SharePoint Server

This section covers the following topics:

Overview
Licensing
Requirements
- Credentials
- Using Multiple Credentials to Scan a SharePoint Server Target
Set Up and Scan a SharePoint Server Target
- Add SharePoint Server as a New Target
- Scan a SharePoint Server Target

Overview

When a SharePoint Server is added as a scan Target, ER2 returns all root-level Site Collections for the SharePoint Server.

For the example below, "SharePointDBS" is added as a SharePoint Server Target in ER2. When the Target is probed, users can view and scan all root-level Site Collections associated with "Web Application 1" and "Web Application 2", as shown below:

SharePoint Server Host (host name: SharePointDBS) +– SharePoint Server +– Web Application 1 (https://sharepoint.example.com) +– Site Collection 1 (https://sharepoint.example.com/) +– Site Collection 2 (https://sharepoint.example.com/operations) +– Site Collection 3 (https://sharepoint.example.com/marketing) +– Web Application 2 (https://sharepoint.example.com:100) +– Site Collection 1 (https://sharepoint.example.com:100/) +– Site Collection 2 (https://sharepoint.example.com:100/engineering)

When probing a SharePoint Server, only the Site Collections that the credential set has access to will be listed.

Licensing

For Sitewide Licenses, all scanned SharePoint Server Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, SharePoint Server Targets require Server & DB Licenses, and consume data from the Server & DB License data allowance limit.

See Target Licenses for more information.

Requirements

Component	Description
Version Support	SharePoint Server 2013 and above.
Proxy Agent	ER 2.0.28 Agent and newer. Recommended Proxy Agents: Windows Agent with database runtime components Windows Agent
TCP Allowed Connections	All TCP ports used by the SharePoint web applications.

Component

Description

Version Support

SharePoint Server 2013 and above.

Proxy Agent

ER 2.0.28 Agent and newer.

Recommended Proxy Agents:

Windows Agent with database runtime components
Windows Agent

TCP Allowed Connections

All TCP ports used by the SharePoint web applications.

Credentials

To successfully scan all resources for a SharePoint Server Target, use credentials that have the minimum required privileges to access all the web applications and site collections on the SharePoint Server.

To scan all the SharePoint site collections in "SharePoint DBS", use a credential set that has access to "Web Application 1" and "Web Application 2".

Recommended Least Privilege User Approach

To reduce the risk of data loss or privileged account abuse, the Target credentials provided for the intended Target should only be granted access to the exact resources and data that require scanning. Never grant full user access privileges or unrestricted data access to any application if it is not required.

Using Multiple Credentials to Scan a SharePoint Server Target

When multiple credentials are required to access the different Site Collections or Sites, a user can upload a text file containing granular access credentials when setting up a SharePoint Server Target. The text file contents must follow these rules:

Each line of the text file defines a credential set for a URL path.

Each line must be formatted as <url_path>|<username>|<password>.

Field	Description
<url_path>	The URL path to a Site Collection or Site. If the <url_path> is left blank, the credentials will be used to access all content in the SharePoint Server.
<username>	User name that has access to the URL path.
<password>	Password for the corresponding user.

Here is an example of a text file with granular access credentials for SharePointDBS:

1	https://sharepoint.example.com/operations\|myUserName1\|myPassword1
2	https://sharepoint.example.com:9999/\|myUserName2\|myPassword2
3	https://sharepoint.example.com:100/engineering\|myUserName3\|myPassword3

Set Up and Scan a SharePoint Server Target

Add SharePoint Server as a New Target

From the New Scan page, Add Targets.
In the Select Target Type dialog box, select Server.
In the Enter New Target Hostname field, enter the host name of the Microsoft SQL Server where the SharePoint Server is hosted.
Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
Click Commit to add the Target.
In the Select Types dialog box, click Server Applications > SharePoint Server.

In the next window, fill in the following details:

Dialog box to configure the path, credentials and proxy agent for a SharePoint Server Target.

Field	Description
Path	Enter the URL of the resource to scan. If the Path field is left blank, all resources in the SharePoint Server (e.g. web applications, site collections, sites, lists, list items, folders and files) will be scanned. See Path Syntax table for more information on scanning specific resources in the SharePoint Server.
Credential Details	If you have stored the credentials, select from Stored Credentials. If not, fill in the following fields: New Credential Label: Enter a descriptive label for the credential set. New Username: User name for the database server. New Password: Password for the database server. Windows Authentication for Microsoft SQL To use Windows authentication, enter your Windows account credentials: Username: Windows domain and username in the <domain_name\user_name> format. Password: Windows password. For more information on Windows or SQL Server authentication modes, see Choose An Authentication Mode. Credentials must have the minimum privileges described in Credentials.
(Optional) API passwords	Upload the text file containing multiple credentials to access different Sites or Site Collections. For example, my_sharepoint_credentials.txt. ER2 will default to the credentials provided in the Username and Password fields for Sites or Site Collections that are not specified in the API passwords file. See Using Multiple Credentials to Scan a SharePoint Server Target for more information.
Proxy Details	Select a suitable Agent.

Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
Click Commit to add the Target.

Scan a SharePoint Server Target

(Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan.
Click Next.
On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.
Click Next.
On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Path Syntax

The following options can be defined in the Path field to setup a SharePoint Server scan:

Example of SharePoint Web Application structure: Web Application 1 (https://sharepoint.example.com) +– Site Collection 1 (https://sharepoint.example.com/) +– Site Collection 2 (https://sharepoint.example.com/operations) +– Sub-site 1 (https://sharepoint.example.com/operations/sub-site.aspx) +– Folder 1 (https://sharepoint.example.com/operations/myFolder) +– File 1 (https://sharepoint.example.com/operations/myFolder/myFile.txt) +– Lists (https://sharepoint.example.com/operations/Lists) +– List 1 (https://sharepoint.example.com/operations/Lists/myList) +– Item 1 https://sharepoint.example.com/operations/Lists/myList/myFile.pptx)

Description	Syntax & Example
Scan all resources for the SharePoint Online web application. This includes all site collections, sites, lists, list items, folders and files.	Syntax: Leave Path blank.
Scan a site collection. This includes all sites, lists, list items, folders and files for the site collection.	Syntax: <organization>.sharepoint.com/<site_collection> Example: https://example.sharepoint.com/operations
Scan a site in a site collection.	Syntax: <organization>.sharepoint.com/<site_collection>/<site> Example: https://example.sharepoint.com/operations/my-site
Scan all lists in a site collection.	Syntax: <organization>.sharepoint.com/<site_collection>/:site/:list Example: https://example.sharepoint.com/operations/:site/:list
Scan a specific list in a site collection.	Syntax: <organization>.sharepoint.com/<site_collection>/:site/:list/<list> Example: https://example.sharepoint.com/operations/:site/:list/my-list
Scan all folders and files in a site collection.	Syntax: <organization>.sharepoint.com/<site_collection>/:site/:file Example: https://example.sharepoint.com/operations/:site/:file
Scan a specific folder in a site collection.	Syntax: <organization>.sharepoint.com/<site_collection>/:site/:file/<folder> Example: https://example.sharepoint.com/operations/:site/:file/documents
Scan a specific file in a site collection.	Syntax: <organization>.sharepoint.com/<site_collection>/:site/:file/<file> Example: https://example.sharepoint.com/operations/:site/:file/example-file.txt
Scan a specific file within a folder in a site collection.	Syntax: <organization>.sharepoint.com/<site_collection>/:site/:file/<folder>/<file> Example: https://example.sharepoint.com/operations/:site/:file/documents/example-file.txt