Download presentation
Presentation is loading. Please wait.
Published byOscar Lyons Modified over 9 years ago
1
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |
2
Designing Secure SharePoint External Access
3
Why Enable internal users to access from outside Share portal access with business partners
4
How Forefront Threat Management Gateway Forefront Unified Access Gateway
5
Challenges Secure authenticated access Smooth document access from Office applications Repeated password prompts Endpoint compliance Intrusion prevention
6
Designing Secure SharePoint External Access
7
SharePoint Authentication Classic Mode Authentication NTLM or Kerberos Claims Based Authentication NTLM or Kerberos Basic ASP.NET Forms Active Directory Federation Services
8
SharePoint Authentication
9
Extending Web Applications WFE LAN Internet Intranet Web Site http://intranet Extranet Web Site https://extranet.idtt.com Web Application Content DB Kerberos Forms.PDF/.DOC Visitors READ LDAP AD
10
Extending Web Applications
11
Designing Secure SharePoint External Access
12
SharePoint Authentication External access for internal users Basic NTLM (no SSO) Kerberos (only on intranet) SSL client certificates Not suitable for external users accounts in AD possibly other access
13
SharePoint Authentication for Internal Users Basic plaintext password works from internet no SSO NTLM less secure, MD5 performance problems at 200 +/- users per WFE no SSO Kerberos secure, mutual authentication, AES, smart cards faster, smoother intranet only SSL Client Certificates the most secure, mutual authentication SSO from outside
14
Internal Users Authentication MethodSSOMutual Authentication Used from internet SecurityNotes Basicno yeslittle NTLMno yespassword hashperformance problems Kerberosyes nopassword hash SSL Certificate yes private key
15
Basic Authentication with Port Forwarding
16
Simplest to deploy Less secure direct access to the farm Must use public certificates on the farm NTLM would require custom IE configuration and has performance problems
17
Basic Authentication with TMG Inspection
18
Authenticates users at the gateway level Forms authentication (cookies) Basic authentication Inspects clear HTTP plus URL filters etc. intrusion prevention signatures Automatically forwards the basic credentials Offloads SSL encryption or hides the internal certficates on the farm
19
TMG and Forms Authentication
20
TMG Inspection with Kerberos Delegation
21
SSO or smart cards and tokens No Basic authentication on the internal part SharePoint “developers” do not receive your full password Mutual authentication with client certificate No password guessing
22
UAG Inspection with Kerberos Delegation
23
TMG features plus Predefined URL and application inspections User portal access Endpoint policies and compliance
24
UAG Portal and Forms Authentication
25
Windows Authentication Recap Deploy UAG with certificate logon and Kerberos Constrained Delegation, enforce endpoint compliance TMG can also authenticate certificates and/or use Kerberos Basic authentication is the most simple, but gives too much freedom to users and SharePoint “administrators”
26
Designing Secure SharePoint External Access
27
SharePoint Forms Authentication No SSO Separate accounts for external users AD LDS, SQL DB, XML text file,... You manage the account database create accounts reset passwords
28
AD LDS Active Directory Lightweight Directory Services Standalone LDAP/S server Part of Windows Server 2008 and newer previously free download ADAM Installs on Windows 7 as well Managed manually using ADSI Edit
29
AD LDS User Accounts
30
AD LDS Authentication with Port Forwarding
31
AD LDS Authentication with UAG Inspection
32
AD LDS with UAG and Certificates
33
AD LDS Authentication with UAG Inspection Pre-authenticates users at the gateway level double login prompt or certificates Predefined set of URL and application inspections User portal access Endpoint policies and compliance
34
Designing Secure SharePoint External Access
35
AD FS HTTPS/XML authentication protocol Replacement for AD trusts Free download RTW – released to web Accounts managed by Account Partner Resource Partner just accepts identity claims Requires level of management on the Account Partner part
36
AD FS Principles
39
Designing Secure SharePoint External Access
40
Takeaway Use certificates and/or Kerberos for internal users Use AD LDS for external partners without AD FS Use AD FS for larger external partners who do want to manage their own accounts
41
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.