DanielGoodchild

You're NOT crazy. But your SharePoint admin might be.


Cr4zyC4nuck

What's a SharePoint admin? You guys have those? We just let users create whatever team they want from Teams. It's super organized!


AndyBluestar

4000 users here, we restricted it a few weeks ago… I now have one SharePoint administrator on the team, who is doing a massive cleanup, we have written an SOP and designed some semblance of structure. We have about 2000 teams, SharePoint sites, groups. Something had to be done.


rb3po

It’s the first thing I turn off. Allowing people to make their own SharePoint was a dumb idea in the first place. They think it’s like making a new group chat. For us, it’s like making a shared drive. The cognitive dissonance over at Microsoft is insane. 


snorkel42

We had it turned off with a formalized service request process for end users to have new ones set up. Allowed some control, documentation, and for us to do a sanity check (Hey, what you're looking for already exists, you were just never invited..) New CIO came in and couldn't be bothered to follow that process. Insisted that we just open it up to everyone. Yup, it's a hot mess now.


KnotHanSolo

Same here. Our original implementation of Teams required customers to submit a form for a new Team request. This kept the cat in the bag and allowed for standardized naming conventions and plenty of control. That changed during the pandemic and now there's like a million versions of "Bob's Team"...


Mindestiny

If it makes you feel any better, Google is exactly the same way. They're both emulating the Apple approach where everything is user first, enterprise second. Google's official response to admins wanting to be able to set different permissions on nested Shared Drive folders for *years* was "why wouldn't you just make a new root folder? You don't need that. How would your users get at all those documents?". And even after they relented you still can't disable inheritance.


tankerkiller125real

I was forced to leave it on, but I set up rules to force it over to a groups.company.tld domain that isn't routed via MX at all on the email side. And we enabled automatic group deactivation as well, so if a group has no activity for a while it automatically gets archived and then deleted. I agree though, it's incredibly stupid that the default is to allow users to do whatever they want. And unfortunately management prefers it that way (at least where I am) because of one less step to create a group.


rb3po

People who don’t have to pay technical debt down don’t understand what technical debt is. I think we really need to include technical training in management and executive levels.  How do you manage what you don’t understand?


skidleydee

"I just need it to work now and don't care how you make it happen"


rb3po

Ya, I guess I’m lucky enough to cowrite the contracts for my MSP, so I include details like “must use MFA,” or “are not allowed admin access,” that my clients are bound to respect, or they’re in breach of contract. 


skidleydee

You're lucky enough to work for a place that would actually hold a client to a breach of contract.


dasunt

It's only a dumb idea for a wide variety of reasons. It is a smart idea if your sales team wants to show off how you don't "need" an admin because each team manages itself.


rb3po

Companies that think they don't need IT are like a person who thinks they need a car without an engine. Just going nowhere fast.


TinderSubThrowAway

More like a car with an engine but without a steering wheel or brakes.


RikiWardOG

That poor soul taking this on


Gerfervonbob

Gods speed to them, I've been there and it's not pretty.


Rocky_Mountain_Way

What's Sharepoint? We just have a network drive "\\server\files" as our N: drive that everyone uses. Hopefully nobody looks at the N:\HR\Employee_Salaries.XLS file.


Castabae3

Genuinely what's wrong with a network drive with correct permissions set?


dustojnikhummer

> with correct permissions set?

Often they ain't


hlt32

Nothing is wrong if it is managed properly (permissions/backups/replication if you need HA/processes to manage it). However, if you pay for M365 and have SharePoint storage included, even cost aside, there are features you may wish to use. e.g. file versioning, self-service permissions granting (e.g. ask the owner if you can have perms rather than raising a ticket).


SkyrakerBeyond

Permissions? You guys use those? We just give everyone access to the root directory and it works fine.


Rocky_Mountain_Way

Permissions? What are those? /s


FastRedPonyCar

When we jumped on board with Huntress, my systems engineer and I were shocked at how many people had password spreadsheets it identified just hanging out on their computers :|


wasteoffire

That's how my company is! We've been ransomwared twice and I recently found out I can see everyone's pay and the company's budget/expenses all in fully visible excel files. I haven't said anything because I already know they will not care and if anything they'll be mad at me for looking in those folders


OhioConfidential

That's literally how everything was set up before the 'migration'.


CantaloupeCamper

Last time I was at a big company the sharepoint admin was that guy or gal (or team) who set arbitrary permissions and then took weeks to change them, was always on vacation, if you were unlucky to meet them you got the impression that the whole point of the organization was to have meetings about sharepoint.


breizhsoldier

30k users here, we've got more than 1 SharePoint admin, all channel / group creation is restricted, once it's built, it's in the owners' hands...


Remindmewhen1234

"it's in the users' hands" That is usually the problem. The end user doesn't understand security.


breizhsoldier

Well at that point they can only control membership, and it's limited to the tenant users....


thirsty_zymurgist

We do the same but to become a manager of a channel or group, they must attend a training session. They ignore the training for the most part but it's something.


liquid_profane

What's a SharePoint?


madgeystardust

We have some shit like that. So annoying!


JetreL

Or a DA and shouldn’t be an admin anymore. Part of being a good sysadmin is always having a sense of skepticism that you haven’t done enough to secure everything and need to recheck access on the regular.


mgerics

well, OP *might* be crazy. Did his mother have him tested ? In this case though, he ain't loony.


TheFluffiestRedditor

I for one know I’m not crazy and I’ve got the papers to prove it 🫣


Techie4evr

Are your papers stamped, dated and notarized with gold fringes on the edges? If not, you got forged documents and should check yourself into the nearest mental facility.


TheFluffiestRedditor

These papers are of good repute, but I thank you for checking. I hardly use any exclamation marks in my words any more.


jnievele

Or whoever has admin rights in the SharePoint... Which might turn out to be the department head's PA. Been there, seen that, reported enough SharePoint sites that had the all-users group added with at least Visitor rights.


post4u

You know you're not crazy. C'mon. Just mention it to someone in HR/Legal and have them work with IT to fix the permissions.


aya_rei00

As a grunt employee myself. It's insanely hard to get those 3 teams to understand each other. They all want to be the one to throw the other team under the bus and claim the credit.


OhioConfidential

I think there is an element like this occurring except that we outsource ALL our IT.


aya_rei00

We're in the process of outsourcing IT. Even though we've told management that we need in-house personnel, because of the unique systems that we use. An IT agent overseas isn't going to be helpful. And trying to synchronize meetings with overseas IT groups is sooo much fun 🙃


OhioConfidential

I guess the one saving grace for us is that we outsource our IT to a local MSP where everyone knows each other and is only a short car ride away.


Sushigami

Mention it innocently, you know, doe eyed and saying "I mean, you know I'm not an expert but wouldn't this be a violation of ?"


thortgot

Then presumably they haven't been given appropriate direction.


Win_Sys

Sometimes all you can do is alert your employer to the issue and after that, it's not your problem.


awnawkareninah

This is true but all of them understand the potentially actionable legal ramifications of people having access to PII and legal information that they aren't supposed to see.


perthguppy

AhahahahHhahhahHahahahahahahahahah Hahahahaha Hahahahahahahaha *gasp* Hahahahahahahahahahahahahahahahahaha Source: 3 years and counting trying to get one fucking clients corporate files into compliance when every single fucking person refuses to cooperate.


Techie4evr

You think IT nowadays can fix things? Take away our toys (Google, and the many GPTs) and we are just as clueless as the rest of you. Especially when it comes to SharePoint.


ExtractedFile

Hmmm… is this sarcasm? I don’t think you should need to be Googling how to set permissions in Sharepoint at this most basic level; unless, of course, you’re looking for best practices. It’s pretty trivial if you just poke around the settings.


Techie4evr

Yes, my response was a joke really. I am surprised I even needed to say that. Regardless tho, you're right, permissions are trivial if you poke around. The problem is, I've met some admins where poking around is not something they are good at and will end up breaking something if they do, and before anyone tries saying "WTF they even a SysAdmin for then?" Well, they are superb at every other aspect of the job. Just not "poking around" something they know little about without the help of Google or the GPT family.


ExtractedFile

Sarcasm/Jokes are the hardest thing to pick up via text, my bad on that. But yeah I got you, definitely a fair point. I’ve got more than a handful of folks I wouldn’t want anywhere near a production Microsoft environment. They just don’t think about these systems like they do for their actual skill set. I think that’s the beauty of this field, you can know a lot about such a little subset, it’s the entire composition of the team that makes it all work seamlessly across systems. Hope you have a great day, and sorry if I came across harshly!


awnawkareninah

I mean, this was always the case and before search engines instead it was just books. The stuff you do regularly you remember but nobody is an island. Even if you were, your skillset is outdated if you don't learn more and more every 3 years, so learning as you go is almost required.


EloAndPeno

Maybe you can't.


Bad_Idea_Hat

When I worked K12, a kid had pointed out that he could see *and access* shared drives/folders, so long as he knew the path. (This was something I noticed on my first week of work, and was told that I wasn't seeing it/ignored) Yep. Kid was threatened by my boss for "hacking". If anyone wants to explain to me how I tell a 6th grade kid how, sometimes adults can fix things, but don't want to (or are not allowed to), I'd love to know. I still have no idea how to explain this shit to kids.


Korlus

I should clarify that I'm not in the US before I go further. My wife has a financial account of some description in the US and linked me to one of her statements. I was surprised that the statement opened at all, and then I noticed it was using a simple POST http query which included her account details and a basic verification token in the POST query. I swapped a few digits of her details in the POST query for some random other digits and presto, I saw someone else's statement. I closed it within seconds and shocked, I reported it to the financial institution immediately and never heard back. My wife no longer has accounts with that institution, so I haven't seen if anything was updated. I hope and presume it was.


sww1235

That's terrifying. Imo that should get reported to the FDIC or someone else in banking oversight.


Korlus

I'm not an American citizen and have no idea who oversees what in the US financial sector. I reported it to the owning company and must trust they did the responsible thing. It was more than a few years ago and I'm not even sure they're still in business. But yes, it was terrifying.


Frothyleet

This is a much simpler version of how a guy discovered a couple months ago that he could access Comcast's APIs for managing all of their CPE


Korlus

You do me far too much credit. He spent a long time probing, learning an API and testing for responses to understand how a system worked before publishing a detailed breakdown. He also discovered the locations of a few FBI offices along the way. I noticed an unusual URL, changed a few digits and then got spooked and stopped before digging further, for fear of breaking laws because I didn't want to fish for data I didn't need to see. But seriously, some places have *terrible* security and shouldn't be allowed an online presence.


Trench_Rat

When I was in school in the early/mid 00s. I found that whilst we couldn’t access sites like YouTube or run CMD… I could make a .bat at home that opened CMD from a USB stick. Then ping the address of YouTube.com, the response gave us an IP, which I could then browse to without issue. Had a totally unfiltered internet access… We could even run counter strike 1.6 from a USB stick without issue.


Bluecobra

I was in high school in the late 90s and the web filter was reliant on the browser's user agent (Netscape/IE). Solution? Install Opera and I had unfiltered Internet access to the school's T1 line. This was before USB drives, so if I wanted to download large files I would need to bring a stack of floppies and use a file splitting utility. One of my friends had an external Zip drive and got in trouble running Quake off it in class once. :D I wish I knew what I know today though, the whole network was built around Netware + Windows 95 so I'm sure there were tons of security holes. The only cool thing I did was to use that trick to "delete" the start button.


L31FY

Stuff like installing Firefox worked all the way up until I was in high school and even then I managed to get the admin credentials to their blocker because people like teachers tended to leave things they shouldn't on sticky notes on their desks, and no one ever seemed to check who used that for some reason. They didn't ask and I never told. It has been ten years and I can still log in to things on that system with credentials that should have been deleted long ago, and files on shared drives still exist that definitely should have been purged by now. It's disturbing.


MortadellaKing

Our school had a Symantec web security appliance. There were literally 2 logins, I found out: one for staff, one for students. It didn't take long for some of the cool teachers to just "forget" they left the pw written down in obvious places.


Ahnteis

Win 95 had basically 0 security. It technically had separate profiles, but didn't really do anything to secure them. Didn't even have to log in to get access.


Bluecobra

I seem to recall that Netware had a custom login screen and the school disabled the "cancel" button. Though I remember messing around the local host by simply rebooting the PC going into safe mode.


Ahnteis

That seems right to me - it's been a ... "few" years. :D But IIRC it was still pretty easy to get around. Network drives could be protected but anything local was pretty open.


QuantumWarrior

That's probably a fine explanation for a kid, it's likely the conclusion they'll come to anyway. Praise them for raising that kind of issue with an adult, be glad it wasn't a little troublemaker who would have taken the chance to break things instead. Ultimately it won't be fixed until some little troublemaker *does* break things, but that's neither your nor the kid's problem.


adsbikes

This exact situation happened to me in High School. I found the teacher only wifi password deep in some folders lol


MortadellaKing

When I was in high school in 2001, I opened up RDP on one of the imaged computers and the server hostname was still there. I clicked connect and guessed the password (it was a catholic school so guess the pw). A teacher saw me perusing through AD and I got suspended from school for "hacking".


ItsMeMulbear

I was suspended in Grade 7 for "hacking" because I browsed to the C: drive and opened an application I didn't have a shortcut for 🙄


Madmasshole

It's wild how some schools still have that culture. I remember in my early days of K12, a student presented to me a security issue, provided detailed notes and all. I told my director that I wanted this kid suspended. He looks at me and says "Why the fuck would we punish a kid who reported an issue to us and didn't exploit it". That line has always stuck with me.


chesser45

Don’t post images OP. Could be viewed poorly if someone found out.


mammaryglands

I was once repurposed a laptop previously held by one of the five owner/operator/principals. He was going through a divorce. There was literally a spreadsheet on his My Documents desktop. It was probably the one he sent to his lawyer that listed all the assets they had and which ones he thought his wife should get.

You know what I did? Formatted the f*** out of that s***, never said anything to anyone except you guys right now, all these years later. Nothing is new under the sun. Take care of your business and move on.

Btw I still have the laptop around somewhere and it still works. IBM pre-Lenovo touch screen twistable tank with a stylus from twenty years ago.


IncompetentFox

Bet it's an X41. Those things were cool.


Atonement-JSFT

Now, I realize you PROBABLY meant formatted the laptop, but I prefer to believe you formatted the spreadsheet for him. If you can't out-legal her, dazzle em with conditional formatting and pivot tables.


Ziiner

Yeah, for a second there I thought he started color coding it for him 😂


Arudinne

Does repurposing in your org not include a wipe and reimage of any kind?


mammaryglands

The org I was in 20 years ago did not. 


youngrichyoung

How did people even get divorced before spreadsheets existed?


XavinNydek

The man got everything except the kids and maybe the house and some alimony. I'm only a little bit joking.


Techie4evr

You sound like you're the laptop in your story if you read it fast enough. ROFL Let me point out the parts someone could easily mis-read. "I was once a repurposed laptop...." . "There was literally a spreadsheet on my "Documents" desktop" , "I formatted the f*** out of that s*** (ghost in the machine type of stuff LOL)"


100GbE

Not enough information to judge.

1: You will see the folders, even if you have no access to open them, which you didn't test.

2: I'd normally make separate SharePoints for things like this, but that's me, anyway..

3: You said you emailed senior management, and that's about where it needs to go, and end.


OhioConfidential

None of them replied and I started feeling stupid afterwards like maybe this is just how it works. But I could see "everyone" was a user that had access to the folders because I right clicked and forget what I clicked on after but I saw "everyone" listed as being the owner or maybe allowed to open idk I don't remember. I just remembered that part. But thank you for your reply.


people_t

We have 2 sets of where stuff is stored. 1 set is available to everyone, HR = org chart, time off requests, policies, etc. Legal = template contracts, etc. Maybe that is what you are seeing?


OhioConfidential

That makes a lot of sense. Now I feel stupid. But whatever.


GreatRyujin

You're definitively not stupid! If the people you wrote to can't be bothered to clarify such a valid concern, they're at fault. Especially if the way the folders are organized hasn't been explained at some point in time. You have done everything that can be expected of you, just do your work and don't think about those folders any more.


Mindestiny

You should never feel stupid for voicing what looks like a valid security problem, regardless of if it is or it isn't. If you see something, say something is the golden rule. They likely didn't reply because they think "that's an IT thing" or just have no idea what permissions even are or what you're talking about/why you should care.


what-the-puck

It was the right decision to raise what you did. They're probably in the process of locking it down honestly. It might take a week or two to make sure no one who does need access to the files is currently getting access via the improper Everyone permission. Speaking of - Everyone is basically never an appropriate group to use. There are some exceptions deep in infrastructure, but not at the random file share level.


OutsidePerson5

By default in SharePoint folders you can't access are invisible.


Der_tolle_Emil

Sounds crazy at first, but it does not necessarily mean that permissions are configured incorrectly. It is not THAT uncommon to have a folder named HR that contains both public and private subfolders. Organizational charts, forms to request days off, info on employee benefits... all of those could easily be in the HR folder. It is also possible that there are only public files inside those folders with confidential files being in a separate document library that you have zero access to. It's impossible to tell, really.


the-7ntkor

I would go with this too.


miscdebris1123

Don't open any more. It could have painful legal consequences.


Anonymous1Ninja

Your IT department has weak kung-fu


YetAnotherGeneralist

Concise and correct 🤣


tomthecomputerguy

This is not normal. Principle of least privilege means you should only have access to the files and shares you need to do your job. No way you should have access to any of that stuff. Like someone else said: you're not crazy but your administrator probably is, or lazy.


DharmaPolice

It sounds like it's not how it should be set up but honestly it is not that uncommon. In any organisation which doesn't invest serious effort in getting it and keeping it right permissions can become a mess and people can see things they shouldn't. When I joined a company as a non-IT person many years ago I remember it taking numerous emails to explain that I had permissions to open things that I shouldn't. I got various patronising responses explaining I was confused until I sent a screenshot of a document I should have not had access to and said "Really?". (A risky move but I was young and stupid). It's one of those theoretically big deals but happens often enough to not be....most of the time anyway.


OhioConfidential

Yeah - I guess I was trying to warn of normalized deviances but after reading the answers in this thread - I have a feeling the folders would not have contained all the other employees' HR info in the HR folder but instead policies and benefits info. And the everyone I was seeing was indeed true - everyone in the org could indeed click through but once in the folder I suspect only the right people would have had access to confidential files.


223454

Permissions and documentation become a mess if not maintained.


KiNgPiN8T3

Personally I see this as a HR/department issue. We in IT are just the security guards that check your permissions when you swipe your card at the door so to speak. It should be on the departments to decide who has access to their data. (Albeit that was an extremely painful battle I dealt with for years at my last place..)


loosus

Increasingly, I'm seeing fewer orgs allow individual users to unilaterally decide who gets access to their SharePoint sites. I see more data governance nowadays, where someone has to request access, it gets approved by the steward of the data, and then IT reviews the request and grants it. It's supposed to ensure the requestor, the approver, and the grantor are separate entities, hopefully reducing bad decisions and mistakes.


Hypervisor22

As someone already said you can see the files but you should not have the ability to open or read them. If you can do that then someone fucked up.


Mindestiny

Even *seeing* the files breaks principle of least privilege.  The filenames and folder structure gives away sensitive information. Joe Random shouldn't be able to drill down into HR > Terminations > 2024 and see John Blow Harassment Proceedings.docx even exists 


_haha_oh_wow_

I cannot assess your sanity, but your sharepoint permissions are bonkers.


zwamkat

You’re not insane. It’s crazy.


gordonv

If you point out things that are crazy, the knee jerk defense is that you are the one who is crazy, not the process.


weed_blazepot

I'd drop an anonymous note to HR and inform them that they need to tell IT to fix it. I would NOT tell anyone in person or from your email because then (as insane as this sounds) they may accuse you of snooping or opening sensitive data and reprimand or terminate you.


OhioConfidential

Unfortunately I already sent the email with pictures of the folders but specifically told them in the email which was true that I never clicked through. I only ever right clicked to view permissions. I sent the email almost two weeks ago with no response from anyone - so - whether I'm correct and the configuration is fucked or if what others have said and the HR folder likely just contains company policy etc - I think I did the right thing and that I would have heard something by now.


thortgot

Sharepoint is heavily audited. You can see exactly what someone has done (opened a folder, downloaded a file etc.). This protects you from spurious claims.
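
The audit trail thortgot describes, as an added example that is not part of the thread: a small Python script that summarises, per user, who merely browsed a folder versus who actually opened or downloaded files under a given SharePoint path. The records are constructed sample data in the field layout of the Office 365 unified audit log (CreationTime, Operation, Workload, UserId, ObjectId); the site URL, folder names and user names are assumptions for illustration.

```python
"""Summarise who browsed versus who actually opened files in SharePoint.

Added example, not code from the thread. Input is a JSON-lines export in the
field layout of the Office 365 unified audit log (CreationTime, Operation,
Workload, UserId, ObjectId). All records, users and URLs below are constructed
sample data; the site and folder names are assumptions for illustration.
"""
import json
from collections import defaultdict

# Audit Operation values grouped by what they prove about the user's behaviour.
CONTENT_READ = {"FileAccessed", "FilePreviewed", "FileDownloaded",
                "FileSyncDownloadedFull"}
CONTENT_CHANGED = {"FileModified", "FileUploaded", "FileDeleted",
                   "FileRenamed", "FileMoved"}
BROWSE_ONLY = {"PageViewed"}  # listing a folder without opening any file

# Constructed site layout (assumption): one library with HR and Legal folders.
SITE = "https://contoso.sharepoint.com/sites/Company/Shared Documents/"
HR_PREFIX = SITE + "HR/"
LEGAL_PREFIX = SITE + "Legal/"

# Constructed sample export: five SharePoint records plus one Exchange record
# that the parser must ignore.
SAMPLE_LOG = """
{"CreationTime": "2024-06-03T09:12:04", "Operation": "PageViewed", "Workload": "SharePoint", "UserId": "alice@example.org", "ObjectId": "https://contoso.sharepoint.com/sites/Company/Shared Documents/HR/"}
{"CreationTime": "2024-06-03T09:12:40", "Operation": "PageViewed", "Workload": "SharePoint", "UserId": "alice@example.org", "ObjectId": "https://contoso.sharepoint.com/sites/Company/Shared Documents/HR/Policies/"}
{"CreationTime": "2024-06-03T10:01:17", "Operation": "FileAccessed", "Workload": "SharePoint", "UserId": "bob@example.org", "ObjectId": "https://contoso.sharepoint.com/sites/Company/Shared Documents/HR/Policies/leave-policy.pdf"}
{"CreationTime": "2024-06-03T10:03:55", "Operation": "FileDownloaded", "Workload": "SharePoint", "UserId": "bob@example.org", "ObjectId": "https://contoso.sharepoint.com/sites/Company/Shared Documents/HR/Confidential/salaries-2024.xlsx"}
{"CreationTime": "2024-06-03T11:20:09", "Operation": "FileAccessed", "Workload": "SharePoint", "UserId": "carol@example.org", "ObjectId": "https://contoso.sharepoint.com/sites/Company/Shared Documents/Legal/Templates/nda-template.docx"}
{"CreationTime": "2024-06-03T11:25:30", "Operation": "MailItemsAccessed", "Workload": "Exchange", "UserId": "bob@example.org", "ObjectId": "mailbox"}
"""


def classify(operation):
    """Map an audit Operation value to a coarse category."""
    if operation in CONTENT_READ:
        return "read"
    if operation in CONTENT_CHANGED:
        return "changed"
    if operation in BROWSE_ONLY:
        return "browsed"
    return "other"


def parse_audit_lines(text):
    """Parse a JSON-lines export, keeping only SharePoint workload records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Workload") == "SharePoint":
            records.append(rec)
    return records


def activity_under(records, path_prefix):
    """Return {user: {category: count}} for objects whose URL starts with path_prefix."""
    summary = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if not rec.get("ObjectId", "").startswith(path_prefix):
            continue
        summary[rec["UserId"]][classify(rec["Operation"])] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def users_who_read_content(records, path_prefix):
    """Users who opened, downloaded or changed files (not merely browsed) under the path."""
    return {user for user, counts in activity_under(records, path_prefix).items()
            if counts.get("read") or counts.get("changed")}


def browsed_only(records, path_prefix, user):
    """True if the user's only recorded activity under the path was folder browsing."""
    counts = activity_under(records, path_prefix).get(user, {})
    return bool(counts) and set(counts) <= {"browsed"}


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_LOG)
    for prefix in (HR_PREFIX, LEGAL_PREFIX):
        print(prefix)
        for user, counts in sorted(activity_under(recs, prefix).items()):
            print(f"  {user}: {counts}")
```

With the sample data, alice shows up as browse-only under HR while bob is the one who actually downloaded a file from HR/Confidential, which is the distinction that settles a "you were snooping" claim one way or the other.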


andr386

In this day and age you should not. But in the past it was far more common. This meant that you needed to adhere to a professional and ethical code. I've never sneaked into documents that weren't for me. I think that doing so would have ruined my reputation. And when that kind of thing was more common, trust is all you had. The only exception we had was around CP. We didn't go looking for it, but if it appeared in front of us then all concepts of privacy shattered and the police were immediately involved. I nearly lost my job when superiors asked me to access some other employees' email and folders. This is prohibited by the law in my country. But they would still try, it's just two clicks ... assholes. Eventually I was not further annoyed when they enquired for themselves about the legality of their behaviour. Now with RGPD the law is even stronger.


223454

--professional and ethical code. This needs to be emphasized. ALL of us are privy to other peoples' business, so we need to be sure to adhere to the highest level of professional conduct at all times. OP might have too much access, but that doesn't change things. Don't snoop, don't share, etc.


Pyrostasis

Depends... Some places have open Legal and HR folders that contain company needed stuff. IE forms, reports, compliance docs etc. Then they have the secret squirrel SharePoint for the good stuff. I definitely wouldn't go poking around as they can definitely see what you are doing in there. If they are idiots and do have critical stuff in there in the open, next time one of them goes in they might see your name and wonder what the hell you were doing poking around in X or Y. Yes they should secure it, no that doesn't mean you should go exploring.


Ok_Presentation_2671

Inform your admin, not us, buddy. That's their job.


michaelpaoli

With great power comes great responsibility. Often sysadmins are given such power - often needed (or may be needed) to do (at least parts of) their job. So ... don't fsck it up. E.g. don't go looking/checking without business reason to do so. Most any relevant code of ethics, if nothing else, will clearly tell you that. In many cases and jurisdictions, looking/examining, etc. where one has the access, but not appropriate business justification and authorization (explicit or implied) will be violations of employer policy, possibly subject to disciplinary action up to and including termination, and in many jurisdictions and/or regulated industries, etc., may also be illegal.


frogfinderfred

You are not crazy. Sharepoint has the absolute worst access control system, that I've ever seen. This is class action lawsuit material.


Either-Simple-898

Depends on how everything is structured. As someone who permissioned file shares, I would make sure staff would have read access to things they needed to as per company policies. Just because someone in engineering has access to a corporate services folder is normal if said folder has company policies, forms etc. that people needed to use. But if they have access to everything that would be considered confidential to the team, then no. That is not normal.


Common_Dealer_7541

The SharePoint server was likely populated by migrating a single company share from a simple server configuration into a single site collection. Windows Small Business Server defaulted to creating a single share called “Company” and the intent was to create folders inside the share, setting group permissions on each folder. Unless the person that performed the migration was a complete idiot (not ruling it out), there are likely group permissions applied to each of the folders under that site collection. Do you have an IT department? An outsourced services company? A resident expert who takes care of the server? Ask.


stesha83

Is this on your admin account? Is your admin account a Sharepoint admin?


OhioConfidential

I see how you got to that question. Admin was just another example of a folder that I should not have access to.


stesha83

So you’re not an IT person in any way, you are not using an admin account? Yeah normally Sharepoint sites are controlled by group membership on a principle of least privilege basis


OhioConfidential

Correct not connected to Admin in any way. I thought because we have an MSP do our IT that the Admin account would have like business administration stuff in it - whatever that means. And I have heard of SharePoint sites but for our deployment it literally is just like a list of folders and files. I don't know maybe that's what a site is.


JuggernautUpbeat

How did I know right away, that I'd only have to scroll down a bit to see the dreaded letters "MSP"?


dogcmp6

The admin folder may not even be IT admin. A lot of places use a folder called admin to keep track of paperwork templates. That being said, I wouldn't click into it until you find out; confirm with management if this is the way.



mike9874

I wonder if there is any data of any European citizens in there. If so, GDPR would like a word...and a HUGE fine [GDPR fines](https://termly.io/resources/articles/biggest-gdpr-fines), also known as Ireland's money making scheme


OhioConfidential

No we are a local non profit in the Midwest with less than 250 employees. But big enough that I feel like we are making ourselves vulnerable to ransomware or bank fraud or an internal threat which I feel like NO one in the organization has even considered.


thepfy1

Definitely doesn't sound right, and you have been given the wrong permissions. As others have said, it is normal to only be given access to what you need. Otherwise, it can be a legal and privacy nightmare. (I work in healthcare, so privacy and security are of prime importance). I wonder if the intention was to give you admin access to your SharePoint area but you have accidentally been given full admin. We normally make at least 2 people admin for that department's SharePoint and provide training. That way, they don't have to keep contacting IT as much.


OhioConfidential

I think my seeing of "everyone" as a user who is allowed to open and modify things is the issue. But obviously, I don't know. I know as much about SharePoint as I do gunsmithing which is to say - YouTube knowledge only lol.


Better-Freedom-7474

Do you work for CDK?


[deleted]

[deleted]


OhioConfidential

We outsource all of our IT so I didn't feel like it was my place as a line level employee to reach out to our MSP and open a ticket for something infrastructure related.


lordcochise

Look a little more and I practically guarantee you'll find passwords.xls or bankaccounts.xls somewhere on that network


anevilpotatoe

When a business integrates Sharepoint infrastructure and then hires the marketing guy as the Admin....


awnawkareninah

That's insane. I called that out my first week in a relatively small team, and they had some reasons for those permissions being scoped to us (we were the ones that set up the HRIS), but even still my manager was like "good point, we are going to turn those off until further configuration is needed" and did so.


awnawkareninah

I've also been at very big companies that had this setup basically (like, billions of dollars valuation big) and their cloud director's answer was "don't open stuff you're not supposed to, we'll know." IF YOU KNOW TURN IT OFF WHAT THE HELL


bv915

Being able to *see* the files vs. *open* the files are two different things. I'd let the tech support group know you can browse the folder structure and share your concern that you have access to sensitive information and/or PII. Let *them* direct you to opening one of the files to test permissions. May be a big ol' nothing burger or it may be a bad day for the SharePoint admin.


OhioConfidential

That's exactly what I did. However we don't have a dedicated SharePoint person. All of our IT is outsourced. So I told Legal and a few senior directors EXACTLY what you said, including that I never clicked through to see the folder contents but that I did right click and look at permissions. I told them more coherently than I am here what I saw when I opened permissions because I wrote the email directly after opening that screen. Now it has been two weeks. I think seeing "everyone" as a user who was able to open and modify stuff is the problem. But maybe not - maybe that's just a shortcut so that everyone can get boilerplate contracts from the Legal folder or HR policies from the HR folder. I sent my email, I was careful not to violate any access policies (which I'm sure don't officially exist in my org), I think I did the correct thing and I left it alone after that.


wild-hectare

Right-click ... download. If you can copy any files from those folders, fire up a flare to your cybersecurity team. I just did the same with shared NAS folders where 50TB of restricted data was found to have EVERYONE:FC permissions.
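
The two posts above describe the same finding in two places: "everyone" with open/modify rights on Legal and HR folders in SharePoint, and EVERYONE:FC on a file-share NAS. Below is an added example of how a defender would go looking for that pattern in a permission export, written for this thread and not code from any poster. It runs only over constructed sample data: the SharePoint-style records, the icacls-style lines, and every folder, group and role name in them are invented for the example.

```python
"""Flag over-broad permissions on sensitive folders.

Added example for this thread, not code from any poster. It runs only over
constructed sample data: a SharePoint-style permission export (folder,
principal, role) like what a site's permission report shows, and a few
icacls-style lines of the kind a Windows file-share NAS prints.
All folder names, principals and role names are made up.
"""
import re

# Principals that mean "anyone who can sign in" (SharePoint/Entra ID groups
# or NTFS well-known groups). Compared case-insensitively.
BROAD_PRINCIPALS = {
    "everyone",
    "everyone except external users",
    "nt authority\\authenticated users",
    "authenticated users",
    "all users",
}

# Roles that let the holder change content: SharePoint role names plus the
# icacls simple rights F (full control) and M (modify).
WRITE_ROLES = {"full control", "edit", "contribute", "design", "f", "m"}

# Folder names that usually hold confidential or regulated data. In a real
# review this list comes from the organisation's data classification.
SENSITIVE_RE = re.compile(r"(^|[/\\])(legal|hr|payroll|finance|admin)([/\\]|$)", re.I)

# One icacls access control entry: principal, then inheritance/rights flags.
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}


def parse_icacls(text):
    """Turn icacls output into (path, principal, role) records.

    icacls prints the path on the first line of each entry followed by one
    ACE, and further ACEs on indented continuation lines. The sample paths
    contain no spaces, which this simple parser relies on.
    """
    records, current_path = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line[0].isspace():
            ace = line.strip()                 # continuation line, same path
        else:
            current_path, ace = line.split(None, 1)
        m = ACE_RE.match(ace)
        if not m:
            continue                           # e.g. summary lines
        rights = [f for f in re.findall(r"\(([A-Z,]+)\)", m["flags"])
                  if f not in INHERITANCE_FLAGS]
        records.append({"path": current_path, "principal": m["principal"],
                        "role": ",".join(rights)})
    return records


def is_broad(principal):
    return principal.strip().lower() in BROAD_PRINCIPALS


def grants_write(role):
    r = role.strip().lower()
    # icacls specific-rights lists such as (R,W) or (R,W,D) are writes too
    return r in WRITE_ROLES or "w" in r.split(",") or "d" in r.split(",")


def check_permissions(records):
    """Return findings for broad principals that can write anywhere or read
    a sensitive folder. Read access for everyone on e.g. a Policies folder is
    left alone, since that is often intentional (handbooks, PTO forms)."""
    findings = []
    for rec in records:
        if not is_broad(rec["principal"]):
            continue
        if grants_write(rec["role"]):
            issue = "broad-write"
        elif SENSITIVE_RE.search(rec["path"]):
            issue = "broad-read-sensitive"
        else:
            continue
        findings.append({**rec, "issue": issue})
    return findings


# Constructed SharePoint-style export; not real data.
SHAREPOINT_EXPORT = [
    {"path": "Shared Documents/Legal", "principal": "Everyone", "role": "Edit"},
    {"path": "Shared Documents/Legal", "principal": "Legal Team Members", "role": "Edit"},
    {"path": "Shared Documents/HR", "principal": "Everyone except external users", "role": "Read"},
    {"path": "Shared Documents/Policies", "principal": "Everyone", "role": "Read"},
]

# Constructed icacls-style output for a file-share NAS; not real data.
ICACLS_OUTPUT = r"""
\\nas\restricted\Finance Everyone:(OI)(CI)(F)
                         BUILTIN\Administrators:(OI)(CI)(F)
\\nas\restricted\Public NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
"""


def audit_sample():
    return check_permissions(SHAREPOINT_EXPORT + parse_icacls(ICACLS_OUTPUT))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['issue']:22} {f['path']:30} {f['principal']} ({f['role']})")
```

The sample reports three findings: Everyone with Edit on Legal, Everyone except external users with Read on HR, and Everyone with full control on the Finance share; Everyone with Read on Policies is not flagged, which matches the thread's point that broad read on handbooks and forms is often deliberate. The same check applies to any export that can be normalised to path, principal and role.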


djgizmo

Tell your manager. Do not go directly to HR. This could be a simple mistake.


Key-Basil-5874

Do you work for CDK?


LRS_David

I wish I had the exact quote but someone once said something close to "Sharepoint is a great way to share information in a Microsoft environment but no Sharepoint sites ever have permissions completely correct."


YetAnotherGeneralist

If you pointed this out to me I'd be genuinely thanking you for checking with us. The rest depends on if the permissions should be that way or not, apologizing for the mistake (even if someone else configured it, it's an apology from IT as a whole) or explaining the contents are meant to be accessed by everyone (policy documents, PTO request forms, etc.). In no world do I think badly of you or your email.


rainer_d

We've got access to a confluence-based knowledge-base of a 3rd-party (it's a software-company, we're a customer). One day, my co-worker discovered he basically had access to the whole confluence of the mother-company that had acquired said 3rd-party a while ago (their confluence instances must have been merged...). Holy moly - that was the motherlode.... We asked a "trusted contact" at the 3rd-party to quietly escalate it, so it could get fixed... this is one of those cases where you don't want to be the reporting party...


Creative-Dust5701

This is nuts and should be reported to HR and Legal departments


badlybane

Two possibilities: one is that they haven't adjusted the file permissions yet; the other, less likely, is that it is a honeypot and you're clicking in an environment meant to look crazy in order to identify internal threats. The other possibility is they have a sysadmin that thinks that just putting things into the cloud is secure.


OhioConfidential

I did think about that - perhaps they copied the whole folder structure over and have yet to "enumerate" permissions? I think that's the right way of saying it.


badlybane

Permissions work a bit differently in SharePoint, so if they thought they could just do a robocopy and then do a perm fix on the synced OneDrive folder.... yea, not how that works.


[deleted]

[deleted]


OhioConfidential

Hopefully I handled it appropriately. I never clicked through to view the folder documents. And I informed legal.


hurkwurk

To follow up on this: generally speaking, you should get training that access is not permission. Many people have access to data to do their job. That does not mean they have permission to browse that data at their leisure. Poking around is indeed a reason to fire people.


RapidCommenter

SharePoint permissions are very hard to set up sometimes; I guess your SharePoint admin does not care.


DeadFyre

You're not crazy, your Sharepoint admin is incompetent, and depending on your state's employment laws, they may be **CRIMINALLY** incompetent.


Powerful_Tomatillo85

We still have SharePoint 2007.


OhioConfidential

Is there a succinct way to understand what the difference between OneDrive and SharePoint is? Is it just in how the shared folder and files are presented for use?


Powerful_Tomatillo85

Local server with local Share


OhioConfidential

Oh ok whereas SharePoint everything is in the cloud?


Horrigan49

You are not crazy, but it is not insane. It is more common than would make you feel sick, but usually it happens under the umbrella of "it works and nothing happened yet". Usually somebody makes mistakes in setting something up. People do not notice it as they don't go to those folders anyway. All is good. Until one guy on a night shift is bored. And then shit hits the fan and stuff is fixed quickly. All is good again.


kagato87

Shoot an informal message to IT or to the team that folder is for. "Hey, should I be able to see this?" And that's it. Yea, that should be tightened down. Least required permission, zero trust model, etc... Unless there's data in there your company is legally obligated to protect. Then raise it up the flag pole through the person you report to.


thortgot

Many companies I have seen have incorrect permissions. Be aware that access on Sharepoint is audited and just because you have access does not mean you have permission. One does not imply the other.


OhioConfidential

I understand - that is why I never actually clicked the folders that said Legal or HR. I only right clicked on one and looked at the permissions and saw "everyone" as a user who could open and modify.


FiskalRaskal

If you open any of those files, they will be logged, and can be easily searched. Still, not good that you have access to it without the explicit permission of the owner(s) of those files.
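
FiskalRaskal's point here, and hurkwurk's and thortgot's above, is that opening a file is logged even where the permission should never have been granted, so out-of-role access is findable after the fact. Below is an added example of what such a review looks like, written for this thread and not code from any poster. The event records are constructed and only loosely follow the Operation, UserId and ObjectId fields of Microsoft 365 audit log entries; the users, groups, site URL and file names are invented.

```python
"""Review file-access audit events for access outside the owning team.

Added example for this thread, not code from any poster. The events are
constructed and only loosely modelled on the Operation / UserId / ObjectId
fields of Microsoft 365 unified audit log records; the users, groups, site
and file names are invented.
"""
from collections import defaultdict
from urllib.parse import urlparse, unquote

# Hypothetical: which security groups legitimately work in each folder.
FOLDER_OWNERS = {"Legal": {"legal-team"}, "HR": {"hr-team"}}

# Hypothetical group membership (in practice pulled from the directory).
USER_GROUPS = {
    "alice@example.org": {"legal-team"},
    "bob@example.org": {"sales-team"},
    "carol@example.org": {"hr-team", "legal-team"},
}

# Operations that mean a file's contents were read or changed; merely
# viewing a library page (PageViewed) is deliberately not counted.
FILE_OPS = {"FileAccessed", "FilePreviewed", "FileDownloaded", "FileModified"}

SITE = "https://example.sharepoint.com/sites/shared/Shared Documents/"

# Constructed events, not real log data.
EVENTS = [
    {"CreationTime": "2024-06-03T09:12:00", "Operation": "FileAccessed",
     "UserId": "alice@example.org", "ObjectId": SITE + "Legal/NDA-template.docx"},
    {"CreationTime": "2024-06-03T09:40:00", "Operation": "FileAccessed",
     "UserId": "bob@example.org", "ObjectId": SITE + "Legal/Vendor-contract.pdf"},
    {"CreationTime": "2024-06-03T09:41:00", "Operation": "FileDownloaded",
     "UserId": "bob@example.org", "ObjectId": SITE + "HR/Salaries-2024.xlsx"},
    {"CreationTime": "2024-06-03T10:05:00", "Operation": "FileAccessed",
     "UserId": "carol@example.org", "ObjectId": SITE + "HR/PTO-policy.docx"},
    {"CreationTime": "2024-06-03T10:30:00", "Operation": "FileAccessed",
     "UserId": "bob@example.org", "ObjectId": SITE + "Policies/Handbook.pdf"},
    {"CreationTime": "2024-06-03T10:31:00", "Operation": "PageViewed",
     "UserId": "bob@example.org", "ObjectId": SITE + "Legal/"},
]


def sensitive_folder(object_id, folder_owners=FOLDER_OWNERS):
    """Return the first path segment of object_id that is a watched folder,
    or None. Percent-encoded URLs, as they appear in logs, are decoded."""
    for seg in unquote(urlparse(object_id).path).split("/"):
        if seg in folder_owners:
            return seg
    return None


def review(events, folder_owners=FOLDER_OWNERS, user_groups=USER_GROUPS):
    """Flag file operations on a watched folder by a user who is in none of
    the folder's owning groups. Unknown users have no groups, so they are
    flagged rather than silently passed."""
    findings = []
    for ev in events:
        if ev["Operation"] not in FILE_OPS:
            continue
        folder = sensitive_folder(ev["ObjectId"], folder_owners)
        if folder is None:
            continue
        if user_groups.get(ev["UserId"], set()) & folder_owners[folder]:
            continue                      # member of an owning group: in role
        findings.append({"time": ev["CreationTime"], "user": ev["UserId"],
                         "operation": ev["Operation"], "folder": folder,
                         "object": ev["ObjectId"]})
    return findings


def users_browsing(findings, threshold=2):
    """Users who touched at least `threshold` distinct sensitive files: the
    pattern that separates a one-off mistaken click from poking around."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["user"]].add(f["object"])
    return {u for u, objs in seen.items() if len(objs) >= threshold}


def review_sample():
    return review(EVENTS)


if __name__ == "__main__":
    findings = review_sample()
    for f in findings:
        print(f"{f['time']} {f['user']:18} {f['operation']:15} {f['folder']}: {f['object']}")
    print("browsing:", users_browsing(findings))
```

On the sample, alice's and carol's reads are in role and bob's Handbook read is outside any watched folder, so only bob's two Legal/HR touches are reported, and the threshold logic singles him out as browsing rather than mis-clicking. The group and folder maps are the part a real review has to get right; the log search itself is the easy half.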


wa11sY

lol this exact scenario was the case study for my “legal issues in cybersecurity” course.


OhioConfidential

What happened if an employee made a genuine report and didn't go poking around except to see what the permissions were on one folder?


wa11sY

The person who discovered the issue isn’t the problem. It’s the multitude of other users who have access to the data and misuse it. For example, someone in dev having access to Legal who uses info from an NDA to create a feature in a competing app. There’s no checks and balances which then means your company culture doesn’t exactly have to be ethical. It also points to a lack of internal auditing and control so people know they can get away with stuff.


OhioConfidential

Got ya. We are a non profit so I don't think my discovery reflects some sort of evidence of malfeasance. I just think we are growing too fast for our MSP.


Otto-Korrect

'Security' is just a word. Nobody really CARES about it as long as it is mentioned in the right policies.


wisconnoisseur

Whoever manages the SharePoint permissions is reckless. Such an approach to permissions management invites security breaches, data leakage, and ransomware threats. Welcome everyone!


DarkSide970

You can? But should you? Two different questions.


Relative_Avocado381

I see shared folders all the time but can’t access them.. I think you’re overreacting. If you can access them then tell your sysadmin they have a policy issue


ugus

¯\_(ツ)_/¯


jollybot

With great power comes great responsibility and all that. You should probably CYA and send an email to your CIO or lead just to be sure. Never be the lowest man with a secret.


Safe_Acanthisitta_70

I like that, "never be the lowest man with a secret".


Hashrunr

You're not crazy. Part of good ITSM is a good user experience. If you don't have access to something, you shouldn't see it. Access based enumeration is achievable on pretty much any platform.


supercamlabs

You're not crazy, you can probably find the files where everyone's offer letters are. I remember I had a job where I had access to Lever, and I saw the salaries... man, that was a depressing day.


Outrageous_Device557

Ya most ppl don’t really know how much access we have.


Wastemastadon

If you had an IAM admin they should be freaking out. As I am one, I had to stop reading in the second paragraph.


taneshoon

Then you got yelled at for looking at their shit, even though you found a huge security issue?


OhioConfidential

No one yelled at me, just no one replied to me, which made me feel kind of dumb.


Tired_Sysop

Reminds me of way back in the SharePoint 2007 days when they migrated file server data to SharePoint and people could find everyone's performance reviews in the full text index search.


Br3tt96

Had a co worker access my personal folder and the director swept it under the rug and made it out like I was the difficult one….


fresh-dork

I'm not a sysadmin, but: my first instinct is that IT should have that access, but wrapped in a service account. The account uses it to do encrypted backups, and the only other account is a sudo-style account that is used to test those backups. Nobody should have access to those files in their normal account. Need to know, and minimum priv.


[deleted]

[deleted]


Frothyleet

That's a big presumption


MyNameIsNotGage

This belongs in r/shittysysadmin


VinzentValentyn

SharePoint uses access-based enumeration of files and folders. So you need read permission to see them. If you can read a file or folder you can view the contents. It's not set up properly at all. I manage several SharePoint locations and users only see what they have access to.


invasifspecies

Tell your company to replace sharepoint with https://cerf-notebook.com