1. PCT401 – Security for the SharePoint Developer Eugene Rosenfeld Black Blade Associates erosenfeld@blackbladeinc.com

2. Overview What does security refer to? Code access security User authentication User authorization Changes in SP2 for WSS and SPS The SharePoint authorization model Robust authentication code

3. Why worry about security? Why worry about security? If the code or the user cannot do something, there will be an exception. ● Cryptic or vague error messages lead to more helpdesk calls. ● Bad way to do things, especially with a multi- step process. Can lead to data loss or inconsistent data. ● Don’t show options users don’t have rights to.

4. Types of security Code Access Security ● Security for executing code User security – comes in two flavors ● Authentication – proving that a user is who he/she says he/she is Actual credentials Mapping credentials – think SSO ● Authorization – making sure that a user has access to the resources he/she should and nothing else

5. Code Access Security Why have CAS? ● ASP.Net and SharePoint allow administrators to install black-box software that run in process with other components ● Lack of CAS would allow unproven code to access any resource on the network without administrator knowledge ● One component could access private fields, properties, and methods from another component

6. Working with Code Access Security SharePoint trust modes affect what resources assemblies can access Use demand statements to check for code permissions before collecting data from users or beginning implicit transactions Provide administrators with informative error messages to configure systems to give your code correct access security

7. User Authentication Accessing remote resources with Default Credentials - the double hop ● Pre SP2 this may fail ● SP2 supports Kerberos ● Can’t rely on a Kerberos enabled site ● Steps to enable Kerberos on a site

8. SharePoint Trust Modes Located in: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\CONFIG C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CO NFIG WSS_Minimal – wss_minimaltrust.config WSS_Medium – wss_mediumtrust.config Full High – web_hightrust.config Medium – web_mediumtrust.config Low – web_lowtrust.config Minimal – web_minimaltrust.config

9. User Authentication Issues What happens when users authenticate with PKI certificates? ● Remote web resources cannot be accessed using Default Credentials ● The remote web request does not have access to the private key that was used to authenticate to the portal site ● Server side code (ASPX pages and web parts) can detect PKI certificates and make alternate access provisions

10. Changes with WSS and SPS SP2 Strongly signed assemblies must be in the GAC ● The error SharePoint reports is “The assembly is not registered as safe” ● This is a requirement even if the site is configured to run in Full trust mode Kerberos is now a selectable security mode for IIS sites ● Allows default credentials to work properly in web parts and ASP.Net applications that access remote resources

11. The SharePoint authorization model Authorization is stored at three levels – Area, Site, List Any object (area, site, list) may contain a reference to another object for authorization inheritance The SiteData web service returns a _sWebMetadata structure that contains the ACLs list for sites and areas

12. The _sWebMetadata structure Relevant items: ● InheritedSecurity The Permissions member will contain a URL to the site or area from which permissions are inherited ● Permissions If InheritedSecurity is false, an XML document that contains the site groups and Windows users and groups with authorizations to the site or area, as well as their permissions

13. Permissions XML <Permission MemberID="1073741828" Mask="1029638927" MemberIsUser="False" MemberGlobal="False" RoleName="Web Designer" /> <Permission MemberID="1073741827" Mask="1027801615" MemberIsUser="False" MemberGlobal="False" RoleName="Contributor" /> <Permission MemberID="1073741826" Mask="138608641" MemberIsUser="False" MemberGlobal="False" RoleName="Reader" /> <Permission MemberID="1073741825" Mask="134283264" MemberIsUser="False" MemberGlobal="False" RoleName="Guest" />

14. Parsing the Permission XML MemberIsUser indicates whether the Permission element is a role, or a Windows user or group Mask is a bit mask that corresponds to values in the SPRights enumeration. Example: To check for AddListItems (0x00000002) permission, use: (Mask & 0x00000002) == 0x00000002 For Windows users or groups, the Permission element may contain these attributes: IsDomainGroup, IsSiteAdmin, LoginName, Name, SID, UserLogin If the Permission element is not a Role but the IsDomainGroup attribute is not present, we can look up the user information by using: UserGroupService.GetUserInfo(permission.UserLogin) If the Permission element is a Role, we can resolve the user membership for role by using: UserGroupService.GetUserCollectionFromRole(perm.RoleName)

15. GetAllUserCollectionFromWeb sample return <User ID="1" Sid="S-1-5-21-1935655697-287218729- 682003330-1934" Name="Eugene Rosenfeld" LoginName=“meanwesel\erosen03" Email=“erosen03@hotmail.com" Notes="" IsSiteAdmin="True" IsDomainGroup="False" />

16. Robust Authentication Code Request use SP 2 Kerberos so default credentials can be passed to remote resources Support multiple authentication models to access remote resources ● Encapsulate login process in code ● Passing default credentials ● Using SSO to map credentials when site is not running in Kerberos or when user is authenticating with PKI – Storing credentials as web part properties is not secure!

17. Questions Eugene Rosenfeld Black Blade Associates erosenfeld@blackbladeinc.com http://www.blackbladeinc.com