IW316: Securing SharePoint Technology • Joel Oleson, Sr. Technical Product Manager, Microsoft Corporation • http://blogs.msdn.com/joelo
Agenda • Site Collection and below… • Demo: Site Permissions and Item level security • Web App Security • Demo: Web Application Policies • Farm Security • Demo: Forms based authentication • Summary • Q/A
Site and List Security: Data Protection
Item Level Security and Security Trimming • Permissions can be set from the site collection down to individual objects. • By default, permissions are inherited from parent to child objects. • 33 default permissions can be assigned to a user or SharePoint group. • Permissions can be specified on individual items. • Returned search results are mapped back to the security context of the requesting user. • These controls trim the UI so that each user sees only what their own security context permits.
Permission Management Architecture • Sets permissions for SharePoint users, groups, and domain groups. • Default groups include: • Owners (get full control) • Visitors (get contributor rights) • Members (get read rights) • Custom groups can be created and managed by site collection. • Group membership is consistent within the site collection. • Custom groups are reusable across different project sites.
Demo: Site Permissions and Item Level Security
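The demo above sets item-level permissions through the browser UI. The script below is an added example, not code from the slides or from the SharePoint product team, showing the same operation through the WSS 3.0 / MOSS 2007 object model from PowerShell 2.0: it breaks inheritance on one list item, grants a SharePoint group the Read permission level, and then checks the security trimming result for the current user. It assumes it runs on a farm server under an account with rights on the site; the site URL, list name, item ID and group name are placeholders.

```powershell
# Added example (not from the slides): item-level permissions via the SharePoint object model.
# Assumes PowerShell 2.0 on a MOSS 2007 / WSS 3.0 server; all names below are placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl   = "http://contoso"          # placeholder site collection URL
$listName  = "Shared Documents"        # placeholder document library
$itemId    = 1                         # placeholder list item ID
$groupName = "Contoso Auditors"        # placeholder SharePoint group (must already exist)

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
try {
    $web  = $site.OpenWeb()
    $list = $web.Lists[$listName]
    $item = $list.GetItemById($itemId)

    # The item inherits from the library until inheritance is broken. Passing $true
    # copies the parent's role assignments, so existing access is the starting point
    # and only the assignments changed below differ from the library.
    if (-not $item.HasUniqueRoleAssignments) {
        $item.BreakRoleInheritance($true)
    }

    $group = $web.SiteGroups[$groupName]
    if ($group -eq $null) { throw "SharePoint group '$groupName' not found in $siteUrl" }

    # Bind the group to the built-in Read permission level on this item only.
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
    $item.RoleAssignments.Add($assignment)

    # Report the item's role assignments so the change can be verified.
    foreach ($ra in $item.RoleAssignments) {
        $roles = @()
        foreach ($rd in $ra.RoleDefinitionBindings) { $roles += $rd.Name }
        "{0,-30} {1}" -f $ra.Member.Name, [string]::Join(", ", $roles)
    }

    # Security trimming check: this is the same test the UI and search use to decide
    # whether the current user may see the item at all.
    $canView = $item.DoesUserHavePermissions([Microsoft.SharePoint.SPBasePermissions]::ViewListItems)
    "Current user can view item {0}: {1}" -f $itemId, $canView

    $web.Dispose()
} finally {
    $site.Dispose()
}
```

Breaking inheritance is the step that makes the item diverge from its library; once done, later changes to the library's permissions no longer flow down to it, which is why the listing loop is worth keeping in any script that does this at scale.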
Information Rights Management (IRM) • Protects sensitive information at the client level, even when business information is taken offline. • This may be essential in order for companies to deal with regulations, such as privacy legislation • Ensure that all the requirements are met in the environment: • Windows Rights Management (WRM) Services Client on MOSS Web servers. • Microsoft Rights Management Services (RMS) connectivity to the SharePoint farm. • Configuration enabled in SharePoint Central Administration then configured in the list or library
SharePoint List and Library IRM integration • IRM integrates with lists through the rights management framework. • IRM imposes access restrictions on the content itself: “no matter where it is stored or who tries to open it”. • A common IRM policy permits authorized viewing or printing only. • A “protector” provides the IRM functionality. Several are installed with MOSS. • A protector manages the encryption process for all file types stored in MOSS. • The architecture supports pluggable protectors for other file types.
IRM Scenarios • Example: a user requests a rights-managed document from a MOSS 2007 integrated IRM protector. • Extended IRM scenarios include: • Re-verifying user credentials after a certain time period • Disallowing upload of assets that do not use IRM • Scheduling an expiration tag to drop the restriction policy • Binding to a global organization IRM permission policy
IRM Implementation • IRM works directly with SharePoint data store structures such as document libraries to maintain permissions: • A user navigates to an IRM-enabled document library and attempts to download a document. • IRM binds the library's roles to the documents it contains. • The protector encrypts the document and adds an issuance license. • Result: a 1:1 mapping between item permissions and document permissions. • SharePoint roles on the document translate into IRM permission levels on the document. • The document is encrypted locally for offline protection.
Content/Audience Targeting • Web Parts and content can be targeted to: • Global Audiences (SSP Audience Configuration), based on Active Directory attributes, pluggable ASP.NET membership provider attributes, or profile attributes; compiled in a recurring timer job • SharePoint Groups: groups defined from the users and groups in the site's permission levels • Distribution/Security Groups • My Site secure location targeting • NOTE: Targeting does not equal permissions or rights
Secure Collaboration • Common Services control access to stored information. • Lockdown permits users to access the authorized information only: • Binds an identity to a specific object – from a site collection to a document or list. • Enforces granular access controls and explicit membership to an item. • UI shows accessible items only.
Web Application Security: Authentication and Authorization
Pluggable Authentication Provider • MOSS integrates ASP .NET 2.0 pluggable authentication for Windows and non-Windows. • Supports shipped, Windows-based authentication methods. • Sets up Internet-facing SharePoint authentication. • Enables pluggable authentication providers built on ASP.NET 2.0 membership architecture. • ASP.NET 2.0 pluggable providers can employ membership data stores including: • LDAP Directories • SQL Database • Oracle or other ADO.NET/ODBC Compliant data sources • XML files or Flat text files
ASP .NET 2.0 Membership Provider • Supports configurable directories in a member data store. • Stores pluggable provider credentials in the machine.config file. • Membership providers include: • LDAP V3 directory (with MOSS) • SQL Server • Active Directory (ASP .NET 2.0) • Pluggable membership providers: • Inherit from the ASP.NET MembershipProvider interface; • This interface inherits from the ProviderBase class.
Considerations for ASP .NET Authentication • Authentication types that do not resolve to a Windows identity must use a zone. • A mandated PKI infrastructure, such as one for smartcards, typically resolves to a Windows identity. • PKI implementation may require a zone or other configuration. • Browser clients only • The search crawler must use Windows authentication • Office client interaction is degraded • Forms and Windows accounts: a forms user is not the same as a Windows user • Diagram: Company A (Windows Authentication) vs. Company B (Non-Windows Authentication)
Pluggable Single Sign-On (SSO) • The MOSS SSO service provides an encrypted back-end cache of users' credentials for mapping to connected LOB systems. • Aids in retrieving critical information through MOSS mechanisms: • Business Data Catalog (BDC) • SharePoint DataView Web Parts (DVWP) • Can specify a pluggable SSO provider, instead of SpsSsoProvider. • Registers only one SSO provider per LOB system at a time.
Forms-Based Authentication • Utilizes pluggable authentication and role providers to enable Internet-style security. • Supports a customized login process geared to users' needs. • Forms authentication cookies and authentication tickets are encrypted and tamper-proof. • The form identity provider, called Web SSO, can plug into an external identity management system.
FBA Web Single Sign-On • Employs an HTTP module for external authentication. • Allows external partners to authenticate using their own user credentials. • Delegates login and password reset to the provider. • Web SSO authentication requires an extranet zone. • Diagram: Partner Application
Alternate Access Mappings • Ensures that internal and external URL mappings work correctly. • The URL is mapped by default, but can be extended to additional URLs. • Alternate URLs can be mapped to one physical path. • Zones can use different authentication providers and Web application security policies. • Compensates for different application domains, reverse proxies, and other URL redirection mechanisms. • Diagram: intranet users reach http://contoso or http://MOSS; extranet users reach http://extranet.contoso.com
Zones in Alternate Access Mapping (AAM) • A zone maps a Web application to a single set of content databases, allowing greater control over AAM. • Zones use the AAM URL to map different authentication providers to the same physical path and MOSS content. • Recommended: bind each zone to an authentication mechanism. • A URL that maps to a zone not listed on the authentication providers page uses the security setting of the Default zone. • Recommended: place the most publicly accessible URL in the Default zone, whether that is intranet, Internet, custom, or extranet.
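The zone and AAM rules above, plus the forms-based authentication binding from the previous slides, can be applied from the command line with stsadm. The script below is an added example, not from the slides or the SharePoint product team. It assumes the web application has already been extended into the Extranet zone at the extranet URL through Central Administration, that the membership and role providers named are already registered in that zone's web.config, and that all URLs, provider names and the stsadm path are placeholders.

```powershell
# Added example (not from the slides): AAM and zone authentication with stsadm on MOSS 2007.
# Assumes the web application is already extended into the Extranet zone; names are placeholders.
$stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\stsadm.exe"

$defaultUrl    = "http://contoso"               # Default zone, Windows authentication
$intranetAlias = "http://moss"                  # second URL intranet users type (placeholder)
$extranetUrl   = "http://extranet.contoso.com"  # Extranet zone, forms-based authentication
$membership    = "ContosoSqlMembership"         # placeholder ASP.NET membership provider name
$roleManager   = "ContosoSqlRoles"              # placeholder ASP.NET role provider name

# 1. Add a second internal URL to the Default zone. Both http://contoso and http://moss
#    now resolve to the same content databases, and links SharePoint generates are
#    rewritten to whichever URL the user arrived on.
& $stsadm -o addalternatedomain -url $defaultUrl -urlzone default -incomingurl $intranetAlias

# 2. Bind the Extranet zone to forms-based authentication. Forms users are distinct
#    identities from Windows users, so the Default zone keeps Windows authentication
#    for the search crawler and Office client integration while partners use the
#    forms zone. Omitting -enableclientintegration keeps rich-client features off
#    for the forms zone, which is the conservative setting for an extranet.
& $stsadm -o authentication -url $extranetUrl -type forms `
    -membershipprovider $membership -rolemanager $roleManager

# 3. Verify: list every alternate access mapping of the web application.
& $stsadm -o enumalternatedomains -url $defaultUrl
```

The verification step matters because a URL that reaches the farm without a matching AAM falls through to the Default zone's security settings, as the slide notes; the listing shows exactly which incoming URLs are bound to which zone.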
SharePoint Web App Security Policies • Centrally enforced permissions for all sites in the web application • GRANT and DENY • Bound to a web application/zone • Scenarios: • Full read: search crawling accounts, auditors, legal compliance • Deny all: security control, regulatory compliance • Deny write: extranet lockdown • Overrides the granular item-level permission settings; managed from the SharePoint Central Administration interface.
Demo: Web Application Policies
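The policies shown in the demo are created in Central Administration. As an added example that is not code from the slides or the SharePoint product team, the script below creates the two policies the scenarios slide describes through the object model: a Deny Write policy for a partner domain group bound to the Extranet zone, and a Full Read policy for the search crawl account on the Default zone. It assumes PowerShell 2.0 on a MOSS 2007 farm server with farm administrator rights; the web application URL, group and account names are placeholders.

```powershell
# Added example (not from the slides): web application security policies via the object model.
# Assumes PowerShell 2.0 on a MOSS 2007 farm server; URL, group and account are placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$webAppUrl    = "http://contoso"             # placeholder web application URL (Default zone)
$partnerGroup = "CONTOSO\Extranet Partners"  # placeholder domain group
$crawlAccount = "CONTOSO\svc-search"         # placeholder search crawl account

$ns     = "Microsoft.SharePoint.Administration"
$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup((New-Object Uri($webAppUrl)))

# Deny Write on the Extranet zone only: partners keep whatever read access site owners
# grant them, but a policy DENY wins over every item-level GRANT in that zone.
$denyWrite  = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyWrite)
$extranet   = $webApp.ZonePolicies([Microsoft.SharePoint.Administration.SPUrlZone]::Extranet)
$policy     = $extranet.Add($partnerGroup, "Extranet partners (deny write)")
$policy.PolicyRoleBindings.Add($denyWrite)

# Full Read on the Default zone for the crawler: it can index everything without
# being added to each site, and results are still trimmed per user at query time.
$fullRead   = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
$default    = $webApp.ZonePolicies([Microsoft.SharePoint.Administration.SPUrlZone]::Default)
$crawl      = $default.Add($crawlAccount, "Search crawl account (full read)")
$crawl.PolicyRoleBindings.Add($fullRead)

# Persist to the configuration database; without Update() nothing is saved.
$webApp.Update()

# Verification: list every policy per zone so reviewers can see what is enforced where.
foreach ($zone in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
    foreach ($p in $webApp.ZonePolicies($zone)) {
        $roles = @()
        foreach ($r in $p.PolicyRoleBindings) { $roles += $r.Name }
        "{0,-9} {1,-35} {2}" -f $zone, $p.UserName, [string]::Join(", ", $roles)
    }
}
```

Because a DENY policy overrides site-level grants, the listing at the end is the check to run whenever users report unexpected "access denied" errors in one zone but not another.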
Encryption of Application Connection Strings • Storing connection string data in plain text in the web.config file creates a security vulnerability. • ASP.NET 2.0 functionality can be used to encrypt application connection string data using either: • Windows Data Protection API (DPAPI): Encrypts and decrypts using the MOSS server machine key. • RSA encryption: Uses public key algorithms, but adds appropriate containers for the encryption keys. • Pluggable encryption providers can use different encryption tools.
Connection String Encryption Best Practices • For MOSS 2007 with a pluggable SQL Server authentication provider, encrypt the <connectionStrings> node as cipher text: • DPAPI uses native machine key encryption for either a virtual directory or a physical directory. Use the following commands: • Encrypt the connection strings node, specifying the section parameter:
Connection String Encryption Best Practices (continued) • After implementation, the nodes containing sensitive information are replaced by well-formed XML cipher values. • This pluggable model can support custom encryption providers to manage cipher text for the relevant MOSS configuration files. • Considerations: • A node encrypted with the local machine key can only be decrypted on the server on which it was created. • If an intruder gained access to the server and retrieved the machine key, they could decrypt the connection string. • Decryption causes a minor application performance hit.
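The two slides above describe the procedure without the commands. The script below is an added example, not from the slides or the SharePoint product team, that runs the .NET Framework 2.0 tool aspnet_regiis.exe against a web application's physical directory with either the DPAPI provider or the RSA provider, and then checks that the section really was replaced by an EncryptedData element. It assumes .NET Framework 2.0 on the server, that the application pool runs as NETWORK SERVICE, and the physical directory and key export path are placeholders.

```powershell
# Added example (not from the slides): encrypting <connectionStrings> with aspnet_regiis.exe.
# Assumes .NET Framework 2.0; directory, export path and app pool identity are placeholders.
$regiis  = Join-Path $env:windir "Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
$vdir    = "C:\inetpub\wwwroot\wss\VirtualDirectories\80"   # placeholder physical directory
$section = "connectionStrings"
$useRsa  = $false   # $false: DPAPI (this machine only); $true: RSA key container (shareable)

function Test-SectionEncrypted([string]$configPath) {
    # After encryption the element carries a configProtectionProvider attribute and
    # an <EncryptedData> child instead of the clear-text <add> entries.
    [xml]$cfg = Get-Content $configPath
    $node = $cfg.configuration.connectionStrings
    return ($node -ne $null -and $node.configProtectionProvider -ne $null -and $node.EncryptedData -ne $null)
}

if (-not $useRsa) {
    # DPAPI: keyed to this server's machine key. Only this server can decrypt the
    # result, so every web front end must encrypt its own copy of web.config, and
    # anyone who gains the machine key on this box can decrypt it (slide caveat).
    & $regiis -pef $section $vdir -prov "DataProtectionConfigurationProvider"
} else {
    # RSA: the default provider uses the machine-level "NetFrameworkConfigurationKey"
    # container. The app pool identity needs read access to that container, then the
    # section is encrypted. The container can be exported with its private key and
    # imported on the other front ends so one encrypted web.config works farm-wide.
    & $regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
    & $regiis -pef $section $vdir -prov "RsaProtectedConfigurationProvider"
    # Export/import for additional servers (placeholder path; protect the file):
    #   & $regiis -px "NetFrameworkConfigurationKey" C:\keys\cfgkey.xml -pri
    #   & $regiis -pi "NetFrameworkConfigurationKey" C:\keys\cfgkey.xml
}

$configPath = Join-Path $vdir "web.config"
"Section '{0}' encrypted in {1}: {2}" -f $section, $configPath, (Test-SectionEncrypted $configPath)

# To edit the connection string later, decrypt in place first, then re-run this script:
#   & $regiis -pdf $section $vdir
```

The `-pef`/`-pdf` pair works on a physical directory; the `-pe`/`-pd` forms take an IIS virtual path instead, which is the "virtual directory" option the slide mentions. Either way the application reads the decrypted values transparently at run time, which is where the small performance cost noted above comes from.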
Shared Service Considerations • The BDC is available to all web apps consuming from the SSP where it is configured. • Without security trimmers: • Notes search results are not trimmed • BDC search results are not security trimmed • WSS search results are trimmed to the site collection by scope; ensure sites are secured appropriately.
Active Directory Federation Services • ADFS (Active Directory Federation Services) provides a federated, web-services-based authentication model that does not rely on domain trusts. Works with browser-based functions. • Not recommended where rich-client requirements exist. • Understand the “Enable Client Integration” setting. • Matches the Office client's behavior for some FBA providers.
Server and Farm Security: Architectural Considerations and Lockdown
Secure by Default • Anonymous access is disabled by default • Sites are secured to the site creator • Server administrators have no access to content web apps • Permission changes are audited • Self-Service Site Creation is not enabled by default
LOCK IT DOWN! • Configure firewall rules: lock down to the most restrictive set with an acceptable level of usability (e.g. outbound HTTP) • Consider RSS/XML web part requirements • Secure client communication with trusted SSL certificates (128-bit HTTPS) • IPsec (require or request): secure communication between servers and DCs; be careful with NLB and non-Windows clients (Mac/Unix) • Enable Kerberos authentication (intranet); be careful with NLB • SQL: SSL-encrypted traffic plus a non-standard port • Configure Central Admin on the app server • IP-restrict traffic to the Central Admin and SSP app pools (IIS) • Configure Deny policies on content/admin web apps for the applicable groups/domains • Configure ISA secure publishing
Forefront Security for SharePoint • Protects MOSS 2007 and WSS 3.0 • Virus protection for document libraries: • Integrates scan engines from eight industry-leading vendors • Real-time scanning of documents uploaded to and downloaded from a document library • Manual and scheduled scanning of document libraries • Document content filtering and policy enforcement: • File filtering to block documents from being posted based on name match, file type or file extension • Content filtering by keywords within documents for inappropriate words and phrases • Diagram: documents flowing between users, the SharePoint server and the SQL document library store
SharePoint API integration • Utilizes the SharePoint Virus API to scan files during upload and download • Optimized for performance in a SQL environment • Files are not rescanned if engines have not been updated • Up to ten simultaneous scanning threads to help ensure users are not delayed waiting for documents to scan • Automatic integration with SharePoint Information Rights Management (IRM) to scan protected files on the fly
Secure Web Publishing with ISA • Diagram: an Internet user reaches ISA 2006 and the external web server in the DMZ; the internal network at headquarters holds the intranet web server, SharePoint, Exchange, Active Directory and the administrator • Benefits: Fast, Secure Access • Integrated Security • Efficient Management
Intranet, Extranet, Internet • Diagram: 2 farms, 3 SSPs (TechNet: Plan Logical Architecture)
Architecture Considerations • Why more than 1 Farm? • Application/Customization SLAs, Licensing (Internet vs. Intranet CAL), Isolation (No Scale) • Why more than 1 SSP? • Isolation and Service Needs • Why more than 1 App Pool? • Security Isolation, Memory and CPU isolation, Auth requirements • Why more than 1 Site Collection? • Separation/delegation of ownership, quotas, ability to split across databases • Why keep them together? • Global Navigation, Inheritance of style/Master page, Security inheritance, Query web parts, Site Collection policy and content types enforcements
Database Considerations • Databases can be pre-created in SQL Server and then used as content databases. • SQL security, rights and roles should be scrutinized; employ least-privileged access. • Config database: contains the list of all servers, site collections, web apps, web parts and solutions (most critical DB in the farm from an availability standpoint). • Content databases: contain all data, blobs, sites, webs, etc. (most sensitive). • Search and SSP databases: optimize for high disk I/O; contain configuration, search property and profile stores (index/query: the index lives on disk).
Protocols • All protocols are HTTP-based • HTTP/S: browser sessions • SOAP/Web Services: editing from Office applications, Web Services and indexing • RSS: all lists can be viewed this way • FP-RPC: SharePoint Designer, usage • WebDAV: Explorer View, Web Client access • XMLHttpRequest: Forms
Additional Architectural Considerations • Windows Servers: Security Configuration Wizard (SCW) (verify) • IIS: certificate management, IP restrictions • SQL: use Windows authentication rather than SQL authentication • Manage domain accounts
Security Summary • Site and List Security: Information Rights Management integration; Information Policies (auditing, expiration); Item Level Security; Barcodes and Labels, extensibility for signatures; Content Approval, Workflows • Web Application Security: Forms-Based Authentication and Single Sign-on; Active Directory Federation Services (ADFS); Search (security-trimmed search results); Publishing through Internet Security and Acceleration Server (ISA) and Intelligent Application Gateway (IAG) • Server and Farm Security: Pluggable Authentication (Pluggable Authentication Provider); Security Policies; Major and minor versions; Web Application IIS IP restrictions; Windows 2003 R2 SCW to lock down the server
Summary • Allows for the easy implementation of Internet-facing environments and extranets. • Built to enable support for heterogeneous environments. • Supports pluggable forms-based authentication (FBA) providers. • Reduces management overhead and improves security. • Offers granular rights management of business assets.
Guidance for a More Secure Infrastructure • SharePoint Team Security Related Posts: http://blogs.msdn.com/sharepoint/archive/tags/Security/default.aspx • TechNet: Securing Your Sites, Servers, and Server Hardening: http://technet2.microsoft.com/Office/en-us/library/763613ac-83f4-424e-99d0-32efd0667bd91033.mspx?mfr=true • 7 New Features that Enhance Security in SharePoint: http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx • Security and Protection for Office SharePoint Server 2007: http://technet2.microsoft.com/Office/en-us/library/6cc7cbec-bbb8-4473-83a2-65149e932e901033.mspx?mfr=true • TechNet Webcast: SharePoint Security from Service Accounts to Item-Level Access: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032313270&CountryCode=US • Forefront Security for SharePoint: http://www.microsoft.com/forefront/serversecurity/sharepoint/default.mspx