At the risk of massive downvotes, I have to admit that a small part of me wants this so that maybe corporations stop using Sharepoint as soon as possible.
Seriously, I haven't used it since 2017, but every time I used it then it was the worst part of my day. I used to have a shirt that said SHarepoIT Happens that I would wear to work, and it seemed like the one thing I could get my coworkers agree on was that Sharepoint is terrible and we'd rather use anything else.
It is instructive that we are seeing the results of DOGE's work:
"The process took six hours Saturday night — much longer than it otherwise would have, because the threat-intelligence and incident-response teams have been cut by 65 percent as CISA slashed funding, Rose said."
> CISA advises vulnerable organizations [...] to disconnect affected products from the public-facing Internet until an official patch is available.
It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed a the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
I have spent far too much of my life on SharePoint.
Having it internet facing has never been a good idea.
Not really what it is meant for, though the promo verbiage
on that has changed over different versions.
Some folks wanted SharePoint as their "web server",
I would set that installation up entirely separted from
all other instances they may have on the network.
We need more Red Hat and less Microsoft in the on-prem enterprise business. These exploitable vulnerabilities are unacceptable when your customers are the likes of DoD.
No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned."
So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?
Meanwhile, Citrix has been on fire causing much worse things (you can just grab any session you want and become anyone who's already logged in). Who needs to break into SharePoint when you're becoming someone who's already got access... including to everything else (not just SharePoint)
It's patchable, but it's been two times in a row now, and patching is always slow and incomplete.
Haha, Microsoft, the source of all the leaks, it's always Microsoft, quick, let's give Microsoft even more government contracts! They truly are the best!
I was just building a SharePoint integration for some enterprise customers (I do RAG on their data) and I find it brutal, that now, I have access to all their SharePoint data for all SharePoint sites. Even the ones I don't want to index. And I even use user login over admin/service key login.
AFAIK, the Oauth claims of SharePoint don't allow specifying particular projects only.
(BTW: same counts for platforms like ACC/BIM360)
> “Anybody who’s got a hosted SharePoint server has got a problem,” said Adam Meyers, senior vice president with CrowdStrike, a cybersecurity firm. “It’s a significant vulnerability.’’
Senior VP at CrowdStrike, so a professional in destroying large amounts of systems.
The root cause might less be whether an entity uses Linux or Windows but whether they use cloud or on-prem. No matter how skilled, the on-prem stuff getting maintained by IT/SOC (often external contractors) are unlikely to deliver the same level of diligence as one of the big cloud vendors.
Things are so complex we have critical bugs everywhere that can not be patched without major breakage. So what does a diligent org do? they make a risk-assessment to explain things away for legal & compliance purposes.
check your SCA/SBOM in any/most stacks if you think this is untrue ...
It’s kind of wild how we end up here over and over, a big government breach, angry headlines, but the tech never seems to change (imo).
If you work in IT, this whole SharePoint story is probably a deja vu,
A few real-world points that stood out to me:
- SharePoint (and a lot of other MS stuff) didn’t win because it was bulletproof, just because it was bundled “FREE” and nobody got fired for rolling it out in the 2000s. Once you’re deep into the Microsoft ecosystem, the cost and pain of replaccing is huge!
- Security honestly feels like a service for a lot of giants. When someone asks if it’s the number one priority, the answer from experiencem, is “no.”
Cost, compliance available support, and how easy it is to blame a vendor if things fail tend to matter more.
- When people say Linux would be more secure in these environments, maybe. But if Linux or Red Hat took over everywhere, you can bet it would become the juiciest target immediately. Right now, Windows gets a lot of attention because it’s everywhere. And obviously, attackers like to go where the odds of a big payoff are highest.
- A lot of giants aren’t making decisions based only on security or technical merit. It’s about familiarity, employee training costs, consulting partners, and “safe” bets. If you pick Microsoft and get breached, it’s an industry problem. If you pick something niche and get breached... it’s 100% your fault.
- Resistance to change is real. Swapping out platforms isn’t just a technical lift. Management, end users, even IT staff get pretty set in their ways.
Honestly, unless there’s enough public backlash or a relgulation hammer, I don’t see the inertia breaking any time soon. For most companies, “patch and carry on” still beats “burn it all down and start fresh.”
If Sharepoint was an animal it would be a Duck-billed Platypus. I never understood why it got the degree of use that it did, even as a free product it was always best avoided. Everything seemed to be tacked on at a different angle from the normal one with broken interfaces in between.
this is barely one year after the CSRB recommended: "...Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources. In all instances, security risks should be
fully and appropriately assessed and addressed before new features are deployed."
These recommendations followed a review of MS practices following the Exchange online compromise. I highly doubt anything changed at MS since then.
My boss spent over a year trying to get me to setup Sharepoint. About 6 months into this, I finally looked into it and what it provided and said no. Eventually he hired a second tech and he set it up "in an afternoon." Good for him. Nobody ever used it. He also stole my high speed USB drive.
I'm not sure which part pisses me off more: that tons of professionals lost their jobs and will likely not work in public service again because of it, or that through all that, they barely found any actual waste at all. A fucking farce.
Each M365 Teams Team creates an M365 Group which creates a SharePoint site and Exchange mailbox. Teams channel files are stored in that SharePoint site. Teams channel messages are stored in the Exchange mailbox.
Private files dropped in Teams are stored in OneDrive (rebranded SharePoint). Private Teams messages are stored in the sender and recipients’ Exchange mailboxes.
M365 is SharePoint and Exchange. EVERYTHING is built on top.
EDIT: changed ‘individual’ to ‘sender and recipients’
CISA is so so vital. Investigating incredibly wide ranging attacks like this, or the Salt Typhoon attack are vital for this nation. But the show is being run by a bunch of people who value political dogma far above anything else. https://www.techdirt.com/tag/cisa/
My company has SharePoint and another internal site for documents/notes (think about Notion/Quip/Confluence). The other site works quite well, and most developers write all their notes/docs on it. But some people just insist on uploading Word documents to SharePoint. So now everybody else has to use SharePoint as well, plus search twice whenever they need to find something.
Best practice is to assume the network is compromised - a VPN doesn't provide as much guarantee as people would like. In large fleets, devices are regularly lost, damaged, retired, etc. In organizations with high target value, physical penetration through any number of means should be assumed.
So you don't do that. You use zero trust and don't care that things are exposed to the internet.
Working from anywhere (remote sites, home, your phone) is a huge benefit. Organizations want to control their data entirely while still wanting their organization to be able to access it.
> A programming flaw in its cloud services also allowed China-backed hackers to steal email from federal officials. On Friday, Microsoft said it would stop using China-based engineers to support Defense Department cloud-computing programs after a report by investigative outlet ProPublica revealed the practice, prompting Defense Secretary Pete Hegseth to order a review of Pentagon cloud deals.
As a mid size company that does work with government agencies, it’s near impossible to use anything ‘better’ solution. Cybersecurity requirements are getting so onerous that Sharepoint is too commercially feasible of an option to use anything else for a shared file store between organizations.
The fact that Sharepoint sucks* doesn’t matter… because anything else is seen as a risk.
* folders with lots of files are hard to scroll through because each page is lazy loaded, the automation functions are buggy, logins between different M365 tenants breaks and is not correctable by a normal site admin, human readable URL paths aren’t standard, search is shit, tables/filters are buggy, the new interface hides a bunch of the permissions logic, some things like permission groups need to be managed via outlook, etc etc. I’m sure a bunch of my gripes are technically fixable, but these aren’t things that should need a web search in order to use/fix.
At some point Microsoft tried to sell some automatic DRM system based on SharePoint to some company that I worked for.
The sales pitch was that they could upload documents to SharePoint and when people downloaded the documents SharePoint would automatically apply DRM so the documents could only be opened by that person on authorised machines for a specified number of days.
Well, it turned out depending on how you logged in (using the same account, just different login forms) on the SharePoint server it would either give you the files with DRM applied - or the completely unrestricted files.
We got some senior Microsoft consultant working directly for Microsoft to look at it but in the end they were just as confused as us.
Actually it wasn't too long ago, in the early-2010's, that Microsoft was promoting SharePoint for internet sites; I think at one point some Europoean car manufacturer (BMW? Ferrari?) had their global marketing site on SharePoint. Of course that didn't last long, as Microsoft licensed it at a crazy price ($40k per site or something like that).
> It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing.
Once upon a time Microsoft marketed it as, and a lot of Orgs adopted SharePoint as their Intranet. With SharePoint 2019 being sunset, a lot of Orgs are scrambling to implement replacements.
The product was explicitly promoted as being useful to run public websites. Before cloud took off we had Microsoft sales people in our office announcing the death of Wordpress with the latest Sharepoint release. That position may be old, but plenty of orgs live in the past.
Most enterprise PCs are Windows machines and integrate with Microsoft services easily. The only way Microsoft is going to lose the enterprise market is if enterprise PCs move away from Windows.
But, for enterprises, the only reasonable migration away from Windows is Mac. JAMF Pro for Mac can be hosted on-premise on Linux. The majority of enterprise software runs on Mac. However, Macs are expensive so it's unlikely to overtake Windows enterprise machine usage.
Hardware support for Linux PCs is poor and lacks the manageable of Windows PCs with Active Directory and GPO, or JAMF for Macs. Enterprise software usually doesn't support Linux. Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux.
I do wonder if the fact that these vulnerabilities get exploited so often is because the customers are the likes of DoD. If DoD used Red Hat, maybe we'd see more large-scale linux/freedesktop exploits being discovered.
"Why do Microsoft products enjoy a monopoly on the server ...?"
They don't. There's plenty, even a majority, of non-Windows servers in gov (I know, some depts are true MS shops).
Sharepoint is one of those things that snuck in via the desktop. It was touted by MS as an evolution of shared folders with "Intranet" features included. If you already ran a Windows Server for fileshares, Sharepoint was "free".
The initial few implementations were of extremely poor quality, even by MS standards, but SP was positioned in the MS channel as the future of MS server side application development. So all of the consultancy/sales channel jumped on the SP wagon for any custom server projects.
For developers, it was a nightmare. Underneat the platform was a frankensteinian horror of bits and pieces of resurected code from many departments and projects across MS crudely bolted together with chewing gum scraped of a park bench and bits of string recovered from old fish guts. Lists (SP's core structure for file directories with exposed metadata properties) could not work reliably, the system fell over under even light load, latency was totaly unaceptable even for basic operations, files did not rountrip through the server unchanged ...
Over the years MS cut it down from "the future platform for custom backoffice apps" to "out of the box Intranet with mainly cosmetic configuration options" to "cloud hosted office 365 shared folders".
" Isn't security the number one priority in those spaces?"
No. It's exacly like every other IT environment of comparable size. Security is considered important, but does not drive sales. Features and cost, but also available expertise from the supplier/channel partners dominates the choice. Security is covered by promises and certifications, but more often than not left to operations to patch up.