Published by Brianna Freeman. Modified over 9 years ago.
Securing SharePoint Technology
Joel Oleson, http://blogs.msdn.com/joelo
Sr. Technical Product Manager, Microsoft Corporation
Session IW316
Agenda
– Site Collection and below
  Demo: Site Permissions and Item-level security
– Web App Security
  Demo: Web Application Policies
– Farm Security
  Demo: Forms-based authentication
– Summary
– Q/A
Site and List Security: Data Protection
Item-Level Security and Security Trimming
– Permissions can be set at every level from the site collection down to an individual list item or document.
– By default, child objects inherit permissions from their parent; inheritance can be broken at any level.
– 33 base permissions are grouped into permission levels (Full Control, Contribute, Read, and custom levels), which are what gets assigned to a user or SharePoint group.
– Permissions can be set on individual items; an item with unique permissions no longer follows its parent.
– Search results are trimmed against the querying user's security context, so a user only sees results for items they are allowed to read.
– The UI is security-trimmed the same way: links, menus and commands the user is not permitted to use are not rendered. Trimming is a usability layer on top of the permission check, not a substitute for it.
Permission Management Architecture
– Permissions are granted to SharePoint users, SharePoint groups, and Windows domain groups.
– Default groups and their default permission levels: Owners (Full Control), Members (Contribute), Visitors (Read).
– Custom groups can be created and are managed at the site collection level.
– Group membership is defined once per site collection and is consistent across all sites in it.
– Custom groups are therefore reusable across the different project sites within a site collection.
Demo: Site Permissions and Item-level security
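The demo itself is not captured in the transcript. The script below is an added example, not part of the deck, that does what the demo describes against the WSS 3.0 / MOSS 2007 object model from PowerShell 2.0 or later: it breaks permission inheritance on one list item, grants a single SharePoint group Read only, re-grants the site owners so the item is not orphaned, and finishes with the same permission check that security trimming uses. The site URL, list name, item ID and group name are hypothetical; run it on a farm server under an account with rights to the site collection.

```powershell
# Added example (not from the deck). Hypothetical site, list, item and group.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null

$site = New-Object Microsoft.SharePoint.SPSite("http://moss/sites/projects")
$web  = $site.OpenWeb()
try {
    $list = $web.Lists["Contracts"]
    $item = $list.GetItemById(7)

    # Stop inheriting from the list. $false discards the inherited assignments,
    # so the item starts empty instead of silently keeping every parent grant.
    if (-not $item.HasUniqueRoleAssignments) {
        $item.BreakRoleInheritance($false)
    }

    # Bind the reviewers group to the built-in "Read" role definition on this item only.
    $group = $web.SiteGroups["Contracts Reviewers"]
    $reviewers = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $reviewers.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
    $item.RoleAssignments.Add($reviewers)

    # Re-add the site's Owners group so someone can still manage the item.
    $owners = New-Object Microsoft.SharePoint.SPRoleAssignment($web.AssociatedOwnerGroup)
    $owners.RoleDefinitionBindings.Add($web.RoleDefinitions["Full Control"])
    $item.RoleAssignments.Add($owners)

    # Review what is now in effect on the item.
    foreach ($ra in $item.RoleAssignments) {
        $names = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        "{0,-40} {1}" -f $ra.Member.Name, [string]::Join(", ", $names)
    }

    # Security-trimming check: the UI and search apply the same test for the
    # current user before rendering a link or returning a result.
    $canEdit = $item.DoesUserHavePermissions(
        [Microsoft.SharePoint.SPBasePermissions]::EditListItems)
    "Current user can edit item 7: $canEdit"
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

Breaking inheritance on many individual items is expensive to evaluate and hard to audit; prefer folders or separate libraries with unique permissions, and reserve item-level breaks for genuine exceptions.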
Information Rights Management (IRM)
– Protects sensitive information at the client, so the protection travels with the file even when it is taken offline.
– Can be essential for meeting regulatory requirements such as privacy legislation.
– Prerequisites that must be in place in the environment:
  Windows Rights Management Services (RMS) client installed on the MOSS web servers.
  RMS server connectivity from the SharePoint farm.
  IRM enabled in SharePoint Central Administration, then configured on each list or library to be protected.
SharePoint List and Library IRM Integration
– IRM integrates with lists and libraries through the rights management framework.
– IRM enforces access restrictions on the downloaded copy, "no matter where it is stored or who tries to open it".
– A common IRM policy permits authorized users to view or print only.
– A "protector" provides the IRM functionality for a given file type; several protectors ship with MOSS.
– A protector manages encryption and decryption for the file types it handles as documents leave and enter MOSS.
– The architecture supports pluggable protectors for additional file types.
IRM Scenarios
– Example: a user requests a rights-managed document from a MOSS 2007 library, and the integrated IRM protector applies the policy on download.
– Extended IRM scenarios include:
  Requiring users to re-verify their credentials after a set interval.
  Disallowing upload of documents that do not support IRM.
  Setting an expiration date after which the restriction policy is dropped.
  Binding the library to a global organizational IRM permission policy.
IRM Implementation
– IRM works directly with SharePoint data store structures such as document libraries to maintain permissions:
  A user navigates to an IRM-enabled document library and attempts to download a document.
  SharePoint binds the user's roles on the document library to the document.
  The protector encrypts the document and adds an issuance license.
– Result: a 1:1 mapping between item permissions and document permissions.
– SharePoint roles on the document translate into IRM permission levels on the downloaded copy.
– The document is encrypted locally, so it remains protected offline.
Content/Audience Targeting
Web Parts and content can be targeted to:
– Global Audiences (SSP audience configuration)
  Based on Active Directory attributes, pluggable ASP.NET membership provider attributes, or profile attributes.
  Compiled by a recurring timer job.
– SharePoint Groups: groups defined from the users and groups in the site's permission levels.
– Distribution/Security Groups.
– My Site secure location targeting.
NOTE: Targeting controls what is shown, not what is permitted. It does not equal permissions or rights.
Secure Collaboration
– Common services control access to stored information.
– Lockdown lets users access only the information they are authorized for:
  Binds an identity to a specific object, from a site collection down to a document or list.
  Enforces granular access controls and explicit membership on an item.
  The UI shows accessible items only.
Web Application Security: Authentication and Authorization
Pluggable Authentication Provider
– MOSS integrates ASP.NET 2.0 pluggable authentication for both Windows and non-Windows identities.
– Supports the Windows-based authentication methods that ship in the box.
– Used to set up Internet-facing SharePoint authentication.
– Enables pluggable authentication providers built on the ASP.NET 2.0 membership architecture.
– ASP.NET 2.0 pluggable providers can use membership data stores including:
  LDAP directories
  SQL Server databases
  Oracle or other ADO.NET/ODBC-compliant data sources
  XML files or flat text files
ASP.NET 2.0 Membership Provider
– Supports configurable directories in a membership data store.
– Provider settings, including the connection to the credential store, are registered in the application's web.config (or machine.config); any connection string there must be protected (see the Connection String Encryption slides).
– Membership providers include:
  LDAP v3 directory (provider ships with MOSS)
  SQL Server (ships with ASP.NET 2.0)
  Active Directory (ships with ASP.NET 2.0)
– Custom membership providers inherit from the abstract ASP.NET MembershipProvider class, which in turn inherits from ProviderBase.
Considerations for ASP.NET Authentication
– Authentication types that do not resolve to a Windows identity must be configured on their own zone.
– A mandated PKI infrastructure, such as smart cards, typically resolves to a Windows identity.
– A PKI implementation may still require its own zone or other configuration.
– Non-Windows authentication is for browser clients only:
  The search crawler must use Windows authentication.
  Office client integration is degraded.
– Forms and Windows accounts are distinct identities: a forms user is not the same principal as a Windows user, even with the same name.
– Example: Company A (Windows authentication) and Company B (non-Windows authentication) sharing one farm through separate zones.
Pluggable Single Sign-On (SSO)
– The MOSS SSO service provides an encrypted back-end store of users' credentials for mapping to connected line-of-business (LOB) systems.
– Aids in retrieving critical information through MOSS mechanisms:
  Business Data Catalog (BDC)
  SharePoint DataView Web Parts (DVWP)
– A pluggable SSO provider can be specified instead of the default SpsSsoProvider.
– Only one SSO provider can be registered at a time.
Forms-Based Authentication
– Uses pluggable membership and role providers to enable Internet-style security.
– Supports a customized login process tailored to users' needs.
– Forms authentication cookies and authentication tickets are encrypted and signed (tamper-evident); they are only as safe as the machineKey that protects them and the HTTPS channel that carries them.
– The forms identity provider, called Web SSO, can plug into an external identity management system.
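The deck describes FBA configuration only in prose. The fragment below is an added example, not taken from the deck or from Microsoft's documentation, of the web.config sections that register a SQL-backed membership and role provider for an FBA zone; it shows the weak settings in comments beside the hardened ones. The provider names (FbaMembers, FbaRoles), connection string name (FbaDb), server and database names are hypothetical. The zone itself is switched to Forms in Central Administration (Authentication Providers), naming these two providers; the same provider entries must also be present in Central Administration's web.config so the People Picker can resolve FBA users.

```xml
<!-- Added example (not from the deck); names are hypothetical. -->
<configuration>
  <connectionStrings>
    <!-- Weak: SQL login with its password in clear text, readable by anyone who can read web.config:
         <add name="FbaDb" connectionString="Server=sql01;Database=aspnetdb;User ID=fba;Password=<plaintext>;" />
         Hardened: Windows authentication under the application pool identity, and the whole
         section encrypted with aspnet_regiis (see the Connection String Encryption slides). -->
    <add name="FbaDb"
         connectionString="Server=sql01;Database=aspnetdb;Integrated Security=SSPI;" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="FbaMembers">
      <providers>
        <!-- Weak: passwordFormat="Clear" with enablePasswordRetrieval="true" stores and returns
             recoverable passwords. Hardened: hashed storage, reset instead of retrieval, lockout. -->
        <add name="FbaMembers"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="FbaRoles">
      <providers>
        <add name="FbaRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

applicationName must be identical in the membership and role providers and in every web.config that references the same store (content zone, Central Administration), otherwise users created in one place are invisible in the other. Keep the FBA zone on HTTPS; the forms ticket cookie is the user's whole session.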
FBA Web Single Sign-On
– Uses an HTTP module for external authentication.
– Allows external partners to authenticate with their own credentials.
– Delegates login and password reset to the provider (the partner application).
– Web SSO authentication requires an extranet zone.
Alternate Access Mappings
– Ensures that internal and external URLs for the same content map correctly.
– The web application's URL is mapped by default and can be extended to additional URLs.
– Several alternate URLs can map to one physical path.
– Zones can use different authentication providers and web application security policies.
– Compensates for different application domains, reverse proxies, and other URL redirection mechanisms.
– Example: http://extranet.contoso.com (extranet users), http://contoso (intranet users), http://MOSS (internal server URL).
Zones in Alternate Access Mapping (AAM)
– A zone maps a web application URL onto the same single set of content databases, giving finer control over AAM.
– Zones use AAM URLs to map different authentication providers to the same physical path and MOSS content.
– Recommended: bind each zone to exactly one authentication mechanism.
– A URL that maps to a zone not listed on the Authentication Providers page uses the security settings of the Default zone.
– Recommended: place the most publicly accessible URL in the Default zone; the remaining zones (Intranet, Internet, Custom, Extranet) are chosen to fit.
SharePoint Web App Security Policies
– Centrally enforced permissions for all sites in a web application.
– GRANT and DENY; bound to a web application and zone.
– Scenarios:
  Full Read: search crawling accounts, auditors, legal compliance.
  Deny All: security control, regulatory compliance.
  Deny Write: extranet lockdown.
– A policy overrides the granular site- and item-level permission settings and is managed from the SharePoint Central Administration interface.
Demo: Web Application Policies
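The demo is not captured in the transcript. The script below is an added example, not from the deck, that applies the two policy scenarios from the previous slide through the MOSS 2007 object model: Deny Write for a partner group on the Extranet zone and Full Read for the crawl account, followed by a listing of what is now in force on that zone. The web application URL, zone and the two account names are hypothetical; run it on a farm server as a farm administrator.

```powershell
# Added example (not from the deck). Web app URL and account names are hypothetical.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null

$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup(
    [Uri]"http://extranet.contoso.com")
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet

# Policies are bound per zone. $webApp.Policies alone is the Default zone;
# a deny set there does nothing for users who arrive through the Extranet URL.
$policies = $webApp.ZonePolicies($zone)

# The four special roles are shared across the web app; look them up by type.
$denyWrite = $webApp.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyWrite)
$fullRead = $webApp.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)

# Extranet lockdown: partners can read whatever site permissions allow, never write,
# regardless of any Contribute grant a site owner hands out later.
$partners = $policies.Add("CONTOSO\Extranet-Partners", "Extranet partners (read only)")
$partners.PolicyRoleBindings.Add($denyWrite)

# Crawl account: Full Read so the index is complete; results are still trimmed
# per querying user at query time.
$crawler = $policies.Add("CONTOSO\svc-crawl", "Search crawl account")
$crawler.PolicyRoleBindings.Add($fullRead)

$webApp.Update()

# Verify. A DENY listed here wins over every site- and item-level grant in this zone.
foreach ($p in $webApp.ZonePolicies($zone)) {
    $names = @($p.PolicyRoleBindings | ForEach-Object { $_.Name })
    "{0,-32} {1}" -f $p.UserName, [string]::Join(", ", $names)
}
```

Two checks worth running after any policy change: that the crawl account is not also used by a person (Full Read makes it a universal reader), and that the policy was set on the zone users actually hit, since each zone keeps its own list.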
Encryption of Application Connection Strings
– Storing connection strings in plain text in web.config is a security weakness: anyone who can read the file gets the database credentials.
– ASP.NET 2.0 protected configuration can encrypt the connection string section using either:
  Windows Data Protection API (DPAPI): encrypts and decrypts with the MOSS server's machine key.
  RSA encryption: uses public key cryptography and adds key containers to hold the encryption keys, so the same encrypted section can be shared across servers.
– Pluggable protected-configuration providers can use other encryption mechanisms.
Connection String Encryption Best Practices
– For MOSS 2007 with a pluggable SQL Server authentication provider, encrypt the connectionStrings node of web.config so it is stored as cipher text.
– DPAPI uses the native machine key and can be applied to either a virtual directory or a physical directory.
– Encrypt the connectionStrings node by passing it as the section parameter to the ASP.NET 2.0 aspnet_regiis tool.
Connection String Encryption Best Practices (continued)
– After encryption, the sensitive nodes are replaced by well-formed XML cipher values (an EncryptedData element) that the runtime decrypts transparently.
– The pluggable model can support custom encryption providers to manage cipher text for the relevant MOSS configuration files.
– Considerations:
  A section encrypted with the local machine key can only be decrypted on the server on which it was created; each web front end must be encrypted separately, or RSA with an exported key container used instead.
  An intruder who gains administrative access to the server can decrypt the connection string, because the key lives on that server. Encryption raises the bar against file disclosure (backups, source control, a web.config read bug); it does not protect against a compromised host.
  Decryption causes a minor application performance hit.
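The commands the slides refer to were not captured. The script below is an added example, not from the deck, covering both slides: it encrypts the connectionStrings section of one zone's web.config with the DPAPI provider using the ASP.NET 2.0 aspnet_regiis tool, notes the RSA alternative for multi-server farms, and then audits every IIS 6 site root on the server for a web.config whose connectionStrings section is still in plain text. The IIS site name and the assumption of .NET 2.0 at its default path are hypothetical; run it on a web front end as a local administrator.

```powershell
# Added example (not from the deck). IIS site name is hypothetical.
$regiis = Join-Path $env:windir "Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"

# -pe encrypts the named section in place. DataProtectionConfigurationProvider is
# DPAPI with the machine key, so the result decrypts only on THIS server.
# -site takes the IIS site name or ID; -app is the virtual path within the site.
& $regiis -pe "connectionStrings" -app "/" -site "SharePoint - extranet80" -prov "DataProtectionConfigurationProvider"

# Farm with several web front ends: use RSA instead, with a named, exportable key
# container that is imported on each server and granted to the app pool identity.
# The web.config then needs a <configProtectedData> provider entry naming the container.
#   & $regiis -pc "SharePointKeys" -exp
#   & $regiis -px "SharePointKeys" C:\keys\SharePointKeys.xml -pri      # export (protect this file)
#   & $regiis -pi "SharePointKeys" C:\keys\SharePointKeys.xml           # import on the other WFEs
#   & $regiis -pa "SharePointKeys" "NT AUTHORITY\NETWORK SERVICE"       # grant the app pool account
#   & $regiis -pe "connectionStrings" -app "/" -site "SharePoint - extranet80" -prov "RsaProtectedConfigurationProvider"

# Audit: report the state of the connectionStrings section in a web.config.
function Test-ConfigSectionEncrypted {
    param([string]$ConfigPath, [string]$Section = "connectionStrings")
    [xml]$cfg = Get-Content $ConfigPath
    $node = $cfg.configuration.SelectSingleNode($Section)
    if ($node -eq $null) { return "absent" }
    # An encrypted section carries configProtectionProvider="..." and an EncryptedData child.
    if ($node.GetAttribute("configProtectionProvider")) { return "encrypted" }
    return "plaintext"
}

# Walk the IIS 6 metabase: every IIsWebServer has a Root vdir with a physical Path.
$w3svc = [ADSI]"IIS://localhost/W3SVC"
foreach ($site in $w3svc.psbase.Children) {
    if ($site.psbase.SchemaClassName -ne "IIsWebServer") { continue }
    $root = [ADSI]("IIS://localhost/W3SVC/" + $site.psbase.Name + "/Root")
    $webConfig = Join-Path ([string]$root.Path) "web.config"
    if (Test-Path $webConfig) {
        "{0,-10} {1,-36} {2}" -f (Test-ConfigSectionEncrypted $webConfig), $site.ServerComment, $webConfig
    }
}
```

"absent" is the expected answer for content web applications that use Windows authentication to SQL Server; "plaintext" on an FBA zone or on Central Administration is the finding to fix.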
Shared Service Considerations
– The BDC is available to every web application that consumes the SSP where it is configured.
– Without custom security trimmers:
  Lotus Notes search results are not security trimmed.
  BDC search results are not security trimmed.
– WSS search results are trimmed to the site collection by scope; ensure sites are secured appropriately, since the index reflects whatever the crawl account can read.
Active Directory Federation Services (ADFS)
– ADFS provides federated, token-based web authentication between organizations that do not share a trust.
– Works for browser-based access only (Web SSO); not recommended where rich client requirements exist.
– Understand the zone setting "Enable Client Integration": it controls whether Office client features are offered for the zone and should match what the Office client can actually do against that zone's authentication provider. For most FBA and Web SSO providers the client cannot authenticate, so integration should be disabled.
Server and Farm Security: Architectural Considerations and Lockdown
Secure by Default
– Anonymous access is disabled by default.
– New sites are secured to the site creator.
– Server administrators have no access to content in web applications by default.
– Permission changes are audited.
– Self-Service Site Creation is not enabled by default.
Lock It Down
– Configure firewall rules: lock down to the most restrictive set that keeps an acceptable level of usability (for example, outbound HTTP).
  Consider RSS/XML Web Part requirements.
– Secure client communication with trusted SSL certificates (128-bit HTTPS).
– IPsec (require or request): secure communication between servers and domain controllers.
  Careful with NLB and non-Windows clients (Mac/Unix).
– Enable Kerberos authentication (intranet); careful with NLB.
– SQL Server: SSL-encrypted traffic plus a non-standard port.
– Configure Central Administration on the application server.
– IP-restrict traffic to the Central Administration and SSP application pools (IIS).
– Configure Deny policies on content and admin web applications for the applicable groups and domains.
– Configure ISA secure publishing.
Forefront Security for SharePoint
– Virus protection for document libraries:
  Integrates scan engines from eight industry-leading vendors.
  Real-time scanning of documents uploaded to and downloaded from document libraries.
  Manual and scheduled scanning of document libraries.
– Content filtering and policy enforcement:
  File filtering to block documents from being posted based on name match, file type or file extension.
  Content filtering by keywords within documents for inappropriate words and phrases.
– Protects MOSS 2007 and WSS 3.0.
SharePoint API Integration
– Uses the SharePoint virus scan API to scan files during upload and download.
  Optimized for performance in a SQL environment.
– Files are not rescanned if the engines have not been updated since the last scan.
– Up to ten simultaneous scanning threads, so users are not delayed waiting for documents to scan.
– Automatic integration with SharePoint Information Rights Management (IRM) to scan protected files on the fly.
Secure Web Publishing with ISA
Diagram: Internet users reach ISA Server 2006 in the DMZ, which publishes the SharePoint, Exchange and intranet web servers on the internal network and authenticates against Active Directory.
ISA Server 2006 features relevant to SharePoint publishing:
– Integrated security, efficient management
  NEW: Smart card and one-time password support
  NEW: Customized logon forms for most devices and applications
  NEW: LDAP authentication for Active Directory
  NEW: Web publishing load balancing
– Fast, secure access
  NEW: Authentication delegation (NTLM, Kerberos)
  NEW: Improved idle-based time-outs for session management
  NEW: Exchange and SharePoint publishing tools
  NEW: Enhanced certificate administration
  NEW: Single sign-on for multiple resource access
  NEW: Automatic translation of embedded internal links
Extranet Architecture Example
Authoring -> Production
Content Deployment
Intranet, Extranet, Internet: 2 Farms, 3 SSPs
TechNet: Plan Logical Architecture
Architecture Considerations
– Why more than one farm? Application/customization SLAs, licensing (Internet vs. intranet CALs), isolation (no scale benefit).
– Why more than one SSP? Isolation and service needs.
– Why more than one application pool? Security isolation, memory and CPU isolation, different authentication requirements.
– Why more than one site collection? Separation/delegation of ownership, quotas, ability to split across content databases.
– Why keep them together? Global navigation, inheritance of style/master page, security inheritance, query Web Parts, site collection policy and content type enforcement.
Database Considerations
– Content databases can be pre-created in SQL Server and then attached to the farm as content databases.
– SQL Server security, rights and roles should be scrutinized; apply least-privilege access.
– Config database: contains the list of all servers, site collections, web applications, Web Parts and solutions (the most critical database in the farm from an availability standpoint).
– Content databases: contain all data, BLOBs, sites, webs, etc. (the most sensitive data).
– Search and SSP databases: optimize for high disk I/O; they contain configuration, the search property store and the profile store (the full-text index itself lives on disk on the index/query servers).
Protocols
All protocols are HTTP-based:
– HTTP/S: browser sessions
– SOAP/Web Services: editing from Office applications, Web services and indexing
– RSS: all lists can be viewed this way
– FP-RPC: SharePoint Designer, usage
– WebDAV: Explorer View, Web Client access
– XMLHttpRequest: forms
Additional Architectural Considerations
– Windows Server: Security Configuration Wizard (SCW); verify the resulting policy.
– IIS: certificate management, IP restrictions.
– SQL Server: use Windows authentication rather than SQL Server authentication.
– Manage domain (service) accounts.
Firewall Ports
Security Summary
Site and List Security
– Information Rights Management integration
– Information policies: auditing, expiration
– Item-level security
– Barcodes and labels, extensibility for signatures
– Content approval, workflows
Web Application Security
– Forms-based authentication and single sign-on
– Active Directory Federation Services (ADFS)
– Search: security-trimmed search results
– Publishing through Internet Security and Acceleration Server (ISA) and Intelligent Application Gateway (IAG)
Server and Farm Security
– Pluggable authentication provider
– Security policies; major and minor versions; web application IIS IP restrictions
– Windows Server 2003 R2 SCW to lock down the server
Summary
– Allows for easy implementation of Internet-facing environments and extranets.
– Built to support heterogeneous environments.
– Supports pluggable forms-based authentication (FBA) providers.
– Reduces management overhead and improves security.
– Offers granular rights management of business assets.
Guidance for a More Secure Infrastructure
– SharePoint Team security-related posts: http://blogs.msdn.com/sharepoint/archive/tags/Security/default.aspx
– TechNet: Securing Your Sites, Servers, and Server Hardening: http://technet2.microsoft.com/Office/en-us/library/763613ac-83f4-424e-99d0-32efd0667bd91033.mspx?mfr=true
– 7 New Features that Enhance Security in SharePoint: http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx
– Security and Protection for Office SharePoint Server 2007: http://technet2.microsoft.com/Office/en-us/library/6cc7cbec-bbb8-4473-83a2-65149e932e901033.mspx?mfr=true
– TechNet Webcast: SharePoint Security from Service Accounts to Item-Level Access: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032313270&CountryCode=US
– Forefront Security for SharePoint: http://www.microsoft.com/forefront/serversecurity/sharepoint/default.mspx