SlideShare a Scribd company logo

SPTechCon Boston 2013 - Introduction to Security in Microsoft Sharepoint 2013 - Antonio Maio

Download as PPTX, PDF
A
AntonioMaio2

This document provides an overview of security features in Microsoft SharePoint 2013, beginning with an introduction and goal to educate about key security capabilities. It then covers an agenda of topics like deployment planning, authentication, permissions, governance and various other security features. It emphasizes the importance of security and recommends best practices like using separate accounts for setup, farm administration and SQL services with least privileges. It also highlights risks of inadvertent data exposure if anonymous access is not properly configured for public-facing SharePoint sites.

Technology
1 of 31
Downloaded 54 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Introduction to Security in Microsoft SharePoint 2013 Email: Antonio.maio@titus.com Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2 Antonio Maio Senior Product Manager, TITUS Microsoft SharePoint Server MVP
2 Goal Inform and Educate on Key SharePoint Security Features  We know its critical in government and military deployments  We know its critical consideration in business  Security is still often its an after thought for many deployments  Requires good planning  Requires good awareness of the capabilities available  Requires knowledge of what SharePoint cannot do
3 Agenda  What Drives our Security Needs in SharePoint?  Deployment Planning & Least Privileged Accounts  Authentication  Permissions or Authorization  Governance and Awareness  Web Application Policies & Anonymous Access  Other Security Features
Why SharePoint?  Content repository and document management  Extranet portals, External Portal/Site (partner and client access)  Information Lifecycle Management (ILM) & workflows  Records management 4
What Drives our Information Security Needs? Information Security comes down to 2 or 3 drivers:  Protecting Your Investments (intellectual property, digital assets, competitive advantage…)  Reducing Your Liability (avoid compliance violations, fines/sanctions, reputation issues…)  Public Safety or Mission Success (protect classified information, mission plans, reputation issues…)  Public Health (health records, health insurance, insurance fraud/theft…) 5
What Drives our Information Security Needs? How does this affect us as SharePoint people?  How We Deploy SharePoint  Control Access  Assign Roles & Establish Repeatable/Predictable Process  Regulatory Compliance Standards  Auditing & Reporting Obligations 6
Deployment Planning & Least Privileged Accounts SharePoint is a web application built on top of SQL Server  Best practice: to use specific user accounts for specific purposes with least privileges Benefits: Separation of Concerns  Multiple points of redundancy  Targeted auditing of account usage  Minimize the risk of compromised accounts Review SharePoint deployment guide before you install
3 Deployment Accounts (minimum) 1. SQL Server Service Account  Assign to MSSQLSERVER and SQLSERVERAGENT services when you install SQL Server (ex: domainSQL_service)  No special domain permissions - given required rights in SQL Server during SQL setup 2. Setup User Account  Used to install SharePoint, run Product Config Wizard, install patches/updates  login with this account when running setup (ex: domainsp_setup_user)  Must be local admin on each server in SharePoint farm (except SQL Server if different box)  Before starting SharePoint setup, assign the securityadmin and dbcreator roles in SQL 3. SharePoint Farm Account  Used to run the SharePoint farm; not just for database access (ex. domainsp_farm_user)  After Product Config Wizard is run, prompted to provide the Database Access Account – misnamed in UI, this is really the all powerful farm account  Given ownership of Config database - also configures several SharePoint services including the timer service to use Farm account as its identity Should all be AD domain accounts (user accounts) Do not use personal admin account, especially for Setup User Account Configure central email account for all managed accounts
Authentication Determine that users are who they say they are (login)  Configured on each web app  Multiple authentication methods per web app SharePoint 2010 Options  Classic Mode Authentication (Integrated Auth, NTLM, Kerberos)  Claims Based Authentication  Forms Based Authentication available- done through Claims Based Auth. UI configuration options only available in UI upon web app creation To convert non-claims based web app to claims will require PowerShell SharePoint 2013 Options  Claims Based Authentication - default  Classic Mode Configuration UI has been removed (Only configurable through PowerShell)
Permissions Allow you to secure any information object or container  Determine who gets access to what information objects and what type of access  Apply to items, folders, lists, libraries, sites, site collection…  Do not apply to individual column field values (not a securable object) Assigning Permissions Includes  The user or group we are enabling with access  The information object in question  The permission level we are granting as part of that access Examples  Finance AD Group has Full Control on Library  ProjectX-Contractor SP Group has Read access on site  Antonio.Maio AD user has Contribute access on Document
Users Interacting with Permissions 11
Users Interacting with Permissions 12
Users Interacting with Permissions 13
Users Interacting with Permissions 14
Inherited Permissions  Hierarchical permission model  Permissions are inherited from level above  Can break inheritance and apply unique permissions  Manual process  Permissive Model SharePoint Farm Web Application Site Collection Site Collection Site Site Library List Document Web Application Item Site Document Document Item Demo Members SharePoint Group Edit Demo Owners SharePoint Group Full Control Demo Visitors SharePoint Group Read Finance Team Domain Group Edit Senior Mgmt Domain Group Full Control Research Team Domain Group Full Control Senior Mgmt Domain Group Full Control Research Team Domain Group Full Control Senior Mgmt Domain Group Full Control Antonio.Maio Domain User Full Control
Permissions and Security Scopes  Every time permission inheritance is broken a new security scope is created  Security Scope is made of up principles:  Domain users/groups  SharePoint users/groups  Claims  Be aware of “Limited Access”  Limitations  Security Scopes (50,000 per list)  Size of Security Scope (5,000 per scope)  Resources  Microsoft SharePoint Boundaries and Limits: http://technet.microsoft.com/en- us/library/cc262787.aspx
Fine Grained Permissions Trend: sensitive content sitting beside non-sensitive content Leads to customers exploring fine grained permissions Confidential Public Internal Recommendation  Use metadata to identify which data to protect  User attributes (claims) to determine who should have access  Implemented automated solution to manage fine-grained permissions
Governance Challenges  Operational Management  Change Management  User training  Auditing and Monitoring  Document handling culture  Compliance Make End-Users Responsible & Accountable for Sensitive Information
Ignorance… It‟s Problematic
Responsibility vs Ignorance  How do you consistently enforce a culture of security awareness?  Workers upload, send, copy, print, etc. content  Employees are typically not aware of sensitive information or how to handle it  Consider applying standardized security labels – headers, footers and watermarks  Compliance laws dictate need for headers/footers and watermarks.  SharePoint‟s limited labeling capabilities are deprecated in SharePoint 2013!
Raise Awareness Automatically apply standardized security labels to MS Office and PDFs Headers Footers Watermarks
Promote Accountability Date & Time Stamp Date & Time Stamp Current User‟s Name Mark downloaded SharePoint documents with identifying information
Web Application Policies User Permissions  Permissions available within permission levels at site collection level Permission Policies  Define groups of permissions (similar to permission levels)  Control if site collection admins have full control on any object in site col.  Only place with a “Deny” capability (default: deny write, deny all) User Policies  Assign permission policies to users and groups for the entire web app  Ex. Deny group from deleting items within an entire web app – applicable to public facing web app Blocked File Types  Prevent specific files types from being added to libraries within web app
Anonymous Access Turn on or off for web application – only making available for sites  Central Admin> Manage Web Apps> Authentication Providers  Edit an Authentication Provider  Check on „Enable Anonymous Access‟ for that provider  Select “Anonymous Policy” for the web app  Select zone and policy for anonymous access
 Site Owners must explicitly enable on each site (this is a good thing)  Site Settings> Site Permissions Anonymous Access
Other Security Features  Information Rights Management  Event Auditing  Privileged Users
Questions? Thank you! Email: Antonio.maio@titus.com Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2 Antonio Maio Senior Product Manager, TITUS Microsoft SharePoint Server MVP
Reference
Risk: Inadvertent exposure of internal data on a public web site  All form pages and _vti_bin web services are accessible - PUBLICLY  Modify the URL of a public facing SharePoint site: http://www.mypublicsite.com/SitePages/Home.aspx to http://www.mypublicsite.com/_layouts/viewlsts.aspx  View All Site Content page is now exposed, typically in SharePoint branding, with all site content visible  Desired behavior: User is presented with a login page, or an HTTP error  Accessible pages /_layouts/adminrecyclebin.aspx /_layouts/policy.axpx /_layouts/recyclebin.aspx /_layouts/bpcf.aspx /_layouts/policyconfig.asp /_layouts/wrkmng.aspx /_layouts/create.aspx /_layouts/policycts.aspx /_layouts/vsubwebs.aspx /_layouts/listfeed.aspx /_layouts/policylist.aspx /_layouts/pagesettings.aspx /_layouts/managefeatures.aspx /_layouts/mcontent.aspx /_layouts/settings.aspx /_layouts/mngsiteadmin.aspx /_layouts/sitemanager.aspx /_layouts/newsbweb.aspx /_layouts/mngsubwebs.aspx /_layouts/stor_man.aspx /_layouts/userdisp.aspx Anonymous Access and Exposure Risk
Anonymous Access and Public Facing Sites Remove View Application Pages permission & Use Remote Interfaces permission from Limited Access permission level  Limited Access is what‟s used for anonymous users  Prevents anonymous users from accessing form pages To Do This… Turn on the “Lockdown” Feature  Remove all anonymous access from the site  Open command prompt and go to the folder C:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions14BIN  Check whether the feature is enabled or not (If ViewFormPagesLockDown is listed, it's enabled): get-spfeature -site http://url  If not listed then we must enable it using: stsadm -o activatefeature -url -filename ViewFormPagesLockDownfeature.xml  To disable it: stsadm -o deactivatefeature -url -filename ViewFormPagesLockDownfeature.xml  Reset anonymous access on the site Will result in users getting an Authentication Page when accessing these forms pages Available in MOSS2007, SharePoint 2010 and SharePoint 2013 On by default for Publishing Portal Site Template – for other site templates must turn it on manually
To prevent access to _layouts pages and web services we must also modify web.config to include: <location path="_layouts/error.aspx"> <system.web> <authorization> <allow users="?" /> </authorization> </system.web> </location> <location path="_layouts/accessdenied.aspx"> <system.web> <authorization> <allow users="?" /> </authorization> </system.web> </location> <add path="configuration"> <location path="_layouts"> <system.web> <authorization> <deny users="?" /> </authorization> </system.web> </location> <location path="_vti_bin"> <system.web> <authorization> <deny users="?" /> </authorization> </system.web> </location> <location path="_layouts/login.aspx"> <system.web> <authorization> <allow users="?" /> </authorization> </system.web> </location> Anonymous Access and Public Facing Sites

More Related Content

PPTX
Best practices for security and governance in share point 2013 published
AntonioMaio2
 
PDF
6 Most Surprising SharePoint Security Risks
Imperva
 
PPTX
SPSRI - Sharing the Point in an A/D World
Jared Matfess
 
PPTX
Best practices for Security and Governance in SharePoint 2013
AntonioMaio2
 
PDF
How Claims is Changing the Way We Authenticate and Authorize in SharePoint
AntonioMaio2
 
PPTX
CloudHaven
RichardVann4
 
PDF
Developing custom claim providers to enable authorization in share point an...
AntonioMaio2
 
PPTX
IAM Cloud
Aidy Tificate
 
Best practices for security and governance in share point 2013 published
AntonioMaio2
 
6 Most Surprising SharePoint Security Risks
Imperva
 
SPSRI - Sharing the Point in an A/D World
Jared Matfess
 
Best practices for Security and Governance in SharePoint 2013
AntonioMaio2
 
How Claims is Changing the Way We Authenticate and Authorize in SharePoint
AntonioMaio2
 
CloudHaven
RichardVann4
 
Developing custom claim providers to enable authorization in share point an...
AntonioMaio2
 
IAM Cloud
Aidy Tificate
 

What's hot (18)

PDF
Managing enterprise applications, permissions, and consent in Azure Active Di...
CoLaboraDK
 
PDF
SailPoint - IdentityNow Identity Governance
Arijan Horvat
 
PPTX
SharePoint Access Control and Claims Based Authentication
Jonathan Schultz
 
PPT
internship project ppt
Dhruv Bhasin
 
PPTX
Developing social solutions on Microsoft technologies (SP Social and Yammer)
SPC Adriatics
 
PPTX
Managing enterprise applications, permissions, and consent in Azure Active Di...
Peter Selch Dahl
 
PDF
Unlock your Big Data with Analytics and BI on Office 365 - OFF103
Brian Culver
 
PDF
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
Brian Culver
 
PDF
How to increase social adoption - meetIT 2016, Milano
Henning Schmidt
 
PPTX
Leveraging SharePoint for Extranets
Avtex
 
PPS
Social media tools training
ILRI
 
PPTX
Make your Azure PaaS Deployment More Safe
Thuan Ng
 
PDF
816isdfo
Anil Pandey
 
PPTX
CoLabora March 2022 - Improve security posture by implementing new Azure AD ...
Peter Selch Dahl
 
PDF
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2
 
PDF
Hexnode Identity and Access Management solution
Hexnode
 
PDF
Deciphering 'Claims-based Identity'
Oliver Pfaff
 
PDF
Identity and Access Management Tools
ijtsrd
 
Managing enterprise applications, permissions, and consent in Azure Active Di...
CoLaboraDK
 
SailPoint - IdentityNow Identity Governance
Arijan Horvat
 
SharePoint Access Control and Claims Based Authentication
Jonathan Schultz
 
internship project ppt
Dhruv Bhasin
 
Developing social solutions on Microsoft technologies (SP Social and Yammer)
SPC Adriatics
 
Managing enterprise applications, permissions, and consent in Azure Active Di...
Peter Selch Dahl
 
Unlock your Big Data with Analytics and BI on Office 365 - OFF103
Brian Culver
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
Brian Culver
 
How to increase social adoption - meetIT 2016, Milano
Henning Schmidt
 
Leveraging SharePoint for Extranets
Avtex
 
Social media tools training
ILRI
 
Make your Azure PaaS Deployment More Safe
Thuan Ng
 
816isdfo
Anil Pandey
 
CoLabora March 2022 - Improve security posture by implementing new Azure AD ...
Peter Selch Dahl
 
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2
 
Hexnode Identity and Access Management solution
Hexnode
 
Deciphering 'Claims-based Identity'
Oliver Pfaff
 
Identity and Access Management Tools
ijtsrd
 
Ad

Similar to SPTechCon Boston 2013 - Introduction to Security in Microsoft Sharepoint 2013 - Antonio Maio (20)

PPTX
Best Practices for Security in Microsoft SharePoint 2013
AntonioMaio2
 
PPT
Tech Ed 2006 South East Asia Security And Compliance by Joel Oleson
Joel Oleson
 
PPTX
Best Practices for Security and Governance in SharePoint 2013
InnoTech
 
PPTX
Securing the SharePoint Platform
Bert Johnson
 
PPTX
Mother always said "Did You Ask?": SharePoint 2010 Permissions
Regroove
 
PPTX
SharePoint Administration & Permissions
Craig Jahnke
 
PPTX
MOSS2007 Security
dropkic
 
PPT
Share Point Server Security with Joel Oleson
Joel Oleson
 
PDF
Preventing Security Leaks in SharePoint with Joel Oleson & Christian Buckley
Joel Oleson
 
PPT
D Cornell Securing Share Point
Art Upton
 
PPTX
Permissions designed to scale
Jamie Aliperti
 
PPTX
Installing SharePoint 2013 – Step by Step presented by Alan Richards
European SharePoint Conference
 
PPTX
European SharePoint Conference Training Week - Installing SharePoint 2013
Alan Richards
 
PDF
Deployment guide-for-share point-2013
prconcepcion
 
PPTX
ESDDC - Making Secured Content Discoverable in SharePoint
Jonathan Ralton
 
PPTX
SIKM Boston - Making Secured Content Discoverable in SharePoint
Jonathan Ralton
 
PDF
SharePoint Security Management - Lessons Learned
Benjamin Niaulin
 
DOC
Wss Security
LiquidHub
 
PPTX
Webinar: Take Control of SharePoint Security
AntonioMaio2
 
PDF
OWASP LA – SharePoint Hacking – 22Feb2012 – Slides.PDF
Bishop Fox
 
Best Practices for Security in Microsoft SharePoint 2013
AntonioMaio2
 
Tech Ed 2006 South East Asia Security And Compliance by Joel Oleson
Joel Oleson
 
Best Practices for Security and Governance in SharePoint 2013
InnoTech
 
Securing the SharePoint Platform
Bert Johnson
 
Mother always said "Did You Ask?": SharePoint 2010 Permissions
Regroove
 
SharePoint Administration & Permissions
Craig Jahnke
 
MOSS2007 Security
dropkic
 
Share Point Server Security with Joel Oleson
Joel Oleson
 
Preventing Security Leaks in SharePoint with Joel Oleson & Christian Buckley
Joel Oleson
 
D Cornell Securing Share Point
Art Upton
 
Permissions designed to scale
Jamie Aliperti
 
Installing SharePoint 2013 – Step by Step presented by Alan Richards
European SharePoint Conference
 
European SharePoint Conference Training Week - Installing SharePoint 2013
Alan Richards
 
Deployment guide-for-share point-2013
prconcepcion
 
ESDDC - Making Secured Content Discoverable in SharePoint
Jonathan Ralton
 
SIKM Boston - Making Secured Content Discoverable in SharePoint
Jonathan Ralton
 
SharePoint Security Management - Lessons Learned
Benjamin Niaulin
 
Wss Security
LiquidHub
 
Webinar: Take Control of SharePoint Security
AntonioMaio2
 
OWASP LA – SharePoint Hacking – 22Feb2012 – Slides.PDF
Bishop Fox
 
Ad

More from AntonioMaio2 (19)

PDF
Introduction to Microsoft Enterprise Mobility + Security
AntonioMaio2
 
PDF
Learn how to protect against and recover from data breaches in Office 365
AntonioMaio2
 
PDF
A beginners guide to administering office 365 with power shell antonio maio
AntonioMaio2
 
PDF
Office 365 Security - MacGyver, Ninja or Swat team
AntonioMaio2
 
PDF
Information security in office 365 a shared responsibility - antonio maio
AntonioMaio2
 
PDF
SharePoint Saturday Ottawa - How secure is my data in office 365?
AntonioMaio2
 
PPTX
Office 365 security new innovations from microsoft ignite - antonio maio
AntonioMaio2
 
PPTX
Real world SharePoint information governance a case study - published
AntonioMaio2
 
PDF
Overcoming Security Threats and Vulnerabilities in SharePoint
AntonioMaio2
 
PPTX
What’s new in SharePoint 2016!
AntonioMaio2
 
PPTX
Data Visualization in SharePoint and Office 365
AntonioMaio2
 
PPTX
Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio
AntonioMaio2
 
PPTX
Identity management challenges when moving share point to the cloud antonio...
AntonioMaio2
 
PDF
A Practical Guide Information Governance with Microsoft SharePoint 2013
AntonioMaio2
 
PDF
Keeping SharePoint Always On
AntonioMaio2
 
PPTX
Intro to Develop and Deploy Apps for Microsoft SharePoint and Office 2013
AntonioMaio2
 
PPTX
SharePoint Governance: Impacts of Moving to the Cloud
AntonioMaio2
 
PPTX
Share point security 101 sps-ottawa 2012 - antonio maio
AntonioMaio2
 
PPTX
SharePoint Saturday Toronto July 2012 - Antonio Maio
AntonioMaio2
 
Introduction to Microsoft Enterprise Mobility + Security
AntonioMaio2
 
Learn how to protect against and recover from data breaches in Office 365
AntonioMaio2
 
A beginners guide to administering office 365 with power shell antonio maio
AntonioMaio2
 
Office 365 Security - MacGyver, Ninja or Swat team
AntonioMaio2
 
Information security in office 365 a shared responsibility - antonio maio
AntonioMaio2
 
SharePoint Saturday Ottawa - How secure is my data in office 365?
AntonioMaio2
 
Office 365 security new innovations from microsoft ignite - antonio maio
AntonioMaio2
 
Real world SharePoint information governance a case study - published
AntonioMaio2
 
Overcoming Security Threats and Vulnerabilities in SharePoint
AntonioMaio2
 
What’s new in SharePoint 2016!
AntonioMaio2
 
Data Visualization in SharePoint and Office 365
AntonioMaio2
 
Hybrid Identity Management with SharePoint and Office 365 - Antonio Maio
AntonioMaio2
 
Identity management challenges when moving share point to the cloud antonio...
AntonioMaio2
 
A Practical Guide Information Governance with Microsoft SharePoint 2013
AntonioMaio2
 
Keeping SharePoint Always On
AntonioMaio2
 
Intro to Develop and Deploy Apps for Microsoft SharePoint and Office 2013
AntonioMaio2
 
SharePoint Governance: Impacts of Moving to the Cloud
AntonioMaio2
 
Share point security 101 sps-ottawa 2012 - antonio maio
AntonioMaio2
 
SharePoint Saturday Toronto July 2012 - Antonio Maio
AntonioMaio2
 

Recently uploaded (20)

PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PPTX
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
The various Industrial Revolutions .pptx
bandileshozi3
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 

SPTechCon Boston 2013 - Introduction to Security in Microsoft Sharepoint 2013 - Antonio Maio

  • 1. Introduction to Security in Microsoft SharePoint 2013 Email: [email protected] Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2 Antonio Maio Senior Product Manager, TITUS Microsoft SharePoint Server MVP
  • 2. 2 Goal Inform and Educate on Key SharePoint Security Features  We know its critical in government and military deployments  We know its critical consideration in business  Security is still often its an after thought for many deployments  Requires good planning  Requires good awareness of the capabilities available  Requires knowledge of what SharePoint cannot do
  • 3. 3 Agenda  What Drives our Security Needs in SharePoint?  Deployment Planning & Least Privileged Accounts  Authentication  Permissions or Authorization  Governance and Awareness  Web Application Policies & Anonymous Access  Other Security Features
  • 4. Why SharePoint?  Content repository and document management  Extranet portals, External Portal/Site (partner and client access)  Information Lifecycle Management (ILM) & workflows  Records management 4
  • 5. What Drives our Information Security Needs? Information Security comes down to 2 or 3 drivers:  Protecting Your Investments (intellectual property, digital assets, competitive advantage…)  Reducing Your Liability (avoid compliance violations, fines/sanctions, reputation issues…)  Public Safety or Mission Success (protect classified information, mission plans, reputation issues…)  Public Health (health records, health insurance, insurance fraud/theft…) 5
  • 6. What Drives our Information Security Needs? How does this affect us as SharePoint people?  How We Deploy SharePoint  Control Access  Assign Roles & Establish Repeatable/Predictable Process  Regulatory Compliance Standards  Auditing & Reporting Obligations 6
  • 7. Deployment Planning & Least Privileged Accounts SharePoint is a web application built on top of SQL Server  Best practice: to use specific user accounts for specific purposes with least privileges Benefits: Separation of Concerns  Multiple points of redundancy  Targeted auditing of account usage  Minimize the risk of compromised accounts Review SharePoint deployment guide before you install
  • 8. 3 Deployment Accounts (minimum) 1. SQL Server Service Account  Assign to MSSQLSERVER and SQLSERVERAGENT services when you install SQL Server (ex: domainSQL_service)  No special domain permissions - given required rights in SQL Server during SQL setup 2. Setup User Account  Used to install SharePoint, run Product Config Wizard, install patches/updates  login with this account when running setup (ex: domainsp_setup_user)  Must be local admin on each server in SharePoint farm (except SQL Server if different box)  Before starting SharePoint setup, assign the securityadmin and dbcreator roles in SQL 3. SharePoint Farm Account  Used to run the SharePoint farm; not just for database access (ex. domainsp_farm_user)  After Product Config Wizard is run, prompted to provide the Database Access Account – misnamed in UI, this is really the all powerful farm account  Given ownership of Config database - also configures several SharePoint services including the timer service to use Farm account as its identity Should all be AD domain accounts (user accounts) Do not use personal admin account, especially for Setup User Account Configure central email account for all managed accounts
  • 9. Authentication Determine that users are who they say they are (login)  Configured on each web app  Multiple authentication methods per web app SharePoint 2010 Options  Classic Mode Authentication (Integrated Auth, NTLM, Kerberos)  Claims Based Authentication  Forms Based Authentication available- done through Claims Based Auth. UI configuration options only available in UI upon web app creation To convert non-claims based web app to claims will require PowerShell SharePoint 2013 Options  Claims Based Authentication - default  Classic Mode Configuration UI has been removed (Only configurable through PowerShell)
  • 10. Permissions Allow you to secure any information object or container  Determine who gets access to what information objects and what type of access  Apply to items, folders, lists, libraries, sites, site collection…  Do not apply to individual column field values (not a securable object) Assigning Permissions Includes  The user or group we are enabling with access  The information object in question  The permission level we are granting as part of that access Examples  Finance AD Group has Full Control on Library  ProjectX-Contractor SP Group has Read access on site  Antonio.Maio AD user has Contribute access on Document
  • 11. Users Interacting with Permissions 11
  • 12. Users Interacting with Permissions 12
  • 13. Users Interacting with Permissions 13
  • 14. Users Interacting with Permissions 14
  • 15. Inherited Permissions  Hierarchical permission model  Permissions are inherited from level above  Can break inheritance and apply unique permissions  Manual process  Permissive Model SharePoint Farm Web Application Site Collection Site Collection Site Site Library List Document Web Application Item Site Document Document Item Demo Members SharePoint Group Edit Demo Owners SharePoint Group Full Control Demo Visitors SharePoint Group Read Finance Team Domain Group Edit Senior Mgmt Domain Group Full Control Research Team Domain Group Full Control Senior Mgmt Domain Group Full Control Research Team Domain Group Full Control Senior Mgmt Domain Group Full Control Antonio.Maio Domain User Full Control
  • 16. Permissions and Security Scopes  Every time permission inheritance is broken a new security scope is created  Security Scope is made of up principles:  Domain users/groups  SharePoint users/groups  Claims  Be aware of “Limited Access”  Limitations  Security Scopes (50,000 per list)  Size of Security Scope (5,000 per scope)  Resources  Microsoft SharePoint Boundaries and Limits: http://technet.microsoft.com/en- us/library/cc262787.aspx
  • 17. Fine Grained Permissions Trend: sensitive content sitting beside non-sensitive content Leads to customers exploring fine grained permissions Confidential Public Internal Recommendation  Use metadata to identify which data to protect  User attributes (claims) to determine who should have access  Implemented automated solution to manage fine-grained permissions
  • 18. Governance Challenges  Operational Management  Change Management  User training  Auditing and Monitoring  Document handling culture  Compliance Make End-Users Responsible & Accountable for Sensitive Information
  • 20. Responsibility vs Ignorance  How do you consistently enforce a culture of security awareness?  Workers upload, send, copy, print, etc. content  Employees are typically not aware of sensitive information or how to handle it  Consider applying standardized security labels – headers, footers and watermarks  Compliance laws dictate need for headers/footers and watermarks.  SharePoint‟s limited labeling capabilities are deprecated in SharePoint 2013!
  • 21. Raise Awareness Automatically apply standardized security labels to MS Office and PDFs Headers Footers Watermarks
  • 22. Promote Accountability Date & Time Stamp Date & Time Stamp Current User‟s Name Mark downloaded SharePoint documents with identifying information
  • 23. Web Application Policies User Permissions  Permissions available within permission levels at site collection level Permission Policies  Define groups of permissions (similar to permission levels)  Control if site collection admins have full control on any object in site col.  Only place with a “Deny” capability (default: deny write, deny all) User Policies  Assign permission policies to users and groups for the entire web app  Ex. Deny group from deleting items within an entire web app – applicable to public facing web app Blocked File Types  Prevent specific files types from being added to libraries within web app
  • 24. Anonymous Access Turn on or off for web application – only making available for sites  Central Admin> Manage Web Apps> Authentication Providers  Edit an Authentication Provider  Check on „Enable Anonymous Access‟ for that provider  Select “Anonymous Policy” for the web app  Select zone and policy for anonymous access
  • 25.  Site Owners must explicitly enable on each site (this is a good thing)  Site Settings> Site Permissions Anonymous Access
  • 26. Other Security Features  Information Rights Management  Event Auditing  Privileged Users
  • 27. Questions? Thank you! Email: [email protected] Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2 Antonio Maio Senior Product Manager, TITUS Microsoft SharePoint Server MVP
  • 29. Risk: Inadvertent exposure of internal data on a public web site  All form pages and _vti_bin web services are accessible - PUBLICLY  Modify the URL of a public facing SharePoint site: http://www.mypublicsite.com/SitePages/Home.aspx to http://www.mypublicsite.com/_layouts/viewlsts.aspx  View All Site Content page is now exposed, typically in SharePoint branding, with all site content visible  Desired behavior: User is presented with a login page, or an HTTP error  Accessible pages /_layouts/adminrecyclebin.aspx /_layouts/policy.axpx /_layouts/recyclebin.aspx /_layouts/bpcf.aspx /_layouts/policyconfig.asp /_layouts/wrkmng.aspx /_layouts/create.aspx /_layouts/policycts.aspx /_layouts/vsubwebs.aspx /_layouts/listfeed.aspx /_layouts/policylist.aspx /_layouts/pagesettings.aspx /_layouts/managefeatures.aspx /_layouts/mcontent.aspx /_layouts/settings.aspx /_layouts/mngsiteadmin.aspx /_layouts/sitemanager.aspx /_layouts/newsbweb.aspx /_layouts/mngsubwebs.aspx /_layouts/stor_man.aspx /_layouts/userdisp.aspx Anonymous Access and Exposure Risk
  • 30. Anonymous Access and Public Facing Sites Remove View Application Pages permission & Use Remote Interfaces permission from Limited Access permission level  Limited Access is what‟s used for anonymous users  Prevents anonymous users from accessing form pages To Do This… Turn on the “Lockdown” Feature  Remove all anonymous access from the site  Open command prompt and go to the folder C:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions14BIN  Check whether the feature is enabled or not (If ViewFormPagesLockDown is listed, it's enabled): get-spfeature -site http://url  If not listed then we must enable it using: stsadm -o activatefeature -url -filename ViewFormPagesLockDownfeature.xml  To disable it: stsadm -o deactivatefeature -url -filename ViewFormPagesLockDownfeature.xml  Reset anonymous access on the site Will result in users getting an Authentication Page when accessing these forms pages Available in MOSS2007, SharePoint 2010 and SharePoint 2013 On by default for Publishing Portal Site Template – for other site templates must turn it on manually
  • 31. To prevent access to _layouts pages and web services we must also modify web.config to include: <location path="_layouts/error.aspx"> <system.web> <authorization> <allow users="?" /> </authorization> </system.web> </location> <location path="_layouts/accessdenied.aspx"> <system.web> <authorization> <allow users="?" /> </authorization> </system.web> </location> <add path="configuration"> <location path="_layouts"> <system.web> <authorization> <deny users="?" /> </authorization> </system.web> </location> <location path="_vti_bin"> <system.web> <authorization> <deny users="?" /> </authorization> </system.web> </location> <location path="_layouts/login.aspx"> <system.web> <authorization> <allow users="?" /> </authorization> </system.web> </location> Anonymous Access and Public Facing Sites

Editor's Notes

  • #8: least privileged accounts means that an account is given only the permissions it requires to perform very specific tasks and nothing moreMinimize risk of compromised accountsMinimize risk of information leaks
  • #9: SQL Server Service Account - it’s possible in some cases to use a local or system account but the best practice is that this needs to be a user account in Active Directory (AD) domain, secured in accordance with your IT security policiesSetup User Account - a domain user account; add it to the local Administrators group of each SharePoint server in the farm. It should not have any special rights or privileges on the SQL Server system as long as SQL server is separate from the SharePoint servers. If SQL Server is on a dedicated system or VM, the Setup User Account should not have any administrative accesson that system. When running SharePoint setup and configuration as the setup user account, this process will use your credentials to create databases and to create SQL logins for SharePoint accounts. So before starting to set up SharePoint, assign the setup user account the securityadmin and dbcreator server roles in SQL Server. Those are the privileges that are leveraged during SharePoint setup and configuration.SP Farm Account – this is the service account that is all-powerful within SharePoint. When you specify this account in the Configuration Wizard, the wizard uses the credentials you’re logged on as (the setup user account) to give the Farm account ownership of the Config database. It also configures several SharePoint services, including the timer service, to use Farm account as their identity. The Farm account is also used as the identity for the Central Administration website.Do not use personal admin accountThe setup user account becomes the “owner” of the SharePoint farm – Farm admin becomes dbowner of the SharePoint Config database. There’s many places where the account and its email address get integrated into the farm. Use a dedicated account for setup user so that the farm isn’t owned by your account that has privileges on other systems. That way, when your role within the organization changes your user account won’t be left owning the SharePoint farm.Configure central email account for all managed service accounts – not your email addressThe setup user account (and other service accounts) should have email addresses that reflect that they are part of the SharePoint infrastructure, not “you.”  For example, assign all accounts the address “[email protected]” as the email address in Active Directory. That way, all notifications related to SharePoint go to a single email inbox, which is not yours, that can be monitored by a SharePoint team (and not only you).
  • #10: Each web application can have different methods of authentication enabled… and multipleSharePoint 2013 – Forms Based Auth is still available, through Claims
  • #11: Permissions relate to a process called “Authorization”Authorization is different from AuthenticationAuthorization is the process of determining what content is a user permitted to access and which actions are they permitted to perform
  • #20: That kiss is a bit TOO passionate for a brother and sister…. If they only knew!In Iceland there is an App – hugely popular – that lets you know if the person you are asking on a date is related to you! Information = better decisions.
  • #21: Workers want to work from home and collaborate. But they could be far too free with what they are sending, how they are sending.What do you have that can add watermarks easily and consistently to all documents? Manually applying them is not the answer. SharePoint used to be able to on WORD documents, but not in 2013
  • #22: Talk this up – find some good use cases