SharePoint Insanity Demystified
Dan Holme
Microsoft Technologies Analyst & Evangelist
MVP, SharePoint Server
danholme
http://tiny.cc/danholmepresentations
[email protected]

Upload: sharepoint-and-project-conference-adriatics

Posted on 15-Jan-2015


DESCRIPTION

After years of helping organizations around the world to deploy and implement SharePoint, Dan Holme has found that there are certain pain points that almost everyone encounters. Some are confusing concepts. Some are unfortunate decisions made based on misunderstanding Microsoft’s UI or documentation. Some are due to unnecessarily complex terminology. And some because there are things we might think that SharePoint should do, but can’t. In this session, Dan will share the most common and problematic scenarios, and their solutions, with the goal of saving you pain, time, and money. Think of this session as “Lessons Learned,” “Best Practices,” or “From the Field” on steroids. Whether you’re new to SharePoint or a seasoned veteran, in this grab-bag session there will be treasures for you! This session is effectively a “grab bag” of small, hot topics that are underdocumented, over-hyped, or misunderstood by the community. I will vary the content of this session based on the other sessions that are being presented at the event, and based on the current “hot topics” in the SharePoint community.

TRANSCRIPT

Page 1: SharePoint Insanity Demystified

SharePoint Insanity Demystified
Dan Holme
Microsoft Technologies Analyst & Evangelist
MVP, SharePoint Server

danholme
http://tiny.cc/danholmepresentations
[email protected]

Page 2: SharePoint Insanity Demystified

Dan Holme
Consultant (INTELLIEM)
Author
MAUI, HAWAII
AvePoint

danholme
http://tiny.cc/danholmepresentations
[email protected]

Page 3: SharePoint Insanity Demystified

Service Accounts

Page 4: SharePoint Insanity Demystified

Directory Services Prerequisites

Resources
  Initial deployment administrative and service accounts in SharePoint 2013
  http://technet.microsoft.com/en-us/library/ee662513.aspx
  Account permissions and security settings in SharePoint 2013
  http://technet.microsoft.com/en-us/library/cc678863.aspx

Page 5: SharePoint Insanity Demystified

Service Accounts
  SQL Server service: SQL_Service, *
  SQL administrator: SQL_Admin
  SharePoint Administrator and Setup User: SP_Admin
  SharePoint Farm Service: SP_Farm
  Application pool accounts
    User-facing web application app pool: SP_WebApps, SP_MySiteApp, *
    Service application app pool: SP_ServiceApps, *
  Default content access (crawl) account: SP_Crawl, *
  User Profile Synchronization account: SP_UserSync
  Object cache accounts: SP_CacheSR, SP_CacheSU

Page 6: SharePoint Insanity Demystified

SQL_Service, SQL_Admin, *
  SQL Database Engine service account: SQL_Service
  SQL service ownership account: SQL_Admin
  SQL Agent service account: SQL_Agent

Resources
  Security Considerations for a SQL Server Installation
  http://technet.microsoft.com/en-us/library/ms144228.aspx
  SQL Server 2012 Security Best Practice Whitepaper
  http://download.microsoft.com/download/8/F/A/8FABACD7-803E-40FC-ADF8-355E7D218F4C/SQL_Server_2012_Security_Best_Practice_Whitepaper_Apr2012.docx

Page 7: SharePoint Insanity Demystified

SP_Admin
SharePoint Administrator and Setup User
  Used by a service admin to perform bit-level changes
    Install SharePoint prerequisites
    Install SharePoint products
    Configure SharePoint (SharePoint Products Configuration Wizard)
    Update, patch, add/remove servers, etc.
  Unique, “generic” SharePoint administrative account
    Not your “normal” user or admin account
    Represents enterprise service administration
    Can be locked down (password, disabled) after installation, until needed
  Delegate service to administrators
    After setup, add your admin user accounts to Farm Administrators

Page 8: SharePoint Insanity Demystified

SP_Admin
Domain user account
  Administrator
    Add to the local Administrators group of each SharePoint server in the farm
  SQL privileges
    Create a SQL Server login for the SP_Admin account, e.g. CONTOSO\SP_Admin
    Assign the securityadmin and dbcreator server roles to the login
  PowerShell privileges
    Assign the SharePoint_Shell_Access database role for any database against which Windows PowerShell will be used (Add-SPShellAdmin)

Page 9: SharePoint Insanity Demystified

SP_Farm
SharePoint Farm Service
  Used for highly privileged SharePoint services
    Central Administration application pool
    STS & Topology service application pool
    Windows services including Timer, Workflow Timer
    SharePoint services including User Profile Synchronization
  Domain user account
  SharePoint assigns permissions automatically

Page 10: SharePoint Insanity Demystified

SP_Farm
Extra privileges: UPS
  Before provisioning User Profile Synchronization Service
    1. Add SP_Farm to local Administrators group of the server running UPS
    2. Reboot
    3. Provision User Profile Synchronization
    4. After UPS has started, remove SP_Farm from Administrators group
    5. Reboot

Page 11: SharePoint Insanity Demystified

Application Pool Accounts - Whiteboard

[Whiteboard diagram: application pools, their accounts and the content databases they reach]
  WSS_WPG group
  SP_DATA_ACCESS role
  WSS_CONTENT_APPLICATION_POOLS role
  SharePoint Web Apps pool, SP_WebApps: Intranet and Collab web apps; SharePoint_Content_Intranet and SharePoint_Content_Collab databases
  SharePoint Extranet Apps pool, SP_ExtranetApps: Extranet web app; SharePoint_Content_Extranet database

Page 12: SharePoint Insanity Demystified

SP_ServiceApps, SP_WebApps
Web and service application pool accounts
  Keeping it simple for this discussion… two accounts
  Domain user accounts
    Register as managed accounts in the SharePoint farm
    Assigned as the application pool identity
  First web application app pool: SP_WebApps
    Additional web applications are added to the same, shared pool
  First service application app pool: SP_ServiceApps
    Additional service applications are added to the same, shared pool
  Permissions required depend on the web app or service application
    Generally assigned automatically by SharePoint

Page 13: SharePoint Insanity Demystified

SP_MySiteApp, *
My Site web application
  Often isolated in its own application pool to address security concerns
    Each user is the site collection administrator of his/her My Site
    Determine security risk: perception vs. reality?
SP_MySiteApp
  Account for each application pool to isolate access

Page 14: SharePoint Insanity Demystified

SP_Crawl, *
SharePoint Search default content access account
  Crawler account used when no specific crawl account is specified
  Domain user account
  Requires read permission to indexed content sources
    Automatically given Read permission to all SharePoint content
      Web application READ user policy applied to each new web app
      Configure SP_Crawl before creating web apps or manually grant it Read user policy
    Assign Read permission to all other indexed content sources
    Do not give the account the ability to modify any content
  Create additional content access accounts
    For security isolation or access to disparate systems

Page 15: SharePoint Insanity Demystified

SP_UserSync
SharePoint User Profile Synchronization
  Synchronizes user profile data between Active Directory and SharePoint
  Domain user account
  Requires Replicating Directory Changes permission on domain
    If a Windows Server 2003 domain: add account to Pre-Windows 2000 Compatible Access group
    This is not a “big deal”!
      This permission is really “Detect changes to Domain NC”
      Does not give access to “secrets” (e.g. passwords)
      An educated Active Directory team should not have an issue with this
  See TechNet user profile synchronization documentation for steps and details

Page 16: SharePoint Insanity Demystified

SP_CacheSR, SP_CacheSU
Object cache accounts
  Super User
  Super Reader
  See http://technet.microsoft.com/en-us/library/ff758656.aspx

Note: this is not the same as BLOB cache or remote BLOB store. This has to do with versions & drafts.

Page 17: SharePoint Insanity Demystified

Other accounts
  Office Web Apps (2013)
  Secure Store

Page 18: SharePoint Insanity Demystified

Automation Account
SharePoint Automation: SP_Automation
  Rights required to perform automated tasks
    PowerShell (Add-SPShellAdmin)
    Local Administrators group
    Farm Administrators group
    Site Collection Administrator (of each site collection)
    User right to log on as a batch service

Page 19: SharePoint Insanity Demystified

Über Admin Account
SharePoint Enterprise Administrator: SP_EnterpriseAdmin
  Least privilege not always possible
    Delegate to administrators privilege to use PowerShell
    Patch/update
    Upgrade
  SQL Administrator or db_owner of all SharePoint databases
  Local Administrators group of all SharePoint servers
  Farm Administrators group
  Disabled until needed

Page 20: SharePoint Insanity Demystified

Accounts for Multiple Farms
  Each farm… Dev, test, QA, production
  … needs its own “set” of accounts
  Consider multiple farms in your naming convention
    SP_Farm – Production
    SP_Farm_Dev
    SP_Farm_Test

Note: Managed service accounts DOMAIN\username limit is 20 characters!

Why?
  Least privilege
  Monitoring & auditing
  Automatic password management

Page 21: SharePoint Insanity Demystified

Resources
  Account permissions and security settings in SharePoint 2013
  http://technet.microsoft.com/en-us/library/cc678863.aspx
  Configure object cache user accounts in SharePoint Server 2013
  http://technet.microsoft.com/en-us/library/ff758656.aspx

Page 22: SharePoint Insanity Demystified

Automate Creation of Service Accounts

    # One row per account; CSV columns (e.g. Name, SamAccountName) bind to New-ADUser parameters by name.
    # Every account gets the same initial $password; it is rotated once the account is registered as a managed account.
    Import-CSV $filename |
        New-ADUser -Path $ou -PassThru |
        Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $password -Force) -PassThru |
        Enable-ADAccount
    Write-Host "Complete"
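As an added example (not from the deck), the script below builds the per-farm account set from the naming convention on the Multiple Farms slide instead of reading a CSV, rejects any name over the 20-character sAMAccountName limit, and hands back one credential per account so each can then be registered as a managed account in its farm. The OU path, the CONTOSO domain, the role list and the farm suffixes are assumptions.

```powershell
Import-Module ActiveDirectory

$ou    = 'OU=SharePoint Service Accounts,DC=contoso,DC=com'   # assumed target OU
$roles = 'SP_Admin', 'SP_Farm', 'SP_WebApps', 'SP_ServiceApps', 'SP_MySiteApp',
         'SP_Crawl', 'SP_UserSync', 'SP_CacheSR', 'SP_CacheSU'
$farms = [ordered]@{ Production = ''; Dev = '_Dev'; Test = '_Test' }   # SP_Farm, SP_Farm_Dev, SP_Farm_Test

function New-RandomPassword {
    # 24 characters from a 64-symbol set using a CSPRNG; 256 % 64 == 0, so the modulo is unbiased
    $chars = [char[]]'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+-=?'
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function New-FarmServiceAccounts {
    param([string]$Farm, [string]$Suffix)
    foreach ($role in $roles) {
        $name = "$role$Suffix"
        # sAMAccountName is capped at 20 characters (the deck's note); SP_ServiceApps_Test is 19
        if ($name.Length -gt 20) {
            Write-Warning "$name is $($name.Length) characters; shorten the naming convention"
            continue
        }
        $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        New-ADUser -Name $name -SamAccountName $name -Path $ou `
                   -AccountPassword $secure -Enabled $true `
                   -PasswordNeverExpires $false `
                   -Description "SharePoint $role ($Farm farm)"
        # Return the credential once so it can be passed to New-SPManagedAccount in that farm;
        # after registration SharePoint rotates the password and no admin needs to know it
        [pscustomobject]@{
            Farm       = $Farm
            Credential = New-Object System.Management.Automation.PSCredential("CONTOSO\$name", $secure)
        }
    }
}

$created = foreach ($farm in $farms.GetEnumerator()) {
    New-FarmServiceAccounts -Farm $farm.Key -Suffix $farm.Value
}
$created | Format-Table Farm, @{ n = 'Account'; e = { $_.Credential.UserName } }
```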

Page 23: SharePoint Insanity Demystified

Managed Accounts

Page 24: SharePoint Insanity Demystified

Service Accounts
What is a service account?
  A domain user account
  Used as the identity of a service like SQL or SharePoint

The #1 problem with service accounts is…. PASSWORD CHANGES
  Service account password is changed
  Update each location in which the service account is used
  Painful!
  Result… Admins set Password never expires
    Terrible for security
    Service accounts are typically highly-privileged

Page 25: SharePoint Insanity Demystified

Managed Accounts
In a nutshell
  An Active Directory account that has been registered with SharePoint
  SharePoint can then manage the password changes for the account

Register a managed account
  Central Administration > Security > Configure managed accounts > Register a managed account
  Enter the user name and current password
  Enter user name as DOMAIN\name, not user principal name ([email protected])

Use a managed account
  When creating or configuring an application pool for service or web apps
  When managing Windows services related to SharePoint: Timer, Search, Document Conversion

Page 26: SharePoint Insanity Demystified

Password Changes
Manual Password Change for a managed account
  Central Administration > Security > Configure managed accounts > Edit

Benefits
  SharePoint changes the password in Active Directory
    Does not require any delegation in Active Directory because the process uses the CHANGE PASSWORD right, not the Reset Password right
  SharePoint updates the logon information of components
    Services
    App Pools
  Password can be random
    Reduces risk of an administrator leveraging the privileges of the account

Page 27: SharePoint Insanity Demystified

Automatic Password Changes
Automatic Password Change for an individual managed account
  Central Administration > Security > Configure managed accounts > Edit > Schedule
  Based on scheduled date or domain password policy expiration (whichever comes first)
  Notify administrators by email
  The service will be “down” while it recycles with the new password

Benefits
  Removes the management burden of service accounts
  Improves security and compliance
    SharePoint admins don’t know the passwords to highly privileged accounts
    SP_Farm (full control access to all SharePoint content)

Page 28: SharePoint Insanity Demystified

Managed Accounts
  Use them
  Configure automatic password management
  Know the limitations
    Each farm must have separate accounts
    Some components use “standard” service accounts, not managed accounts
      Search crawl
      Profile sync
      Secure store
    These must be managed using traditional methods (change password in AD and in SharePoint)
    Automate with PowerShell
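An added example (not from the deck) that scripts what the Managed Accounts slides describe: register the farm and application pool accounts as managed accounts where they are not already, switch on automatic password change on a schedule, then rotate the crawl account the traditional way (reset in AD, then update the Search service application) because the deck lists it among the components that cannot be managed accounts. The domain, the account names, the schedule and the notification windows are assumptions.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$domain   = 'CONTOSO'
$accounts = 'SP_Farm', 'SP_WebApps', 'SP_ServiceApps', 'SP_MySiteApp'   # assumed managed set

foreach ($name in $accounts) {
    $identity = "$domain\$name"          # DOMAIN\name, not the UPN form
    $managed  = Get-SPManagedAccount -Identity $identity -ErrorAction SilentlyContinue
    if (-not $managed) {
        # Registration is the only time the current password is needed; afterwards SharePoint
        # changes it itself with the account's own Change Password right (no AD delegation)
        $cred    = Get-Credential -UserName $identity -Message "Current password for $identity"
        $managed = New-SPManagedAccount -Credential $cred
    }
    # Random password, changed monthly in a maintenance window or 2 days before the domain
    # policy would expire it, whichever comes first; farm admins get mail 5 days ahead.
    # Expect the app pools and services that use the account to recycle during the change.
    Set-SPManagedAccount -Identity $managed -AutoGeneratePassword $true `
        -Schedule 'monthly between 1 02:00:00 and 1 03:00:00' `
        -PreExpireDays 2 -EmailNotification 5 -Confirm:$false
}

# SP_Crawl is a "standard" service account, not a managed one, so the two-step applies:
# reset in AD (needs the Reset Password right), then update every Search service application
$crawl  = "$domain\SP_Crawl"
$newPwd = Read-Host -AsSecureString "New password for $crawl"
Set-ADAccountPassword -Identity 'SP_Crawl' -Reset -NewPassword $newPwd
foreach ($ssa in Get-SPEnterpriseSearchServiceApplication) {
    Set-SPEnterpriseSearchServiceApplication -Identity $ssa `
        -DefaultContentAccessAccountName $crawl -DefaultContentAccessAccountPassword $newPwd
}

# Audit: managed accounts that still have no automatic change configured
Get-SPManagedAccount | Where-Object { -not $_.AutomaticChange } |
    Select-Object UserName, PasswordExpiration
```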

Page 29: SharePoint Insanity Demystified

SQL & Storage

Page 30: SharePoint Insanity Demystified

SQL Alias
  SQLSERVER01.contoso.com = NYSQL05.contoso.com today
    = NYSQLCLUSTER.contoso.com tomorrow
    = NYSQLCLUSTER.newcompany.com next year

Configure a SQL alias
  CLICONFG.exe on each SharePoint server in the farm
  Do not “fake it out” with a DNS record: Kerberos

Consider “tiers” of aliases to support SQL scaling
  Content Databases: SQLSPCONTENT
  Search Databases: SQLSPSEARCH
  Service Application Databases: SQLSPSERVICES
  All point to single SQL instance today…
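An added example (not from the deck) that creates the slide's three alias tiers on a SharePoint server by writing the registry values CLICONFG.exe would write, so the same script can be run on every server in the farm; the instance name and port are assumptions.

```powershell
# All three tiers resolve to one instance today; scaling out later means changing only this value
$instance = 'NYSQL05.contoso.com'   # assumed: the real instance behind the aliases
$port     = 1433
$aliases  = 'SQLSPCONTENT', 'SQLSPSEARCH', 'SQLSPSERVICES'

# CLICONFG stores aliases here; 64-bit and 32-bit clients read different keys, so set both
$keys = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'

function Set-SqlClientAlias {
    param([string]$Alias, [string]$Server, [int]$Port)
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DBMSSOCN selects TCP/IP. The client connects using the real server name behind the
        # alias, so Kerberos SPNs keep matching; a DNS CNAME does not give that (the deck's warning)
        Set-ItemProperty -Path $key -Name $Alias -Value "DBMSSOCN,$Server,$Port" -Type String
    }
}

foreach ($alias in $aliases) { Set-SqlClientAlias -Alias $alias -Server $instance -Port $port }

# Verify on this server: every alias should point at the same target
Get-ItemProperty -Path $keys[0] | Select-Object $aliases
```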

Page 31: SharePoint Insanity Demystified

Documents stored in content database

[Diagram: a “Document” is stored in the SQL Content Database as a Binary Large Object (BLOB), alongside its workflows, security and metadata]

Page 32: SharePoint Insanity Demystified

Database Sizing
  Content Databases
    Initial Size
    Growth Rate
  TempDB
    Initial Size
    Growth Rate

Model – Monitor – Measure – Modify

Page 33: SharePoint Insanity Demystified

Content scaling support & guidance
  Content Database: 200 GB (out-of-box); 4 TB (collaboration)*; Unlimited (archive)*
  Site Collection: 200 GB (out-of-box, only site collection in CDB); 100 GB (out-of-box, multiple site collections in CDB); Up to size of CDB*
  Items per CDB: 60 million

*Conditions apply: Performance, DR, HA

Page 34: SharePoint Insanity Demystified

Quotas

Page 35: SharePoint Insanity Demystified

Quotas
  Configured per site collection (SPSite)
  Can be applied with a quota template
    Configured for the web application
    Applied to one or more site collections

Quota template update
  Applies new settings to new sites
  Does not modify existing sites that were based on the template
  Use PowerShell (scripts can be found on TechNet) to update existing sites
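An added example (not from the deck, and not the TechNet script it refers to) that does what the slide says the UI will not: re-apply an updated quota template to the existing site collections that were created from it. The template name and the web application URL are assumptions.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$templateName = 'Team Sites 10GB'                 # assumed quota template name
$webAppUrl    = 'https://collab.contoso.com'      # assumed web application

# Quota templates live on the farm's content service; each SPSite's Quota records the
# template's QuotaID, which is how we find the sites that were created from this template
$template = [Microsoft.SharePoint.Administration.SPWebService]::ContentService.QuotaTemplates[$templateName]
if (-not $template) { throw "Quota template '$templateName' not found" }

# Editing the template in Central Administration only affects NEW sites; existing sites keep
# the old limits until the template is re-applied, which is what Set-SPSite -QuotaTemplate does
$sites = Get-SPSite -WebApplication $webAppUrl -Limit All |
         Where-Object { $_.Quota.QuotaID -eq $template.QuotaID }

foreach ($site in $sites) {
    Set-SPSite -Identity $site -QuotaTemplate $template
    Write-Host "Re-applied '$templateName' to $($site.Url)"
}
```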

Page 36: SharePoint Insanity Demystified

Sharing

Page 37: SharePoint Insanity Demystified

SharePoint 2013 Sharing Interfaces
  Share: Invite
  Shared With: Report
  Advanced: Manage

Page 38: SharePoint Insanity Demystified

Finding the Sharing Interfaces

[Table: where the Share, Shared With and Advanced interfaces are found for each scope; the cells were screenshots]
  Site (or Site Settings > Site Permissions)
  List or Library
  Folder
  Document or Item

Page 39: SharePoint Insanity Demystified

Sharing (2013) with Internal Users
  Scopes: Site, List or Library, Folder, Item or Document
  Assign permissions
    Use the Share interface
    When you share, you break inheritance
  Review permissions
    Use the Shared With interface
  Manage permissions
    Use the Advanced interface
  Reinstate inheritance and remove unique permissions
    Use the Advanced interface: Delete Unique Permissions
  Requires Change Permission permission
    Included in Design permission level

Page 40: SharePoint Insanity Demystified

Sharing with External Users (Office 365)
Share sites or documents with external users
  No additional license required
  No user account required in your authentication provider
  Requires full control permission
  Share a site
    Add to access group
  Share a document
    Choose access level: Edit or View
    Require sign-in or use guest link
  Guest links
    Anyone with the link can access the content
    View or Edit only in Office Web Apps. Cannot download or open locally.

http://office.microsoft.com/en-us/office365-sharepoint-online-small-business-help/share-sites-or-documents-with-people-outside-your-organization-HA102894713.aspx

Page 41: SharePoint Insanity Demystified

Manage External Sharing (Office 365)
Enable or disable external sharing
  SharePoint Admin Center
    Tenancy (all plans): Settings
    Site collection (Enterprise plans E1, E3, E4 only): select site collection(s), then click Sharing

Read the documentation!
  Revoking permissions to external users
  Disabling and deleting guest links
  Disabling and re-enabling sharing

2013 E: http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/manage-external-sharing-for-your-sharepoint-online-environment-HA102849864.aspx
2013 P: http://office.microsoft.com/en-us/office365-sharepoint-online-small-business-help/manage-sharing-with-external-users-HA102849862.aspx
2010: http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/share-a-site-with-external-users-HA102476183.aspx?CTT=5&origin=HA102849864

Page 42: SharePoint Insanity Demystified

Sharing Scopes (Office 365)

[Diagram: Site, Library and document (“W” icons) scopes against Internal, External and Guest Link sharing]

Page 43: SharePoint Insanity Demystified

MAHALO! (thank you!)
  http://tiny.cc/danholmepresentations
  http://tiny.cc/danholmearticles
  http://tiny.cc/danholmebooks

A HUI HO! (‘til next time!)
  [email protected]
  @danholme