designing secure sharepoint external access ondrej sevecek | mcm: directory | mvp: security...
TRANSCRIPT
Designing Secure SharePoint External Access
Ondrej Sevecek | MCM: Directory | MVP: Security
[email protected] | www.sevecek.com
Challenges
• Secure authenticated access
• Smooth document access from Office applications
• Repeated password prompts
• Endpoint compliance
• Intrusion prevention
SharePoint Authentication
• Classic Mode Authentication• NTLM or Kerberos
• Claims Based Authentication• NTLM or Kerberos• Basic• ASP.NET Forms• Active Directory Federation Services
Extending Web Applications
WFE
LAN
Internet
Intranet Web Sitehttp://intranet
Extranet Web Sitehttps://extranet.idtt.com
Web ApplicationContent DB
Kerberos
Forms
.PDF/.DOC
Visitors READ
LDAPAD
SharePoint Authentication
• External access for internal users• Basic• NTLM (no SSO)• Kerberos (only on intranet)• SSL client certificates
• Not suitable for external users• accounts in AD• possibly other access
SharePoint Authentication for Internal Users
• Basic• plaintext password• works from internet• no SSO
• NTLM• less secure, MD5• performance problems at 200 +/- users per WFE• no SSO
• Kerberos• secure, mutual authentication, AES, smart cards• faster, smoother• intranet only
• SSL Client Certificates• the most secure, mutual authentication• SSO from outside
Internal Users Authentication
Method SSO Mutual Authentication
Used from internet
Security Notes
Basic no no yes little
NTLM no no yes password hash
performance problems
Kerberos yes yes no password hash
SSL Certificate
yes yes yes private key
Basic Authentication with Port Forwarding
• Simplest to deploy
• Less secure direct access to the farm
• Must use public certificates on the farm
• NTLM would require custom IE configuration and has performance problems
Basic Authentication with TMG Inspection
• Authenticates users at the gateway level• Forms authentication (cookies)• Basic authentication
• Inspects clear HTTP• plus URL filters etc.• intrusion prevention signatures
• Automatically forwards the basic credentials
• Offloads SSL encryption• or hides the internal certficates on the farm
TMG Inspection with Kerberos Delegation
• SSO or smart cards and tokens
• No Basic authentication on the internal part• SharePoint “developers” do not receive your full
password
• Mutual authentication with client certificate
• No password guessing
UAG Inspection with Kerberos Delegation
• TMG features plus
• Predefined URL and application inspections
• User portal access
• Endpoint policies and compliance
Windows Authentication Recap
• Deploy UAG with certificate logon and Kerberos Constrained Delegation, enforce endpoint compliance
• TMG can also authenticate certificates and/or use Kerberos
• Basic authentication is the most simple, but gives too much freedom to users and SharePoint “administrators”
SharePoint Forms Authentication
• No SSO
• Separate accounts for external users
• AD LDS, SQL DB, XML text file, ...
• You manage the account database• create accounts• reset passwords
AD LDS
• Active Directory Lightweight Directory Services
• Standalone LDAP/S server
• Part of Windows Server 2008 and newer• previously free download ADAM
• Installs on Windows 7 as well
• Managed manually using ADSI Edit
AD LDS Authentication with UAG Inspection
• Pre-authenticates users at the gateway level• double login prompt or certificates
• Predefined set of URL and application inspections
• User portal access
• Endpoint policies and compliance
AD FS
• HTTPS/XML authentication protocol
• Replacement for AD trusts
• Free download• RTW – released to web
• Accounts managed by Account Partner
• Resource Partner just accepts identity claims
• Requires level of management on the Account Partner part
Takeaway
• Use certificates and/or Kerberos for internal users
• Use AD LDS for external partners without AD FS
• Use AD FS for larger external partners who do want to manage their own accounts
Ondrej Sevecek | MCM: Directory | MVP: Security
[email protected] | www.sevecek.com