Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association


attacker could launch a denial of service (DoS) attack by trying to log in with an ID multiple times. When you have account locking in place, all user accounts could be locked out after three to five failed attempts, and no one would be able to log in to the system.

Remedies:

There are several ways to address the issue of providing unauthorized access to information on your site:

• Lock down the identity of the user viewing the site by securing the _layouts/people.aspx page:
  • Navigate to the root of your site collection
  • Click Site Actions, point to Site Settings and click People and Groups
  • In the Quick Launch, click All People
  • On the toolbar, click Settings and then click List Settings
  • In the General Settings section, click Advanced Settings
  • In the Read Access section, select Only Their Own
  • In the Edit Access section, select Only Their Own
• Allow only admin-level access to files, such as people.aspx, on your root site or on sites where you don't intend to provide user access.
• Put custom logic on the page to prevent direct access, either page by page or by creating a custom HTTP handler, and control access to pages based on a user's identity.

Cross-Site Scripting (XSS) Vulnerability

SharePoint provides a document-attachment feature with its collaborative list objects, such as announcements, tasks and calendars. When you create a new calendar or announcement, you can upload and attach any document format, including an HTML file. When a user clicks on the link, SharePoint will display the HTML page. If the HTML page contains JavaScript, the browser will execute it because it trusts your site. This means that a malicious user or a hacker could trick users into clicking on harmful links, capture their cookies, or exploit other vulnerabilities.

Remedies:

There are a couple of approaches you can take to mitigate the cross-site scripting vulnerability:

• Prevent the attachment of HTML or HTM files.
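The two remedies above (restricting the list behind _layouts/people.aspx to "Only Their Own", and blocking HTML/HTM attachments) can also be applied and verified from the SharePoint 2010 Management Shell instead of clicking through Site Settings. The script below is an added example written for this edit, not code from the article or from Microsoft; the site URL is a placeholder, and the final "Strict" browser-file-handling line is an additional hardening setting that goes beyond what the article lists.

```powershell
# Added example: apply the article's two remedies with the SharePoint 2010 object model.
# Run on a farm server as a farm administrator. The URL below is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.local"   # placeholder: root of your site collection

# --- Remedy 1: lock down the User Information List that people.aspx displays ---
# SPList item-level security values: 1 = all items, 2 = only items the user created
# (ReadSecurity 2 = "Read Access: Only Their Own"; WriteSecurity 2 = "Edit Access: Only Their Own").
$web  = Get-SPWeb $siteUrl
$list = $web.SiteUserInfoList          # the list behind _layouts/people.aspx
$list.ReadSecurity  = 2
$list.WriteSecurity = 2
$list.Update()

# Verify the change took effect before moving on.
"{0}: ReadSecurity={1} WriteSecurity={2}" -f $list.Title, $list.ReadSecurity, $list.WriteSecurity
$web.Dispose()

# --- Remedy 2: refuse .html/.htm uploads for the whole web application ---
# Blocked file extensions are a web-application-level setting, so this covers
# list attachments in every site collection served by that web application.
$webApp = Get-SPWebApplication $siteUrl
foreach ($ext in @("html", "htm")) {
    if (-not $webApp.BlockedFileExtensions.Contains($ext)) {
        $webApp.BlockedFileExtensions.Add($ext)
    }
}

# Additional setting not listed in the article: Strict browser file handling makes
# SharePoint send HTML-type files as downloads instead of rendering them inline,
# which limits the damage from any HTML file that is already stored.
$webApp.BrowserFileHandling = [Microsoft.SharePoint.Administration.SPBrowserFileHandling]::Strict
$webApp.Update()

# Verify: both extensions should be listed and handling should read "Strict".
$webApp.BlockedFileExtensions | Where-Object { @("html", "htm") -contains $_ }
$webApp.BrowserFileHandling
```

Blocking extensions stops new HTML attachments but does not remove ones already uploaded, so after applying this, review existing list attachments for .html/.htm files before relying on the setting alone.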
