You probably remember me from movies such as:
- Boys with Lasers
- Microphone Assassin
- My Pet Dinosaur
The cast
- This refers to the different players I will be talking about that touch security at some level in SharePoint
The good
- This will be about the good things that are associated with the “cast” members
- This section will point out several best practices
The bad
- This will deal with the negatives that may be associated with the cast members
- This section will point out bad practices
The ugly
- I am not kidding, there is ugly
Building security schemas
Final thoughts
Q&A: Self-explanatory
Speaking about security and SharePoint can be interesting. You can very easily be sucked into doing a session on how to do security vs. best practices surrounding security. You can find how-tos all over the internet when you Bing it. This session is going to be mainly theoretical thought around SharePoint security; however, there will be some demos to show exactly what I am speaking about, so you can understand it visually as well.
Where there are best practices, there are not-so-great practices as well. We certainly want to look at these too, and the why behind them.
Hopefully you will gain the Insight to go back to your environments to plan a solid security schema to achieve your goals using best practice techniques and methods.
Read as an introduction
AD plays the Cheshire cat. It's everywhere and nowhere at the same time
- Most companies (should/think) they already have well-defined security groups in their environment. (expound)
- AD is not changeable by the masses; it's in a tightly controlled environment (expound)
- AD groups can give many people sweeping permissions in very little time (expound)
SharePoint Security Groups get up and go… fast. As the white rabbit.
- High turnover rates in large project sites, specialty or novelty groups for fluff sites (expound)
- Large corporations have to be more mobile, lean and trim; at times (almost always) the IT team has its hands full. That being said, they will need to weigh which is better (expound)
- Can be created easily with side benefits, one being the ability to tie in a custom permission set (foreshadow student example); when SharePoint is tied to AD, creating distribution lists is a nice plus
- IT can push the ownership responsibility to power users and still have AD safe
Out of box permission sets have very clear lines of permissions with appreciable increases of responsibilities
Speak briefly on the ability to create custom permission sets
Use the student example (no delete)
It is rare that there is more than one resource in a company dedicated to just the AD. The larger the company, the more exaggerated it can be (expound)
SharePoint is a window to your AD environment; when you run the import… is your AD maintained as well as you think? (expound)
Is it a security group? Or a distribution list?
The entire environment could potentially get out of hand. (expound)
- Multiple groups due to lack of understanding by end users
- Groups falling into disrepair because of employee turnover/moves
- With end users introducing new groups to the environment, this could counter the desired effects of the main security schema
- If your farm is email enabled to accept incoming email, your GAL could potentially get out of control
Just because you can do something doesn’t always mean it’s a good idea. The more permission levels, the harder it will be to decipher the security schema
Use the white board to help visualize this
Note: There will be exceptions to the rule
Story time
- When there is no beginning for security, the end can't be good
- Expound upon why security will deteriorate over time
- 3rd party tools can combat this problem
Do you know your data? What you are going to put into your farm is going to have a massive impact. Governance anyone?
Best practice: use multiple site collections.
- Less likely to break inheritance
- Lose the massive DB
- Able to get rid of ambiguous sites. "It's our department site, kinda sorta"
- Different kinds: portal, department, team, community and project
Most are not aware of this ability
Speak on this at a high level to let them know it's available to them
Going the way of the DODO!
For an intranet, if you have AD as your LDAP, it is a mixture of common sense/best practice to use AD (expound)
Extranet/Internet:
- AD: introduction of an extranet AD to keep the primary domain safe
- Forms-based works, but takes development time
- ADFS takes some configuring, lose functionality
- Anonymous… well.
AD RMS: Give a high-level overview of what it can do.
Make sure you show them about Limited Access
*Self note* Learn from the questions
SharePoint Security: Through the Looking Glass
David J Pileggi Jr.
AD Rights Management Services:
David J Pileggi Jr.
Consultant at Insight