Tech Ed 2006 South East Asia: Security And Compliance, by Joel Oleson
Microsoft Office SharePoint Server 2007 Security, Compliance and Policy from Service Accounts to Item Level Permissions
Joel Oleson
Sr. Product Manager
Key Takeaways
• Learn in this session
– Configure authentication
– Manage permissions
– Securely configure your web farm
– Enable auditing for compliance
– Manage retention policies
– Report on security-related events
Agenda
• Intro… SharePoint Products & Technologies
• Windows and ASP.NET authentication
• Managing security
• Compliance from bottom to top
• Web farm configuration
• Questions?
SharePoint 2007 Feature Areas
• Collaboration – Docs/tasks/calendars, blogs, wikis, e-mail integration, project management “lite”, Outlook integration, offline docs/lists
• Portal – Enterprise Portal template, Site Directory, My Sites, social networking, privacy control
• Search – Enterprise scalability, contextual relevance, rich people and business data search
• Business Forms – Rich and Web forms based front-ends, LOB actions, pluggable SSO
• Business Intelligence – Server-based Excel spreadsheets and data visualization, Report Center, BI Web Parts, KPIs/Dashboards
• Content Management – Integrated document management, records management, and Web content management with policies and workflow
• Platform Services – Workspaces, Mgmt, Security, Storage, Topology, Site Model
User Authentication
• Authentication = Who are you?
– User identity
– User groups/roles as defined by the directory
– Same in WSS and MOSS!
• Windows
– Windows integrated, Basic, Digest, etc.
• ASP.NET Pluggable Authentication
– Forms – locally hosted login form
– Web SSO – remotely hosted login form
Windows Authentication
• Provided by IIS – SharePoint consumes
• Windows Integrated
– Kerberos/Negotiate
– NTLM
• Basic
• Digest
• Certificates (Must use IIS to configure)
Configuring Kerberos
• The Service Principal Name (SPN) registered with the KDC for the web application’s host name must be registered to the SharePoint application pool account
ASP.NET Authentication
• Pluggable authentication framework
– User identity is independent from the Operating System (OS) identity
– Custom code to handle authentication
– Two related providers
  • Membership – user identities
  • Role – roles/groups/attributes for a user
• Out-of-the-box providers
– LDAP (Office SharePoint Server)
– SQL Server (ASP.NET)
– AD – single domain only (ASP.NET)
ASP.NET Pipeline (diagram)
• Components: Authentication Module, Role Manager, Membership Provider, SharePoint Content Database, User/Group Directories
• Flows shown: User Identity, Client Redirects, Groups/Roles, Authorization, Invitations
Web.config
<membership>
  <providers>
    <add name="YourMembershipProviderName" connectionStringName="YourConnectionString" … />
  </providers>
</membership>
<roleManager>
  <providers>
    <add name="YourRoleProviderName" connectionStringName="YourConnectionString" … />
  </providers>
</roleManager>
<connectionStrings>
  <add name="YourConnectionString" connectionString="data source=127.0.0.1;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
</connectionStrings>
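As an added example (not part of the deck), a small Python audit of the provider wiring in a web.config of the shape shown above: it checks that every membership and role provider points at a defined connection string, that the connection string uses Integrated Security rather than an embedded SQL password, and that the required type attribute (elided as “…” on the slide) is present. Provider and connection-string names follow the slide; the sample document, the misspelling and the LegacyRoles provider are constructed for this example.

```python
"""Added example, not from the slides: audit <membership>/<roleManager>
provider wiring in a SharePoint web.config. Provider names follow the
slide; the sample document itself is constructed for this example."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: a correct membership provider, a role provider whose
# connectionStringName is misspelled, and a second role provider with no
# type attribute that points at a connection string embedding a password.
SAMPLE_WEB_CONFIG = """\
<configuration>
  <connectionStrings>
    <add name="YourConnectionString"
         connectionString="data source=127.0.0.1;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
    <add name="LegacyString"
         connectionString="data source=sql01;User ID=sa;Password=example;Initial Catalog=aspnetdb" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="YourMembershipProviderName" connectionStringName="YourConnectionString"
             type="System.Web.Security.SqlMembershipProvider" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers>
        <add name="YourRoleProviderName" connectionStringName="YourConectionString"
             type="System.Web.Security.SqlRoleProvider" />
        <add name="LegacyRoles" connectionStringName="LegacyString" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
"""


def audit_providers(web_config_xml: str) -> List[str]:
    """Return one human-readable finding per misconfiguration (empty list = clean)."""
    root = ET.fromstring(web_config_xml)
    conn_strings: Dict[str, str] = {}
    for section in root.iter("connectionStrings"):
        for add in section.findall("add"):
            conn_strings[add.get("name", "")] = add.get("connectionString", "")

    findings: List[str] = []
    for section_name in ("membership", "roleManager"):
        for section in root.iter(section_name):
            for add in section.findall("providers/add"):
                where = f"{section_name}/{add.get('name')}"
                cs_name = add.get("connectionStringName")
                if not add.get("type"):  # ASP.NET requires type= on every provider <add>
                    findings.append(f"{where}: missing type attribute")
                if cs_name not in conn_strings:
                    findings.append(f"{where}: connectionStringName '{cs_name}' is not defined")
                    continue
                cs = conn_strings[cs_name].lower()
                if "password=" in cs or "pwd=" in cs:
                    findings.append(f"{where}: '{cs_name}' embeds a SQL password; use Integrated Security=SSPI")
                elif "integrated security=" not in cs and "trusted_connection=" not in cs:
                    findings.append(f"{where}: '{cs_name}' does not use Windows integrated security")
    return findings


if __name__ == "__main__":
    for finding in audit_providers(SAMPLE_WEB_CONFIG):
        print(finding)
```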
ASP.NET Authentication Limitations
• Browser clients only
– Search crawler must use Windows authentication
– Office client interaction degraded
• One authentication type per web application
– No Windows and Forms in the same domain
– One provider pair per domain
• Forms over Windows accounts
– Forms user is not the same as the Windows user
Authentication & Alternate Access Mappings
Sample Deployment Governance Model (diagram: site types by lifetime)
• Permanent – Enterprise Search, News, KPIs / Business Intelligence; Corporate Business Taxonomy with Divisional Stakeholders
• Permanent – Business Process Management, Dashboards, Division Scoped Search, Group Reporting & Scorecards, Site Directories & Site Maps
• As Needed – Document & Records Mgmt, Aggregation, Project Reports
• Semi Permanent – Private & Shared Contextual Collab
• Short Lived – Collaboration
• Exists with AD User
• Ad hoc Self Service w/ Retention Policies
Common Information Management Roles
• Information Worker – Consumes and creates content
• Site Administrator – Creates lists, manages site roles & manages permissions
• Business Owner/Application Owner – Responsible for architecting the departmental top-down solution for Enterprise Search, Profiles, Site Hierarchy/Site Map, Site Directory, branding
• IT Pro/Farm Administrator – Manages the server farm, installs & deploys servers and web parts, manages capacity planning
Administrative Architecture
Three Tier Admin: Web-based, role & task delineated, controlled delegation, secure isolation
• Central Admin (IT Admins) – Authentication, Security Policies, Farm Configuration
• Shared Services (Shared Content Admins) – Service Authorization, Service Configuration; MOSS only
• Site Settings (Content Admins) – Content Authorization
Site Topologies
Portals are sites with a special template and *features*
(diagram) Office SharePoint Server → Web Application(s) → Central Admin, SSP Admin and Portal Template sites
Authorization Tools
• Authorization = What can you do?
– SharePoint Content – What can you view, update, delete, and customize?
– Data Services – What services and tools can you use?
– Configuration – What rules are enforced everywhere in the application?
Permissions Management
• Group-based permissions management
• Role-based permissions management
• Fine-grained permissions control– List, library, folder, item, and document
• Anonymous access
• Security trimmed user interface!
• Explicit access denied experience!
SharePoint Groups
• New permissions management experience
– Three default groups
  • Owners – full control
  • Members – contribute to existing lists and libraries
  • Visitors – read only
– Integrated with the user information list
• SharePoint groups can be assigned permissions anywhere in the site collection
• Group administration scales better
Permission Levels
• Collections of rights, not people
– Full Control – Has full control
– Design – Can view, add, update, delete, approve, and customize
– Contribute – Can view, add, update, and delete
– Read – Can view only
• Customizable
• Inheritable across site collection
Fine Grained Permissions
• New securable objects
– Web site
– Lists and libraries
– Folders within a list or library
– Document or list item
• Consistent user interface top to bottom
– Permission levels
– Inherit from parent or unique permissions
Site Collection Administrators
• Users with full control over all content in the site collection
– Fix lock-out problems
– Recover items from the 2nd stage recycle bin
– Cannot be removed from permissions
New Permissions
• Edit User Information – display name, e-mail, etc.
• Approve Items – promote minor to major version
• View Versions
• Delete Versions
• Create Alerts – separated from View Items
• Manage Alerts – create alerts for other people
• Enumerate Permissions – read, but not change
• Open Items – view source of server files (ASPX)
• View Application Pages – e.g. _layouts pages
• Use Remote Interfaces – e.g. SOAP
• Use Client Integration Features – e.g. Office
Permissions Management
Shared Services
• Business data catalog
– Impersonation/delegation
  • Kerberos constrained delegation
  • Office server SSO
– Trusted subsystem
• Excel trusted locations
• User profile rights
– Property visibility
• Audiences are NOT for security
Shared Services Provider
• Resource optimization
• Security isolation
• Delegation of administration
• Can be shared across farms
Shared Services
(diagram)
• Web applications, each in its own application pool: CorpWeb, WinWeb, OfficeWeb, LegalWeb
• Shared services consumed by all of them: Office Server Search, Directory import, User profile synch, Audiences, Targeting, Business data catalog, Excel calculation service, Usage Reporting
Shared Services: Audiences
Security Policy
• Centrally enforced permissions for all sites in the web application
– GRANT and DENY
– Bound to web application/zone
• Scenarios
– Full read – search crawling accounts, auditors, legal compliance
– Deny all – security control, regulatory compliance
– Deny write – extranet lockdown
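An added example (not from the deck) that models the chain described on the Permission Levels, Fine Grained Permissions and Security Policy slides: permission levels as named sets of rights, role assignments inherited from site to library to folder to item until an object is given unique permissions, and a web application policy applied on top where GRANT adds rights everywhere and DENY removes them everywhere. All principals, site names and right names are constructed.

```python
"""Added example, not from the slides: SharePoint 2007 authorization chain
(permission levels -> inherited/unique scopes -> web application policy).
All principals, sites and right names below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Permission levels = named collections of rights, not people.
PERMISSION_LEVELS: Dict[str, Set[str]] = {
    "Read":         {"view"},
    "Contribute":   {"view", "add", "update", "delete"},
    "Design":       {"view", "add", "update", "delete", "approve", "customize"},
    "Full Control": {"view", "add", "update", "delete", "approve", "customize",
                     "manage_permissions"},
}
ALL_RIGHTS: Set[str] = set().union(*PERMISSION_LEVELS.values())
WRITE_RIGHTS: Set[str] = ALL_RIGHTS - {"view"}


@dataclass
class Securable:
    """Site, list/library, folder or item. assignments=None means inherit."""
    name: str
    parent: Optional["Securable"] = None
    assignments: Optional[Dict[str, str]] = None  # principal -> permission level

    def role_assignments(self) -> Dict[str, str]:
        node = self
        while node.assignments is None:  # walk up to the nearest unique scope
            if node.parent is None:
                return {}
            node = node.parent
        return node.assignments


@dataclass
class WebAppPolicy:
    """Central policy bound to one web application zone."""
    grant: Dict[str, Set[str]] = field(default_factory=dict)
    deny: Dict[str, Set[str]] = field(default_factory=dict)


def effective_rights(principals: Set[str], obj: Securable, policy: WebAppPolicy) -> Set[str]:
    """Rights of a user holding `principals` (own account plus groups) on obj."""
    rights: Set[str] = set()
    for principal, level in obj.role_assignments().items():
        if principal in principals:
            rights |= PERMISSION_LEVELS[level]
    for p in principals:  # policy GRANT applies regardless of site settings
        rights |= policy.grant.get(p, set())
    for p in principals:  # policy DENY wins over every grant
        rights -= policy.deny.get(p, set())
    return rights


# Constructed hierarchy: site -> library (inherits) -> folder (unique) -> item (inherits)
SALES = Securable("Sales site", assignments={
    "Sales Owners": "Full Control", "Sales Members": "Contribute", "Sales Visitors": "Read"})
CONTRACTS = Securable("Contracts library", parent=SALES)
CONFIDENTIAL = Securable("Confidential folder", parent=CONTRACTS,
                         assignments={"Sales Owners": "Full Control", "Legal": "Read"})
NDA_ITEM = Securable("nda.docx", parent=CONFIDENTIAL)

INTRANET = WebAppPolicy(grant={"svc_crawler": {"view"}})            # full read for the crawler
EXTRANET = WebAppPolicy(deny={"Sales Members": WRITE_RIGHTS,        # extranet lockdown
                              "contractor": ALL_RIGHTS})          # deny all

if __name__ == "__main__":
    alice = {"alice", "Sales Members"}
    print(sorted(effective_rights(alice, CONTRACTS, INTRANET)))  # contribute, inherited
    print(sorted(effective_rights(alice, NDA_ITEM, INTRANET)))   # [] -> security trimmed
    print(sorted(effective_rights({"svc_crawler"}, NDA_ITEM, INTRANET)))  # ['view'] via policy
    print(sorted(effective_rights(alice, CONTRACTS, EXTRANET)))  # ['view'] only
```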
Business Benefits
• Reduce costs of retrieving information for legal discovery
• Reduce risk of non-compliance and legal liability
• Retain vital records for business continuity
Compliance
• Auditing
– Content Modifications
– Content Viewing
– Deletion
– More
• Bar Codes (for tracking)
• Expiration
• Security Report
• Policy Modification
• Custom Report
Organizational Styles (diagram)
• Styles: Distributed, Structured, Autonomous
• Storage scopes shown: Server, Site Collection, Site, Library, Folder
• Site types shown: Portal\Team Site, Document Center, Records Repository
Managing Collaborative Spaces (diagram)
• Office SharePoint Server sites: Sales, Asia Pacific Region, Employment Claims, Contracts
• Content Types to classify content
• Policies to audit and expire information
• Server-side IRM
• Declared records sent to the Records Repository
Records Repository (diagram)
• Records Repository template
• Transfers document context
• Configure policies as per retention schedule
• Configure repository as per file plan
• Shown: Records Manager; record collections Contracts, Asia Pacific Region, Financials, Mortgage; inputs from Doc Mgmt Systems, Physical Assets and the E-mail/services Interface
Compliance Auditing
Web Farm Configuration
• Application pool accounts
– Full control over content
– Act as the “SharePoint\system” account
• Timer service accounts
– Timer
– Admin Service – must run as Local System
• SQL Servers
– Kerberos SPN issue applies here too!
Security Configuration
• Rights mask
• Blocked file types
• Form digest timeout
• Safe control list
• Code access security
• Code execution paths
• Virus scanning
Office Server SSO
• Credentials for the server-to-server hop
• Unique or shared
(diagram) Client → SharePoint → External Data, with Credentials supplied on the second hop
Admin Access To Data
• Central administrators no longer have default full access to content
• Central administrators can grant themselves access to any content
– Security policy
– Site collection owners/administrators
– Both actions are audited in the NT Event Log
WSS Topology (diagram)
• Router in front of multiple Web Servers
• Search servers
• Content DBs and Config DB
MOSS Shared Services (diagram)
• Router in front of multiple Web Servers
• App Servers: Index, Query, Excel, InfoPath, User Profile, etc.
• Content DBs, Config DB and Shared Services DB
Example Multi-Farm Topology
Configuration Best Practices
• Unique accounts
– Central administration
– Shared services process
– Shared services shared web service account
– Content app pools
• Kerberos on (default = NTLM)
– Each process account must be a registered SPN to work
– SQL 2005 defaults to Kerberos with non-system process ID!
• SSL enabled (default = off)
– Turn on for admin sites and server to server
– Warning provided on credentials pages if SSL is off
• SPAdmin service
– Single server: Off (recommend ‘On’ for OSS)
– Farm: On
Session Summary
• Pluggable authentication
– Windows – Kerberos, NTLM, Basic
– ASP.NET – Forms and Web SSO
• Managing permissions
– Site settings: Site, list, folder, and item
– Shared services
– Central admin policies and configuration
• Web farm configuration
– Application pool accounts
– Other process accounts
Call To Action
• Use Kerberos!
– More secure than NTLM
– Better performance than NTLM
• Evaluate authentication
– Ready for Forms authentication?
• Evaluate content topology
– Do folder and item level permissions change how you deploy SharePoint content?
• Model your groups
References
• Kerberos Protocol Transition and Constrained Delegation
• ASP.NET Developer Center: Provider Toolkit
• SharePoint Server 2007 Tech Center
• Planning Logical Architecture
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.