Ways (besides educating) to prevent IT staff from elevating privilege in SharePoint

We had a past incident of an IT staff member who elevated his/her SharePoint privilege
to Site Admin.

What are some of the easier ways to prevent this from happening other
than educating?

Any free tools or low-cost tools are welcome as well.
Shaun Vermaak (Technical Specialist) commented:
"We had a past incident of an IT staff member who elevated his/her SharePoint privilege to Site Admin."
I assume this staff member had farm, site collection etc. rights? Do not assign this level of permission.
btan (Exec Consultant) commented:
Review and adopt least-privileged administration in SharePoint. Ultimately the SharePoint Farm Administrator account is the one that no user should be holding, and that is the one whose activity trails you need to watch over. The user must not, and does not need to, have any domain or local admin privileges. Back to basic checks:
  1. Each SharePoint administrator should use a separate account to clearly identify activity performed by the administrator on the farm.
  2. For day-to-day operations, remove two SQL Server server-level roles, i.e. dbcreator and securityadmin, from all other accounts that are used for SharePoint administration.
  3. Remove the ability to create new databases from SharePoint Server service accounts. Other than the account under which the timer service runs (typically the farm account), no SharePoint Server service account should have the sysadmin role on the SQL Server instance and no SharePoint Server service account should be a local Administrator on the server that runs SQL Server.

Review also the audit report generated on a regular basis. Knowing who is taking what action on which content in your site collection can be critical in helping you single out anomalous actions or attempts. It is not a foolproof means but acts as a deterrent.

Ideally, having a privileged identity management server to centralise all administration activity through this gatekeeper would be preferred, though at a cost that is worth investing to prevent recurrence and to stay on top of critical administrative activities.
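One low-cost way to put the "review the audit trail" advice above into practice for SharePoint Online, as an added example that is not part of this thread: snapshot the Site Collection Administrators of every site collection and diff against the previous run, so a newly added admin stands out for review. It assumes the SharePoint Online Management Shell module is installed, that `<tenant>` is a placeholder for your tenant name, and that `.\sca-baseline.json` is where you keep the last snapshot.

```powershell
# Added example (not from this thread): snapshot the Site Collection
# Administrators of every site collection in SharePoint Online and diff the
# result against the previous run, so a newly added admin (the scenario in
# the question) shows up for review instead of going unnoticed.
# Assumptions: the SharePoint Online Management Shell module is installed,
# <tenant> is a placeholder for your tenant name, and the account running
# this is a site collection admin on the sites it inspects.

Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

$baselinePath = ".\sca-baseline.json"   # assumed location of the last snapshot

# 1. Collect the current admins per site collection.
$current = @{}
foreach ($site in Get-SPOSite -Limit All) {
    try {
        $admins = Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
                  Where-Object { $_.IsSiteAdmin } |
                  Select-Object -ExpandProperty LoginName
        $current[$site.Url] = @($admins)
    }
    catch {
        # Typically means the running account is not an admin on this site.
        Write-Warning "Could not enumerate $($site.Url): $($_.Exception.Message)"
    }
}

# 2. Compare with the previous snapshot and flag additions.
if (Test-Path $baselinePath) {
    $baseline = Get-Content $baselinePath -Raw | ConvertFrom-Json
    foreach ($url in $current.Keys) {
        $previous = @($baseline.$url)          # empty if the site is new
        foreach ($login in $current[$url]) {
            if ($previous -notcontains $login) {
                Write-Warning "NEW Site Collection Admin on $url : $login"
            }
        }
    }
}

# 3. Persist this run as the baseline for the next comparison.
ConvertTo-Json -InputObject $current -Depth 3 | Set-Content $baselinePath
```

Run it on a schedule and forward the warnings to your SIEM or ticketing system; unlike a one-off audit report, the diff tells you who holds the role today and who was added since the last check.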
sunhux (Author) commented:
I might have budget for a SharePoint auditing tool to track changes:
any recommendations?
sunhux (Author) commented:
Attached is a product's brochure that I have in mind, but I'm not sure if it helps as I just got it from googling:
it integrates with all SIEMs.
btan (Exec Consultant) commented:
I am thinking of the need for a granular permission-based tool to focus on the designated permissions across SharePoint sites and at farm level. It gives overall oversight of the changes and assignments, whose review can catch anomalies on a regular basis. If alerting is needed, it is best done at SIEM level, which gives more correlated activities on the anomalies.

DeliverPoint is an in-context permissions reporting and management tool for SharePoint.

- Provides daily, weekly, monthly or yearly scheduled reports to enable you to analyze permissions over given periods of time. It can be scoped at Farm, Web Application, Site Collection, or Site level.

- Produces lists of all documents with broken permission inheritance. The report can be generated by running against a single site, multiple sites, lists, libraries, folders, items and documents; it displays all users with permissions granted to that object, exactly how, and assigned by whom.

- Produces a report of all users who have permissions within SharePoint, despite the Active Directory Account being disabled or deleted.


sunhux (Author) commented:
I forgot to mention we are using SharePoint in the O365 cloud:
so does DeliverPoint work for O365's SharePoint
permissioning as well?
btan (Exec Consultant) commented:
Yes it does
DeliverPoint Professional Add-In for Office 365 SharePoint Online is a permissions management tool that empowers your Site Collection Administrators to be able to report and manage SharePoint permissions more effectively. SharePoint permissions are too important to get wrong! Broken permissions, incorrectly assigned permissions, limited access, and duplicate permissions are some of the issues faced in SharePoint by all organizations. DeliverPoint helps your Site Collection Administrators to be able to take control of the permissions with accurate reporting and the tools to manage permission in bulk.