spca2013 - sharepoint insanity demystified

Post on 09-May-2015


TRANSCRIPT

SharePoint Insanity Demystified
Dan Holme
Microsoft Technologies Analyst & Evangelist
MVP, SharePoint Server

Dan Holme: Consultant, Author; Intelliem (Maui, Hawaii); AvePoint
@danholme | http://tiny.cc/danholmepresentations | dan.holme@intelliem.com

Service Accounts

Directory Services Prerequisites

Resources
- Initial deployment administrative and service accounts in SharePoint 2013: http://technet.microsoft.com/en-us/library/ee662513.aspx
- Account permissions and security settings in SharePoint 2013: http://technet.microsoft.com/en-us/library/cc678863.aspx

Service Accounts
- SQL Server service: SQL_Service, *
- SQL administrator: SQL_Admin
- SharePoint Administrator and Setup User: SP_Admin
- SharePoint Farm Service: SP_Farm
- Application pool accounts
  - User-facing web application app pool: SP_WebApps, SP_MySiteApp, *
  - Service application app pool: SP_ServiceApps, *
- Default content access (crawl) account: SP_Crawl, *
- User Profile Synchronization account: SP_UserSync
- Object cache accounts: SP_CacheSR, SP_CacheSU
(* = additional accounts of this kind are created as needed for isolation; see the individual slides below)

SQL_Service, SQL_Admin, *
- SQL Database Engine service account: SQL_Service
- SQL service ownership account: SQL_Admin
- SQL Agent service account: SQL_Agent

Resources
- Security Considerations for a SQL Server Installation: http://technet.microsoft.com/en-us/library/ms144228.aspx
- SQL Server 2012 Security Best Practice Whitepaper: http://download.microsoft.com/download/8/F/A/8FABACD7-803E-40FC-ADF8-355E7D218F4C/SQL_Server_2012_Security_Best_Practice_Whitepaper_Apr2012.docx

SP_Admin
SharePoint Administrator and Setup User
Used by a service admin to perform bit-level changes:
- Install SharePoint prerequisites
- Install SharePoint products
- Configure SharePoint (SharePoint Products Configuration Wizard)
- Update, patch, add/remove servers, etc.

A unique, "generic" SharePoint administrative account
- Not your "normal" user or admin account
- Represents enterprise service administration
- Can be locked down (password changed, account disabled) after installation, until needed

Delegate service to administrators
- After setup, add your admin user accounts to Farm Administrators

SP_Admin: Domain user account
Administrator
- Add to the local Administrators group of each SharePoint server in the farm

SQL privileges
- Create a SQL Server login for the SP_Admin account, e.g. CONTOSO\SP_Admin
- Assign the securityadmin and dbcreator server roles to the login (not sysadmin)

PowerShell privileges
- Assign the SharePoint_Shell_Access database role for any database against which Windows PowerShell will be used (Add-SPShellAdmin)
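The SQL and PowerShell grants above, scripted, as an added example that is not part of the deck. It assumes the SQL alias name SQLSPCONTENT, the account CONTOSO\SP_Admin, the SQLPS module from the SQL Server 2012 tools, and an existing farm; the verification query at the end flags the one thing that must not happen, SP_Admin ending up as sysadmin.

```powershell
# Added example (not from the deck): grant SP_Admin its SQL Server and
# SharePoint PowerShell privileges and verify them.
# Assumptions: SQL alias SQLSPCONTENT, account CONTOSO\SP_Admin, SQLPS module
# installed (SQL Server 2012 tools), farm already configured.
Import-Module SQLPS -DisableNameChecking
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$sqlInstance  = 'SQLSPCONTENT'        # SQL alias, never a physical host name
$setupAccount = 'CONTOSO\SP_Admin'

# 1. Windows login with securityadmin + dbcreator only.
#    ALTER SERVER ROLE ... ADD MEMBER needs SQL Server 2012 or later;
#    on SQL 2008 R2 use EXEC sp_addsrvrolemember instead.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$setupAccount')
    CREATE LOGIN [$setupAccount] FROM WINDOWS;
ALTER SERVER ROLE [securityadmin] ADD MEMBER [$setupAccount];
ALTER SERVER ROLE [dbcreator]     ADD MEMBER [$setupAccount];
"@
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $tsql

# 2. Read back the server roles actually held and flag over-privilege.
$roles = Invoke-Sqlcmd -ServerInstance $sqlInstance -Query @"
SELECT r.name AS role_name
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$setupAccount'
"@
$roles | ForEach-Object { "{0} is a member of {1}" -f $setupAccount, $_.role_name }
if (@($roles.role_name) -contains 'sysadmin') {
    Write-Warning "$setupAccount is sysadmin; that exceeds the least-privilege target."
}

# 3. SharePoint_Shell_Access on every database PowerShell will touch.
#    Without -database, Add-SPShellAdmin covers the configuration database and
#    the Central Administration content database; content DBs are separate.
Add-SPShellAdmin -UserName $setupAccount
Get-SPContentDatabase | ForEach-Object {
    Add-SPShellAdmin -UserName $setupAccount -database $_
}

# 4. Confirm the shell admin grant is recorded.
Get-SPShellAdmin | Where-Object { $_.UserName -eq $setupAccount }
```

Run this as an account that is already a shell admin (the account that ran the Products Configuration Wizard); Add-SPShellAdmin refuses otherwise.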

SP_Farm
SharePoint Farm Service
Used for highly privileged SharePoint services:
- Central Administration application pool
- STS & Topology service application pool
- Windows services including Timer, Workflow Timer
- SharePoint services including User Profile Synchronization

Domain user account
- SharePoint assigns permissions automatically

SP_Farm: Extra privileges for UPS
Before provisioning the User Profile Synchronization Service:
1. Add SP_Farm to the local Administrators group of the server running UPS
2. Reboot
3. Provision User Profile Synchronization
4. After UPS has started, remove SP_Farm from the Administrators group
5. Reboot
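The five-step procedure above as a two-phase script, added here as an example and not taken from the deck. It assumes it runs as SP_Admin on the server that will host UPS, the farm account CONTOSO\SP_Farm, and an already created User Profile Service Application; the SetSynchronizationMachine call on that service application object is the method the well-known community provisioning scripts use for step 3 and should be verified against your build. Local group membership is handled through the WinNT ADSI provider because Windows Server 2008 R2/2012 have no Add-LocalGroupMember cmdlet.

```powershell
# Added example (not from the deck): provision UPS with SP_Farm holding local
# admin only for the duration. Run with -Phase 1, reboot, then -Phase 2.
# Assumptions: run as SP_Admin on the UPS server, farm account CONTOSO\SP_Farm,
# User Profile Service Application already exists.
param([ValidateSet(1, 2)][int]$Phase = 1)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$farmAccount = 'CONTOSO\SP_Farm'

function Set-LocalAdminMembership([string]$Account, [switch]$Remove) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $path  = 'WinNT://' + ($Account -replace '\\', '/')
    $sam   = ($Account -split '\\')[1]
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    $isMember = $members -contains $sam
    if ($Remove -and $isMember)               { $group.Remove($path) }
    elseif (-not $Remove -and -not $isMember) { $group.Add($path) }
    return (-not $Remove) -eq (-not $Remove)  # membership now matches intent
}

switch ($Phase) {
    1 {
        # Step 1: temporary local admin. Step 2: reboot.
        Set-LocalAdminMembership -Account $farmAccount | Out-Null
        Write-Host 'Rebooting; run again with -Phase 2 afterwards.'
        Restart-Computer -Force
    }
    2 {
        # Step 3: bind the sync service to this machine and start it.
        $syncInstance = Get-SPServiceInstance | Where-Object {
            $_.TypeName -eq 'User Profile Synchronization Service' -and
            $_.Server.Address -eq $env:COMPUTERNAME }
        $upa = Get-SPServiceApplication | Where-Object {
            $_.TypeName -eq 'User Profile Service Application' }
        $password = Read-Host -Prompt "Current password for $farmAccount"
        $upa.SetSynchronizationMachine($env:COMPUTERNAME, $syncInstance.Id, $farmAccount, $password)
        Start-SPServiceInstance -Identity $syncInstance | Out-Null
        do {
            Start-Sleep -Seconds 30
            $syncInstance = Get-SPServiceInstance -Identity $syncInstance.Id
            Write-Host "UPS status: $($syncInstance.Status)"
        } until ($syncInstance.Status -eq 'Online')

        # Step 4: drop the extra privilege as soon as UPS is online. Step 5: reboot.
        Set-LocalAdminMembership -Account $farmAccount -Remove | Out-Null
        Restart-Computer -Force
    }
}
```

Leaving SP_Farm in local Administrators after provisioning is the common mistake this script is meant to prevent; phase 2 removes it before the second reboot rather than relying on someone remembering later.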

Application Pool Accounts - Whiteboard
(Whiteboard sketch; only its labels survive. The sketch tags each application pool account with the local WSS_WPG group and the SP_DATA_ACCESS and WSS_CONTENT_APPLICATION_POOLS database roles that SharePoint grants it.)
- "SharePoint Web Apps" application pool, identity SP_WebApps: hosts the Collab and Intranet web applications, whose content databases are SharePoint_Content_Collab and SharePoint_Content_Intranet
- "SharePoint Extranet Apps" application pool, identity SP_ExtranetApps: hosts the Extranet web application, content database SharePoint_Content_Extranet

SP_ServiceApps, SP_WebApps
Web and service application pool accounts
Keeping it simple for this discussion: two accounts

Domain user accounts
- Register as managed accounts in the SharePoint farm
- Assigned as the application pool identity
- First web application app pool: SP_WebApps
  - Additional web applications are added to the same, shared pool
- First service application app pool: SP_ServiceApps
  - Additional service applications are added to the same, shared pool

Permissions required depend on the web app or service application
- Generally assigned automatically by SharePoint

SP_MySiteApp, *
My Site web application
- Often isolated in its own application pool to address security concerns
- Each user is the site collection administrator of his/her My Site
- Determine the security risk: perception vs. reality?

SP_MySiteApp
- One account for each application pool to isolate access

SP_Crawl, *
SharePoint Search default content access account
- Crawler account used when no specific crawl account is specified

Domain user account
- Requires read permission to indexed content sources
- Automatically given Read permission to all SharePoint content: a web application Read user policy is applied to each new web app
- Configure SP_Crawl before creating web apps, or manually grant it the Read user policy on existing ones
- Assign Read permission to all other indexed content sources
- Do not give the account the ability to modify any content

Create additional content access accounts
- For security isolation or access to disparate systems
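The "manually grant it the Read user policy" step, with the check that the crawler holds nothing stronger, as an added example rather than code from the deck. It assumes the account CONTOSO\SP_Crawl and the display name "Search Crawling Account"; the one caveat it handles is that SharePoint 2013 claims web applications store policy identities in encoded claim form (i:0#.w|contoso\sp_crawl), so a plain DOMAIN\name lookup silently misses an existing policy.

```powershell
# Added example (not from the deck): ensure CONTOSO\SP_Crawl has a Full Read
# user policy on every web application and warn if it has Full Control.
# Assumptions: account name and policy display name below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$crawlAccount = 'CONTOSO\SP_Crawl'

function Get-PolicyUserName {
    param([Microsoft.SharePoint.Administration.SPWebApplication]$WebApp, [string]$Account)
    if ($WebApp.UseClaimsAuthentication) {
        # Claims web apps record policies as encoded claims, not DOMAIN\name.
        return (New-SPClaimsPrincipal -Identity $Account `
                    -IdentityType WindowsSamAccountName).ToEncodedString()
    }
    return $Account
}

function Assert-CrawlReadPolicy {
    param([Microsoft.SharePoint.Administration.SPWebApplication]$WebApp, [string]$Account)
    $userName = Get-PolicyUserName -WebApp $WebApp -Account $Account
    $policy   = $WebApp.Policies | Where-Object { $_.UserName -eq $userName }
    if (-not $policy) {
        # Zone-independent policy: covers every zone of the web application.
        $policy   = $WebApp.Policies.Add($userName, 'Search Crawling Account')
        $readRole = $WebApp.PolicyRoles.GetSpecialRole(
            [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
        $policy.PolicyRoleBindings.Add($readRole)
        $WebApp.Update()
        return "{0}: granted Full Read to {1}" -f $WebApp.DisplayName, $Account
    }
    # The crawler must never be able to modify content.
    $roleTypes = @($policy.PolicyRoleBindings | ForEach-Object { $_.Type })
    if ($roleTypes -contains [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl) {
        Write-Warning ("{0}: {1} has Full Control; reduce it to Full Read" -f $WebApp.DisplayName, $Account)
    }
    return "{0}: {1} already has {2}" -f $WebApp.DisplayName, $Account, ($roleTypes -join ', ')
}

# Get-SPWebApplication omits Central Administration by default, which is what we want.
Get-SPWebApplication | ForEach-Object { Assert-CrawlReadPolicy -WebApp $_ -Account $crawlAccount }
```

Run it again after each new web application is created, or schedule it; the function is idempotent and only reports on web apps that are already correct.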

SP_UserSync
SharePoint User Profile Synchronization
- Synchronizes user profile data between Active Directory and SharePoint

Domain user account
- Requires the Replicating Directory Changes permission on the domain
- If a Windows Server 2003 domain: also add the account to the Pre-Windows 2000 Compatible Access group

This is not a "big deal"!
- The permission is really "detect changes to the Domain NC"
- It does not give access to "secrets" (e.g. passwords); reading those would require Replicating Directory Changes All, which the sync account must not be granted
- It does, however, let the holder read every non-secret attribute of every object in the domain regardless of per-object ACLs, so protect the account like any other privileged account
- An educated Active Directory team should not have an issue with this

See the TechNet user profile synchronization documentation for steps and details

SP_CacheSR, SP_CacheSU
Object cache accounts
- Super Reader
- Super User
See http://technet.microsoft.com/en-us/library/ff758656.aspx

Note: this is not the same as the BLOB cache or remote BLOB store. The object cache has to do with versions & drafts.

Other accounts
- Office Web Apps (2013)
- Secure Store

Automation Account
SharePoint Automation: SP_Automation
Rights required to perform automated tasks:
- PowerShell (Add-SPShellAdmin)
- Local Administrators group
- Farm Administrators group
- Site Collection Administrator (of each site collection)
- The "Log on as a batch job" user right

Über Admin Account
SharePoint Enterprise Administrator: SP_EnterpriseAdmin
Least privilege is not always possible
- Delegate to administrators the privilege to use PowerShell, patch/update, and upgrade
- SQL Administrator, or db_owner of all SharePoint databases
- Local Administrators group of all SharePoint servers
- Farm Administrators group
- Disabled until needed

Accounts for Multiple Farms
Each farm (dev, test, QA, production) needs its own "set" of accounts
- Consider multiple farms in your naming convention
  - SP_Farm (production)
  - SP_Farm_Dev
  - SP_Farm_Test

Note: the user name part of DOMAIN\username (the sAMAccountName) is limited to 20 characters, so keep the farm suffix short!

Why?
- Least privilege
- Monitoring & auditing
- Automatic password management

Resources
- Account permissions and security settings in SharePoint 2013: http://technet.microsoft.com/en-us/library/cc678863.aspx
- Configure object cache user accounts in SharePoint Server 2013: http://technet.microsoft.com/en-us/library/ff758656.aspx

Automate Creation of Service Accounts

    # Requires the ActiveDirectory module (RSAT). The CSV columns must match
    # New-ADUser parameter names, e.g. Name,SamAccountName,UserPrincipalName,Description
    Import-Module ActiveDirectory
    $filename = '.\sp-service-accounts.csv'
    $ou       = 'OU=SharePoint Service Accounts,DC=contoso,DC=com'
    $password = Read-Host -Prompt 'Initial password for all accounts'   # do not hard-code it

    Import-Csv $filename |
        New-ADUser -Path $ou -PassThru |
        Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $password -Force) -PassThru |
        Enable-ADAccount
    Write-Host "Complete"

Managed Accounts

Service Accounts
What is a service account?
- A domain user account
- Used as the identity of a service like SQL or SharePoint

The #1 problem with service accounts is... PASSWORD CHANGES
- The service account password is changed
- Every location in which the service account is used must be updated
- Painful!
- Result: admins set "Password never expires"
- Terrible for security, because service accounts are typically highly privileged

Managed Accounts
In a nutshell
- An Active Directory account that has been registered with SharePoint
- SharePoint can then manage the password changes for the account

Register a managed account
- Central Administration > Security > Configure managed accounts > Register a managed account
- Enter the user name and current password
- Enter the user name as DOMAIN\name, not a user principal name (name@domain.com)

Use a managed account
- When creating or configuring an application pool for service or web apps
- When managing Windows services related to SharePoint: Timer, Search, Document Conversion

Password Changes
Manual password change for a managed account
- Central Administration > Security > Configure managed accounts > Edit

Benefits
- SharePoint changes the password in Active Directory
- Does not require any delegation in Active Directory, because the process uses the account's own Change Password right (SharePoint knows the current password), not the Reset Password right
- SharePoint updates the logon information of components: services, app pools
- The password can be random, which reduces the risk of an administrator leveraging the privileges of the account

Automatic Password Changes
Automatic password change for an individual managed account
- Central Administration > Security > Configure managed accounts > Edit > Schedule
- Based on the scheduled date or the domain password policy expiration (whichever comes first)
- Notify administrators by email
- The service will be "down" while it recycles with the new password

Benefits
- Removes the management burden of service accounts
- Improves security and compliance
- SharePoint admins don't know the passwords to highly privileged accounts, e.g. SP_Farm (full control access to all SharePoint content)

Managed Accounts
- Use them
- Configure automatic password management
- Know the limitations
  - Each farm must have separate accounts
  - Some components use "standard" service accounts, not managed accounts: search crawl, profile sync, Secure Store
  - These must be managed using traditional methods (change the password in AD and then in SharePoint)
- Automate with PowerShell
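What "automate with PowerShell" looks like for the registration, automatic password change and repair steps described above, as an added example that is not from the deck. It assumes the accounts CONTOSO\SP_WebApps and CONTOSO\SP_ServiceApps and an illustrative monthly change window; the crawl, profile sync and Secure Store accounts the slide excludes are deliberately absent because SharePoint will not rotate them.

```powershell
# Added example (not from the deck): register app pool accounts as managed
# accounts, enable automatic random password changes, and repair stale
# deployments. Assumptions: account names and schedule below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accounts = 'CONTOSO\SP_WebApps', 'CONTOSO\SP_ServiceApps'

foreach ($name in $accounts) {
    # Register with DOMAIN\name (never a UPN) and the current password.
    if (-not (Get-SPManagedAccount -Identity $name -ErrorAction SilentlyContinue)) {
        $cred = Get-Credential -UserName $name -Message "Current password for $name"
        New-SPManagedAccount -Credential $cred | Out-Null
    }
    # Random password, rotated on the schedule or 2 days before the domain
    # policy would expire it (whichever comes first); mail admins 5 days ahead.
    Set-SPManagedAccount -Identity $name -AutoGeneratePassword `
        -Schedule 'monthly between 7 02:00:00 and 7 03:00:00' `
        -PreExpireDays 2 -EmailNotification 5 -Confirm:$false
}

# Which managed accounts still have no automatic change configured?
Get-SPManagedAccount |
    Select-Object UserName, AutomaticChange, ChangeSchedule, PasswordExpiration |
    Format-Table -AutoSize

# After a manual change (or if a server missed the timer job), push the current
# password out to every app pool and service that uses these accounts.
Repair-SPManagedAccountDeployment
```

Schedule the change window when a short app pool recycle is acceptable; the slide's "service will be down while it recycles" applies to every web app in the shared pool at once.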

SQL & Storage

SQL Alias
- SQLSERVER01.contoso.com = NYSQL05.contoso.com today
- = NYSQLCLUSTER.contoso.com tomorrow
- = NYSQLCLUSTER.newcompany.com next year

Configure a SQL alias
- CLICONFG.exe on each SharePoint server in the farm
- Do not "fake it out" with a DNS record: with Kerberos the client builds the MSSQLSvc SPN from the name it connects to, so a CNAME such as SQLSERVER01 has no matching SPN on the SQL service account and authentication falls back to NTLM or fails. A client alias is resolved to the real server name before the SPN is built.

Consider "tiers" of aliases to support SQL scaling
- Content databases: SQLSPCONTENT
- Search databases: SQLSPSEARCH
- Service application databases: SQLSPSERVICES
All point to a single SQL instance today...
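The tiered aliases above, created on every server in the farm the way CLICONFG.exe would (it writes the ConnectTo registry key), as an added example that is not from the deck. It assumes TCP on port 1433, the target host NYSQL05.contoso.com, WinRM enabled on the other farm servers, and the alias names from the slide. The verification at the end opens a SqlClient connection by alias name: that succeeds only because the SQL client stack resolves the alias, since no DNS record named SQLSPCONTENT exists.

```powershell
# Added example (not from the deck): create SQL client aliases on all farm
# servers for both the 64-bit and 32-bit client stacks, then verify them.
# Assumptions: TCP/1433, target NYSQL05.contoso.com, WinRM on remote servers.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$aliases = @{
    SQLSPCONTENT  = 'NYSQL05.contoso.com,1433'
    SQLSPSEARCH   = 'NYSQL05.contoso.com,1433'
    SQLSPSERVICES = 'NYSQL05.contoso.com,1433'
}

$setAliases = {
    param([hashtable]$Map)
    # SharePoint is 64-bit, but 32-bit tools read the WOW6432Node key; set both.
    $keys = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($alias in $Map.Keys) {
            # DBMSSOCN selects TCP/IP; the value format is "DBMSSOCN,host,port".
            New-ItemProperty -Path $key -Name $alias -PropertyType String `
                -Value ("DBMSSOCN,{0}" -f $Map[$alias]) -Force | Out-Null
        }
    }
}

# Every SharePoint server in the farm (Role 'Invalid' entries are the SQL hosts).
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object -ExpandProperty Address
foreach ($server in $servers) {
    if ($server -eq $env:COMPUTERNAME) { & $setAliases $aliases }
    else { Invoke-Command -ComputerName $server -ScriptBlock $setAliases -ArgumentList $aliases }
}

function Test-SqlAlias([string]$Alias) {
    # SqlClient honours ConnectTo aliases, so this proves the alias, not DNS.
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$Alias;Integrated Security=SSPI;Connect Timeout=5"
    try   { $conn.Open(); return "{0} -> SQL Server {1}" -f $Alias, $conn.ServerVersion }
    finally { $conn.Dispose() }
}
$aliases.Keys | ForEach-Object { Test-SqlAlias $_ }
```

When the database moves to NYSQLCLUSTER, change the three values in $aliases and re-run; nothing in SharePoint's configuration database references the physical host.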

Documents stored in the content database
(Diagram: the SQL content database holds the "document" as a Binary Large Object (BLOB) together with its workflows, security and metadata.)

Database Sizing
- Content databases: initial size, growth rate
- TempDB: initial size, growth rate
- Model - Monitor - Measure - Modify

Content scaling support & guidance
- Content database: 200 GB (out-of-box); 4 TB (collaboration)*; unlimited (archive)*
- Site collection: 200 GB (out-of-box, only site collection in the CDB); 100 GB (out-of-box, multiple site collections in the CDB); up to the size of the CDB*
- Items per CDB: 60 million
* Conditions apply: performance, DR, HA

Quotas

Quotas
- Configured per site collection (SPSite)
- Can be applied with a quota template
  - Configured for the web application
  - Applied to one or more site collections

Quota template update
- Applies the new settings to new sites only
- Does not modify existing sites that were based on the template
- Use PowerShell (scripts can be found on TechNet) to update existing sites
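The "use PowerShell to update existing sites" step, as an added example rather than the TechNet script itself. It assumes the web application http://intranet.contoso.com and a template named "Team Sites". SharePoint copies the template's values into each SPSite at creation and only keeps the template ID as a link, so the script finds site collections whose stored quota still carries that ID but whose limits no longer match the template, and re-applies the template to exactly those.

```powershell
# Added example (not from the deck): re-apply an edited quota template to the
# site collections that were created from it.
# Assumptions: web application URL and template name below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl    = 'http://intranet.contoso.com'
$templateName = 'Team Sites'

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$template = $contentService.QuotaTemplates[$templateName]
if (-not $template) { throw "Quota template '$templateName' not found" }

# Sites linked to this template whose copied values are now stale.
$stale = Get-SPWebApplication $webAppUrl | Get-SPSite -Limit All | Where-Object {
    $_.Quota.QuotaID -eq $template.QuotaID -and
    ($_.Quota.StorageMaximumLevel -ne $template.StorageMaximumLevel -or
     $_.Quota.StorageWarningLevel -ne $template.StorageWarningLevel)
}

foreach ($site in $stale) {
    "{0}: max {1:N0} MB -> {2:N0} MB" -f $site.Url,
        ($site.Quota.StorageMaximumLevel / 1MB), ($template.StorageMaximumLevel / 1MB)
    Set-SPSite -Identity $site -QuotaTemplate $template.Name
    $site.Dispose()   # Get-SPSite -Limit All returns many objects; release each one
}
"Updated {0} site collection(s)" -f @($stale).Count
```

Run it once after every template edit; sites whose quota was set individually (different QuotaID) are left alone on purpose.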

BLOBs
Binary Large Objects

Default: BLOBs stored in the content database
(Diagram: the SQL content database holds the "document" BLOBs together with workflows, security and metadata.)

BLOB externalization
(Diagram: the BLOBs move out to a SAN, NAS, file share or cloud store; the SQL content database keeps the workflows, security and metadata and a reference to each externalized "document".)

BLOB externalization alphabet soup
- BLOB: Binary large object, the representation of the content of a document
- EBS: External BLOB Storage. SharePoint feature. Supported: SharePoint 2007 - SharePoint 2010
- RBS: Remote BLOB Storage. SQL feature; SharePoint is an RBS "client". Supported: SharePoint 2010 - SharePoint 2013

Advantages of BLOB externalization
- Reduced storage cost
- Increased performance in a real-world workload
  - Externalizing all BLOBs boosts performance
  - Microsoft white paper: 25% performance improvement, http://www.microsoft.com/en-us/download/details.aspx?id=14726
  - My experience: significant improvement
- The noise about performance: the trajectory of guidance is to externalize collaborative content at 1 MB
- Access to features of the underlying storage platform
- Business rules to determine what gets externalized

Shredded Storage

Shredded Storage
Office documents
- Client sends updates -> SharePoint -> SQL
- SQL shreds the updated version
- An update of document library metadata does not generate additional shreds
Non-Office documents
- Client sends the full file -> SharePoint -> SQL
- SQL shreds the full file
- An update of document library metadata might generate additional shreds

Shredded Storage Reality
- Reduces I/O between the web server and the SQL server for Office document formats
- Potential reduction in storage of Office document versions
  - Achieves something like "de-duplication" or "differential versioning" of document versions
  - Updated document versions show a reduced storage footprint
  - Updating document library metadata only (and not the document) does not generate new shreds
- Non-Office document formats don't benefit as much, or at all
  - Total storage suggests that de-duplication is inefficient or ineffective
  - Updating document library metadata might generate additional shreds
- Does not reduce storage in multiple-location scenarios (the same document stored in more than one location)

Shredded Storage Considerations
- Shreds on new/modified documents, not on upgrade
- Cannot currently be turned off
- FileWriteChunkSize and FileReadChunkSize are farm-wide settings
- Overall system performance may be degraded
- The default shred size is probably not ideal
- Guidance is vectoring towards 1 MB for both FileReadChunkSize and FileWriteChunkSize
- DO NOT exceed 4 MB!!
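Setting the two farm-wide chunk sizes to the 1 MB the guidance converges on, with the 4 MB ceiling enforced, as an added example that is not from the deck. It assumes FileReadChunkSize and FileWriteChunkSize are exposed as properties of the farm's SPWebService content service object (the form the widely circulated scripts use); anything else in the block is plain PowerShell.

```powershell
# Added example (not from the deck): inspect and set the farm-wide shredded
# storage chunk sizes, refusing values over the 4 MB ceiling.
# Assumption: both sizes live on SPWebService.ContentService.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ShreddedStorageChunkSize {
    $ws = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    [pscustomobject]@{
        FileReadChunkSize  = $ws.FileReadChunkSize
        FileWriteChunkSize = $ws.FileWriteChunkSize
    }
}

function Set-ShreddedStorageChunkSize {
    param([int]$Bytes = 1MB)
    $ceiling = 4MB
    if ($Bytes -le 0 -or $Bytes -gt $ceiling) {
        throw "Chunk size must be between 1 and $ceiling bytes; $Bytes requested"
    }
    $before = Get-ShreddedStorageChunkSize
    $ws = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    # Farm-wide: change read and write together so they stay consistent.
    $ws.FileReadChunkSize  = $Bytes
    $ws.FileWriteChunkSize = $Bytes
    $ws.Update()
    [pscustomobject]@{
        BeforeRead  = $before.FileReadChunkSize
        BeforeWrite = $before.FileWriteChunkSize
        After       = $Bytes
    }
}

Get-ShreddedStorageChunkSize          # record the current values first
Set-ShreddedStorageChunkSize -Bytes 1MB
```

Existing shreds are not rewritten (the slide notes shredding happens on new or modified documents), so measure after a period of normal editing rather than immediately.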

Storage Optimization

Storage Guidance*
- Shredded storage means no RBS in collab scenarios
  - Or set FileReadChunkSize & FileWriteChunkSize to 1 MB, and use a "size > 1 MB" externalization rule
- Use RBS for tiered storage management for archives
- Acquire a third-party solution that manages storage: both RBS and backup/restore and archiving
- Requires an RBS "provider": FILESTREAM or, better yet, third parties
  - Performance
  - Business rules
  - Manageability: integration with backup, recovery, high-availability solutions
- Watch for the Microsoft/Dell white paper

* Guidance "fresh if used by" the date of this presentation

Archiving - Scenarios and Solutions
- Move to a different location, keep in SharePoint
  - Records management features
  - UI: Send To Another Location
  - Workflow
  - PowerShell
  - Third-party content management tools
- Move to a different storage tier, keep in SharePoint
  - Third-party RBS tools
- Move out of SharePoint entirely
  - PowerShell
  - Third-party tools

Shout Outs
Randy Williams, Jeremy Thake, Gary Lapointe, Chris Givens, Andrew Connell, Spence Harbar, Jason Himmelstein, Todd Baginski, Scot Hillier, Susan Hanley, Matt McDermott, Eric Shupps, Paul Swider, Shane Young, Todd Klindt, Wictor Wilén, Asif Rehmani, Rob Bogue, Agnes Molnar, Steve Fox, Mirjam van Olst, Jasper Oosterveld, Michael Noel

MAHALO! (thank you!)
http://tiny.cc/danholmepresentations
http://tiny.cc/danholmearticles
http://tiny.cc/danholmebooks

A HUI HO! ('til next time!)
dan.holme@intelliem.com
@danholme
