Stop Those Prying Eyes Getting to Your Data


Stop Those Prying Eyes Getting to Your Data
Liam Cleary, Solution Architect | SharePoint MVP

About Me
- Solution Architect @ SusQtech (Winchester, VA)
- SharePoint MVP since 2007
- Working with SharePoint since 2002
- Worked on all kinds of projects: Internet, Intranet, Extranet, anything SharePoint really
- Involved in architecture, deployment, customization and development of SharePoint

Agenda
- SharePoint Security in General
- SharePoint Topologies
- Secure Topologies
- Protecting SharePoint: Authentication and Authorization, Firewall, DRM, Data Encryption
- Guidelines for Protecting SharePoint

SharePoint Security in General: Terminologies
- Permission: the unit of access; each one represents an individual task that can be performed on a securable object. The set of base permissions is fixed: you cannot create or delete permissions, only combine them into permission levels.
- Permission Level: a predefined (or custom) set of permissions that is granted to users and groups.
- User: the smallest object to which access can be granted. A user may be an Active Directory account, a forms-based account, or a claims identity.
- User Groups: a set of users grouped by common properties for ease of management.
- Securable Object: Web (site), list, library and item.
- Inheritance: when a securable object is created, it inherits the user access of its parent object until inheritance is explicitly broken.
- Site Groups: when a new site is created, a set of default SharePoint groups (Owners, Members, Visitors) is created automatically for it.

SharePoint Security in General: Logical Approach
Scope, from smallest to largest: Item -> List or Library -> Site -> Site Collection -> Web Application -> Farm -> Service Applications -> Cross Farm.
SharePoint performs authorization. It expects a valid authentication token from the configured provider and evaluates the identity that token carries: a role, a security group, or a claim attribute.

SharePoint Topologies – Edge Firewall
Advantages:
- This is the simplest solution and requires the least amount of hardware and configuration.
- The entire server farm is located within the corporate network.
- There is a single point of data: data is located within the trusted network and data maintenance occurs in one place.
- A single farm is used for both internal and external requests, which ensures that all authorized users view the same content.
- Internal user requests are not passed through a proxy server.
- UAG pre-authenticates users.
Disadvantage:
- This configuration results in a single firewall separating the corporate internal network from the Internet.

SharePoint Topologies – Back-to-back Perimeter
Advantages:
- Content is isolated to a single farm on the extranet, simplifying sharing and maintenance of content across the intranet and the extranet.
- External user access is isolated to the perimeter network.
- If the extranet is compromised, damage is potentially limited to the affected layer or to the perimeter network.
Disadvantage:
- The back-to-back perimeter topology requires additional network infrastructure and configuration.

SharePoint Topologies – Back-to-back Perimeter with Cross-Farm Services
Advantages:
- Services are centrally managed inside the corporate network.
- Service applications that involve many contributors, such as Managed Metadata, are located where the contributor accounts are located.
- Special access is not required for the perimeter network.
Disadvantages:
- Some service applications require a two-way trust between the domains, for example User Profile and Secure Store Service.

SharePoint Topologies – Back-to-back Perimeter with Content Publishing
Advantages:
- Customer-facing and partner-facing content is isolated in a separate perimeter network.
- Content publishing can be automated.
- If content in the perimeter network is compromised or corrupted as a result of Internet access, the integrity of the content in the corporate network is retained.
Disadvantages:
- Additional hardware is required to maintain two separate farms.
- Data overhead is greater: content is maintained and coordinated in two different farms and networks.
- Changes to content in the perimeter network are not reflected in the corporate network. Consequently, content publishing to the perimeter domain is not a workable choice for extranet sites that are collaborative.

SharePoint Topologies – Split Back-to-back
Advantages:
- Computers running SQL Server are not hosted inside the perimeter network.
- Farm components within both the corporate network and the perimeter network can share the same databases.
- Content can be isolated to a single farm inside the corporate network, which simplifies sharing and maintaining content across the corporate network and the perimeter network.
Disadvantages:
- The complexity of the solution is greatly increased.
- Intruders who compromise perimeter network resources might gain access to farm content stored in the corporate network by using the server farm accounts.
- Inter-farm communication is split across two domains.

SharePoint Topologies – Split Back-to-back optimized for Content Publishing
Advantages and disadvantages: as for the split back-to-back topology above (SQL Server stays out of the perimeter network, databases can be shared across the corporate and perimeter farm components, content is isolated to a single farm inside the corporate network; in exchange the complexity is greatly increased, a compromised perimeter host can reach corporate-network content through the server farm accounts, and inter-farm communication is split across two domains).

Protecting SharePoint – Authentication and Authorization
Authentication options:
- Windows: NTLM, Kerberos, Basic, Anonymous, Digest
- Forms-based Authentication: Lightweight Directory Access Protocol (LDAP), Microsoft SQL Server, ASP.NET Membership and Role Providers
- SAML Token-based Authentication: Active Directory Federation Services (ADFS), 3rd party identity provider

Protecting SharePoint – Authentication and Authorization
Claims Authentication?
- Wide support, standards based: WS-Federation 1.1, WS-Trust 1.4, SAML Token 1.1
- AuthN, Single Sign On, Federation
- Already many providers: Live, Google, Facebook etc.
- Microsoft's standard approach
- Fed up with custom coding everything, every time
- Gets round (some) Office integration problems
- "Easy to configure with little effort": multiple web.config changes, web application changes, and then of course the actual configuration of your identity provider
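The last bullet is what the configuration actually looks like end to end. As an added example (not from the deck, and not SusQtech's or Microsoft's sample code), here is both halves in PowerShell: the relying party trust on ADFS (Windows Server 2012 AD FS cmdlets) with an LDAP attribute rule and a group-restricted authorization rule, then the SharePoint 2013 side: trusted root authority, claim type mappings, the trusted identity token issuer, attaching it to the extranet zone, and granting a site group to a role claim instead of to individual users. Every host name, URL, realm, certificate path, group name and the web application itself are assumptions.

```powershell
# Added example, not from the original deck. Assumed values:
#   ADFS host        adfs.contoso.com          SharePoint URL  https://extranet.contoso.com
#   Realm            urn:sharepoint:extranet   AD group        Extranet-Users
#   Signing cert     C:\certs\adfs-token-signing.cer (ADFS token-signing certificate, public key only)

# ---------- On the ADFS server (Windows Server 2012 AD FS module) ----------
Import-Module ADFS
Import-Module ActiveDirectory

# Issuance transform rule: read mail and group membership from AD and issue them as
# emailaddress and role claims. Only the two listed attributes are issued; nothing else leaks.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Extranet attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# Issuance authorization rules run before transform rules, so they only see the incoming AD claims.
# Gate on the group SID claim rather than "permit everyone"; look the SID up instead of hard-coding it.
$groupSid = (Get-ADGroup -Identity "Extranet-Users").SID.Value
$authzRules = @"
@RuleName = "Permit members of Extranet-Users only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name "SharePoint Extranet" `
    -Identifier "urn:sharepoint:extranet" `
    -WSFedEndpoint "https://extranet.contoso.com/_trust/" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# ---------- On a SharePoint 2013 server, as a farm administrator ----------
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Trust the ADFS token-signing certificate. Verify its thumbprint out of band before running this:
# whoever can get a certificate trusted here can mint tokens for any user.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-token-signing.cer")
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert | Out-Null

$emailMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name "Contoso ADFS" -Description "ADFS for the extranet" `
    -Realm "urn:sharepoint:extranet" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://adfs.contoso.com/adfs/ls" `
    -IdentifierClaim $emailMap.InputClaimType

# Attach the issuer to the Extranet zone of the (assumed, already extended) claims-mode web application.
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity "https://extranet.contoso.com" -Zone Extranet -AuthenticationProvider $provider

# Authorize by claim, not by person: the role claim "Extranet-Users" becomes a member of the Visitors group.
$web = Get-SPWeb "https://extranet.contoso.com"
$principal = New-SPClaimsPrincipal -ClaimValue "Extranet-Users" `
    -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -TrustedIdentityTokenIssuer $issuer
$user = $web.EnsureUser($principal.ToEncodedString())
$web.AssociatedVisitorGroup.AddUser($user)
$web.Dispose()
```

Two caveats worth checking before calling this done. First, the relying party's token lifetime on ADFS must be longer than the SharePoint STS LogonTokenCacheExpirationWindow (10 minutes by default), otherwise users land in a redirect loop between the two sign-in pages. Second, ADFS rolls its token-signing certificate over automatically; when it does, the certificate imported with -ImportTrustCertificate no longer matches and every extranet login fails until the new one is imported, so put the rollover date on the calendar.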

Show me the Money

Protecting SharePoint – Server Guidelines
- Block the standard SQL Server ports (TCP 1433 and the SQL Browser on UDP 1434)
- Configure SQL Server database instances to listen on a nonstandard port
- Configure SQL client aliases so the farm never references the actual server name
- Implement Windows Firewall / IPsec policies, with custom rules as needed
- Utilize Group Policies
- Utilize claim attributes: implement ADFS when using claims authentication, add an attribute store, add custom attribute rules
- Secure communication with SSL/TLS
- Follow the server hardening plan: http://technet.microsoft.com/en-us/library/cc262849.aspx
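The first five bullets are one procedure, so here it is as a single added example (not from the deck) for a Windows Server 2012 R2 farm: move the SQL instance to a static nonstandard port, block the well-known ports, allow the new port only from the farm members and only over authenticated, encrypted IPsec, then give each SharePoint server a client alias so the real server name and port never appear in farm configuration, and finally verify. The host names, IP addresses, port number and alias name are assumptions; the SMO WMI calls, firewall and IPsec cmdlets, and the ConnectTo registry format are the real interfaces.

```powershell
# Added example, not from the original deck. Assumed values:
#   SQL Server         sql01.corp.contoso.local (10.0.2.20), default instance, moved to TCP 40001
#   SharePoint servers 10.0.1.10, 10.0.1.11, 10.0.1.12
#   Client alias       SPSQL (the name the farm is told the database server has)

# ---------- On the SQL Server ----------
# 1. Static nonstandard port through SQL Server WMI (SMO); clear dynamic ports so it cannot drift.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.SqlWmiManagement")
$wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$tcp = $wmi.ServerInstances["MSSQLSERVER"].ServerProtocols["Tcp"]
$tcp.IsEnabled = $true
$tcp.IPAddresses["IPAll"].IPAddressProperties["TcpDynamicPorts"].Value = ""
$tcp.IPAddresses["IPAll"].IPAddressProperties["TcpPort"].Value = "40001"
$tcp.Alter()
Restart-Service MSSQLSERVER -Force          # the port change takes effect on restart

# 2. Firewall: block the well-known ports outright; allow the new port only from the farm members,
#    and only when the connection is authenticated and encrypted by IPsec (rule 3 supplies that).
New-NetFirewallRule -DisplayName "SQL - block default TCP 1433" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Block
New-NetFirewallRule -DisplayName "SQL - block Browser UDP 1434"  -Direction Inbound -Protocol UDP -LocalPort 1434 -Action Block
New-NetFirewallRule -DisplayName "SQL - allow TCP 40001 from SharePoint farm" -Direction Inbound -Protocol TCP -LocalPort 40001 `
    -RemoteAddress 10.0.1.10,10.0.1.11,10.0.1.12 -Authentication Required -Encryption Required -Action Allow

# 3. Connection security rule: require IPsec inbound on the SQL port. The default authentication set is
#    computer Kerberos, so only domain-joined machines can even complete the handshake.
New-NetIPsecRule -DisplayName "SQL - require IPsec on 40001" -Protocol TCP -LocalPort 40001 `
    -RemoteAddress 10.0.1.10,10.0.1.11,10.0.1.12 -InboundSecurity Require -OutboundSecurity Request

# ---------- On each SharePoint server ----------
# 4. Client alias: the farm connects to "SPSQL"; the real host and port live only in this registry value.
#    DBMSSOCN selects the TCP/IP network library. Both hives matter: SharePoint is 64-bit, some tools are 32-bit.
$aliasValue = "DBMSSOCN,sql01.corp.contoso.local,40001"
foreach ($key in "HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo",
                 "HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo") {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name "SPSQL" -Value $aliasValue -PropertyType String -Force | Out-Null
}
# When the farm is created, it is given the alias, not the server:
#   New-SPConfigurationDatabase -DatabaseServer SPSQL -DatabaseName SP_Config ...

# 5. Matching IPsec rule on the client side, then verify: old port closed, new port open.
New-NetIPsecRule -DisplayName "SQL - IPsec to sql01" -Protocol TCP -RemotePort 40001 -RemoteAddress 10.0.2.20 `
    -InboundSecurity Request -OutboundSecurity Request
(Test-NetConnection -ComputerName sql01.corp.contoso.local -Port 1433).TcpTestSucceeded    # expect False
(Test-NetConnection -ComputerName sql01.corp.contoso.local -Port 40001).TcpTestSucceeded   # expect True
```

Moving the port is obscurity on its own; the part that actually reduces exposure is rule 2 and 3 together, which leave only three domain-joined hosts able to reach the listener at all. Keep the alias identical on every farm server, because SharePoint stores it in the configuration database and a server with a missing or different alias will not join the farm.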

Protecting SharePoint – General Guidelines
- Make it clear what content is permissible
- Security and permissions; Rights Management Services
- Educate employees; use classification to guide behavior; don't forget to enforce the policies
- Utilize claim attributes (augmentation using ADFS)
- Use out-of-the-box configuration: users or Active Directory groups, provider roles, SharePoint site groups; permission groups assigned to SharePoint site groups

Expect the Unexpected

Thank You
Personal Email: liamcleary@msn.com
Work: http://www.susqtech.com
Twitter: @helloitsliam
Blog: www.helloitsliam.com