Securing & Hardening SharePoint Sites for External Users

For most organizations, it’s not a question of “If” but “When” – when will you want, or need, to collaborate with an external user on an application hosted within your SharePoint farm? Over the years, CorasWorks has helped customers across numerous verticals, with a myriad of use cases and requirements, improve the efficiency of their solutions by giving external stakeholders direct access to the data they should see. More importantly, our platform and best practices have enabled customers to architect and implement their own secure solutions as well. Let’s look at the key concepts that allow this.

Basic Security

As a favorite childhood cartoon of mine reminded me every Saturday morning, knowing is half the battle. Liam Cleary, a SharePoint MVP, did a great write-up in 2012 on educating site owners and SharePoint administrators on just what might be out there and visible to the world with the default settings. I suggest a quick read; after all, the first step in good security is knowing what you’re protecting.

Setting up Your Collaboration Spot

Whether it’s an Intranet-Extranet scenario, a customer/vendor portal, a system for publishing approved content from a private site to a public one, or anything else in which you want to decouple source data from the end user, there are a few basic concepts that the CorasWorks v11 platform will help you leverage to separate & secure your solution.

  1. First, because all the CorasWorks components support full CRUD (Create, Read, Update, Delete) operations across Site Collections and Web Applications, you can securely segment your external partners & users from your internal ones.
  2. The CorasWorks platform also contains numerous features for copying and/or moving content from one place to another; again, across Lists & Libraries, across Sites, across Site Collections and across Web Apps.

    Leveraging our Actions and/or CAPS, you can enable process owners and approvers to push content from a secured, internal site to an open or partner-secured external site. You can also automate the process using Timers (e.g. every Monday at 5AM, check for and publish the newest approved content) or Triggers (e.g. upon Status=Approved for Release, publish to the external site).

  3. And perhaps the most powerful option: if you do not want to copy or move data between sites but instead want to give your external users direct access to only the data they should see – say, a customer portal in which you want to display real-time inventory data – then CorasWorks is the tool to use. Our platform enables the creation of a secure “proxy” within the SharePoint farm that can process requests between, say, a Customer Portal site and a secured internal site.

    This design allows you to leverage a service account to provide full CRUD operations against any SharePoint data in the farm, invisible to the end user – so they cannot see anything but the data you choose to expose to them (think column-level security). The end user is unable to even see where the data comes from, and their own account would not have access to it even if they could.
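The proxy pattern described in item 3 is easy to get subtly wrong, so here is an added, deliberately generic illustration of its security core in Python. It is not CorasWorks code and does not use any CorasWorks or SharePoint API; the internal list URL, the `customer-inventory` view, the group name `Customers`, the sample rows and the `service_account_read` stand-in are all constructed placeholders. What it shows is the shape of the control: the caller is authorized against an external group, every read is performed under the service account rather than the caller's identity, only an explicit allow-list of columns is ever projected, rows can be filtered per caller, and error messages never name the internal source or its columns.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# Constructed sample data standing in for an internal SharePoint list that
# external accounts have no permission on. The URL is a placeholder.
INTERNAL_LISTS: Dict[str, List[dict]] = {
    "https://intranet.example.local/sites/ops/Lists/Inventory": [
        {"ID": 1, "SKU": "A-100", "OnHand": 42, "UnitCost": 12.50, "Supplier": "Acme"},
        {"ID": 2, "SKU": "B-200", "OnHand": 0, "UnitCost": 7.25, "Supplier": "Globex"},
        {"ID": 3, "SKU": "C-300", "OnHand": 7, "UnitCost": 3.10, "Supplier": "Acme"},
    ]
}


@dataclass(frozen=True)
class ExposedView:
    """One view the proxy publishes to the external site (hypothetical config)."""
    source_url: str                      # internal source; never sent to the caller
    columns: FrozenSet[str]              # the only columns the caller may ever see
    permitted_groups: FrozenSet[str]     # external groups allowed to use this view
    row_filter: Callable[[dict, dict], bool] = lambda row, caller: True


# Proxy configuration: external view name -> what may be exposed (constructed).
VIEWS: Dict[str, ExposedView] = {
    "customer-inventory": ExposedView(
        source_url="https://intranet.example.local/sites/ops/Lists/Inventory",
        columns=frozenset({"SKU", "OnHand"}),
        permitted_groups=frozenset({"Customers"}),
        row_filter=lambda row, caller: row["OnHand"] > 0,   # hide out-of-stock rows
    ),
}


class ProxyError(Exception):
    """Deliberately terse: error text never names internal lists or columns."""


def service_account_read(source_url: str) -> List[dict]:
    """Stand-in for a read executed under the proxy's service-account identity.
    In a real deployment this is the only place that identity is used."""
    return INTERNAL_LISTS[source_url]


def proxy_query(view_name: str, caller: dict, requested_columns=None) -> List[dict]:
    """Serve an external request for a named view on behalf of `caller`.
    `caller` is a dict with the external login and its group memberships."""
    view = VIEWS.get(view_name)
    if view is None:
        raise ProxyError("unknown view")          # do not reveal which views exist
    if not (set(caller.get("groups", ())) & view.permitted_groups):
        raise ProxyError("access denied")
    requested = set(requested_columns) if requested_columns is not None else set(view.columns)
    # Allow-list, not deny-list: anything not explicitly exposed is refused,
    # and the refusal does not say which column was the problem.
    if not requested <= view.columns:
        raise ProxyError("column not available")
    rows = service_account_read(view.source_url)   # caller's identity is never used here
    return [
        {col: row[col] for col in sorted(requested)}
        for row in rows
        if view.row_filter(row, caller)
    ]


if __name__ == "__main__":
    partner = {"login": "partner@contoso.example", "groups": {"Customers"}}
    print(proxy_query("customer-inventory", partner))
```

The important design choice is that `requested_columns` is checked against the view's allow-list before any read happens, and the projection is built from the allow-listed names rather than from whatever the source row contains; adding a new sensitive column to the internal list therefore changes nothing on the external side until someone explicitly exposes it.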

Couple this with some easy changes to secure away some of the “revealing” pages that Liam describes, like the All Site Content page (we’ll cover this in a future blog), and you’ve got a robust yet secure option for collaborating with all your stakeholders, internal or external.
