Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Slides:

Advertisements

Similar presentations

Enabling Secure Internet Access with ISA Server

Advertisements

Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Randy Williams, MOSS MVP Senior Consultant Synergy Corporate Technologies.

SharePoint 2010 Business Productivity: What's new for Developers in Microsoft SharePoint 2010 Matthew McDermott, MVP Aptillon, Able Blue

Introduction To Windows NT ® Server And Internet Information Server.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

Managing Identity and Permissions

Understanding Active Directory

Fraser Technical Solutions, LLC

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Securing SharePoint Technology Joel Oleson Sr. Technical Product Manager Microsoft Corporation IW316.

EPM 2007 Implementation and Upgrade Tips Summary June 18th, 2008 Brendan Giles, PMP, MCP.

Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

Creating Business Workflow Using SharePoint Designer 2007 Presented by Tarek Ghazali IT Technical Specialist Microsoft SQL Server MVP Microsoft SQL Server.

A Close Look Inside the SharePoint Engine Randy Williams, MVP MOSS Synergy Corporate Technologies

SharePoint External Login Access – Forms Authentication vs Azure ACS.

Session 11: Security with ASP.NET

Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation

Session 10 Windows Platform Eng. Dina Alkhoudari.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Module 8 Configuring and Securing SharePoint Services and Service Applications.

Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

Designing Group Security Designing security groups Designing user rights.

Basic Developer Knowledge That Every SharePoint Admin Must Have Randy Williams, MVP MOSS Synergy Corporate Technologies

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

Copyright © 2006 Pilothouse Consulting Inc. All rights reserved. Overview Scale out architecture Servers, services, and topology in Central Administration.

1 Web services and security ---discuss different ways to enforce security Presenter: Han, Xue.

Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy

Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.

SharePoint Security Fundamentals Introduction to Claims-based Security Configuring Claims-based Security Development Opportunities.

HOW SHAREPOINT WORKS By Gary Newman. Root Folder Virtual Directories SP Farm DNS Iterative Forward DNS query for A host record HTTP request HTML & JS.

Searching Business Data with MOSS 2007 Enterprise Search Presenter: Corey Roth Enterprise Consultant Stonebridge Blog:

Module 4 : Installation Jong S. Bok

Dr. Mustafa Cem Kasapbaşı Security in ASP.NET. Determining Security Requirements Restricted File Types.

Securing Your ASP.NET Application Presented by: Rob Bagby Developer Evangelist Microsoft ( )

SECURITY ISSUES. Introduction The.NET Framework includes a comprehensive set of security tools –Low-level classes and an overall framework –Managing code.

Planning a Microsoft Windows 2000 Administrative Structure Designing default administrative group membership Designing custom administrative groups local.

Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.

James Akrigg Microsoft Ltd Integrating InfoPath Forms Into Workflow Solutions And Business Processes.

Designing Secure SharePoint External Access Ondrej Sevecek | MCM: Directory | MVP: Security |

Module 11: Securing a Microsoft ASP.NET Web Application.

Slide 1 ASP Authentication There are basically three authentication modes Windows Passport Forms There are others through WCF You choose an authentication.

Module 6 Securing Content. Module Overview Administering SharePoint Groups Implementing SharePoint Roles and Role Assignments Securing and Auditing SharePoint.

Copyright © 2006 Pilothouse Consulting Inc. All rights reserved. Impersonation in SharePoint Developers use impersonation when an application needs to.

MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.

GUDURU PRAVEEN REDDY.NET IMPERSONATION. Contents Introduction Impersonation Enabled Impersonation Disabled Impersonation Class Libraries Impersonation.

IIS and.Net security -Vasudha Bhat. What is IIS? Why do we need IIS? Internet Information Services (IIS) is a Web server, its primary job is to accept.

Module 5 : Security I Jong S. Bok

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Web Content Management with MOSS 2007 Patrick Tisseghem

1 Chapter Overview Creating Web Sites and FTP Sites Creating Virtual Directories Managing Site Security Troubleshooting IIS.

Web Services Security Patterns Alex Mackman CM Group Ltd

Security E-Learning Chapter 08. Security Control access to your web site –3 Techinques for Identifying users Giving users access to your site Securing.

Configuring and Deploying Web Applications Lesson 7.

Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.

Windows SharePoint Services Installation and Configuration.

Business Objects XIr2 Windows NT Authentication Single Sign-on 18 August 2006.

ArcGIS for Server Security: Advanced

SharePoint Authentication and Authorization

Deep Dive into SharePoint 2010 Security

Secure Connected Infrastructure

Stop Those Prying Eyes Getting to Your Data

Jon Galloway | Tech Evangelist Christopher Harrison | Head Geek

Common Security Mistakes

SharePoint Online Authentication Patterns

Designing IIS Security (IIS – Internet Information Service)

Presentation transcript:

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd Security Fundamentals in Microsoft SharePoint Products and Technologies 2007

Learn about authenticating users in WSS and MOSS Learn about configuring access control within a site collection Learn about configuring access control at Web Application scope Discuss why and how to use MOSS single sign-on service (SSO) Discuss why and how to use Information Rights Management (IRM)

WSS deployment based on a farm – Farm requires Web server(s) and database server – Farm can be single server or multi-server – Each farm has exactly one configuration database

Web Applications provide HTTP entry points – Web Applications based on IIS Web sites – Web Application defines one or more URL spaces – Web Application security configured independently

Sites are partitioned using Site Collections – Site collection is scope for administrative privileges – Site collection always contains top-level site – Site collection may contain hierarchy of child sites – Web application can support 1000s of site collections

Authentication and Identity Authentication based on an identity (i.e. Security Principal) Authentication performed using credentials Authentication produces some form of badge Authorization and Access Control A subsystem is used to define security policy Privileged users to configure security policy on objects Subsystem enforces policy at run time

Support multiple styles of authentication with each style using a different identify management system Map authenticated users to secondary credentials e.g. - associate Windows Authenticated user with SAP credentials Configure entry locations for WSS and MOSS control URL site mapping Sandbox code that should not be fully trusted e.g. configure Web Parts with Code Access Security Protect documents after they are distributed provide client-level protection of sensitive information

IIS Application Pool Identity – Configured with IIS or WSS administration tools – Authenticated when IIS worker process is launched WSS System Identity – New concept introduced with WSS 3.0 – Used by WSS to hide application pool identity User Identity – Used for authorization and auditing – Authenticated by Windows or Forms Authentication Provider

WSS runtime is hosted by IIS Application Pools – Each WSS Web Application runs in a IIS Web site – Each IIS Web site runs with in a specific IIS application pool – Application pool identity configured with local or domain account – Domain account recommended in farms of two or more servers

WSS system code must access SQL Server – WSS must create and access configuration database – WSS must create and access content databases WSS must authenticate against SQL Server – Option #1: Integrated Windows Authentication (recommended) – Option #2: Standard SQL authentication

Question: When code in WSS Web Application accesses a SQL Server database in response a user request, does it do so using the identity of the user or the identity Application Pool?

Answer: It depends

“It depends” in more detail – WSS accesses configuration database and content databases with Application Pool Identity – Custom code (e.g. Web Parts) run with impersonation and access SQL Server database with user identity

WSS V2 had issues with Application Pool Identity WSS 3.0 introduces SHAREPOINT\system account – Hides IIS Application Pool Identity from users – Runs as SUPER ADMIN within WSS authorization system – Removes need to treat Application Pool Identity as site user System account details for the super geek – SID as S (Null SID) – User id as (0x3FFFFFFF) – Account is a internal WSS identity and NOT a Windows identity

Web Server It’s important to understand the difference Pages, Lists & Documents SharePoint content Northwind Database SQL Server XML File local file system Web Application Worker Process Authorized using Windows Identity Authorized using SharePoint Identity

Code typically runs under identity of user – Authorization works as expected in SharePoint – Sometime code must do things which user cannot do Custom code elevate privilege – Advantage: elevated code can do what it want – Disadvantage: elevated code can do what it want Elevation of Privileges

Windows Authentication – IIS performs authentication with client – Users authenticated to Windows account (AD or local) – Only type supported in WSS V2 and SPS 2003 ASP.NET Forms Authentication – Based on ASP.NET 2.0 authentication provider framework – IIS configured for anonymous access Web Single Sign On – Based on Federation

Internet User WSS authentication configured in terms of zones – There is one zone per IIS Web site – Each zone has its own web.config file – Each zone has exactly one authentication provider – Web Application can be extended with multiple zones Extended Web Application Zone 1 Default Zone Windows integrated authentication Zone 2 Internet Zone Forms-based authentication Content Database Intranet User

Ensures internal and public URL mappings work correctly – Main Web Application URL is mapped by default – Web Application and zones can be extended with additional URLs. – Alternate URLs can be mapped to one physical path WSS Site Internet User Intranet User Intranet User Access Mappings

Authentication performed against Windows accounts – Local Accounts can be used in single-server configurations – Active Directory accounts are usually much better choice Most popular Authentication types – Windows Integrated Authentication – Basic Authentication

Authentication using Windows protocols – Enhancements to WSS V3 enable Kerberos protocol – WSS V3 still uses NTLM protocol when necessary – Authentication results in creation of Windows security token Domain Controller Windows Server 2003 Active Directory xoxoxWally oxoxMary xoxoxoBob PWDLogin Desktop Windows XP Application Browser Office 12 Custom App Web Server Windows Server 2003 WSS token

Commonly used in Internet scenarios – Industry-standard, cross-browser, firewall-friendly protocol – No need for client to access Windows domain controller – Authenticates to Windows account and creates security token – User name and password passed in clear text – You must use HTTPS for any reliable level of security Domain Controller Windows Server 2003 Active Directory xoxoxWally oxoxMary xoxoxoBob PWDLogin Desktop Windows XP Application Browser Custom App Web Server Windows Server 2003 WSS token Internet

web.config file configures basic ASP.NET settings – Authentication specifies resolving to Windows accounts – Impersonation is set to true WSS is the entity that adds authorization – ASP.NET configured to allow all user access to everything

WSS 3.0 supports FBA introduced in ASP.NET 2.0 – Decouples SharePoint from Active Directory – Based on pluggable authentication providers – Providers available out-of-box with ASP.NET 2.0 – Companies can create their own providers as well Identity Mgmt App Operating System Identity Store xoxoxWally oxoxMary xoxoxoBob PWDLogin Desktop Windows XP Application Browser Office App Custom App Web Server Windows Server 2003 WSS Intern et Authentication Provider

web.config file configures basic ASP.NET settings – Authentication configured for Forms – Membership provider is configured – Impersonation is set to true (e.g. impersonated IUSR_XXX)

Watch out for this guy

Configuring Forms-Based Authentication demo

This is done at several different levels – Site Collection – Web Application – Farm

Site Collection Owner People and Groups Permissions and Permissions Levels Securable objects

WSS rights managed through permission levels – Each permission level consists of a set of rights – Permission level defines rights required by business roles – Defined on a per site basis – Permissions assigned to people and groups

site collection -- top-level site -- list1 -- item1 -- item2 -- documentlibrary1 -- document1 -- document2 -- childsite1 -- list1 -- item1 -- item2

New with WSS 3.0 – Allows farm administrator to grant or deny access – Web application policy overrides site collection

Provides credential mapping – Maps identities between identity management systems e.g. map authenticated Windows user to SAP credentials – Stores credentials in encrypted form in SSO database Where is it used? – Custom Web Parts, BDC, Excel Services, etc.

MOSS Farm SAP LOB System DB2 some really old database BobBrowser Web Server BDC Web Parts SSO database Custom Web Parts

IRM protects documents after distribution – Requires environment with accessible RMS server – MOSS writes IRM security information into documents – Client must talk to RMS server to open document

Authenticating users in WSS and MOSS Configuring access control within a site collection Configuring access control at Web Application scope MOSS single sign-on service (SSO) Using Information Rights Management (IRM)

blog: