Slide 1: SharePoint Lockdown: Security and BI
Chris Conte, Premier Field Engineer, 25 Feb 2014
Welcome. Microsoft Services helps businesses around the world maximize their investment in Microsoft products and technologies.
Slide 2: Agenda
- The Threat
- Authentication & STS
- Authorization
- Applying Permissions
- SQL Server
- Call to Action
OBJECTIVE: Understand the basics of SharePoint security and get an overview of good practices for securing a sensitive data environment.
Slide 3
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
"Distrust and caution are the parents of security." (Benjamin Franklin)
Slide 4: Authentication Providers
- CMA (Classic-Mode Authentication)
- CBA (Claims-Based Authentication)
- SAML (Security Assertion Markup Language)
- FBA (Forms-Based Authentication)
Classic = BAD!
(Diagram: example claims carried in a token: Name, Email, Job Title)
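The slide's point is that classic-mode web applications should be found and moved to claims. The following script is an added example, not code from the presentation: it lists every web application and zone in the farm, the authentication mode and claims providers configured for it, and flags anything still in classic mode. It assumes it runs on a farm server in the SharePoint Management Shell with farm administrator rights.

```powershell
# Added example (not from the presentation): report the authentication mode of every
# web application zone so classic-mode (CMA) web applications can be scheduled for
# conversion to claims. Assumes the SharePoint Management Shell and farm admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    foreach ($zone in $webApp.IisSettings.Keys) {
        $settings = $webApp.IisSettings[$zone]
        # In claims mode each zone carries one or more claims providers (Windows,
        # forms/membership, or a trusted SAML issuer). In classic mode
        # UseClaimsAuthentication is false and the provider list is empty.
        $providers = if ($webApp.UseClaimsAuthentication) {
            ($settings.ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }) -join "; "
        } else {
            "(classic mode: Windows authentication only, no claims providers)"
        }

        [PSCustomObject]@{
            WebApplication = $webApp.DisplayName
            Url            = $webApp.GetResponseUri($zone).AbsoluteUri
            Zone           = $zone
            ClaimsMode     = $webApp.UseClaimsAuthentication
            Providers      = $providers
            AnonymousOn    = $settings.AllowAnonymous   # ties in with the "Anonymous, what does that mean?" governance question
        }
    }
}

$report | Sort-Object ClaimsMode, WebApplication | Format-Table -AutoSize

# Anything still in classic mode is the candidate list for conversion to claims.
$classic = $report | Where-Object { -not $_.ClaimsMode } |
    Select-Object -ExpandProperty WebApplication -Unique
if ($classic) {
    Write-Warning ("Classic-mode web applications: " + ($classic -join ", "))
}
```

Run it before and after a migration: the AnonymousOn column doubles as a quick check that no zone was left anonymous by accident, and the Providers column shows whether a zone trusts more than one issuer.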
Slide 5: STS (Security Token Service)
- Authorization, not authentication
- Membership and role providers
Slide 6: User Permissions
(Columns: permission level, description, permissions included by default)

Limited Access
  Description: Allows access to shared resources in the Web site so that users can access an item within the site. Designed to give users access to a specific list, document library, folder, list item, or document without giving them access to the entire site. Cannot be customized or deleted.
  Includes: View Application Pages, Browse User Information, Use Remote Interfaces, Use Client Integration Features, Open

Read
  Description: View pages and list items, and download documents.
  Includes: Limited Access permissions, plus: View Items, Open Items, View Versions, Create Alerts, Use Self-Service Site Creation, View Pages

Contribute
  Description: View, add, update, and delete items in existing lists and document libraries.
  Includes: Read permissions, plus: Add Items, Edit Items, Delete Items, Delete Versions, Browse Directories, Edit Personal User Information, Manage Personal Views, Add/Remove Personal Web Parts, Update Personal Web Parts

Design
  Description: View, add, update, delete, approve, and customize items or pages in the Web site.
  Includes: Approve permissions, plus: Manage Lists, Add and Customize Pages, Apply Themes and Borders, Apply Style Sheets

Full Control
  Description: Allows full control of the scope.
  Includes: All permissions
Slide 7: Applying Permissions
- Groups (and nesting)
- Farm Admins (Web App / Policy)
- Site Collection
- Inheritance
(Diagram: nesting of SharePoint Group, AD Group, User)
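The two things that erode the group-and-inheritance model on this slide are webs and lists with broken inheritance, and permissions granted directly to individual users instead of through a SharePoint or AD group. The script below is an added example, not code from the presentation: it walks one site collection and reports every uniquely secured web and list together with the principals that hold rights there, marking direct user grants. It assumes the SharePoint Management Shell and read rights on the site collection; the site URL and output path are placeholders.

```powershell
# Added example (not from the presentation): find broken inheritance and direct user
# grants in one site collection. Assumes the SharePoint Management Shell; the URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$siteUrl = "http://sharepoint.example.com/sites/finance"   # placeholder: your site collection

function Get-UniqueRoleAssignments {
    param($Securable, [string]$Scope)
    # Only objects with HasUniqueRoleAssignments carry their own ACL; everything else
    # inherits, so the parent's row already describes it.
    if (-not $Securable.HasUniqueRoleAssignments) { return }
    foreach ($ra in $Securable.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        # AD groups are SPUser objects with IsDomainGroup = true; a "direct user" is an
        # SPUser that is not a domain group (the -and short-circuits for SPGroup members).
        $direct = ($ra.Member -is [Microsoft.SharePoint.SPUser]) -and (-not $ra.Member.IsDomainGroup)
        [PSCustomObject]@{
            Scope         = $Scope
            Principal     = $ra.Member.Name
            PrincipalType = $ra.Member.GetType().Name      # SPUser or SPGroup
            DirectUser    = $direct
            Levels        = $levels                        # permission levels, e.g. "Full Control"
        }
    }
}

$site = Get-SPSite $siteUrl
$findings = foreach ($web in $site.AllWebs) {
    Get-UniqueRoleAssignments -Securable $web -Scope ("Web: " + $web.Url)
    foreach ($list in $web.Lists) {
        if (-not $list.Hidden) {
            Get-UniqueRoleAssignments -Securable $list -Scope ("List: " + $web.Url + "/" + $list.Title)
        }
    }
    $web.Dispose()
}
$site.Dispose()

$findings | Format-Table -AutoSize
# Direct user grants bypass group management and are the first thing to clean up.
$outFile = Join-Path $env:TEMP "unique-permissions.csv"   # placeholder output path
$findings | Where-Object { $_.DirectUser } | Export-Csv -Path $outFile -NoTypeInformation
```

Item-level permissions are deliberately left out to keep the run time predictable on large libraries; the same function accepts an SPListItem if a specific library needs a deeper pass.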
Slide 8: SQL Server Security
- Security starts with code, then patching
- Separate roles for the SQL Server engine, Reporting Services, ETL, etc.
- Separate accounts for Engine, Agent, SSIS, SSRS, etc.
- Limit access: use AD groups, use SQL roles
- Do not turn on unnecessary components under sp_configure
- Auditing, log transfer, ACS
- Encryption of DBs, IPsec
- Secured backups/media
- BPA, STIG/hardening
Remember, with enough time and resources, nothing is hack-proof, only resistant. All we can do is harden and monitor.
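Three of the bullets above can be verified from SQL Server's own catalog views: sp_configure surface-area options that should stay off, whether the Engine and Agent services really run under separate accounts, and whether the databases are encrypted at rest. The script below is an added example, not code from the presentation; it queries those views from PowerShell with System.Data.SqlClient and integrated authentication. The instance name is a placeholder, the list of options is this example's own choice, and "encryption of DBs" is taken here to mean Transparent Data Encryption (an assumption; the slide does not name the mechanism). The caller needs VIEW SERVER STATE and VIEW ANY DEFINITION, or sysadmin.

```powershell
# Added example (not from the presentation): read-only checks against a SQL Server
# back end. Instance name is a placeholder; uses integrated authentication.
$instance = "SQL01\SHAREPOINT"   # placeholder

function Invoke-Query {
    param([string]$Server, [string]$Sql)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Server;Integrated Security=SSPI;Database=master")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table            # leading comma keeps the DataTable from being unrolled
    } finally {
        $conn.Close()
    }
}

# 1. Surface-area options that should remain 0 on a SharePoint back end unless a
#    documented need exists (this list is the example's own choice, not the slide's).
$shouldBeOff = "xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries",
               "clr enabled", "remote access", "Database Mail XPs", "SMO and DMO XPs"
$config = Invoke-Query $instance "SELECT name, value_in_use FROM sys.configurations"
foreach ($row in $config.Rows) {
    if ($shouldBeOff -contains $row.name -and [int]$row.value_in_use -ne 0) {
        Write-Warning ("sp_configure option '" + $row.name + "' is enabled")
    }
}

# 2. Engine, Agent, Full-text etc. should each have their own service account.
$services = Invoke-Query $instance "SELECT servicename, service_account FROM sys.dm_server_services"
$shared = $services.Rows | Group-Object -Property service_account | Where-Object { $_.Count -gt 1 }
foreach ($g in $shared) {
    $names = ($g.Group | ForEach-Object { $_.servicename }) -join ", "
    Write-Warning ("Service account " + $g.Name + " is shared by: " + $names)
}

# 3. TDE state: is_encrypted = 1 means data files and backups are encrypted at rest.
$dbs = Invoke-Query $instance "SELECT name, is_encrypted FROM sys.databases WHERE database_id > 4"
$dbs.Rows | Where-Object { [int]$_.is_encrypted -eq 0 } |
    ForEach-Object { Write-Warning ("Database " + $_.name + " is not TDE-encrypted") }
```

Everything here is a SELECT against catalog views, so it is safe to run on a production instance; wire the warnings into whatever ticketing or monitoring the governance plan on the next slide assigns ownership to.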
Slide 9: Governance
Who does the security work? How we handle SharePoint security:
- Who is responsible for authentication?
- Group management?
- Privileged user requirements?
- Determining appropriate data storage?
- New Web Application / Site Collection / Site / Library / List
- Anonymous: what does that mean?
Slide 10: Reporting (PowerShell): Search AD

$strFilterStart = "(&(objectCategory=group)(cn="
$strFilterEnd = "))"
$strFilterDisplayName = "filter"   # replace with the group name (or wildcard pattern) to look up
$strFilter = $strFilterStart + $strFilterDisplayName + $strFilterEnd
Write-Host $strFilter
# DirectoryEntry with no path binds to the default naming context of the current domain
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000          # paged results, so large result sets are not truncated
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
$PropList = "name"
foreach ($i in $PropList) { [void]$objSearcher.PropertiesToLoad.Add($i) }
$objResults = $objSearcher.FindAll()
foreach ($objResult in $objResults) { $objResult }
Slide 11: Reporting (PowerShell): Pull Farm Permissions

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$outFile = "e:\test.csv"
$webApps = Get-SPWebApplication -Identity http://URL/   # replace with the web application URL
foreach ($webApp in $webApps) {
    "Web Application = " + $webApp >> $outFile
    $SPSites = Get-SPSite -WebApplication $webApp -Limit All
    foreach ($SPSite in $SPSites) {
        "Scanning Site" >> $outFile
        "Site = " + $SPSite >> $outFile
        "Owner = " + $SPSite.Owner >> $outFile
        "Secondary Owner = " + $SPSite.SecondaryContact >> $outFile
        $SPWebs = Get-SPWeb -Site $SPSite -Limit All
        foreach ($SPWeb in $SPWebs) {
            "SPWeb = " + $SPWeb >> $outFile
            "Permissions Below" >> $outFile
            $SPWeb.RoleAssignments >> $outFile
            "Finished Scanning " + $SPWeb >> $outFile
            $SPWeb.Dispose()
        }
        # SharePoint groups are defined once per site collection, on the root web
        $Groups = $SPSite.RootWeb.SiteGroups
        foreach ($Group in $Groups) {
            "" >> $outFile
            "Group " + $Group.Name >> $outFile
            foreach ($User in $Group.Users) {
                "user: " + $User.Name >> $outFile
            }
        }
        $SPSite.Dispose()
    }
}
Slide 12: Reporting (PowerShell): PowerShell basics and extras
- Add-PSSnapin Microsoft.SharePoint.PowerShell -ea 0
- Write-Host to troubleshoot
- | FL
- Get-Help
- Get-Command

This is an excerpt that can be added to "Pull Farm Permissions" for additional detail under each SPWeb: it lists the principals holding Full Control on the web and, for any that are SharePoint groups, their members.

$FullControlGroups = @()
$RoleAssignments = $SPWeb.RoleAssignments
foreach ($RoleAssignment in $RoleAssignments) {
    foreach ($RoleDefinitionBinding in $RoleAssignment.RoleDefinitionBindings) {
        # A permission level whose BasePermissions is FullMask is Full Control
        if ($RoleDefinitionBinding.BasePermissions -eq "FullMask") {
            $RoleAssignment
            $FullControlGroups += $RoleAssignment.Member.Name
        }
    }
}
$Groups = $SPSite.RootWeb.SiteGroups
foreach ($Group in $Groups) {
    if ($FullControlGroups -contains $Group.Name) {
        $Group.Name
        foreach ($User in $Group.Users) { $User.Name }
    }
}
Slide 13: Call To Action
- Use service accounts
- Start a governance plan; create policy and process
- Inventory: organize
- Get help: get your help trained
- KPIs: you need them
Slide 14: Contact
Chris Conte, Premier Field Engineer
(813) 494-4849
chris.conte@microsoft.com
www.microsoft.com/microsoftservices