foster secure collaboration with external entities. The massive uptake I see from clients using SharePoint in extranet scenarios is a testament to […]

  10. Mehul Doshi says:

    Nathi, since you have extended the WSS 3.0 via the public domain, the most critical security piece is to publish via reverse proxy, which can enable resource cloaking. My personal pick is from vendor F5 Networks, which has Application Security Manager and is supported with the SharePoint application. The vendor has plenty of whitepapers and deployment guides for ease of use and we have good success with the technology. You may also want to think of improving the performance of the portal by 2x to 3x by doing a trial of web accelerator on the LTM platform. Best of luck.

  11. Mehul Doshi says:

    Neil, while many players focus on reporting, engineers at our organization are working to test a vendor by the name of Coradiant, which claims that Real time user monitoring USP would not only enable tracking of web activities but also help in reporting the source of errors. Am not sure if others have similar experience or can share the perspective, but the approach by vendors like Coradiant looks promising. Surprisingly, they do not market the product in all the markets, as the focus seems to be restricted to certain regions, which could be the other weak link.

  12. Neil MacDonald says:

    re: Coradiant

    Using their own search capability on their site, I don’t get any matches for SharePoint – at least today as I type this.

    It really is a web app performance management solution first and foremost and, yes, most SharePoint access is via a web browser so there should be value. However, what about SharePoint access via Office directly?

    Also the types of things clients look for, they won’t see (inside of SharePoint) – like site growth monitoring, access control lists, and so on.

