Securing SharePoint Technology Joel Oleson Sr. Technical Product Manager Microsoft Corporation IW316.

Agenda
Site Collection and below…
–Demo: Site Permissions and Item level security
Web App Security
–Demo: Web Application Policies
Farm Security
–Demo: Forms based authentication
Summary
Q/A

Site and List Security Data Protection

Item Level Security and Security Trimming
–Permissions from site collections to individual objects.
–Default permission inheritance from parent to child objects.
–33 default permissions can be assigned to a user or SharePoint group.
–Permissions can be specified on items.
–Returned search results can map back to the security context of the user.
–These controls trim the UI to the exclusive user context.

Permission Management Architecture
–Sets permissions for SharePoint users, groups, and domain groups.
–Default groups include: Owners (get full control), Visitors (get contributor rights), Members (get read rights).
–Custom groups can be created and managed by site collection.
–Group membership is consistent within the site collection.
–Custom groups are reusable across different project sites.

Site Permissions and Item level security Demo Solution Deployment

Information Rights Management (IRM)
–Protects sensitive information at the client level, even when business information is taken offline.
–This may be essential for companies to comply with regulations, such as privacy legislation.
–Ensure that all the requirements are met in the environment:
Windows Rights Management (WRM) Services Client on MOSS Web servers.
Microsoft Rights Management Services (RMS) connectivity to the SharePoint farm.
Configuration enabled in SharePoint Central Administration, then configured in the list or library.

SharePoint List and Library IRM integration
–IRM integrates with lists through the rights management framework.
–IRM imposes access restrictions “no matter where it is stored or who tries to open it”.
–Common IRM policy permits authorized viewing or printing only.
–A “protector” is used to provide IRM functionality. Several are installed with MOSS.
–A protector manages the encryption process for all file types stored in MOSS.
–The architecture supports pluggable protectors for other file types.

IRM Scenarios
–Example: Shows how a user requests a rights-managed document from a MOSS 2007 integrated IRM protector.
–IRM extended scenarios include:
User credential verification after a certain time period.
Disallow user upload of assets that do not use IRM.
Schedule an expiration tag to drop the restriction policy.
Bind to a global organization IRM permission policy.

IRM Implementation
–IRM works directly with SharePoint data store structures such as document libraries to maintain permissions:
A user navigates to an IRM-enabled document library and attempts to download a document.
Roles are bound to the document library for the documents.
The protector encrypts the document and adds an issuance license.
–Result: 1:1 mapping between item and document permissions. SharePoint roles for the document translate into IRM permission levels on the document. The document is encrypted locally for offline protection.

Content/Audience Targeting
Web Part/Content targeting to:
–Global Audience (SSP Audience Configuration)
Based on Active Directory attributes
Pluggable ASP.NET Membership provider attributes
Profile Attributes
Compiled in a recurring Timer Job
–SharePoint Groups – groups defined based on users and groups in Site permission levels
–Distribution/Security Groups
–My Site secure location targeting
NOTE: Targeting does not equal permissions or rights.

Secure Collaboration
–Common Services control access to stored information.
–Lockdown permits users to access the authorized information only:
Binds an identity to a specific object – from a site collection to a document or list.
Enforces granular access controls and explicit membership to an item.
UI shows accessible items only.

WEB APPLICATION SECURITY Authentication and Authorization

Pluggable Authentication Provider
–MOSS integrates ASP.NET 2.0 pluggable authentication for Windows and non-Windows.
–Supports shipped, Windows-based authentication methods.
–Sets up Internet-facing SharePoint authentication.
–Enables pluggable authentication providers built on the ASP.NET 2.0 membership architecture.
–ASP.NET 2.0 pluggable providers can employ membership data stores including:
LDAP Directories
SQL Database
Oracle or other ADO.NET/ODBC compliant data sources
XML files or flat text files

ASP.NET 2.0 Membership Provider
–Supports configurable directories in a member data store.
–Stores pluggable provider credentials in the machine.config file.
–Membership providers include:
LDAP V3 directory (with MOSS)
SQL Server
Active Directory (ASP.NET 2.0)
–Pluggable membership providers inherit from the ASP.NET MembershipProvider interface; this interface inherits from the ProviderBase class.

Considerations for ASP.NET Authentication
–Authentication types not resolving to a Windows identity must use a zone.
–A mandated PKI infrastructure, such as for smartcards, typically resolves to a Windows identity.
–PKI implementation may require a zone or other configuration.
Browser clients only
–Search crawler must use Windows
–Office client interaction degraded
Forms & Windows accounts
–Forms user is not the same as the Windows user
Diagram: Company A (Windows Authentication), Company B (Non-Windows Authentication)

Pluggable Single Sign-On (SSO)
–The MOSS SSO service provides an encrypted back-end cache of users' credentials for mapping to connected LOB systems.
–Aids in retrieving critical information through MOSS mechanisms:
Business Data Catalog (BDC)
SharePoint DataView Web Parts (DVWP)
–Can specify a pluggable SSO provider instead of SpsSsoProvider.
–Registers only one SSO provider per LOB system at a time.

Forms-Based Authentication
–Utilizes pluggable authentication and role providers to enable Internet-style security.
–Supports a customized login process geared to users' needs.
–Forms authentication cookies and authentication tickets are encrypted and tamper-proof.
–The form identity provider, called Web SSO, can plug into an external identity management system.

FBA Web Single Sign-On
–Employs an HTTP module for external authentication.
–Allows external partners to authenticate using their user credentials.
–Delegates log in and password reset to the provider.
–Web SSO authentication requires an extranet zone.
Diagram: Partner Application

Alternate Access Mappings
–Ensures internal and external URL mappings work correctly.
–The URL is mapped by default, but can be extended to additional URLs.
–Alternate URLs can be mapped to one physical path.
–Zones can use different authentication providers / Web application security policies.
–Compensates for different application domains, reverse proxies, and other URL redirection mechanisms.
Diagram: toso.com, Extranet Users, Intranet Users

Zones in Alternate Access Mapping (AAM)
–A zone maps a Web application to a single set of content databases, allowing greater control over AAM.
–Zones use the AAM URL to map different authentication providers to the same physical path and MOSS content.
–Recommended: Bind the zone to an authentication mechanism. A URL that maps to a zone not listed on the authentication providers page uses the security setting for the Default zone.
–Recommended: Place the most publicly-accessible URL in the Default zone (zones: Default, Intranet, Internet, Custom, Extranet).

Microsoft Confidential
SharePoint Web App Security Policies
–Centrally enforced permissions for all sites in the web application
–GRANT and DENY
–Bound to web application/zone
–Scenarios:
Full read – search crawling accounts, auditors, legal compliance
Deny all – security control, regulatory compliance
Deny write – extranet lockdown
–Overrides the granular item level permission settings; managed from the SharePoint Central Administration interface.
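The "Deny write – extranet lockdown" scenario above, scripted against the SharePoint object model as an added example (not code from the deck): it binds a Deny Write policy for one group to the Extranet zone only, so item-level permissions on the intranet URL are untouched. The web application URL, zone and group name are placeholders; run it on a farm server as a farm administrator.

```powershell
# Added example: apply a zone-bound "Deny Write" web application policy (MOSS 2007 / WSS 3.0).
# Placeholders: $webAppUrl, $login. Assumes the Microsoft.SharePoint assembly is installed locally.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$webAppUrl = "http://extranet.contoso.com"              # placeholder web application URL
$zone      = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet
$login     = "CONTOSO\ExtranetPartners"                   # placeholder domain group
$display   = "Extranet partners (deny write)"

$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$webAppUrl)
if ($webApp -eq $null) { throw "Web application not found: $webAppUrl" }

# Policies bound to a zone apply only to requests arriving on that zone's AAM URL;
# the Default zone keeps its own policy collection.
$policies = $webApp.ZonePolicies($zone)

# Idempotent: reuse an existing policy entry for this login rather than adding a duplicate.
$policy = $policies | Where-Object { $_.UserName -eq $login }
if ($policy -eq $null) {
    $policy = $policies.Add($login, $display)
}

# "Deny Write" is one of the built-in special roles (Full Control, Full Read, Deny Write, Deny All).
$denyWrite = $webApp.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyWrite)
$bound = $policy.PolicyRoleBindings | Where-Object { $_.Type -eq $denyWrite.Type }
if ($bound -eq $null) {
    $policy.PolicyRoleBindings.Add($denyWrite)
}
$webApp.Update()

# Verification: list every policy on the zone with its role bindings, so a reviewer can
# confirm that the deny applies to the intended group and zone only.
foreach ($p in $webApp.ZonePolicies($zone)) {
    $roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    Write-Host ("{0,-35} {1}" -f $p.UserName, $roles)
}
```

A DENY policy wins over any site, list or item permission the group holds, which is why the verification listing is worth keeping in change records.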

Web Application Policies Demo Solution Deployment

Encryption of Application Connection Strings
–Storing connection string data in plain text in the web.config file creates a security vulnerability.
–ASP.NET 2.0 functionality can be used to encrypt application connection string data using either:
Windows Data Protection API (DPAPI): Encrypts and decrypts using the MOSS server machine key.
RSA encryption: Uses public key algorithms, but adds appropriate containers for the encryption keys.
–Pluggable encryption providers can use different encryption tools.

Connection String Encryption Best Practices
–For MOSS 2007 and a pluggable SQL Server authentication provider, encrypt the connectionStrings node in cipher text.
–DPAPI uses native machine key encryption for either a virtual directory or a physical directory. Use the following commands:
–Encrypt the connection strings node specifying the section parameter:

Connection String Encryption Best Practices (continued)
–After implementation, the nodes of sensitive information are replaced by well-formed XML cipher values.
–This pluggable model can support custom encryption providers to manage cipher text for relevant MOSS configuration files.
–Considerations:
Encryption using the local machine key can only use the configuration node on the server on which it was created.
If an intruder gained access to the server and retrieved the machine key, they could decrypt the connection string.
Decryption causes a minor application performance hit.
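An added example (not from the deck) of the DPAPI procedure on the two slides above: it inspects a web.config to tell a plaintext connectionStrings section from an encrypted one (the encrypted form carries a configProtectionProvider attribute and an EncryptedData/CipherValue child), then encrypts plaintext sections with aspnet_regiis. The virtual-directory paths are placeholders, and the .NET 2.0 64-bit framework path is assumed; because DPAPI uses the local machine key, the script has to run on every front-end server, not once per farm.

```powershell
# Added example: audit and DPAPI-encrypt the connectionStrings section of MOSS web.config files.
# Assumptions: .NET Framework 2.0 on 64-bit Windows (MOSS 2007); $sites are placeholder paths.
$frameworkDir = Join-Path $env:windir "Microsoft.NET\Framework64\v2.0.50727"
$aspnetRegiis = Join-Path $frameworkDir "aspnet_regiis.exe"

function Get-ConnectionStringState {
    param([string]$WebConfigPath)
    [xml]$cfg = Get-Content -Path $WebConfigPath
    $node = $cfg.configuration.connectionStrings
    if ($node -eq $null) { return "absent" }
    # Encrypted: configProtectionProvider attribute plus an EncryptedData child element
    # (namespaced, so match on LocalName). Plaintext: <add name=".." connectionString=".."/>.
    $enc = $node.ChildNodes | Where-Object { $_.LocalName -eq "EncryptedData" }
    if ($node.GetAttribute("configProtectionProvider") -ne "" -and $enc -ne $null) {
        return "encrypted:" + $node.GetAttribute("configProtectionProvider")
    }
    $withSecret = @($node.SelectNodes("add")) | Where-Object {
        $_.GetAttribute("connectionString") -match "(?i)(password|pwd)\s*=" }
    if (@($withSecret).Count -gt 0) { return "plaintext-with-credentials" }
    return "plaintext"
}

function Protect-ConnectionStrings {
    param([string]$PhysicalDir)
    # -pef encrypts one section of the web.config found in a physical directory;
    # -prov selects the provider: DataProtectionConfigurationProvider (DPAPI, machine key)
    # or RsaProtectedConfigurationProvider (RSA key container, exportable between servers).
    & $aspnetRegiis -pef "connectionStrings" $PhysicalDir -prov DataProtectionConfigurationProvider
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }
}

# Placeholder virtual-directory roots whose web.config should be checked on this server.
$sites = @("C:\Inetpub\wwwroot\wss\VirtualDirectories\80",
           "C:\Inetpub\wwwroot\wss\VirtualDirectories\extranet443")

foreach ($dir in $sites) {
    $path  = Join-Path $dir "web.config"
    if (-not (Test-Path $path)) { Write-Warning "missing: $path"; continue }
    $state = Get-ConnectionStringState -WebConfigPath $path
    Write-Host ("{0,-60} {1}" -f $path, $state)
    if ($state -like "plaintext*") {
        Protect-ConnectionStrings -PhysicalDir $dir
        Write-Host ("  -> now: " + (Get-ConnectionStringState -WebConfigPath $path))
    }
}
```

The audit function also serves as the post-change check: a section still reporting "plaintext-with-credentials" after the run means the encryption step did not take effect on that server.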

Shared Service Considerations
BDC is available to all web apps consuming from the SSP where it is configured.
Without security trimmers:
–Notes search results are not trimmed
–BDC search results are not security trimmed
WSS Search results are trimmed to site collection by scope; ensure sites are secured appropriately.

Active Directory Federation Services
–ADFS (Active Directory Federation Services) includes a non-trusted federated web services authentication model.
–Works with browser-based functions. Not recommended with rich client requirements.
–Understand “Enable Client Integration”: matches the Office client’s behavior for some FBA providers.

SERVER and FARM SECURITY Architectural Considerations and Lockdown

Secure by Default
Anonymous disabled by default
Sites secured to site creator
Server administrators have no access to content web apps
Permission changes audited
Self Service not enabled by default

LOCK IT DOWN!
Configure Firewall Rules: lock down to the most restrictive with an acceptable level of usability (i.e. outbound HTTP)
–Consider RSS/XML web part requirements
Secure client communication with trusted SSL certificates (128-bit HTTPS)
IPsec – Require or Request: secure communication between servers and DCs
–Careful with NLB and clients (Mac/Unix)
Enable Kerberos Authentication (Intranet) *Careful with NLB
SQL SSL encrypted traffic + non-standard port
Configure Central Admin on App server
IP restrict traffic to Central Admin and SSP App Pools (IIS)
Configure Deny Policies on Content/Admin Web Apps for applicable Groups/Domains
Configure ISA Secure Publishing

Forefront Security for SharePoint
Diagram: SQL, Document Library, Document, Users, SharePoint Server
Virus Protection for Document Libraries
–Integrates scan engines from eight industry leading vendors
–Real-time scanning of documents uploaded to and downloaded from a document library
–Manual and scheduled scanning of document libraries
Content Filtering Policy Enforcement
–File filtering to block documents from being posted based on name match, file type or file extension
–Content filtering by keywords within documents for inappropriate words and phrases
Protects MOSS 2007 and WSS 3.0

SharePoint API integration
Utilizes the SharePoint Virus API to scan files during upload and download
–Optimized for performance in a SQL environment
Files are not rescanned if engines have not been updated
Up to ten simultaneous scanning threads to help ensure users are not delayed waiting for documents to scan
Automatic integration with SharePoint Information Rights Management (IRM) to scan protected files on the fly

Secure Web Publishing with ISA
Diagram: Exchange, Intranet Web Server, SharePoint, Active Directory, External Web Server, Administrator, User, ISA 2006, DMZ, Internal Network, Internet, Headquarters
Integrated Security / Efficient Management / Fast, Secure Access:
–NEW Smartcards & one-time password support
–NEW Customized logon forms for most devices & apps
–NEW LDAP authentication for Active Directory
–NEW Web publishing load balancing
–NEW Authentication delegation (NTLM, Kerberos)
–NEW Improved idle-based time-outs for session management
–NEW Exchange & SharePoint publishing tools
–NEW Enhanced certificate administration
–NEW Single sign-on for multiple resource access
–NEW Automatic translation of embedded internal links

Extranet Architecture Example

Authoring -> Production

Content Deployment

Intranet, Extranet, Internet: 2 Farms, 3 SSPs. TechNet: Plan Logical Architecture

Architecture Considerations
Why more than 1 Farm?
–Application/Customization SLAs, Licensing (Internet vs. Intranet CAL), Isolation (No Scale)
Why more than 1 SSP?
–Isolation and Service Needs
Why more than 1 App Pool?
–Security Isolation, Memory and CPU isolation, Auth requirements
Why more than 1 Site Collection?
–Separation/delegation of ownership, quotas, ability to split across databases
Why keep them together?
–Global Navigation, Inheritance of style/Master page, Security inheritance, Query web parts, Site Collection policy and content type enforcement

Database Considerations
Databases can be pre-created and then used as content databases
SQL security, rights and roles should be scrutinized; employ least-privileged access considerations
Config
–Contains list of all servers, site collections, web apps, web parts, solutions (most critical db in the farm from an availability standpoint)
Content database
–Contains all data, blobs, sites, webs, etc… (most sensitive)
Search & SSP DBs
–Optimize… High disk I/O; contains configuration & search property and profile store (index/query – index on disk)

Protocols
All protocols are HTTP-based
–HTTP/S: Browser sessions
–SOAP/Web Services: Editing from Office Applications, Web Services & Indexing
–RSS: All lists can be viewed this way
–FP-RPC: SharePoint Designer, Usage
–WebDAV: Explorer View, Web Client Access
–XMLHttpRequest: Forms

Additional Architectural Considerations
Windows Servers – Security Configuration Wizard (SCW) (verify)
IIS – Certificate management, IP restrictions
SQL – Use Windows auth vs. SQL security
Manage domain accounts

Firewall Ports

Security Summary
Site and List Security
–Information Rights Management Integration
–Information Policies – auditing, expiration
–Item Level Security
–Barcodes and Labels, extensibility for signatures
–Content Approval, Workflows
Web Application Security
–Forms-Based Authentication and Single Sign-on
–Active Directory Federation Services (ADFS)
–Search – security trimmed search results
–Publishing through Internet Security and Acceleration Server (ISA) and Intelligent Application Gateway (IAG)
Server and Farm Security
–Pluggable Authentication – Pluggable Authentication Provider
–Security Policies; Major and minor versions, Web Application
–IIS IP restrictions, Windows 2003 R2 SCW to lock down server

Summary
Allows for the easy implementation of Internet-facing environments and extranets.
Built to enable support for heterogeneous environments.
Supports pluggable forms-based authentication (FBA) providers.
Reduces management overhead and improves security.
Offers granular rights management of business assets.

Guidance for a More Secure Infrastructure
SharePoint Team Security Related Posts
TechNet: Securing Your Sites, Servers, and Server Hardening
7 New Features that Enhance Security in SharePoint
Security and Protection for Office SharePoint Server
TechNet Webcast: SharePoint Security from Service Accounts to Item-Level Access
Forefront Security for SharePoint