1
Platform and Farm Security
Johnathan Lightfoot
2
Meet Johnathan Lightfoot (@exnav29)
SharePoint Architect
SharePoint 2010/2013/2016/Online/Office365/Artificial Intelligence and Bots
Microsoft Certified Trainer (Alumni)
Developing solutions for the enterprise which move them forward!
Brief Experience: SharePoint, Office365 and Bot Framework
My SharePoint journey started in 2006, never looked back.
I love Star Trek and move to make the technology and processes on that world reality.
3
Course Expectations: Target Audience and Suggested Prerequisites
Intermediate Level
- IT Professional
- Experience running an established SharePoint Farm
- Have done at least two SharePoint Installations and/or Upgrades
- Have some experience using PowerShell
High Level Learning Outcome
- A mix of discussion and demos that can easily be referenced from this recording
- Become familiar with SharePoint Security from a farm and platform level
- Be familiar with content being tested in the exam (Managing Microsoft SharePoint 2016)
4
Course Topics: Modules
01 | Plan & Configure Security Isolation
02 | Plan & Configure Services Lockdown
03 | Plan & Configure Antivirus Settings
04 | Plan & Configure Certificate Management
05 | Plan for Kerberos Support for Service Applications
06 | Plan & Configure Information Rights Management
07 | Plan & Configure Delegated Farm Administrator
08 | Plan & Configure Delegated Service Application Administration
09 | Plan & Configure Managed Accounts
10 | Plan & Configure Blocked File Types
11 | Plan & Configure Web Part Security
5
01 | Plan & Configure Security Isolation
6
Module Overview
- Physical Isolation
- Service Application Isolation
- Application Pool Isolation
- Web Application and Zone Isolation
- Data Isolation
7
SharePoint Nexus
8
Balancing Act of SharePoint
Legal | Usability | QA | Security | Features | Business Goals
9
SharePoint Isolation (layers, from the top down): Data, Web App & Zone, App Pool, Service App, Physical
10
Physical Isolation
11
Service Application Isolation
- Replaced Shared Service Applications (since 2010)
- Each Service Application uses proxies for its connections
- The Search Service Application is often separated out
12
Application Pool Isolation
- Application Pools are really an IIS concept
- Application Pools can be created through SharePoint, but the function itself belongs to IIS
- Application Pools carve out server resources
13
Web Application and Zone Isolation
- Web Applications start with one URL
- Can be extended up to four more times (Intranet, Internet, Custom, or Extranet)
- Zones provide multiple access points to the same web application
- Allows for using different authentication options in each zone
- Also allows for different load balancing options
14
Data Isolation
- Separate physical farms are not always an option
- May have to consider separating data into different tiers
- Different teams may support different tiers
- Sensitive information
- Higher level of availability is required
- Service Level Agreement constraints
- RTOs based on type of data
15
02 | Plan & Configure Services Lockdown
16
Module Overview Limited-Access User Permission Lockdown Mode
17
Limited-Access User Permission Lockdown Mode
- Limited-Access Users
- Anonymous Access Users
- Only works on sites where the Publishing Portal template is used
- Used when greater security is needed
- Application Pages are not accessible

| Permission | Limited Access (Default) | Limited Access (Lockdown Mode) |
| --- | --- | --- |
| List Permissions: View Application Pages | granted | X (removed) |
| Site Permissions: Browse User Information | granted | |
| Site Permissions: Use Remote Interfaces | granted | |
| Site Permissions: Use Client Integration Features | granted | |
| Site Permissions: Open | granted | |
18
Limited-Access User Permission Lockdown Mode
- Can be activated in the Site Collection Settings (it is a site collection feature)
- PowerShell commands:

    To check if it is on:
    Get-SPFeature ViewFormPagesLockDown -Site <<site collection URL>>

    To toggle on:
    $lockdown = Get-SPFeature ViewFormPagesLockDown
    Enable-SPFeature $lockdown -Url <<site collection URL>>

    To toggle off:
    Disable-SPFeature $lockdown -Url <<site collection URL>>

vs-lockdown-mode-sharepoint-2010/
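The slide shows the feature commands for a single site collection. The script below is an added example, not part of the presentation, that applies the same Get-SPFeature/Enable-SPFeature pattern across every site collection in one web application: it reports which site collections already have lockdown mode on and turns it on where it is off, limited to site collections where the publishing infrastructure is active (the slide notes the mode only has an effect on publishing sites). The web application URL is a placeholder; the feature name PublishingSite used for that filter is the internal name of the "SharePoint Server Publishing Infrastructure" feature.

```powershell
# Added example (not from the presentation): audit and enable lockdown mode
# across a web application. Assumes it runs on a SharePoint server under an
# account that has shell access; the URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = "http://intranet.contoso.local"   # placeholder
$lockdownName = "ViewFormPagesLockDown"          # feature name from the slide
$publishingName = "PublishingSite"               # publishing infrastructure feature

$lockdown = Get-SPFeature $lockdownName

foreach ($site in Get-SPWebApplication $webAppUrl | Get-SPSite -Limit All) {
    # Get-SPFeature -Site returns the feature only when it is active there
    $publishing = Get-SPFeature -Site $site -Identity $publishingName -ErrorAction SilentlyContinue
    if (-not $publishing) {
        Write-Host ("{0}: not a publishing site, skipped" -f $site.Url)
        $site.Dispose()
        continue
    }

    $active = Get-SPFeature -Site $site -Identity $lockdownName -ErrorAction SilentlyContinue
    if ($active) {
        Write-Host ("{0}: lockdown mode ON" -f $site.Url)
    } else {
        Write-Host ("{0}: lockdown mode OFF, enabling" -f $site.Url)
        Enable-SPFeature -Identity $lockdown -Url $site.Url
    }
    $site.Dispose()
}
```

Run it once in report mode first by commenting out the Enable-SPFeature line; the output then doubles as a record of which site collections still expose application pages to limited-access and anonymous users.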
19
Limited Access User Permission Lockdown mode
Demo Limited Access User Permission Lockdown mode
20
03 | Plan & Configure Antivirus Settings
21
Module Overview
- Anti-Virus Settings
- What it really is
- How it works
22
Anti-Virus Settings
23
Anti-Virus Settings: Central Administration > Security (General Settings) > Manage antivirus settings
24
04 | Plan & Configure Certificate Management
25
Module Overview
- Changed Landscape
- Types of certificates (inter-farm)
- Process
26
Certificate Management
Certificates were optional, because:
- SharePoint farms were mostly internally facing
- Central Administration did not need SSL for configuration
- Server-to-Server communications were not encrypted
- External services were not required
27
Certificate Management
Setup for the trust
- Export a root certificate (Consuming farm)
- Export an STS certificate (Consuming farm)
- Export a root certificate (Publishing farm)
Prepare for the trust
- Copy the Consuming farm's root and STS certificates to the Publishing farm
- Copy the Publishing farm's root certificate to the Consuming farm
Establish the trust (3 step process)
- Create a Trusted Root Authority (Consuming farm)
- Create a Trusted Root Authority (Publishing farm)
- Create a Trusted Service Token Issuer (Publishing farm)
28
Certificate Management
Setup for the trust
- Export a root certificate (Consuming farm):

    (Get-SPCertificateAuthority).RootCertificate.Export("Cert") | Set-Content "<<Path>>" -Encoding byte

- Export an STS certificate (Consuming farm):

    (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate.Export("Cert") | Set-Content "<<Path>>" -Encoding byte

- Export a root certificate (Publishing farm): the same root certificate export command, run on the Publishing farm
Prepare for the trust
- Copy the Consuming farm's root and STS certificates to the Publishing farm
- Copy the Publishing farm's root certificate to the Consuming farm
29
Certificate Management
Establish the trust (3 step process)
- Create a Trusted Root Authority (Consuming farm):

    $PtrustCert = Get-PfxCertificate "<<path to the Publishing farm root certificate>>"
    New-SPTrustedRootAuthority "PublishingFarmRA" -Certificate $PtrustCert
    # Confirm using:
    Get-SPTrustedRootAuthority

- Create a Trusted Root Authority (Publishing farm):

    $CtrustCert = Get-PfxCertificate "<<path to the Consuming farm root certificate>>"
    # The name is a label chosen by the administrator; this one registers the Consuming farm's root
    New-SPTrustedRootAuthority "ConsumingFarmRA" -Certificate $CtrustCert

- Create a Trusted Service Token Issuer (Publishing farm):

    $stsCert = Get-PfxCertificate "<<path to the Consuming farm STS certificate>>"
    New-SPTrustedServiceTokenIssuer "<<Name created for STS Certificate>>" -Certificate $stsCert
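Once the three steps on the slides have been run, the trust should be checked rather than assumed: the wrong certificate is easy to export, and a root or STS certificate that expires silently breaks every published service application. The script below is an added example, not part of the presentation, that reads back the trusted root authorities and trusted token issuers with Get-SPTrustedRootAuthority and Get-SPTrustedServiceTokenIssuer, flags certificates that are expired or close to expiry, and compares them with a thumbprint you supply (placeholder) and with the local farm's own STS signing certificate. The object properties used (Certificate, SigningCertificate, NotAfter, Thumbprint) are the standard ones on those objects.

```powershell
# Added example (not from the presentation): verify an inter-farm trust.
# Assumes a SharePoint server with shell access; the thumbprint is a placeholder
# taken from the partner farm's exported root certificate.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$expectedRootThumbprint = "<<thumbprint of the partner farm root certificate>>"   # placeholder
$warnDays = 60
$found = $false

function Get-CertStatus([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    # Classify a certificate by remaining lifetime
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 0)          { return "EXPIRED" }
    if ($daysLeft -lt $warnDays)  { return "EXPIRING in $daysLeft days" }
    return "OK"
}

# 1. Trusted root authorities: the partner farm's root certificate must be registered and current
foreach ($ra in Get-SPTrustedRootAuthority) {
    $cert = $ra.Certificate
    Write-Host ("Root authority {0}: {1}, expires {2} ({3})" -f $ra.Name, $cert.Thumbprint, $cert.NotAfter, (Get-CertStatus $cert))
    if ($cert.Thumbprint -eq $expectedRootThumbprint) { $found = $true }
}
if (-not $found) {
    Write-Warning "The partner farm's root certificate is not registered as a trusted root authority"
}

# 2. Publishing farm only: the Consuming farm's STS certificate must be a trusted token issuer
foreach ($issuer in Get-SPTrustedServiceTokenIssuer) {
    $cert = $issuer.SigningCertificate
    Write-Host ("Token issuer {0}: {1}, expires {2} ({3})" -f $issuer.Name, $cert.Thumbprint, $cert.NotAfter, (Get-CertStatus $cert))
}

# 3. This farm's own STS signing certificate, to confirm the right one was exported to the partner
$localSts = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
Write-Host ("Local STS signing certificate: {0}, expires {1} ({2})" -f $localSts.Thumbprint, $localSts.NotAfter, (Get-CertStatus $localSts))
```

Comparing thumbprints rather than friendly names is the point: the trusted root authority name ("PublishingFarmRA" on the slide) is an arbitrary label, while the thumbprint ties the registration to the exact certificate the partner farm is using.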
30
05 | Plan & Configure Kerberos Support
31
Module Overview
- What is Kerberos
- Why Kerberos
- Usage of Kerberos in SharePoint
32
What is Kerberos (Cerberus)
33
What is Kerberos
- Network authentication protocol
- Uses tickets
- Allows for secure communications to occur across non-secure networks
- Default authentication method for Microsoft since Windows 2000
Ticket flow:
1. Client authenticates to the Authentication Server (AS)
2. AS forwards the username to a Key Distribution Center (KDC)
3. KDC issues a (time-stamped and encrypted) Ticket-Granting Ticket (TGT) to the user's workstation
34
Why use Kerberos
- Default authentication method for Microsoft since Windows 2000
- Strongest Windows authentication protocol
- Able to support enterprise-grade encryption
- Provides for mutual authentication between clients and servers
- Allows for delegation of credentials: clients authenticate into an environment, and the environment can then connect to additional servers and services on the client's behalf
- Significant reduction in authentication traffic to Active Directory Domain Services domain controllers
35
Usage of Kerberos in SharePoint
Two ways it can be used:
- Basic Kerberos Delegation
  - Can cross domain boundaries in the same forest
  - Cannot cross a forest boundary
- Kerberos Constrained Delegation
  - Cannot cross domain or forest boundaries, unless using Windows Server 2012 or greater domain controllers
Service Applications require Kerberos delegation so SharePoint users can access other, non-SharePoint resources.
- Less restrictive Service Apps (Basic Kerberos Delegation): Business Data Connectivity Services, Access Services, SQL Server Reporting Services
- Restrictive Service Apps (Kerberos Constrained Delegation): PerformancePoint Services, InfoPath Forms Services, Visio Services
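Whether a service account is set up for basic (unconstrained) or constrained delegation is visible in Active Directory, and it is worth checking before and after a service application is configured, because basic delegation lets the account impersonate users to any service. The script below is an added example, not part of the presentation, that reads the relevant attributes with the ActiveDirectory module: TrustedForDelegation indicates basic delegation, msDS-AllowedToDelegateTo lists the constrained targets, and TrustedToAuthForDelegation distinguishes Kerberos-only from protocol-transition constrained delegation. The account names are placeholders modelled on the naming used later in the deck.

```powershell
# Added example (not from the presentation): report the delegation type of
# SharePoint service accounts. Assumes the ActiveDirectory (RSAT) module and
# read access to the accounts; account names are placeholders.
Import-Module ActiveDirectory

$serviceAccounts = @("sp_webapp", "sp_serviceapps", "sp_userprofileservice")   # placeholders

foreach ($name in $serviceAccounts) {
    $acct = Get-ADUser -Identity $name -Properties TrustedForDelegation, TrustedToAuthForDelegation,
        'msDS-AllowedToDelegateTo', ServicePrincipalName

    if ($acct.TrustedForDelegation) {
        # "Basic Kerberos delegation" on the slide: any service, anywhere in the forest
        $type = "BASIC (unconstrained) delegation: review whether this service really needs it"
    } elseif ($acct.'msDS-AllowedToDelegateTo') {
        $mode = if ($acct.TrustedToAuthForDelegation) { "any authentication protocol" } else { "Kerberos only" }
        $type = "Constrained delegation ({0}) to: {1}" -f $mode, ($acct.'msDS-AllowedToDelegateTo' -join ", ")
    } else {
        $type = "No delegation configured"
    }

    $spns = if ($acct.ServicePrincipalName) { $acct.ServicePrincipalName -join ", " } else { "(none)" }
    Write-Host ("{0}`n  SPNs: {1}`n  {2}" -f $acct.SamAccountName, $spns, $type)
}
```

An account with no SPN cannot receive Kerberos tickets at all, so the SPN line doubles as a quick explanation when a web application unexpectedly falls back to NTLM.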
36
06 | Plan & Configure Information Rights Management
37
Module Overview
- What is Information Rights Management
- Capabilities of IRM
- Implementing IRM
- Gotcha with implementing IRM
- PowerShell Commands
38
What is Information Rights Management
- Subset of digital rights management (DRM): technologies that protect sensitive information from unauthorized access
- Sometimes referred to as E-DRM or Enterprise Digital Rights Management
- DRM technologies are typically associated with business-to-consumer systems designed to protect items such as music and video
- IRM is a technology which allows for information (mostly in the form of documents) to be protected
- Used to protect information in a business-to-business model, such as financial data, intellectual property and executive communications
- IRM currently applies mainly to documents and s.
39
Capabilities of Information Rights Management
- Information Encryption: encryption to prevent unauthorized access
- Permissions Management: an IRM user can apply access permissions that permit or deny a user from taking certain actions on a piece of information, such as controlling copy & paste and preventing screenshots, printing or editing
- A rights model/policy which allows for easy mapping of business classifications to information
- Offline use, allowing users to create/access IRM-sealed documents without needing network access for certain periods of time
- Full auditing of both access to documents and changes to the rights/policy by business users
- Allows users to change or revoke access permissions without sharing the document again
NOT A SECURITY SOLUTION. MORE OF A POLICY ENFORCEMENT SOLUTION
40
Implementing IRM: Central Administration > (Information Policy) > Configure Information Rights Management
41
Gotcha Implementing IRM
- Each SharePoint Web Server needs Read & Execute on C:\inetpub\Wwwroot\ADRMS\_Wincs\Certification\ServerCertification.asmx (on the RMS Server)
- Read & Execute for the AD RMS service group on the RMS Server
42
PowerShell Commands
- Get-SPIRMSettings: gives the IRM settings
- Get-SPSiteSubscriptionIRMConfig: gives the IRM settings for a specific tenant
- Set-SPIRMSettings: sets IRM settings
- Set-SPSiteSubscriptionIRMConfig: sets IRM settings for a specific tenant
43
Demo Implementing IRM
44
07 | Plan & Configure Delegated Farm Administration
45
Module Overview
- Introduction to Delegated Farm Administration
- Farm Level Administrators group
- Windows Administrators group
- Shell Access
46
Introduction to Delegated Farm Administration
Farm Admin account has:
- Full access to each of the databases in the SharePoint infrastructure (create, read, update, delete: CRUD)
- Is the application pool identity for the Central Administration website
- Process account used for the Windows SharePoint Services Timer service
Reference: Choose Administrators and owners for the administration hierarchy in SharePoint 2013
47
Farm Administrators Group
- Have Full Control permissions on all servers in the farm
- Can administer the following through Central Administration:
  - Delegate service application permissions
  - Administer Managed Accounts
  - Create, delete and edit Application Pools, Databases, Site Collections
  - Backups and restores: backup content databases without use of SQL Server Management Studio (SSMS)
- Cannot:
  - Log on locally to servers
  - Permissions cease at the Central Administration level
  - Unable to perform PowerShell activities on the server (by default)
48
Windows Administrators Group
- BUILTIN\Administrators group is added to the SharePoint Farm Administrators group by default
- Can perform the same functions as the Farm Administrators group
- Can log on locally to the server
- Are able to do everything the Farm Administrators do, with added:
  - Install binaries to the farm
  - Create new websites
  - Administer services
- Do not have access to site content
- Removal of this group from the Farm Administrators group is not recommended
- They can install and configure items from the command line
- Audit carefully who is in this group
49
Shell Access
- If additional privileges are needed for the Farm Administrators group, the account must be added to the SharePoint_Shell_Access role
- Done through PowerShell (Add-SPShellAdmin cmdlet)
- Adds the ability to interact with, in any combination:
  - Farm Configuration database
  - Central Administration content
  - Individual Content Databases
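The three groups covered in this module live in three different places (a SharePoint site group, a local Windows group, and SQL database roles), so "audit carefully who is in this group" in practice means pulling all three lists. The script below is an added example, not part of the presentation, that does exactly that: it enumerates the Farm Administrators site group on the Central Administration web, the local Administrators group on the server it runs on, and the SharePoint_Shell_Access holders for the configuration database and each content database via Get-SPShellAdmin. It assumes Windows PowerShell 5.1 for Get-LocalGroupMember and a SharePoint server with shell access; the names in the commented Add-SPShellAdmin line are placeholders.

```powershell
# Added example (not from the presentation): list farm-level administrative
# membership for review. Assumes PowerShell 5.1 and shell access on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Farm Administrators: a site group on the Central Administration web application
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caWeb = $caWebApp.Sites[0].RootWeb
Write-Host "Farm Administrators group:"
foreach ($user in $caWeb.SiteGroups["Farm Administrators"].Users) {
    # BUILTIN\Administrators is listed here by default (see the Windows Administrators slide)
    Write-Host ("  {0} ({1})" -f $user.Name, $user.LoginName)
}
$caWeb.Dispose()

# 2. Local Administrators on this server: these accounts can log on and install binaries
Write-Host ("Local Administrators on {0}:" -f $env:COMPUTERNAME)
foreach ($member in Get-LocalGroupMember -Group "Administrators") {
    Write-Host ("  {0} [{1}]" -f $member.Name, $member.ObjectClass)
}

# 3. SharePoint_Shell_Access: configuration database first, then each content database
Write-Host "Shell admins (configuration database):"
Get-SPShellAdmin | ForEach-Object { Write-Host ("  {0}" -f $_.UserName) }
foreach ($db in Get-SPContentDatabase) {
    Write-Host ("Shell admins ({0}):" -f $db.Name)
    Get-SPShellAdmin -Database $db | ForEach-Object { Write-Host ("  {0}" -f $_.UserName) }
}

# Least-privilege grant: shell access scoped to a single content database (placeholder names)
# Add-SPShellAdmin -UserName "CONTOSO\sp_delegated" -Database (Get-SPContentDatabase "WSS_Content_HR")
```

Running the third section per database is what makes delegation visible: an administrator who only needs to service one department's content database should appear under that database and nowhere else.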
50
08 | Plan & Configure Delegated Service Application Administration
51
Module Overview
- Introduction to Delegated Service Application Administration
- Service Application Administrator
- Feature Administrator
52
Introduction to Delegated Service Application Administration
- Like Farm Administrator access, Service Applications also have administrator accounts (for example Sp-serviceapps, Sp_content, Sp_userprofileservice)
- There are two roles:
  - Service Application Administrator
  - Feature Administrator
53
Service Application Administrator
- Farm Administrators designate Service Application Administrators
- Service Application Administrators cannot:
  - Create new service applications
  - Perform any action which leads to a farm-level change
- Search example
54
Feature Administrators
- Assigned by Service Application Administrators
- Can only administer a portion of a Service Application
55
09 | Plan & Configure Managed Accounts
56
Module Overview
- Introduction to Managed Accounts
- Register a new Managed Account
- Password Management Settings
57
Introduction to Managed Accounts
- Introduced with SharePoint 2010
- An Active Directory account* that is used as a service account, with a password that is maintained within SharePoint
- Password changes are done through Central Administration:
  - Manually (an administrator is needed)
  - Automatically (by SharePoint)
  - Can be configured to follow the enterprise's password change policy
- Managed Service Accounts in Active Directory ARE NOT the same as SharePoint Managed Accounts
- SharePoint Managed Accounts should not have their passwords changed by Active Directory; it must be done from within SharePoint
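The registration and password-change settings the next two slides show in Central Administration can also be scripted, which is how they are usually made repeatable across farms. The snippet below is an added example, not from the presentation, that registers a managed account with New-SPManagedAccount, turns on automatic password changes on a monthly schedule with advance e-mail warning using Set-SPManagedAccount, and then lists every managed account with its change mode and next expiry so accounts still on manual rotation stand out. The account name prompted for is a placeholder; the schedule string follows the "monthly between <day> <time> and <day> <time>" form the cmdlet accepts.

```powershell
# Added example (not from the presentation): register a managed account, put it
# on automatic password change and audit all managed accounts. Assumes shell
# access on a SharePoint server; the account name is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Register: the current AD password is needed once, after that SharePoint owns it
$cred = Get-Credential -Message "Service account to register (placeholder: CONTOSO\sp_serviceapps)"
$account = New-SPManagedAccount -Credential $cred

# Automatic change: new password generated by SharePoint, rotated during a maintenance window,
# administrators warned by e-mail 7 days before the change
Set-SPManagedAccount -Identity $account -AutoGeneratePassword `
    -Schedule "monthly between 1 02:00:00 and 1 03:00:00" -PreExpireDays 7 -EmailNotification 7

# Audit: accounts with AutomaticChange = False still depend on someone remembering to rotate them
Get-SPManagedAccount |
    Select-Object UserName, AutomaticChange, ChangeSchedule, PasswordExpiration |
    Sort-Object AutomaticChange, PasswordExpiration |
    Format-Table -AutoSize
```

The audit query is the part worth scheduling: because the slide's warning (AD must not change these passwords) also means AD's own expiry reporting will not cover them, SharePoint is the only place the expiry dates are authoritative.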
58
Registering a New Managed Account
Central Administration > Security (General Security) > Configure Managed Accounts > Register Managed Account
59
Password Management Settings
Central Administration > Security (General Security) > Configure password change settings
60
Register a New Managed Account & Password Management Settings
Demo Register a New Managed Account & Password Management Settings
61
10 | Configure Blocked File Types
62
Module Overview
- Blocked File Types
- Web Sensitive Files
63
Blocked File Types: files which cannot be uploaded to SharePoint
Central Administration > Security (General Security) > Define Blocked File Types
64
Web Sensitive Files
- Users with contributor permissions are prevented from uploading files with the following extensions: ASPX, MASTER, XAP, SWF, JAR, ASMX, ASCX, XSN, XSF
- A user with contributor rights trying to upload a file with any of the above extensions gets a modal dialog: "Error: Access Denied. User cannot upload the .SWF file."
65
Demo Web Sensitive Files
66
11 | Plan & Configure Web Part Security
67
Module Overview
- Introduction to Web Part Security
- SharePoint Web Part Security Configuration
68
Introduction to Web Part Security
- Mostly applicable to SharePoint Developers
- Does not excuse SharePoint Administrators, though
- The SharePoint Web Part infrastructure is a child of ASP.NET
- ASP.NET security guidelines apply to SharePoint development
69
SharePoint Web Part Security Configuration
Central Administration > Security (General Security) > Manage Web Part Security
70
Demo