Configuring SharePoint 2010 for 21 CFR Part 11 Compliance · SharePoint 2013 Configuration Guidance...

SharePoint 2013 Configuration Guidance for 21 CFR Part 11 Compliance Revision 1.00 June 2013 Microsoft Corporation Health and Life Sciences Industry Unit Paragon Solutions Health and Life Sciences Practice

SharePoint Configuration Guidance Rev. 1.0

2

Table of Contents

Introduction ..................................................................................................................... 4 Acknowledgements ......................................................................................................... 6 Document Approach........................................................................................................ 7 I. Electronic Signature Architecture ............................................................................. 7

Architecture for Electronic Signatures for SharePoint On Premises ............................. 7 Architecture for Digital Signatures for SharePoint on Premises ................................... 8 Architecture for SharePoint on Azure Infrastructure as a Server .................................. 9 Architecture for Digital Signatures on Office 365 ......................................................... 9 Windows Server ........................................................................................................ 10 Microsoft Systems Center ......................................................................................... 10 Active Directory Domain Services ............................................................................. 11 Active Directory Rights Management Server ............................................................. 11 Active Directory Certificate Services .......................................................................... 11

What is XAdES? .................................................................................................... 12 XAdES digital signature levels in Office 2013 ........................................................ 12 Time stamping and XAdES-T signatures ............................................................... 13

Active Directory Federation Services ......................................................................... 13 SQL Server 2008 R2 and SQL Server 2012 .............................................................. 14 Database Security ..................................................................................................... 14 SharePoint Designer ................................................................................................. 15

II. Electronic Signature Configuration ........................................................................ 16 Electronic Signature Use Case Process Flow ............................................................ 16 Components for Electronic Signature ........................................................................ 17

Web Service Architecture for Electronic Signatures ............................................... 17 Configuring SharePoint for Electronic Signatures .................................................. 28 Workflow Settings for Electronic Signatures .......................................................... 34 InfoPath Task Form Modification for Electronic Signatures .................................... 44 Save and Publish Form ......................................................................................... 66 Final SharePoint Configuration and Testing ........................................................... 68

III. Digital Signature Architecture ................................................................................ 77 IV. Configuring the Digital Signature Use Case ........................................................ 78

Administrator Configuration for Digital Signatures ..................................................... 78 Configure Document Library Templates ................................................................ 78 Configure Document Library Version Histories ...................................................... 78 Configuring the enforcement of a digital certificate type ......................................... 78 Configure Document Templates for Workflow and Digital Signatures .................... 79 Create workflows for digital signatures .................................................................. 82 Add or Change a Collect Signatures Workflow ...................................................... 82 Set Permissions for the Document Library ............................................................. 82 Set Policies for the Document Library .................................................................... 82

V. Using the Digital Signature Use Case .................................................................... 82 Digitally Signing a Document ..................................................................................... 83 View the Version Histories for Digital Signatures ....................................................... 85

Viewing the Digital Signature Audit in the Document ............................................. 85 21 CFR Part 11 Requirements ...................................................................................... 87 Subpart B Electronic Records ....................................................................................... 88

11.10 Controls for Closed Systems ........................................................................... 88 11.10 (a) Validation of Systems ............................................................................. 88


3

11.10 (b) Record Review and Inspection ............................................................... 90 11.10 (c) Records protection and retrieval ............................................................. 90 11.10 (d) System Access ....................................................................................... 91 11.10 (e) Audit Trail ............................................................................................... 93 11.10 (f) Operational System Checks .................................................................... 93 11.10 (g) Protect records from unauthorized access .............................................. 93 11.10 (h) Data Input Validation .............................................................................. 94 11.10 (i) Training ................................................................................................... 94 11.10 (j) Electronic Signature Policy ...................................................................... 94 11.10 (k) System control ........................................................................................ 95

11.30 Controls for Open Systems ......................................................................... 96 11.50 Signature Manifestations ............................................................................ 97

11.50 (a) Signature Manifestation .......................................................................... 97 11.50 (b) Control of signature information .............................................................. 97

11.70 Signature/Record Linking ........................................................................... 98 Subpart C Electronic Signatures ................................................................................... 98

11.100 General Requirements ............................................................................. 98 11.100 (a) Uniqueness .......................................................................................... 98 11.100 (b) Identity Verification ............................................................................... 99 11.100 (c) Legal Certification ................................................................................. 99

11.200 Electronic Signature Components and Controls ............................................. 99 11.200 (a) Non-biometric Signatures ..................................................................... 99 11.200 (b) Biometric Signatures .......................................................................... 100

11.300 Controls for Identification Codes/Passwords .......................................... 100 11.300 (a) Uniqueness of identity ........................................................................ 100 11.300 (b) Password Policy ................................................................................. 100 11.300 (c) Deactivation of Users .......................................................................... 101 11.300 (d) Unauthorized use of passwords or identification codes ...................... 101 11.300 (e) Identification Code Device Testing ..................................................... 101

Systems Validation and Compliance ........................................................................... 103


4

Introduction With the advent of compliance features in SharePoint 2007, Microsoft has continually added capabilities into the SharePoint platform that allow the system even easier compliance with regulations such as 21 CFR Part 11. This whitepaper, developed jointly between Microsoft and Paragon Solutions, details how Microsoft SharePoint 2013 can be configured to be compliant with regulations such as Part 11. Our approach to this document is fairly straightforward:

The first section deals with the use cases involved in configuring a system for 21 CFR Part 11 compliance and takes the implementing party step by step through those configurations, with screen shots and – where necessary – any code or registry settings necessary to complete the system.

The second section walks the reader through the 21 CFR Part 11 regulation and details how the configurations listed in the first section and the SharePoint platform as a whole can be used in a Part 11 compliant system.

Two notes of importance when approaching this document.

1) No software or hardware system can be 21 CFR Part 11 compliant – despite our statements above for ease of understanding. Part 11 compliance – and validation – are both dependent on how the implementing party uses the system in the context of their own processes. This document provides assistance towards qualification while validation and 21 CFR Part 11 compliance are completely up to the implementing party.

2) Our approach in this document is to take individual use cases and consider their

ramifications across distinct architectures. Each architectural approach is treated differently – where necessary – in both the Use Cases section and in the Part 11 overview section. The three architectures are:

a. Microsoft SharePoint 2013 as implemented in the traditional on premises version of SharePoint.

b. Microsoft SharePoint 2013 as implemented in an Azure Infrastructure as a Service virtual machine

c. Microsoft SharePoint Online as part of Office 365 Again, this document is guidance. It does not guarantee that your implementation will be able to achieve compliance with any given regulation. But it does give you a jump start in your qualification and configuration efforts against 21 CFR Part 11 and thus other relevant regulations for the Life Science industry.


5

Disclaimer The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ©2013 Microsoft Corporation. All rights reserved. Microsoft, Microsoft Office 2013, Microsoft SharePoint 2013, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Rights Management Services, Active Directory, Windows Server 2008 R2, Windows Server 2012, Windows 8, Windows 7, Windows Vista, Windows XP, Microsoft Windows, Microsoft Forefront, Microsoft Visual Studio and other Microsoft products are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


6

Acknowledgements As with any effort of this size, there are a myriad of persons involved in its development. In this case, the efforts of Paragon Solutions (http://www.consultparagon.com) in the development of the demonstration system, SharePoint configurations, workflows, SharePoint Designer configurations and sample source code, all of which were absolutely essential for this project to be successful. It is also necessary to acknowledge the Life Sciences Industry Unit members who wrote and reviewed the configuration text, the use cases, regulation interpretation and guided the development of the end product. Finally, it is necessary to acknowledge the efforts of the Microsoft Consulting Services on the 2007 version of this whitepaper, portions of which remain intact especially in the section that maps each part of 21 CFR Part 11 to the needed configuration step.


7

Document Approach As mentioned in the introduction, this document is split into two major sections, the first that deals with use cases, workflows and configuration steps and the second that deals with the regulations themselves and how those configurations in the first section may be used to comply with those regulations. Within the use case section are detailed the logical architectures needed to support electronic signatures, the configurations for electronic signatures, the end user flow for electronic signatures, and finally the configurations and end user flows for digital signatures.

I. Electronic Signature Architecture Not mentioned in the introduction is a slight change in the approach for the use cases and workflow. In the 2010 version of this document, we took a comprehensive approach, detailing all the possible iterations needed for Part 11 compliance. In this document we take a far simpler approach as Office 2013 permits it. The approach we take in this document is to provide the reader with a single approver workflow use case, either through digital signatures or electronic signatures as defined by Part 11. There are a few advantages to this use case:

It is straightforward to implement, with little additional code needed.

The single approver use case can be modified to multi-approver workflows, either serial or parallel, through documentation that is readily available from numerous sources.

The second approach that we took was to take advantage of the continued support for SharePoint 2010 Workflows. This enabled us to take advantage of both current and previous versions of the Microsoft Platform (Windows Server, Active Directory, and Information Rights Manager). This approach is more “version agnostic” and allows the implementer to either take advantage of the more current features of SharePoint 2013 and/or build on the platforms that they already have in their data centers.

Architecture for Electronic Signatures for SharePoint On Premises


8

Architecture for Digital Signatures for SharePoint on Premises

Windows Server 2008 R2

Windows Server 2012

Active Directory

Information Rights

Management

SharePoint 2013

Microsoft Office 2013


Windows Server 2012

Active Directory

Information Rights

Management

SharePoint 2013



9

Architecture for SharePoint on Azure Infrastructure as a Server

Architecture for Digital Signatures on Office 365 While 21 CFR Part 11 Configuration Guidance for SharePoint Online is not provided for Electronic Signatures in detail in this document, it is possible to enable X.509 Digital Signatures in Office 365. As such we provide architectural guidance in this document. It is also important to note that methods for Electronic Signatures on Office 365 are being investigated. There is third-party documented evidence that details how Office 365 can be qualified by implementing parties. We will build on this qualification guidance as we continue to develop electronic signature features on the Office 365 platform in future versions of this document.

Azure Infrastructure as a Service

Systems Center

Configuration Manager

Systems Center

Operations Manager


Windows Server 2012

Active Directory

Information Rights Manager

SharePoint 2013



10

Windows Server Windows Server is the basis for all the components needed for regulatory compliance. Some of the key compliance features of inherent in both Windows Server 2008 R2 and Windows Server 2012:

The ability to provide Network Access Protection which enforces health requirements by monitoring and assessing the toll of client computers when they attempt to connect or communicate on a network. Client computers that are not in compliance with the health policy can be provided restricted network access until their configuration is updated and brought into compliance with policy.

The concept of server roles allows server administrators to quickly and easily configure any Windows -- based server to run a specific set of tasks and remove extraneous 0S code from system overhead. Windows Server 2008 R2 further extends this model would support work more rules in a broadening of current role support. The Server Core installation option is important to mention here as it only includes necessary components for running applications such as SharePoint.

Microsoft Systems Center Using Microsoft Systems Center, both Configuration Manager and Operations Manager, further enables compliance by providing capabilities for IQ and OQ, important parts of qualifying the platform. These features include:

The ability to provide detailed IQ reports when used with a software distribution system such as Microsoft Systems Center Configuration Manager


Windows Server 2012

Active Directory

Information Rights

Management

SharePoint 2013



11

The ability to provide detailed OQ reports when used with the systems management provided through Microsoft Systems Center Operations Manager.

Active Directory Domain Services Part of Windows Server Core Infrastructure is Active Directory Domain Services. While SharePoint can utilize an LDAP system, Active Directory provides the means to manage the identities and relationships that make up your organization's network in a way that is easily integrated with the rest of your Microsoft-based infrastructure. It gives out-of-the-box functionality needed to centrally configure and administer system, user, and application settings.

Active Directory Rights Management Server The next component in the identity and access management system is Active Directory Rights Management Services (AD RMS). With AD RMS you can augment an organizations security strategy by protecting information through a persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information such as clinical trial reports, site monitoring documentation or even e-mails from intentionally or accidentally getting into the wrong hands. This is configured through the Information Rights Management (IRM) screen which can be applied at the document library or document library template level. It is important to note that users do not have to have Office installed to read protected documents and messages. SharePoint Web Applications understands rights management, so any user with access to a browser and rights to the document can view the document. It is also important to note that users do not need to reside within your organization, as long as they are granted appropriate rights. Any user with a Hotmail account or a LiveID can be granted access to a document and then able to view it through a SkyDrive account or through e-mail.

Active Directory Certificate Services Active Directory Certificate Services provides customizable services for issuing and managing certificates used in software security systems employing public key technologies. Active directory certificate services allows organizations to deploy a digital certificate infrastructure, creating a web of authentication between devices, users, and applications. AD CD is a role in Windows Server, which provides an integrated public key infrastructure (PKI) that enables capabilities such as digital signatures, strong authentication, and secure communications. These certificates when used in conjunction with Office provide the ability to sign Microsoft Office documents which are compliant with the XML-DSign and XAdES


12

standards for digital signatures. Since XAdES forms the basis of other standards such as Safe BioPharma, this system can be integrated into a SAFE-compliant system in a fairly straightforward manner.

What is XAdES?

XAdES (XML Advanced Electronic Signatures) is a set of tiered extensions to XML-DSig, the levels of which build upon the previous to provide more and more reliable digital signatures. By implementing XAdES, Office complies with the European Union Advanced Electronic Signature Criteria in Directive 1999/93/EC as well as a new Brazilian government directive which defines XAdES as the accepted standard for digital signing in Brazil. Users can digitally sign documents by using Excel 2013, PowerPoint 2013, and Word 2013. They can also use Excel 2013, InfoPath 2013, or Word 2013 to add a signature line or signature stamp. Digitally signing a document that has a digital certificate but does not have a signature line or stamp is known as creating an invisible digital signature. Visible and invisible digital signatures both use a digital certificate for signing the document. The difference is the graphical representation in the document when a visible digital signature line is used. More about this aspect of the digital signature will be discussed in the section on Configuring Digital Signatures. By default, Office 2013 creates XAdES-EPES digital signatures, when either a self-signed certificate or a certificate signed by a CA is used during the creation of the digital signature. The XAdES digital signature levels, which are based on the XML-DSig digital signature standard and available in Office 2013, are listed in the following table. Each of the levels builds upon the previous level and contains all the capabilities of the previous levels. For example, XAdES-X also contains all of the capabilities of XAdES-EPES, XAdES-T, and XAdES-C, in addition to the new functionality that is introduced in XAdES-X.

XAdES digital signature levels in Office 2013

Signature level Description XAdES-EPES (Base) Adds information about the signing certificate

to the XML-DSig signature. This is the default for Office 2013 signatures.

XAdES-T (Timestamp) Adds a time stamp to the XML-DSig and XAdES-EPES sections of the signature, which helps protect against certificate expiration.

XAdES-C (Complete) Adds references to certification chain and revocation status information.

XAdES-X (Extended) Adds a time stamp to the XML-DSig SignatureValue element, and the –T and –C


13

sections of the signature. The additional time stamp protects the additional data from repudiation.

XAdES-X-L (Extended Long Term) Stores the actual certificate and certificate revocation information in addition to the signature. This allows for certificate validation even if the certificate servers are no longer available.

Time stamping and XAdES-T signatures

Time stamping digital signatures (XAdES-T signatures) is an important scenario we focused on in Office. In order to create a time stamped signature, you’ll need to:

Set up a timestamp server that complies with RFC 3161.

Configure signature policy to let the client systems know where to locate the timestamp server. You’ll also need to add the timestamp server’s root certificate to the root certificate store.

Once everything is configured, you can just create signatures like you normally would. A timestamp from a trusted timestamp server extends the life of your signature, because even after the certificate expires, the timestamp proves that the certificate had not expired at the time of signing. As a result, time stamping protects against certificate expiration, and if the certificate was revoked after the signature was applied, the signature is still valid. Additional information on Planning Digital Signature Settings can be found on Microsoft Technet at http://technet.microsoft.com/en-us/library/cc545900.aspx and further in this document in the section on Configuring Digital Signatures.

Active Directory Federation Services While not a hard and fast requirement for Part 11 compliance, ADFS provides simplified access and single sign-on for on premises and cloud-based applications in the enterprise, across organizations, and on the web. In the case of access to compliant SharePoint sites, it allows IT administrators and end users to grant access to known entities, even users outside their organizational boundaries. ADFS and SharePoint together accomplish this by using SAML 2.0 standard claims-based authentication and security. Once the ADFS servers of two organizations are “pointed” at each other through a simple configuration, end users from both organizations are free to collaborate, participate in workflow and even execute electronic or digital signatures in both organizations SharePoint sites.

http://technet.microsoft.com/en-us/library/cc545900.aspx


14

SQL Server 2008 R2 and SQL Server 2012 Both Microsoft SQL Server 2008 R2 and SQL Server 2012 contain a complete set of enterprise ready technologies and tools that provide the database and business intelligence technologies for SharePoint and many of the other Microsoft platforms. As a database management platform, SQL Server manages databases more efficiently and effectively. It provides your people with built-in tools for greater control and oversight. It manages at scale, automate automates tasks, and streamlines troubleshooting. As the business intelligence platform, it is a comprehensive platform for business intelligence that includes enhanced reporting, deeper and more powerful analysis, rich data modeling, master data management capabilities, and full integration with Microsoft Office. Microsoft SQL Server also provides the database and business intelligence platform for SharePoint 201e. This “better together” capability means that not only does SQL Server store the objects and configurations of SharePoint, but it also provides on-demand and self-service business intelligence, list generation and PowerPivot capabilities.

Database Security 21 CFR 11.10(d) notes that access to IT applications must be limited to authorized individuals. In addition to internal safeguards built into a computerized system, external safeguards and policies should be put in place to ensure that access to the computerized system and to the data is restricted to authorized personnel. Staff should be kept thoroughly aware through training and procedures of system security measures and the importance of limiting access to authorized personnel. Procedures and controls should be put in place to prevent the altering, browsing, querying, or reporting of data via external software applications that do not enter through the protective system software. IT guidelines, standard operating procedures and controls typically ensure that access to back-end servers and applications is controlled. There is a potential security issue where a person with elevated permissions to the WSS-Content-Database could alter records in the database table and impact the Signed Person, Date signed, and Purpose of Signing tables. Per typical IT operating measures, people with elevated permissions are typically authorized and working under strict operating procedures. The likelihood of malicious changes is low. However, if someone did alter the underlying database tables, SharePoint will not recognize these changes; hence the signature would become invalidated. There are other options for achieving this level of check and balance to ensure that a malicious activity at the database level is discovered and accounted for. However, for most organizations internal IT operating procedures preclude unauthorized access to servers and applications.


15

SharePoint Designer SharePoint Designer is the mechanism the IT Professionals and Power Users can use to create workflows, design custom pages and other tasks that are not available in the SharePoint interface itself.


16

II. Electronic Signature Configuration The following use case details the configurations and resulting process for applying an electronic signature to a document. Again, note that this use case can be modified for multiple signatures, parallel or serial, in a straightforward fashion using the Workflow Manager tool. The description of using that tool will be provided as we go through the workflow.

Electronic Signature Use Case Process Flow

Start

User enters data

All Fields Entered

Authenticate AD

Valid?

Active Directory

Update List Item to “Signature Collection”

= completed

Declare Record

End

Render Error Message

Complete Signature Task

Workflow


17

Components for Electronic Signature To handle the “signing signature” referred to in Part 11 documentation, a couple departures from standard SharePoint are needed. The first is an InfoPath form that captures the username and password of the person signing the record. The second is a web service that authenticates that user. The third is a workflow that handles the approval from start to finish. To accomplish this there are a few components necessary to configuring and developing the workflows and approvals necessary to handle Part 11 compliant electronic signatures on SharePoint 2013.

Web Service for Approval Signatures

SharePoint Configuration

InfoPath Task Form Modification

Workflow

SharePoint Configuration Finalization

Testing

Web Service Architecture for Electronic Signatures

To handle the approval signature portion, we have made a key architectural improvement by enabling the signature authentication to be conducted from a Web Service. This has the advantage of platform independence in that the web service can be run on-premises or in a public or private cloud environment. In the on premises implementation or on the Azure IaaS implementation, the web service is contained within the server itself. In the Office 365 / SharePoint Online implementation, the web service may be contained in either an Azure Web Service (calling the Azure Active Directory) or within a Custom Activity calling an Azure Web Service. We give you this information as guidance to what our current thinking may be – this may change as development continues. Within the web service there are three steps that we will review:

Building

Deploying

Testing


18

Building Web Service for Electronic Signatures

The web service solution can also be downloaded from Codeplex.com @ https://part11compwithsp13.codeplex.com/ Creating the Web Service Solution Step by Step Visual Studio Setup

1. Open Visual Studio (E.G. Visual Studio 2010) – Start > All programs > Microsoft

Visual Studio 2010/2013 > Microsoft Visual Studio 2010/2013

2. Select File > New > Project - Use SharePoint 2010 Template – Empty

SharePoint Project

3. Name the Project and Solution Name = ADUserQuery

4. Click OK

5. Deploy as a Farm Solution and provide a local site for debugging (Your solution

will not be automatically deployed here)

6. Click Finish

7. Add all references if they do not exist(Usually under .Net tab or browse to them –

may have to search your computer first)

a. Microsoft.SharePoint

b. Microsoft.SharePoint.Security

c. System

d. System.Core

e. System.Data

f. System.Data.DataSetExtensions

g. System.DirectoryServices –

Path=C:\windows\microsoft.NET\Framework\v2.0.50727\System.Director

yServices.dll

h. System.Web.Services

i. System.Xml

j. System.Xml.Linq

8. Remove all references that are not needed

a. System.Runtime.Serialization

b. System.ServiceModel

c. System.ServiceProcess

9. Right click on the solution root – It should say ADUserQuery

a. Add “SharePoint Layouts Mapped Folder”

10. Right click on the solution root – It should say ADUserQuery

a. Add Class

b. Choose Windows Service

c. Name it - ADQueryClass.cs

d. Click Finish

e. Expand ADQueryClass.cs

f. Delete ADQueryClass.Designer.cs

11. Right click ADUserQueryClass.cs and View Code

https://part11compwithsp13.codeplex.com/


19

a. Click inside the code window – press Control +A

b. Delete all Code

c. Copy (“AdUserClass.cs” Section) and Paste code from below into

AdUserClass.cs code window

12. Expand Layouts, then right click on ADUserQuery folder

a. Add Class

b. Choose Windows Service

c. Name it = ADCustomWebService.asmx

d. Delete - ADCustomWebService.Designer.asmx

e. Copy and Paste code from below into ADCustomWebService.asmx code

window

13. Right Click Features and Add Feature

a. Name it = ADUserQuery (Right click Featrure 1 and rename)

b. Open up feature and rename the title to “ADUserQuery” as opposed to

ADUserQuery.feature1

14. Expand Package

a. Open Package.package (Double click on it)

b. Move “ADUserQuery (ADUserQuery)” into the “Items in the solution”

section

c. Items in the package section should only have Layouts (ADUserQuery)

with a single file - ADCustomWebService.asmx in it.

Your Solution should look like this

Strong Name your assembly 15. In Visual Studio, Go to Tools –> External Tools.

16. Click on “Add” to add a tool, and put in the following values:


20

a. Title: Strong Name

b. Command: Powershell.exe

c. Arguments: -command

"[System.Reflection.AssemblyName]::GetAssemblyName(\"$(TargetPath)

\").FullName"

d. Check “Use Output Window”

17. Uncheck everything else – here’s how it should look –

18. In your project, go to Tools –> Strong Name

19. In the output window, it will give you the assembly name – All you will need is the

PublicKeyToken


21

20. Right click and “View Code” for ADCustomWebService.asmx file

21. Copy your newly generated and paste that replacing the “PublicKeyToken” with

your new one that you just generated

22. Close out all open forms and code pages and save when prompted

23. Right click on the solution “ADUserQuery” and build solution – If no errors exist

then proceed to next step

a. If errors exist, fix them

24. Right click on the solution “ADUserQuery” and package

Code Filename = ADQueryClass.cs

using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Web.Services; using System.DirectoryServices; namespace ADUserQuery { class ADQueryClass : WebService {


22

[WebMethod] public string ValidateActiveDirectoryLogin(/*string domain,*/ string username, string password) { Boolean success = false; string fullname = string.Empty; //DirectoryEntry Entry = new DirectoryEntry("LDAP://" + domain, username, password); DirectoryEntry Entry = new DirectoryEntry(); Entry.Username = username; Entry.Password = password; DirectorySearcher searcher = new DirectorySearcher(Entry); searcher.SearchScope = System.DirectoryServices.SearchScope.Subtree; try { searcher.Filter = "(SAMAccountName=" + username + ")"; //searcher.PropertiesToLoad searcher.PropertiesToLoad.Add("cn"); System.DirectoryServices.SearchResult results = searcher.FindOne(); #region OtherProp //var userFullName = results.GetDirectoryEntry().Properties["CN"].Value.ToString(); //var a1 = results.GetDirectoryEntry().Properties["displayName"].Value.ToString(); //var a2 = results.GetDirectoryEntry().Properties["name"].Value.ToString(); //var a3 = results.GetDirectoryEntry().Properties["samAccountName"].Value.ToString(); #endregion var first = results.GetDirectoryEntry().Properties["givenName"].Value.ToString(); var last = results.GetDirectoryEntry().Properties["sn"].Value.ToString(); success = (results != null); if (success) { fullname = first + " " + last; } } catch (Exception) { success = false; //lblMessage.Text = "Error: " + ex.Message; } return fullname; } } }


23

FileName = ADCustomWebService.asmx – This string is partially created by your strong name (The Bold is code you can reuse. The Underlined will have to come from your strong name public key token output.)

<%@ WebService Language="C#" Debug="true" Class="ADUserQuery.ADQueryClass, ADUserQuery, Version=1.0.0.0, Culture=neutral, PublicKeyToken=eab87ead4547e21c" %>

Building, Packaging and Deploying the Solution

Building the Solution

Step 1: Open Web Service Solution Open Visual Studio Web Service Solution, Right Click on Package

Step 2: Solution Copy from Development to Production Copy solution from your Dev to your Test or Prod environment Navigate to: Your solution’s “bin\debug” directory where the WSP was packaged to, then open up your deployment directory on your production Web Server

Open Visual Studio Web Service

Solution; Right click and package


24

Step 3: Add the Solution to your Solution Store

Add spsolution

Provide the literal path that would include the file name Navigate to: Start > All Programs > Microsoft SharePoint 2013 Products > SharePoint 2013 Management Shell


25

Deploying the Web Service

Step 1: Within Solution Properties, click on Deploy Solution Navigate to: Start > All Programs > Microsoft SharePoint 2013 Products > SharePoint 2013 Central Administration; Navigate to System Settings > Farm Management = Manage Farm Solutions > Click on “aduserquery.wsp”

Step 2: Deploying Solution Continued Within the Deploy Solution Dialog, Choose “Now” to deploy now and click on OK


26

Testing the Web Service

Step 1: Check the Web Service Root Web App URL + _Layouts + Folder Name + Web Service Name.asmx = Web Service URL E.G. http://YourWebAppURL/_Layouts/ADUserQuery/ADCustomWebService.asmx


27

Step 2: Check the Web Service WSDL URL Append “?WSDL” to the end of your Web Service URL E.G. - E.G. http://YourWebAppURL/_Layouts/ADUserQuery/ADCustomWebService.asmx?WSDL


28

Configuring SharePoint for Electronic Signatures

There are a few basic steps to configuring SharePoint for Electronic Signatures:

Activate Site Collection Features

Create Content Admin Security Group

Record Declaration Settings

Library Permissions

Version and Audit Settings Step 1: Activate Site Collection Features The two site collection features needed for both the electronic signatures and the digital signatures are the In Place Records Management and Workflow Navigate to: Site Contents > Settings > Site Collection Features

Step 2: Create New Content Admin – Security Group The purpose of this SharePoint Security Group is for isolation of list administrators at the document library level. We will create it, then add it to our document library. List administrators will have the ability to delete and modify undeclared records. The next step is to create a new content admin security group that will be used to limit the rights of the content administrators of Part 11 compliant document libraries. Navigate to: Site Contents > Settings > Site Permissions > Create Group


29

Step 3: Security Group Permissions Action:

Choose Full Control for the Security Group Permissions in the Create Group Dialog

Click Create


30

Step 4: Adding your Content and List Admins The Users in this group will have the ability to undeclared records if need be. You now want to add the content and list admins to the newly created security group. Navigate to: Taken here by previous step Action:

Add ONLY proposed List Administrators to this group.

Step 5: Site Collection Record Declaration Settings The next step is to set the site collection record declaration settings. This will set how documents are treated within the site collection once they are declared to be a record. Navigate to: Home > Site Contents > Settings > Record Declaration Settings Actions:

Set Record Declaration Settings: o Block Edit and Delete o Not available in all locations by default o All list contributors and administrators o Only list administrators

Click OK


31

Step 6: Create the Document Library for Electronic Signatures Navigate to: Home > Site Contents > Add an App > Document Library Action:

Name the document library

Step 7: Set the Library Record Declaration Settings Navigate to: Home > Site Contents > Settings > Site Libraries and Lists > Customize “eSig Documents” Actions:


32

Click on Record declaration settings

Set the library record declaration settings: o Use the site collection default setting

Click OK

Step 8: Set Library Permissions Navigate to: Same navigation as previous step Actions:

Set unique permissions and remove all other groups except the minimal groups seen below

Add Content Admin Security group to library

Set ONLY Content Admin Security Group to Full Control


33

Step 9: Turn on Library Versioning Settings Navigate to: Same navigation as previous step Actions:

Set Versioning Settings o Require content approval for submitted items? No o Create major versions - minimum

Click OK

Step 10: Configuring Site Auditing Settings Once all the permissions and library settings are complete, it is time to set the site collection audit settings. Navigate to: Home > Site Content > Settings > Site Collection Audit Settings Action:

Set the Site Collection Audit Settings o Automatically trim the audit log for this site? No o Documents and Items > Specify the events to audit: Select all o List, Libraries and Sites > Specify the events to audit: Select all


34

Workflow Settings for Electronic Signatures

There are five basic parts to set the workflow settings for electronic signatures, with multiple steps within each part. Those parts are:

Copying and modifying a workflow

Setting Email messages

Setting Record Declaration Action

Save and Publishing Workflow

Viewing Available Site Workflows

Copying and modifying a workflow

Step 1: Open SharePoint Designer 2013 – Open Site Navigate to: Start > All Programs > Microsoft Office 2013 > SharePoint Designer 2013 > Click Open Site > Type in the URL of your Site Action:

Input the appropriate site name

Enter any credentials as necessary


35

Step 2: Copy and modify existing out of the box workflow Actions:

Click Workflows in the left navigation

Right click on the “collect signatures” workflow

Select “Copy and Modify”


36

Step 3: Name the copied workflow Actions:

Fill in with the name for the new workflow

Click OK

Click Save


37

Modifying the Email Message

These steps will modify the e-mail message sent to those who need to approve or sign the document record. Step 1: Edit the new workflow Actions:

Right Click on your new workflow

Select Edit Workflow

Left Click on Collect Signatures Workflow Task

Left Click on “Change the behavior of a single task”

Step 2: Update Task Information in E-Mail Actions:

Update the Current Task: Assigned To

Update Workflow Context: Initiator


38

Step 3: Modifying the Current Task: Assigned To E-Mail Actions:

Insert new line in the workflow e-mail

Change the Hyperlink


39

Step 4: Modify the Task Completion Hyperlink Actions:

Click Add or Change Lookup

Change the Data Source

Change the Field From Source


40

Step 5: Change the Task Completion Conditions

Click Change the Completion Condition for this Task Process


41

Step 6: Insert a New Action: Declare Record

Click on the space before “then End Task Process”

Click on Insert Action : Declare Record


42

Save and Publish the Workflow

Click on Save

Click on Publish


43

Viewing Available Site Workflows

Navigation to: Home > Site Contents > Settings > Site Libraries and Lists > Customize “eSig Documents” > Workflow Settings > Step 1: Navigate to the Site Library

Verify the New Workflow is in the Site Library


44

InfoPath Task Form Modification for Electronic Signatures

The InfoPath Task Form is necessary for capturing the electronic signature.

• Add New Web Service Data Connection • Add new fields • Add Authentication View • Add Rules • Save and Publish

To begin, Open SharePoint Designer 2013 with a blank form and add in any design elements you desire. Add New Web Service Data Connection Step 1: Create new receive data connection Navigate to: Start > All Programs > Microsoft Office 2013 > SharePoint Designer 2013 > Click Open Site > Type in the URL of your Site > Click on workflows > Click on your copied workflow > Click on “Collect Signature Workflow Task Form in the Forms Section of SharePoint Designer 2013 > Click Data Tab > Click Data Connections Actions:


45

Add Connection

Create anew connection to: o Receive Data

Click Next

Step 2: Select source of data Navigate to: From previous dialog Actions:

SOAP Web Service

Click Next


46

Step 3: Insert Web Service definition: Navigate to: From previous dialog Actions:

SOAP Web Service Defintion

Click Next


47

Step 4: Data Connections List Navigate to: From previous dialog Actions:

Choose remaining defaults Uncheck “Automatically receive data when form is opened” check box ValidateActiveDirectoryLogin - Data Connection now available


48

Add New Fields to InfoPath Forms

Navigation to: Click on Data Tab > Show Fields > Show Advanced view > Right Click “myfields” > Add group > provide the names seen above Step 1: Actions: Right click myfields > Click add


49

Step 2:

o Actions: Set ValuesName = AuthenticationGRP o Type = Group o Repeating = unchecked o Click OK


50

Step 3: Navigation to: Right Click “my:AuthenticationGRP” Group” > Add Field > provide values below Actions: Set Values

o Name = UserID o Type = Field o Data type = Text o Default Value = blank o Repeating = unchecked o Cannot be blank = unchecked o Click OK


51


o Name = UserPassword o Type = Field o Data type = Text o Default Value = blank o Repeating = unchecked o Cannot be blank = unchecked o Click OK


o Name = Results o Type = Field o Data type = Text o Default Value = blank o Repeating = unchecked o Cannot be blank = unchecked o Click OK

Step 6: Actions: Right click myfields > Click add


52

Step 7: o Actions: Set ValuesName = AuthenticationErrorMessage o Type = Group o Repeating = unchecked o Click OK

Step 8: Navigation to: Right Click “my:AuthenticationErrorMessage” Group” > Add Field > provide values below Actions: Set Values

o Name = ErrorMessage o Type = Field o Data type = Text o Default Value = blank o Repeating = unchecked o Cannot be blank = unchecked o Click OK


o Name = ErrorFlag o Type = Field o Data type = True/False o Default Value = FALSE o Repeating = unchecked o Cannot be blank = unchecked o Click OK


o Name = ErrorMessageNote o Type = Field o Data type = Text o Default Value = blank o Repeating = unchecked o Cannot be blank = unchecked o Click OK

Add Authentication View

Navigation to: Click on Page Design Tab > New View Step 1: Name the View = Authentication View


53

Step 2: Insert Tab > custom Table = 5 Row x 3 Column Step 3: Add UserID and UserPassword from AuthenticationGRP into top two middle columns of the two top rows > color text of UserPassword Field White Step 4: Add button Call It Submit Step 5: Merge cells on rows 4 and 5 > Add UserID and UserPassword from AuthenticationErrorMessage group into Table on rows 4 and 5 Step 6: Insert default values into fields, color them bold red and make them “read only”

Adding Rules into the InfoPath Form

Adding Rule to Submit Button

Navigation to: Click on Submit Button > Click on Home Tab > Manage Rules


54

Step 1: Set UserName = UserID

Create new rule

Condition = none

Action add “Set a fields Value where Field=username and value=UserID


55


56

Step 2: Set Password

New - Action add “Set a fields Value where Field=password and value=UserPassword


57

Step 3: Add Query for Data

New - Action add “Query for Data; Data connectioValidateActiveDirectoryLogin


58


59

Step 5: Add Active Directory Logon Result

Continue Rule 1 – New - Action add “Set a fields Value where Field=results and value=ValidateActiveDirectoryLoginResult


60


61

Create Rule 2 – Authentication View – Submit Button

Step 1: Create new rule

Step 2: Set Condition where Results = Blank


62

Step 3: Add Error flag

Add “Set a field’s value where Field=ErrorFlag and value=true()


63

Create Rule 3 – Authentication View – Submit Button

Step 1: Click New Rule (Rule 3)

Step 2: Set Condition where results = blank


64

Step 3: Add Action = Submit data; Data Connection = Signed

Step 4: Add Action Close this form

Create Rule 1 – Main View – Sign Button

Navigation to: Click Page Design Tab > Change view to “Main View” > Click on Sign Button > Click on Home Tab > Click Manage Rules Step 1: New Rule; Conditions = none


65

Step 2: Set action = Switch Views; Views = Authentication View


66

Save and Publish Form

Quick Publish


67

Save Form to Local System

Publishing Completed


68

Final SharePoint Configuration and Testing

There are two parts to the final SharePoint Configuration and Testing:

Adding the workflow to the document library

Testing the new workflow

Adding the Workflow to your library

Step 1: Choose your newly published workflow Step 2: Name the workflow Step 3: Create a new task and history list

Optional – Choose a Default Signer


69

Test the New Signature Process

Navigation to: Home > Site Contents > eSig Documents


70

Step 1: Begin the Signature Process

Upload a document to the library o Click Files Tab o Click upload document then browse and click ok

Start the eSig- Workflow o Click Ellipsis next to document name o Click the Ellipsis in the next window o Click on workflows

Step 2: Choose a Signer


71

Step 3: Signer Receives E-Mail with Instructions

Step 4: Signer is brought to their history and tasks


72

Review document before signing

Click task link for Task Form


73

Step 5: Task Form – Main View

Click Sign

Step 6: Task Form – Authentication View

Insert your password

Receive message if wrong password is typed

Click Submit


74

Step 7: eSig Workflow = Completed

Lock is displayed showing declared Record

eSig-Workflow Status = Completed

Step 8: Compliance Details on Document

Policy Status

Record Declaration Status


75

Step 9: E-Mail Showing Workflow Completed


76


77

III. Digital Signature Architecture The following use cases will detail the configurations and resulting process for applying a digital signature to a document either in a single signature scenario or in a multiple signature scenario.

While the overall architectural components are important, it is also key to identify proper organization, sizing of the server farm, navigation and other concepts. Those elements are largely outside scope of this document. For information on the concepts of sizing, navigation and geographical disbursement, please visit http://msdn.microsoft.com as well as http://www.microsoft.com/itshowcase for best practice information on SharePoint implementation on an enterprise scale.


Windows Server 2012

Active Directory

Rights Management

Services

Certificate Services

FAST Enterprise

Search

SQL Server 2008 R2

SQL Server 2012

SharePoint 2013

Document Mgmt

Policy Mgmt

Workflow Records Mgmt

Electronic & Digital

Signature Workflow

http://msdn.microsoft.com/

http://www.microsoft.com/itshowcase


78

IV. Configuring the Digital Signature Use Case

Administrator Configuration for Digital Signatures Similar steps are required for creating workflows for Digital Signatures as they are for Electronic Signatures.

Configure Document Library Templates

Creating the document library templates is essential, as this provides the signature blocks that will be used during the X.509 certificate signature process. As with the electronic signatures, you first select the document library that will be used for the Digital Signatures. When there, click on the “Library Tools > Library” tab in the Ribbon Bar. This brings you to the “Document Library Settings” page which enables you to add the necessary columns for digital signatures.

Configure Document Library Version Histories

While digital signatures are more secure than electronic signatures, it is still important to create and set version histories for the audit trail capabilities of the document library. The steps for doing this are the same as for configuring electronic signatures.

Configuring the enforcement of a digital certificate type

Inserting the appropriate registry settings to enforce a type of digital certificate is extremely important. This will provide the type of certificate that complies with 21 CFR 11. These settings are per user and can be easily enforced via a GPO (Group Policy Object) or logon Script. These settings enforce the minimum requirements for a digital certificate. What they do not enforce is a compliant “Time Server.” In order for a digital certificate to comply with 21 CFR 11, the “Time Server” also has to comply with RFC 3161. Please ask your domain administrator if your Domain Controllers comply with this policy. Action: Create a registry file:

1. Open up notepad 2. Insert text from below 3. Save file as signature.reg 4. Double click on file or right click and merge


79

This is an EXAMPLE Registry setting:

Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Signatures] "XAdESLevel"=dword:00000005 "MinXAdESLevel"=dword:00000002 "TimestampRequired"=dword:00000001 "TSALocation"="http://timestamp.globalsign.com/scripts/timstamp.dll" "LastSigningCert"=hex:52,a6,c8,4b,5d,4a,e4,18,3c,d0,4d,7c,5b,a4,8b,af,0f,17,82,\ d0 "SignatureUISettings"=dword:000001c3

Configure Document Templates for Workflow and Digital Signatures

Setting the document templates for digital signatures is straight forward. First you need to set the document library to open documents in the client application – not the browser. Once that is complete, you create the document template inside Word 2013 that has the document signing block. The final step is to create workflow that sends the document for final approval. Open Documents in the Client – Not Browser Step 1: Set Documents to Open in Word 2013 Navigate to: Document Library > Document Library Settings > Advanced Settings

http://timestamp.globalsign.com/scripts/timstamp.dll


80

Step 2: Open in Word 2013 Action:

Select Open in the Client Application

Click OK

Create the Word Template Step 1: Create the Word Template Navigate to: Document Library > Document Library Settings > Advanced Settings Action:

Click “Edit Template” in the Document Template section under the Template URL


81

Step 2: Add the Signature Block to the Word Template To add a visual representation of a signature, it is necessary to add a signature block to the template. You can add as many signature blocks as will be necessary for the workflow and document type. Navigate to: Insert > Signature Line > Microsoft Office Signature Line

Step 3: Add details to the Signature Block Action

Complete details in the Signature Block


82

Create workflows for digital signatures

Creating workflows that utilize digital signatures is actually more straightforward than for electronic signatures. These workflows can either be created in SharePoint itself, or through SharePoint Designer. In fact, as mentioned previously, SharePoint 2013 contains out of the box workflows for digital signatures called “Collect Signatures”. This is the same signature workflow as copied for use in the Electronic Signature use case.

Add or Change a Collect Signatures Workflow

The Collect Signatures Workflow is as defined in the electronic signatures section.

Set Permissions for the Document Library

These steps are the same as for electronic signatures.

Set Policies for the Document Library

These steps are the same as for electronic signatures.

V. Using the Digital Signature Use Case The Digital Signature Use Case is very straight forward: Creating a new document from the document template for that document library, right click on the signature block, select sign (with a digital signature) and provide the signature. The signature marks the document as final and prevents further revisions to the document. This workflow mechanism minimizes the need to declare the document to be a record, as the signed version of the document is immutable: it cannot be changed without invalidating the signature. Of course, it is possible to view all the version histories of the document, with all the same versioning and audit trail mechanisms possible as with the electronic signatures.


83

Digitally Signing a Document Step 1: Open the Template Document from the Library Actions:

Click on New Document in the Document Library

Step 2: Author document as necessary, making necessary changes Step 3: Initiate Collect Signatures Workflow Step 4: Sign the Document


84

Step 5: Define the Signature New to Office 2013 is the ability to determine the type of signature and the reason for signing. This is particularly important for 21 CFR Part 11. Not shown is the signing ceremony, where the user choose the digital certificate they want to use for the signature and provide the PIN or Password for the certificate. Action:

Define Commitment Type

Define Purpose for Signing


85

View the Version Histories for Digital Signatures Auditing digitally signed documents can be done in a couple ways: within the document itself as XAdES requires the signing history be kept with the document and also through the SharePoint version history.

Viewing the Digital Signature Audit in the Document

Step 1: Open the file that contains the signatures that you want to view and view the

signatures applied to the document.

Navigate to: File > Info > View Signatures

Step 2: Audit information on the signature

When viewing the signature details, the following signature information appears:

What the signature signs


86

Date and time the signature was applied

The version of the Microsoft Windows operating system installed

The version of Microsoft Office installed

The version of the Microsoft Office program used

Action:

Click on Signature Details next to the signature to be audited.


87

21 CFR Part 11 Requirements

Subpart B Addressed / Not Addressed

11.10 Controls for closed systems Addressed

11.10 (a) Validation of systems Addressed

11.10 (b) Record review and inspection Addressed

11.10 (c) Records protection and retrieval Addressed

11.10 (d) System access Addressed

11.10 (e) Audit trail Addressed

11.10 (f) Operational system checks Addressed

11.10 (g) Protect record from unauthorized access Addressed

11.10 (h) Data input validation Addressed

11.10 (i) Personnel training Not applicable

11.10 (j) Electronic signature policy Addressed

11.10 (k) System control Addressed

11.30 Controls for open system Addressed

11.50 Signature manifestation Addressed

11.50 (a) Signature information Addressed

11.50 (b) Control of signature information Addressed

11.70 Signature/record linking. Addressed

Subpart C

11.100 General requirements. Not applicable

11.100 (a) Uniqueness Not applicable

11.100 (b) Identity verification Not applicable

11.100 (c) Legal certification Not applicable

11.200 Electronic signature components and controls Addressed

11.200 (a) Non-biometric signature Addressed

11.200 (b) Genuine use of biometrics signature Not applicable

11.300 Controls for credentials Addressed

11.300 (a) Maintain of credentials uniqueness Addressed

11.300 (b) Credential maintenance Addressed

11.300 (c) Process for lost or compromised credentials Addressed


88

11.300 (d) Safeguard to unauthorized credential use Addressed

11.300 (e) Device maintenance Not applicable

Subpart B Electronic Records

11.10 Controls for Closed Systems Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. As the previous configurations demonstrate, SharePoint Server addresses authenticity, integrity and confidentiality of electronic records through access control and permission to the records on either the individual record level or a document library level. Users are assigned permissions to content and records through permissions which limit what they can do by administrators. Documents identified as records can be sent to a record center for safe keeping and have separate access control than when the document was authored and reviewed. To protect confidentiality of an electronic record, documents can be protected by Information Rights Management (IRM) policy that could restrict users from copying or printing documents even after the document is saved outside of the SharePoint Server. SharePoint also addresses non-repudiation through audit trails as demonstrated. The auditable system of records are implemented through policies which can be configured for documents and items in SharePoint 2013 to specify which events will be audited for each Content Type or site level, via the Information Management Policy capabilities. An audit trail is kept with a document throughout the document and record life cycle.

11.10 (a) Validation of Systems

Systems validation ensures accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

How Office 2013 System addresses the requirement

Addressing this requirement takes a couple forms: 1) Validation of the system as a whole, and 2) validation of the individual documents or records. To address validation of the system, there are three areas of validation that implementing parties need to be concerned with: IQ (Installation Qualification), OQ (Operational Qualification) and PQ (Performance Qualification). In the case of Installation Qualification, the focus is on ensuring that the application is installed correctly, and all Microsoft product generated installation logs are maintained which detail the installation as well as any errors that may arise during the installation process.


89

In addition, Microsoft Systems Center can provide installation audit trails for SharePoint implementations to ensure that all components installed properly. Operational Qualification begins with the development methodology utilized to create the software. Most Microsoft products, and all the products detailed in this whitepaper, adhere to the “Security Development Lifecycle” methodology. This methodology, which encompasses steps traditionally employed in software development methodology, places a particular focus on development of software that is secured by design, in development, and through implementation. All major software releases from Microsoft, beginning with the Office 2007 and Vista/Longhorn “wave” of software releases are required to go through the internal processes and checkpoints detailed in the Security Development Lifecycle methodology, and must be signed off on by a Security Officer before the particular software can be released to the general public. The details of the methodology are available on MSDN as well as through published works by Steve Lipner and Michael Howard (see the Reference section for more information). In addition, there is a whitepaper available entitled “Mapping Microsoft Development Methodology to the V-Model” that is available on MSDN as well. Operational Qualification extends to the operation of the software. To that end, most Microsoft software, and all the products detailed in this whitepaper, provide detailed error logging and troubleshooting information that can be gained through a proper implementation of the Microsoft Systems Center Operations Manager. In fact, any software release must include a management pack for Operations Manager before the particular software can be released to the general public. The details of the management pack for all relevant software are available in the References section of this document. Performance Qualification always includes the question -- “Does the software perform to the end users’ needs?” As that question can only be answered by the implementing party, the final step in validation of the software needs to be the development of test plans and testing of the software in the environment in which it will be utilized. These test plans can be modeled on this whitepaper to assist with the proper configuration of the software. While the overall validation of the software is up to the implementing party, Microsoft has assisted in the validation through the creation of the development methodology, implementation of management packs, implementation of the installation logs, and development of this whitepaper to give guidance in the configuration of the software and development of the test plans for performance qualification. Finally, Microsoft recommends that companies periodically audit their own implementation of the software, in order to ensure that the guidelines specified herein are applied to their production systems and are enforced throughout. To address validation of the individual documents, SharePoint provides auditing features to facilitate the validation process.


90

As SharePoint server is designed as an auditable system, the administrator can configure the system to audit document creation, specifically document modification and deletion among other things so all changes to a document are audited. Additionally, you can also extend the auditing capabilities to include additional information such as version and workflow status. All these capabilities related to SharePoint were demonstrated in the configurations detailed in the use cases section of this Whitepaper

11.10 (b) Record Review and Inspection

The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.


As shown in the configuration methods, SharePoint has the ability to generate accurate and complete copies of records in both human readable and electronic form. Additionally, when the documents in question are written in the Office 2013 system, the OpenXML file format allows the document to be accessible electronically (i.e. machine readable in XML in its component parts) while still maintaining the ability to be viewed as a whole through Word, Excel, or PowerPoint as appropriate. Saving the document in XML Paper Specification (XPS) format provides the best of both worlds: a machine readable document (in XML) whose formatting does not change regardless of the printer, screen, or viewing application used to display the document. A description of the OpenXML format is found at: http://www.ecma-international.org/publications/standards/Ecma-376.htm A description of the XML Paper Specification (XPS) is found at: http://www.microsoft.com/whdc/xps/downloads.mspx Both XPS and OpenXML are native file formats for Office 2013 and are understood and readable by the Windows 7 operating system as well. Agencies and inspectors can be given read-only access to documents during the review process. Electronic documents will be viewed either natively or in other formats via document converters or viewers.

11.10 (c) Records protection and retrieval

Protection of records to enable their accurate and ready retrieval throughout the records retention period.


As discussed in the configuration section, SharePoint 2013 protects documents through content policies that prevent documents from being changed. In addition, the system then takes the documents declared as records and can flag them for retention for a specific period of time.

http://www.ecma-international.org/publications/standards/Ecma-376.htm

http://www.ecma-international.org/publications/standards/Ecma-376.htm

http://www.microsoft.com/whdc/xps/downloads.mspx


91

1) Automatically receive/route records declared from other sources—Records

Centers are able to determine how the Content Type of a declared record translates to an appropriate record series in the file plan, and then file the record into the appropriate location.

2) Hold orders—The Records Center includes a powerful hold order system to locate records relevant to particular event requiring a hold order, suspending disposition of those records for the duration of the event, and for resuming normal disposition once those events have ended.

3) Separate access controls—Records Center can give you the flexibility to specify

whether users can access any section of the Records Center, whether they can view or add items, independent of the permissions those users have on authoring and collaboration sites.

As demonstrated, documents can be attached to a policy that defines content expiration and version control policy. Microsoft Office technology allows content that is outside the repository to be secured on the basis of policies as well by using the Rights Management Server. With the 2013 system, an access control policy set up for a SharePoint site can also be maintained for documents on the desktop. These rights also extend to expiration, printing, forwarding, and copying, thereby ensuring a higher level of content security than has been possible with traditional approaches.

11.10 (d) System Access

Limiting system access to authorized individuals


SharePoint sites containing information or documents to be protected should not allow anonymous access. The User will need to be authenticated before access to the site is granted. The following are authentication methods for SharePoint (or any ASP.NET application):

Windows integrated (NTLM, Kerberos, or certificate) – user is authenticated when they log on their computer. This is enforced by IIS.

Basic authentication – user enters domain credentials for authentication before access to the site is granted. This is enforced by IIS. As credentials are sent as plain text by default, this option should use SSL or other mechanism to encrypt the http traffic.

Forms based or SSO – user enters credentials assigned to them that may not be their domain credentials. As with Basic Authentication, HTTP traffic needs to be encrypted to protect the credentials. This requires additional settings on web.config file for the web application.

Authentication setting is set per web application (the container that hosts portal and collaboration sites) and is configured through SharePoint Central Administration Application.


92

The following is a sample web.config file used to setup forms-based authentication, role-based access, and denies access to unauthenticated users: <configuration> <connectionStrings> <add name="MySqlConnection" connectionString="Data Source=MySqlServer;Initial Catalog=aspnetdb;Integrated Security=SSPI;" /> </connectionStrings> <system.web> <authentication mode="Forms" > <forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" /> </authentication> <authorization> <deny users="?" /> </authorization> <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15"> <providers> <clear /> <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="MySqlConnection" applicationName="MyApplication" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" requiresUniqueEmail="true" passwordFormat="Hashed" /> </providers> </membership> <roleManager defaultProvider="SqlProvider" enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All" > <providers> <add name="SqlProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="MySqlConnection" applicationName="MyApplication" /> </providers> </roleManager> </system.web>


93

</configuration> After authentication, the user will also need to be assigned appropriate rights to access specific features and contents. Details on how to configure user roles and rights are discussed in Section 11.10 (g) of this paper.

11.10 (e) Audit Trail

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.


As discussed in 11.10 (a) audit trails in SharePoint are provided at the document level, document library level and at the site level. These capabilities were demonstrated in the configuration section of this document.

11.10 (f) Operational System Checks

Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate


As demonstrated in the configuration section, SharePoint 2013 can enforce workflow, audit trails and electronic signatures on any given document.

11.10 (g) Protect records from unauthorized access

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.


As demonstrated, SharePoint 2013 controls access to Web sites, lists, folders, and list items through a role-based membership system by which users are assigned to roles that authorize their access to Windows SharePoint Services objects. The creation and authentication of the user and to which role the user is assigned is discussed in Section 11.300 – Controls for Identification Codes / Passwords. To give a user access to an object, you either add the user to a group that already has permissions on the object, or create a role assignment object, setting the user for the role assignment and then adding the assignment to the collection of role assignments for the object (such as list item, folder, list, or Web site). By default, objects inherit permissions from their parent (document from document library or folder, document library from site, site from parent site). Following are the screen shots of defining a unique permission setting for a document.


94

11.10 (h) Data Input Validation

Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.


Transport level encryption (such as SSL) can be used to secure the content (data input) from users. ASP.NET (which SharePoint is built on) uses the Message Authentication Code (MAC) technique to protect key information, such as view state data and authentication tickets, to make sure that the data are not illegally modified. For cookie-based authentication (such as forms authentication), administrators can configure cookie timeout parameters to be reasonably short to reduce the cookie reply security risk. For additional protection, Microsoft has developed Forefront Security for SharePoint, which helps businesses protect their SharePoint Server 2013 servers from viruses, unwanted files and inappropriate content. With a layered, multiple scan engine approach, Forefront Security for SharePoint helps stop the latest threats before they impact your business and users.

11.10 (i) Training

Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.


Microsoft product teams follow rigorous development and testing processes for its product development including the Office 2013 systems, as described in Section 11.10(a) Validation of Systems. Microsoft and many of its partners offer extensive training courses, technical resources, and certifications for .NET, SharePoint and related technologies to help organizations to educate and train their people for specific tasks.

11.10 (j) Electronic Signature Policy

The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.


While the establishment of a Electronic Signature Policy is the responsibility of the implementing organization, the Office 2013 can assist in the adherence to those written policies by implementing Records Management that reflect and enforce those policies. Creating a successful Records Management system starts with mapping out the organization’s records management goals, anticipating the challenges an organization


95

will face in making that vision a reality within the company, and developing a policy and implementation that fits these needs. Since planning is a key to both the policy development and solution implementation phases, it is important to outline the challenges faced at each stage so these can be kept top of mind when working out both the organization policy plan and implementation strategy. At the policy planning stage, the major challenge is to devise a system that encompasses an organization’s current records-keeping needs: content types, media types, storage requirements, business processes, and policies. It also needs to meet present legal and audit requirements, and be extensible and flexible enough to accommodate future content types and retention requirements. Another important goal is to enhance information retrieval, which will help employees do their jobs more efficiently and give an organization a competitive advantage. In developing the policy for an organization, the challenge is to create an overarching policy document that is comprehensive but short, easy to read, and accompanied by actionable retention schedules that can then be put into practical use. Furthermore the policy needs to be integrated with the organization’s other enterprise content management policies, and be able to absorb and integrate previous record keeping efforts. At the implementation stage, the major challenge is to create a system that suits the organization’s workflow, one that will actually be adopted by users and integrated into their daily activities. The implementation must be simple enough for employees to grasp quickly, easy enough to require only few extra steps (or clicks), but rigorous enough to meet the organization’s overall need for record keeping within the organization. Furthermore, any technology rollout must be manageable for the organization as a whole – and not significantly disrupt normal business operations. SharePoint 2013 includes multiple information management policy features to help an organization manage content type as shown in Section 11.10 (c):

Document expiration

Document auditing

Document labels

Document bar codes

11.10 (k) System control

Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

How Office 2013 System and Rights Management Services (RMS) address the requirement

Microsoft Active Directory Rights Management Services (RMS) augments an organization’s security strategy by providing protection of information through persistent usage polices, which remain with the information. Content is protected with RSA 1024-


96

bit Internet encryption and authentication so that information will be safe in transit and will remain with the document, no matter where it goes. For example, encrypted content stored on a lost USB drive will not be accessible and viewable to any unauthorized viewer, regardless of location. This information protection technology works with RMS–enabled applications to help safeguard digital information from unauthorized use—both online and offline, inside and outside of the firewall. Record managers and administrators can define exactly how users can use data and can place limitations on who can open, modify, print, copy, and forward certain confidential information. Revision and change control can be enforced through checkout and audit trail policies as discussed previously in this document.

11.30 Controls for Open Systems Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in Section 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.


SharePoint can leverage the underlying ASP.NET infrastructure to authenticate users through various means which are discussed in Section 11.300 – Controls for Identification Codes / Passwords. Together with SSL (or other transport level security measures), user access and data transport can be secured from the point of creation to the point of receipt. Office 2013 enables three use-case scenarios with the out-of-the-box digital signature functionality to protect documents starting from their point of creation.

Authenticity & Tamper Resistance – Signing an Office document to prove that it hasn’t been modified since it was signed. You can also view the digital certificate used to sign the document to verify the authenticity of the document and prove that it came from a trusted individual or organization.

Digital Signature – Signing an Office document with both a specific identity and an assertion about why this document was signed (for example, “Approved for Publication”). This type of signature does not print with a document and does not affect the on-page content of a document, but can be viewed and verified with software, including Office 2010 applications.

In Document Signature – Signing an Office document in a special “signature line” object that visually shows who signed the document. This feature is designed to mimic the experience of pen and ink signatures. It is this type of signature that was created in the earlier configuration of electronic signatures discussion.


97

As discussed, Office 2013 documents support digital signatures out of the box and are extensible. For digital signature of non-office based documents, there is 3rd party vendor support in the market place. In addition to the digital signature controls and SSL used to transmit the electronic record, Forefront Security for SharePoint can provide further assurance that the record is valid by protecting SharePoint 2013 servers from viruses, unwanted files and inappropriate content.

11.50 Signature Manifestations

11.50 (a) Signature Manifestation

Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.


As demonstrated in the configuration example, SharePoint 2013 can use workflow to enforce document approval and signoff. Information collected during the approval and signoff process can be customized to include all information required under this rule and more. Custom solutions built on top of the SharePoint 2013 can also add relevant entries to the audit log, such as when an approval workflow is completed.

11.50 (b) Control of signature information

The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).


Office 2013 documents store digital signatures as a separate stream from the content stream and are part of the document package. In compliance with XAdES, the entire signature process, including the validity of the signature at time of signing is kept with the document package. In addition, as shown in previous screen shots, the digital signature of an Office 2013 document can mimic the paper and ink signature experience. In the case of Electronic Signatures, the signature, date and time of signature, and the signature meaning are linked to the document through metadata that is associated with the document in SharePoint; are kept with and linked to the document throughout the document life cycle; and can be viewed with the document in SharePoint. Together, the metadata and document consist of a record once declared as such during the workflow process. As demonstrated, it is possible to integrate the metadata into the body of the document, as it would appear in a printed version of the document, through the use of a document template that reads the metadata from SharePoint, stores the metadata in the


98

document as part of the OpenXML, and then allows for display of the metadata inline in the document.

11.70 Signature/Record Linking Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.


Digital signatures for Office 2013 documents are stored as part of the document. As demonstrated earlier, Office 2013 provides a task pane to help users view and verify the signatures stored within a document. This pane is designed to differentiate signatures based on whether they are requested, valid, or invalid. This task pane is a built-in part of the signature platform and automatically displays information about the signature objects regardless of whether they come from our built-in implementation or a custom written signature add-on. Electronic signature and approval information are stored as part of the audit trail and metadata associated with the document. The linkage between signature and document is maintained by the server and can be read in the document through document templates as discussed in the previous section. Digital signature and approval information are stored as part of the audit trail and metadata associated with the document when signed as part of a workflow.

Subpart C Electronic Signatures

11.100 General Requirements

11.100 (a) Uniqueness

Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.


Policies and procedures should be developed to verify each user’s identity prior to a user being assigned a username and password and to dictate that users should not share credentials. These policies and procedures should be included as part of the compliance and system training process. The creation, maintenance, and authentication of the user are discussed in Section 11.300 – Controls for Identification Codes / Passwords.


99

11.100 (b) Identity Verification

Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.


This should be part of the compliance solution planning and training process.

11.100 (c) Legal Certification

Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC 100), 5600 Fishers Lane, Rockville, MD 20857. (2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.


In addition to this being part of the compliance solution planning process, a step can be added to the signing workflow to verify that a certification check is in place (by looking at a lookup list of authorized signers).

11.200 Electronic Signature Components and Controls

11.200 (a) Non-biometric Signatures

Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (1) (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (1) (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.


SharePoint supports variety of authentication mechanisms supporting 2 factor schemes (combination of user id and password). This includes windows integrated (NTLM and


100

Kerberos) authentication, basic authentication, forms authentication as well as Claims Based Authentication using SAML 2.0 tokens.

11.200 (b) Biometric Signatures

Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

How Microsoft Windows and Office 2013 addresses the requirement

There are 3rd party vendors who provide biometric-based authentication to the Windows system, including most major hardware vendors. With respect to the Office 2013 system, a biometric identity is handled as any other identity, as the biometric information is associated with either a username or a digital certificate. Regardless, a password is still required for authentication (in the case of electronic signatures), or a PIN is required for authentication (in the case of a Digital Certificate).

11.300 Controls for Identification Codes/Passwords Persons who use electronic signatures based upon the use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include the following:

11.300 (a) Uniqueness of identity

Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

How Microsoft Windows and Active Directory addresses the requirement

This is enforced by Windows or Active Directory if using integrated authentication and Basic authentication in an organization’s SharePoint setup. For detailed discussion as well as a step-by-step configuration guide of windows accounts and password policy, please refer to the articles listed in the Reference section of this paper. For Forms authentication, this is enforced by the authentication provider.

11.300 (b) Password Policy

Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

How Microsoft Windows and Active Directory addresses the requirement

Windows and Active Directory infrastructure can enforce password policy for complexity and expiration. Windows integrated authentication and Basic authentication can leverage this automatically. For detailed discussion as well as a step-by-step configuration guide of windows accounts and password policy, please refer to the articles listed in the Reference section of this paper.


101

A similar mechanism will need to be implemented by the authentication provider if Forms authentication is used.

11.300 (c) Deactivation of Users

Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.


Windows and Active Directory administrators can deactivate users, change users passwords, or require users to change passwords after issuing a temporary password. Windows integrated authentication and Basic authentication can leverage this automatically. These capabilities can be extended to Digital Signatures through Active Directory and the use of Microsoft Active Directory Certificate Manager.

11.300 (d) Unauthorized use of passwords or identification codes

Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report on an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.


The Microsoft Windows family of products, including Microsoft Windows Server 2012 and Windows 8 can both audit logon changes and failed attempts. Group policy can enforce account lockout policy to help to prevent brute force password guessing. Lockout policy is based on failed attempts for a time window and users can be locked out for specified times before they can attempt again (or not). Group policy can also enforce password policy to mitigate the risk of unauthorized credential use. Password policy can be set to enforce complexity of the password (including minimal length and combinations), password aging (expiration), and password history (reuse of previous passwords). Similar policies can be extended to Digital Certificates through the use of Microsoft Active Directory Certificate Services.

11.300 (e) Identification Code Device Testing

Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.


102


This should be part of the operational procedure that is written into the compliance policies and procedures.


103

Systems Validation and Compliance

Systems validation and compliance is covered in depth in a Microsoft whitepaper entitled “Validation and the Microsoft Platform”. The whitepaper covers the following topics:

Microsoft software development practices and how they map to the industry “v-model”

Installation Qualification methodology using Microsoft tools and system resources

Operational Qualification methodology using Microsoft tools and system resources

This whitepaper is available on MSDN at the Microsoft Life Sciences Developer Center

(http://msdn.microsoft.com/architecture/lifesciences).

http://msdn.microsoft.com/architecture/lifesciences

Configuring SharePoint 2010 for 21 CFR Part 11 Compliance · SharePoint 2013 Configuration Guidance...

Documents

Transcript of Configuring SharePoint 2010 for 21 CFR Part 11 Compliance · SharePoint 2013 Configuration Guidance...