Tech Ed 2006 South East Asia Security and Compliance by Joel Oleson

Upload: joel-oleson

Post on 07-Nov-2014

DESCRIPTION

200-300 level deck on SharePoint Security with a focus on Authentication vs. Authorization with the authentication models introduced in WSS 3.0, MOSS 2007.

TRANSCRIPT

Page 1: Tech Ed 2006 South East Asia Security And Compliance by Joel Oleson
Page 2

Microsoft Office SharePoint Server 2007 Security, Compliance and Policy from Service Accounts to Item Level Permissions

Joel Oleson

Sr. Product Manager

Page 3

Key Take Aways

• Learn in this session
  – Configure authentication
  – Manage permissions
  – Securely configure your web farm
  – Enable auditing for compliance
  – Manage retention policies
  – Report on security related events

Page 4

Agenda

• Agenda
  – Intro… SharePoint Products & Technologies
  – Windows and ASP.NET authentication
  – Managing security
  – Compliance from bottom to top
  – Web farm Configuration
  – Questions?

Page 6

SharePoint 2007 Feature Areas

• Collaboration: Docs/tasks/calendars, blogs, wikis, e-mail integration, project management “lite”, Outlook integration, offline docs/lists
• Portal: Enterprise Portal template, Site Directory, My Sites, social networking, privacy control
• Search: Enterprise scalability, contextual relevance, rich people and business data search
• Business Forms: Rich and Web forms based front-ends, LOB actions, pluggable SSO
• Business Intelligence: Server-based Excel spreadsheets and data visualization, Report Center, BI Web Parts, KPIs/Dashboards
• Content Management: Integrated document management, records management, and Web content management with policies and workflow
• Platform Services: Workspaces, Mgmt, Security, Storage, Topology, Site Model

Page 7

SharePoint 2007 Feature Areas

• Collaboration
• Business Intelligence
• Portal
• Business Forms
• Search
• Content Management
• Platform Services: Workspaces, Mgmt, Security, Storage, Topology, Site Model

Page 9

User Authentication

• Authentication = Who are you?
  – User identity
  – User groups/roles as defined by the directory
  – Same in WSS and MOSS!

• Windows
  – Windows integrated, Basic, Digest, etc

• ASP.NET Pluggable Authentication
  – Forms – locally hosted login form
  – Web SSO – remotely hosted login form

Page 10

Windows Authentication

• Provided by IIS – SharePoint consumes

• Windows Integrated
  – Kerberos/Negotiate
  – NTLM

• Basic

• Digest

• Certificates (Must use IIS to configure)

Page 11

Configuring Kerberos

• KDC Service Principal Name must match SharePoint application pool account

Page 12

ASP.NET Authentication

• Pluggable authentication framework
  – User identity is independent from Operating System (OS) identity
  – Custom code to handle authentication
  – Two related providers
    • Membership – user identities
    • Role – roles/groups/attributes for a user

• Out-of-the-box providers
  – LDAP (Office SharePoint Server)
  – SQL Server (ASP.NET)
  – AD – single domain only (ASP.NET)

Page 13

ASP.NET Pipeline

[Diagram labels: Authentication Module; Role Manager; Membership Provider; SharePoint Content Database; User/Group Directories; User Identity; Client Redirects; Groups/Roles; Authorization; Invitations]

Page 14

Web.config

<membership>
  <providers>
    <add name="YourMembershipProviderName"
         connectionStringName="YourConnectionString" … />
  </providers>
</membership>

<roleManager>
  <providers>
    <add name="YourRoleProviderName"
         connectionStringName="YourConnectionString" … />
  </providers>
</roleManager>

<connectionStrings>
  <add name="YourConnectionString"
       connectionString="data source=127.0.0.1;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
</connectionStrings>

Page 15

ASP.NET Authentication Limitations

• Browser clients only
  – Search crawler must use Windows
  – Office client interaction degraded

• One authentication type per web application
  – No Windows and Forms in same domain
  – One provider pair per domain

• Forms over Windows accounts
  – Forms user not same as Windows user

Page 16

Authentication & Alternate Access Mappings

Page 18

Sample Deployment Governance Model

[Diagram labels:]
• Permanent: Enterprise Search; News; KPIs - Business Intelligence
• Corporate Business Taxonomy With Divisional Stakeholders
• Exists with AD User
• Ad hoc Self Service w/ Retention Policies
• Permanent: Business Process Management; Dashboards; Division Scoped Search; Group Reporting & Scorecards; Site Directories & Site Maps
• As Needed: Document & Records Mgmt; Aggregation; Project Reports
• Short Lived: Collaboration
• Semi Permanent: Private & Shared; Contextual Collab

Page 19

Common Information Management Roles

• Information Worker – Consumes and creates content
• Site Administrator – Creates lists, manages site roles & manages permissions
• Business Owner/Application Owner – Responsible for architecting the departmental top down solution for Enterprise Search, Profiles, Site Hierarchy/Site Map, Site Directory, branding
• IT Pro/Farm Administrator – Manages the Server Farm, installs & deploys servers, web parts, manages capacity planning

Page 20

Administrative Architecture

• Three Tier Admin
  – Web-based
  – Role & task delineated
  – Controlled delegation
  – Secure isolation

• Shared Services
  – Service Authorization
  – Service Configuration
  – MOSS only

• Central Admin
  – Authentication
  – Security Policies
  – Farm Configuration

• Site Settings
  – Content Authorization

[Diagram labels: Content Admins; IT Admins; Shared Content Admins]

Page 21

Site Topologies

Portals are Sites with a special template and *features*

[Diagram labels: Office SharePoint Server; Web Application(s); SSP Admin; Central Admin; Portal Template; Portal Template]

Page 22

Authorization Tools

• Authorization = What can you do?

[Diagram labels: SharePoint Content; Configuration; Data Services]

• What can you view, update, delete, and customize?
• What services and tools can you use?
• What rules are enforced everywhere in the application?

Page 23

Permissions Management

• Group-based permissions management

• Role-based permissions management

• Fine-grained permissions control
  – List, library, folder, item, and document

• Anonymous access

• Security trimmed user interface!

• Explicit access denied experience!

Page 24

SharePoint Groups

• New permissions management experience
  – Three default groups
    • Owners – full control
    • Members – contribute to existing lists and libraries
    • Visitors – read only
  – Integrated with user information list

• SharePoint groups can be assigned permissions anywhere in the site collection

• Group administration scales better

Page 25

Permission Levels

• Collections of rights, not people
  – Full Control – Has full control
  – Design – Can view, add, update, delete, approve, and customize
  – Contribute – Can view, add, update, and delete
  – Read – Can view only

• Customizable

• Inheritable across site collection

Page 26

Fine Grained Permissions

• New securable objects
  – Web site
  – Lists and libraries
  – Folders within list or library
  – Document or list item

• Consistent user interface top to bottom
  – Permission levels
  – Inherit from parent or unique permissions

Page 27

Site Collection Administrators

• Users with full control over all content in the site collection
  – Fix lock out problems
  – Recover items from 2nd stage recycle bin
  – Cannot be removed from permissions

Page 28

New Permissions

• Edit User Information – display name, e-mail, etc
• Approve Items – promote minor to major version
• View Versions
• Delete Versions
• Create Alerts – separated from view items
• Manage Alerts – create alerts for other people
• Enumerate Permissions – read, but not change
• Open Items – view source of server files (ASPX)
• View Application Pages – e.g. _layouts pages
• Use Remote Interfaces – e.g. SOAP
• Use Client Integration Features – e.g. Office

Page 29

Permissions Management

Page 30

Shared Services

• Business data catalog
  – Impersonation/delegation
    • Kerberos constrained delegation
    • Office server SSO
  – Trusted subsystem

• Excel trusted locations

• User profile rights
  – Property visibility

• Audiences are NOT for security

Page 31

Shared Services Provider

Resource optimization

Security isolation

Delegation of administration

Can be shared across farms

Page 32

Shared Services

[Diagram labels: four Web Apps (CorpWeb, WinWeb, OfficeWeb, LegalWeb); four App Pools; Shared Services: Office Server Search, Directory import, User profile synch, Audiences, Targeting, Business data catalog, Excel calculation service, Usage Reporting]

Page 33

Shared Services: Audiences

Page 34

Security Policy

• Centrally enforced permissions for all sites in the web application
  – GRANT and DENY
  – Bound to web application/zone

• Scenarios
  – Full read – search crawling accounts, auditors, legal compliance
  – Deny all – security control, regulatory compliance
  – Deny write – extranet lockdown
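
Added example, not part of the original deck and not SharePoint's own code: a simplified model of how the layers on the Permission Levels, Fine Grained Permissions and Security Policy slides combine into one effective rights mask. The right names, the MANAGE placeholder, the sample site, group and file names, and the rule that a policy DENY is applied last are assumptions of this model.

```python
from enum import Flag, auto


class Right(Flag):
    NONE = 0
    VIEW = auto()
    ADD = auto()
    UPDATE = auto()
    DELETE = auto()
    APPROVE = auto()
    CUSTOMIZE = auto()
    MANAGE = auto()  # assumption: stands in for everything else in Full Control


WRITE = Right.ADD | Right.UPDATE | Right.DELETE
# Permission levels as listed on the slide: collections of rights, not people.
LEVELS = {"Read": Right.VIEW, "Contribute": Right.VIEW | WRITE}
LEVELS["Design"] = LEVELS["Contribute"] | Right.APPROVE | Right.CUSTOMIZE
LEVELS["Full Control"] = LEVELS["Design"] | Right.MANAGE


class Securable:
    """Web site, list/library, folder or item; assignments=None means inherit."""

    def __init__(self, name, parent=None, assignments=None):
        self.name, self.parent, self.assignments = name, parent, assignments

    def acl(self):
        node = self  # walk up to the nearest object with unique permissions
        while node.assignments is None:
            node = node.parent  # the top-level site must carry assignments
        return node.assignments


def effective_rights(obj, principals, grant=Right.NONE, deny=Right.NONE):
    """Content permissions first, then web-application policy: GRANT adds, DENY removes last."""
    rights = Right.NONE
    for principal, level in obj.acl().items():
        if principal in principals:
            rights |= LEVELS[level]
    return (rights | grant) & ~deny


# Constructed sample hierarchy: site -> library -> folder (unique) -> item.
site = Securable("Sales", assignments={"Owners": "Full Control",
                                       "Members": "Contribute", "Visitors": "Read"})
library = Securable("Contracts", parent=site)
folder = Securable("Asia Pacific Region", parent=library,
                   assignments={"Legal": "Contribute"})
item = Securable("claim-001.docx", parent=folder)
```

In this model a site Member loses all access below the folder with unique permissions, a crawler account with a "Full read" policy grant can still view the item, and a "Deny write" policy strips add/update/delete even from a site Owner.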

Page 36

Business Benefits

Reduce costs of retrieving information for legal discovery

Reduce risk of non-compliance and legal liability

Retain vital records for business continuity

Page 37

Compliance

• Auditing
  – Content Modifications
  – Content Viewing
  – Deletion
  – More
• Bar Codes (for tracking)
• Expiration
• Security Report
• Policy Modification
• Custom Report

Page 38

Organizational Styles

[Diagram labels: Library; Folder; Site; Library; Server; Site Collection; Document Center; Portal\Team Site; Distributed; Structured Autonomous; Records Repository]

Page 39

Managing Collaborative Spaces

[Diagram labels: Office SharePoint Server; Sales; Asia Pacific Region; Employment Claims; Contracts]

• Content Types to classify content
• Policies to audit and expire information
• Server side IRM
• Declared records sent to Records Repository

Page 40

Records Repository

[Diagram labels: Records Manager; Records Repository; Contracts; Asia Pacific Region; Financials; Mortgage; Doc Mgmt Systems; Physical Assets; E-mail/services Interface]

• Records Repository template
• Transfers document context
• Configure policies as per retention schedule
• Configure repository as per file plan

Page 41

Compliance Auditing

Page 43

Web Farm Configuration

• Application pool accounts
  – Full control over content
  – Act as the “SharePoint\system” account

• Timer service accounts
  – Timer
  – Admin Service – must run as Local System

• SQL Servers
  – Kerberos SPN issue applies here too!

Page 44

Security Configuration

• Rights mask

• Blocked file types

• Form digest timeout

• Safe control list

• Code access security

• Code execution paths

• Virus scanning

Page 45

Office Server SSO

• Credentials for server-to-server hop
• Unique or shared

[Diagram labels: Client; SharePoint; External Data; Credentials]

Page 46

Admin Access To Data

• Central administrators no longer have default full access to content

• Central administrators can grant themselves access to any content
  – Security policy
  – Site collection owners/administrators
  – Both actions are audited in NT Event Log

Page 47

WSS Topology

[Diagram labels: Router; Web Servers (three groups); Content DB (two); Config DB; Search (two)]

Page 48

MOSS Shared Services

[Diagram labels: Router; Web Servers (three groups); Content DB (two); Config DB; App Servers: Index, Query, Excel, InfoPath, User Profile, etc. (two groups); Shared Services DB]

Page 49

Example Multi-Farm Topology

Page 50

Configuration Best Practices

• Unique accounts
  – Central administration
  – Shared services process
  – Shared services shared web service account
  – Content app pools

• Kerberos on (default = NTLM)
  – Each process account must be a registered SPN to work
  – SQL 2005 defaults to Kerberos with non-system process ID!

• SSL enabled (default = off)
  – Turn on for admin sites and server to server
  – Warning provided on credentials pages if SSL is off

• SPAdmin service
  – Single server: Off (recommend ‘On’ for OSS)
  – Farm: On
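
Added example, not part of the original deck: a small audit of the rule stated on the Configuring Kerberos slide and repeated in the Kerberos bullet above, that the HTTP SPN for each web application must be registered to the account its application pool runs as. The host names, account names and both input tables are constructed sample data (the second stands for an export of each account's servicePrincipalName attribute), and the finding labels are this example's own.

```python
from collections import defaultdict

# Constructed sample data: web application host -> application pool account.
WEB_APPS = {
    "portal.example.com": r"EXAMPLE\svc-portal-pool",
    "mysites.example.com": r"EXAMPLE\svc-mysites-pool",
    "teams.example.com": r"EXAMPLE\svc-teams-pool",
    "ssp.example.com": r"EXAMPLE\svc-ssp-pool",
}

# Constructed sample data: account -> values of its servicePrincipalName attribute.
SPN_REGISTRATIONS = {
    r"EXAMPLE\svc-portal-pool": ["HTTP/portal.example.com", "HTTP/portal"],
    r"EXAMPLE\svc-mysites-pool": [],
    r"EXAMPLE\svc-teams-pool": ["HTTP/teams.example.com"],
    r"EXAMPLE\svc-old-teams": ["http/TEAMS.example.com"],  # stale duplicate
    r"EXAMPLE\WEB01$": ["HTTP/ssp.example.com"],            # machine account
    r"EXAMPLE\svc-ssp-pool": ["MSSQLSvc/sql01.example.com:1433"],
}


def audit_spns(web_apps, registrations):
    """Classify each web application's HTTP SPN as ok/missing/duplicate/wrong-account."""
    owners = defaultdict(set)  # lower-cased host -> accounts holding HTTP/<host>
    for account, spns in registrations.items():
        for spn in spns:
            service, _, host = spn.partition("/")
            if service.upper() == "HTTP":  # compare SPNs case-insensitively
                owners[host.lower()].add(account.lower())

    findings = {}
    for host, pool_account in web_apps.items():
        holders = owners.get(host.lower(), set())
        if not holders:
            findings[host] = "missing"        # no SPN registered for the host
        elif len(holders) > 1:
            findings[host] = "duplicate"      # same SPN on several accounts
        elif pool_account.lower() not in holders:
            findings[host] = "wrong-account"  # SPN exists, but not on the pool account
        else:
            findings[host] = "ok"
    return findings


if __name__ == "__main__":
    for host, finding in audit_spns(WEB_APPS, SPN_REGISTRATIONS).items():
        print(f"{host:22} {WEB_APPS[host]:26} {finding}")
```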

Page 51

Session Summary

• Pluggable authentication
  – Windows – Kerberos, NTLM, Basic
  – ASP.NET – Forms and Web SSO

• Managing permissions
  – Site settings: Site, list, folder, and item
  – Shared services
  – Central admin policies and configuration

• Web farm configuration
  – Application pool accounts
  – Other process accounts

Page 52

Call To Action

• Use Kerberos!
  – More secure than NTLM
  – Better performance than NTLM

• Evaluate Authentication
  – Ready for Forms authentication?

• Evaluate content topology
  – Do folder and item level permissions change how you deploy SharePoint content?

• Model your groups

Page 54

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.