Designing Secure SharePoint External Access

Ondrej Sevecek | MCM: Directory | MVP: Security

[email protected] | www.sevecek.com

Post on 04-Jan-2016

MOTIVATION

Why

• Enable internal users to access from outside

• Share portal access with business partners

How

• Forefront Threat Management Gateway

• Forefront Unified Access Gateway

Challenges

• Secure authenticated access

• Smooth document access from Office applications

• Repeated password prompts

• Endpoint compliance

• Intrusion prevention

AUTHENTICATION OVERVIEW

SharePoint Authentication

• Classic Mode Authentication
  • NTLM or Kerberos

• Claims Based Authentication
  • NTLM or Kerberos
  • Basic
  • ASP.NET Forms
  • Active Directory Federation Services

SharePoint Authentication: Extending Web Applications

[Diagram: one Web Application with its Content DB is extended into two web sites on the WFE: an Intranet Web Site (http://intranet) reached from the LAN with Kerberos, and an Extranet Web Site (https://extranet.idtt.com) reached from the Internet with Forms; both authenticate against AD over LDAP; Visitors get READ access to .PDF/.DOC documents]

WINDOWS AUTHENTICATION

SharePoint Authentication

• External access for internal users
  • Basic
  • NTLM (no SSO)
  • Kerberos (only on intranet)
  • SSL client certificates

• Not suitable for external users
  • accounts in AD
  • possibly other access

SharePoint Authentication for Internal Users

• Basic
  • plaintext password
  • works from internet
  • no SSO

• NTLM
  • less secure, MD5
  • performance problems at 200 +/- users per WFE
  • no SSO

• Kerberos
  • secure, mutual authentication, AES, smart cards
  • faster, smoother
  • intranet only

• SSL Client Certificates
  • the most secure, mutual authentication
  • SSO from outside

Internal Users Authentication

Method           SSO  Mutual Authentication  Used from internet  Security Notes
Basic            no   no                     yes                 little
NTLM             no   no                     yes                 password hash; performance problems
Kerberos         yes  yes                    no                  password hash
SSL Certificate  yes  yes                    yes                 private key

Basic Authentication with Port Forwarding


• Simplest to deploy

• Less secure direct access to the farm

• Must use public certificates on the farm

• NTLM would require custom IE configuration and has performance problems

Basic Authentication with TMG Inspection


• Authenticates users at the gateway level
  • Forms authentication (cookies)
  • Basic authentication

• Inspects clear HTTP
  • plus URL filters etc.
  • intrusion prevention signatures

• Automatically forwards the basic credentials

• Offloads SSL encryption
  • or hides the internal certificates on the farm

TMG and Forms Authentication

TMG Inspection with Kerberos Delegation


• SSO or smart cards and tokens

• No Basic authentication on the internal part
  • SharePoint “developers” do not receive your full password

• Mutual authentication with client certificate

• No password guessing

UAG Inspection with Kerberos Delegation


• TMG features plus

• Predefined URL and application inspections

• User portal access

• Endpoint policies and compliance

UAG Portal and Forms Authentication

Windows Authentication Recap

• Deploy UAG with certificate logon and Kerberos Constrained Delegation, enforce endpoint compliance

• TMG can also authenticate certificates and/or use Kerberos

• Basic authentication is the simplest, but gives too much freedom to users and SharePoint “administrators”
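As an added example (not from the deck), the delegation setup the recap calls for, done in PowerShell with the ActiveDirectory module: the gateway gets Kerberos Constrained Delegation with protocol transition to the SharePoint intranet site only. The gateway computer account UAG01, the app-pool service account svc-spapp and the internal host name intranet are assumptions.

```powershell
# Added example, not the deck's own configuration. Assumed names: gateway
# computer account UAG01, SharePoint app-pool account svc-spapp, internal
# site host name "intranet" (the deck's diagram shows http://intranet).
Import-Module ActiveDirectory

$gateway   = 'UAG01'        # assumed gateway computer account
$spAccount = 'svc-spapp'    # assumed SharePoint application-pool account
$spn       = 'HTTP/intranet'

# 1. The SPN must sit on the account that runs the SharePoint application
#    pool, otherwise the KDC cannot issue a service ticket for the site.
#    A duplicate SPN on another object silently breaks Kerberos, so check first.
$spDn  = (Get-ADUser -Identity $spAccount).DistinguishedName
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
if (-not $owner) {
    Set-ADUser -Identity $spAccount -ServicePrincipalNames @{ Add = $spn }
} elseif ($owner.DistinguishedName -ne $spDn) {
    throw "SPN $spn is already registered on $($owner.DistinguishedName)"
}

# 2. Constrain the gateway: it may request tickets on a user's behalf only
#    for this SPN (msDS-AllowedToDelegateTo), not for any other service.
Set-ADComputer -Identity $gateway -Add @{ 'msDS-AllowedToDelegateTo' = $spn }

# 3. Protocol transition: users log on to the gateway with a client
#    certificate or a form, not with Kerberos, so the gateway needs
#    TRUSTED_TO_AUTH_FOR_DELEGATION (S4U2Self) to turn that identity into a
#    Kerberos ticket. This makes the gateway a high-value account: it can
#    act as any user towards the listed SPN, so keep the list minimal.
Set-ADAccountControl -Identity (Get-ADComputer $gateway) -TrustedToAuthForDelegation $true

# 4. Verify the result: both the flag and the single allowed SPN.
Get-ADComputer -Identity $gateway -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
```

No password ever reaches SharePoint in this design; the farm only sees a Kerberos ticket, which is the point the "developers do not receive your full password" bullet makes.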

SHAREPOINT 2010 FORMS AUTHENTICATION


SharePoint Forms Authentication

• No SSO

• Separate accounts for external users

• AD LDS, SQL DB, XML text file, ...

• You manage the account database
  • create accounts
  • reset passwords

AD LDS

• Active Directory Lightweight Directory Services

• Standalone LDAP/S server

• Part of Windows Server 2008 and newer
  • previously free download ADAM

• Installs on Windows 7 as well

• Managed manually using ADSI Edit
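The two management tasks the slides name (create accounts, reset passwords), as an added PowerShell example that is not part of the deck, using the ActiveDirectory module against an AD LDS instance instead of ADSI Edit. The host name ldsserver.idtt.local, the LDAPS port 636 and the application partition DC=partners,DC=local with a CN=Users container are assumptions.

```powershell
# Added example, not the deck's own procedure. Assumed values: AD LDS host
# ldsserver.idtt.local, LDAPS on 636, partition DC=partners,DC=local.
Import-Module ActiveDirectory

# LDAPS is required: AD LDS rejects password set/reset over a clear-text
# LDAP bind by default, and the partner passwords would otherwise cross the
# wire in the clear.
$Lds       = 'ldsserver.idtt.local:636'
$Container = 'CN=Users,DC=partners,DC=local'

function New-PartnerAccount {
    param([string]$Name, [string]$Partner, [SecureString]$InitialPassword)
    # Work with full DNs so the cmdlets do not need -Partition for AD LDS
    $dn = "CN=$Name,$Container"
    New-ADObject -Server $Lds -Type user -Name $Name -Path $Container `
        -OtherAttributes @{ description = "External user of $Partner" }
    Set-ADAccountPassword -Server $Lds -Identity $dn -Reset -NewPassword $InitialPassword
    # AD LDS keeps the enabled state in msDS-UserAccountDisabled, not in
    # userAccountControl; the SharePoint forms provider binds as this user,
    # so a disabled account simply fails the login.
    Set-ADObject -Server $Lds -Identity $dn -Replace @{ 'msDS-UserAccountDisabled' = $false }
    return $dn
}

function Reset-PartnerPassword {
    param([string]$Dn, [SecureString]$NewPassword)
    # Administrative reset: no old password needed, done over LDAPS only
    Set-ADAccountPassword -Server $Lds -Identity $Dn -Reset -NewPassword $NewPassword
}

function Disable-PartnerAccount {
    param([string]$Dn)
    # Offboarding a partner user: disable rather than delete, keeps the audit trail
    Set-ADObject -Server $Lds -Identity $Dn -Replace @{ 'msDS-UserAccountDisabled' = $true }
}

# Usage: random initial password, handed to the partner out of band
$initial = ConvertTo-SecureString ([guid]::NewGuid().Guid) -AsPlainText -Force
$dn = New-PartnerAccount -Name 'jdoe' -Partner 'Contoso' -InitialPassword $initial
Get-ADObject -Server $Lds -Identity $dn -Properties msDS-UserAccountDisabled, description
```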

AD LDS Authentication with Port Forwarding


AD LDS with UAG and Certificates

AD LDS Authentication with UAG Inspection

• Pre-authenticates users at the gateway level
  • double login prompt or certificates

• Predefined set of URL and application inspections

• User portal access

• Endpoint policies and compliance

ACTIVE DIRECTORY FEDERATION SERVICES


AD FS

• HTTPS/XML authentication protocol

• Replacement for AD trusts

• Free download
  • RTW – released to web

• Accounts managed by Account Partner

• Resource Partner just accepts identity claims

• Requires a level of management on the Account Partner side

AD FS Principles


TAKEAWAY

Takeaway

• Use certificates and/or Kerberos for internal users

• Use AD LDS for external partners without AD FS

• Use AD FS for larger external partners who do want to manage their own accounts

Ondrej Sevecek | MCM: Directory | MVP: Security

[email protected] | www.sevecek.com

Don’t forget to submit your feedback and win a great Nokia smartphone and Kindle e-reader!