SharePoint & Data Encryption

SharePoint Security: Why SharePoint is not secure

  Is SharePoint secure?

SharePoint Security Issues

At first glance, SharePoint seems like a secure way to share and collaborate with documents and other digital content online and ensure compliance.  Data is encrypted, you can restrict access to documents, disable sharing, prevent download and printing, and lock files for editing.

However, there are many security failings:

  1. Documents can be copied, printed, and edited offline even if they have been assigned Restricted View or Read access.
    • Security is based on ACL permissions (Read, Write, Execute, Create, Delete).  This is fine for controlling if files can be created or deleted, but provides limited control over how content is used.  For example, restricted view permissions prevent editing of the original file but don’t prevent copying (copy and paste) and printing.  Users can therefore print to PDF files and open them in Word for editing.
  2. Sharing documents securely with external users increases the security risks to your SharePoint site, which is why Microsoft advises you to create separate sites for this purpose.
  3. While blocking or preventing downloads in the browser does prevent downloading and printing of the original files, users can copy and paste text or run scripts to automate saving of content to a new file.  We cover this later in this blog in the section on preventing SharePoint downloads.
  4. Data is encrypted in transit and at rest, but not at the individual file level.
  5. Because permissions can be applied at multiple levels it can be easy to give the wrong access by mistake.

Here we cover how you can make SharePoint secure and prevent printing, editing, and copying of documents even after they have left the SharePoint environment.

  SharePoint Permissions & SharePoint Online Security

One of the biggest challenges facing enterprises when working with SharePoint is having users with more access privileges to documents than they should.

Proper planning and assignment of permissions is a crucial part of every content and document management system, not just because of the confidentiality of enterprise content, but because inconsistent security plans can become a hindrance to the document generation process.  Different documents may require different levels of security for different users and document access permissions may need to be adjusted during a document’s life cycle.

Assigning permissions becomes more complex in environments with lots of documents or where documents are constantly moved around – you can easily lose track of permissions, suffer from performance issues, and compromise document security.

And what happens if a secure document leaves the SharePoint environment?  How does a company share documents securely with external users, and how do you ensure that access controls remain with downloaded documents?

  SharePoint permission levels

In SharePoint, you can assign permissions (access controls) to control access and secure sensitive documents at the site, library, list, folder and document level.

To complicate matters further, you can also set permissions at the user and group level, and users can be members of multiple groups each with different permissions assigned to them.  You therefore need to have a good understanding of which permissions override the others and keep track of how these affect file access and use.

Site permissions

The files you store on a SharePoint site are available to everyone with permission to access the site, so it is a good idea to set security at the site level first.  You can then set different permissions for folders and documents that contain confidential and sensitive information.  Using this hierarchy, for example, you can restrict editing for all users but allow certain users to edit specific folders and documents.  This enables you to control how that content is accessed and used.

By default, all SharePoint sites are created with the three security groups below:

  • Owners – Have full control over the site
  • Members – Can add and edit the content (files, lists, etc) on the site
  • Visitors – Can only read

You can also create your own security groups.  Each group can be assigned one or multiple permission levels.

Library permissions

A library is a location on a site where you can upload, create, update, and collaborate on files with team members.  A library can have multiple folders and files which inherit the permissions set at the library level.

Folder permissions

Folder permissions provide automatic protection for any document placed inside a “secure” folder, based on the permissions assigned to that folder.

However, this strategy relies on users placing documents into designated folders and not copying them to other folders when collaborating with other users.  If the folder structure becomes overly complex or users become uncertain where to place the files, they will abandon SharePoint and copy documents to their desktop or other devices.  They may also choose to use folders they can work with but are likely not protected.  Once sensitive documents are placed in folders that do not have the appropriate permissions, the SharePoint environment and the documents are no longer secure.

Therefore, SharePoint folder security relies on a simple folder structure where users want to obey the rules.  It only works if everyone consistently puts files back in the right folder.

File permissions

File-level permissions in SharePoint take precedence over folder permissions, enabling you to restrict access and use of individual files.

User and group permissions

You can add users or groups to the default security groups and also create custom ones.

The default permissions levels in SharePoint are as follows.  The ones shown to you depend on the template you select (team site, publishing, etc.).

  • Full Control – Has full control – there are no restrictions over use.
  • Manage Hierarchy – can create sites and edit pages, list items and documents.
  • Design – Can view, add, update, delete, approve, and customize items and pages.
  • Approve – can edit and approve pages, list items and documents.
  • Edit – Can add, edit and delete lists; can view, add, update, and delete list items and documents.
  • Contribute – Can view, add, update, and delete list items and documents.
  • Read – Can view pages and list items and download documents.
  • View Only – Can view pages, list items & documents.  Documents can be viewed in the browser but not downloaded.
  • Restricted Read or Restricted View – can view pages and documents, but cannot list items, view historical versions or user permissions.  Documents can be viewed in the browser but not downloaded.
  • Limited Access – Assigned to a user or group when sharing an item. Can access the site and view the selected item.

If all this sounds highly complex, then it’s because it is.  It is easy to lose track of who has access to what files and the permissions assigned to them, and the effect of different permissions overriding others.  And that is before you even consider external sharing.
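The following added example (not Locklizard or Microsoft code) shows how layered permissions drift in practice: it resolves each user's effective level on a constructed inventory and reports every place where breaking inheritance gives someone more access than the parent did. It assumes a simplified model in which an item with its own assignments ignores its parent's, a user receives the strongest level granted through any of their groups or directly, and the levels can be ranked in the order shown; all names and paths are made up.

```python
from dataclasses import dataclass
from typing import Optional

# A subset of the permission levels listed above, weakest to strongest.
# The ranking is an assumption of this example, used only for comparison.
LEVELS = ["Limited Access", "Restricted View", "View Only", "Read",
          "Contribute", "Edit", "Design", "Full Control"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Node:
    path: str
    parent: Optional["Node"] = None
    # None: inherits from the parent. A dict (principal -> level) means
    # inheritance is broken and these assignments replace the parent's.
    unique: Optional[dict] = None


def scope_of(node):
    """Walk up to the nearest ancestor that carries its own assignments."""
    while node.unique is None:
        node = node.parent
    return node


def effective(user, node, groups):
    """Strongest level the user holds on node, directly or via groups."""
    assignments = scope_of(node).unique
    principals = {user} | {g for g, members in groups.items() if user in members}
    granted = [assignments[p] for p in principals if p in assignments]
    return max(granted, key=RANK.__getitem__) if granted else None


def audit(nodes, groups, users):
    """Report (path, user, level_at_parent, level_here) where access grew."""
    findings = []
    for node in nodes:
        if node.unique is None or node.parent is None:
            continue  # only items with broken inheritance can diverge
        for user in sorted(users):
            before = effective(user, node.parent, groups)
            after = effective(user, node, groups)
            if after is not None and (before is None or RANK[after] > RANK[before]):
                findings.append((node.path, user, before, after))
    return findings


# Constructed inventory: site -> library -> folder -> file.
GROUPS = {
    "Owners": {"alice"},
    "Members": {"bob"},
    "Visitors": {"carol", "ext-auditor@example.org"},
    "Board": {"carol"},
}
USERS = {"alice", "bob", "carol", "ext-auditor@example.org"}
SITE = Node("/", unique={"Owners": "Full Control", "Members": "Edit",
                         "Visitors": "View Only"})
LIBRARY = Node("/Contracts", parent=SITE)  # inherits from the site
FOLDER = Node("/Contracts/Board", parent=LIBRARY,
              unique={"Owners": "Full Control", "Board": "Read"})
FILE = Node("/Contracts/Board/minutes.pdf", parent=FOLDER,
            unique={"Owners": "Full Control", "Board": "Read",
                    "ext-auditor@example.org": "Edit"})  # direct user grant
NODES = [SITE, LIBRARY, FOLDER, FILE]

if __name__ == "__main__":
    for path, user, before, after in audit(NODES, GROUPS, USERS):
        print(f"{path}: {user} went from {before} to {after}")
```

In this inventory a site Visitor gains a download-capable level through a second group, and an external account holds Edit on a single file that no parent scope would reveal.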

  SharePoint External Sharing & Secure File Sharing

For most organizations, the ability to share with external users is a key requirement of doing business, and luckily SharePoint provides this functionality.  But is it secure for handling sensitive data?

SharePoint has external sharing settings at both the organization level and the site level.  To allow external sharing on any site, you must allow it at the organization level.  You can then restrict external sharing for other sites.

However, external sharing in SharePoint may put files at risk.  Microsoft provides the following warning “If you have confidential information that should never be shared externally, we recommend storing the information in a site that has external sharing turned off. Create additional sites as needed to use for external sharing. This helps you to manage security risk by preventing external access to sensitive information.” 

That statement clearly does not provide much confidence in the use of security permissions (or your ability to configure them correctly) for limiting access.

In addition, just as with internal use, documents can be copied, printed, and edited offline even if they have been assigned Restricted View or Read access.

  How to share SharePoint files with external users

Sharing files and folders securely with third parties involves giving them limited access to your SharePoint site using folder or file permissions.  To share a file in SharePoint externally, you can do one of the following:

  1. Add a user to your directory and let them sign into your site through a Microsoft account.
  2. Send them a link to a file or folder with an optional password to gain access.

Links can be a security risk since they can be passed around freely and you can’t verify the user’s identity.  They are valid until they are deleted or expire (assuming you have set an expiration date).

You can password protect a SharePoint folder or file that you share and users must enter the password to gain access.  However, just like links, passwords can be shared.

Preventing downloads and printing

To prevent users downloading and printing content (PDF documents, videos, etc.) you must enable the option to ‘block downloads’.  However, because content is displayed in the browser, this is not totally foolproof.

  1. Just like secure data rooms and other ‘secure’ web viewer solutions, users can highlight text in the document, open their browser’s development mode, search for the text and copy and paste it.
  2. There are numerous scripts available on the web that automate the process of screen capture of all document pages and saving as a PDF file.  Other sites explain how you can download videos.  Examples include ‘How to download view only files from SharePoint’ and ‘How to download view only videos from SharePoint’.  These apply equally to Google Drive security, Dropbox and other cloud storage systems because you cannot prevent screen capture in a browser environment or stop users from using a browser’s development mode to edit content.
  3. Once a file is outside of the SharePoint environment it is no longer protected.  Users can therefore copy, print and edit files even when control is disabled since those restrictions are no longer enforced.

Given these limitations, you should think twice about sharing your SharePoint site with external users unless you also employ additional security such as IRM or DRM controls and prevent users from viewing documents within a browser environment.  A dedicated app installed on a device is much more secure since you can lock documents to the device to prevent sharing and users cannot control or manipulate the Viewer environment.

  How secure is SharePoint?

In summary, SharePoint enables businesses to configure security at the document, folder, site, and library level.  Additional permissions can be assigned to users and groups.  Files are encrypted in transit and at rest (disk encryption), and hidden from the user’s view if they don’t have the required level of access.  You can apply editing restrictions and expire links to files you share with external users.  However, there are multiple data security issues to consider.

  10 SharePoint data security risks and issues

  1. You cannot prevent printing unless you prevent downloads, and as explained above, there are ways to bypass the protection.
  2. Links and login info can be shared with non-authorized users.  In addition, users may click on a malicious link thinking it is a genuine one.
  3. You cannot prevent editing of documents outside of the SharePoint environment – i.e. documents that are printed to PDF or downloaded.
  4. Even with restricted view/read permissions applied and SharePoint downloads prevented, users can copy and paste text from a document using the browser’s development mode and/or run scripts to automate capture of content.
  5. Users can take screenshots using screen grabbing applications.
  6. You cannot add watermarks when content is viewed or printed to identify users.
  7. You cannot lock use to devices and locations.
  8. Individual files are not encrypted with their own key – encryption is only applied at the disk level.
  9. It is complex to set up and maintain, which could easily result in users gaining access to content they are not supposed to.
  10. Microsoft recommends you create separate sites if you want to have external sharing of content, and links and passwords can be freely shared with unauthorized users.

The bottom line is that Microsoft did not build SharePoint with security in mind.  Protection was added later as an afterthought, and it is clearly not designed for secure external sharing of documents and other files.

To provide additional control over information, you must use the Information Rights Management Service – AD RMS for on-premise or Azure Information Protection for SharePoint Online.  Microsoft IRM encrypts information at the file level and applies persistent controls to content such as preventing printing and copy and paste.  However, as well as being time-consuming and expensive to set up and maintain, it has major security flaws.  A user with write access can remove editing and printing protections by simply running an exe file.  At the time of writing, this bypass reportedly still works, despite being published seven years ago.

  A secure & simple alternative to SharePoint Security

  Providing protection for PDF documents hosted in SharePoint

Locklizard’s DRM security makes securing PDF documents in SharePoint simple.  Administrators do not have to worry about assigning access permissions in SharePoint.  Instead, they can use Locklizard to secure documents before uploading them.  This guarantees protection against unauthorized use and misuse, regardless of whether they’re stored inside or outside of SharePoint or who they are shared with.  It’s a simple matter of protecting documents, adding them to SharePoint, and then assigning which users should have access to those documents in the Safeguard Admin system.

Locklizard enables you to provide additional security for confidential and sensitive PDF files stored in SharePoint and ensure they can be securely shared with third parties as required.  Users logging into SharePoint will be shown the documents available to them, but will still be subject to the overarching rules governing use, as well as the watermarks, start and end dates and other DRM controls that Locklizard applies.  Users cannot change these controls and they will remain with the documents wherever they go.  If protected documents are given to unauthorized users, then they will be unable to view or modify them.  This allows SharePoint administrators to achieve greater overall security regardless of the end environment.

Despite this, protected PDF documents (.PDC files) can be stored in SharePoint just like any other file type.  You don’t have to worry about any integration issues.

  Document Encryption and Rights Management Security

Locklizard enables you to protect PDF files from sharing, and prevent printing, copying (copy and paste), editing and screen grabbing in one single action.  Here’s how to lock a document or file securely:

  1. Right-click on a PDF in File Explorer and select “Make secure PDF”.
  2. Protect the PDF from unauthorized use by ticking the relevant controls.  We recommend that you add a watermark to identify users.  Safeguard creates permanent dynamic watermarks that cannot be removed using PDF editing software.
  3. Locklizard will automatically protect a PDF from copying text and images, but you may want to take additional steps to protect your PDF from screen capture.  Without screen capture protection, a user can screengrab your PDF and import it into an optical character recognition tool to make the text editable.  To prevent this, open the “Environment Controls” tab and tick “Disallow screen capture”.
  4. Press the “Publish” button at the bottom of the window.

    Your protected PDF file will be encrypted and output to its source folder in the .pdc format.  You can safely share it or upload it to SharePoint, knowing that nobody can access it without a valid license.
  5. Add a user account and send them their license via the Safeguard admin portal.

    See how to add a new user and grant them document access.

Why Locklizard for ensuring data is protected in SharePoint?

Locklizard provides many security advantages over SharePoint:

  • No Passwords

    With Safeguard, there is no need to password protect documents.  Documents are encrypted using public key technology – there are no keys to manage or distribute.

    There are no passwords or codes for users to enter in order to access encrypted documents – keys are transparently and securely transferred to authorized devices, and files are decrypted on-the-fly in memory.

  • DRM Controls

    Safeguard provides additional document security controls beyond SharePoint permissions or access rights.  These ensure persistent document protection regardless of where documents are located and enforce secure document sharing.

    • Prevent sharing – documents are locked to authorized devices
    • Block screen grabbing (even from remote locations)
    • Prevent printing (or limit the number of prints)
    • Stop copying and prevent copy paste
    • Prevent editing
    • Expire documents after a number of days use, views, prints, or on a fixed date
    • Revoke documents instantly (regardless of where they are located)
    • Lock document access to specific locations
  • Document Expiry & Retention

    Documents can be set to expire:

    • on a specific date
    • after a number of days use
    • after a number of views
    • after a number of prints

    Automatically enforce document retention policies and ensure that documents can no longer be used after a period of time.  Safeguard provides flexible document expiry so you can retire documents or user access depending on your requirements:

    • The same document can be set to expire at different times for different users, or not expire for some users but expire for others.
    • If you want to change document expiry dates for individual or all users, you can easily do that after a document has been distributed.
    • User accounts can also be set to expire on a fixed date (which you can change at any time) so that individual user access to all documents is automatically revoked when this timeframe is reached.
  • Device & location locking

    • Lock use to authorized devices to stop users sharing documents with others
    • Control the number of devices users can view your protected documents on
    • Lock use to locations (e.g. the office) to prevent users viewing confidential documents from unauthorized locations (e.g. at home)
  • Dynamic Watermarks

    Add watermarks that automatically display the user’s name, email and a date and time stamp when the document is viewed and/or printed.

  • Document Access Tracking

    • Track when documents are accessed (viewed and printed).
    • Track who opened a document, when it was read and/or printed, at what location and on what device.
  • Simple to use

    You don’t have to worry about configuring complex SharePoint document access rights, document groups, or folder permissions to control access to confidential and sensitive documents.

    Safeguard allows you to restrict document access, add encryption, and apply DRM controls in one easy step, with persistent protection.  By protecting your documents using Safeguard and then storing them in SharePoint, you retain control over their sharing and use even if they are removed from the SharePoint environment.

Locklizard enables you to protect documents securely without insecure passwords or plug-ins, and enforce access, location, expiry, and usage controls.  Our DRM technology ensures your sensitive and confidential data is protected in SharePoint regardless of its location with US Gov Strength encryption, licensing, and DRM controls.  PDF files are individually encrypted, and content is only ever decrypted in memory – no temporary files are used.


What is SharePoint Security?

SharePoint security enables you to limit access to sites, libraries, folders, files, groups and users through the use of permissions.  SharePoint uses AES 256 bit encryption for content encrypted at rest and in transit.  Authentication is required through Active Directory (AD), a valid Microsoft account, or a link which can be password protected.

Can Locklizard Safeguard protect .docx and other MS Office files?

No, Locklizard only protects files in the PDF format.  You have to save Microsoft Office files such as Word documents as a PDF to protect them.

Can you send a secure file through SharePoint?

Yes, but external sharing can create security risks.  Microsoft recommends that you create a separate site to share files with external users in case they inadvertently gain access to other files.  For additional security you should protect it with information rights management or an external DRM solution such as Locklizard Safeguard first.

Is SharePoint safe for confidential information?

The complexity of SharePoint restrictions, limited permissions and the ability for users to easily bypass them, make it difficult to recommend for use with sensitive data.  It is best used in combination with more focused document security systems such as Information Rights Management (IRM) or Digital Rights Management (DRM) solutions.

Is SharePoint more secure than Dropbox?

Yes, it is.  Microsoft SharePoint has a more advanced set of security controls, including permissions, tracking, encryption systems and optional Information Rights Management.  However, as we have outlined above, SharePoint is far from perfect either and requires additional measures to be implemented for external sharing.

Which is more secure – Google Drive, Docs, or Microsoft SharePoint?

Again, SharePoint wins.  Not because it uses an effective document security method, but because Google Drive’s security is so poor and so is Google Docs – see How secure are Google Docs.  At the risk of sounding repetitive, however, it is a good idea to protect your documents with DRM before uploading them to either service, especially if you want to share documents with external users.

How secure is SharePoint online?

SharePoint Online Security is about as secure as any online document collaboration platform – which is to say, not very.  While Microsoft makes a lot of noise about the fact that SharePoint content is BitLocker encrypted, this is designed to protect content when it is at rest on the server.  Ultimately, SharePoint Online still delivers its content to users in the browser, which cannot have the same level of control over the operating system as a dedicated application.  This means it cannot stop screenshots and can be manipulated further through the use of the browser’s developer mode or extensions to remove security features.

Does SharePoint have a good security record?

Over the past decade or so, SharePoint has been on the receiving end of over 80 vulnerabilities considered “critical”.  Flaws allowing remote code execution are the most commonly seen serious SharePoint vulnerabilities, and open the risk of hackers infecting users with malware or extracting sensitive information.

How can I make my SharePoint site more secure?

Follow SharePoint best practices as outlined here.  This includes conducting regular audits, defining a proper topology and recovery plan, ensuring permission levels are justified, using SAML, and more.  You can also protect your documents with DRM before they are uploaded to SharePoint to ensure that malicious users won’t be able to open files even if they leak outside of your organization.

Can you password protect a SharePoint folder?

Yes, but since users can share the password with others, it may not provide the level of security you require for confidential and sensitive business documents.

Can you prevent download of files in SharePoint?

Yes, but there are ways to bypass this as we cover in the section above on blocking SharePoint downloads.

Can you prevent printing in SharePoint?

You can prevent printing of the original document if you block downloads, but users can use methods to bypass this.  You can prevent printing if you activate Azure Information Protection or Information Rights Management (IRM).

Can you prevent sharing in SharePoint?

Not really, since users can save to PDF or copy and paste content to a new document outside of SharePoint – see the section above on blocking SharePoint downloads.  They can then share that with others.  You need to use IRM or DRM that does not rely on a web browser environment to prevent sharing.

Can you prevent deletion of folders and files in SharePoint?

Yes.  If you assign Read or View permissions to a folder or file then users cannot delete it.

Can you prevent copying or copy paste in SharePoint?

No.  You can only prevent copying if you activate Azure Information Protection or IRM, or upload DRM-protected files into SharePoint.  Otherwise, users can copy document content using copy and paste or make full copies by saving files to PDF using automated scripts.

Can you prevent printing to PDF in SharePoint?

No.  Even if you prevent the ability to download a PDF, users can still save a copy using automated scripts.  See blocking SharePoint downloads.

Can you prevent editing in SharePoint?

You can prevent users from editing files in SharePoint (i.e. within the SharePoint environment) but users can modify copies they have downloaded.  However, they will first have to OCR the downloaded PDF files to make them editable.

Can external users you share documents with from SharePoint open files in Word?

Yes, since they can save to PDF and then open the PDF document in Word.

Does Locklizard prevent users from downloading documents?

No, there is no need to do so.  Only authorized users can view protected PDFs.  If an unauthorized user downloads a protected file they won’t be able to open it.

Does SharePoint support watermarks?

No.  If you want to watermark PDF documents in SharePoint then protect them using Locklizard Safeguard.  You can add both text watermarks (static and dynamic watermarks that identify users) and image watermarks.
