Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

SharePoint Secure Score questions

Iron Contributor

Noticed two things for Secure Score on SharePoint:

 

Title:  Review list of external users you have invited to documents monthly
Description: You should review the list of external users that you have invited to sensitive documents on a weekly basis. Attackers that have compromised accounts with sharing privileges will be able to expose sensitive data to external users for long periods of time without regular review of who has access. We found that the last time you reviewed this report was on 2/13/2018.

 

The Title says to review monthly but the description says weekly.  

 

The other question I have is for the SharePoint links:

 

Title: Configure expiration time for external sharing links

Description: You should restrict the length of time that anonymous access links are valid. An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account, then take their time accessing the data. They can also compromise external accounts and steal the anonymous sharing links sent to those external entities well after the data has been shared. We found that your external link expiration time is set to False. If you set an expiration time, your score will go up 2 points.

 

We have it set up not to share links outside of our tenant.  We are not given the option to set an expiration.  I have tried to set it to allow anonymous links and set the time and then set it back to the original setting thinking that it would see something is set, to no avail:

 

SharePoint SettingsSharePoint Settings

Can we get credit for the score if we are not sharing externally <smile> ?

 

 

 
5 Replies

Why do people care so much about the score? The main benefit from the Secure Score tool is getting used to following some of the best practices when it comes to security and compliance in Office 365. Whether the number goes up or down is surely not as important? :)

Hi Zeff,

 

For the first comment, this control is deprecated and I can only find it in the control list spreadsheet where it is tagged so.  Are you seeing this in the user interface?

 

For your second comment, the setting the control is looking for is in the screenshot below.  I will talk with the team about giving points if you disable but I think the idea of the control is that anonymous links are ok to use but you should expire them.

 

anonoymoussharing.png

1) I show mine being scored:

SharePointLinks.jpg

 

2) Would love to put some number into the expiration, but with our present setup, I am not given the opportunity <smile>  So, it will go as a recommendation that cannot be fulfilled.

The score is nice to be maintained. It reminds me if I forgot to check some reports. Albeit, many reports have nothing in them, but it keeps me in a good habit of checking and making sure that I keep on top of administration

@Zeff Wheelock How do we secure score ONLY our SharePoint instances