Securing Knowledge and Collaboration Systems SharePoint 2010
Securing SharePoint platform
Uploaded by kenneth-barnes
Transcript of Securing SharePoint platform
2012 SharePoint Security Strategy
SharePoint Securing Strategy
University of North Carolina

Agenda
• Introductions
• The Importance of SharePoint Security
• Facets of SharePoint Security
• Resources
• Plan and strategy
• Q & A

What is SharePoint?
Goal: To create a secure SharePoint environment that will allow SharePoint to be used as a medium for collaboration
SharePoint is:
• “A Site-provisioning engine”
• A website
• A series of databases
• An application platform
• An integration possibility
SharePoint touches, and can touch:
• Your network
• Your Active Directory
• Your LOB systems
• Your organization as a whole
SharePoint is a platform with a large attack surface

What are your Next Steps
What needs/should be done:
• Secure the sites as dictated by best practices and policies
• Eliminate, and expand on, some of the vagueness in the SharePoint Security Policy
• All Departments/Schools need to go through the SharePoint security hardening process
• More intuitive provisioning process for Sites/Users/AD/OUs
• Implement technology solutions as indicated
    • Guest ID Management, UAG, Threat Management
• 3rd party solutions for overall auditing/reporting/compliance
• Review Department by Department (internally/externally)
    • Audit and assess to make sure best practices are put in place for security and risks
• Put a project plan or strategy plan in place
• Have individuals take ownership
• Create a Security Classification and Metadata Policy for the whole UNC Secured SharePoint Site
• Create a workflow and approval process
• Turn on audits and manage as dictated
• Develop and conduct training/education
• Implement overall User Experience
• Review what is available in the current environment and check for any sensitive data/content
• Review and optimize where applicable
    • Index, Search, Cache, Installed Components
• Upgrade and update F5
Cost should be defined:
• People
• Technology
• Process
• Your organization as a whole

SharePoint is Everywhere
• Over 20,000 new SharePoint seats have been added every day for 5 years
• Over 1,500 high profile websites on SharePoint
• SharePoint is becoming increasingly “organizational critical”
• It is as great as you want to make it
• Many universities are using SharePoint as a collaboration mechanism
SharePoint is commonly used, and can be used, for:
• Intranets
• Extranets
• Internet sites
• Application platforms
UNC SharePoint sites do not have to be UGLY

How can you do this
• Choose SharePoint
    • This phase involves deciding what is best to deploy: securing your current SharePoint farms, incorporating Office 365, or having a separate SharePoint farm for sensitive or non-sensitive content. Once this is decided you should have a strategy
• Third Party Solutions or assistance
    • Look at best practices and at cost savings where you can get the biggest ROI; don’t try to re-invent where it will cost UNC more development and more money in the long run with less ROI
• Pre-Deployment Planning
    • Focus on everything required to prepare for the migration of content
• Deployment
    • If you do the above, make sure that you communicate, train, and define policies and procedures
• Post Deployment
    • Make sure that you adopt and evangelize, and consider widespread adoption

University of Chicago
Various Related Links: Security and Best Practices

University of Denver Colorado
Various Related Links: Policies, Service Requests, Procedures

University of Akron
Various Related Links: SharePoint Advice

University of Louisville
Various Related Links:

Washington University (Medical base)
Reference:

Washington State University
Reference:

Edinburgh University
Reference:

Types of Security Threats
Threats we’re going to explore today:
• Data disclosure / theft
• Data loss
• System downtime
Types of attacks:
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Clickjacking
• Privilege escalation
• “Man in the middle” / replay attacks
• SQL injection
If it’s a threat to other websites or databases, it’s a threat to SharePoint

Facets of SharePoint Security

Plan for Security

Plan UNC Security
• Plan personas and define permission matrices
• Understand content and security contexts
• Determine authentication, SSO, and federation goals
• Use the SharePoint 2013 upgrade as an opportunity to apply governance in a new platform
    • SharePoint RTM release is December 2012
• Don’t expect the default settings to protect you
• Set up Kerberos
• Use Edge Servers
• Continue to validate and check again, and then check again

Anonymous Access
• Carefully decide if SharePoint is the right platform for anonymous access
    • Especially consider implications for public blogs and wikis
    • Consider what you want for public facing information
• Always use the site lockdown feature
    • “Get-SPFeature viewformpageslockdown”
• Further restrict pages using web.config and Edge Servers
    • E.g. Unified Access Gateway
• Add SharePoint to your website security testing
• Provide policy statements for external collaboration
• Consider using third party tools
• Don’t lock out the /_layouts path altogether
• Define security policies, make sure that they are not vague, and map them accordingly
    • Feature, WebParts, Solution, Documents, Records
• If you want to have an unsecured area, consider
    • Office 365
    • Separate farm

Authentication and Directory Security
• Synchronize only the AD users relevant for social features
• Don’t bring confidential information into user profiles
• Understand the impacts of third-party federation
• Track and block rogue SharePoint installations with “Service Connection Points”
• Develop a password change / managed account strategy
• Enterprise SharePoint people search results have no form of security trimming. If a user can see any people results, they can see them all.
    • Use Fast Search to incorporate a more robust security model and a more robust experience
• Don’t allow SharePoint site owners to rely on obfuscation or audience targeting to try and secure content.

Content Security
• Audiences are not security
    • Search content rollups make bypassing audiences simple
• Item-level permissions / broken permission inheritance should be the exception, not the rule
• Avoid using policies to override permissions
• PDFs = Pretty Dangerous Files
    • They should be managed and rules should be defined
    • Automated PDF generation from documents with proper security should be considered
• Consider Information Rights Management and auditing
• Having the ability to scan content for sensitive data is crucial
• Making sure that users are responsible
• Change management is crucial
• Training is crucial
• Any party who can manipulate SharePoint’s HTML directly or impersonate third party JavaScript can compromise the site.
    • This is a policy that should also be understood, and organization rules should be defined

Network Security
• Always use SSL for authenticated access
• Firewall all nonessential public ports
• Host all servers on the same VLAN
• Use IPSec for geo-distributed communication
• Be aware of “loopback check” implications
• Use GPO policies where applicable
• Close ports where applicable
• Update firmware where appropriate
    • E.g. Routers, F5, Firewalls

Application Security
• Never expose SharePoint’s application tier to the internet
• Don’t host Central Administration on a web front-end
• Isolate service accounts and use standard naming conventions
• Use multiple IIS application pools (but not too many)
• Never use CNAMEs
• Example security threats
    • InfoPath Forms Services web service proxy caches credentials, allowing subsequent users to impersonate preceding users if accessed directly
    • Access and Access Services in a secured SharePoint environment should use AD rather than internal groups and permissions
• Secure Store should be defined properly
• Security should be managed for Features and Solutions
• WebParts that are not in use should be purged
    • E.g. Fab 40

Database Security
• Isolate SharePoint databases from other systems
• Minimize the SQL surface area by disabling unneeded features
• Consider SQL 2008 “Transparent Data Encryption”
    • Performance impact, backup size impact, and file stream impacts
• Don’t leave SharePoint backups within the content database or on web front-ends
• Never back up using SharePoint Backup
    • SharePoint Designer backups are exported to the root of your SharePoint site as unencrypted CMP packages
• DPM should use encrypted backups and restores, and they should be verified
• Consider using SQL Server 2012 with more security possibilities

Connected System Security
• SharePoint 2010 added a new header called X-HealthScore for preventing Office client abuse. In public sites, it advertises server load. All SharePoint versions reveal their version number in a header by default.
    • Remove the X-HealthScore, MicrosoftSharePointTeamServices, and other identifying headers
• Leverage the Secure Store Service for safely accessing external systems via BCS
• Avoid reliance on Flash content
• Consider Forefront UAG endpoint security
• Set policies regarding data being stored offline
• Audit, report, assess, and do it again, and provision where applicable
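One way to confirm that the identifying headers are gone is to audit a captured response. This is an added example, not part of the original deck: the sample response is constructed, and every header name beyond the two on the slide (including `X-SharePointHealthScore`, the spelling the health-score header has on the wire) is an assumption about what counts as identifying.

```python
# Lower-case header name -> reason. First and third come from the slide; the rest are assumptions.
DISCLOSING = {
    "x-healthscore": "advertises server load (name as given on the slide)",
    "x-sharepointhealthscore": "advertises server load (on-the-wire name)",
    "microsoftsharepointteamservices": "reveals the SharePoint build number",
    "x-powered-by": "reveals ASP.NET",
    "x-aspnet-version": "reveals the .NET runtime version",
    "server": "reveals the web server product and version",
}

# Constructed sample, modelled on an unhardened SharePoint 2010 front end.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-SharePointHealthScore: 3\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "MicrosoftSharePointTeamServices: 14.0.0.4762\r\n"
    "\r\n"
    "<html>...</html>"
)

def parse_headers(raw):
    """Return [(name, value)] from a raw HTTP response, tolerating bare LF."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:                            # ignore malformed lines
            pairs.append((name.strip(), value.strip()))
    return pairs

def audit(raw):
    """Return (header, value, reason) findings; names match case-insensitively."""
    return [(n, v, DISCLOSING[n.lower()])
            for n, v in parse_headers(raw) if n.lower() in DISCLOSING]

def health_score(raw):
    """Return the advertised load as an int, or None if the header is absent."""
    for name, value in parse_headers(raw):
        if name.lower() in ("x-healthscore", "x-sharepointhealthscore"):
            return int(value) if value.isdigit() else None
    return None

if __name__ == "__main__":
    for name, value, reason in audit(SAMPLE_RESPONSE):
        print(f"{name}: {value}  <- {reason}")
```

An empty result from `audit` on responses captured from each public web application is the pass condition; run it again after patching, since updates can restore default headers.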

SharePoint Gaps
• SharePoint activity monitoring lacks an intuitive, easy-to-use interface for reporting and analytics. Without a third-party solution, businesses must first decode SharePoint’s internal representation of log data before they can access meaningful information.
• SharePoint activity auditing does not provide the ability to automatically analyze access activity and respond with an alert or block.
• SharePoint does not include Web application firewall protection.
• SharePoint enforces access controls for files using Access Control Lists (ACLs). What makes native permissions challenging, however, is that SharePoint lacks an automated way to ensure that ACLs remain aligned with business needs.
Security Data Governance Model

UNC Example Farm
[Diagram: University of North Carolina Communities]
• Not sensitive social communities: Office 365
• Secured enterprise collaboration capabilities: https://share.unc.edu
• Capabilities shown: Shared Calendars, Discussion Board, Task Lists, Surveys, Versioning, Document Libraries, Podcasting, Comments, Microblogging, Blogs, Tags, Profiles, Wikis, Ratings, Records

SharePoint is currently used at UNC as a collaboration platform for internal UNC enterprise initiatives
SharePoint enables UNC to:
• Deliver the best productivity experience
• Cut costs with a unified infrastructure
• Rapidly respond to business needs
• Depend less on other departments
SharePoint does this by providing capabilities:
• Sites, communities, content, search, insights and composites

Jump start UNC efforts
• Get ahead of all SharePoint deployments
    • Implement a SharePoint governance policy
    • Put security requirements in place when SharePoint instances go live
    • Look beyond native SharePoint security features
    • Specify what kind of information can be put on SharePoint
    • Only use Features that you want to include
    • Train and educate
    • Implement your SharePoint in phases and iteratively
• Concentrate on business-critical assets first
    • Start with regulated, employee, or proprietary data, and intellectual property
    • Streamline access to a “UNC need-to-know” level
    • Identify and clean up dormant users and stale data
    • Alert on unauthorized access
    • Establish a regular review cycle for dormant users, stale data, and excessive rights

Plan the strategy for UNC efforts
• Work with data owners to manage user access
    • Locate and define data/content owners
    • Create permission reports so data owners and stakeholders have visibility into who can access their data
    • Validate with owners that access to data is legitimate
    • Create usage reports so owners can see who is accessing their data
• Protect Web sites from external attack
    • Identify SharePoint Web applications that work with sensitive data
    • Deploy a Web application firewall to monitor and protect sensitive SharePoint Web sites, portals, and intranets
    • Respond to suspicious activity such as external users accessing admin pages
    • Monitor with F5, UAG, and monitoring tools

Refine the strategy for UNC Efforts
• Enable auditing for compliance and forensics
    • Who owns this data?
    • Who accessed this data?
    • When and what did they access?
    • Have there been repeated failed login attempts?
• Keep rights aligned with business needs.
• Free up storage space and reduce the amount of data that must be actively managed.
• Streamline and automate regulatory compliance
• Monitor, control, and respond to suspicious activity in real time
• Balance the need for trust and openness with security concerns
• Understand who has access to what data or, conversely, what data any given user or group can access, and how that access was assigned or inherited.
• Simplify the process of identifying where excessive access rights have been granted, if there are dormant users, and who owns each item and document.
• Help administrators and data owners establish a baseline snapshot of access rights and conduct rights reviews.

Custom Development Security
• Build security testing into the SDLC for all custom and third-party components
• Take advantage of CAS policies and the ULS logs
• Utilize sandbox solutions whenever possible
• Minimize use of RunWithElevatedPrivileges()
• With SharePoint 2010, JavaScript is now the biggest threat
    • Silverlight is a threat
    • SharePoint is using HTML 5.0
• Avoid fines associated with noncompliance, and data breaches
• Avoid disclosing breaches for data that is lost or stolen (and which is encrypted)
• Secure sensitive information of all kinds, including trade secrets, IP, UNC information, personnel files, healthcare records, PII, FERPA, etc.
• Broaden the usage of SharePoint to include even the most sensitive content while being assured this sensitive content is strongly protected

Security Maintenance and Monitoring
• Keep SharePoint, Windows, and SQL patched to latest service packs
    • Make sure any other application that is integrated is up to date
    • Make sure that 3rd party tools are up to date
    • Make sure a testing system is available
• Deploy server-side virus protection
    • E.g. Forefront for Threat Management
    • Use to interface with SharePoint for uploading/downloading
• Use System Center Operations Manager with SP health rules to monitor for performance spikes or errors related to attacks
• Build security assessments and spot checks into other SharePoint maintenance plans
    • Familiarize self with “Site Permissions > Check Permissions”
    • Use the best practices that were defined in your Security Strategy
    • Use 3rd party tools to assist with managing this as well as auditing

Considerations and Summarizations
• Work with each of your departments/Schools/Organization to quantify SharePoint investment
• Use an overall User Experience
• Consider 3rd party solutions to fortify your sensitive SharePoint environment
    • HiSoftware Titus Quest Qumus Control Metalogix Cipher Point
• Create a pristine system and move to it with functionality
• Have a training process in place
• Continue to update the SharePoint Security Strategy
• Have a change management process in place
• Put a plan in place and DO IT!
Q & A