Best Practices for Security and Governance in SharePoint 2013
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Best Practices for Security and Governance in SharePoint 2013

  • 294 views
Uploaded on

Presented at SharePoint TechFest Dallas 2014. All rights reserved.

Presented at SharePoint TechFest Dallas 2014. All rights reserved.

More in: Business , Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
294
On Slideshare
294
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
11
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Antonio Maio Protiviti, Senior SharePoint Architect & Senior Manager Microsoft SharePoint Server MVP Best Practices for Security and Governance in SharePoint 2013 Email: Antonio.maio@protiviti.com Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2
  • 2. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. About Protiviti INDIA (3) Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index. • 2,500+ professionals • 1,000+ clients • 70+ offices • Over 20 countries in the Americas, Europe and Asia-Pacific Protiviti is one of the fastest growing consulting firms worldwide. Our revenues have increased from US $15 million in 2002, to US $423.8 million in 2011.
  • 3. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Goal Inform and Educate on Key SharePoint Security Features Illustrate the Importance of Establishing Strong Governance
  • 4. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. What do we know about Security and Governance? • Security is critical in government and military deployments • It’s a critical consideration in business • Requires good planning • Requires good awareness of SharePoint capabilities • Requires knowledge of what SharePoint cannot do • Yet… Security and Governance are still often an after thought for many deployments
  • 5. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. What Drives our Information Security Needs? • Information Security comes down to 2 or 3 drivers – Protecting Your Investments (intellectual property, digital assets, competitive advantage…) – Reducing Your Liability (avoid compliance violations, fines/sanctions, reputation issues…) – Public Safety or Mission Success (protect classified information, mission plans, reputation issues…) – Public Health (health records, health insurance, insurance fraud/theft…)
  • 6. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. What Drives our Information Security Needs? • How does this affect us as SharePoint people? – How We Deploy SharePoint – Control Access – Assign Roles – Establish Repeatable/Predictable Process – Regulatory Compliance Standards – Auditing & Reporting Obligations
  • 7. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Information Governance Ignorance is not always bliss… it’s problematic! … Why?
  • 8. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Information Governance • Governance means setting out the structures, people, policies, procedures and controls implemented to manage information and support an organization's immediate and future requirements: – Regulatory – Legal – Risk – Administrative – Environmental – Operational
  • 9. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Governance and SharePoint • SharePoint as a platform which offers services to your organization’s users • Governance for the SharePoint platform means: • Managing existing services in a predictable way • Deploying new services in a predictable way • Providing a clear set of guidelines for usage and administration • Achieve Strong Governance for SharePoint: 1. Develop a Governance Plan • Cross functional - Identifies ownership for business and technical teams • Regulatory, risk, legal, admin, environmental, organizational Needs 2. Establish a Governance Team • Include stakeholders from across the organization
  • 10. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Define Information Architecture/Structures (Includes Metadata Taxonomy) Confidential Developing a SharePoint Governance Plan - Key Areas to Focus Define Security Controls/Groups, Permissions and Roles for Assigning Permissions Define Roles, Responsibilities, Authority Determine Training Needs; Plan to Educate User Community Define Rules for Site Creation, Management, Decommissioning
  • 11. SharePoint Security
  • 12. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. SharePoint Deployment • Plan your Deployments and Necessary User Accounts • Use Least Privileged Accounts • Review SharePoint deployment guide before you install • SharePoint is a web application built on top of SQL Server – Best practice: to use specific user accounts for specific purposes with least privileges • Benefits: Separation of Concerns – Multiple points of redundancy – Targeted auditing of account usage – Minimize the risk of compromised accounts
  • 13. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Deployment User Accounts • Use 3 Different Deployment Accounts (at minimum) SQL Server Service Account Setup User Account SharePoint Farm Account Assign to MSSQLSERVER and SQLSERVERAGENT services when installing SQL Server (ex. domainSQL_service) Used to install SharePoint, run Product Config Wizard, install patches/update Used to run the SharePoint farm; not just for database access (ex. domainsp_farm_user) No special domain permissions - given required rights in SQL Server during SQL setup Login with this when running setup (ex. domainsp_setup_user) After Product Config Wizard run, prompted to provide the Database Access Account – this is the all powerful farm account Must be local admin on each server in SharePoint farm (except SQL Server if its different box) Given ownership of Config database - also configures several SharePoint services (ex. timer service) to use this as its identity Before starting SharePoint setup, assign the securityadmin and dbcreator roles in SQL
  • 14. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Deployment User Accounts • Use 3 Different Deployment Accounts (at minimum) SQL Server Service Account Setup User Account SharePoint Farm Account • Should all be AD domain accounts (user accounts) • Do not use personal admin account, especially for Setup User Account • Configure central email account for all managed accounts
  • 15. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Authentication • Determine that users are who they say they are (via login) • Configured on each web app • Multiple authentication methods per web app • SharePoint 2010 Options • Classic Mode Authentication (Integrated Auth, NTLM, Kerberos) • Claims Based Authentication • Forms Based Authentication available - through Claims Based Auth. – UI configuration options only available in UI upon web app creation – To convert non-claims based web app to claims will require PowerShell • SharePoint 2013 Options • Claims Based Authentication - default • Classic Mode Deprecated - Configuration UI has been removed (Only configurable through PowerShell)
  • 16. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Authorization • Determine if users have access to specific information objects and which level of access are they granted • Accomplished through Permissions in SharePoint • Allow you to secure any information object or container • Apply to items, documents, folders, lists, libraries, sites • Do not apply to individual column field values • Assigning Permissions Includes • The information object or container in question • The user, group or claim that is granted access • The permission level we are granting as part of that access
  • 17. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Permission Examples: Users and Groups • Finance AD Group has Full Control on Library A • ProjectXContractor SP Group has Read access on site B • Antonio.Maio AD user has Contribute access on Document C User or Group (also called a ‘Principle’) Permission Level (collection of permissions) Information Object (item or container)
  • 18. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Permission Examples: Claims • Remember: Claims are trusted attributes about a user • May assign a Claim as part of a permission to an object or container (like a user or group) • ‘SecurityClearance=Secret’ has Full Control access on Document X • ‘ITARCleared=True’ has Read access on Library Y • ‘EmploymentStatus=FTE’ has Contribute access on Site Z
  • 19. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Users Interacting with Permissions
  • 20. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Users Interacting with Permissions
  • 21. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Users Interacting with Permissions
  • 22. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Users Interacting with Permissions
  • 23. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Inherited Permission Model • Hierarchical permission model • Permissions are inherited from level above • Can break inheritance and apply unique permissions • Manual process • Permissive Model SharePoint Farm Web Application Site Collection Site Collection Site Site Library List Document Web Application Item Site Document Document Item Demo Members SharePoint Group Edit Demo Owners SharePoint Group Full Control Demo Visitors SharePoint Group Read Finance Team Domain Group Edit Senior Mgmt Domain Group Full Control Research Team Domain Group Full Control Senior Mgmt Domain Group Full Control Research Team Domain Group Full Control Senior Mgmt Domain Group Full Control Antonio.Maio Domain User Full Control
  • 24. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Permissions and Security Scopes • Every time permission inheritance is broken a new security scope is created • Security Scope is made of up principles: • Domain users/groups • SharePoint users/groups • Claims • Be aware of “Limited Access” • Limitations • Security Scopes (50K per list) • Size of Scope (5K per scope) Microsoft SharePoint Boundaries and Limits: http://technet.microsoft.com/en-us/library/cc262787.aspx
  • 25. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Information Architecture and Metadata • Information Architecture – The structural design of your information sharing environment • Organization and Storage • Identification • Retention • Business sensitivity and confidentiality • … • Metadata can provide important insight into what type of information you have in SharePoint • Recommended: Use Metadata to Classify information and Identify its Sensitivity
  • 26. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Standardized Metadata
  • 27. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Standardized Metadata • Implement Standardized Metadata Fields across libraries/lists • Library or List Level • Site Column Level • Managed Metadata Service (across Site Collection or Farm) • Ensure users are adding metadata when adding/editing information (mandatory fields) • Be aware of situations where SharePoint doesn’t request metadata (multi-file upload, explorer view) • Keep it Simple: Limit sensitivity classification to 3 or 4 labels – Public, Confidential, Restricted, Highly Restricted – Low Business Impact, Moderate Business Impact, High Business Impact – Unclassified, Confidential, Secret, Top Secret • Educate, Educate, Educate: What does each label mean/impact?
  • 28. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Recap • Develop a SharePoint Governance Plan with Key Stakeholders • Ignorance is not bliss… it’s problematic! • Understand the type of information you have • Develop an information architecture • Understand the risks to that information: accidental, insider and external threats • Use Metadata to identify sensitivity • Educate end users on significance of sensitivities – make them part of the solution • Deploying SharePoint with Appropriate Least Privileged Accounts • Determine your Authentication and Authorization Needs • Understand how permissions work • Plan for how permissions are given and managed • Understand SharePoint Security Features • Others: Web App Policies, Anonymous Users, Information Rights Management, Privileged Users , Event Auditing
  • 29. Antonio Maio Protiviti, Senior SharePoint Architect & Senior Manager Microsoft SharePoint Server MVP Thank You! Email: Antonio.maio@protiviti.com Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2