Beyond Zero Day: Best Practices for a Secure SharePoint Environment

On July 19, 2025, Microsoft discovered a critical zero-day vulnerability (CVE-2025-53770) in on-premises Microsoft SharePoint Server that put dozens of organizations into immediate cybersecurity risk. This remote code execution attack, which likely began on July 18th, has already compromised several organizations, including major corporations, U.S. federal and state government agencies, universities, and energy companies.

This breach is a stark reminder that even the most powerful and well-resourced organizations require vigilant security practices. So how can you keep your SharePoint environment secure? Let’s look at some best practices. 

Best Practices for Securing Your SharePoint Environment

1 - Reinforce Identity & Access Management

Implement Role-Based Access Control (RBAC)

• Assign permissions to groups instead of individual users with Role- or Account-Based Access Controls. 
• Avoid creating or using an "Everyone" group.

Embrace the Principle of Least Privilege

• Assign users and groups the minimum permissions necessary to perform their tasks only.
• Review and audit roles and permissions regularly to ensure they are still appropriate.

Avoid Item-Level Permissions

• Assign permissions at higher levels (site, library, folder) rather than the item level, as item-level permissions unnecessarily complicate management.

Control External Sharing

• Share only what is needed, only when it’s absolutely necessary. 
• Disable “Share with Anyone” links or change the default link setting to "Only people in your organization" and set expiration policies.

Authenticate Rigorously

• Enforce Multi-Factor Authentication for all user accounts, especially privileged accounts with admin or super admin access. 
• Create and enforce strong password policies (forced resets, criteria for length and complexity, etc.)
• Consider adopting conditional policies that manage access based on user location, device, and risk level.

2 - Manage System and Infrastructure Security

Keep SharePoint Up-to-Date

• Update all SharePoint servers with the latest security upgrades and ensure they are protected by anti-virus software and Endpoint Detection and Response (EDR) solutions.

Harden Servers

• Follow Microsoft's recommendations for hardening your Windows Server operating systems.
• Properly configure Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols and ensure you are operating with the latest versions.

Secure API Endpoints

• If you are using SharePoint APIs, ensure they are properly secured with HTTPS, IP whitelisting, and API gateways.
• Apply the principle of least privilege to API permissions.

Secure Your Networks

• Isolate your SharePoint servers from other critical systems with network segmentation.
• Configure firewalls to protect SharePoint servers from malicious traffic.

3 - Enhance Data Security and Governance

Classify Data

• Use Microsoft Information Protection (MIP)’s sensitivity labels to tag and track documents with rules like "View Only" or "Do Not Forward."

Prevent Data Loss

• Implement policies to prevent unauthorized sharing or exfiltration of sensitive information by configuring rules to detect and block sensitive data.

Encrypt Your Data

• Ensure data is encrypted while at rest (e.g., BitLocker) and in transit (TLS/SSL).

Monitor User Activity

• Implement comprehensive auditing to monitor user actions (who accessed it, what was modified, what was deleted, etc.). 

Define and Enforce Retention Policies

• Define retention policies to ensure data is stored for the required period and then properly disposed of.

4 - Monitoring, Auditing, and Incident Response

Audit SharePoint Activity Regularly

• Use Microsoft Purview’s audit logs to monitor configuration changes, user activities, and access events.
• Monitor human and non-human identities for unusual behaviors, such as bulk downloads, access from unusual locations, or excessive file sharing.

Automate Security Risk Reviews

• Use automated tools and scripts to regularly review permissions, shared links, and other security configurations.

Implement a Zero-Trust Strategy

• Combine conditional access, MFA, continuous monitoring, and encryption to verify every request. 
• Grant the minimum amount of access needed for daily functions.

Develop an Incident Response Plan

• Develop a plan for detecting, containing, mitigating, and recovering from security incidents specific to your SharePoint environment.
• Back up your SharePoint data regularly.

Monitor for Threats

• Deploy 24/7 security operations for real-time threat detection and automated responses.

Looking Ahead

The recent zero-day exploitation of SharePoint servers reminds us that cybersecurity is a continuous process of detection, mitigation, and prevention. For on-prem SharePoint users, the immediate priority is to mitigate this breach by applying Microsoft’s security patches and hotfixes. You can learn more about the steps you should take now here. 

Beyond patching, organizations must maintain an aggressive posture against potential compromise, monitoring for signs of post-exploitation activity and leveraging comprehensive solutions for monitoring to detect and respond to these threats in real-time.