One of the biggest concerns many organizations have when they store files and document in SharePoint is the security and integrity of their content. I have no doubt Microsoft goes above and beyond to keep files secure and encrypted in SharePoint. However, at the end of the day, SharePoint is used by humans. And humans are prone to errors. So what can you do as the site owner or SharePoint administrator to help make the content secure and prevent any wrongdoing or accidental loss of important information?
Maybe you want to build a secure library for company executives. Or a policies library for the whole organization, or some confidential library used by HR personnel. Are there additional steps and checks you can do (as a site owner) to make the content even more secure? The answer is yes, there are few things you can do to make your document library with very important documents even more secure and turn it into a somewhat of a secure vault. Let me list those steps with you.
Step 1: Implement the 10 steps to secure a site
The first step to a secure library is the secure site. I have published a very comprehensive guide on how to secure a SharePoint site. I suggest that you first review that post and implement all the 10 steps on a site where the super secure document library will reside on.
Step 2: Only add people who need access
I know this might be pretty obvious, but you won’t believe how many times when I access client sites, it looks more like a flea market in terms of security. Only add users/groups who need to have access. Also watch out for those Domain groups like “Everyone” and “Everyone except external users“. Many times they are used for convenience to add everyone at once, but might also inadvertently grant access to those who don’t need it. Also, if you are using Active Directory (AD) Groups in SharePoint, make sure those AD Groups only contain those who require access.
Step 3: Disable sharing
I listed this as a technique in my Site Security post (Steps 7 and 8). However, it is worthwhile repeating it here again. This is really crucial. If you do not disable sharing for a site, anyone in the members group (those with Contribute privileges) will be able to freely share the whole site, files and documents with anyone else in the organization without the site owner or an IT Admin knowing about this.
Step 4: Disable sync
Another thing you can do in cases where content is confidential and represents your Intellectual Property (IP) is prevent offline synchronization of the document library to users’ computers. This will ensure that the content (entire document library) will not end up in the wrong hands should the laptop be stolen. To disable sync, please follow instructions in this post.
Step 5: Disable file deletion
Another mechanism to prevent accidental loss of data is to prevent file deletions. By default, any user with Contribute access can Add, Edit, Delete the files. So if you want your (regular) users to only be able to add and edit documents, and not delete, you can do that. The easiest way to achieve this is to create a custom Permission level. I explain how this works in this blog post.
Step 6: Setup alerts
If you are really a control freak and want to know what is happening to documents in the library at any point of time, you can setup an alert on the document library. Depending on your alert scenario, you will be notified instantly about everything that is happening to the documents from additions, to changes, to deletions. This will allow you to react to changes and address accordingly.