Preventing Security Leaks in SharePoint with Joel Oleson & Christian Buckley
Tech Ed 2006 South East Asia Security And Compliance by Joel Oleson
Transcript of Tech Ed 2006 South East Asia Security And Compliance by Joel Oleson
Microsoft Office SharePoint Server 2007 Security, Compliance and Policy from Service Accounts to Item Level Permissions
Joel Oleson
Sr. Product Manager
Key Takeaways
• Learn in this session
  – Configure authentication
  – Manage permissions
  – Securely configure your web farm
  – Enable auditing for compliance
  – Manage retention policies
  – Report on security related events
Agenda
• Agenda
  – Intro… SharePoint Products & Technologies
  – Windows and ASP.NET authentication
  – Managing security
  – Compliance from bottom to top
  – Web farm Configuration
  – Questions?
SharePoint 2007 Feature Areas
• Collaboration – Docs/tasks/calendars, blogs, wikis, e-mail integration, project management “lite”, Outlook integration, offline docs/lists
• Portal – Enterprise Portal template, Site Directory, My Sites, social networking, privacy control
• Search – Enterprise scalability, contextual relevance, rich people and business data search
• Content Management – Integrated document management, records management, and Web content management with policies and workflow
• Business Forms – Rich and Web forms based front-ends, LOB actions, pluggable SSO
• Business Intelligence – Server-based Excel spreadsheets and data visualization, Report Center, BI Web Parts, KPIs/Dashboards
• Platform Services – Workspaces, Mgmt, Security, Storage, Topology, Site Model
User Authentication
• Authentication = Who are you?
  – User identity
  – User groups/roles as defined by the directory
  – Same in WSS and MOSS!
• Windows
  – Windows integrated, Basic, Digest, etc.
• ASP.NET Pluggable Authentication
  – Forms – locally hosted login form
  – Web SSO – remotely hosted login form
Windows Authentication
• Provided by IIS – SharePoint consumes
• Windows Integrated
  – Kerberos/Negotiate
  – NTLM
• Basic
• Digest
• Certificates (Must use IIS to configure)
Configuring Kerberos
• KDC Service Principal Name must match SharePoint application pool account
ASP.NET Authentication
• Pluggable authentication framework
  – User identity is independent from Operating System (OS) identity
  – Custom code to handle authentication
  – Two related providers
    • Membership – user identities
    • Role – roles/groups/attributes for a user
• Out-of-the-box providers
  – LDAP (Office SharePoint Server)
  – SQL Server (ASP.NET)
  – AD – single domain only (ASP.NET)
ASP.NET Pipeline
[Diagram. Components: Authentication Module, Role Manager, Membership Provider, SharePoint Content Database, User/Group Directories. Labelled flows: User Identity, Client Redirects, Groups/Roles, Authorization, Invitations.]
Web.config

<membership>
  <providers>
    <add name="YourMembershipProviderName" connectionStringName="YourConnectionString" … />
  </providers>
</membership>
<roleManager>
  <providers>
    <add name="YourRoleProviderName" connectionStringName="YourConnectionString" … />
  </providers>
</roleManager>
<connectionStrings>
  <add name="YourConnectionString" connectionString="data source=127.0.0.1;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
</connectionStrings>
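
A review check for the provider wiring shown on this slide, added here as an example and not part of the original deck: it confirms that every membership and role provider points at a connection string that exists and that the string uses integrated security, as the slide's does, instead of stored SQL credentials. The provider names, connection names and the sample file are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment; provider and connection names are hypothetical.
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="AspNetDb" connectionString="data source=127.0.0.1;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
    <add name="LegacyDb" connectionString="data source=127.0.0.1;User ID=sa;Password=example;Initial Catalog=aspnetdb" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="FbaMembers" connectionStringName="AspNetDb" />
      </providers>
    </membership>
    <roleManager>
      <providers>
        <add name="FbaRoles" connectionStringName="LegacyDb" />
        <add name="OldRoles" connectionStringName="Missing" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""

def parse_conn(value):
    """Split 'key=value;key=value' into a dict with lowercase keys."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_providers(xml_text):
    """Return (section, provider, problem) for each badly wired provider."""
    root = ET.fromstring(xml_text)
    conns = {a.get("name"): parse_conn(a.get("connectionString", ""))
             for a in root.findall("./connectionStrings/add")}
    findings = []
    for section in ("membership", "roleManager"):
        for add in root.findall(f".//{section}/providers/add"):
            name, ref = add.get("name"), add.get("connectionStringName")
            if ref not in conns:
                findings.append((section, name, "unresolved connection string"))
            elif {"password", "pwd"} & conns[ref].keys():
                findings.append((section, name, "stored SQL credentials"))
            elif conns[ref].get("integrated security", "").lower() not in ("sspi", "true"):
                findings.append((section, name, "no integrated security"))
    return findings
```
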
ASP.NET Authentication Limitations
• Browser clients only
  – Search crawler must use Windows
  – Office client interaction degraded
• One authentication type per web application
  – No Windows and Forms in same domain
  – One provider pair per domain
• Forms over Windows accounts
  – Forms user not same as Windows user
Authentication & Alternate Access Mappings
Sample Deployment Governance Model
[Diagram labels:]
• Permanent: Enterprise Search; News; KPIs - Business Intelligence
• Corporate Business Taxonomy With Divisional Stakeholders
• Exists with AD User
• Ad hoc Self Service w/ Retention Policies
• Permanent: Business Process Management; Dashboards; Division Scoped Search; Group Reporting & Scorecards; Site Directories & Site Maps
• As Needed: Document & Records Mgmt; Aggregation; Project Reports
• Short Lived: Collaboration
• Semi Permanent: Private & Shared; Contextual Collab
Common Information Management Roles
• Information Worker – Consumes and creates content
• Site Administrator – Creates lists, manages site roles & manages permissions
• Business Owner/Application Owner – Responsible for architecting the departmental top down solution for Enterprise Search, Profiles, Site Hierarchy/Site Map, Site Directory, branding
• IT Pro/Farm Administrator – Manages the Server Farm, installs & deploys servers, web parts, manages capacity planning
Administrative Architecture
• Three Tier Admin
  – Web-based
  – Role & task delineated
  – Controlled delegation
  – Secure isolation
• Central Admin
  – Authentication
  – Security Policies
  – Farm Configuration
• Shared Services
  – Service Authorization
  – Service Configuration
  – MOSS only
• Site Settings
  – Content Authorization
• Admin roles shown: Content Admins, IT Admins, Shared Content Admins
Site Topologies
Portals are Sites with a special template and *features*
[Diagram labels: Office SharePoint Server; Web Application(s); SSP Admin; Central Admin; Portal Template; Portal Template.]
Authorization Tools
• Authorization = What can you do?
[Diagram labels: SharePoint Content; Configuration; Data Services.]
What can you view, update, delete, and customize?
What services and tools can you use?
What rules are enforced everywhere in the application?
Permissions Management
• Group-based permissions management
• Role-based permissions management
• Fine-grained permissions control
  – List, library, folder, item, and document
• Anonymous access
• Security trimmed user interface!
• Explicit access denied experience!
SharePoint Groups
• New permissions management experience
  – Three default groups
    • Owners – full control
    • Members – contribute to existing lists and libraries
    • Visitors – read only
  – Integrated with user information list
• SharePoint groups can be assigned permissions anywhere in the site collection
• Group administration scales better
Permission Levels
• Collections of rights, not people
  – Full Control – Has full control
  – Design – Can view, add, update, delete, approve, and customize
  – Contribute – Can view, add, update, and delete
  – Read – Can view only
• Customizable
• Inheritable across site collection
Fine Grained Permissions
• New securable objects
  – Web site
  – Lists and libraries
  – Folders within list or library
  – Document or list item
• Consistent user interface top to bottom
  – Permission levels
  – Inherit from parent or unique permissions
Site Collection Administrators
• Users with full control over all content in the site collection
  – Fix lock out problems
  – Recover items from 2nd stage recycle bin
  – Cannot be removed from permissions
New Permissions
• Edit User Information – display name, e-mail, etc.
• Approve Items – promote minor to major version
• View Versions
• Delete Versions
• Create Alerts – separated from view items
• Manage Alerts – create alerts for other people
• Enumerate Permissions – read, but not change
• Open Items – view source of server files (ASPX)
• View Application Pages – e.g. _layouts pages
• Use Remote Interfaces – e.g. SOAP
• Use Client Integration Features – e.g. Office
Permissions Management
Shared Services
• Business data catalog
  – Impersonation/delegation
    • Kerberos constrained delegation
    • Office server SSO
  – Trusted subsystem
• Excel trusted locations
• User profile rights
  – Property visibility
• Audiences are NOT for security
Shared Services Provider
Resource optimization
Security isolation
Delegation of administration
Can be shared across farms
Shared Services
[Diagram: four Web App boxes (CorpWeb, WinWeb, OfficeWeb, LegalWeb) and four App Pool boxes around a Shared Services block listing Office Server Search, Directory import, User profile synch, Audiences, Targeting, Business data catalog, Excel calculation service, Usage Reporting.]
Shared Services: Audiences
Security Policy
• Centrally enforced permissions for all sites in the web application
  – GRANT and DENY
  – Bound to web application/zone
• Scenarios
  – Full read – search crawling accounts, auditors, legal compliance
  – Deny all – security control, regulatory compliance
  – Deny write – extranet lockdown
Business Benefits
Reduce costs of retrieving information for legal discovery
Reduce risk of non-compliance and legal liability
Retain vital records for business continuity
Compliance
• Auditing
  – Content Modifications
  – Content Viewing
  – Deletion
  – More
• Bar Codes (for tracking)
• Expiration
• Security Report
• Policy Modification
• Custom Report
Organizational Styles
[Diagram labels: Distributed; Structured; Autonomous; Library; Folder; Site; Library; Server; Site Collection; Document Center; Portal\Team Site; Records Repository.]
Managing Collaborative Spaces
[Diagram labels: Office SharePoint Server; Sales; Asia Pacific Region; Employment Claims; Contracts.]
• Content Types to classify content
• Policies to audit and expire information
• Server-side IRM
• Declared records sent to Records Repository

Records Repository
[Diagram labels: Records Manager; Records Repository; Contracts; Asia Pacific Region; Financials; Mortgage; Doc Mgmt Systems; Physical Assets; E-mail/services Interface.]
• Records Repository template
• Transfers document context
• Configure policies as per retention schedule
• Configure repository as per file plan
Compliance Auditing
Web Farm Configuration
• Application pool accounts
  – Full control over content
  – Act as the “SharePoint\system” account
• Timer service accounts
  – Timer
  – Admin Service – must run as Local System
• SQL Servers
  – Kerberos SPN issue applies here too!
Security Configuration
• Rights mask
• Blocked file types
• Form digest timeout
• Safe control list
• Code access security
• Code execution paths
• Virus scanning
Office Server SSO
• Credentials for server-to-server hop
• Unique or shared
[Diagram labels: Client; SharePoint; External Data; Credentials.]
Admin Access To Data
• Central administrators no longer have default full access to content
• Central administrators can grant themselves access to any content
  – Security policy
  – Site collection owners/administrators
  – Both actions are audited in NT Event Log
WSS Topology
[Diagram labels: Router; Web Servers; Content DB; Config DB; Search.]
MOSS Shared Services
[Diagram labels: Router; Web Servers; Content DB; Config DB; App Servers: Index, Query, Excel, InfoPath, User Profile, etc.; Shared Services DB.]
Example Multi-Farm Topology
Configuration Best Practices
• Unique accounts
  – Central administration
  – Shared services process
  – Shared services shared web service account
  – Content app pools
• Kerberos on (default = NTLM)
  – Each process account must be a registered SPN to work
  – SQL 2005 defaults to Kerberos with non-system process ID!
• SSL enabled (default = off)
  – Turn on for admin sites and server to server
  – Warning provided on credentials pages if SSL is off
• SPAdmin service
  – Single server: Off (recommend ‘On’ for OSS)
  – Farm: On
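
The first three practices above, expressed as a farm inventory audit. This is an added example, not from the original deck: host names, accounts and the inventory layout are constructed, and the expected SPN is assumed to be HTTP/<host name> with no port.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample inventory; hosts and accounts are hypothetical.
WEB_APPS = [
    {"name": "Central Administration", "url": "http://admin.contoso.example:8080",
     "account": r"CONTOSO\svc-farm", "auth": "NTLM", "admin": True},
    {"name": "Shared Services", "url": "https://ssp.contoso.example",
     "account": r"CONTOSO\svc-ssp", "auth": "Kerberos", "admin": True},
    {"name": "Portal", "url": "https://portal.contoso.example",
     "account": r"CONTOSO\svc-portal", "auth": "Kerberos", "admin": False},
    {"name": "Team Sites", "url": "https://teams.contoso.example",
     "account": r"CONTOSO\svc-portal", "auth": "Kerberos", "admin": False},
]
# Constructed SPN registrations as (SPN, owning account) pairs.
SPNS = [
    ("HTTP/ssp.contoso.example", r"CONTOSO\svc-ssp"),
    ("HTTP/portal.contoso.example", r"CONTOSO\svc-portal"),
    ("HTTP/teams.contoso.example", r"CONTOSO\svc-teams"),
]

def audit_farm(web_apps, spns):
    """Return (finding, web application) pairs for the slide's practices."""
    findings = []
    owners = defaultdict(set)              # SPN -> accounts it is registered to
    for spn, account in spns:
        owners[spn.lower()].add(account.lower())
    by_account = defaultdict(list)         # account -> web applications using it
    for app in web_apps:
        by_account[app["account"].lower()].append(app["name"])
        parts = urlsplit(app["url"])
        if app["admin"] and parts.scheme != "https":
            findings.append(("ssl-off", app["name"]))
        if app["auth"] != "Kerberos":
            findings.append(("kerberos-off", app["name"]))
            continue
        # Assumption: the SPN is built from the host name only.
        registered = owners.get(f"http/{parts.hostname}", set())
        if not registered:
            findings.append(("spn-missing", app["name"]))
        elif registered != {app["account"].lower()}:
            findings.append(("spn-mismatch", app["name"]))
    for account, names in by_account.items():
        if len(names) > 1:
            findings.append(("shared-account", ", ".join(sorted(names))))
    return findings
```
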
Session Summary
• Pluggable authentication
  – Windows – Kerberos, NTLM, Basic
  – ASP.NET – Forms and Web SSO
• Managing permissions
  – Site settings: Site, list, folder, and item
  – Shared services
  – Central admin policies and configuration
• Web farm configuration
  – Application pool accounts
  – Other process accounts
Call To Action
• Use Kerberos!
  – More secure than NTLM
  – Better performance than NTLM
• Evaluate Authentication
  – Ready for Forms authentication?
• Evaluate content topology
  – Do folder and item level permissions change how you deploy SharePoint content?
• Model your groups
References
• Kerberos Protocol Transition and Constrained Delegation
• ASP.NET Developer Center: Provider Toolkit
• SharePoint Server 2007 Tech Center
• Planning Logical Architecture
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.