According to a story released by ZDNet, Canadian and Saudi Arabian cybersecurity agencies warned that hacking attempts had been made against Microsoft SharePoint servers on both corporate and government networks. This blog article covers two preventative steps to apply to your SharePoint servers, and 5 best practices to keep your SharePoint servers and all of your information secure.
Two security vulnerabilities affecting SharePoint Server 2010, 2013, 2016, and 2019 have provided a way for attackers to run code on your SharePoint servers as an application pool account or the farm account. These vulnerabilities do not affect SharePoint Online.
- CVE-2019-0604 Microsoft SharePoint Remote Code Execution Vulnerability
- CVE-2019-0778 Microsoft Office SharePoint XSS Vulnerability
Microsoft has released security hotfixes that remove these vulnerabilities from a SharePoint farm, and it is critical that SharePoint administrators install these hotfixes immediately in all SharePoint farms. The Microsoft Security Response Center articles provide links to the specific security hotfixes; alternatively, the hotfixes are included in the latest Cumulative Updates (CU) for these products. See SharePoint Updates for links to download a CU.
A Brief SharePoint Update Refresher
When installing SharePoint updates, there are two steps that must be performed on every server in the farm running SharePoint:
- Install the update by running the executable or installation package. Reboot if prompted.
- Run the SharePoint Products and Configuration Wizard on each server in the farm, ensuring it completes successfully. If it fails, review the upgrade logs and troubleshoot as necessary.
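The two steps above, scripted for a single server as an added example (this is not code from the original article). It assumes SharePoint 2016 or 2019 (hive folder "16"; use "15" for 2013 and "14" for 2010), an elevated PowerShell session running as the setup account, and a placeholder hotfix path that you replace with the package linked from the MSRC article.

```powershell
# Added example, not code from the original article: apply one security hotfix on a
# single SharePoint server, run the configuration wizard, then confirm the farm build.
# Assumptions: hive "16" (2016/2019), elevated session as the setup account, and a
# placeholder package path that must be replaced with the real hotfix file.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

$HotfixPackage = 'C:\Patches\PLACEHOLDER-sharepoint-security-hotfix.exe'  # placeholder, not a real file name
$Hive          = '16'
$PsConfig      = Join-Path $env:CommonProgramFiles "microsoft shared\Web Server Extensions\$Hive\BIN\psconfig.exe"

function Install-SPHotfix {
    param([string]$Package)
    # Step 1: run the installer without prompts; exit 3010 means "installed, reboot required".
    $proc = Start-Process -FilePath $Package -ArgumentList '/passive', '/norestart' -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'installed' }
        3010    { return 'reboot-required' }
        default { throw "Hotfix installer failed with exit code $($proc.ExitCode); check the installer log before continuing." }
    }
}

function Invoke-SPConfigWizard {
    # Step 2: the command-line form of the Products Configuration Wizard in upgrade mode.
    $cmdArgs = '-cmd upgrade -inplace b2b -wait -cmd applicationcontent -install -cmd installfeatures -cmd secureresources'
    $proc = Start-Process -FilePath $PsConfig -ArgumentList $cmdArgs -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "psconfig exited with $($proc.ExitCode); review the Upgrade-*.log files in the $Hive\LOGS folder."
    }
}

$state = Install-SPHotfix -Package $HotfixPackage
if ($state -eq 'reboot-required') {
    Write-Warning 'Restart this server, then run Invoke-SPConfigWizard before moving to the next server.'
} else {
    Invoke-SPConfigWizard
}

# Verification: the farm build, and whether any SharePoint server still needs the wizard.
"Farm build: $((Get-SPFarm).BuildVersion)"
Get-SPProduct -Local | Out-Null   # refresh this server's patch inventory in the configuration database
Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | Select-Object Address, Role, NeedsUpgrade
```

Repeat this on every server in the farm; a server whose NeedsUpgrade column still reads True has not completed step 2, and the farm should not be considered patched until that column is False everywhere.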
These vulnerabilities provide a way for an attacker to run code on a SharePoint server as the farm account. In most SharePoint farms the farm account has access (or can gain access) to all content stored in the farm so the impact of these vulnerabilities is considerable for organizations using SharePoint to store records, proprietary information, and personal data.
In April 2019, the Canadian Centre for Cyber Security issued an alert advising SharePoint administrators to patch their SharePoint farms because these vulnerabilities were being exploited to run the China Chopper Web Shell, an easy-to-use interface for connecting to and running code on a compromised machine. See China Chopper Malware affecting SharePoint Servers. Besides SharePoint, this web shell targets web servers serving ASPX, ASP, PHP, JSP, and CFM pages on Windows and Linux. The server-side code is small, under 100 bytes, so it can be easy to miss, but there are methods to detect it. Many of the popular antivirus products will now detect and remove the China Chopper web shell.
Security vendor FireEye published a 2-part series exploring the China Chopper Web Shell:
- Breaking Down the China Chopper Web Shell - Part I
- Breaking Down the China Chopper Web Shell - Part II
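One of the detection methods the article alludes to, as an added example that is not code from the article or from FireEye: a file hunt over the SharePoint IIS roots that flags script files which are tiny and recently modified, or whose content matches the indicator the FireEye write-ups describe (a one-line eval over a request parameter). The scan roots, size threshold, age window and regular expressions are assumptions to adjust for your farm; the sample files it creates are constructed for an offline dry run, and the marker file is not a working page.

```powershell
# Added example, not from the article or FireEye: hunt for China Chopper style files
# under the SharePoint web roots. Roots, thresholds and indicator patterns are assumptions.
$ScanRoots  = @(
    'C:\inetpub\wwwroot\wss\VirtualDirectories',
    (Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS')
)
$Extensions = '*.aspx', '*.ashx', '*.asmx', '*.php', '*.jsp'
$MaxBytes   = 200                      # the real shell is well under 100 bytes
$NewerThan  = (Get-Date).AddDays(-30)  # anything written since the last patch window
$Indicators = @(
    'eval\s*\(\s*Request\.Item',                       # eval over a request parameter
    'Request\.Item\s*\[[^\]]*\]\s*,\s*"unsafe"'        # the JScript "unsafe" eval form
)

function Find-SuspiciousWebFiles {
    param([string[]]$Roots, [string[]]$Patterns)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
            ForEach-Object {
                $reasons = @()
                if ($_.Length -le $MaxBytes)       { $reasons += "tiny file ($($_.Length) bytes)" }
                if ($_.LastWriteTime -gt $NewerThan) { $reasons += "modified $($_.LastWriteTime)" }
                $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
                foreach ($p in $Patterns) {
                    if ($text -match $p) { $reasons += "matches indicator '$p'" }
                }
                # Report on any content indicator, or when a file is both tiny and freshly written.
                $contentHit = @($reasons | Where-Object { $_ -like 'matches indicator*' }).Count -gt 0
                if ($contentHit -or $reasons.Count -ge 2) {
                    [pscustomobject]@{ Path = $_.FullName; Reasons = ($reasons -join '; ') }
                }
            }
    }
}

# Constructed sample data so the scan can be tried offline: one benign page and one marker
# that matches the first indicator without being a runnable page.
$sample = Join-Path $env:TEMP 'sp-webshell-scan-demo'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
Set-Content -Path (Join-Path $sample 'benign.aspx') -Value ('<%@ Page Language="C#" %>' + ('<!-- padding -->' * 40))
Set-Content -Path (Join-Path $sample 'marker.aspx') -Value '<!-- constructed indicator marker, not a working page --> eval(Request.Item["k"])'

Find-SuspiciousWebFiles -Roots ($ScanRoots + $sample) -Patterns $Indicators | Format-Table -AutoSize
```

On the constructed data only marker.aspx is reported (tiny, freshly written, and matching an indicator); the padded benign page is recent but large and clean, so it is not. Run the scan on a schedule and baseline the LAYOUTS folder after each CU, because legitimate patching also rewrites files there and would otherwise trip the age check.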
5 Best Practice SharePoint Security Tips
- Ensure SharePoint service accounts (farm, web application pools, service application pools, crawl accounts, etc.) are NOT local machine administrators on any machine in the domain, including the SharePoint and SQL Servers in the farm.
- Keep SharePoint up to date by installing Cumulative Updates every month. Install security hotfixes ASAP after release.
- Only publish SharePoint sites externally if there is a clear business reason to do so, and when publishing use a reverse proxy to control access to the published sites.
- Use HTTPS and certificates to encrypt connections to the SharePoint servers.
- Keep server-level antivirus systems up-to-date and use a SharePoint antivirus solution to ensure content is scanned when uploaded and downloaded.
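A check for the first best practice, as an added example that is not code from the article: it compares the accounts the farm knows as managed accounts with the local Administrators group on each SharePoint server. The comparison itself is a pure function exercised on constructed data; the live collection below it assumes the SharePoint snap-in, PowerShell remoting to every server, Windows Server 2016 or later for Get-LocalGroupMember, and a session running as the setup account. Crawl accounts that are not registered as managed accounts must be added to the list by hand.

```powershell
# Added example, not from the article: flag SharePoint service accounts that are members
# of the local Administrators group on any SharePoint server in the farm.
function Find-ServiceAccountAdmins {
    param([hashtable]$AdminsByServer, [string[]]$Accounts)
    foreach ($server in $AdminsByServer.Keys) {
        foreach ($account in $Accounts) {
            # Managed accounts and local group members both use the DOMAIN\user form;
            # -contains compares case-insensitively.
            if ($AdminsByServer[$server] -contains $account) {
                [pscustomobject]@{ Server = $server; Account = $account; Finding = 'service account is a local Administrator' }
            }
        }
    }
}

# Constructed data (server names and accounts are made up) to show the output offline.
$demoAdmins = @{
    'SP-WFE01' = @('CORP\Domain Admins', 'CORP\svc-spfarm')
    'SP-APP01' = @('CORP\Domain Admins')
}
Find-ServiceAccountAdmins -AdminsByServer $demoAdmins -Accounts @('CORP\svc-spfarm', 'CORP\svc-spapppool') | Format-Table -AutoSize

# Live collection against the farm (requires the snap-in, remoting and Get-LocalGroupMember).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
$accounts = Get-SPManagedAccount | Select-Object -ExpandProperty UserName
$servers  = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | Select-Object -ExpandProperty Address
$liveAdmins = @{}
foreach ($s in $servers) {
    $liveAdmins[$s] = Invoke-Command -ComputerName $s -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }
}
Find-ServiceAccountAdmins -AdminsByServer $liveAdmins -Accounts $accounts | Format-Table -AutoSize
```

The constructed data yields a single finding, CORP\svc-spfarm on SP-WFE01. Note that a service account can also inherit local admin rights through a domain group (Domain Admins is the usual culprit), so extend the live collection to expand group membership if your farm accounts are placed in groups.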
Following these five best practices and staying informed on the newest SharePoint features and updates will help you stay vigilant in protecting your business-critical information. In addition, using solutions that enhance and fortify your Microsoft environment, such as Collabspace, will ensure that you have properly secured and backed up your data.
*Article thumbnail image courtesy of Microsoft Azure