We are trying to deploy a SECURE instance of a SharePoint 2013 server farm and are finding it to be a nightmare.
Perhaps, someone here can help us start off on-the-right-foot? Our problem is that we need to set up a portal for Customers to access SharePoint and that portal must be highly secure. We need it secure for internal use and both must comply with numerous laws, rules, and regulations.
When we create sites, they are automatically having social features added that violate our business use and they do not comply with any reasonable security standard. The links to newsfeeds, links to share access to others, links to everything I would expect on Facebook, not what I would expect for a secure business-related portal are embedded everywhere. Everywhere we find it posting user names and details of who has permissions to what.
What is going on here with this release?
I have high-level Microsoft partners involved who keep tossing their hands up in the air because every time we think we blocked these ridiculous features, they somehow pop-up somewhere else.
For example, we try to create a site and immediately there are links/buttons in the top menu to news feeds, share with others, etc. Imagine us having a customer login to a website that we tell them is a secure website and they immediately see these links? This is horrendous!
To this point, we have found no easy way to eliminate these links. We have to customize the master page templates to programmatically throw them out.
Q: Problem solved, right?
Why? Because we learn there are ellipses or any of many buttons/features embedded in list views or any of many other areas where a user clicks on one of these buttons/choices and "poof" another popup window shows up with more of these social features made available.
I could go on and on into why it is a never-ending barrage of built-in options that keep offering undesired social features.
My question: IS THERE ANY BUILT-IN WAY TO CREATE SITES IN SHAREPOINT THAT ARE ACTUALLY SECURE AND START-OFF WITH NO AVAILABLE SOCIAL-RELATED MENUS/LINKS - INCLUDING SUB-MENUS/POPS-UPS?
Think of it this way: I want to create a workflow where we ADD what users can see and do and KNOW that the site is secure. We simply cannot anticipate every sub menu and option available within SharePoint.
Please, tell me someone there at Microsoft, when adding all these (in my opinion stupid) social features, actually figured out that many businesses not only do not "want" these social features, they CAN'T have them on because of one or many requirements to complying with laws, rules, and regulations. We "CAN'T" have these features enabled!
I am so confused: Our internal studies have found no business benefit for users having access to Facebook or any other social site, but we have found a massive drop in productivity related to these sites. Whoever decided to focus SharePoint on mimicking social sites has massively degraded the value and usefulness of the product for us. Look at all the products out there to allow businesses to control internet access. These social sites and porn sites have massively been a NEGATIVE for businesses; hence, the reason so many are buying products to block and/or limit access. What company out there wants these features for their SharePoint installation? I can see having a few sub sites where these features are desired. It's absurd to think it's wanted on every SharePoint site.
Think of this: Do we want to have our accounting staff working on highly private financial documents have links for those documents where they can invite other, inappropriate, people to view them, or where they could be uploaded to the cloud? Do we want any of many possible secret drawings or formulas or employees' personal information or whatever placed in SharePoint with all these social features enabled for them?
Please, tell me someone thought this through at Microsoft and realized there needs to have an On/Off switch for social website features? That it should be an option building a new website or list or whatever and with one-click those features are unavailable?
I really need this On/Off switch ASAP? It is costing us a fortune trying to manually yank these features out and so far it's not working... there are far too many embedded pieces that keep showing up.
HELP! This is horrid and unusable! Please, tell me we are just unaware of something simple to make this problem go away?
- Edited by TrevorWesterdahl Wednesday, April 10, 2013 6:00 PM grammar
To enable users or groups to use personal and social features
1. Verify that you have the following administrative credentials:
   - To use the SharePoint Central Administration website to enable users or groups to use personal and social features, you must be a member of the Farm Administrators group, or you must have been delegated permission to administer the User Profile service application that is running in the farm. For more information, see Delegate administration of User Profile service applications in SharePoint Server 2013.
2. In Central Administration, in the Application Management section, click Manage service applications.
3. In the list of service applications, click User Profile Service Application.
4. On the Manage Profile Service: User Profile Service Application page, in the People group, click Manage User Permissions.
5. On the Permissions for User Profile Service Application page, type or select a user or group account, and then click Add.
6. In the Permissions for box, check the feature or features that you want the user or group to be able to use, and then click OK.
- Proposed as answer by Devendra VelegandlaMVP Thursday, April 11, 2013 12:04 AM
It works with all authentication types.
MCTS,MCPD Sharepoint 2010. My Blog- http://www.sharepoint-journey.com
If a post answers your question, please click "Mark As Answer" on that post and "Vote as Helpful
The user profile permissions mentioned above are for a subset of the features you mention and are effective for some of the more "facebook" style features. However, the share buttons are really a response to customers from previous versions of SharePoint where it was too difficult for the average user to navigate the arcane permissions pages. While I feel your pain here, remember this is a collaboration platform. I would not lump in the "share" buttons with social features.
Now having said that, to address your issue you could always create custom permission sets that disallow all but certain admin type users from being able to assign user permissions. I can't tell you offhand if a user not having this right will cause the share button to not be visible or not, but I can tell you that it will disable its use.
And there are a finite number of places where "share" shows up. The Share button is in the master page at a site level, in the ribbon for a list/library and in the individual item menu. I suspect it is possible to remove these using the object model. I say this because I am certain it is possible to add items to these menus with the object model.
If those permissions in the user profile service are not adequate, there are ways to disable the newsfeed and the follow functionality. I will look into that if you still don't have a solution. I can think of a few ways offhand, but I'm not sure if they are the best way to do it, but it can definitely be done. Although the ability to "follow" a document to me is a feature with a lot of business value for communication and collaboration.
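An added example, not part of the thread and not any poster's code: a PowerShell audit that supports the suggestion above to restrict who can assign user permissions, by listing every principal whose permission level includes the Manage Permissions right. The function name `Get-PermissionManagers` and the site URL are placeholders; it assumes the SharePoint 2013 Management Shell on a farm server.

```powershell
# Added example: report who is able to assign permissions on each web.
# Assumptions: SharePoint 2013 Management Shell (PowerShell 3.0) on a farm
# server; the URL at the bottom is a placeholder, not a value from the thread.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PermissionManagers {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SiteUrl
    )

    # The base permission that allows a principal to change role assignments.
    $manage = [Microsoft.SharePoint.SPBasePermissions]::ManagePermissions

    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($assignment in $web.RoleAssignments) {
                    foreach ($role in $assignment.RoleDefinitionBindings) {
                        # Full Control and any custom level carrying the flag match here.
                        if ($role.BasePermissions.HasFlag($manage)) {
                            [pscustomobject]@{
                                Web               = $web.Url
                                # False means the web inherits from its parent, so the
                                # same principals are reported again for that web.
                                UniquePermissions = $web.HasUniqueRoleAssignments
                                Principal         = $assignment.Member.Name
                                PermissionLevel   = $role.Name
                            }
                        }
                    }
                }
            }
            finally {
                $web.Dispose()   # SPWeb objects from AllWebs must be disposed
            }
        }
    }
    finally {
        $site.Dispose()
    }
}

# Replace the placeholder URL with the site collection to audit.
Get-PermissionManagers -SiteUrl "https://portal.example.test" |
    Sort-Object Web, Principal |
    Format-Table -AutoSize
```

The report covers role assignments at the web level only; lists, libraries and items that have broken inheritance carry their own assignments and need the same check.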
We have been trying alternatives like adding scripts to pages that remove these features (i.e. newsfeed button) dynamically.
When you say they aren't in that many places, that I have learned is just not true. What is true is that they are embedded very subtly. So, for example, I remove the buttons on the menu bar at the top of the site and then notice those ellipses on every row for a document list. If I click in the ellipses (logged in as the limited user), it opens a popup form that has all of those features available. Even worse, it lists all the names of who has access.
Here are screenshots to elaborate. Notice in the first image, that names of who has access to the document show up. We do NOT want that and can't help but wonder what will happen with documents that can be shared with 50+ users anyway.
Here I click that ellipse:
Argh! I used to be able to post three pictures per post, now it's only two, so I will continue...
Note, that even if the users were removed from the list shown above, they could be found here:
It is even worse when I show what options become available on the ribbon.
Understand, we are exchanging highly secured and very private documents. The social features are unacceptable and they would result in us being dropped as a customer. Consider the documents we are exchanging within SharePoint to be Military, Top-Secret, type of documents. This is a very serious issue for us to address.
Thanks for posting this, trevor. I feel your pain. I have been tasked with standing up a SharePoint farm for my organization, which also handles thousands of confidential documents daily. These features are utterly unacceptable, and I'm hopeful I can derail this project using, among many arguments, the documentation you've provided above. Considering that Microsoft's only reply here is that you've got to live with these nasty features, I suspect nobody is going to want to use this product in our organization. I, too, am shocked that no thought was apparently given by the dev teams at Microsoft to the security nightmare they were creating by not including a way to disable all of these really, really bad ideas. What has happened at Microsoft? It's amazing how many blog and forum posts are out there that combine the terms "SharePoint" and "nightmare" somewhere in their text.
As a manager in a State of California department, we had some concerns as well with our many confidential documents. It's not unlike file and print and use of a shared or group drive. The same user mistakes cause files to be accessed by parties they are not intended for.
However, the social features are the way of the digital age, and you are doing your young staff a disservice. There are many good business reasons for using the social features - but what you are lacking is management of people and people behaviors. We rolled out SharePoint 2013 with a SharePoint acceptable use standard and lots of user education. We can deal with the problems as they arise, but we are not going to be afraid of the newer ways of doing business. Our primary purpose of SharePoint is collaboration, so that probably makes a difference too in how we choose to use the tool.
You shock me with this response. Yes, social features have their place but to say I am doing a disservice is, honestly, ridiculous.
Your description of managing your department sounds incompetent. Let me start with FACTS:
UNDER THE LAW, we are REQUIRED to control who has access to what resources AND to control who receives copies of classified documents. Under ITAR (International Trade and Arms Regulations) a fine of up to one million dollars and 10 years in prison can be assessed for every ONE INCIDENT of releasing information to unauthorized recipients. If, for example, a user sends ONE document to FOUR unauthorized recipients in ONE email message, that is FOUR INCIDENTS.
Go look at actual prosecutions and accidental releases of what many would consider minor violations resulted in fines of $250,00 plus and prison time. Your management would result in fines and imprisonment here.
I suggest you go look at a product by Titus Labs http://www.titus.com/
I would fire you.
If you want/need something with more control than SharePoint as standard then IRM would be a good place to start, that helps prevent unauthorised releases of documents, including the 'oh i'll just attach an email' option.
Beyond that a lot of your arguments don't make sense. If you're dealing with higher security items you'll (in every case i can think of) be on an air-gapped network and everyone on that network will have clearance for the content on there, even if not need-to-know or access. For those, and for lower levels, you'll also have existing processes and procedures to deal with users gossiping in public, emailing secure content around and taking stuff home with you. Dealing with secure content is all about assessing risks and mitigating the most dangerous to a point where it can be accepted.
Finally, policies and protection don't have to be in code to be valid. If you do need to put in place a more secure system then i advise finding a full time security professional to architect the system for you. That should include physical access controls, disaster recovery, network design and only at the end the applications that sit on the network.
- Edited by Alex BrassingtonMicrosoft community contributor Thursday, December 12, 2013 5:05 PM
Should I post a link to a video published by Microsoft about SharePoint? In that video, they have customers in the restaurant/food business that discuss having "top secret" recipes and they discuss how SharePoint allows them to have top security AND collaboration.
Actually look at the videos of the Titus Labs product. It helps ENFORCE policy rather than just "teach" security policy. No way could we just discuss security and have that work.
When Coke say their mix is top secret they are telling the truth as they see it, it's their top secret (well, it probably isn't but that's another thread).
In that sense out of the box SharePoint is more secure than just using folders and emails and it is fit for the most secret content the vast majority of companies have. It gives you better control, more visibility than most systems people migrate from and very good auditing capability. With IRM it allows you to enforce policies and prevent that super top secret recipe being spread about too easily. With third party tools like Titus, i looked into that once, you can get even more control.
The problem is that you appear to be an amateur in this area. That isn't meant to give offense but as a statement of fact, this isn't your day job. As such you seem to be missing a sense of proportion that you will develop if you spend a lot of time on this. There must be a balance of security and usability and one that is relevant to the situation and threats that you face. You keep shouting (please, i'm reading your post, no need for the capitals) about national security matters when it sounds like you are closer to Coca Cola.
Trevor, two things to point out here
1- This forum is mostly manned and posted by volunteers that will try to assist as best able. If you find the responses thus far exasperating, I'd suggest logging a call with MS Premier Support
2 - You may need to accept that SharePoint isn't the product for you. If you need to re-engineer the product to such an extent, it probably isn't the right one.
SharePoint Business Analyst: LiveNation Entertainment
Twitter: Follow @backpackerd00d
My Wiki Articles: CodePlex Corner Series
Please remember to mark your question as "answered" if this solves (or helps) your problem.
First off, the original post was something that should be simple. Between SharePoint 2010 and 2013 new features were added: the social features I mentioned. It should be a no-brainer that not all SharePoint sites would be best-suited having these features enabled.
What should be simple turned out not to be simple. I cited security as the primary reason. Then, when responses were basically that I don't understand or respect how valuable these features are: I should let them grow on me. I then tried to point that the social features were simply unacceptable for our needs.
The next basic response I received is that I should not expect security from SharePoint. What? I pointed out that SharePoint has been sold and marketed as a HIGHLY secure product. It was advertised as a "top-secret" level of product. It actually was until these social features were enabled in 2013.
NOW: My original post was some time ago. The issues have been resolved for me and the recent posts are wow - off-target.
SharePoint is great for what we do: but the work to get it there should not have been so difficult (IMO). The recent reference to rights management techniques, for example, are just way off base in that it just doesn't take into account the total picture. Those options are more aligned with dropping files on flash drives or mobile devices or for other channels of communication and not for our complete set of needs.
My issues are complicated and these simple answers are just wrong. I work in the steel manufacturing industry. We manufacture parts and assemblies out of steel-based materials. Some of our customers are defense-based and we have to maintain strict security. We also work with CAD files and drawings and have hundreds of thousands of files for a single customer, let alone all our customers. Thus, we need a search engine like SharePoint. It is NOT just rights management.
For those who want to know:
1) We now use Ontolica Preview and Ontolica Search so that we can refine our searches better than SharePoint offers "out-of-the-box" and because there are 500 file formats supported (and growing) where preview thumbnail images are listed and where they can be exploded into larger images - for nearly all of our files. This has been HUGE! Wonderful! I an auto CAD view to search for the correct file I need. I don't open and close and open and close documents anymore. None of our users do that anymore. SharePoint is something much more productive with Ontolica. I mention this because it is why we can't just use some other product. Nothing works as well as SharePoint and Ontolica to find the one file we need in seconds out of hundreds of thousands available.
2) We needed metadata associated for our files (like security classifications, or references to projects, or whatever). There really aren't a lot of products that offer SharePoint-like meta-data and searching. There truly is nothing when I combine option 1 above.
3) We needed security and control. The Social features were a disaster. Products like Titus Labs solve those problems. Even when the social features are offered on a page, the security control offered by Titus stops actual breaches. Not only are the files secure in SharePoint, if the files are emailed, or stored on a network share, or on a desktop... the Titus Labs security products still apply outside of SharePoint. Their product is fantastic for companies with security needs like ours. In addition, we didn't want the sites to even "appear" insecure. We had to customize the master pages and design of SharePoint sites to override and remove the social features when they were problematic. This was my "beef". It should be built-in and is not. It took tremendous effort to complete this task and it was the point of this post.
I appreciate all who try to help here, but this topic went way off base. SharePoint is the "right" product. It is working beautifully now. I highly recommend Titus Labs and Ontolica. I also would warn people that you will have to get your hands really dirty customizing the sites if you want control of just what features are or are not enabled.
I do recommend to Microsoft that they allow ALL SharePoint menu options (like social features) to be enabled or disabled by role. It should be that way. It should be simple. It was not.