Securing SharePoint Technology
Joel Oleson (http://blogs.msdn.com/joelo)
Sr. Technical Product Manager
Microsoft Corporation
IW316
Agenda
• Site Collection and below
  – Demo: Site Permissions and Item level security
• Web App Security
  – Demo: Web Application Policies
• Farm Security
  – Demo: Forms based authentication
• Summary
• Q/A
Site and List Security: Data Protection
Item Level Security and Security Trimming
– Permissions can be set at every level from the site collection down to individual objects.
– By default, child objects inherit permissions from their parent.
– 33 base permissions, grouped into permission levels, can be assigned to a user or SharePoint group.
– Permissions can be specified on individual items.
– Search results are trimmed to the security context of the user who issued the query.
– The UI is security-trimmed: a user sees only the objects that user is permitted to access.
Permission Management Architecture
– Sets permissions for SharePoint users, SharePoint groups, and domain (Windows) groups.
– Default groups: • Owners (Full Control) • Members (Contribute) • Visitors (Read)
– Custom groups can be created and managed per site collection.
– Group membership is consistent within the site collection.
– Custom groups are reusable across the different project sites of that site collection.
Demo: Site Permissions and Item level security
Solution Deployment
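As an added illustration of the item-level model above (this is not code from the deck or its demo), the following C# uses the WSS 3.0 server object model to break inheritance on one document, grant the site's Visitors group the built-in Read level on it, and then check the effective ACL with the same call the UI uses for security trimming. The site URL, library name and group name are assumptions.

```csharp
// Added example, not from the deck: WSS 3.0 server object model, runs on a farm server.
// Assumptions: the site URL, library name and group name below.
using System;
using Microsoft.SharePoint;

class ItemLevelSecurityDemo
{
    static void Main()
    {
        using (SPSite site = new SPSite("http://moss/sites/projects"))   // assumed URL
        using (SPWeb web = site.OpenWeb())
        {
            SPList library = web.Lists["Shared Documents"];              // assumed library
            SPListItem doc = library.Items[0];                           // first document

            // 1. Stop inheriting from the library. copyRoleAssignments=false discards the
            //    inherited grants instead of copying them, so the item starts from a
            //    minimal ACL (see step 4: WSS keeps the calling account with Full Control
            //    so the item cannot be orphaned; remove that grant if it is not wanted).
            if (!doc.HasUniqueRoleAssignments)
                doc.BreakRoleInheritance(false);

            // 2. Bind a principal to a permission level. Using the built-in Reader level
            //    matches the "Visitors get Read" default instead of inventing a new one.
            SPGroup visitors = web.SiteGroups["Projects Visitors"];      // assumed group
            SPRoleDefinition readLevel = web.RoleDefinitions.GetByType(SPRoleType.Reader);
            SPRoleAssignment grant = new SPRoleAssignment(visitors);
            grant.RoleDefinitionBindings.Add(readLevel);
            doc.RoleAssignments.Add(grant);

            // 3. Verify against the effective ACL for the calling user. This is the same
            //    check the UI and search use for trimming, so an item that fails it is
            //    also hidden from that user's views and search results.
            Console.WriteLine("{0}: read={1} edit={2} uniqueACL={3}",
                doc.Name,
                doc.DoesUserHavePermissions(SPBasePermissions.ViewListItems),
                doc.DoesUserHavePermissions(SPBasePermissions.EditListItems),
                doc.HasUniqueRoleAssignments);

            // 4. List who now has what, the equivalent of the item's Manage Permissions page.
            foreach (SPRoleAssignment ra in doc.RoleAssignments)
                foreach (SPRoleDefinition rd in ra.RoleDefinitionBindings)
                    Console.WriteLine("  {0} -> {1}", ra.Member.Name, rd.Name);
        }
    }
}
```

Run it under an account that already has rights on the library; step 3 reports the caller's own effective permissions, so when run as a site collection administrator both checks are true regardless of the grant in step 2.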
Information Rights Management (IRM)
– Protects sensitive information at the client level, even when business information is taken offline.
– This may be essential for companies dealing with regulations such as privacy legislation.
– Ensure that all the requirements are met in the environment:
  • Windows Rights Management (WRM) Services Client on the MOSS Web servers.
  • Microsoft Rights Management Services (RMS) connectivity from the SharePoint farm.
  • IRM enabled in SharePoint Central Administration, then configured on each list or library.
SharePoint List and Library IRM integration
– IRM integrates with lists and libraries through the rights management framework.
– IRM imposes access restrictions on the file itself: “no matter where it is stored or who tries to open it”.
– A common IRM policy permits authorized viewing or printing only.
– A “protector” provides the IRM functionality for a given file format. Several (for the Office formats) are installed with MOSS.
– A protector handles encryption on download and decryption on upload for the file types it supports.
– The architecture supports pluggable protectors for other file types.
IRM Scenarios
– Example (diagram): a user requests a rights-managed document through a MOSS 2007 integrated IRM protector.
– IRM extended scenarios include:
  • Re-verifying user credentials after a set time period (the document must be re-downloaded to keep it readable)
  • Disallowing upload of documents that do not support IRM
  • Scheduling an expiration date after which the library stops restricting permissions
  • Binding to a global organization IRM permission policy
IRM Implementation
– IRM works directly with SharePoint data store structures such as document libraries to maintain permissions:
  • A user navigates to an IRM-enabled document library and attempts to download a document.
  • SharePoint matches the user's role on the document library to the document.
  • The protector encrypts the document and adds an issuance license. Result: a 1:1 mapping between the item's permissions and the document's permissions.
  • SharePoint roles on the document translate into IRM permission levels in the document.
  • The document remains encrypted locally, so the permissions carry offline.
[Diagram: User downloads document -> Match role to document library -> Document encrypted, issuance license added -> Permissions carry locally offline]
Content/Audience Targeting
• Web Part/content targeting to:
  – Global Audiences (SSP Audience Configuration), based on:
    • Active Directory attributes
    • Pluggable ASP.NET Membership provider attributes
    • Profile attributes
    Audiences are compiled by a recurring timer job.
  – SharePoint Groups: groups defined from the users and groups in the site's permission levels
  – Distribution/Security Groups
  – My Site secure location targeting
• NOTE: Targeting is not a security control. It does not grant or deny permissions or rights; a targeted Web Part hides content from the page, it does not protect the underlying list.
Secure Collaboration
– Common Services control access to stored information.
– Lockdown permits users to access the authorized information only:
• Binds an identity to a specific object – from a site collection to a document or list.
• Enforces granular access controls and explicit membership to an item.
• UI shows accessible items only.
[Diagram: ECM Components stack. User Interface: Microsoft Office, Web Browser, Third Party Applications. Microsoft Office SharePoint Server 2007: Document Management, Records Management, Web Content Management, Forms Management. Common Services: Workflow, Metadata, Policy, Library Services, IRM, Collaboration, Security, Search. Unified Storage Architecture.]
WEB APPLICATION SECURITY: Authentication and Authorization
Pluggable Authentication Provider
– MOSS integrates ASP.NET 2.0 pluggable authentication for Windows and non-Windows identities.
– Supports the Windows-based authentication methods that ship in the box.
– Enables Internet-facing SharePoint authentication.
– Enables pluggable authentication providers built on the ASP.NET 2.0 membership architecture.
– ASP.NET 2.0 pluggable providers can use membership data stores including:
  • LDAP directories
  • SQL databases
  • Oracle or other ADO.NET/ODBC-compliant data sources
  • XML files or flat text files
[Diagram: Authentication flow. Display Login Page -> Login -> Membership class, ValidateUser method -> Membership Provider: Validate Credentials (custom behavior) -> Access a Data Source (custom schema, custom storage)]
– Supports configurable directories in a member data store.
– Stores pluggable provider credentials in the machine.config file.
– Membership providers include:
• LDAP V3 directory (with MOSS)• SQL Server• Active Directory (ASP .NET 2.0)
– Pluggable membership providers:
• Inherit from the ASP.NET MembershipProvider interface;
• This interface inherits from the ProviderBase class.
<x>MembershipProvider
MembershipProvider
ProviderBase
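An added example, not from the deck, of the smallest custom MembershipProvider that MOSS can reference from web.config for a forms-authenticated zone, written against the ASP.NET 2.0 contract (MembershipProvider derives from ProviderBase, as stated above). The class name, the in-memory user table and the PBKDF2 parameters are assumptions. Only ValidateUser, GetUser and FindUsersByName do real work; every operation that would write credentials is declared unsupported, and the password check is a salted hash compared in fixed time rather than a string comparison.

```csharp
// Added example, not from the deck: a read-only ASP.NET 2.0 MembershipProvider that MOSS
// can reference from web.config for a forms-authenticated zone. The class name, the
// in-memory user table and the PBKDF2 parameters are assumptions; a real provider would
// read credentials from the store named by its connectionStringName attribute.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Security.Cryptography;
using System.Web.Security;

public sealed class SampleFbaMembershipProvider : MembershipProvider
{
    private const int Iterations = 10000;  // PBKDF2 work factor (assumption)
    private string applicationName = "/";

    // Constructed sample store: user name -> { salt, PBKDF2-HMAC-SHA1 hash }.
    private static readonly Dictionary<string, byte[][]> Users = BuildSampleStore();

    private static Dictionary<string, byte[][]> BuildSampleStore()
    {
        Dictionary<string, byte[][]> store =
            new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase);
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);          // per-user random salt
        store["partner1"] = new byte[][] { salt, Derive("correct horse battery", salt) };
        return store;
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(20);
    }

    // Registered in web.config like any provider:
    // <membership defaultProvider="SampleFba"><providers>
    //   <add name="SampleFba" type="SampleFbaMembershipProvider" applicationName="/" />
    // </providers></membership>
    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(name, config);
        if (!string.IsNullOrEmpty(config["applicationName"]))
            applicationName = config["applicationName"];
    }

    // The one method forms authentication calls to log a user in.
    public override bool ValidateUser(string username, string password)
    {
        byte[][] record;
        if (string.IsNullOrEmpty(username) || password == null
            || !Users.TryGetValue(username, out record))
            return false;
        byte[] candidate = Derive(password, record[0]);
        int diff = candidate.Length ^ record[1].Length;       // fixed-time comparison
        for (int i = 0; i < candidate.Length && i < record[1].Length; i++)
            diff |= candidate[i] ^ record[1][i];
        return diff == 0;
    }

    // SharePoint's People Picker resolves forms users through these two, so they must
    // return real data or the user can never be granted a permission level.
    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        if (username == null || !Users.ContainsKey(username)) return null;
        return new MembershipUser(Name, username, username, null, null, null, true, false,
            DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.MinValue);
    }

    public override MembershipUserCollection FindUsersByName(
        string usernameToMatch, int pageIndex, int pageSize, out int totalRecords)
    {
        MembershipUserCollection found = new MembershipUserCollection();
        foreach (string name in Users.Keys)
            if (name.IndexOf(usernameToMatch, StringComparison.OrdinalIgnoreCase) >= 0)
                found.Add(GetUser(name, false));
        totalRecords = found.Count;
        return found;
    }

    // Read-only: advertise no reset/retrieval so SharePoint does not offer those links.
    public override string ApplicationName { get { return applicationName; } set { applicationName = value; } }
    public override bool EnablePasswordReset { get { return false; } }
    public override bool EnablePasswordRetrieval { get { return false; } }
    public override bool RequiresQuestionAndAnswer { get { return false; } }
    public override bool RequiresUniqueEmail { get { return false; } }
    public override int MaxInvalidPasswordAttempts { get { return 5; } }
    public override int PasswordAttemptWindow { get { return 10; } }
    public override int MinRequiredPasswordLength { get { return 8; } }
    public override int MinRequiredNonAlphanumericCharacters { get { return 0; } }
    public override string PasswordStrengthRegularExpression { get { return string.Empty; } }
    public override MembershipPasswordFormat PasswordFormat { get { return MembershipPasswordFormat.Hashed; } }

    private static Exception ReadOnly() { return new NotSupportedException("read-only provider"); }
    public override bool ChangePassword(string u, string o, string n) { throw ReadOnly(); }
    public override bool ChangePasswordQuestionAndAnswer(string u, string p, string q, string a) { throw ReadOnly(); }
    public override MembershipUser CreateUser(string u, string p, string e, string q, string a,
        bool isApproved, object providerUserKey, out MembershipCreateStatus status) { throw ReadOnly(); }
    public override bool DeleteUser(string u, bool deleteAllRelatedData) { throw ReadOnly(); }
    public override MembershipUserCollection FindUsersByEmail(string e, int pi, int ps, out int total) { throw ReadOnly(); }
    public override MembershipUserCollection GetAllUsers(int pi, int ps, out int total) { throw ReadOnly(); }
    public override int GetNumberOfUsersOnline() { return 0; }
    public override string GetPassword(string u, string answer) { throw ReadOnly(); }
    public override MembershipUser GetUser(object providerUserKey, bool userIsOnline) { return GetUser(providerUserKey as string, userIsOnline); }
    public override string GetUserNameByEmail(string email) { return null; }
    public override string ResetPassword(string u, string answer) { throw ReadOnly(); }
    public override bool UnlockUser(string u) { return false; }
    public override void UpdateUser(MembershipUser user) { throw ReadOnly(); }
}
```

The provider must be registered in the web.config of both the forms-authenticated zone and Central Administration, otherwise the People Picker in Central Administration cannot resolve the forms users when you set Web application policies for them.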
Considerations for ASP.NET Authentication
– Authentication types that do not resolve to a Windows identity must use their own zone.
– A mandated PKI infrastructure, such as smartcards, typically resolves to a Windows identity.
– PKI implementations may still require a zone or other configuration.
• Browser clients only
  – The search crawler must use Windows authentication
  – Office client interaction is degraded
• Forms and Windows accounts
  – A forms user is not the same principal as the Windows user of the same name
[Diagram: Company A (Windows Authentication), Company B (Non-Windows Authentication)]
Pluggable Single Sign-On (SSO)
– The MOSS SSO service provides an encrypted back-end cache of users' credentials for mapping to connected LOB systems.
– Aids in retrieving critical information through MOSS mechanisms:
  • Business Data Catalog (BDC)
  • SharePoint DataView Web Parts (DVWP)
– A pluggable SSO provider can be specified instead of SpsSsoProvider.
– Only one SSO provider can be registered at a time.
[Diagram: Shared Service Provider (SSP) hosting the BDC, Web Parts, Lists, Search, User Profiles and custom components; BDC metadata describes the LOB systems (SAP, Siebel, PeopleSoft) reached via ADO.NET or a Web service proxy]
Forms-Based Authentication
– Uses pluggable membership and role providers to enable Internet-style security.
– Supports a customized login process geared to users' needs.
– Forms authentication cookies and tickets are encrypted and signed, so tampering is detected.
– The forms identity provider model, called Web SSO, can plug into an external identity management system.
FBA Web Single Sign-On
– Employs an HTTP module for external authentication.
– Allows external partners to authenticate with their own credentials.
– Delegates login and password reset to the provider.
– Web SSO authentication requires its own (extranet) zone.
[Diagram: Partner Application]
Alternate Access Mappings
– Ensure that internal and external URLs map correctly to the Web application.
– The URL used at creation is mapped by default; additional URLs can be added.
– Alternate URLs can be mapped to one physical path.
– Zones can use different authentication providers and Web application security policies.
– Compensates for different application domains, reverse proxies, and other URL redirection mechanisms.
[Diagram: AAM mappings to one MOSS site: http://extranet.contoso.com (extranet users), http://contoso (intranet users), http://MOSS]
Zones in Alternate Access Mapping (AAM)
– A zone is a separate IIS Web site for the same Web application, bound to the same set of content databases; zones give finer control over AAM.
– Zones use the AAM URL to map different authentication providers to the same physical path and MOSS content.
– Recommended: bind each zone to one authentication mechanism.
• A URL that reaches the Web application without matching a zone on the authentication providers page gets the security settings of the Default zone.
• Recommended: because of that fallback, make the Default zone the most secure zone (typically the Windows-authenticated intranet URL that the crawler uses); put the other URLs in the Intranet, Internet, Custom or Extranet zones.
SharePoint Web Application Security Policies
– Centrally enforced permissions for all sites in the Web application.
– GRANT and DENY, bound to a Web application or to one zone of it.
– Scenarios:
  • Full Read: search crawling accounts, auditors, legal compliance
  • Deny All: security control, regulatory compliance
  • Deny Write: extranet lockdown
– Overrides the granular item-level permission settings; managed from the SharePoint Central Administration interface.
Demo: Web Application Policies
Solution Deployment
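The Full Read and Deny Write scenarios above, applied with the WSS 3.0 object model, as an added example that is not code from the deck or its demo. The Web application URL and the two account names are assumptions; the Deny Write policy uses a Windows group and therefore assumes the Extranet zone is Windows-authenticated (for a forms-authenticated zone you would name the provider's role or user instead).

```csharp
// Added example, not from the deck: Web application policies via the WSS 3.0 object
// model, run on a farm server as a farm administrator. URL and account names are assumptions.
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

class WebAppPolicyDemo
{
    // Idempotent helper: the indexer returns null when no policy exists for the account.
    static SPPolicy GetOrAddPolicy(SPPolicyCollection policies, string account, string display)
    {
        SPPolicy existing = policies[account];
        return existing ?? policies.Add(account, display);
    }

    static void Print(string scope, SPPolicyCollection policies)
    {
        foreach (SPPolicy p in policies)
            foreach (SPPolicyRole role in p.PolicyRoleBindings)
                Console.WriteLine("{0}: {1} -> {2}", scope, p.UserName, role.Name);
    }

    static void Main()
    {
        SPWebApplication webApp = SPWebApplication.Lookup(new Uri("http://moss"));  // assumed URL

        // Scenario 1: Full Read for the content access (crawl) account on all zones.
        // webApp.Policies applies to every zone of the Web application.
        SPPolicy crawl = GetOrAddPolicy(webApp.Policies, @"CONTOSO\svc_crawl", "Search crawl account");
        crawl.PolicyRoleBindings.Add(webApp.PolicyRoles.GetSpecialRole(SPPolicyRoleType.FullRead));

        // Scenario 2: Deny Write bound to the Extranet zone only. Policies override
        // item-level grants, so a contributor arriving through the extranet URL is
        // read-only there while keeping write access through the intranet zone.
        SPPolicyCollection extranet = webApp.ZonePolicies(SPUrlZone.Extranet);
        SPPolicy lockdown = GetOrAddPolicy(extranet, @"NT AUTHORITY\Authenticated Users", "Extranet lockdown");
        lockdown.PolicyRoleBindings.Add(webApp.PolicyRoles.GetSpecialRole(SPPolicyRoleType.DenyWrite));

        webApp.Update();   // persist to the configuration database

        // Check: what is now enforced, the same view as the Central Admin policy page.
        Print("all zones", webApp.Policies);
        Print("extranet", extranet);
    }
}
```

A Deny policy cannot be undone by any site owner, which is the point: it is the one place where an administrator can guarantee a read-only extranet no matter what permissions are granted inside the site collections.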
Encryption of Application Connection Strings
– Storing connection strings in plain text in the web.config file is a security weakness: anyone who can read the file gets the database credentials.
– ASP.NET 2.0 protected configuration can encrypt the connection string section using either:
  • Windows Data Protection API (DPAPI): encrypts and decrypts with the MOSS server's machine key.
  • RSA: uses public-key encryption with a named key container, which can be exported and shared across servers.
– Pluggable protected-configuration providers can use other encryption tools.
Connection String Encryption Best Practices
– For MOSS 2007 with a pluggable SQL Server membership provider, encrypt the <connectionStrings> section to cipher text:
– DPAPI uses the local machine key; the section can be encrypted for a virtual directory or a physical directory. Use the following commands:
– Encrypt the connection strings section, specifying the section name as the parameter:
Connection String Encryption Best Practices (continued)
– After encryption, the sensitive nodes are replaced by well-formed XML cipher values:
– This pluggable model supports custom encryption providers to manage cipher text for the relevant MOSS configuration files.
– Considerations:
  • A section encrypted with the local machine key can be decrypted only on the server where it was encrypted; in a multi-server farm each Web front end must encrypt its own web.config, or use RSA with a key container imported on every server.
  • An intruder with access to the server, and therefore its machine key, can decrypt the connection string; this protects the file at rest, not a compromised host.
  • Decryption adds a minor performance cost when the application loads its configuration.
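An added example, not from the deck, of protecting <connectionStrings> from code with ASP.NET protected configuration; it produces the same result as aspnet_regiis and then reads the section back to show the decryption is transparent to code on that server, which is the caveat above. The IIS site name "SharePoint - 80" is an assumption.

```csharp
// Added example, not from the deck: encrypt <connectionStrings> in a SharePoint web.config
// with ASP.NET protected configuration. Same result as the command line
//   aspnet_regiis -pe "connectionStrings" -app "/" -site "SharePoint - 80" -prov DataProtectionConfigurationProvider
// Run on the Web front end itself, as an administrator. The IIS site name is an assumption.
using System;
using System.Configuration;
using System.Web.Configuration;

class ProtectConnectionStrings
{
    const string SiteName = "SharePoint - 80";                           // assumed IIS site name
    const string DpapiProvider = "DataProtectionConfigurationProvider";  // machine-key DPAPI
    const string RsaProvider = "RsaProtectedConfigurationProvider";      // RSA key container

    static void Main(string[] args)
    {
        // DPAPI binds the cipher text to this machine's key. Pass "rsa" when the same
        // web.config must be copied to several Web front ends: export the container with
        // aspnet_regiis -px, import it on each server with -pi, and grant the application
        // pool identity access to it with -pa.
        string provider = args.Length > 0 && args[0] == "rsa" ? RsaProvider : DpapiProvider;

        Configuration config = WebConfigurationManager.OpenWebConfiguration("/", SiteName);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
        {
            Console.WriteLine("connectionStrings already protected by {0}",
                section.SectionInformation.ProtectionProvider.Name);
        }
        else
        {
            section.SectionInformation.ProtectSection(provider);
            section.SectionInformation.ForceSave = true;   // write even if nothing else changed
            config.Save(ConfigurationSaveMode.Modified);
            Console.WriteLine("connectionStrings encrypted with {0}", provider);
        }

        // The configuration API decrypts transparently for code running on this server:
        // the protection is against reading the file, not against an attacker who can
        // execute code here or read the machine key.
        ConnectionStringsSection css = (ConnectionStringsSection)config.GetSection("connectionStrings");
        foreach (ConnectionStringSettings cs in css.ConnectionStrings)
            Console.WriteLine("{0}: {1}", cs.Name, Redact(cs.ConnectionString));
    }

    // Print only the server part of a connection string, never the credentials.
    static string Redact(string connectionString)
    {
        foreach (string part in connectionString.Split(';'))
        {
            string p = part.Trim();
            if (p.StartsWith("Data Source", StringComparison.OrdinalIgnoreCase)
                || p.StartsWith("Server", StringComparison.OrdinalIgnoreCase))
                return p + ";...";
        }
        return "(redacted)";
    }
}
```

After a successful run the <connectionStrings> element in web.config carries a configProtectionProvider attribute and an <EncryptedData> child instead of the clear-text <add> entries; SharePoint's own code continues to read the section unchanged because the decryption happens inside System.Configuration.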
Shared Service Considerations
• BDC is available to all Web applications consuming the SSP where it is configured.
• Without custom security trimmers:
  – Lotus Notes search results are not trimmed
  – BDC search results are not security trimmed
• WSS search results are trimmed to the site collection by scope; ensure sites are secured appropriately.
Active Directory Federation Services
• ADFS (Active Directory Federation Services) provides a federated Web SSO model, built on Web services (WS-Federation), for authenticating users from non-trusted partner domains. Works with browser-based functions.
• Not recommended where rich-client (Office) access is required.
• Understand the “Enable Client Integration” setting: it matches the Office client's behavior for some FBA providers.
SERVER and FARM SECURITY: Architectural Considerations and Lockdown
Secure by Default
• Anonymous access disabled by default
• Sites secured to the site creator
• Server (farm) administrators have no access to content in the content Web applications
• Permission changes are audited
• Self-Service Site Creation not enabled by default
LOCK IT DOWN!
• Configure firewall rules: lock down to the most restrictive set that keeps an acceptable level of usability (e.g. outbound HTTP: consider RSS/XML Web Part requirements)
• Secure client communication with trusted SSL certificates (128-bit HTTPS)
• IPsec (Require or Request): secure communication between servers and DCs; be careful with NLB and with non-Windows clients (Mac/Unix)
• Enable Kerberos authentication (intranet); be careful with NLB, the SPN must be registered for the load-balanced host name
• SQL: SSL-encrypted traffic plus a non-standard port
• Host Central Administration on an application server
• IP-restrict traffic to the Central Admin and SSP Admin application pools (IIS)
• Configure Deny policies on content/admin Web applications for the applicable groups/domains
• Configure ISA secure publishing
Forefront Security for SharePoint
[Diagram: users upload and download documents through the SharePoint Server; document libraries live in SQL; Forefront scans in the path]
Virus Protection for Document Libraries
• Integrates scan engines from eight industry-leading vendors
• Real-time scanning of documents uploaded to and downloaded from document libraries
• Manual and scheduled scanning of document libraries
Content Filtering / Policy Enforcement
• File filtering blocks documents from being posted based on name match, file type or file extension
• Content filtering by keywords within documents for inappropriate words and phrases
• Protects MOSS 2007 and WSS 3.0
SharePoint API integration
• Uses the SharePoint Virus Scan API to scan files during upload and download, optimized for performance in a SQL environment
• Files are not rescanned if the engines have not been updated
• Up to ten simultaneous scanning threads so users are not delayed waiting for documents to scan
• Automatic integration with SharePoint Information Rights Management (IRM) to scan protected files on the fly
Secure Web Publishing with ISA
[Diagram: Internet -> ISA 2006 in the DMZ -> internal network at headquarters: Exchange, intranet Web server, SharePoint, Active Directory, external Web server; administrator and user clients]
Feature areas: Integrated Security, Efficient Management, Fast Secure Access. New in ISA 2006:
• Smartcards and one-time password support
• Customized logon forms for most devices and apps
• LDAP authentication for Active Directory
• Web publishing load balancing
• Authentication delegation (NTLM, Kerberos)
• Improved idle-based time-outs for session management
• Exchange and SharePoint publishing tools
• Enhanced certificate administration
• Single sign-on for multiple resource access
• Automatic translation of embedded internal links
Extranet Architecture Example
• Authoring -> Production via Content Deployment
• Intranet, Extranet, Internet: 2 farms, 3 SSPs
• See TechNet: Plan Logical Architecture
Architecture Considerations
• Why more than one farm? Application/customization SLAs; licensing (Internet vs. intranet CAL); isolation (not scale)
• Why more than one SSP? Isolation and service needs
• Why more than one app pool? Security isolation, memory and CPU isolation, authentication requirements
• Why more than one site collection? Separation/delegation of ownership, quotas, ability to split across databases
• Why keep them together? Global navigation, inheritance of style/master page, security inheritance, query Web Parts, site collection policy and content type enforcement
Database Considerations
• Databases can be pre-created (by the DBA) and then attached as content databases
• SQL security, rights and roles should be scrutinized; apply least-privilege access
• Config database: contains the list of all servers, site collections, Web apps, Web Parts and solutions (the most critical DB in the farm from an availability standpoint)
• Content databases: contain all data, BLOBs, sites, webs, etc. (the most sensitive)
• Search and SSP DBs: optimize for high disk I/O; contain configuration, the search property store and the profile store (the index itself is on disk on the index/query servers)
Protocols
• All protocols are HTTP-based:
  – HTTP/S: browser sessions
  – SOAP/Web services: editing from Office applications, Web services and indexing
  – RSS: all lists can be viewed this way
  – FP-RPC: SharePoint Designer, usage
  – WebDAV: Explorer View, Web Client access
  – XMLHttpRequest: forms
Additional Architectural Considerations
• Windows Servers – (SCW) Security Configuration Wizard (verify)
• IIS – Certificate management, IP restrictions
• SQL – Use windows auth vs. SQL security
• Manage domain accounts
Firewall Ports
In/Out                           | From                                                      | Port                                                                                     | To
Inbound                          | ALL (as applicable)                                       | TCP 80 or 443                                                                            | ISA Web Publishing or WFE
Inbound                          | All SharePoint servers (depends on Central Admin config)  | Office Server Web Services: TCP 56737, SSL TCP 56738                                     | Central Admin / SSP Admin server
Inbound                          | Index                                                     | TCP 80 or 443                                                                            | WFE
Outbound                         | ALL SharePoint servers (based on auth)                    | DS (TCP 445), RPC (TCP 135), DNS (UDP 53), Kerberos (UDP 88), LDAP/LDAPS (TCP 389/636)   | DC/DNS (LDAP)
Outbound (Inbound if applicable) | WFE (alerts or mail-enabled list)                         | SMTP (TCP 25)                                                                            | SMTP/Mail
Outbound                         | ALL SharePoint servers                                    | SQL (TCP 1433) or SSL on a custom port                                                   | SQL
Outbound                         | WFE (search request)                                      | NBT (TCP/UDP 137, 138, 139) or direct-hosted SMB (TCP/UDP 445)                           | Query
Outbound                         | Index (propagation)                                       | NBT (TCP/UDP 137, 138, 139) or direct-hosted SMB (TCP/UDP 445)                           | Query
Outbound                         | WFE (SSO)                                                 | RPC (TCP 135) plus dynamic high ports, or a restricted RPC port range                    | App servers
Security Summary
Site and List Security
• Information Rights Management integration
• Information policies: auditing, expiration
• Item-level security
• Barcodes and labels, extensibility for signatures
• Content approval, workflows
Web Application Security
• Forms-based authentication and single sign-on
• Active Directory Federation Services (ADFS)
• Search: security-trimmed search results
• Publishing through Internet Security and Acceleration Server (ISA) and Intelligent Application Gateway (IAG)
Server and Farm Security
• Pluggable authentication (pluggable authentication provider)
• Security policies: major and minor versions, Web application
• IIS IP restrictions, Windows 2003 R2 SCW to lock down the server
Summary
✓ Allows for the easy implementation of Internet-facing environments and extranets.
✓ Built to enable support for heterogeneous environments.
✓ Supports pluggable forms-based authentication (FBA) providers.
✓ Reduces management overhead and improves security.
✓ Offers granular rights management of business assets.
Guidance for a More Secure Infrastructure
• SharePoint Team security-related posts: http://blogs.msdn.com/sharepoint/archive/tags/Security/default.aspx
• TechNet: Securing Your Sites, Servers, and Server Hardening: http://technet2.microsoft.com/Office/en-us/library/763613ac-83f4-424e-99d0-32efd0667bd91033.mspx?mfr=true
• 7 New Features that Enhance Security in SharePoint: http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx
• Security and Protection for Office SharePoint Server 2007: http://technet2.microsoft.com/Office/en-us/library/6cc7cbec-bbb8-4473-83a2-65149e932e901033.mspx?mfr=true
• TechNet Webcast: SharePoint Security from Service Accounts to Item-Level Access: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032313270&CountryCode=US
• Forefront Security for SharePoint: http://www.microsoft.com/forefront/serversecurity/sharepoint/default.mspx