Ways (besides educating) to prevent IT staff from elevating privilege in Sharepoint

sunhux
We had a past incident of an IT staff member who elevated his/her SharePoint privilege
to Site Admin.

What are some of the easier ways to prevent this from happening, other
than educating?


Any free tools or low-cost tools are welcome as well.
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
We had a past incident of an IT staff who elevated his/her sharepoint privilege to Site Admin.
I assume this staff member had farm, site collection, etc. rights? Do not assign this level of permission.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Review and adopt least-privileged administration in SharePoint. Ultimately the SharePoint Farm Administrator account is the one that no user should be holding, and that is the one whose activity trail you need to watch over. Users must not have, and do not need, any domain or local admin privileges. Back to basic checks.

  1. Each SharePoint administrator should use a separate account to clearly identify activity performed by that administrator on the farm.
  2. For day-to-day operations, remove two SQL Server server-level roles from all other accounts that are used for SharePoint administration, i.e. dbcreator and securityadmin.
  3. Remove the ability to create new databases from SharePoint Server service accounts. Other than the account under which the timer service runs (typically the farm account), no SharePoint Server service account should have the sysadmin role on the SQL Server instance, and no SharePoint Server service account should be a local Administrator on the server that runs SQL Server.

Review also the audit report generated on a regular basis. Knowing who is taking what action on which content in your site collection can be critical in helping you single out anomalous actions or attempts. It is not a foolproof means, but it acts as a deterrent.

Ideally, having a privileged identity management server to centralise all administration activity through this gatekeeper would be preferred, though at a cost that is worth investing to prevent recurrence and stay on top of critical administrative activities.
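As an added example (not from this thread or from any product mentioned in it) of the regular audit-review idea above, applied to SharePoint Online since the asker is on O365: this script lists the site collection admins of every site in the tenant and flags any not present in an approved baseline file. The tenant admin URL and the baseline file path are placeholders, and it assumes the SharePoint Online Management Shell module is installed.

```powershell
# Added example, not the thread's or any vendor's code: review site collection
# admins across a SharePoint Online tenant against an approved baseline.
# Assumes the SharePoint Online Management Shell module is installed.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl     = "https://contoso-admin.sharepoint.com"      # placeholder tenant admin URL
$BaselinePath = ".\approved-site-admins.txt"                 # constructed: one approved login per line
$ReportPath   = ".\site-admin-review-$(Get-Date -Format yyyyMMdd).csv"

Connect-SPOService -Url $AdminUrl

# Approved admins, normalised to lower case so comparisons are case-insensitive
$approved = Get-Content $BaselinePath |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object { $_ }

$findings = foreach ($site in Get-SPOSite -Limit All) {
    # Get-SPOUser returns the site's users; IsSiteAdmin marks site collection admins
    $admins = Get-SPOUser -Site $site.Url -Limit All | Where-Object { $_.IsSiteAdmin }
    foreach ($admin in $admins) {
        [pscustomobject]@{
            SiteUrl  = $site.Url
            Admin    = $admin.LoginName
            Approved = ($approved -contains $admin.LoginName.ToLowerInvariant())
        }
    }
}

# Keep the full report for the periodic review, and surface only the deviations
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$unexpected = @($findings | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning "Found $($unexpected.Count) site collection admin assignment(s) not on the approved list:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "All site collection admins match the approved baseline."
}
```

Run it on a schedule and diff the CSV against the previous run; a new login appearing with Approved = False is exactly the kind of self-elevation the question describes.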

Author

Commented:
I might have budget for a SharePoint auditing tool to track changes:
any recommendations?

Author

Commented:
Attached is a product brochure that I have in mind, but I am not sure if it helps as I just got it from googling:
it integrates with all SIEMs.
QuestChangeAuditor7_SIEMintegrationG.pdf
btan, Exec Consultant
Distinguished Expert 2018
Commented:
I am thinking of the need for a granular permission-based tool to focus on the designated permissions across SharePoint sites and at farm level. It gives overall oversight of the changes and assignments, which review can catch anomalies in on a regular basis. If alerting is needed, it is best done at SIEM level, which gives more correlated activity on the anomalies.

DeliverPoint is an in-context permissions reporting and management tool for SharePoint.

- Provides daily, weekly, monthly or yearly scheduled reports to enable you to analyze permissions over given periods of time. It can be scoped at Farm, Web Application, Site Collection, or Site level.

- Produces lists of all documents with broken permission inheritance. Reports can be generated by running against a single site, multiple sites, lists, libraries, folders, items and documents, and display all users with permissions granted to that object, exactly how, and assigned by whom.

- Produces a report of all users who have permissions within SharePoint despite their Active Directory account being disabled or deleted.

https://lightningtools.com/products/sharepoint-permissions-management/

Author

Commented:
I forgot to mention we are using SharePoint in the O365 cloud:
so does DeliverPoint work for O365's SharePoint
permissioning as well?
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Yes, it does.
DeliverPoint Professional Add-In for Office 365 SharePoint Online is a permissions management tool that empowers your Site Collection Administrators to be able to report and manage SharePoint permissions more effectively. SharePoint permissions are too important to get wrong! Broken permissions, incorrectly assigned permissions, limited access, and duplicate permissions are some of the issues faced in SharePoint by all organizations. DeliverPoint helps your Site Collection Administrators to be able to take control of the permissions with accurate reporting and the tools to manage permission in bulk.
https://lightningtools.com/products/sharepoint-online-permissions-management-tool/
