Showing posts with label Security. Show all posts

Tuesday, August 7, 2007

SharePoint Security? An oxymoron? An afterthought?

You know the old adage, "The only secure computer is one that is off, unplugged, in the back of a closet." Securing data has always been a case of how inaccessible you want the data to be. If accessing data easily from anywhere is the main focus of a product, chances are good that security will not be.

I was recently asked to submit some abstracts to a conference in Toronto (absolutely *love* that city, those people rock). It's a hardcore security conference. And they want me, since I am so into WSS, to focus on WSS security.

Now I am talking hardcore, 300 to 400 level security; threat modeling, hack-this-box kind of stuff. Real white hat/black hat, exploit people.

So, what would I talk about concerning security to this jaded bunch of experts?

How about being prepared for the disgruntled administrator? About *really* securing Central Administration? Or what damage you can do with knowing the server farm account, or content database accounts? Or what nefarious things can be done with policy for web application? I dunno. I have been so busy, so overwhelmed, with documenting all the normal functions of SharePoint, I really haven't had time yet to focus on exploiting it.

And now, in the middle of editing, maybe I should. I know, I am doing something else, but this is how it happens. You never get opportunities when you can do them, only when you are too busy to think about them. But inevitably, those opportunities come up, like a call for papers, months before the actual event takes place.

So, in order to have a job at all in November, I have to find time to respond now.

I'll let you know what I come up with, and whether or not they are accepted, as soon as I can.