GOPAS TechEd 2012 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com | SharePoint External Access
Designing Secure SharePoint External Access Motivation
Why • Enable internal users to access from outside • Share portal access with business partners
How • Forefront Threat Management Gateway • Forefront Unified Access Gateway
Challenges • Secure authenticated access • Smooth document access from Office applications • Repeated password prompts • Endpoint compliance • Intrusion prevention
Designing Secure SharePoint External Access Authentication Overview
SharePoint Authentication
• Classic Mode Authentication
  • NTLM or Kerberos
• Claims Based Authentication
  • NTLM or Kerberos
  • Basic
  • ASP.NET Forms
  • Active Directory Federation Services
Extending Web Applications (diagram)
One web application on the WFE with its Content DB (.PDF/.DOC) is extended into two zones: the Intranet Web Site http://intranet on the LAN, authenticated with Kerberos, and the Extranet Web Site https://extranet.idtt.com for Internet visitors, authenticated with Forms against AD LDAP and limited to READ.
Designing Secure SharePoint External Access Windows Authentication
SharePoint Authentication
• External access for internal users
  • Basic
  • NTLM (no SSO)
  • Kerberos (only on intranet)
  • SSL client certificates
• Not suitable for external users
  • accounts in AD
  • possibly other access
SharePoint Authentication for Internal Users
• Basic
  • plaintext password
  • works from internet
  • no SSO
• NTLM
  • less secure, MD5
  • performance problems at 200 +/- users per WFE
  • no SSO
• Kerberos
  • secure, mutual authentication, AES, smart cards
  • faster, smoother
  • intranet only
• SSL Client Certificates
  • the most secure, mutual authentication
  • SSO from outside
Basic Authentication with Port Forwarding • Simplest to deploy • Less secure direct access to the farm • Must use public certificates on the farm • NTLM would require custom IE configuration and has performance problems
Basic Authentication with TMG Inspection
• Authenticates users at the gateway level
  • Forms authentication (cookies)
  • Basic authentication
• Inspects clear HTTP
  • plus URL filters etc.
  • intrusion prevention signatures
• Automatically forwards the basic credentials
• Offloads SSL encryption
  • or hides the internal certificates on the farm
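The two designs above differ in what a client on the Internet is offered: with port forwarding the farm's own WWW-Authenticate challenge (Basic, NTLM, Negotiate) is exposed directly, while a gateway answers with its own forms logon or its own Basic challenge. The following PowerShell function is an added example, not part of the deck, for checking a published URL: it makes an anonymous request, collects the advertised authentication schemes and flags Basic offered without TLS. The URL in the usage line is the deck's extranet host name used as a placeholder; the function name is my own.

```powershell
# Added example (not from the deck): list the authentication schemes a published
# SharePoint URL advertises and flag Basic offered over plain HTTP.
# Assumptions: PowerShell 2.0 or later; the URL is a placeholder to replace.
function Get-WwwAuthenticateSchemes {
    param([Parameter(Mandatory = $true)][string]$Url)

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method = 'GET'
    $request.UseDefaultCredentials = $false   # stay anonymous so the server must challenge
    $request.AllowAutoRedirect = $false       # a gateway forms logon shows up as a 302

    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # a 401 surfaces as an exception, but the response is still attached to it
        $response = $_.Exception.Response
        if ($response -eq $null) { throw }
    }

    $status  = [int]$response.StatusCode
    $schemes = @()
    # header values look like "Negotiate", "NTLM" or 'Basic realm="intranet"';
    # GetValues returns $null when no challenge was sent, and foreach skips $null
    foreach ($header in $response.Headers.GetValues('WWW-Authenticate')) {
        $schemes += ($header -split '\s+')[0]
    }
    $response.Close()

    New-Object PSObject -Property @{
        Url          = $Url
        StatusCode   = $status                 # 401 = farm or gateway challenge, 302 = forms logon
        Schemes      = $schemes
        BasicInClear = ($schemes -contains 'Basic') -and ($Url -notlike 'https://*')
    }
}

# usage (placeholder host from the deck's diagram):
Get-WwwAuthenticateSchemes -Url 'https://extranet.idtt.com/' | Format-List
```

A direct port-forwarded farm typically answers 401 with NTLM and Negotiate alongside Basic, which is exactly the "too much freedom" the recap slide warns about; a TMG/UAG listener with forms authentication answers 302 to its logon page and no scheme list at all.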
TMG Inspection with Kerberos Delegation • SSO or smart cards and tokens • No Basic authentication on the internal part • SharePoint “developers” do not receive your full password • Mutual authentication with client certificate • No password guessing
UAG Inspection with Kerberos Delegation • TMG features plus • Predefined URL and application inspections • User portal access • Endpoint policies and compliance
Windows Authentication Recap • Deploy UAG with certificate logon and Kerberos Constrained Delegation, enforce endpoint compliance • TMG can also authenticate certificates and/or use Kerberos • Basic authentication is the most simple, but gives too much freedom to users and SharePoint “administrators”
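Kerberos delegation at the gateway, as described in the TMG and UAG slides above, needs two things in Active Directory before the gateway console can be configured: the HTTP service principal names on the SharePoint application pool account, and the gateway computer account allowed to delegate to exactly those SPNs with protocol transition, because a user who logged on with a certificate or a form never handed the gateway a Kerberos ticket. The following script is an added example, not from the deck; the domain, computer, account and host names are placeholders I chose.

```powershell
# Added example (not from the deck): prepare AD for a TMG/UAG gateway that
# authenticates the user itself and then requests a Kerberos ticket on the
# user's behalf for the SharePoint web application (constrained delegation
# with protocol transition).
# Assumptions (placeholders): gateway computer GW01, application pool account
# sp-apppool, web application host names intranet and intranet.corp.example;
# RSAT ActiveDirectory module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

$gateway     = 'GW01'
$appPoolUser = 'sp-apppool'
$spns        = @('HTTP/intranet', 'HTTP/intranet.corp.example')

# 1. SPNs must be registered on the app pool account and on nothing else;
#    a duplicate SPN silently breaks Kerberos for the whole site.
foreach ($spn in $spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    $others = $owners | Where-Object { $_.Name -ne $appPoolUser }
    if ($others) {
        throw "SPN $spn is already registered on: $($others.Name -join ', ')"
    }
    if ($owners.Count -eq 0) {
        Set-ADUser -Identity $appPoolUser -ServicePrincipalNames @{Add = $spn}
    }
}

# 2. Constrained delegation: the gateway may obtain tickets only for these SPNs.
Set-ADComputer -Identity $gateway -Add @{'msDS-AllowedToDelegateTo' = $spns}

# 3. Protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION): required because the
#    client authenticated to the gateway with a certificate or a form, not Kerberos.
Set-ADAccountControl -Identity "$gateway`$" -TrustedToAuthForDelegation $true

# 4. Verify: the UAC bit 0x1000000 is the protocol transition flag.
Get-ADComputer -Identity $gateway -Properties msDS-AllowedToDelegateTo, userAccountControl |
    Select-Object Name,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } },
        @{ n = 'ProtocolTransition';  e = { ($_.userAccountControl -band 0x1000000) -ne 0 } }
```

Keep the delegation list to the SharePoint SPNs only; a computer account with unconstrained delegation would let a compromised gateway act as any user against any service, which is the opposite of what the deck's design intends. The matching listener setting (Kerberos constrained delegation with the SPN HTTP/intranet) is configured in the TMG or UAG console and is not scripted here.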
Designing Secure SharePoint External Access SharePoint 2010 Forms Authentication
SharePoint Forms Authentication
• No SSO
• Separate accounts for external users
  • AD LDS, SQL DB, XML text file, ...
• You manage the account database
  • create accounts
  • reset passwords
AD LDS
• Active Directory Lightweight Directory Services
• Standalone LDAP/S server
• Part of Windows Server 2008 and newer
  • previously free download ADAM
• Installs on Windows 7 as well
• Managed manually using ADSI Edit
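The "Extending Web Applications" diagram and the forms authentication slides describe one web application with a Kerberos intranet zone and a forms-authenticated extranet zone backed by AD LDS. The following SharePoint 2010 PowerShell is an added example, not from the deck, of creating that Extranet zone. It assumes the web application is already claims-based (forms authentication does not exist in classic mode) and that the membership and role provider names, LdapMember and LdapRole, are placeholders already registered in the web.config of the new zone, of Central Administration and of the Security Token Service; registering them is a separate step this script does not perform.

```powershell
# Added example (not from the deck): extend a claims-based SharePoint 2010 web
# application into the Extranet zone with forms-based authentication against
# an ASP.NET membership provider (here pointed at AD LDS).
# Assumptions: run as a farm administrator; provider names LdapMember/LdapRole
# are placeholders and must already exist in the relevant web.config files;
# the extranet host name is the one from the deck's diagram.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$intranetUrl = 'http://intranet'            # existing zone, Windows (Kerberos) authentication
$extranetUrl = 'https://extranet.idtt.com'   # new public zone
$extranetHost = 'extranet.idtt.com'
$membership  = 'LdapMember'
$role        = 'LdapRole'

$webApp = Get-SPWebApplication -Identity $intranetUrl
if (-not $webApp.UseClaimsAuthentication) {
    throw "Forms authentication needs a claims-based web application; convert '$intranetUrl' first."
}

# The Extranet zone gets a forms provider only: no Windows challenge is ever
# sent to Internet visitors, so internal credentials never leave the LAN.
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider $membership `
                                    -ASPNETRoleProviderName $role

New-SPWebApplicationExtension -Identity $webApp `
    -Name 'SharePoint - Extranet' `
    -Zone Extranet `
    -Url $extranetUrl `
    -HostHeader $extranetHost `
    -Port 443 `
    -SecureSocketsLayer `
    -AuthenticationProvider $fba

# Re-read the web application and show which providers each zone now offers;
# the Extranet zone should list only the forms provider.
$webApp = Get-SPWebApplication -Identity $intranetUrl
foreach ($zone in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
    $settings = $webApp.IisSettings[$zone]
    if ($settings -ne $null) {
        Write-Output ("{0}: {1}" -f $zone, (($settings.ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }) -join ', '))
    }
}
```

The SSL certificate bound to the new IIS site still has to be installed separately; in the gateway designs from the earlier slides that certificate can be an internal one, since TMG or UAG terminates the public SSL session and hides the farm's certificates. Granting the AD LDS accounts read-only rights (the READ in the diagram) is done through a web application user policy or site permissions after the zone exists.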
AD LDS Authentication with UAG Inspection
• Pre-authenticates users at the gateway level
  • double login prompt or certificates
• Predefined set of URL and application inspections
• User portal access
• Endpoint policies and compliance
Designing Secure SharePoint External Access Active Directory Federation Services
AD FS
• HTTPS/XML authentication protocol
• Replacement for AD trusts
• Free download
  • RTW – released to web
• Accounts managed by Account Partner
• Resource Partner just accepts identity claims
• Requires level of management on the Account Partner part
Takeaway • Use certificates and/or Kerberos for internal users • Use AD LDS for external partners without AD FS • Use AD FS for larger external partners who do want to manage their own accounts
GOPAS TechEd 2012 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com | Thank you!