
Secure Your SharePoint Extranet!

Or any extranet really… I presented tonight at the Baltimore SharePoint Users Group on Planning and Configuring Extranets in SharePoint 2010, and had the idea to make a quick post like this.

If you are opening your organization's virtual doors to the outside world, please, please, PLEASE, only open up port 443, and use a Secure Sockets Layer (SSL) certificate to secure it.

Even if you do not have anything resembling a budget – you can still be secure. GoDaddy offers SSL certificates for as little as $12.99 – just use this link.

Why? Well… take this scenario. Say you are connecting to your extranet from a café that does not have a secure WiFi setup, so anyone can just connect and browse. I bet you that somewhere in there, there is some pimply kid with the MacBook his parents bought him, in his Misfits T-shirt, sniffing the unsecured WEP network, and watching you log into your Forms Based Authentication extranet over an unencrypted port 80. Not only does he see the URL you are visiting and your username and password, he can also see everything you do: confidential documents, payroll information, you name it. And there you go, your company’s data has been breached.

Now, if you take the extra time, and spend a few dollars – this would not have happened. SSL encrypts the connection from the end user’s browser, all the way to the server, so all the pimply faced hacker would see is just gobbledygook.

So a login session may just look like this (encrypted using SSL):

OIHP(@Q*YPR*Y@*(Y@C*(YR(*@YUP&@G&*T(*@&^$&@()&*CNHUSHLKSJLSHGLRWCTBLSUGL*r(*n^N(*#9693r562095876209387652097cUYTOIWESOFIY#3tyiuGi IWOLIWJdILW#T&@RLIU@HDIWUYR(Q*&#@yrOiu32H  lu hr*#@y*ry b@r*hsdiu wOIU8H9WQ83H RL iuliug # iqq&*g(iU3RG qiu

That looks a lot better than this (unencrypted – not using SSL):

http://intranet.mytopsecretcompany.comJohnSmithPass@word1secretdocument1.txt012-34-5678

While I do not have specific details, certificate providers (GoDaddy, Network Solutions, GeoTrust, Thawte, etc.) can also actually insure your SSL certificates, in case a data breach does take place. Look around, find what is right for you. And secure your extranet. Not tomorrow, but NOW. Pay for some security: it is better to pay money up front and be secure than to be involved in lawsuits and corporate losses, all over a yearly fee of up to a couple of hundred dollars. Protect your company, protect yourself, and protect your clients.
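To check whether an existing extranet is still taking Forms Based Authentication logins or signed-in traffic over port 80, as in the café scenario above, you can audit the IIS W3C logs. This is an added example, not part of the original post; the log lines are constructed, and the sign-in path `/_forms/default.aspx` is an assumption to adjust for your site.

```python
# Added example: audit IIS W3C logs for extranet traffic on cleartext port 80.
# SAMPLE_LOG is constructed; LOGIN_PATHS is an assumption, adjust to your site.

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2011-03-01 14:02:11 10.0.0.5 GET /_forms/default.aspx ReturnUrl=%2f 80 - 203.0.113.7 200
2011-03-01 14:02:30 10.0.0.5 POST /_forms/default.aspx ReturnUrl=%2f 80 - 203.0.113.7 302
2011-03-01 14:02:31 10.0.0.5 GET /Shared%20Documents/payroll.xlsx - 80 jsmith 203.0.113.7 200
2011-03-01 14:05:00 10.0.0.5 POST /_forms/default.aspx ReturnUrl=%2f 443 - 198.51.100.9 302
2011-03-01 14:05:02 10.0.0.5 GET /SitePages/Home.aspx - 443 adoe 198.51.100.9 200
"""

LOGIN_PATHS = {"/_forms/default.aspx"}  # assumed FBA sign-in page (lowercase)


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def cleartext_findings(text):
    """Return (reason, client_ip, uri) for requests that exposed data on port 80."""
    findings = []
    for row in parse_w3c(text):
        if row.get("s-port") != "80":
            continue  # port 443 traffic is encrypted in transit
        uri = row.get("cs-uri-stem", "")
        client = row.get("c-ip", "-")
        if row.get("cs-method") == "POST" and uri.lower() in LOGIN_PATHS:
            findings.append(("credentials-posted-in-cleartext", client, uri))
        elif row.get("cs-username", "-") != "-":
            findings.append(("authenticated-session-in-cleartext", client, uri))
    return findings


if __name__ == "__main__":
    for finding in cleartext_findings(SAMPLE_LOG):
        print(*finding)
```

Any finding means port 80 is still reachable for that web application; accounts that appear in the results should have their passwords reset once the site is HTTPS-only.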
