- Posted by ploft on July 14, 2011
Separated SharePoint site collections aren’t secure enough – People Picker gives you and your clients away.
Now let’s change all that.
Scenario:
You and your clients are using an extranet site, split into separate site collections for security reasons, so that the people and groups visible in one collection are only those who belong to it, not everyone in the whole web application. This is good, but not good enough.
Creative minds and people with SharePoint insight can use the out-of-the-box People Picker inside a SharePoint site to browse your whole Active Directory (how much they see depends on how much the SharePoint profile system scrapes when synchronizing). So if some internal user accounts carry names that give away a client or a project, the People Picker hands you, your clients or your projects to anyone who stumbles upon them.
If you are working on a project under a non-disclosure agreement, you had better make sure this isn't possible, because the default SharePoint settings are not the secure approach, and you could get into a heap of trouble.
Now to the fix:
It’s actually quite simple.
The SharePoint stsadm tool allows changes to the configuration database that aren't possible from the normal web administration interface. The property we will be looking into is "peoplepicker-onlysearchwithinsitecollection".
You can check your current property flag by typing this in a command prompt:
(-o for Operation, -pn for PropertyName and -pv for PropertyValue)
stsadm -o getproperty -pn peoplepicker-onlysearchwithinsitecollection -url http://external.mycompany.com/mysecretproject
The default feedback (stsadm answers with a single XML element) would be:
<Property Exist="Yes" Value="no" />
To change this, we execute the following command:
stsadm -o setproperty -url http://external.mycompany.com/mysecretproject -pn peoplepicker-onlysearchwithinsitecollection -pv yes
If successful, run the getproperty operation again and you should now see that the value has changed to "yes". When you browse the site, the People Picker should only look at the people and groups within the site collection. Two caveats: stsadm stores this flag on the web application, so the URL you pass selects the web application that hosts it, and every site collection in that application is then restricted to itself; and the picker will no longer find accounts that are not already in the site collection, so decide how new external users get added (for example by a farm administrator with stsadm -o adduser) before you flip it on a live extranet.
If you are running extranet or site collections like this across several web applications, change it for all of them at once by not specifying a URL in the operation, like this:
stsadm -o setproperty -pn peoplepicker-onlysearchwithinsitecollection -pv yes
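To apply the getproperty/setproperty steps above across a farm and prove they took effect, here is an added PowerShell example (it is not from the original post). It wraps stsadm.exe, parses the XML it returns, reports which web applications still let the People Picker search the whole directory, and with -Fix turns the flag on and re-reads it. It assumes stsadm.exe lives under the SharePoint 2007 "12" hive (use "14" for SharePoint 2010), that it runs as a farm administrator on a SharePoint server, and that the URLs in the parameter default are placeholders for your own web applications.

```powershell
# Added example: audit and remediate peoplepicker-onlysearchwithinsitecollection
# with stsadm. Assumed paths and URLs; adjust for your farm.
param(
    [string[]] $WebApplications = @(
        "http://external.mycompany.com",   # assumed extranet web application
        "http://intranet.mycompany.com"    # assumed internal web application
    ),
    [switch] $Fix   # without -Fix the script only reports
)

# Assumption: SharePoint 2007 hive ("12"); SharePoint 2010 installs under "14".
$stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe"
if (-not (Test-Path $stsadm)) { throw "stsadm.exe not found at $stsadm" }

$property = "peoplepicker-onlysearchwithinsitecollection"

function Get-PickerScope([string] $Url) {
    # stsadm answers with one XML element, e.g. <Property Exist="Yes" Value="no" />
    $raw = & $stsadm -o getproperty -pn $property -url $Url 2>&1
    if ($LASTEXITCODE -ne 0) { throw "getproperty failed for ${Url}: $raw" }
    $xml = [xml]($raw -join "")
    # A property that was never set comes back with Exist="No"; it behaves like "no".
    if ($xml.Property.Exist -ne "Yes") { return "unset" }
    return $xml.Property.Value.ToLower()
}

foreach ($url in $WebApplications) {
    $before = Get-PickerScope $url
    if ($before -eq "yes") {
        Write-Host "$url : People Picker already restricted to the site collection"
        continue
    }
    Write-Warning "$url : People Picker searches the whole directory (value '$before')"
    if (-not $Fix) { continue }

    # Turn the flag on for this web application, then verify by reading it back.
    & $stsadm -o setproperty -pn $property -pv yes -url $url | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setproperty failed for $url" }

    $after = Get-PickerScope $url
    if ($after -ne "yes") { throw "$url : value is still '$after' after setproperty" }
    Write-Host "$url : restricted (was '$before', now '$after')"
}
```

Run it once without -Fix to get an inventory of exposed web applications, then again with -Fix; the read-back after each setproperty is what tells you the change actually landed rather than trusting the "Operation completed successfully" message.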
You have now fixed, what should have been default from the beginning.