Microsoft SharePoint provides features and capabilities enabling you to secure access, control authentication and authorize access to information. Choosing the capabilities to make use of, configuring them and understanding their impact can be a complex tax. In this session you will learn about the key security features available in Microsoft SharePoint 2013 and the best practices for using them. The sessions begin by talking about the business reasons that organizations need to consider when security their SharePoint content, and it will then review specific capabilities and options in detail with recommendations. We’ll also review various governance best practices and how they relate to SharePoint security capabilities. Throughout the session, you’ll hear examples from large commercial enterprise, government and military and about the best practices they use to secure their content within SharePoint.

1. Best Practices for
Security and Governance
in SharePoint 2013
Antonio Maio
Protiviti, Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP
Email: Antonio.maio@protiviti.com
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: 0
@AntonioMaio2

2. Welcome to Houston TechFest
Thank you for being a part of the
8th Annual Houston TechFest!
• Please turn off all electronic devices or set them to vibrate.
• If you must take a phone call, please do so in the lobby so as not
to disturb others.
• Thanks to our Diamond Sponsors:
1

3. 2

4. What Drives our Information Security Needs?
• Information Security comes down to 2 or 3 drivers
4
• Protecting Your Investments
(intellectual property, digital assets, competitive advantage…)
• Reducing Your Liability
(avoid compliance violations, fines/sanctions, reputation issues…)
• Public Safety or Mission Success
(protect classified information, mission plans, reputation issues…)
• Public Health
(health records, health insurance, insurance fraud/theft…)

5. What Drives our Information Security Needs?
• How does this affect us as SharePoint people?
• How We Deploy SharePoint
• Control Access
• Assign Roles and Permissions
• Establish Repeatable/Predictable Process
• Regulatory Compliance Standards
• Auditing & Reporting Obligations
5

6. SharePoint Deployment
• Plan your Deployments and Necessary User Accounts
• Use Least Privileged Accounts
• Review SharePoint deployment guide before you install
• SharePoint is a web application built on top of SQL Server
– Best practice: to use specific user accounts for specific purposes with least
6
privileges
• Benefits: Separation of Concerns
– Targeted auditing of account usage
– Multiple points of redundancy
– Minimize the risk of compromised accounts

7. Deployment User Accounts
• Use 3 Different Deployment Accounts (at minimum)
SQL Server Service Account Setup User Account SharePoint Farm Account
7
Assign to MSSQLSERVER and
SQLSERVERAGENT services when
installing SQL Server
(ex. domainSQL_service)
Used to install SharePoint, run
Product Config Wizard, install
patches/update
Used to run the SharePoint farm;
not just for database access (ex.
domainsp_farm_user)
No special domain permissions -
given required rights in SQL Server
during SQL setup
Login with this when running setup
(ex. domainsp_setup_user)
After Product Config Wizard run,
prompted to provide the Database
Access Account – this is the all
powerful farm account
Must be local admin on each server
in SharePoint farm (except SQL
Server if its different box)
Given ownership of Config
database - also configures several
SharePoint services (ex. timer
service) to use this as its identity
Before starting SharePoint setup,
assign the securityadmin and
dbcreator roles in SQL

8. Deployment User Accounts
• At least 3 Different Deployment Accounts
SQL Server Service Account Setup User Account SharePoint Farm Account
• Should all be AD domain accounts
• Do not use personal admin account, especially for Setup User Account
• Test and Production environments should have different accounts
• Configure central email account for all managed accounts
8

9. Authentication
• Determine that users are who they say they are – typically via login
9
• SharePoint 2010 Options
• Classic Mode Authentication (Integrated Auth, NTLM, Kerberos)
• Claims Based Authentication
• Forms Based Authentication - through Claims Based Auth.
– UI configuration options only available in UI upon web app creation
– To convert non-claims based web app to claims will require PowerShell
• SharePoint 2013 Options
• Claims Based Authentication - default
• Classic Mode Deprecated - Configuration UI has been removed
(Only configurable through PowerShell)

10. Authorization
• Determine if users have access to specific information
objects and which level of access are they granted
• Accomplished through Permissions in SharePoint
• Allow you to secure any information object or container
• Apply to items, documents, folders, lists, libraries, sites
• Do not apply to individual column field values, social fields
• Assigning Permissions Includes
• The information object or container in question
• The user, group or claim that is granted access
• The permission level we are granting as part of that access
10

11. Permission Examples
11
Users, Groups or Claims
• Finance AD Group has Full Control on Library A
• ProjectContractors SP Group has Read access on site B
• John.Smith AD user has Contribute access on Document C
• ‘SecurityClearance=Secret’ has Full Control access on Document X
• ‘EmploymentStatus=FTE’ has Contribute access on Site Z
User, Group, or Claim
(also called a ‘Principle’)
Permission Level
(collection of permissions)
Information Object
(item or container)

12. Users Interacting with Permissions
12

13. Users Interacting with Permissions
13

14. Users Interacting with Permissions
14

15. Users Interacting with Permissions
15

16. Inherited Permission Model
16
• Hierarchical permission model
• Permissions are inherited from
level above
• Can break inheritance and apply
unique permissions
• Manual process
• Permissive Model
SharePoint Farm
Web Application
Site Collection Site Collection
Site Site
Site
Library List
Document
Web Application
Item
Document
Document
Item
Demo Members SharePoint Group Edit
Demo Owners SharePoint Group Full Control
Demo Visitors SharePoint Group Read
Finance Team Domain Group Edit
Senior Mgmt Domain Group Full Control
Research Team Domain Group Full Control
Senior Mgmt Domain Group Full Control
Research Team Domain Group Full Control
Senior Mgmt Domain Group Full Control
Antonio.Maio Domain User Full Control

17. Permissions and Security Scopes
17
• Every time permission
inheritance is broken a new
security scope is created
• Security Scope is made of up
principles:
• Domain users/groups
• SharePoint users/groups
• Claims
• Be aware of “Limited Access”
• Limitations
• Security Scopes (50K per list)
• Size of Scope (5K per scope)
Microsoft SharePoint Boundaries and Limits:
http://technet.microsoft.com/en-us/library/cc262787.aspx

18. Information Architecture and Metadata
• Information Architecture – The structural design of your
information sharing environment
• Organization and Storage
• Identification
• Retention
• Business sensitivity and confidentiality
• Metadata can provide important insight into what type of
information you have in SharePoint
• Recommended: Use Metadata to Classify information and
Identify its Sensitivity
18

19. Standardized Metadata
19

20. Standardized Metadata
• Implement Standardized Metadata Fields across sites, libraries, lists
• Library or List Level
• Site Column Level
• Managed Metadata Service (across Site Collection or Farm)
• Ensure users are adding metadata when adding/editing information
20
(mandatory fields)
• Be aware of situations where SharePoint doesn’t request
metadata (multi-file upload, explorer view)
• Keep it Simple: Limit sensitivity classification to 3 or 4 labels
– Public, Confidential, Restricted, Highly Restricted
– Low Business Impact, Moderate Business Impact, High Business Impact
– Unclassified, Confidential, Secret, Top Secret
• Educate, Educate, Educate: What does each label mean/impact?

21. Information Governance
Governance means setting out the structures, people,
policies, procedures and controls to manage information
and support an organization's immediate and future
requirements for that information:
21
• Regulatory Compliance
• Legal
• Risk
• Administrative
• Environmental
• Operational

22. Information Governance
Ignorance is not always bliss… it’s problematic!
22

23. Governance and SharePoint
• SharePoint as a platform which offers services to your
23
organization’s users
• Governance for the SharePoint platform means:
• Managing existing services in a predictable way
• Understanding how to deploy new services in a predictable way
• Providing a clear set of guidelines for usage and administration
• Achieve Strong Governance for SharePoint:
1. Establish a Governance Team
• Include stakeholders from across the organization
2. Develop a Governance Plan
• Cross functional - Identifies ownership for business and technical
teams
• Regulatory, risk, legal, admin, environmental, organizational Needs

24. Developing a SharePoint Governance Plan
Key Areas to Focus
Define Information
Architecture/Structures
(Includes Metadata Taxonomy)
24
Confidential
Define Security Controls/Groups,
Permissions and Roles for Assigning
Permissions
Define Roles, Responsibilities,
Who has authority?
Determine Training Needs;
Plan to Educate User
Community
Define Rules for Site Creation,
Management, Decommissioning

25. Conclusion
• Develop a SharePoint Governance Plan with Key Stakeholders
• Ignorance is not bliss… it’s problematic!
• Understand the type of information you have
• Develop an information architecture
• Understand the risks to that information: accidental, insider and external threats
• Use Metadata to identify sensitivity
• Educate end users on significance of sensitivities – make them part of the solution
• Deploying SharePoint with Appropriate Least Privileged Accounts
• Determine your Authentication and Authorization Needs
• Understand how permissions work
• Plan for how permissions are given and managed
• Understand SharePoint Security Features
• Others: Web App Policies, Anonymous Users, Information Rights Management, Privileged
25
Users , Event Auditing

26. Please Leave Feedback During Q&A
26
If you leave session
feedback and provide
contact information in
the survey, you will be
qualified for a prize
Scan the QR Code to
the right or go to
http://bit.ly/1p13f3n

27. Thanks to all our Sponsors!
27