Secure SharePoint Development


Upload: henry

Post on 07-Jan-2016

DESCRIPTION

Secure SharePoint Development. Eli Robillard, SharePoint Server MVP, Canada, EDT (GMT -5:00), April 16th/17th, 2014. #SP24S045. In this hour: Security Fundamentals; Microsoft's Secure Development Lifecycle and ISO 27034; Principles, Threats & Countermeasures.

TRANSCRIPT

Secure SharePoint Development
Eli Robillard, SharePoint Server MVP
Canada, EDT (GMT -5:00)

April 16th /17th, 2014

#SP24S045 Thanks to SP24 team, Camtasia and Microsoft for making this session possible!

In this hour:
- Security Fundamentals: Microsoft's Secure Development Lifecycle and ISO 27034; Principles, Threats & Countermeasures
- Threats specific to SharePoint: how to be secure by default; out-of-box threats and security bulletins; service accounts and application context
- Secure SharePoint practices: code snippets, recommended practices and pitfalls for on-premises solutions
- The App Model and Remote-hosted Apps

Join the conversation! #SP24S045 @erobillard

Eli is a ten-time Microsoft MVP (2x ASP.NET, 8x SharePoint Server) and Senior Manager of MNP's SharePoint Consulting Practice.

As a thought leader and community builder, Eli co-founded the ASPInsiders, launched the Toronto SharePoint User Group in 2005, launched the first free Saturday event in 2007, co-authored Professional SharePoint 2007 Development and served as technical editor of Professional SharePoint 2010 Development (Wrox Press).

For over 65 years, MNP LLP has forged strong relationships with businesses across Canada through its consulting, advisory, and accounting practices.

Eli Robillard, MNP LLP, Senior Manager, SharePoint Consulting
Email: [email protected]
Twitter: @erobillard
Blog: weblogs.asp.net/erobillard

Why bother writing secure code?

- Aberdeen Group: "realized a very strong 4.0-times return on their annual investments, higher than that of both the find and fix and defend and defer approaches."
- Ponemon Institute: "a decrease in revenue that results from both the loss of customer trust and loyalty and the inability to deliver services and products."
- Roadmap to Secure Energy Delivery Systems: "Vendors should employ best product development practices, such as the security development lifecycle (SDL) created by Microsoft in 2002."
- Forrester Research: "those practicing SDL specifically reported visibly better ROI results than the overall population."

Security at development time is rapidly becoming conventional wisdom. Source: Malcolmson.

Security Fundamentals: ISO 27034 and Microsoft's Secure Development Lifecycle

Source cited in this section: Ken Malcolmson, Group Manager, Trustworthy Computing Communications, Microsoft Corporation.

Microsoft's SDL Journey

- Secure Windows Initiative (prior to 2001): We knew we had a problem. We needed an approach. Small team, ad hoc process.
- TwC Memo (2002-2003): Training and security pushes. Heavily reliant on a small team of experts. Needed a consistent, scalable, prescriptive process.
- SDL Launched (2004): Required for almost all products. Integrated into all phases of the product lifecycle. A framework for continuous improvement.
- SDL Implementation (2005-2007): Theory vs. practice. Automation. Mitigations.
- SDL and the Ecosystem (2008-2012): Publication of the SDL and free tools. Adaptations: SDL for Agile, Simplified SDL. Ecosystem collaboration.
- Standards-based Secure Development (current): A core part of the supply chain discussion. An international standard on secure development. Ecosystem adoption.

Many of Microsoft's large initiatives started with an internal memo, and Trustworthy Computing is no exception.

SDL Results: improved mitigations, lower exploitability, lower infection rates. Database systems vulnerability trends, data sourced from the National Vulnerability Database (http://nvd.nist.gov/). Ibid.

What makes a good standard?

A good standard is Clear: ISO 27034 defines clear requirements and benchmarks, as well as examples to follow. Any security-related standard needs to be clearly understood so we can agree on what it means.

A good standard is Concise: ISO 27034 is concise both in its language and criteria. A shared language allows us to talk about the topic at hand, and concise criteria lets us see when the standard is met, and when it is not.

A good standard is Actionable: ISO 27034 lets us assert compliance with well-understood and delineated processes. Any standard without actionable steps for implementation would be worth no more than the bits it's printed on.

Source: Malcolmson and Robillard.

The Simplified SDL implements 27034-1

- ISO/IEC 27034-1: 45 pages of process and framework guidance, plus a 16-page case study in Annex A aligning the Simplified SDL and ISO/IEC 27034.
- Simplified Implementation of SDL Guidance: 17 pages of process guidance and Application Security Controls.

The 17 practices, grouped by phase (Training, Requirements, Design, Implementation, Verification, Release, Response):

Training
1. Core Security Training

Requirements
2. Establish Security and Privacy Requirements
3. Create Quality Gates/Bug Bars
4. Perform Security and Privacy Risk Assessments

Design
5. Establish Design Requirements
6. Perform Attack Surface Analysis/Reduction
7. Use Threat Modeling

Implementation
8. Use Approved Tools
9. Deprecate Unsafe Functions
10. Perform Static Analysis

Verification
11. Perform Dynamic Analysis
12. Perform Fuzz Testing
13. Conduct Attack Surface Review

Release
14. Create an Incident Response Plan
15. Conduct Final Security Review
16. Certify Release and Archive

Response
17. Execute Incident Response Plan

Source: Malcolmson.

Key Concepts of ISO 27034

Organisational (ONF) components and Application (ANF) components sit on a spectrum of maturity. Where should you start? Assess the current state of your software security program.

Spectrum of maturity, from Reactive and Ad Hoc to Continuously Improving:
- Apply some Simplified SDL practices
- Standardize with policy and tools
- Systematic application of the SDL process
- Validate with 27034-1

ONF components: Business Context, Regulatory Context, Technical Context, Specifications, Roles, Processes, ASC Library.

Key aspects of the ONF addressed by the SDL:
- Business Context: SDL Chronicles; Secure Software Trends in Healthcare
- Regulatory Context: SDL and PCI DSS/PA-DSS; SDL and HIPAA; BITS Framework
- Technical Context: Simplified Guidance; Context-Specific Guidance

Source: Malcolmson.

Putting it all together (the Application Security Lifecycle Reference Model):
- Organization level: the Organization Normative Framework (ONF) maps to the Simplified SDL Guidance: process guidance, roles, technical context and the 17 practices as ASCs.
- Application level: the Application Normative Framework (ANF) maps to a lifecycle aligned to 27034, compliance tracking and process requirements.
- Management process: the Application Security Management Process (ASMP) maps to the practices; implementation is informed by regulatory, business and technical context.
- Instantiated through approved policies and internal communications.
- Results in a centralized ASC store and a compliance workflow with tools.

Together these make up a conforming 27034 process. Source: Malcolmson.

Calls to Action (Robillard): Build security into every step of your process. Review open source as you would your own.

Security Fundamentals: Principles, Threats and Counter-measures

Sources: Improving Web Application Security: Threats and Countermeasures, Microsoft Press, p. lxxxi; Improving .NET Application Performance and Scalability, Microsoft Developer Network, http://msdn.microsoft.com/en-us/library/ff648148.aspx

Application Threats and Countermeasures: Ibid., pp. 13-43. Listed threats are from the source cited; countermeasures were rewritten (Robillard).

Principles of Security: Ibid., p. 11.

Writing Secure SharePoint Code with Eli Robillard. Tweet about it! #SPT322 #DevTeach @erobillard

Keeping SharePoint Secure: Be secure by default

Well-known Threats to SharePoint

Configuration solutions:
- Prevent click-jacking attacks by adding this HTTP response header: X-Frame-Options: sameorigin
- Protect Session and Auth cookies from session reanimation with this web.config entry in the system.web node:

Notes: Click-jacking (a luring attack) is disabled in SharePoint 2013 by default. Frame-breaking JavaScript works equally well to prevent wrapping the page in an IFRAME. Note that Apps are surfaced in IFRAMEs, so you might protect App rendering from being further spoofed, but not the SharePoint WFEs that consume Apps. Note that the HttpOnly cookie setting breaks out-of-box workflow in SharePoint 2010, as these use InfoPath-style forms rather than WebForms. The error message is: "The form cannot be displayed because the use of session cookies has been disabled in the current browser settings. In order to load the form, session cookies must be allowed."

Watch for Security Updates: http://technet.microsoft.com/en-us/security/bulletin
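The two configuration solutions above written out as one web.config fragment. This is an added example, not a fragment from the session: it assumes the web.config of a SharePoint web application (the IIS site root), uses ASP.NET's httpCookies element for the HttpOnly behaviour the notes describe, and sets the header through IIS's customHeaders element instead of code; everything else SharePoint writes into that file is omitted.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not the session's own fragment): only the two settings under
     discussion are shown; the rest of a SharePoint web application's web.config is omitted. -->
<configuration>
  <system.web>
    <!-- Every cookie ASP.NET issues (session, forms/claims auth) is marked HttpOnly, so
         script on the page cannot read it. Caveat from the notes above: this breaks
         InfoPath-style out-of-box workflow forms in SharePoint 2010. -->
    <httpCookies httpOnlyCookies="true" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Browsers refuse to render this site inside a frame served from another
             origin, which is what a click-jacking page relies on. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After the change, request any page and inspect the response: Set-Cookie lines should now carry the HttpOnly flag and X-Frame-Options should be present on every response. Because of the 2010 workflow caveat, roll the cookie setting out in a test farm first and check the out-of-box workflow forms before touching production.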

Walkthrough of a Security Bulletin: http://technet.microsoft.com/en-us/security/bulletin/ms13-024

Walkthrough: MS10-070
1. The advisory was issued for ASP.NET: http://technet.microsoft.com/en-us/security/advisory/2416728
2. Scott Guthrie posted a workaround: http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
3. The SharePoint product team notified SharePoint 2010 users: http://sharepoint.microsoft.com/blog/Pages/BlogPost.aspx?PageType=4&ListId={72C1C85B-1D2D-4A4A-90DE-CA74A7808184}&pID=941
4. I posted a workaround for SharePoint 2010 and 2007: http://weblogs.asp.net/erobillard/archive/2010/09/21/how-to-protect-sharepoint-servers-from-the-asp-net-vulnerability.aspx
5. Microsoft's SharePoint guidance was updated to include 2007.

Lessons of MS10-070:
- Focus your effort on protecting secrets. Assume the attacker will be able to read files in the SharePoint hive and IIS web root. Encrypt your secrets.
- When an exploit is published, assume you are affected and protect your information first. Then figure out how you are affected and seek remedies.
- Good practices pay their own way.

Lock down any unnecessary URLs and pages
- Candidates: application pages in a crawl-only site; userdisp.aspx in a public site
- Request blocking with the URL Rewrite module
- Request routing rules
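A request-blocking rule for one of the candidate pages named above, as an added example (not from the session). It assumes the IIS URL Rewrite module is installed and belongs in the web.config of the public-facing web application; the rule name and the response text are this example's own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the session): IIS URL Rewrite rule that refuses requests
     for userdisp.aspx on a public web application. Requires the URL Rewrite module. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Block userdisp.aspx on public site" stopProcessing="true">
          <!-- The url attribute is matched against the path without its leading slash,
               so the pattern covers /_layouts/userdisp.aspx as well as
               /sites/x/_layouts/15/userdisp.aspx (SharePoint 2010 and 2013 hives). -->
          <match url="(^|/)_layouts/(15/)?userdisp\.aspx$" ignoreCase="true" />
          <!-- The module answers before SharePoint's pipeline ever sees the request. -->
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="This page is not available on this site." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

To verify, request /_layouts/userdisp.aspx and /sites/<site>/_layouts/15/userdisp.aspx?ID=1 against the public web application: both should return 403, while other _layouts pages are unaffected. Keep the rule out of the authenticated (intranet) web application's config, where the page is legitimately used.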

Lock down unnecessary user permissions
- Remove the View Application Pages permission from the permission level
- Enable the ViewFormPagesLockDown feature

Service Accounts

Use service accounts to contain attacks and to provide defence-in-depth.

Fewest required accounts: SQL Service, Setup User, SP Farm.

Suggested accounts for least privilege: see the account table at the end of this transcript.

References:
- Minimum required accounts: http://technet.microsoft.com/en-us/library/ee662513.aspx
- Account permissions and security settings in SharePoint 2013: http://technet.microsoft.com/en-us/library/cc678863.aspx
- WSS_ADMIN_WPG, WSS_WPG and other group permissions; registry and file system (including hosts): http://technet.microsoft.com/en-us/library/ee662513.aspx

Service Account Context: Know the identity used in every context.

Plan for App Authentication in SharePoint 2013: http://technet.microsoft.com/en-us/library/jj219806.aspx

What to choose for external data?
- Impersonation (PassThrough)
- Application Pool ID (RevertToSelf)
- Stored credentials:
  - Hard-coded: just don't do it.
  - Web.config: a pain to encrypt and update.
  - Secure Store Service: the best choice.
  - Managed accounts: great (where applicable).

External Data Reference (BCS): http://msdn.microsoft.com/en-us/library/ff798353.aspx
Managed account reference: http://blog.falchionconsulting.com/?s=%22managed+accounts%22

SharePoint Execution Contexts

Authorization and authentication for apps in SharePoint 2013: http://msdn.microsoft.com/en-us/library/fp142384.aspx

While presenting to the Bermuda SharePoint User Group, Craig Lussier asked where it would be best to store configuration if you are a vendor and want to release a web part that checks for membership in a particular AD group before executing an operation (e.g. prior to creating a user in AD). While web.config is the easiest place to name your AD group, a better solution would be to create a Central Admin page that lets you configure the web part per site collection, and store the property in the site collection root web's property bag. The web part then looks the value up: if it exists, the web part executes; if the property does not exist, the web part knows it is not allowed to execute in that context.

Habits of Secure SharePoint Developers
- Write for SharePoint as a presentation tier. Keep all non-SharePoint data and code outside SharePoint.
- No custom CAS policies. If it's not Minimal, it's Full Trust.
- Schedule regular peer-to-peer code reviews. Do a formal code security review before release.
- Use static code analysis tools: SPCop, FxCop, HP Fortify. Run the Initialize-SPResourceSecurity cmdlet.

SPCop is a sponsor of SP24 and deserves a mention! HP WebInspect is popular, but results are mixed with SharePoint sites. MSR's Gatekeeper project is a promising static analysis tool for JavaScript, but no tools implementing its principles appear to be available: http://research.microsoft.com/en-us/projects/gatekeeper/

Calls to Action (Keeping SharePoint Secure)
- Aim to be secure by default. If it isn't a requirement, lock it down.
- Watch for Security Bulletins: SharePoint plus ASP.NET, IIS, Windows Server and other products in use.
- Think like a service account: understand context. What do you really need to get the job done?
- Adopt secure development habits. There are tools and techniques for every stage; knowledge is power.

Tips and Tricks for Writing Secure SharePoint Code

It takes a community to raise a secure SharePoint solution; your feedback is always welcome.

These tips will never be complete. And when we start to ignore security, the black hat hackers will have already won.

Secure Practices: Dispose of SPWeb and SPSite
Let's start with an easy one.

Bad (the SPWeb is never released):

    SPWeb web = site.OpenWeb();
    // do stuff with web

Better (disposed, but skipped if "do stuff" throws):

    SPWeb web = site.OpenWeb();
    // do stuff with web
    web.Dispose();

Best (disposed on every path):

    using (SPWeb web = site.OpenWeb())
    {
        // do stuff with web
    }

Secure Practices: Check Execution Context
Do methods test for execution context before making changes?

    if (HttpContext.Current == null)
    {
        // This isn't being called in a web application
    }

Secure Practices: Check User Permissions
Are permissions tested before elevating privileges?

    if (web.DoesUserHavePermissions(SPBasePermissions.ManageLists))
    {
        // Backup list(s) to OneDrive
    }

Reference: http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions.aspx

Based on the following post, Martin Laplante (IceFire) suggested that this technique may have performance implications: http://www.alaindeklerk.com/checking-user-permissions-doesuserhavepermissions-vs-catchaccessdeniedexception/ While that is a good technique for failing safe, and try/catch blocks should wrap any SharePoint operation, the technique is flawed in that it assumes RunWithElevatedPrivileges() is the alternative to throwing an exception, when neither is a recommended practice.

Secure Practices: Validate All Input Data
- Do all methods use /// blocks to describe acceptable parameter types, values and ranges?
- Do you use the AntiXssLibrary.dll?
- Do all methods that emit settings or content provided by users encode output with AntiXss.HtmlEncode(myString) or AntiXss.URLEncode(myString)?

Note: AntiXss cannot sanitize all JS injection scenarios. The current version is the last planned for release.

Anti-Cross Site Scripting Library: http://www.microsoft.com/en-us/download/details.aspx?id=43126
See also the Web Protection Library: https://wpl.codeplex.com/

"This will be the last release with a sanitizer - the HTML parsing engine is too old and fragile to maintain. Further releases will be updated or new encoding types." (Barry Dorrans)

It doesn't appear it will receive further love from Microsoft. Still better than not sanitizing strings, but be aware that JS injection can modify pages in ways that are not easy to catch.

Reference: Microsoft Anti-Cross Site Scripting Library v1.5: Protecting the Contoso Bookmark Page, http://msdn.microsoft.com/en-us/library/aa973813.aspx
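Output encoding depends on where the string lands, not just on whether it was encoded. The block below is an added example, not code from the session: it encodes one user-supplied value for three different contexts using System.Web.HttpUtility (part of ASP.NET) in place of the AntiXss library named above. The class name, method names and the sample input are this example's own.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example, not code from the session. Context-specific output encoding of
// user-supplied text with System.Web.HttpUtility instead of AntiXss. The names
// and the sample input below are this example's own.
public static class SafeOutput
{
    // Constructed sample: the kind of value a user could have saved into a list column.
    public const string SampleInput = "<img src=x onerror=alert(1)>\"&'";

    // HTML element content, e.g. <p>...</p>
    public static string ForHtmlBody(string value)
    {
        return HttpUtility.HtmlEncode(value ?? string.Empty);
    }

    // Double-quoted attribute value, e.g. title="...". Never use this with an
    // unquoted attribute: the encoder does not escape spaces.
    public static string ForHtmlAttribute(string value)
    {
        return HttpUtility.HtmlAttributeEncode(value ?? string.Empty);
    }

    // Query-string parameter value, e.g. ?title=...
    public static string ForUrlQuery(string value)
    {
        return HttpUtility.UrlEncode(value ?? string.Empty);
    }

    // Render a user-provided title into a web part's control tree. The same
    // string appears in three contexts and is encoded for each one; raw user
    // data is never concatenated into the markup.
    public static void RenderTitleLink(Control container, string userTitle)
    {
        string markup =
            "<a href=\"?title=" + ForUrlQuery(userTitle) + "\" " +
            "title=\"" + ForHtmlAttribute(userTitle) + "\">" +
            ForHtmlBody(userTitle) + "</a>";
        container.Controls.Add(new LiteralControl(markup));
    }
}
```

AntiXss's encoders work from an allow-list (anything not known to be safe is encoded), while HttpUtility escapes a fixed handful of characters; both are adequate for element content and quoted attributes, and picking the encoder for the right context matters more than which library supplies it. Neither one makes user-supplied HTML safe to emit unencoded, which is the sanitizer limitation the note above refers to.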

Secure Practices: Validate All Input Data

Validate with type checking:

    // Is the ItemId parameter an Int32?
    int itemId;
    if (!Int32.TryParse(Request.QueryString["ItemId"], out itemId))
    {
        // Exit with an invalid parameter error
    }

Validate with a regular expression (RegexStringValidator is in System.Configuration):

    // Is the ListId parameter a GUID?
    RegexStringValidator val = new RegexStringValidator(
        @"^\{?[\dA-Fa-f]{8}-[\dA-Fa-f]{4}-[\dA-Fa-f]{4}-[\dA-Fa-f]{4}-[\dA-Fa-f]{12}\}?$");
    // If invalid, this will throw a System.ArgumentException
    val.Validate(Request.QueryString["ListId"]);
    Guid listId = new Guid(Request.QueryString["ListId"]);

Secure Practices: Application Pages
- Does the page inherit from LayoutsPageBase?
- Does the page update any SharePoint objects? If yes, does it process only during IsPostBack? Updating the object model during a GET allows cross-site scripting.
- If yes, does the .aspx have a FormDigest control? Does the page call SPUtility.ValidateFormDigest() before making any updates?
- Does the page set AllowUnsafeUpdates? If yes, make sure the SPSite or SPWeb is not created from HttpContext. Only set AllowUnsafeUpdates where you obtain an SPSite or SPWeb reference from an absolute URL.
- Reject any code that disables FormDigest; this makes cross-site scripting attacks possible.

Great posts on AllowUnsafeUpdates by Hristo Pavlov:
http://hristopavlov.wordpress.com/2008/05/16/what-you-need-to-know-about-allowunsafeupdates/
http://hristopavlov.wordpress.com/2008/05/21/what-you-need-to-know-about-allowunsafeupdates-part-2/

Appropriate context to use ValidateFormDigest() vs. AllowUnsafeUpdates:

    if (HttpContext.Current == null)
    {
        // parmAbsoluteUrl is an absolute URL in the format "http://server/sites/mySite/"
        using (SPSite site = new SPSite(parmAbsoluteUrl))
        {
            // OpenWeb() with no argument opens the web the SPSite was constructed for;
            // OpenWeb(string) expects a server-relative URL, not an absolute one.
            using (SPWeb web = site.OpenWeb())
            {
                web.AllowUnsafeUpdates = true;
                // Update SharePoint objects here
                web.AllowUnsafeUpdates = false;
            }
        }
    }
    else // HttpContext.Current has a value
    {
        SPUtility.ValidateFormDigest();
        // Update SharePoint objects here
    }

Secure Practices: Application Pages (continued)

Secure Practices: Web Parts
Does the Web Part swallow all exceptions and display the Correlation ID? It is bad when a page fails because of an errant web part.

How to display the Correlation ID (source: Wictor Wilén, http://www.wictorwilen.se/Post/Working-with-SharePoint-2010-Correlation-ID-in-PowerShell-and-code.aspx):

    // Requires: using System.Runtime.InteropServices; using System.Web.UI.WebControls;
    [DllImport("advapi32.dll")]
    public static extern uint EventActivityIdControl(uint controlCode, ref Guid activityId);
    public const uint EVENT_ACTIVITY_CTRL_GET_ID = 1;

    // And then use it in code like this (inside the web part's rendering method):
    try
    {
        // code block goes here
    }
    catch
    {
        // The ETW activity ID of the current request is SharePoint's correlation ID
        Guid g = Guid.Empty;
        EventActivityIdControl(EVENT_ACTIVITY_CTRL_GET_ID, ref g);
        this.Controls.Add(new Label { Text = string.Format("An error occurred with Correlation ID {0}", g) });
    }

Do Web Parts validate their properties? It is most effective to do this in the property settings and not during web part execution (by then the user must re-open the property page).

    // Backing field for the property below
    private string _numberArray;

    public string NumberArray
    {
        // Require format: 1,2,3,4
        get { return _numberArray; }
        set
        {
            string[] arr = value.Split(',');
            foreach (string item in arr)
            {
                int i;
                if (!int.TryParse(item, out i))
                    throw new WebPartPageUserException("\"" + item + "\" is not a valid number");
            }
            _numberArray = value;
        }
    }

Secure Practices: Web Part Properties
Source: Ishai Sagi, http://www.sharepoint-tips.com/2010/06/validating-web-part-properties.html

Secure Practices: Elevated Threads
Three scenarios to elevate thread privileges:
1. Read SharePoint data.
2. Update SharePoint data.
3. Make an external call.

Secure Practices: Reading SharePoint Data

    SPWeb web = SPContext.Current.Web; // owned by SPContext: do not dispose

    try
    {
        // Verify this is a postback from a valid Application Page
        SPUtility.ValidateFormDigest();
        // Verify that the user has a valid permission before elevating
        if (web.DoesUserHavePermissions(SPBasePermissions.ManageWeb))
        {
            SPSecurity.RunWithElevatedPrivileges(delegate()
            {
                // Read data using the SharePoint Object Model here
            });
        }
    }
    catch (SPException)
    {
        // ValidateFormDigest() throws when the digest is missing or invalid: reject the request
    }

Secure Practices: Updating SharePoint Data

    // Update a SharePoint property (GetElevatedSite is the helper shown below)
    using (SPSite elevatedSite = LitwareSecurity.SpSecurityHelper.GetElevatedSite(web.Site))
    {
        // Update data using SharePoint object model here.
    }

The secret sauce: GetElevatedSite first tries site.SystemAccount.UserToken. If that doesn't work, GetSystemToken() falls back to RWEP() to fetch the token. It then returns an elevated SPSite using this token.

Get the source: http://www.danlarson.com/elevated-privilege-with-spsite/

Get the source to make this work from Dan Larson: http://www.danlarson.com/elevated-privilege-with-spsite/ Or paste it from here!

    using System;
    using Microsoft.SharePoint;

    namespace LitwareSecurity
    {
        /// <summary>A class for working with elevated privilege</summary>
        public static class SpSecurityHelper
        {
            /// <summary>Returns an elevated site</summary>
            /// <param name="theSite">The site that you want an elevated instance of.
            /// You must dispose of this object unless it is part of SPContext.Current.</param>
            /// <returns>An elevated site context. Be sure to dispose of objects created from this method.</returns>
            public static SPSite GetElevatedSite(SPSite theSite)
            {
                var sysToken = GetSystemToken(theSite);
                return new SPSite(theSite.ID, sysToken);
            }

            /// <summary>Gets a UserToken for the system account.</summary>
            /// <returns>A usertoken for the system account user.</returns>
            /// <remarks>Use this token to impersonate the system account</remarks>
            public static SPUserToken GetSystemToken(SPSite site)
            {
                site.CatchAccessDeniedException = false;
                try
                {
                    return site.SystemAccount.UserToken;
                }
                catch (UnauthorizedAccessException)
                {
                    SPUserToken sysToken = null;
                    // Only use RunWithElevatedPrivileges to grab the system user token.
                    SPSecurity.RunWithElevatedPrivileges(delegate()
                    {
                        using (SPSite lolcatKiller = new SPSite(site.ID))
                        {
                            sysToken = lolcatKiller.SystemAccount.UserToken;
                        }
                    });
                    return sysToken;
                }
            }
        }
    }
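The reading scenario above, with the pitfall that bites most often in practice. This is an added example and not code from the session: objects obtained before RunWithElevatedPrivileges() still carry the calling user's token, so the site and web are re-opened by ID inside the delegate. The class and method names are this example's own, and it assumes a postback from an application page that carries a FormDigest control.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Added example, not code from the session: the "Read SharePoint data" scenario
// with the re-open-inside-the-delegate pitfall handled. Names are this example's own.
public static class ElevatedRead
{
    // Returns the item count of a list the current user may not be able to see,
    // but only after the user has proven a lesser right of their own.
    public static int CountItemsAsSystem(string listTitle)
    {
        SPWeb contextWeb = SPContext.Current.Web; // owned by SPContext: never dispose

        // Gate 1 (as on the slide): this must be a postback carrying a valid
        // form digest, otherwise a cross-site request could reach the elevated code.
        SPUtility.ValidateFormDigest();

        // Gate 2 (as on the slide): a permission the caller holds in their own
        // right, checked before elevation. Fail closed.
        if (!contextWeb.DoesUserHavePermissions(SPBasePermissions.ViewPages))
        {
            throw new UnauthorizedAccessException("Caller may not view pages in this web.");
        }

        // Capture only identifiers. SPSite/SPWeb objects created outside the
        // delegate keep the calling user's token and would NOT be elevated.
        Guid siteId = contextWeb.Site.ID;
        Guid webId = contextWeb.ID;
        int count = 0;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Pitfall: contextWeb.Lists here would still be evaluated as the user.
            // Re-opening by ID inside the delegate binds the objects to the
            // application pool identity.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPList list = web.Lists.TryGetList(listTitle);
                if (list != null)
                {
                    count = list.ItemCount;
                }
            }
        });
        return count;
    }
}
```

Keep the elevated delegate as small as this: read what is needed, copy plain values out, and let the using blocks dispose the elevated SPSite and SPWeb before returning to code that runs as the user.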

Secure Practices: Using Thread Identity to Call Outside SharePoint

    // Call a non-SharePoint resource
    using (HostingEnvironment.Impersonate())
    {
        // Call an external resource using the credentials of
        // the Application Pool ID here
    }

Secure Practices: Elevated Threads (summary)
Three scenarios to elevate thread privileges:
1. Read SharePoint data: RWEP() is fine to read.
2. Update SharePoint data: GetElevatedSite() creates a safe SPSite to work with.
3. Make an external call: the ASP.NET way to get the job done still works in SharePoint.

Keeping SharePoint Secure: The App Model

App Hosting Models

SharePoint-hosted Apps:
- App resources are added to the SharePoint host
- Stored in a child site known as the App Web
- App can have client-side code (HTML4/5, JavaScript, jQuery, Silverlight, Flash, etc.)
- App cannot have server-side code

Provider-hosted and Auto-hosted Apps:
- App resources are deployed on a remote server
- Remote site known as the Remote Web
- App can have client-side code
- App can have server-side code (C#, node.js, PHP, Ruby, Java, etc.)

Source: SPC205, Ted Pattison (with changes: Cloud-hosted clarified as both Provider- and Auto-hosted Apps)

Granting SharePoint App Permissions
Permissions are requested when an App is installed on a SharePoint server. All or nothing.
Source: SPS030, Todd Baginski

Sample App Manifest
My Sample App: http://ContosoApps/default.aspx/?SPHostUrl={HostUrl}

Reference: App Permissions in SharePoint 2013: http://msdn.microsoft.com/en-us/library/fp142383.aspx
List Elements (including out-of-box Base Type IDs): http://msdn.microsoft.com/en-us/library/ms415091.aspx

Provider-hosted App Permission Scopes

| Scope | Pertains to |
|---|---|
| Site Collection * | A SharePoint site collection |
| Web * | A SharePoint web site |
| List * | A SharePoint list |
| Search | The SharePoint Search Service |
| Workflow | The Windows Azure Workflow Service |
| Taxonomy | The SharePoint Taxonomy Service |
| BCS | Read access to BCS service data sources |

App Permissions

| App permission name | SharePoint permission name | Permissions |
|---|---|---|
| Read | Reader | View Items, Open Items, View Versions, Create Alerts, Use Self-Service Site Creation, View Pages |
| Write | Contributor | Read permissions, plus: Add Items, Edit Items, Delete Items, Delete Versions, Browse Directories, Edit Personal User Information, Manage Personal Views, Add/Remove Personal Web Parts, Update Personal Web Parts |
| Manage | Designer | Write permissions, plus: Manage Lists, Add and Customize Pages, Apply Themes and Borders, Apply Style Sheets |
| FullControl | Full Control | All permissions |

App Authorization Policies

| Policy | Conditions |
|---|---|
| User-only policy | Content database authorization checks succeed if the user has sufficient permissions to perform the action. |
| App-only policy | Content database authorization checks succeed if the App has sufficient permissions, whether or not the current user (if there is a current user) has the same permissions. |
| User and App policy | Content database authorization checks succeed only if both the current user and the App have sufficient permissions to perform the actions that the App is designed to perform. |

This is required to act on behalf of the user when the App is hosted in a Remote Web and not an App Web.

Same-origin policy prevents direct JavaScript calls between App and Host. The best ways to communicate from the App are with CSOM or REST calls into SharePoint.
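An AppManifest.xml for a provider-hosted app requesting two of the scopes listed above, as an added example; this is not the session's own sample manifest, and the app name, ProductID and start page are constructed placeholders. AllowAppOnlyPolicy is left at false so that the user-and-app policy from the table applies and the app can never do more than the installing user could.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not the session's sample manifest). Name, ProductID and StartPage
     are constructed placeholders. -->
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="ContosoSampleApp"
     ProductID="{00000000-0000-0000-0000-000000000001}"
     Version="1.0.0.0"
     SharePointMinVersion="15.0.0.0">
  <Properties>
    <Title>Contoso Sample App</Title>
    <!-- ~remoteAppUrl is replaced by the Remote Web's address at deployment;
         {StandardTokens} appends SPHostUrl, SPAppWebUrl and the language. -->
    <StartPage>~remoteAppUrl/default.aspx?{StandardTokens}</StartPage>
  </Properties>
  <AppPrincipal>
    <!-- Provider-hosted: the app's identity is the registered client id. -->
    <RemoteWebApplication ClientId="*" />
  </AppPrincipal>
  <!-- false: every call is authorized as user AND app (the User and App policy).
       Set true only when a background operation genuinely needs the app-only policy. -->
  <AppPermissionRequests AllowAppOnlyPolicy="false">
    <!-- Web scope, Read: SharePoint's Reader permission on the host web. -->
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
    <!-- List scope, Write: Contributor on ONE list, which the installing user picks
         at install time; BaseTemplateId 101 limits the choice to document libraries. -->
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
      <Property Name="BaseTemplateId" Value="101" />
    </AppPermissionRequest>
  </AppPermissionRequests>
</App>
```

At install time SharePoint shows exactly these two requests to the installing user, who grants or refuses them as a whole; the narrower the scope (a list rather than the web, Read rather than Write), the less an attacker gains if the Remote Web is ever compromised.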

Secure Practices: App Model
- IT Pros: keep track of App permissions and note any changes. Once it is approved, an App is trusted. Apps don't ask to be re-approved on update unless the permission list changes.
- Host Apps in a unique domain. Choosing a sub-domain instead of a unique domain makes cookie attacks possible.

References:
- Addressing same-origin policy limitations in apps for Office: http://msdn.microsoft.com/en-us/library/fp123589.aspx
- Configuring SharePoint On-premise Deployment for Apps: http://blogs.technet.com/b/mspfe/archive/2013/01/31/configuring-sharepoint-on-premise-deployments-for-apps.aspx

The Alternative: Office 365
If you either cannot afford the expense of running a secure environment, or simply cannot be bothered to follow the principles described herein, then get out of the business of hosting and/or developing SharePoint solutions.

Recap
- Make security part of your culture: require SDL and ISO 27034 for all development; provide everyone with training on secure practices; subscribe to Microsoft's Security Bulletins.
- Be secure by default: encrypt secrets and assume all else is known.
- Develop and deploy secure solutions: write secure code; prefer Apps to Full Trust solutions.

Eli Robillard, MNP LLP, Senior Manager, SharePoint Consulting
Email: [email protected]
Twitter: @erobillard
Blog: weblogs.asp.net/erobillard

Questions? Post your questions in the chat. Thank you! #SP24S045

Suggested service accounts for least privilege (the spreadsheet embedded in the Service Accounts slide)

Column notes from the author:
- Managed?: managed credentials are managed by SharePoint in the Secure Store (including observation of password change policies, etc.) and are not directly used by end-users.
- DB?: indicates whether the account has associated data stored in SQL.
- Farm Admin?: indicates whether the account requires membership in the Farm Admin group.

| Account | Description | Version | Managed? | App Pool ID? | DB? | Farm Admin? | Other roles | Notes |
|---|---|---|---|---|---|---|---|---|
| Local System | Administration Service | Both | No | No | No | No | | 3 required Windows Services run as Local System. |
| Local System | Trace Service | Both | No | No | No | No | | Trace items will be missed if this is incorrectly set to use the SP Farm account. |
| Local System | VSS Writer Service | Both | No | No | No | No | | |
| SqlService | SQL Service | Both | No | No | Yes | No | db_owner | |
| SPInstall | Installer | Both | No | No | No | Yes | Local Admins, WSS_ADMIN_WPG, IIS_WPG, SQL sysadmin, db_owner on ConfigDB and Central Admin ContentDB | Also SQL db_owner to update any other DBs via PowerShell |
| SPFarm | SharePoint Farm Account | Both | No | No | No | Yes | Log on locally, local admin (during UPA provisioning), WSS_ADMIN_WPG, WSS_RESTRICTED_WPG, WSS_WPG, SQL dbcreator, securityadmin, db_owner for ContentDBs | Database access account, Central Admin App Pool, Timer Service, Secure Token Service |
| SPAppPoolIdentity | Content Applications | Both | No | Yes | Yes | No | db_owner (on ContentDBs), Log on as batch job, WSS_WPG | Should NOT be in Local Admins group |
| SPSuperUser | Super User | Both | No | No | Yes | No | Web App policy: Full Control | Used to cache R/W objects |
| SPSuperReader | Super Reader | Both | No | No | Yes | No | Web App policy: Full Read | Used to cache RO objects |
| SPServicesFarmAdmin | Full Trust Services | Both | Yes | Yes | Yes | Yes | | State, Usage and Health, Web Analytics, Visio Graphics, Access Services |
| SPServices | General Services | Both | Yes | Yes | Yes | No | | MMS, Enterprise Search, BCS |
| SPSearchService | Search Service | Both | Yes | Yes | Yes | No | | Can isolate Search Service App ID, Search Admin Service App ID, Search Query App ID |
| SPSecureStore | Secure Store Service | Both | Yes | Yes | Yes | Yes | | |
| SPSearchCrawl | Crawl | Both | No | No | Yes | No | | |
| SPUpaSynch | UPA Synch | Both | No | No | Yes | Yes | Log on locally, local admin, AD: Replicating Change permission | Synch Service and Synch Connection |
| SPExcelViewer | Excel Viewer | Both | Yes | No | No | No | Reader on Excel data sources | Excel Services, Calculation Services, Unattended Excel Service Account |
| SPPerformancePoint | PerformancePoint | Both | Yes | Yes | | | | |
| SPSsas | SQL Server Analysis Services | Both | Yes | Yes | | | db_reader on databases | |
| SPAccess | Access Service Application | Both | Yes | Yes | | | db_owner, public, db_securityadmin | Creates all Access DBs |
| SPWorkflow | Workflow Service RunAs Account | 2013 | Yes | Yes | Yes | No | Log On as a Service, SQL sysadmin during installation | Used to create the WF service. Needs a UPA profile. Requires membership in Local Admins unless you create a dedicated WFAdmins group. |
| SPServiceBus | Service Bus RunAs Account | 2013 | | | | | | Can be the same as the WF account, although the least-privileged article cites separate accounts. |
| SPMySites | My Site Application Pool ID | 2013 | Yes | Yes | Yes | No | | An app pool identity |