Making Sense of the SharePoint World

Aug-16 2010

SharePoint Saturday Columbus Wrap-up

Another Successful SharePoint Saturday in the Books

I'm back and settled after SharePoint Saturday, Columbus. There was plenty of SharePoint knowledge to be had, with 6 tracks and over 20 speakers.

My session was "Who's Afraid of SharePoint Designer". There were only a few slides - which you can download here, if you like. Most of the session was taken up demonstrating some of the governance features of SharePoint Designer 2007 and 2010.

I would like to give a warm thank you to the organizers, sponsors, and (of course) the attendees for making the day as great as it was!


Jul-27 2010

Speaking at SharePoint Saturday: Columbus, Ohio

Back to My Old Stomping Grounds...

When I was a "wet behind the ears" high school graduate, I ended up attending Ohio Institute of Technology (OIT) to study Electronics Engineering Technology. While I was there, OIT became DeVry Institute of Technology, Columbus. Today it is known as DeVry University, Columbus and offers a whole lot more than electronics. I ultimately ended up living and working in Columbus for many years, and it holds a special place in my heart.

Today, I'm pleased to announce that I've been selected to present at the SharePoint Saturday in Columbus, Ohio. This takes place on August 14th, 2010 at The Conference Center at OCLC. Click on the link or logo above for all the details, including registration, a list of the other presenters, as well as the Twitter feed of #SPSColumbus commentary.

A SharePoint Saturday is a free-to-attend event that serves as a mini SharePoint conference. SPS Columbus will be an educational, informative & lively day filled with sessions from respected SharePoint professionals & MVPs, covering a wide variety of SharePoint-oriented topics. SharePoint Saturday is FREE, open to the public and is your local chance to immerse yourself in SharePoint!

So, if you're in Central Ohio, and interested in SharePoint - whether you need the latest information on SharePoint 2010 or are still trying to make the best use of SharePoint 2007, this is the place to be! I hope to see you there...


Apr-29 2010

SharePoint 2007 Security Vulnerability - Action Required

Stop the Presses!

Microsoft has announced the discovery of a cross-site scripting vulnerability in the SharePoint 2007 (and WSS 3.0) Help system. Although they are still investigating the root cause and working on a long-term solution, they have provided a workaround which will mitigate the only known (at the time of this writing) attack vector. You can read the details of the vulnerability and a server-side workaround in Security Advisory 983438. The Security team have also posted some more explanations about this class of vulnerability and some client-side mitigations in this blog post.

A Little More Info

The vulnerability is what is known as an "injection attack". Essentially, arbitrary JavaScript can be run by being passed as a carefully crafted parameter to the built-in SharePoint Help page. This script will run in the context of the current user's client session, and can therefore perform any actions against the SharePoint site that the user could.

This does not turn the user into an administrator, or otherwise elevate their own privileges. As far as I can tell, it does not (as some reports have suggested) expose the user's password. Update: This is with the default SharePoint authentication. Custom authentication methods could potentially store credentials in an accessible manner. I have no way to test that scenario, but any attacker would need intimate knowledge of how that authentication module worked in order to exploit it. So, while your passwords are probably safe, this vulnerability could allow an attacker to probe for and read any information in SharePoint that the user does have access to, or to vandalize or destroy information the user is permitted to update. Therefore, for the time being I strongly suggest disabling the help.aspx file in the Layouts folder of your SharePoint servers, either by following the instructions in the security advisory or through other means. (At this time, I don't suggest just deleting the file.)

Update #2

It has been pointed out that, although the attack itself cannot (usually) directly glean the user's credentials, an injected script could prompt an unsuspecting user into providing them, thinking the request was coming from your site. This does not change my advice (applying the mitigation procedures), but it should increase your priority in doing so.
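
One way a defender could look for attempts against the Help page in web server logs, as an added example that is not from the original post or from Microsoft's advisory: it scans IIS W3C log lines for requests to help.aspx under _layouts whose decoded query string contains markup. The log lines, the field layout and the parameter name `x` are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log sample (not real traffic); "x" is a placeholder parameter name.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-04-30 09:12:01 GET /_layouts/help.aspx Lcid=1033&Key=NavBarHelpHome 10.0.0.5 200
2010-04-30 09:13:44 GET /_layouts/help.aspx x=%3Cscript%3Ealert(1)%3C%2Fscript%3E 10.0.0.9 200
2010-04-30 09:14:10 GET /sites/hr/_layouts/Help.aspx x=%253Cimg%2520src%253Dx%2520onerror%253D1%253E 10.0.0.9 403
2010-04-30 09:15:00 GET /_layouts/viewlsts.aspx - 10.0.0.5 200
"""

# Characters and schemes that have no business in a help-topic query string.
MARKUP = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded markup is also revealed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_help_page_injection(log_text):
    """Return one record per help.aspx request whose query carries markup."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows below
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # The page lives under every site's _layouts path, so match the suffix.
        if not row.get("cs-uri-stem", "").lower().endswith("/_layouts/help.aspx"):
            continue
        query = fully_decode(row.get("cs-uri-query", "-"))
        if MARKUP.search(query):
            hits.append({"when": f"{row.get('date')} {row.get('time')}",
                         "client": row.get("c-ip"),
                         "status": row.get("sc-status"),  # 200 means the page was served
                         "query": query})
    return hits

if __name__ == "__main__":
    for hit in find_help_page_injection(SAMPLE_LOG):
        print(hit)
```

A flagged request answered with status 200 was served by the page, so entries like that are the ones to review first once the workaround is in place.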


Mar-7 2010

It's a Date!

SharePoint and Office 2010 to Launch on May 12th

On Friday, Arpan Shah announced the official debut date for Microsoft Office 2010 and, of course, SharePoint 2010, on the Microsoft SharePoint Blog. In the same post, he mentioned that the RTM (Release to Manufacturing) will come a few weeks earlier, some time in April.

There are a lot of changes coming in the new versions, so there is also lots of planning to do. I know many of you are planning to move forward aggressively, while many of you will also be on older versions of SharePoint long into the future. Whichever path you choose, it might be helpful to keep the following in mind:

  • Your current stuff will still work, even once the new software comes out. You don't "need" to upgrade immediately.
  • SharePoint Server 2010 requires Windows Server 2008. It also requires that your entire stack, including both Windows Server and SQL Server, be 64-bit.
  • Although you will always get the best results when keeping both the Office client and SharePoint versions in sync, you will still get reasonable functionality with staged upgrades. (Look for information about just how the different version combinations interact soon.)
  • One exception to the previous statement is SharePoint Designer. SharePoint Designer 2007 will not work for SharePoint 2010 sites. Conversely, SharePoint Designer 2010 will not work with anything except SharePoint 2010 sites.
  • On the Office client side, even if you are using 64-bit Windows, you can still use the 32-bit Office. This is critical, because you cannot mix and match 32-bit and 64-bit versions of Office on the same system. Naturally, you can't use 64-bit Office on 32-bit Windows in any case.
  • No matter what version of SharePoint you are on, a failure to plan is a plan to fail. Think about how you want to use SharePoint in your company before you deploy it.

This is going to be an exciting Spring in the SharePoint world, and I can't wait to help you make sense of it!