securing sharepoint environment and its content - sharepoint user group uk cambridge (22 march 2016)
TRANSCRIPT
#SUGUK@techChirag
Securing SharePoint Environment and Content
Chirag Patel – 22 March 2016
SharePoint User Group UK - Cambridge
CIA Triad
Confidentiality: the state of being secret
Integrity: the state or quality of being entire or complete
Availability: present and ready for use
ICT Policy Statement Areas: System Accounts, Computing Assets, Network Usage, Electronic Communications, Enforcements
SharePoint Security
About Chirag
techChirag.com | @techChirag
Good Security Practices
Platform Security & Authentication Methods
In-depth planning and knowledge of the overall information architecture (IA) design
Understanding and awareness of SharePoint capabilities available
54% feel that their organization is exposed to considerable risk due to stored content that is not correctly identified(Source: http://info.aiim.org/content-analytics)
Encryption
Data at rest: disk encryption, file encryption
Data in transit: secure (HTTPS/TLS) browser traffic to and between SharePoint web sites
Database: unencrypted by default; weigh performance against vulnerability (SQL Server Transparent Data Encryption covers the data files, log and backups of a content database)
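The database point above, as an added example that is not part of the original slides: enabling SQL Server Transparent Data Encryption (TDE) on one content database from PowerShell and then verifying the encryption state. The SQL instance name SQL01, database WSS_Content_HR, certificate name SPContentTDECert and backup folder D:\TDEKeys are assumptions for the example; the SqlServer module (Invoke-Sqlcmd) and a sysadmin login are required.

```powershell
# Added example, not from the slides: enable TDE on one SharePoint content database.
# Assumed names: instance SQL01, database WSS_Content_HR, certificate SPContentTDECert,
# backup folder D:\TDEKeys. Requires the SqlServer module and sysadmin rights.
param(
    [string]$SqlInstance = "SQL01",
    [string]$Database    = "WSS_Content_HR",
    [string]$CertName    = "SPContentTDECert",
    [string]$BackupDir   = "D:\TDEKeys"
)
Import-Module SqlServer -ErrorAction Stop

# Prompt for the two secrets instead of hard-coding them; double any single quote for T-SQL.
function Read-Secret([string]$Prompt) {
    $s = Read-Host -AsSecureString $Prompt
    ([System.Net.NetworkCredential]::new("", $s)).Password.Replace("'", "''")
}
$masterKeyPwd = Read-Secret "Password for the master database master key"
$privKeyPwd   = Read-Secret "Password protecting the certificate backup"

# 1. Server-level key material lives in master: a database master key and a certificate.
$masterSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$masterKeyPwd';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = '$CertName')
    CREATE CERTIFICATE [$CertName] WITH SUBJECT = 'TDE for SharePoint content databases';
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query $masterSql

# 2. Back the certificate up straight away: without it an encrypted database (or its backup)
#    cannot be restored on any other instance. Move the .cer/.pvk off the SQL host.
$backupSql = @"
BACKUP CERTIFICATE [$CertName] TO FILE = '$BackupDir\$CertName.cer'
    WITH PRIVATE KEY (FILE = '$BackupDir\$CertName.pvk', ENCRYPTION BY PASSWORD = '$privKeyPwd');
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query $backupSql

# 3. Per database: create the database encryption key, then switch encryption on.
$dbSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE [$CertName];
ALTER DATABASE [$Database] SET ENCRYPTION ON;
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $dbSql

# 4. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
#    tempdb appears in the list too: SQL Server encrypts it once any user database uses TDE.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query @"
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
"@ | Format-Table -AutoSize
```

The background encryption scan is the performance cost the slide refers to; run it on one database at a time and outside peak hours, and treat the certificate backup and its password as the real secret, since anyone who holds them can restore the database elsewhere.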
Antivirus for SharePoint
Scan on upload
Scan on download
SharePoint Content Hierarchy
User and permission policy at web application level
User security boundary at site collection level
Permission inheritance at site level
Documents, Items and Pages
Folders, Document Sets
Subsites, Libraries and Lists
Sites
Site Collections
Content Databases
Web Applications
Service Applications
Servers: Web, App, Database
SharePoint Server Farm
Who is the SharePoint Administrator?
App Administrator
Site owners
Site collection admin
Service app admin
Web App admin
Farm Administrator
Database Administrators (DBA)
Server Administrator
Network Administrator
Developers
SharePoint Policies
User Policy: the users and groups to which the permissions apply
Permission Policy: a set of permissions that applies to only a subset of users or groups; set per zone on a web application with multiple zones; define custom permission levels
Information Management Policy: not a security policy; rules for a type of content (retention, auditing, etc.)
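Web application user policies, as an added example that is not from the original slides: list every policy on every zone of a web application, then add a Full Read policy for a search crawl account on the Default zone if it is missing. The web application URL https://intranet.contoso.com and the account CONTOSO\svc_search are assumptions; run it in the SharePoint Management Shell on a farm server.

```powershell
# Added example, not from the slides: audit and set web application user policies.
# Assumed: web app https://intranet.contoso.com, Windows-claims crawl account CONTOSO\svc_search.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication "https://intranet.contoso.com"

# 1. Audit. Policies are stored per zone, so walk every zone the web app is bound to.
#    A policy here overrides every site, list and item permission beneath it, which is
#    exactly why the list should be short and reviewed.
foreach ($zone in $wa.IisSettings.Keys) {
    foreach ($p in $wa.ZonePolicies($zone)) {
        $roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-10} {1,-45} {2}" -f $zone, $p.UserName, $roles
    }
}

# 2. Grant the crawl account Full Read on the Default zone (the least it needs to index
#    everything), and nothing more. Windows accounts are claims-encoded as i:0#.w|DOMAIN\user.
$crawl    = "i:0#.w|contoso\svc_search"
$policies = $wa.Policies   # shorthand for the Default zone
if (-not ($policies | Where-Object { $_.UserName -eq $crawl })) {
    $policy   = $policies.Add($crawl, "Search crawl account")
    $fullRead = $wa.PolicyRoles.GetSpecialRole(
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
    $policy.PolicyRoleBindings.Add($fullRead)
    $wa.Update()
    "Added Full Read policy for $crawl on the Default zone"
}
```

Full Control and Full Read policies bypass site ACLs entirely, so the audit loop is the check to run whenever an account appears to see content it was never granted at site level.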
Active Directory (AD) vs SharePoint Security Groups
AD security groups: reusable across site collections; site owners lose the flexibility to manage members themselves
SharePoint security groups: SharePoint users manage members freely without the IT department; limited to the site collection only
Users -> SharePoint Groups: better for "collaboration" sites (teams, projects, meetings, etc.)
Users -> AD Groups -> SharePoint Groups: better for organisational sites (intranet, departments)
Default Site Member Group
Edit (SharePoint 2016 & 2013): Contribute permissions plus Manage Lists, i.e. create and delete lists, manage columns and content types, and manage public views
Contribute (SharePoint 2010): Add Items, Edit Items, Delete Items, Delete Versions, Browse Directories, Edit Personal User Information, Manage Personal Views, Add/Remove Personal Web Parts, Update Personal Web Parts
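The two slides above in practice, as an added example that is not from the original slides: inspect the permission level bound to a site's default Members group, drop it from Edit (the 2013/2016 default) back to Contribute, and then add an AD security group to it so membership is managed in AD rather than by the site owner. The site URL https://intranet.contoso.com/sites/hr and the AD group CONTOSO\HR-Staff are assumptions.

```powershell
# Added example, not from the slides: downgrade the default Members group from Edit to
# Contribute and add an AD group to it. Assumed: site /sites/hr, AD group CONTOSO\HR-Staff.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb "https://intranet.contoso.com/sites/hr"
try {
    # Role assignments can only be changed where they are defined, not on an inheriting web.
    if (-not $web.HasUniqueRoleAssignments) {
        throw "$($web.Url) inherits permissions; change the level on the parent that defines them."
    }

    $members = $web.AssociatedMemberGroup
    $ra      = $web.RoleAssignments.GetAssignmentByPrincipal($members)
    $levels  = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
    "$($members.Name) currently has: $($levels -join ', ')"

    if ($levels -contains "Edit") {
        # Replace every binding on the group with Contribute only, so members can still
        # add, edit and delete items but can no longer create or delete lists.
        $ra.RoleDefinitionBindings.RemoveAll()
        $ra.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute"])
        $ra.Update()
        "Downgraded $($members.Name) from Edit to Contribute"
    }

    # AD group -> SharePoint group (the organisational-site pattern from the slide).
    $adGroup = "CONTOSO\HR-Staff"
    New-SPUser -UserAlias $adGroup -Web $web -Group $members.Name | Out-Null
    "Added $adGroup to $($members.Name)"
}
finally {
    $web.Dispose()
}
```

Re-run the first part across all site collections to find where an upgraded farm still hands out Edit by default; the Contribute level is the one that matches what most site owners believe "member" means.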
Security Limits
Assigning unique permissions to an entity creates a new security scope
Security scopes: 50,000 per list
Size of scope: 5,000 principals per scope
5,000 users supported per SharePoint group
A user can belong to 5,000 SharePoint groups
Source: https://technet.microsoft.com/en-GB/library/cc262787.aspx
SHARE Button Control
Sharing a site, library, folder or document breaks permission inheritance on that object
Unknowingly, a member added to the site later cannot access everything, only the items that still inherit their permissions
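An audit that serves both the Security Limits slide and the SHARE button slide, as an added example that is not from the original slides: walk a site collection and report every web, list, folder and item with unique permissions (each one is a security scope), then warn about lists approaching the 50,000-scope limit and scopes approaching the 5,000-principal limit. The site collection URL https://intranet.contoso.com/sites/hr is an assumption. HasUniqueRoleAssignments costs a query per item, so run this off-hours on large lists.

```powershell
# Added example, not from the slides: find every security scope in a site collection and
# flag objects near the supported limits. Assumed: site collection /sites/hr.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl        = "https://intranet.contoso.com/sites/hr"
$scopeLimit     = 50000   # unique security scopes per list
$principalLimit = 5000    # principals per scope
$warnAt         = 0.8     # warn at 80% of either limit

function Get-UniquePermissionReport([string]$Url) {
    $site = Get-SPSite $Url
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) {
                    [pscustomobject]@{ Type = "Web"; Url = $web.Url
                                       Principals = $web.RoleAssignments.Count; Scopes = $null }
                }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    $scopes = 0
                    if ($list.HasUniqueRoleAssignments) {
                        $scopes++
                        [pscustomobject]@{ Type = "List"; Url = $list.RootFolder.ServerRelativeUrl
                                           Principals = $list.RoleAssignments.Count; Scopes = $null }
                    }
                    # RecursiveAll returns folders as well as items; page through 2000 at a time.
                    $query = New-Object Microsoft.SharePoint.SPQuery
                    $query.ViewAttributes = "Scope='RecursiveAll'"
                    $query.ViewFields = "<FieldRef Name='ID'/><FieldRef Name='FileRef'/>"
                    $query.RowLimit = 2000
                    do {
                        $page = $list.GetItems($query)
                        foreach ($item in $page) {
                            if ($item.HasUniqueRoleAssignments) {
                                $scopes++
                                [pscustomobject]@{ Type = "Item"; Url = $item.Url
                                                   Principals = $item.RoleAssignments.Count; Scopes = $null }
                            }
                        }
                        $query.ListItemCollectionPosition = $page.ListItemCollectionPosition
                    } while ($query.ListItemCollectionPosition -ne $null)
                    [pscustomobject]@{ Type = "ListTotal"; Url = $list.RootFolder.ServerRelativeUrl
                                       Principals = $null; Scopes = $scopes }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

$report = Get-UniquePermissionReport $siteUrl
$report | Where-Object { $_.Type -ne "ListTotal" } | Format-Table -AutoSize
$report | Where-Object { $_.Type -eq "ListTotal" -and $_.Scopes -ge $scopeLimit * $warnAt } |
    ForEach-Object { Write-Warning "$($_.Url): $($_.Scopes) unique scopes (limit $scopeLimit)" }
$report | Where-Object { $_.Principals -ge $principalLimit * $warnAt } |
    ForEach-Object { Write-Warning "$($_.Url): $($_.Principals) principals in one scope (limit $principalLimit)" }
```

Every "Item" row in the report is a place where the SHARE button (or an explicit "stop inheriting") has created a scope that a later site member will not see; a long tail of such rows in one library is the usual symptom of ad hoc sharing and the first thing to clean up before the scope limit is hit.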
External Sharing vs Extranet
External sharing: use forms-based authentication; Active Directory accounts are liable for Windows Server CALs
Extranet: multi-farm deployments; extend the web application for more control over authentication
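The "extend the web application" option, as an added example that is not from the original slides: extend an existing web application into the Extranet zone on its own host name with forms-based authentication only, then put a Deny Write policy on that zone so partners can read but never write through it, whatever a site owner has shared. The web application https://intranet.contoso.com, the host partners.contoso.com, the ASP.NET providers PartnerMembers/PartnerRoles and the FBA role name partners are assumptions; the providers must already be registered in the web.config of Central Administration, the Security Token Service and this web application.

```powershell
# Added example, not from the slides: extend a web app into the Extranet zone with FBA
# and a zone-only Deny Write policy. Assumed: web app https://intranet.contoso.com,
# host partners.contoso.com, providers PartnerMembers/PartnerRoles, FBA role "partners".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication "https://intranet.contoso.com"

# 1. Authentication provider for the new zone: FBA only, no Windows authentication here,
#    so external accounts never need an AD object (or a Windows Server CAL).
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider "PartnerMembers" `
                                    -ASPNETRoleProviderName "PartnerRoles"

# 2. Extend: same content databases, but a separate IIS site, zone and auth provider.
New-SPWebApplicationExtension -Identity $wa -Name "Intranet - Extranet zone" `
    -Zone Extranet -URL "https://partners.contoso.com" -Port 443 `
    -HostHeader "partners.contoso.com" -SecureSocketsLayer `
    -AuthenticationProvider $fba | Out-Null

# 3. Zone-scoped policy. Re-read the web app first so the object is not stale after the
#    extension. An FBA role is claims-encoded as c:0-.f|<role provider>|<role>.
$wa        = Get-SPWebApplication "https://intranet.contoso.com"
$extranet  = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet
$policies  = $wa.ZonePolicies($extranet)
$roleClaim = "c:0-.f|PartnerRoles|partners"
if (-not ($policies | Where-Object { $_.UserName -eq $roleClaim })) {
    $policy    = $policies.Add($roleClaim, "Partners (extranet zone, read only)")
    $denyWrite = $wa.PolicyRoles.GetSpecialRole(
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyWrite)
    $policy.PolicyRoleBindings.Add($denyWrite)
    $wa.Update()
}

# -SecureSocketsLayer only marks the IIS binding as https; bind the TLS certificate to the
# new IIS site separately on every web front end.
```

The policy is the control the slide is pointing at: because it sits on the zone, it applies only to requests that arrive through partners.contoso.com, while internal users on the Default zone are unaffected.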
Content Schema – No Security
Content types: hub, site collection, sites; read-only/writeable
Columns: hub, site collection, sites; column data ownership
Views: list or library level; personal views
Managing Audiences
The audience feature is NOT a security feature
Simply a display/hide feature driven by profile attributes
Works with Active Directory security groups but not SharePoint security groups
Data Loss Prevention (DLP) in SharePoint 2016
A method to discover (find) and restrict sensitive data being put into SharePoint that matches policy criteria, through defined industry templates
The person running the query in the eDiscovery Centre must have read access to all data in SharePoint
Comprehensive how-to article by Steve Smith @ Combined Knowledge: https://blogs.msdn.microsoft.com/mvpawardprogram/2016/01/13/data-loss-prevention-dlp-in-sharepoint-2016-and-sharepoint-online/
Site Collections vs Databases
One database, many site collections
Specific database encryption
Separate databases by function, i.e. Projects, Meetings, etc.
Discrete databases for department-based site collections
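The "discrete database per department" point, as an added example that is not from the original slides: create a content database capped at a single site collection, move the department site collection into it, and verify the placement. The web application https://intranet.contoso.com, the site collection /sites/finance, the SQL instance SQL01 and the database name WSS_Content_Finance are assumptions.

```powershell
# Added example, not from the slides: isolate one site collection in its own content database.
# Assumed: web app https://intranet.contoso.com, site /sites/finance, SQL01, WSS_Content_Finance.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$waUrl   = "https://intranet.contoso.com"
$siteUrl = "$waUrl/sites/finance"
$dbName  = "WSS_Content_Finance"

# 1. New database with a hard cap of one site collection, so "discrete" stays discrete
#    even though New-SPSite otherwise places new sites in the emptiest database.
$db = Get-SPContentDatabase -WebApplication $waUrl | Where-Object { $_.Name -eq $dbName }
if (-not $db) {
    $db = New-SPContentDatabase -Name $dbName -WebApplication $waUrl `
            -DatabaseServer "SQL01" -MaxSiteCount 1 -WarningSiteCount 0
}

# 2. Move the site collection. Move-SPSite copies it SQL-to-SQL and removes the original
#    from the old database, so take a backup of the source first.
$before = (Get-SPSite $siteUrl).ContentDatabase.Name
if ($before -ne $dbName) {
    Move-SPSite -Identity $siteUrl -DestinationDatabase $db -Confirm:$false
    # Documented follow-up: run iisreset on every web server so cached site maps are dropped.
}

# 3. Verify where the site now lives and that nothing else shares its database.
(Get-SPSite $siteUrl).ContentDatabase.Name
Get-SPContentDatabase $dbName | Select-Object Name, CurrentSiteCount, MaxSiteCount, Status
```

Once the department's content sits in its own database, the controls on the Encryption slide (database-level TDE), backup and restore granularity, and DBA-level access can all be applied to that department alone rather than to every site collection that happened to share a database with it.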
Backup & Restore Scenarios
Source: https://technet.microsoft.com/en-us/library/cc263199.aspx
slideshare.net/techChirag
Thank you!