SharePoint Security A to Z

The session will address the different ways users can be authenticated in SharePoint: Active Directory, forms-based authentication, claims-based authentication, and anonymous access. I'll discuss when to implement each method and what the best practices are for applying and managing permissions, and when to use related features such as web application policies, extending web applications, and laying out a decentralized security model.
 
To abide by these best practices, I'll discuss how the farm's taxonomy may need to be restructured. This is where administrators need to develop and enforce a governance plan around the farm's taxonomy. Thinking about where lists, items, and groups need to be in a SharePoint farm will ensure the right eyes are seeing the right content, and nothing more.
 
The goal of the session is to ensure SharePoint content is secure and permissions do not get out of control. I'll take a deep dive into what is available out of the box and what you can customize. Finally, I'll also demonstrate how to use SharePoint's auditing functionality to track who is changing permissions. The audit reports will be used to confirm that the admins changing permissions are taking the correct action. When administrators know all their options around security, internal governance plans can be developed to safeguard their farm's content.

  • Currently, is SharePoint a document repository? Is it critical to day-to-day business? Just internal users? Are there ways you can expand the use of SharePoint to offer more benefits to your organization? To partners? To the outside world?
  • Things change
  • Kerberos: less traffic between servers, clients, and domain controllers. It uses tickets, so the web server does not have to go back to a domain controller to validate each request the way NTLM does. Much more planning is needed. Anonymous: instead of anonymous access, grant the All Authenticated Users group; that way actions can be traced to users.
  • Active Directory Domain Services (AD DS) stores directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches. An Active Directory domain controller is a server that is running AD DS. Used for many things in your organization besides SharePoint. The potential for SharePoint to be used and accessed by people outside your organization… 2010 makes it easier!
  • Organizations don't want external user accounts within their internal domains, so forms-based authentication is used.
  • Less user management
  • Seeing more and more login pages with “use facebook or twitter to log in”
  • We’re going to be talking mostly about securing intranet content- not an extranet
  • Who has one? Not a checklist…it’s constantly changing every day and needs to be managed in the long term
  • Who do you trust to manage all the different parts of your SharePoint farm?
  • Break the inheritance and customize the Read permission level for a subsite to define what “read” really means to your organization
  • Still hard to manage at lower levels
  • More work! Harder to manage!
  • They're designed to make your life easier… I swear!
  • If you restore inherited permissions, the child object will inherit its users, groups, and permission levels from the parent again, and you will lose any users, groups, or permission levels that were unique to the child object.

1. SharePoint Security A-Z: Who Has Access to What? Steve Goldberg, Axceler, steve.goldberg@axceler.com, @iamgoldberg

2. About Me
Steve Goldberg, Sales Engineer at Axceler
• Software Engineer at Axceler for ControlPoint, a SharePoint administration product
• Prior to Axceler, was a consultant at Computer Sciences Corporation (CSC), specializing in SharePoint development
• Current role: talk to 30-40 people weekly about how to govern SharePoint; managing permissions is the #1 issue administrators face; manage and clean up
• Twitter: @iamgoldberg  Blog: iamgoldberg.com  Email: steve.goldberg@axceler.com
Slide footer: Email cbuck@axceler.com | Cell 425.246.2823 | Twitter @buckleyplanet | Blog http://buckleyplanet.com

3. Axceler Overview: Improving Collaboration Since 2007
• Mission: to enable enterprises to simplify, optimize, and secure their collaborative platforms
• Delivered award-winning administration and migration software since 1994
• Over 2,500 global customers
Dramatically improve the management of SharePoint
• Innovative products that improve security, scalability, reliability, "deployability"
• Making IT more effective and efficient and lowering the total cost of ownership
Focus on solving specific SharePoint problems (administration and migration)
• Coach enterprises on SharePoint best practices
• Give administrators the most innovative tools available
• Anticipate customers' needs
• Deliver best-of-breed offerings
• Stay in lock step with SharePoint development and market trends

4. Always Ask Yourself…
• How is your organization using SharePoint?
• Is there content in your SharePoint environment that needs to be secured?
• Who needs to have access to SharePoint?
• Are there ways you can expand the use of SharePoint to offer more benefits to your organization?
6/4/2012

5. (no text on slide)

6. Authentication Methods: a SharePoint environment must support user accounts that can be authenticated by a trusted authority. How do you authenticate your users?
7. Windows Authentication
• NTLM: users are authenticated with the credentials on the running thread (the logged-on Windows identity the browser presents). Simple to implement. Appropriate when SharePoint does not need to pass the user's credentials on to other applications.
• Kerberos: use it when your SharePoint sites consume external data and credentials must be passed from one server to another (the "double hop"). Faster, more secure, and can be less error prone than NTLM, but it needs service principal names and delegation configured up front.
• Anonymous access: no authentication needed to browse the site.

8. Active Directory Domain Services (AD DS): authentication based on a user account and password from AD. This works well for Windows environments. Do you need to support Internet, partner, or cloud-based computing models?

9. Forms-based Authentication: used mostly for extranets. Credentials are stored in:
• a Lightweight Directory Access Protocol (LDAP) data store (Novell, Sun)
• AD DS
• SQL or another database
• custom or third-party membership and role providers
In SharePoint 2010, forms-based authentication is only available when the web application uses claims-based authentication.

10. Claims-Based Authentication (SharePoint 2010): usually for external customers or partners. An outside identity provider authenticates the user and issues a signed token. A claim is a piece of information about the user asserted by that provider (name, email, age, hire date, group membership, etc.). SharePoint trusts the provider's token rather than checking a password itself, and makes its access decisions on the claims the token carries.

11. So Much Potential… Integration with Facebook, Google, Live ID, etc.
1. "I'd like to access the Axceler Microsoft technology partners site."
2. "Not until you can prove to me that you are in the Axceler Microsoft technology partners group."
3. "Here is my Live ID and password." (said to the identity provider, not to SharePoint)
4. "Hi, Steve. I see you are in the Axceler Microsoft technology partners group. Here is a token you can use."
5. "I'd like to access the Axceler Microsoft technology partner document, and here's proof I have access to it!" (the token is presented to SharePoint, which trusts the provider that signed it)

12. SharePoint Authentication: defined at the web application level, per zone.

13. Who Needs to Access SharePoint? Claims-based authentication mode lets a web application use any supported authentication method (Windows, forms-based, or a trusted SAML token provider). In classic mode only Windows authentication is supported.
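The authentication picture across slides 7 to 13 (and the Basic authentication and zones material in the "What I left out" slides) can be read straight from the object model rather than clicking through Central Administration. The following PowerShell is an added example, not part of the original deck: it runs in the SharePoint 2010 Management Shell on a farm server under an account with farm-admin rights and shell access, walks every web application and zone, and reports classic versus claims mode, the providers enabled, NTLM versus Kerberos, anonymous access, and whether Basic authentication is enabled on a zone that has no https binding.

```powershell
# Added example (not from the original deck). Requires the SharePoint 2010
# Management Shell on a farm server; the account needs farm-admin rights and
# SharePoint_Shell_Access on the configuration database.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPZoneAuthenticationReport {
    foreach ($webApp in Get-SPWebApplication) {
        foreach ($zone in $webApp.IisSettings.Keys) {
            $iis = $webApp.IisSettings[$zone]

            # Classic mode can only do Windows authentication. Claims mode can
            # enable Windows, forms-based and trusted (SAML) providers together
            # on one zone, which is why zones matter less for authentication in 2010.
            if ($webApp.UseClaimsAuthentication) {
                $providers = @($iis.ClaimsAuthenticationProviders |
                    ForEach-Object { $_.DisplayName }) -join '; '
                $windowsEnabled = $iis.UseWindowsClaimsAuthenticationProvider
            } else {
                $providers = 'Windows (classic mode)'
                $windowsEnabled = $true
            }

            # DisableKerberos = $true means the zone offers NTLM only.
            if (-not $windowsEnabled)     { $windowsAuth = 'n/a' }
            elseif ($iis.DisableKerberos) { $windowsAuth = 'NTLM' }
            else                          { $windowsAuth = 'Kerberos (Negotiate)' }

            # Basic auth sends the password base64-encoded on every request, so
            # it is only acceptable when the zone has an https (secure) binding.
            $basicOverHttp = $iis.UseBasicAuthentication -and ($iis.SecureBindings.Count -eq 0)

            New-Object PSObject -Property @{
                WebApplication = $webApp.DisplayName
                Zone           = $zone.ToString()
                Url            = $webApp.GetResponseUri($zone).AbsoluteUri
                ClaimsMode     = $webApp.UseClaimsAuthentication
                Providers      = $providers
                WindowsAuth    = $windowsAuth
                Anonymous      = $iis.AllowAnonymous
                BasicOverHttp  = $basicOverHttp
            } | Select-Object WebApplication, Zone, Url, ClaimsMode, Providers, WindowsAuth, Anonymous, BasicOverHttp
        }
    }
}

# Usage: list every zone, then call out the ones that deserve a second look.
$report = Get-SPZoneAuthenticationReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.Anonymous -or $_.BasicOverHttp } | ForEach-Object {
    Write-Warning ("{0} [{1}]: anonymous={2} basicOverHttp={3}" -f `
        $_.WebApplication, $_.Zone, $_.Anonymous, $_.BasicOverHttp)
}
```

Anonymous access is reported at the zone level only; whether anonymous users can actually see anything is still decided per site collection and list, which is why the speaker note recommends granting All Authenticated Users instead so that actions remain traceable to a user.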
14. Now That We've Authenticated Our Users… Is permission management part of your governance plan?

15. Governance is about taking action to help your organization organize, optimize, and manage your systems and resources.

16. What do your permissions look like in SharePoint?

17. (no text on slide)

18. How did that happen? No plan. The business grows and evolves. People and projects turn over.

19. Securable Objects: what can we secure? Site; library or list; folder; document or item.

20. Structure/Architecture (diagram): Farm → Web Application → Site Collection → Site → Sub-site, with several web applications per farm, several site collections per web application, and several sites and sub-sites per site collection.

21. Plan! How granular do you need to control access to content? Who manages all the different parts of your SharePoint farm? How do you want to manage your users?

22. Farm Administrators Group: assigned in Central Admin; has permission to all servers and settings in the farm: Central Administration access, creating new web applications, managing services, stsadm/PowerShell commands. Farm administrators can take ownership of any content by making themselves Site Collection Administrators.

23. Web Application Policies: a quick way to apply permissions across an entire web application (every site collection in it). Users can be explicitly denied access. Set in Central Admin. A policy overrides whatever is granted or withheld inside the sites.

24. Site Collection Administrators: given full control over all sites in a site collection. Access to settings pages: manage users, restore items, manage the site hierarchy. Cannot access Central Admin.
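Slides 22 to 24 describe three places where access is granted above the site permissions most administrators look at. The PowerShell below is an added example, not part of the original deck, for the SharePoint 2010 Management Shell under a farm-admin account with shell access: it lists the Farm Administrators group (a SharePoint group on the Central Administration site), every web application user policy including zone-specific and Deny policies, and every site collection administrator, as one report you can export and review.

```powershell
# Added example (not from the original deck): enumerate the principals that
# can override or take over site permissions. SharePoint 2010 Management Shell,
# farm-admin account with shell access.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-PrincipalRecord($scope, $object, $principal, $rights, $isGroup) {
    New-Object PSObject -Property @{
        Scope = $scope; Object = $object; Principal = $principal
        Rights = $rights; IsDomainGroup = $isGroup
    } | Select-Object Scope, Object, Principal, Rights, IsDomainGroup
}

function Get-SPPrivilegedPrincipalReport {
    # 1. Farm Administrators is a SharePoint group on the Central Administration site.
    $caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
        Where-Object { $_.IsAdministrationWebApplication }
    $caSite = $caWebApp.Sites[0]
    try {
        foreach ($u in $caSite.RootWeb.SiteGroups['Farm Administrators'].Users) {
            New-PrincipalRecord 'Farm' $caWebApp.DisplayName $u.LoginName 'Farm Administrator' $u.IsDomainGroup
        }
    } finally { $caSite.Dispose() }

    foreach ($webApp in Get-SPWebApplication) {
        # 2. Web application user policies apply to every site collection in the
        #    web application and override anything set inside the sites. Deny
        #    policies are the only way to explicitly refuse access in SharePoint.
        foreach ($policy in $webApp.Policies) {
            $rights = @($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
            New-PrincipalRecord 'WebApp policy (all zones)' $webApp.DisplayName $policy.UserName $rights $null
        }
        foreach ($zone in $webApp.IisSettings.Keys) {
            foreach ($policy in $webApp.ZonePolicies($zone)) {
                $rights = @($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
                New-PrincipalRecord "WebApp policy ($zone)" $webApp.DisplayName $policy.UserName $rights $null
            }
        }
        # 3. Site collection administrators have Full Control over every site in
        #    the collection regardless of SharePoint group membership.
        foreach ($site in $webApp.Sites) {
            try {
                foreach ($u in $site.RootWeb.SiteAdministrators) {
                    New-PrincipalRecord 'Site collection admin' $site.Url $u.LoginName 'Full Control' $u.IsDomainGroup
                }
            } finally { $site.Dispose() }
        }
    }
}

# Usage: keep the full list for the governance review, and surface Deny
# policies and AD groups (whose membership SharePoint cannot show you) first.
# The output path is a placeholder.
$report = Get-SPPrivilegedPrincipalReport
$report | Export-Csv -NoTypeInformation -Path 'C:\Reports\sp-privileged-principals.csv'
$report | Where-Object { $_.Rights -match 'Deny' -or $_.IsDomainGroup } | Format-Table -AutoSize
```

Any account that appears in the first section, or with Full Control or Full Read in the second, effectively has the rights of a site collection administrator everywhere in that web application, whatever the site owners think they have configured.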
25. Your Content (diagram): Site Collection → Sites → Sub-sites → Lists/Libraries.

26. Permission Levels: collections of individual permissions that allow users to perform a set of related tasks. Permission levels are defined at the site collection level.

27. SharePoint Groups: a group of users defined at the site collection level for easy management of permissions. The default SharePoint groups are Owners, Visitors, and Members, with Full Control, Read, and Contribute as their default permission levels respectively. Anyone with Full Control permission can create custom groups.

28. Customizing Permission Levels: the default permission levels are Full Control, Design, Contribute, Read, and Limited Access. What does "Read" mean to your organization?

29. The Basics: Permissions. Permissions are applied on objects:
1. directly to users
2. directly to domain (AD) groups (visibility warning: SharePoint does not show you who is in an AD group, so from SharePoint alone you cannot see who actually has access)
3. to SharePoint groups

30. Check Permissions Button: SharePoint 2010 lets administrators run Check Permissions on a site, list, or item to see what permissions a user or group has there, and through which group or direct assignment they were granted.
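Check Permissions answers "what can this user do here?" for one object at a time. The PowerShell below is an added example, not part of the original deck, for the SharePoint 2010 Management Shell under a farm-admin account with shell access: it uses the same object-model call the button uses (GetUserEffectivePermissionInfo) but walks a whole site collection and reports, for the root site and for every site and list with its own permissions, which assignments give the user rights and whether each came directly, through an AD group, or through a SharePoint group. The site URL and login are placeholders.

```powershell
# Added example (not from the original deck): Check Permissions for one user
# across every site and uniquely permissioned list in a site collection.
# SharePoint 2010 Management Shell, farm-admin account with shell access.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPEffectivePermissionRecord($object, $url, $kind, $login) {
    # GetUserEffectivePermissionInfo is what the Check Permissions button uses:
    # it returns the role assignments through which the user gets rights,
    # including those granted via SharePoint groups and via AD groups.
    $info = $object.GetUserEffectivePermissionInfo($login)
    foreach ($ra in $info.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
        $member = $ra.Member
        # How the right was granted: a SharePoint group, an AD group (whose
        # membership SharePoint cannot show you), or a direct user assignment.
        if ($member -is [Microsoft.SharePoint.SPGroup]) { $via = 'SharePoint group' }
        elseif ($member.IsDomainGroup)                  { $via = 'AD group (members not visible in SharePoint)' }
        else                                            { $via = 'direct user assignment' }
        New-Object PSObject -Property @{
            Kind = $kind; Url = $url; GrantedTo = $member.Name; Via = $via; Levels = $levels
        } | Select-Object Kind, Url, GrantedTo, Via, Levels
    }
}

function Get-SPUserPermissionReport {
    param([string]$SiteUrl, [string]$LoginName)
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # The root web always has its own assignments; sub-sites only
                # add information when they have broken inheritance.
                if ($web.HasUniqueRoleAssignments) {
                    Get-SPEffectivePermissionRecord $web $web.Url 'Web' $LoginName
                }
                foreach ($list in $web.Lists) {
                    if ($list.HasUniqueRoleAssignments) {
                        Get-SPEffectivePermissionRecord $list ($web.Url + '/' + $list.RootFolder.Url) 'List' $LoginName
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Usage. In a claims-mode web application the login is the encoded claim
# (i:0#.w|CONTOSO\jdoe); in classic mode it is CONTOSO\jdoe. Both, and the
# URL, are placeholders.
Get-SPUserPermissionReport -SiteUrl 'http://intranet.contoso.com' -LoginName 'i:0#.w|CONTOSO\jdoe' |
    Format-Table -AutoSize
```

Rows whose Via column reads "direct user assignment" are the ones the "Stick to the Plan" slide warns about: they have to be found and edited one object at a time when the person changes role, whereas group-based grants are fixed in one place.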
31. Inheritance: if all sites and site content inherit the permissions defined at the site collection, what's so hard about managing permissions when they are defined so high in the hierarchy?

32. Fine Grained Permissions: sites, lists, libraries, folders, documents and items can all have unique security (broken inheritance).

33. What Exactly is Happening? Breaking inheritance copies the groups, users, and permission levels assigned on the parent object to the child object. After that, changes to the parent object do not affect the child.

34. Limited Access: automatically applied to every securable object above a uniquely permissioned item, so that the user can open the parent site and list to reach the item. It is not directly "applied" and cannot be assigned by an administrator.

35. Permissions Management Becomes Impossible: "If you use fine-grained permissions extensively, you will spend more time managing the permissions, and users will experience slower performance when they try to access site content" (Planning site permissions, TechNet, http://bit.ly/InKv9i). Permission management (additions, deletions, edits) is done one securable object at a time!

36. Performance is Affected too! Performance is reduced once 1,000 objects have broken inheritance (unique security scopes) in a list or library. Sites, lists, and libraries need to build security-trimmed navigation, and list load time increases. If you must break inheritance inside a list, apply the unique permissions to folders rather than to individual items.
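Slides 32 to 36 describe a condition (many unique security scopes in one list) that is invisible from the browser until performance degrades. The PowerShell below is an added example, not part of the original deck, for the SharePoint 2010 Management Shell under a farm-admin account with shell access: it walks a site collection, records every web, list, folder and item with broken inheritance together with who holds rights there, counts the unique scopes per list, and warns when a list passes the threshold the slide cites (1,000 by default; the parameter is an assumption you can change). The URL is a placeholder.

```powershell
# Added example (not from the original deck): inventory broken inheritance
# across a site collection and count unique security scopes per list.
# SharePoint 2010 Management Shell, farm-admin account with shell access.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-ScopeRecord($kind, $url, $principals) {
    New-Object PSObject -Property @{ Kind = $kind; Url = $url; Principals = $principals } |
        Select-Object Kind, Url, Principals
}

function Get-PrincipalSummary($securable) {
    # "Limited Access" showing up on a parent is not something anyone assigned:
    # SharePoint adds it so users can traverse to a child with unique permissions.
    @($securable.RoleAssignments | ForEach-Object {
        $levels = @($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join '/'
        "{0} [{1}]" -f $_.Member.Name, $levels
    }) -join '; '
}

function Get-SPUniqueScopeInventory {
    param([string]$SiteUrl, [int]$Threshold = 1000)
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) { New-ScopeRecord 'Web' $web.Url (Get-PrincipalSummary $web) }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    $listUrl = $web.Url + '/' + $list.RootFolder.Url
                    $scopes = 0
                    if ($list.HasUniqueRoleAssignments) {
                        $scopes++
                        New-ScopeRecord 'List' $listUrl (Get-PrincipalSummary $list)
                    }
                    # Scope='RecursiveAll' returns folders and items at every depth;
                    # paging keeps each query under the list view threshold.
                    $query = New-Object Microsoft.SharePoint.SPQuery
                    $query.ViewAttributes = "Scope='RecursiveAll'"
                    $query.ViewFields = '<FieldRef Name="ID" /><FieldRef Name="FileRef" />'
                    $query.RowLimit = 2000
                    do {
                        $items = $list.GetItems($query)
                        foreach ($item in $items) {
                            if ($item.HasUniqueRoleAssignments) {
                                $scopes++
                                $kind = if ($item.FileSystemObjectType -eq 'Folder') { 'Folder' } else { 'Item' }
                                New-ScopeRecord $kind ($web.Url + '/' + $item.Url) (Get-PrincipalSummary $item)
                            }
                        }
                        $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
                    } while ($query.ListItemCollectionPosition -ne $null)

                    if ($scopes -gt $Threshold) {
                        Write-Warning ("{0}: {1} unique scopes (threshold {2}); secure folders instead of items" -f `
                            $listUrl, $scopes, $Threshold)
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Usage (placeholder URL). Group the output by Kind to see whether the sprawl
# is at the item level, where the slide says it hurts most.
Get-SPUniqueScopeInventory -SiteUrl 'http://intranet.contoso.com' |
    Group-Object Kind | Select-Object Name, Count
```

Checking HasUniqueRoleAssignments on every item is itself a per-item call, so run this off-hours on large libraries; the result is still far cheaper than letting users find the threshold for you.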
37. Orphaned Domain Users: deleted and disabled Active Directory users are not updated in SharePoint. They remain in permissions, user profiles, and My Sites.
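Because SharePoint keeps its own copy of each user, the only way to know which of them no longer correspond to a live account is to ask the directory. The PowerShell below is an added example, not part of the original deck, for the SharePoint 2010 Management Shell under a farm-admin account with shell access; it assumes a single AD domain reachable from the farm server, compares every Windows user known to a site collection against AD, and reports the ones that are deleted or disabled along with the SharePoint groups they still sit in. The URL is a placeholder.

```powershell
# Added example (not from the original deck): find SharePoint users whose AD
# account has been deleted or disabled. Assumes one AD domain reachable from
# the farm server. SharePoint 2010 Management Shell, farm-admin with shell access.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-SPOrphanedDomainUsers {
    param([string]$SiteUrl)
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain)
    $site = Get-SPSite $SiteUrl
    try {
        # SiteUsers is every user known to the site collection, whether they got
        # there by direct assignment, group membership or simply by visiting.
        foreach ($user in $site.RootWeb.SiteUsers) {
            if ($user.IsDomainGroup) { continue }
            # Claims-mode Windows logins are encoded as i:0#.w|DOMAIN\user;
            # classic-mode logins are DOMAIN\user. Anything else (system
            # accounts, forms or SAML users) is not an AD account and is skipped.
            $ntName = $user.LoginName -replace '^i:0#\.w\|', ''
            if ($ntName -match '^([^\\]+)\\([^\\]+)$') { $sam = $Matches[2] } else { continue }

            $principal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
                $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $sam)
            if ($principal -eq $null)              { $status = 'Deleted in AD' }
            elseif ($principal.Enabled -eq $false) { $status = 'Disabled in AD' }
            else                                   { continue }

            New-Object PSObject -Property @{
                LoginName   = $user.LoginName
                Status      = $status
                IsSiteAdmin = $user.IsSiteAdmin
                Groups      = @($user.Groups | ForEach-Object { $_.Name }) -join ', '
            } | Select-Object LoginName, Status, IsSiteAdmin, Groups
        }
    } finally { $site.Dispose(); $ctx.Dispose() }
}

# Usage (placeholder URL). Review before removing anyone: a disabled account
# may be a leave of absence, and a deleted one may still own content.
Get-SPOrphanedDomainUsers -SiteUrl 'http://intranet.contoso.com' | Format-Table -AutoSize
```

A disabled account cannot log on, so the immediate risk is small; the governance problem is that the entry still counts against your permission reviews and still appears in people pickers. Deleted accounts are worth removing because the SID can never come back, but re-creating a user with the same name in AD gives a new SID, so the old SharePoint entry would not match it either.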
38. Distributed Administration: SharePoint is designed to have site administrators and power users.

39. Be Careful! Train your admins and power users! "I didn't know that restoring inheritance would remove our unique security model!" ~Countless well-intentioned site admins

40. Power Users Tip: manage power users through the "Owners" SharePoint groups. Limit the members to only those users you trust to change the structure, settings, or appearance of the site.

41. Best Practice: make most users members of the Members or Visitors groups.
• The Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site.
• The Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.

42. Stick to the Plan: if you do break inheritance, Microsoft recommends using groups to avoid having to track individual users. People move in and out of teams and change responsibilities frequently. Tracking those changes and updating the permissions for uniquely secured objects would be time-consuming and error-prone.

43. Plan for Permission Inheritance: arrange sites and subsites, and lists and libraries, so they can share most permissions. Separate sensitive data into its own lists, libraries, or subsite. Permission worksheet: http://go.microsoft.com/fwlink/p/?LinkID=213970&clcid=0x409

44. It's SharePoint's Fault! Administrators can audit permission changes from the site collection's settings page: under Site collection audit settings, enable "Editing users and permissions", then run the audit log reports.
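The audit setting on slide 44 and the reports it feeds are also reachable from the object model, which makes it possible to turn the check into a recurring job rather than a manual export. The PowerShell below is an added example, not part of the original deck, for the SharePoint 2010 Management Shell under a farm-admin account with shell access: one function adds the SecurityChange audit mask to a site collection without disturbing other audit flags, and the other queries the audit log for the permission-related events (inheritance broken or restored, role assignments changed, group membership changed, permission levels modified) in a recent window and resolves the actor. The URL is a placeholder.

```powershell
# Added example (not from the original deck): enable security-change auditing
# on a site collection and read back the permission-change events. This is the
# scripted form of Site collection audit settings > "Editing users and permissions".
# SharePoint 2010 Management Shell, farm-admin account with shell access.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Enable-SPSecurityChangeAuditing {
    param([string]$SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        # Keep whatever is already audited and add the SecurityChange mask.
        $site.Audit.AuditFlags = $site.Audit.AuditFlags -bor [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
        $site.Audit.Update()
        $site.Audit.AuditFlags
    } finally { $site.Dispose() }
}

function Get-SPPermissionChangeAuditEntries {
    param([string]$SiteUrl, [int]$Days = 30)
    $site = Get-SPSite $SiteUrl
    try {
        $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
        # Audit timestamps are stored in UTC.
        $query.SetRangeStart((Get-Date).ToUniversalTime().AddDays(-$Days))
        # Each AddEventRestriction widens the query: entries of any listed type match.
        foreach ($eventName in 'SecurityRoleBindUpdate', 'SecurityRoleBindBreakInherit',
                               'SecurityRoleBindInherit', 'SecurityGroupMemberAdd',
                               'SecurityGroupMemberDelete', 'SecurityRoleDefModify') {
            $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::$eventName)
        }

        $users = $site.RootWeb.SiteUsers
        foreach ($entry in $site.Audit.GetEntries($query)) {
            # UserId is the site-collection user id; resolve it to a login where possible.
            try   { $login = $users.GetByID($entry.UserId).LoginName }
            catch { $login = "user id $($entry.UserId)" }
            New-Object PSObject -Property @{
                OccurredUtc = $entry.Occurred
                Event       = $entry.Event
                By          = $login
                Location    = $entry.DocLocation
                Detail      = $entry.EventData
            } | Select-Object OccurredUtc, Event, By, Location, Detail
        }
    } finally { $site.Dispose() }
}

# Usage (placeholder URL). EventData is XML that names the principal and the
# permission level involved, so keep it in the export for the review.
Enable-SPSecurityChangeAuditing -SiteUrl 'http://intranet.contoso.com'
Get-SPPermissionChangeAuditEntries -SiteUrl 'http://intranet.contoso.com' -Days 30 |
    Sort-Object OccurredUtc -Descending | Format-Table -AutoSize
```

Two caveats a practitioner will want: the audit log lives in the content database and is trimmed by the Audit Log Trimming timer job according to the site collection's retention setting, so export what you need before it ages out; and the log records only what happened after the mask was enabled, so turning it on is part of the governance plan, not something to do after an incident.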
45. Questions and Answers

46. Contact me: Steve Goldberg, steve.goldberg@axceler.com, @iamgoldberg. Additional resources available:
• 11 Strategic Considerations for SharePoint Migrations http://bit.ly/j4Vuln
• The Insider's Guide to Upgrading to SharePoint 2010 http://bit.ly/mIpOBZ
• Why Do SharePoint Projects Fail? http://bit.ly/d1mJmw
• Best practices for capacity management for SharePoint Server 2010, TechNet http://bit.ly/nvNrig
• What to Look for in a SharePoint Management Tool http://bit.ly/l26ida
• The Five Secrets to Controlling Your SharePoint Environment http://bit.ly/kzdTjZ

47. We want your feedback! Use this QR code or visit: http://sps.la/feedback  Silver Sponsors:

48. Victory Lap social event: the "SharePoint Victory Lap" Social Event for SPSLA will be 5:30pm to 8pm at Di Piazzas (5205 E. Pacific Coast Hwy, 90804)

49. What I left out…
50. Windows Authentication (continued)
• Basic: users have previously assigned Windows credentials; the browser sends them during the HTTP transaction. They are not encrypted (only base64-encoded), so you should enable Secure Sockets Layer (SSL) on the zone.
• Digest: the browser sends a hash of the credentials rather than the password itself, so the clear-text password is not on the wire.
These are set directly in IIS.

51. Zones: each "zone" is essentially a new IIS web site that serves the same content through a different URL, which allows multiple authentication methods to the same site. Since SharePoint 2010 allows a claims-based web application to mix authentication methods on a single zone, zones are now more useful for load balancing, caching, content databases, and custom modules.

52. Audience targeting: used to display content such as list or library items, navigation links, and entire Web Parts to specific groups of people. This is useful when you want to present information that is relevant only to a particular group. For example, you can add a Web Part to the legal department's portal site that contains a list of legal contracts and is visible only to that department. Audience targeting is not a security feature: it decides what is shown, not who can open it. Anyone with Read permission on the underlying list can still reach the items, so sensitive content must still be secured with permissions.
