https://research.eye.security/sharepoint-under-siege/
https://krebsonsecurity.com/2025/07/microsoft-fix-targets-at...
https://www.bleepingcomputer.com/news/microsoft/microsoft-re...
https://www.muellershewrote.com/p/the-epstein-cover-up-at-th... | https://archive.is/RZqU0
> The process of reviewing the Epstein and Maxwell files was chaotic, and the orders were constantly changing - sometimes daily. One person I spoke to on the condition of anonymity said that many agents spent more time waiting for new instructions than they did processing files. But here’s what caught my attention: the files were stored on a shared drive that anyone in the division could access. Normally, access is only granted to those working on a project, but because of the hurried nature of the exercise, the usual permission restrictions were not in place. Additionally, the internal SharePoint site the bureau ended up using to distribute the files toward the end did not have the usual restricted permissions. This left the Epstein and Maxwell files open to viewing by a much larger group of people than previously thought.
Microsoft was pushing companies to use its Azure cloud services. Now everything is in the cloud. And accessible to WWW.
Probably not since there are so many of these breaches people just ignore them.
I miss the old days when a breach involved someone breaking into the computer room and grabbing as many mag tapes as they can carry and run :)
The reason orgs use Sharepoint is they are forced to if they use Microsoft. One drive is sharepoint, teams is sharepoint, sharepoint sites is sharepoint, etc...
I'm sure all those things have better alternatives, but Microsoft shoves them down your throat when you license with them.
I'm not saying that wouldn't be better, but it makes sense why an org would be reluctant. Again, not a fan of Sharepoint myself, but from an org's viewpoint, moving to Linux raises more problems than it solves.
To some extent I think Microsoft is largely in the business of building solutions for problems that don't exist.
Most orgs are probably perfectly fine with a document management system + desktop word application and then a commercial NAS for bulk storage / backups.
You’ve got it backwards. Everything M365 is an amalgamation of Entra, SharePoint, and Exchange.
We’re on Microsoft 365 and technically fall into the camp of “uses SharePoint”, but only for “shared network folder” usage which OneDrive seamlessly synchronizes should you dislike the web interface. We don’t actively use any other features of it.
Also worth mentioning that realtime collaboration and automatic versioning of Office documents is seamless for files on SharePoint, even if opened on a desktop on a OneDrive synchronized folder.
Files shared over Teams as well as meeting recordings are also stored on SharePoint.
My point is that SharePoint is used a lot but possibly not in the way one might have assumed.
I don’t know if self hosted SharePoint can do all this.
50 % of the time.
But SharePoint is the linchpin for Microsoft 365. Well technically SharePoint and Exchange. You can’t use any Microsoft 365 products without SharePoint.
OneDrive uses SharePoint. Outlook Groups and Teams Channels create Microsoft 365 Groups. Every Microsoft 365 Group creates a SharePoint site. Microsoft Loop uses Microsoft SharePoint Embedded.
SharePoint is now a “file and document management system suitable for use in any application”.
So, if you want an alternative to SharePoint you would need an alternative to any M365 Product, including Outlook and OneDrive.
Fun Fact: Teams messages are actually stored via Exchange Mailboxes.
https://learn.microsoft.com/en-us/sharepoint/dev/embedded/ov...
It's just conflating needs. Document editing and file storage are two different tasks. It's weird that people want everything integrated. It's not much effort to just drag and drop a file into G-Drive, OneDrive, Dropbox, box.com...
See, there’s the problem. Once you touch anything M365, you’re using SharePoint.
People see SharePoint as a document collaboration tool. But, in reality, its real use is as a data storage platform.
But SPO uses Azure Blob Storage to store content rather than SQL databases.
Not really, that's managers' speak. All things SharePoint is just a data swamp.
Not if you want to enable multiple users to be live editing the document at the same time.
Google Docs, on the other hand, works great when you're working together on a document. Too bad they don't have a native client.
Many millions of others seem to do it all the time without issue. I've done it practically every day for many years now and haven't run into sync issues for a long time.
It's not made to sync if two people are trying to open the file off a NAS, it's made for people editing files stored in OneDrive/SharePoint.
But as both examples show, you need to have your document editing and document storage closely working together for multi-user live editing to work. That's something that so far practically only integrated editors/storage platforms offer.
Of course it's quite a poor replacement but it does exist.
What trapped a lot of orgs is making use of the whole PowerPlatform around sharepoint. There's a lot of crusty old LoB apps built with MS's no code tools (PowerAutomate, PowerApps) which run on SharePoint as the delivery platform. Some of these even hook into Excel files stored in the various document libraries, etc. There are entire, large business processes being handled by this platform, and so migrating will require actual dev time, which automatically makes it a non-starter for most, unfortunately. Doubly so when you consider that a lot of these "solutions" were built by non-devs, long since gone from the company and no one knows how deep the tentacles go.
Genuinely asking - is there a Microsoft alternative to eBPF, k8s, nginx?
The answer is NO. The alternative to SharePoint is SharePoint. I would argue such a project is just not needed in general and therefore there is no 'alternative'.
Granted there are countries that act like a Criminal Org., but if you live there you have more issues than your data.
With proprietary software, there is a much larger chance that backdoors exist than in Open Source. Many of us heard of one issue where it was claimed a project had a Gov sponsored BH in it. They did a long audit and found that was false.
Eventually Open Source backdoors will be found in open systems. Proprietary, you are SOL unless you do very expensive and very hard testing. Even then it is doubtful you will find a backdoor.
Plenty of closed source products will happily backdoor their products on request, without a warrant, if they are confident they will never be found out. That's the point. Not that FOSS source is somehow inviolable to nation-states with virtually infinite resources, many of which sponsor or contribute to the finance of a huge percentage of the development of FOSS themselves.
It's easier to find backdoors in FOSS if you're looking, because you're allowed to look. But somebody has to be looking.
We didn't know better back then. We know better now. But migrating is work. So we prefer to suffer! And harm others! These Linux and BSD people are so annoying with their desire for compatibility. They shall suffer, too! And when we buy everything from a monopoly, we don't need to think.
Somehow. Part of the game is that you always have an excuse with Microsoft. You cannot be made responsible? There is this quote about IBM: Nobody Ever Got Fired for Buying IBM.
But I cannot remember stories about suffering from IBM forever. "If something happens, we used enterprise-grade industry-standard software. We did our due diligence."
This outlook is basically why we can't innovate anymore.
I had to recently sit through a meeting where our CTO quoted all the "blogs" he's been reading as a way to slap down my suggestion for an in-house project.
It's all about CYA.
Pay the CYA bill, let the engineers build/choose something that actually works. Win-win.
It's why school boards don't do anything useful, among many many other things in our society. It's an endemic disease.
Most of the time it's extremely exaggerated, but it's trotted out and used as a CYA excuse almost immediately by most in the executive/managerial class. Both due to outright laziness and incompetence, and also as just a... why take any personal risk whatsoever making actual decisions with any impact if I can keep my cushy job and career rolling by being as milquetoast as possible.
Never mind you get the big bucks to make such important and controversial decisions at great personal (career) risk when some inevitably go wrong. Everyone forgot that part. Such roles should be hard, difficult, and risky.
FOSS isn't magically immune to vulnerabilities.
It doesn't help that the FOSS community generally prefers the C programming language over more modern and safer alternatives as a cultural thing. The result is just as many vulnerabilities, if not more, per line of code or per feature. Keep in mind that SharePoint is an enormous product with a 3.6 GB ISO image used to install it. If you think anyone is able to develop that volume of server code and have zero vulnerabilities... I have a bridge to sell you.
An observation I've made about Rust is that because it eschews OOP, it tends not to "scale" to large development teams for single applications. It's great for CLI tools, small web apps, etc... but after some scale it runs out of steam.
This is exacerbated by its glacial compile times compared to other languages, even C++, let alone C#.
I just can't imagine something the size of SharePoint being developed entirely in Rust!
Chromium is similar. It's practically an operating system now, it even has USB drivers! I had to compile Chromium from scratch once, for which I spun up a 120-core cloud VM with 456 GB of memory so that it wouldn't take all day.
With Rust... that would take all week even on that box.
Linux is written in C and "scales" to large teams. If folks were willing, I think most of Linux could be written in Rust.
I contributed to a Tcl/Tk library that I was using at work that had a specific issue with some image files, so I fixed it internally, and contributed the fix back to the FOSS project (with permission from work).
Valid point about the image size. A possible sign for bloat? Bloat is danger.
Second:
C, C++ or Rust are our tools. Everyone prefers another for technical and personal reasons. A religious belief in salvation by the next programming language is not helpful and causes harm. I hope sanitizers for C/C++ improve further; they have already improved safety a lot. For C++28 or C++3x we can hope for further safety improvements, which we need.
Most bugs are logic errors. SharePoint is - according to my knowledge - implemented in C#. The CVEs mention deserialization of untrusted data, improper limitation of a pathname to a restricted directory ('path traversal'), improper control of generation of code ('code injection') and so on.
I'm rather careful about people requiring another language and claiming it will fix everything. Reliability needs hard work (design, code, review, testing... more review) even with well-selected tools. I guess Microsoft does that. And I guess Microsoft works like the rest of the industry: focus on time-to-market and building a monopoly in every area. That's why we see rapid updates in a lot of areas and, worse, enforced updates. And why software is known for its low quality in comparison to other industries.
Examples:
GNOME opted to use JavaScript in the hype back in 2010:
* JavaScript reduced compatibility compared to C/C++.
* They suffered a lot from memory-leaks. Due to JavaScript.
* The run-time modification seems not to be a big benefit.
* Extra dependencies for JavaScript. More memory usage.
The code matured and it works now rather well. I didn't like the decision back then. I don't like it now. But I also don't request a rewrite in C, C++, Rust or Python. Without good reasons (plural) it doesn't benefit the project. Java also suffered. This rewrite of C++ to Java with JRE is an example of why rewrites for the sake of rewrites aren't a solution:
https://neilmadden.blog/2022/04/19/psychic-signatures-in-jav...
There is no magic. Only thorough work.
We will always suffer from security issues and we shall be always careful.
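Two of the weakness classes the comment above lists, path traversal and deserialisation of untrusted data, each shown as a vulnerable call beside a hardened one. This is an added illustration in Python written for this page; it is not SharePoint code and not taken from the CVEs. The document root, file names and pickle payload are constructed for the demo, and `os.getcwd` stands in for the callable an attacker would really name.

```python
import io
import os
import pickle
import posixpath
from typing import Optional
from urllib.parse import unquote

DOC_ROOT = "/srv/docs"  # constructed document-library root for the demo


# ---- Path traversal (improper limitation of a pathname to a restricted directory) ----
def resolve_unsafe(base: str, requested: str) -> str:
    """Vulnerable: join and normalise with no containment check. '..' segments
    walk out of base, and an absolute 'requested' replaces base outright."""
    return posixpath.normpath(posixpath.join(base, requested))


def resolve_safe(base: str, requested: str) -> Optional[str]:
    """Hardened: decode once, unify separators, reject NUL bytes and absolute
    paths, normalise, then require the result to stay inside base. Returns None
    on rejection so no partial path ever reaches the caller."""
    decoded = unquote(requested).replace("\\", "/")
    if "\x00" in decoded or posixpath.isabs(decoded):
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded))
    # commonpath rather than startswith, so '/srv/docs2/x' is not accepted as
    # lying under '/srv/docs'
    if posixpath.commonpath([base_norm, candidate]) != base_norm:
        return None
    return candidate


# ---- Deserialisation of untrusted data ----
class _ArbitraryCall:
    """Stands in for an attacker-crafted object: pickle records the callable
    returned by __reduce__ and calls it on load. os.getcwd keeps the demo
    harmless; a real payload would name something like os.system."""

    def __reduce__(self):
        return (os.getcwd, ())


MALICIOUS_BLOB = pickle.dumps(_ArbitraryCall())            # constructed 'untrusted' bytes
BENIGN_BLOB = pickle.dumps({"owner": "alice", "size": 3})  # constructed ordinary payload


def load_unsafe(blob: bytes):
    """Vulnerable: pickle.loads runs whatever callable the blob names."""
    return pickle.loads(blob)


class _RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: only these plain containers may be resolved by
    name; any other global (os.system, subprocess.Popen, ...) is refused."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_safe(blob: bytes):
    """Hardened: same wire format, but globals outside the allow-list raise."""
    return _RestrictedUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    """True if the hardened loader refuses the blob."""
    try:
        load_safe(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    for req in ["reports/q1.docx", "../../etc/passwd", "/etc/passwd",
                "..%2F..%2Fetc%2Fpasswd", "..\\..\\etc\\passwd", "../docs2/secret"]:
        print(f"{req!r:28} unsafe={resolve_unsafe(DOC_ROOT, req)!r:22} "
              f"safe={resolve_safe(DOC_ROOT, req)!r}")
    print("unsafe loader ran the blob's callable:", load_unsafe(MALICIOUS_BLOB))
    print("hardened loader rejects it:", is_rejected(MALICIOUS_BLOB))
    print("hardened loader still reads ordinary data:", load_safe(BENIGN_BLOB))
```

The containment check is string-only (`posixpath`) so it runs the same on any host; on a real file store you would additionally resolve symlinks with `os.path.realpath` before the `commonpath` comparison, and decode the request exactly once, at the layer that owns the encoding. For the deserialiser, the point is that the fix is not a different parser but an allow-list of what may be instantiated; the same idea applies to .NET's `BinaryFormatter`-style formats, where the safe answer is usually a data-only format such as JSON.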
Countries are run by politicians. The ability of a politician to remember something is inversely proportional to the sum of money that landed in their account.
I don't understand how often this design has to blow up in people's faces until they stop doing this and use something dumb and safe instead.
I hope so. We're seeing it now though. Germany, Norway.
Not saying there won't be CVEs when they move, but at least there's freedom and openness already available to switch to.
Would the CCP allow their cloud infra to be administrated by US staff in the US? Never.
> A programming flaw in its cloud services also allowed China-backed hackers to steal email from federal officials. On Friday, Microsoft said it would stop using China-based engineers to support Defense Department cloud-computing programs after a report by investigative outlet ProPublica revealed the practice, prompting Defense Secretary Pete Hegseth to order a review of Pentagon cloud deals.
Anyway, from what I can tell being in this industry, a lot of things need to be explicitly illegal to stop companies from doing it.
Edit: The penalties also have to be meaningful. There's a lot of "technically not legal, but sue us lol" going on.
"Hey, this is a really really stupid idea." Isn't going to stop a middle manager from trying to come in under budget.
At most MS will pay a nominal fine, and proceed to learn nothing.
Microsoft also has a captive market here. Realistically you aren't going to migrate millions of employees and servers to another tech stack, even over something egregiously bad.
Something like storing cleared data really should be handled 100% internally with an open source stack that's regularly audited.
But that sounds really difficult, even if it would be cheaper or the same price in the long run.
I didn't suggest preventing the fulfillment of existing contracts. Nobody would change for all customers. They just wouldn't get any new contracts.
Sanctions already exist.
So after the current contract do you switch stacks, or just have a 3rd partner Microsoft shop maintain your existing stack?
Regardless, I don't think our current legal system has any real ability to hold a company like Microsoft accountable.
But yeah I don't know any party who has such ideas.
Neither is "you can go to jail" when it comes to export controls training
IIS, which SharePoint runs atop, is presumably written primarily in C.
You can decompile most of SharePoint if you ever need to peek at the code. That's a huge advantage to figure out how it works.
Seriously, I haven't used it since 2017, but every time I used it then it was the worst part of my day. I used to have a shirt that said SHarepoIT Happens that I would wear to work, and it seemed like the one thing I could get my coworkers agree on was that Sharepoint is terrible and we'd rather use anything else.
I have worked at an org that did the same. We already had Confluence. Somebody decided we needed Sharepoint. We licensed and installed it. Six months later we migrated the handful of documents and files and decommissioned it.
probably so. every corp I've worked for that had Sharepoint used it religiously. that is a whopping 3 different companies, but > 1 anecdotal experience. to be fair though, 2 of the 3 companies used it because the same person was at both companies and was responsible for using it at both companies during their tenure.
This is actually a great day for Microsoft. People will come to their cloud solutions in droves after this and everyone will be happy. Maybe not everyone, but Microsoft for sure.
nevertheless, even NFS is better than sharepoint. At least, NFS works...
Teams is actually SharePoint.
It ain't going anywhere
Here’s just one example:
Each M365 Teams Team creates an M365 Group which creates a SharePoint site and Exchange mailbox. Teams channel files are stored in that SharePoint site. Teams channel messages are stored in the Exchange mailbox.
Private files dropped in Teams are stored in OneDrive (rebranded SharePoint). Private Teams messages are stored in the sender and recipients’ Exchange mailboxes.
M365 is SharePoint and Exchange. EVERYTHING is built on top.
EDIT: changed ‘individual’ to ‘sender and recipients’
Good lord. It truly is a layer of dung layered upon more layers of dung.
Imagine if it was just a hidden (special) folder in an Exchange mailbox.
Voila, you already have a well-known and widely implemented and tested message syncing solution both for content and status (read/unread)
I assume Windows Phone worked the same way with its text message backup. When you'd set up a new phone it would take a while for your Microsoft account to finish syncing during which new messages would trickle into the Messaging app in real time. In fact if your old phone was still on WiFi new messages would show up on both. Still more advanced 15(?!) years ago than my Android today
very slowly
and why the search doesn't work
Nothing works really well nowadays with exchange (classic, new, web, ...) or Teams. It is a complex layer based on sharepoint, that was not designed for that, because OneDrive is so bad that they have absolutely no way to manage a proper sharing of files between multiple persons, and so even less between teams and orgs.
I once figured out that you can go to the permissions page on the SharePoint site created by Teams and remove access for the corresponding M365 group.
M365 relies on SharePoint and Exchange, but they don’t rely on M365. So, you can potentially break Teams.
There are so many companies and businesses that rely on offline data, or silo'd data, that will be tied to their AD LDAP account permissions; M365, Teams included, is such a better option than hand-rolling all of them and praying you configured every service correctly.
Using this infra for teams makes sense since it already works well. As one poster said, its probably via some hidden folder.
I wonder what they did with skype, did they actually integrate any of it into teams or just dump it entirely?
I used to work within the Office group. The way that data is organized in Exchange is mind-boggling -- and not in a good way, IMO. Its design is from decades ago, and trying to understand how to find something really takes a lot of experience. Without going into any gruesome details of how it works, I'll just say that it is a HUGE hurdle to being productive for day-to-day work.
Similarly, I'm not surprised that there's some kooky way that the Teams folks shoehorned their data into the existing Exchange system -- they probably have no other way to operate at that scale without taking years in writing their own database system. (I can't imagine that using SQL Server to do this would be viable, either, given what they want to do and the capabilities already built on top of Exchange.)
I assume you're talking about MAPI, which owes some of its baroque nature to X.400. It definitely comes from another time. It always struck me as over-engineered.
On the other hand, it has also been ridiculously successful.
Contacts and voicemail are stored in Exchange.
Diagram of data storage locations: https://youtu.be/V6B4KraD-FM?feature=shared&t=454
M365 Groups are still SharePoint + Exchange.
Why do I have a useless "General" folder in the root of my SharePoint documents, which I can't delete? I don't even have access to Teams, because I'm using the Teams-less M365 subscription for EU users.
Every day I think more and more that I should just switch provider for my small company.
The fact that Sharepoint sucks* doesn’t matter… because anything else is seen as a risk.
* folders with lots of files are hard to scroll through because each page is lazy loaded, the automation functions are buggy, logins between different M365 tenants breaks and is not correctable by a normal site admin, human readable URL paths aren’t standard, search is shit, tables/filters are buggy, the new interface hides a bunch of the permissions logic, some things like permission groups need to be managed via outlook, etc etc. I’m sure a bunch of my gripes are technically fixable, but these aren’t things that should need a web search in order to use/fix.
The sales pitch was that they could upload documents to SharePoint and when people downloaded the documents SharePoint would automatically apply DRM so the documents could only be opened by that person on authorised machines for a specified number of days.
Well, it turned out depending on how you logged in (using the same account, just different login forms) on the SharePoint server it would either give you the files with DRM applied - or the completely unrestricted files.
We got some senior Microsoft consultant working directly for Microsoft to look at it but in the end they were just as confused as us.
The only reason to get downvotes is nonsense of prefacing the post with the 'worry'. Sharepoint would be far from a first choice under normal circumstances (e.g. not bundled with excel and friends)
"The process took six hours Saturday night — much longer than it otherwise would have, because the threat-intelligence and incident-response teams have been cut by 65 percent as CISA slashed funding, Rose said."
One does wonder whether this was all part of Musk's vision, or more thanks to the scum he hired to staff Dog coin and/or other lawless opportunists in the Trump administration.
[1] https://www.washingtonpost.com/immigration/2025/04/16/medica...
[2] https://www.reuters.com/technology/cybersecurity/whistleblow...
That anyone gives a word they say the time of day is actually crazy.
The problem is that while common sense would dictate those nonsensical expenses as such, they were part of the official process, so it was all legalized, so they avoid the FWA labels because the rule writers have made it so.
Interest is trivially accounted for. We know how much debt is outstanding.
Social Security and Medicare expenditures are well within 5% of what should be expected, given the total population of the US and its age distribution.
Your God Awful amount of waste, fraud and abuse reduces to a fraction of a fraction of the total budget. A tiny fraction of a big number may be a big number, but it simply doesn't matter structurally.
The only way out is to cancel the entire military, slash social security or raise taxes. The rest of the stuff (even if it is purely waste with no useful purpose) simply doesn't add up to enough dollars to fix the budget.
I know this isn't what anyone wants to hear, but numbers are numbers and you can't just wish away unpleasant realities.
Of course in proper propagandist fashion, we only ever hear about how much money the undeserving poors got, and nothing about the millions upon millions of dollars in loans given to private businesses and their owners that were definitely, 100% used for them to weather the pandemic, and later forgiven despite being explicitly loans.
MS's hosted version of SharePoint. It's apparently unimpacted by this current round of attacks. DOD (since it's been brought up by other commenters) makes significant use of this.
People hosting SharePoint instances themselves. Some on-prem, some with rented computers. These are the impacted ones. It's not about "the cloud", it's about hosted SharePoint having weaknesses that were exploited and many organizations apparently leaving their SharePoint instances accessible over the open internet. These hosted instances are also probably old and unpatched which doesn't help things. Some (many?) units within DOD make use of this, but definitely not all.
It's interesting to me that you'd go to the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
What a pity that CISA has been purged down of effective useful people and turned into another sad selected-for-political-compliance-only force.
Arizona recently got attacked from Iranian hackers & didn't even bother trying to get help from CISA. https://archive.is/2025.07.19-143305/https://www.azcentral.c...
CISA is so so vital. Investigating incredibly wide ranging attacks like this, or the Salt Typhoon attack are vital for this nation. But the show is being run by a bunch of people who value political dogma far above anything else. https://www.techdirt.com/tag/cisa/
So you don't do that. You use zero trust and don't care that things are exposed to the internet.
Working from anywhere (remote sites, home, your phone) is a huge benefit. Organizations want to control their data entirely while still wanting their organization to be able to access it.
With a VPN the attack surface of this vulnerability would have been miniscule compared to a publicly accessible zero-day RCE
(And it's not like you have to allow carte-blanche access behind the wall)
Defense in depth!
The other salient point is that all connections are established outbound through a broker, and importantly this is the case from both sides: The appliance at the terminating end of the tunnel establishes reverse tunnels to the broker for the connections, so it's never "exposed to the internet".
The broker can then push to your SIEM or whatever so you can have your SOC log jockeys harass your employees for accidentally leaving NordVPN on after watching international sports.
There are actual benefits: You can do things like allow logins to system A from anywhere, but system B only from your home country, you can do JIT network access requests, etc... but mostly it's vendor marketing to get you to spend too much money.
They can be implemented using a variety of technical patterns but they all share a common "each request is authenticated, encrypted" property instead of "anything goes once the tunnel is up" property.
And yet every customer of mine has some of their servers on a VPN. At the very least they enable ssh only on ports on the private network.
My way of mapping it to VPN mindset is "per app clientless VPNs straight to where the things are hosted". In an extremely open ruleset with all of the servers on a corporate network this could theoretically devolve into "a traditional clientless VPN to the office".
It doesn’t matter what network you are connecting from, but it does matter that you’re connecting from a company-issued laptop that’s in a trustworthy state.
The big difference is once you’re in, with a VPN you have direct access to the whole network.
With a zero trust setup, access has to be granted to you (or your ACL group) on a per-application basis. It makes it much harder for an attacker to move laterally when everything is default-deny.
- You must "VPN in" to access any corporate resources of any type, even ones on the corporate network when you're sourcing from the corporate network
- The client forms a separate "VPN connection" (can be clientless, but same concept) per app you access, rather than assuming a single parent VPN server can get them to any resource
- Every default ruleset started with deny all and only specific allow rules were added over time
Then you've got enough to call it a zero trust implementation. You can also take things the other way, i.e. you could "deconfigure" a zero trust setup to look and function almost exactly as a normal corporate VPN tunnel.
Rather than go through this whole thread each time, people just refer to all of this as "zero trust networking".
In a pure implementation, the same level of trust is implied (absolutely none at all) whether a device is connecting to a resource from the public internet or the same subnet.
It's software your employer pre-installs on your work PC, that asks you to log in with your work SSO credentials, performs some endpoint security checks, then routes your traffic over a virtual network adapter, and thereby allows you to access workplace resources, even when working from home.
The main difference is it adds some semi-authenticated states. Correct device, username, password, and 2FA, but failed a device posture check because they plugged their phone into their laptop to charge it? The 'Zero Trust' system can block some systems, while letting them retain access to others.
The other big difference is the pricing - rather than paying a five-figure sum upfront for networking hardware, you instead pay $25 per employee per month, forever.
this is not a requirement of zero trust.
The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.
In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.
Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.
[1] https://www.microsoft.com/insidetrack/blog/securing-the-bord...
TBH several pillars are missing from their entire security posture.
It’s a symbiotic relationship that allows them to stop having to spend resources to compete in the market on merit.
What does it mean in technical terms? What kind of tunnels are whose and what is their purpose?
Basically a policy evaluation point (PEP) evaluates the security posture of both parties before and after a handshake, then creates a logical or physical path of some kind of between the actor and the resource. This can be done with software-defined virtual networks and stateful firewalls, at one or more of the OSI layers.
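The per-request, default-deny evaluation that the last several comments describe, reduced to a small policy engine in Python. This is an added illustration written for this page, not any vendor's product and not the NIST SP 1800-35 reference build; the users, groups, resources and the "NL" home country are constructed. It shows the three properties argued above: network location is logged but never trusted, a failed posture check blocks some resources while the low-sensitivity one stays reachable, and a resource with no rule is unreachable for everyone.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

HOME_COUNTRY = "NL"  # assumed home country for the geo-restricted resource


@dataclass(frozen=True)
class RequestContext:
    """Attributes the policy engine sees for one request. source_network is
    recorded for the audit trail only; no rule consults it."""
    user: str
    groups: frozenset
    mfa_passed: bool
    managed_device: bool
    posture_ok: bool      # disk encrypted, EDR running, no unexpected USB device ...
    country: str
    source_network: str   # "corp-lan" or "internet"


Predicate = Callable[[RequestContext], bool]

# Per-resource allow rules. A resource with no entry is unreachable for everyone.
RULES: Dict[str, List[Tuple[str, Predicate]]] = {
    "wiki": [
        ("any staff member, healthy posture not required",
         lambda c: "staff" in c.groups),
    ],
    "hr-portal": [
        ("HR group on a device that passed posture",
         lambda c: "hr" in c.groups and c.posture_ok),
    ],
    "finance-db": [
        ("finance group, healthy posture, home country only",
         lambda c: "finance" in c.groups and c.posture_ok
         and c.country == HOME_COUNTRY),
    ],
}


def baseline(ctx: RequestContext) -> Tuple[bool, str]:
    """Checks every request must pass before any resource rule is consulted."""
    if not ctx.mfa_passed:
        return False, "MFA not satisfied"
    if not ctx.managed_device:
        return False, "unmanaged device"
    return True, "baseline ok"


def decide(ctx: RequestContext, resource: str) -> Dict[str, object]:
    """Evaluate one request against one resource. Default deny: the only path
    to an allow is a rule for that resource whose predicate holds."""
    allow, reason = baseline(ctx)
    if allow:
        allow, reason = False, "no rule grants access (default deny)"
        for label, predicate in RULES.get(resource, []):
            if predicate(ctx):
                allow, reason = True, label
                break
    return {
        "user": ctx.user,
        "resource": resource,
        "source_network": ctx.source_network,
        "allow": allow,
        "reason": reason,
    }


def audit_trail(requests: List[Tuple[RequestContext, str]]) -> List[Dict[str, object]]:
    """One decision record per request, in the shape you would ship to a SIEM."""
    return [decide(ctx, resource) for ctx, resource in requests]


# Constructed sample contexts.
ALICE_PHONE_PLUGGED = RequestContext("alice", frozenset({"staff", "hr"}),
                                     True, True, False, "NL", "internet")
BOB_ABROAD = RequestContext("bob", frozenset({"staff", "finance"}),
                            True, True, True, "US", "internet")
BOB_AT_HOME = RequestContext("bob", frozenset({"staff", "finance"}),
                             True, True, True, "NL", "corp-lan")
CAROL_NO_MFA_ON_LAN = RequestContext("carol", frozenset({"staff"}),
                                     False, True, True, "NL", "corp-lan")

if __name__ == "__main__":
    for record in audit_trail([
        (ALICE_PHONE_PLUGGED, "wiki"),        # allowed despite failed posture
        (ALICE_PHONE_PLUGGED, "hr-portal"),   # denied: posture required
        (BOB_ABROAD, "finance-db"),           # denied: wrong country
        (BOB_AT_HOME, "finance-db"),          # allowed
        (CAROL_NO_MFA_ON_LAN, "wiki"),        # denied: being on the LAN buys nothing
        (BOB_AT_HOME, "payroll-legacy"),      # denied: no rule exists
    ]):
        print(record)
```

Each call to `decide` is independent, which is what "per request" means in practice: there is no session-wide "you are in" state that a later request can ride on, so a posture change between two requests changes the answer on the next one. A real policy engine would pull these attributes from the identity provider and the endpoint agent rather than a dataclass, and the decision records are what the broker pushes to the SIEM.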
How is this PEP better?
Once upon a time Microsoft marketed it as, and a lot of Orgs adopted SharePoint as their Intranet. With SharePoint 2019 being sunset, a lot of Orgs are scrambling to implement replacements.
I never remember thinking years ago how nice it would be to have all of our private docs that we only need to access on our private network accessible to the public. I just wasn’t thinking outside the box enough.
It likely will be entirely contained, at least in theory. Because is your IT and OT isolated? They should be, but man could I tell you something about the energy and public sectors... Let's just say, that if you're in an organisation with any sort of OT, then you may as well assume that everything you have is facing the internet in some way. I suspect it's frankly like this in any sort of enterprise organisation getting worse the more the org views IT purely as a cost center.
This is why we don't just rely on things like VPNs. Everything we have uses port security (MAC addresses) at a much more granular level than the VPN does. At least for the parts of our systems landscape where this is possible. With something like SharePoint it's hard to allow specific devices because it's usually something everyone should have some sort of access to. Then you have all the organisations where SharePoint also has some sort of non-VPN access because some CEO-level person wanted it at one point since they can't be bothered to bring a work PC to their holiday home.
When folks wanted SharePoint as their "web server", I would set that installation up entirely separated from all other instances they might have on the network.
The Secretary of the Navy's page (at https://www.secnav.navy.mil/Pages/default.aspx) for instance, is a Sharepoint site. I used to maintain a Navy website hosted under there, and had a bunch of Hugo-specific scripts to convert a Hugo static site into something I could upload to the Sharepoint and have it mostly still work (which involved things like rewriting links and renaming files to end in .aspx).
What I was kind of implying is that if the codebase is not that different maybe there has been a complete breach of office365 and Microsoft has stayed quiet about that.
I think the shift away started in 2013 or 2014, but you can imagine the throw away effort spent on it.
Not sure about microsoft.com, but office.com frontend "rendering" SharePoint instances were read-only, not plain SharePoint exposed as-is.
It's the go-to warm-up joke whenever someone in the military gives a speech.
I’m also shaping a Pro tier and would love your input. Some of the things I’m working on:
Full access to all alerts (not just critical)
Fine-grained filtering (vendor, product, CVSS score, tags)
Delivery via webhooks, Slack, Teams, PagerDuty, Splunk, other SIEMs
A “Time Machine” view so you can preview what you would’ve received had you been subscribed earlier
Would love to know what you’d want in a tool like this. Anything missing that would help your day-to-day in cybersec or research?
No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned."
So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?
Maybe [0] will be one, eventually, but it would take a long long time to replicate the functionality if it were to ever happen. Best case scenario is that the EU were to fund an open source solution.
[0] https://www.techradar.com/pro/mozilla-launching-thundermail-...
https://arstechnica.com/information-technology/2024/04/germa...
Money changing hands between suitable people who pop up together at the right social occasions is the priority.
The country can't go bankrupt and you just found another one.
Yes, when a country messes up they have to actually fix things, there is no way around it. Except getting merged into another country - like my birth country, the GDR, ended up as West Germany's problem (but its people still had to do the work).
Also, if big enough companies (and banks) fail, it is the same. Not having a strong government would not help either; in such cases the companies would be the government, as we saw in even wilder times of huge companies and much less state in the US some century or two ago.
At some point in the hierarchy you have to live with not having omniscience and accept that sometimes things don't work out, and that you can't just walk away from the consequences of those failures.
Not in my experience. Connections are more important than competence in big corporations. The bigger the company, the more it works like the old Soviet Union.
In my experience you only really get fired when the command from top comes to cut X% of the workforce (sometimes this is yearly due to stack ranking systems) but even then the best way to keep your job is not doing a good job. In actuality it is connections (being good friends with your boss)
For small companies, they just look at the "winner"'s operation, not including the "waste" of the other 39 "losers" that failed.
Where is the equivalent tech on the Linux side that Red Hat developed? They simply didn't have a competitive enough alternative. Usually anything outside of the cloud/web server space, you'd find alternative open-source projects rotting with unclear ownership and year-old last commits. Red Hat and the Linux world weren't interested in developing those things. They weren't interested in making competitive user-friendly alternatives that enabled non-programmer users. It is hard, thankless, soul-crushing work that nobody does anymore since Microsoft bought or eliminated them. There are simply no equivalent alternatives in the open source world because competing with Microsoft requires accepting significant losses as a company for a long time. Google Workspace is a thing only because Google can finance its developers with ad money.
Just having Linux is no golden key to security either. You need to put the exact amount of barriers in front of your on-prem servers regardless of the OS.
The whole security mess is just the symptom of capitalist economy. Most companies give 0 fucks about it because caring about security is costly and time consuming. With the race to the bottom for first-to-market, caring about security is a risk, it is a distraction. They ignore it until they establish a position and maybe their misdeeds become a liability. However, no company got actually severely punished for not caring about security. So it is still seen as cost by many.
For the longest time desktop Linux simply tried to clone Windows/macOS. Eventually Red Hat came to dominate GNOME enough that it developed a bit of its own personality, but the kernel and software distribution approach always held it back from even matching its competitors in usability, which wasn't even close to enough. Apple have executed excellently for decades and even they only made progress in the pure consumer space, the enterprise space is one they never tried to attack despite having the money needed to do so.
Capitalism isn't the problem here. Communist software isn't exactly famous for being impenetrable, in fact it's more famous for hardly existing at all. Google and Apple are highly capitalist, and their security stance is much better. The problems at MS are deeper.
And I also did not say that zero days are a once a month thing, I said that vulnerable Microsoft software is a once a month thing.
But, for enterprises, the only reasonable migration away from Windows is Mac. JAMF Pro for Mac can be hosted on-premise on Linux. The majority of enterprise software runs on Mac. However, Macs are expensive so it's unlikely to overtake Windows enterprise machine usage.
Hardware support for Linux PCs is poor and lacks the manageability of Windows PCs with Active Directory and GPO, or JAMF for Macs. Enterprise software usually doesn't support Linux. Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux.
I would dispute the "hardware support" comment. Linux has pretty good hardware support nowadays. And "enterprise" software is a vague term here. For desktop Windows, of course Microsoft will have that covered every which way, but for things such as authentication, authorization and security, Linux has a place. A comment about adding "Redhat" to the mix is not talking about desktops (necessarily) but servers and security.
Buy your linux laptop fleet from Framework, System76, Starlabs etc and you won't have any problems like that. You might have OTHER problems, but not that one.
Even in corporate, there's basically two vendors - Dell, and a distant second Lenovo, with Apple having a foothold in niche usecases.
There’s a reason why corporations use HP and Dell machines. And there’s a reason why HP/Dell/etc don’t have Linux OSes on their corporate client machines. Well, they do, but companies don’t care to order them for the other reasons people have listed here.
You are right that not all devices work perfectly, but the Bluetooth headsets, Bluetooth mice, conference rooms etc. that the company supports are tested for compatibility before being bought by our IT department.
Why would you use RHEL to manage Windows client machines, when you could use Windows Server/Azure and get Microsoft support?
Microsoft sure has a lot of warts, but even as a Linux enthusiast, I cannot deny that Outlook "Just Works" with a frankly shocking set of basic stuff. Login for the first time, check your email, hey there's your meeting with your manager on your calendar, and now we can add new events just by putting you in this group, etc etc. There's dozens of little integrations baked in here that a tech enthusiast could feasibly replace in isolation, all of which vanish the moment you turn off the Exchange server or whatever it is. It's way more complex under the hood than most people realize, which is why "ditching Microsoft" so often turns into "Adopting Google Apps", as they have a similar turnkey solution to most of the same problems.
Not meaning to be a big ball of negativity, but as I haven't really explored here... in the FOSS space, what is the equivalent? Which tools are the most polished, and what server backends could be hosted on-prem to gain the same basic integrations with login, email, calendar, chat, and video conferencing?
Everyone above middle-manager level lives in meetings, which means that the calendar is a critical piece of productivity software for them, and they want the comforting familiarity of Outlook. Which means they get to impose that on a whole organization.
The company that should be doing this kind of integration is Red Hat, but they've never quite managed it.
The open source solution space is probably LDAP and CalDAV, but as you say, nowhere near as conveniently integrated.
AD integration and desktop management solutions rule the Windows desktop. But not Macs in an organization, which are an absolute pain to manage, and yet somehow persist.
Perhaps it's not enough for there to be a "push" to Open Source because you've been failed by a proprietary solution, there needs to be a "pull".
Absolutely. A company isn’t going to create a GitHub issue and wait around. You can’t make service agreements with FOSS. There needs to be market forces to sell this software to corporations and it’s a hard sell.
MS, for all its flaws, welcomed, targeted and tried to support scale operations in larger business environments (imaging, AD, GP, SuS, BitLocker, ...).
Also, if your only option to fix a hardware problem was to "visit the Genius Bar" and wait 6 weeks for a machine to come back, vs the Dell/HP/... service of "same day onsite repair", what is IT going to prefer for client computers?
For large enough businesses Apple will let you do your own self-service repairs too. On-site. Order the part and you're still in warranty.
This is a huge factor. There are a lot of people who’ll curl up into a ball if you try and get them to use something new.
Side 1: the workers, especially the labor portion, are extremely resistant to learning new ways to do things unless you can prove, beyond the shadow of doubt, that the new way will be easier than the old way (aka, less to remember/think about) but also does not diminish the quality of their work or increase the perception that their coworkers might see them as having it easier than them.
Side 2: the people responsible for purchasing and resource allocation often do not know what they are buying. In any shop, if you say "we need new PC's for the office" the first thing the purchaser will do is ask a supplier for a deal on a fleet of Dells because that's just what they've always done. If the company is larger and has an actual IT department, they will just provide Windows PCs because that's what they were trained to support. The alternative, Linux, is never considered because they simply don't know anything about it and it's not being offered by their suppliers anyway, so why learn?
I wonder how quickly that’ll change with the generations. The kids these days use Android and iOS, right?
A huge portion of the desktop and server market are running Windows. It used to be almost all Windows, at least on the desktop. Nowadays mobile computing has become far more important so Windows doesn't have the end user dominance it once did, but there are still a huge portion of end user devices running Windows.
Same on the back end: it's just a big juicy target, and the bang for buck that hackers get from it is huge given how prevalent it remains in corporate and government environments.
SharePoint isn’t Windows. It’s a Microsoft product that’s only available for Windows Server. But it’s not Windows.
The reason I make that distinction is because if you widen the scope of services available on Linux then you might come a lot closer to the same volume of issues.
For example, take a look at how frequently CVEs are raised against popular CMSs.
I mean, Linux isn't even Linux - At the risk of invoking a meme: Linux is actually GNU + Linux; and even then there's a web-server on top, and software that it runs.
So, a working comparison might be Wikipedia? As far as I understand it; that's the largest CMS on the planet.
As mentioned, even if we exclude websites, Linux is a pretty enormous target. Much more enormous than microsoft - by an order of magnitude or more, yet: we don’t seem to have these kind of issues. Curious, don’t you think?
Microsoft’s back office suite is massive. So you’re talking about Nginx + a CMS + online office suite + video conferencing + identity providers and so on and so forth.
There isn’t really a direct comparison in the FOSS world. It’s either smaller in scope or smaller in terms of high profile organisation adoption.
This is why I think it’s easier to ignore the “Linux” part. Not because Linux is technically a kernel, but because there isn’t a directly comparable solution that targets Linux / GNU or whatever other base OS moniker you want to use. Same is true for BSD, Darwin and so on.
The alternatives to Microsoft’s dominance are typically more narrow in scope and usually proprietary too (eg Okta for identities, Google Docs for O365, etc)
Does this mean that Microsoft products are secure? Not really. It just means we cannot make a fair comparison against FOSS when it comes to these specific types of attacks.
and then they say "okay what if we consider everyone's sneakers all together, and how rarely they get stolen compared to cars" as if they've come up with a sensible comparison in complexity...
and then someone suggests "RedHat Linux" as an alternative to your car. Apparently they don't know what section of the world a car fits into, to suggest an alternative - but they're still convinced that you don't need a car and they are genuinely puzzled why more people aren't using "RedHat Linux" instead of cars...
... also only Ford make cars and the only real alternative is something completely different and then pay consultants to customise it and retrain your entire workforce at great cost and upheaval for little to no return, except hoping for an increase in security but not being able to prove same, or even clearly nail down what that means precisely.
But the numbers are the numbers in heterogenous environments, regarding security problems by platform. And if it rains perpetual Windows-based incidents on your security staff, and you don't consider the numbers when evaluating what you will and will not do, compute/services-wise, then you are statistically likely to see the same rate of incidents, at whatever cost that comes to the business, indefinitely.
Isn't it odd that "unreasonable" solutions keep being suggested in threads started by people who first push Linux, and second ask what the thing even does anyway.
> "Thus the tender balance between business needs and business risk emerges as the deciding principle."
There is no tender balance and this is nothing like the deciding principle, and again it's illustrative that in a world where big organizations turn to poor quality software with poor UX for reasons like "nobody got fired for buying IBM" and "I look good on the Gartner report" and "the vendor will bend over backwards to make our auditors and legal team approve it" that Linux people go for the only thing they have going and try to suggest it's the most important thing, even though it's demonstrably an afterthought or a never-thought.
> "you are statistically likely to see the same rate of incidents, at whatever cost that comes to the business, indefinitely."
And you see this happening for literally 30 years and the "whatever cost" being written off as a business expense that has never changed anything, but you still call it "the deciding principle" when the evidence shows that the decision makers barely consider this at all?
Why would that need to be said at all, if businesses are using security as A [prominent] deciding factor already?
My reply "businesses are visibly not using it as a deciding factor" still seems correct.
The common factor there isn’t that 40 year old hatchbacks have better security. It’s that the risk vs reward isn’t there compared to the brand new luxury cars with higher resale value on the black market.
This isn’t something I’ve just made up either. This is what the police told us when my neighbour's Merc was stolen while my Skoda, which was accidentally left unlocked, was not.
Thieves target the expensive cars because they’re worth more. It’s really that simple.
They don't target the expensive cars. The most stolen cars in the US are cheap Hyundais and Kias. Before they claimed the top spot on the list of cars taken most often, the winners were pickup trucks and old Toyotas.
Thieves target what's easy to take and easy to chop up and sell, not luxury cars with high resale value.
US != everywhere.
They do target expensive cars in other countries.
As I said earlier, I have firsthand experience of this being the case.
> Thieves target what's easy to take and easy to chop up and sell, not luxury cars with high resale value.
You’re just proving my point here though. Thieves target cars that have the highest resale value.
Whether that’s as a whole, or for parts where the supply chain for genuine parts has become extremely expensive.
Organised crime happens for money.
Yeah, there will be a subsection of society that steals cars for shits and giggles. But those also aren’t the sort of motives for hackers who’d go after Microsoft SharePoint. So if we are to compare like-for-like, then you have to discuss organised crime rather than bored teenagers.
———
By the way, I love how your username is accidentally appropriate for this conversation :D
Similarly, looking at vulnerability counts by vendor doesn't paint a rosy picture of our largest vendor Microsoft, either. But it pales in comparison to the incident statistics, which speak for themselves.
To Microsoft's credit, they've managed to turn their weaknesses into a secondary industry, wherein they now no longer sell just the disease, they also sell the cure. "Oh, your Windows systems have security problems? Have we told you about our expansive security solutions? They're only an additional $your_budget_doubled per year!"
Even then, SharePoint is more of a platform. You can build SharePoint apps and extend it.
There isn't a comparison for SharePoint Server. There really isn't any single thing like it for on-premise.
One popular CMS in particular?
Hold on, we are talking about SharePoint here. I don't know any software that could replace it, that is allowing office suite to collaborate in a way SharePoint Server does it (versioning, concurrent editing, online editing, workflows, customizations, OneDrive, IRM, compliance, search etc.)
Even in a windows environment. Can you name more secure, cheaper and widely deployed alternative?
Also, even if we do look at cloud: Workspace isn’t bad (exception: sheets vs Excel), but SharePoint is the center of Teams, Power Platform, PowerBI… to replace M365 with Workspace means a lot of research, setup and testing of 3rd party alternatives to the above.
If you’ve ever worked in a well configured Microsoft stack, nothing beats the integration.
There’s no reason to believe Workspace would be more secure if it had the same feature set/integration configured.
No. Quick iterations and output output output. Security is one of the least concerns in any company I have ever worked in.
Because there is no FOSS solution even coming close to the level of out-of-the-box integration of Office 365. Thunderbird has zero integration with LibreOffice, LibreOffice has zero integration with Owncloud (or whatever else one might use), neither has integration with a softphone software, much less a backend like Asterisk. And some software like Sharepoint or MS Access doesn't have anything on the FOSS side.
And on top of that, many data exchange formats are not just "old", they're "fossil" and don't even come close to meeting the demands that people have come to expect.
In every single company I have been working in for the last 15 years, information was spread across so many different tools that integration was a moot point: Office365, Jira, Confluence, a separate ticketing tool, some mkdocs or single markdown files in repositories, spreadsheets, a dedicated HR web portal, intranet, internal blog/comm/social media... Even within Office365 information is stored randomly as office files in SharePoint, Teams channels, personal OneDrive, emails, copy/paste in Teams, Teams channel OneDrive-synced drives, OneNotes...[1] Also RBAC makes sure that whenever you come across one doc containing links to other stuff, you end up having no access to half of the links.
Bottom line the tightest integration doesn't reduce any friction because there is not a single toolsuite that fits every use case and people end up making a mess of everything. You never know where you can find the information and every single teams wiki ends up being a collection of links to a myriad of different places. Also half of the people still email people documents instead of the links because they don't understand anything else.
[1] yes it is in the background the same product but people access them and more importantly know or search the information in totally different ways.
Active Directory is the key. A unified management of users, devices, groups, and policies that everything else is built on. Nothing outside of the Windows world even comes close. There's Linux tools to impersonate or talk to Active Directory, but no alternative to it.
Group Policy lets me set up any number of tens of thousands of configuration changes and apply it easily to any group of users or computers with a few clicks, regardless of device manufacturer. Linux distributions aren't even consistent enough about which system tools are onboard, much less what policies can be configured on them. Web browsers all have Group Policy plugins, so everyone's web browser is configured by Active Directory too.
For Linux, I'd probably whip up Ansible these days if I were tasked with it, but getting it off the ground is ... nasty. Set it up as a systemd unit to run on boot, login and network-online.target, and that's it.
They don't. There's plenty, even a majority, of non-Windows servers in gov (I know, some depts are true MS shops).
Sharepoint is one of those things that snuck in via the desktop. It was touted by MS as an evolution of shared folders with "Intranet" features included. If you already ran a Windows Server for fileshares, Sharepoint was "free".
The initial few implementations were of extremely poor quality, even by MS standards, but SP was positioned in the MS channel as the future of MS server side application development. So all of the consultancy/sales channel jumped on the SP wagon for any custom server projects.
For developers, it was a nightmare. Underneath, the platform was a frankensteinian horror of bits and pieces of resurrected code from many departments and projects across MS, crudely bolted together with chewing gum scraped off a park bench and bits of string recovered from old fish guts. Lists (SP's core structure for file directories with exposed metadata properties) could not work reliably, the system fell over under even light load, latency was totally unacceptable even for basic operations, files did not round-trip through the server unchanged ...
Over the years MS cut it down from "the future platform for custom backoffice apps" to "out of the box Intranet with mainly cosmetic configuration options" to "cloud hosted office 365 shared folders".
" Isn't security the number one priority in those spaces?"
No. It's exactly like every other IT environment of comparable size. Security is considered important, but does not drive sales. Features and cost, but also available expertise from the supplier/channel partners, dominate the choice. Security is covered by promises and certifications, but more often than not left to operations to patch up.
The support problems were INSANE. We ended up spending an entire release cycle pulling the web app out of Sharepoint and just doing a proper stand-alone web site. Support calls plummeted.
Sharepoint is something only a marketer could love.
At no time did MS seem to say “Here’s our vision for Sharepoint as a complete product.”
Instead, you got coming on 25 years of random big customer feature asks + a home for lost MS product bits.
It would surprise no one that performance of that has been atrocious for most of its life (for those not old enough, think non-functional search and 20s page loads for on-prem instances), salvaged only semi-recently via the cloud managed version (that I’d guess runs on a ground-up backend reimplementation).
100% bang on.
The gaslighting around this matter was intense. It destroyed any remaining trust I had at that point.
The protocol was proprietary and an open source implementation in Samba was very slow at catching up. If you decided to host a domain controller using it, you never knew if a random disconnect was a network issue or the controller or the client.
And here we are. Active directory, or Entra or however they call it these days, is basically a standard way to manage users everywhere. And until a strong entity (EU?) comes up with strong backup towards an alternative solutions (we have plenty of them now), the situation will not change.
You still have Active Directory on premise and now you have EntraID (formerly Azure AD) in the Azure cloud.
For Windows devices, it is the only mechanism supported to have a centralized management system.
For other systems, such as MacOS, you have alternatives that don't require any centralized user database.
Most cloud-native companies today rely on Okta or Amazon Cognito for their applications. Google Workspace supports this too, but it is incredibly basic at what it can do.
I don't think there's anything that anyone can do to make this different.
And just to nitpick a little, it's like saying the smartphone reduced the camera market because of its dominant position. It didn't, it just provided convenience when there was none (a phone, a camera, a video recorder...).
https://www.liferay.com/resources/l/content-management-syste...
https://hub.docker.com/r/liferay/portal
I haven't played with it in about 5 years but it was substantially less polished than a well-run Sharepoint 2013 instance.
One of the answers should be for the DoD, or any other such military institution, to try and rely a little bit less on everything being "digitised", or at least to change it all into a more fragmented data/information "archipelago", with no centralised unique source of truth.
I have a ton of customers where the admins are constantly reminding everyone about the certifications they have, all while their basic security is below average.
… but they are certified!
If the government was running Red Hat with 'open source SharePoint alternative' the headline would be 'open source SharePoint on-prem solution exploited'.
I think it's deeply likely that most major intelligence agencies have people burrowed into the various FAANG type companies.
Like this guy, but less foolish about revealing it. https://www.nbcnews.com/tech/social-media/facebook-investiga...
As a corporate drone who has accidentally opened various Microsoft Office suite links inside of Teams, my dislike for anything Microsoft continues to grow.
Am I surprised that sharepoint has vulnerabilities? Hell no.
Or probably they don't.
I don't know what is worse.
It feels like Microsoft has a (bad) deal with every 3rd rate IT leader where the IT leader eschews Microsoft's BS in exchange for being "unfireable" because "who else knows how all the Microsoft stuff works?"
It's patchable, but it's been two times in a row now, and patching is always slow and incomplete.
Example: if Kroger or whatever your supermarket of choice distributed meat that was infected they would get sued to bits. Microsoft distributes thousands of malicious NPM dependencies and underfunds the NPM security team - if there is such a thing - resulting in an entire industry of supply-chain security companies existing. No other registry has the issue of malicious packages as badly as NPM since Microsoft acquired GitHub.
Microsoft just does not know how to handle security, which is why so many security companies exist to fill their gaps. I don’t trust their security practices one bit tbh.
AFAIK, the Oauth claims of SharePoint don't allow specifying particular projects only. (BTW: same counts for platforms like ACC/BIM360)
Senior VP at CrowdStrike, so a professional in destroying large amounts of systems.
> cybersecurity firm
Sure, might as well call it that.
Things are so complex we have critical bugs everywhere that cannot be patched without major breakage. So what does a diligent org do? They make a risk assessment to explain things away for legal & compliance purposes.
check your SCA/SBOM in any/most stacks if you think this is untrue ...
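What the "check your SBOM" suggestion above looks like in practice, as an added example that is not part of any comment on the page: a CycloneDX-style SBOM is matched against an advisory list, and each hit is then joined with a risk-acceptance register so the output distinguishes an open finding from one that was formally accepted, and flags acceptances that have lapsed. The SBOM, the advisories (EXAMPLE-* identifiers), the fictional acme-* packages, the register and the audit date are all constructed for the example; matching is by package URL and version only.

```python
"""Audit an SBOM against an advisory list and a risk-acceptance register.

Matching a CycloneDX SBOM against advisories tells you which components are
on vulnerable versions; joining the result with the register tells an
auditor which of those are covered by a documented, still-valid acceptance
and which are just unpatched.  Added example, not from the original post:
the SBOM, the advisories (EXAMPLE-* identifiers) and the register are all
constructed, fictional data; matching is by package URL and version only.
"""
import json
from datetime import date

# Constructed CycloneDX-style SBOM (fictional packages).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-widgets", "version": "2.3.0",
     "purl": "pkg:npm/acme-widgets@2.3.0"},
    {"type": "library", "name": "acme-parser", "version": "1.9.2",
     "purl": "pkg:pypi/acme-parser@1.9.2"},
    {"type": "library", "name": "acme-logger", "version": "5.1.0",
     "purl": "pkg:npm/acme-logger@5.1.0"}
  ]
}
"""

# Constructed advisories: every version below "fixed_in" is affected.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl": "pkg:npm/acme-widgets", "fixed_in": "2.4.1", "severity": "critical"},
    {"id": "EXAMPLE-0002", "purl": "pkg:pypi/acme-parser", "fixed_in": "1.9.0", "severity": "high"},
    {"id": "EXAMPLE-0003", "purl": "pkg:npm/acme-widgets", "fixed_in": "3.0.0", "severity": "medium"},
]

# Constructed risk-acceptance register: the "we assessed it" paper trail.
RISK_REGISTER = [
    {"advisory": "EXAMPLE-0001", "purl": "pkg:npm/acme-widgets", "expires": "2025-01-31",
     "justification": "upgrade breaks templating; mitigated by request filtering"},
]


def parse_version(text):
    """'2.4.1-beta' -> (2, 4, 1): leading digits of each dotted part."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """Numeric, zero-padded comparison: '2.4' < '2.4.1'; '1.9.2' is not < '1.9.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def sbom_components(sbom):
    """Yield (purl without version, version) for each SBOM component."""
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        if "@" in purl:
            base, _, version = purl.rpartition("@")
        else:
            base, version = purl, comp.get("version", "")
        yield base, version


def audit(sbom, advisories, register, today):
    """Return one finding per (component, advisory) match with its status."""
    accepted = {(r["advisory"], r["purl"]): r for r in register}
    findings = []
    for base, version in sbom_components(sbom):
        for adv in advisories:
            if adv["purl"] != base or not version_lt(version, adv["fixed_in"]):
                continue
            entry = accepted.get((adv["id"], base))
            if entry is None:
                status = "OPEN"
            elif date.fromisoformat(entry["expires"]) < today:
                status = "ACCEPTANCE EXPIRED"   # the assessment must be redone
            else:
                status = "ACCEPTED"
            findings.append({
                "advisory": adv["id"], "component": f"{base}@{version}",
                "severity": adv["severity"], "fixed_in": adv["fixed_in"],
                "status": status,
            })
    return findings


def run_check(today=date(2025, 7, 22)):
    """Audit the constructed SBOM as of a fixed (constructed) date."""
    return audit(json.loads(SBOM_JSON), ADVISORIES, RISK_REGISTER, today)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['status']:<19} {f['severity']:<8} {f['component']} "
              f"({f['advisory']}, fixed in {f['fixed_in']})")
```

The point of the register join is the auditability question: a risk acceptance with no expiry is indistinguishable from "we never looked", so the check treats a lapsed acceptance as a finding in its own right rather than silently carrying it forward.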
How is this auditable?
A few real-world points that stood out to me:
- SharePoint (and a lot of other MS stuff) didn’t win because it was bulletproof, just because it was bundled “FREE” and nobody got fired for rolling it out in the 2000s. Once you’re deep into the Microsoft ecosystem, the cost and pain of replacing it is huge!
- Security honestly feels like a service for a lot of giants. When someone asks if it’s the number one priority, the answer from experience is “no.” Cost, compliance, available support, and how easy it is to blame a vendor if things fail tend to matter more.
- When people say Linux would be more secure in these environments, maybe. But if Linux or Red Hat took over everywhere, you can bet it would become the juiciest target immediately. Right now, Windows gets a lot of attention because it’s everywhere. And obviously, attackers like to go where the odds of a big payoff are highest.
- A lot of giants aren’t making decisions based only on security or technical merit. It’s about familiarity, employee training costs, consulting partners, and “safe” bets. If you pick Microsoft and get breached, it’s an industry problem. If you pick something niche and get breached... it’s 100% your fault.
- Resistance to change is real. Swapping out platforms isn’t just a technical lift. Management, end users, even IT staff get pretty set in their ways.
Honestly, unless there’s enough public backlash or a regulation hammer, I don’t see the inertia breaking any time soon. For most companies, “patch and carry on” still beats “burn it all down and start fresh.”
No, this is the same sort of defeatism that prevents us from making progress on security. We could engineer usable systems where actual security is a priority, and not just security theater. We don't because nobody in a position to change anything actually gives a shit.
Security is a priority. But it's not the only priority.
It would be difficult engineering even if it was the only priority, but given that there's little point to security for a system you never deploy, it's not likely to ever completely monopolize focus, either for users or implementers.
Ultimately though, they know that no matter how many times their failure to invest in security results in their customer's data being compromised or destroyed they'll keep making money.
Their customers are corporations who have insurance to cover their expenses when Microsoft's failure to make security a priority inevitably leads to a breach, and those corporations are able to avoid all accountability for their decision to use Microsoft products no matter who else gets hurt as a result.
Dealing with yet another security issue caused by Microsoft is just another cost of doing business. It's still cheaper and/or easier for the corporations to keep MS and deal with the endless vulnerability/patch cycle than it is to move to something else and pay people who know what they're doing to manage those new systems so nothing changes.
There will always, for example, be a conflict between availability and confidentiality. Ultimate confidentiality might require that the data be stored in an inaccessible bunker with no outside access. Ultimate availability might involve hosting sensitive data on a publicly accessible server with no access controls.
In the real world we must always balance these needs carefully, and triage available resources to achieve an "ideal" outcome. This means that security will never, and can never, be a solved problem.
As an example, diplomacy, open source, shared interests, universal basic income, and education can reduce the desire for attacking. How do these factor into the CIA triad?
I would answer that the triad IS useful in this scenario and further that if we used an alternative model (the 7 C's maybe?) we would still find inherently contradictory requirements for almost every security scenario. In fact, we would just have MORE of those trade-offs, further proving that security can never be "perfect."
For example, I can think of several fundamentals the triad doesn't cover directly. Privacy and non-repudiation spring to mind as concepts that don't neatly fit into the CIA triad, but they are the antithesis of each other!
Perfect privacy would require that nobody (including data-owners) can identify the user, and perfect non-repudiation would require that no access be granted without 100% proof of the current user. Again, you are forced to choose and this means that some aspect will always be less than perfect.
In what world have SharePoint Server and SharePoint Standard + Enterprise User CALs ever been "FREE"?
> Security honestly feels like a service for a lot of giants.
While code security is on Microsoft, infrastructure security is on the organization deploying SharePoint Server.
Remember, the topic you're commenting on is about SharePoint Server. Not M365. Not SPO.
Yeah.. I think people say "bundled FREE" when they're really referring to MS enterprise packages. It's similar to how Comcast will sell you TV for $100, land line for $20, internet for $100, but you can get a TV/land line package for $90? or a TV/internet for $130. You can "bundle FREE" phone on your TV/internet package for an extra $5. (And yes, I've heard support tell me before "For $10 more a month, you get a free upgrade to 1Gbps". ???? How is that free? They will say "It's the same package, but one level up for $10 more. It comes with a free 1Gbps upgrade. What doesn't make sense?")
There wasn't, as far as I recall, "buy SQL Server Enterprise, get SharePoint Server Enterprise SKU for free" type licensing deals.
Yes, I didn't mean to say it was like that. More that you get discounts, credits, etc. Every EA agreement I heard of seemed custom and different for that enterprise's needs. Throwing in Azure credits or a discount on a product if you get another product or increase volume, etc. seemed to be typical.
I disagree with this take. Linux dominates in the server market.
Meanwhile, Windows is running the crown jewels for operations inside the company, like SharePoint and Active Directory.
SharePoint Server is widely used and is a high value target.
Atlassian Server products have had their fair share of 0-day exploits. Atlassian also EOL'd their server products and forced a cloud migration.
I do not think that is the only difference between Windows and Linux though.
For one thing Linux has multiple distros, some very varied. It's less of a monoculture. If Linux was more widely used it would also get greater usage for BSDs, because a lot of things that run on Linux will run on them too.
Linux IS very widely used on servers, and on Chromebooks, and embedded. The kernel and a few other bits are widely used on phones too.
I bet Oracle and SAP have similar types of things happen to their application suites but no one runs public websites on Oracle eApplications (yeah, plenty of companies have that exposed to the internet, but it's not The Company's Website)
These recommendations followed a review of MS practices following the Exchange Online compromise. I highly doubt anything has changed at MS since then.
source: https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewO...
aspenmayer•6mo ago
Related:
ToolShell Mass Exploitation (CVE-2025-53770) - https://research.eye.security/sharepoint-under-siege/ | https://news.ycombinator.com/item?id=44629133