Share Point Server Security with Joel Oleson

Office SharePoint Server 2007: Security Authentication and Authorization Joel Oleson Sr. Technical Product Manager SharePoint Team

Key Take Aways

Learn in this session

What Security features are in the box

Authentication and Authorization

Extranet Topologies

What Microsoft Solutions make it better

Agenda

Agenda

Platform Security

Windows and ASP.NET authentication

3 Tiered Admin & Managing security

Compliance from bottom to top

Web farm Configuration

Microsoft Products & Solutions

Questions?

SharePoint 2007 Feature Areas Collaboration Business Intelligence Portal Business Forms Search Content Management Platform Services Workspaces, Mgmt, Security, Storage, Topology, Site Model

User Authentication

Authentication = Who are you?

User identity

User groups/roles as defined by the directory

Same in WSS and MOSS!

Windows

Windows integrated, Basic, Digest, etc

ASP.NET Pluggable Authentication

Forms – locally hosted login form

Web SSO – remotely hosted login form

Windows Authentication

Provided by IIS – SharePoint consumes

Windows Integrated

Kerberos/Negotiate

NTLM

Basic

Digest

Certificates (Must use IIS to configure)

SharePoint & ASP.NET Authentication

Pluggable authentication framework

Two related providers

Membership – user identities

Role – roles/groups/attributes for a user

Out-of-the-box providers

LDAP (Office SharePoint Server)

SQL Server (ASP.NET)

AD – single domain only (ASP.NET)

Admin Security Layers

Three Tier Admin

Web-based

Role & task delineated

Controlled delegation

Secure isolation

Shared Services(MOSS)

Single Sign on

Service Configuration

Central Admin

Authentication

Security Policies

Farm Configuration

Site Settings

Site Permissions

Auditing & Expiration Policies & IRM

Site Admins IT Server Admins Service Admins (ex. search)

Permissions Management

Group-based permissions management

Role-based permissions management

Fine-grained permissions control

List, library, folder, item, and document

Anonymous access

Security trimmed user interface!

Explicit access denied experience!

SharePoint Groups

New permissions management experience

Three default groups

Owners – full control

Members – contribute to existing lists and libraries

Visitors – read only

Integrated with user information list

SharePoint groups can be assigned permissions anywhere in the site collection

Group administration scales better

Security Policy

Central enforced permissions for all sites in the web application

GRANT and DENY

Bound to web application/zone

Scenarios

Full read – search crawling accounts, auditors, legal compliance

Deny all – security control, regulatory compliance

Deny write – extranet lockdown

Compliance

Auditing

Content Modifications

Content Viewing

Deletion

More

Expiration

Security Report

Policy Modification

Custom Report

Summary

Data Classification Enforcement

Information Rights Management Integration

Information Policies – auditing, expiration

Groove

Secure Collaboration Capabilities

Item Level Security (ILS) – Secured Objects (SO)

Publishing through Internet Security and Acceleration Server (ISA) and Intelligent Application Gateway (IAG)

Integrated Security Services

Active Directory Federation Services (ADFS)

Forms-Based Authentication and Single Sign-on

MOSS for Search – security trimmed search results

Central Administration

Pluggable Authentication – Pluggable Authentication Provider

Security Policies; Major and minor versions, Web Application

MOSS Farm Inter-Server Communications

User Access

Query/Index Propagation

MOSS Web Services

SQL

Indexing

SSO

Example Multi-Farm Topology

Sample Extranet Network Topology

“ Back-to-back” or “Dual-screened” Perimeter Network:

Secure Collaboration Microsoft Forefront Security for SharePoint helps businesses protect their Microsoft Office SharePoint 2007 and Windows SharePoint Services 3.0 collaboration environments by eliminating documents containing malicious code, confidential information, and inappropriate content.

Ships with & manages multiple antivirus engines

File & content keyword filtering

Support for Open XML & IRM-protected docs

Deep integration with SharePoint Server

Scanning innovations and performance controls

Maintains uptime and optimizes performance

Easily manage configuration and operation

Automated signature updates

Reporting, notifications, and alerts

Comprehensive Protection Optimized Performance Simplified Management

Forefront Security for SharePoint Protection Scenarios Internet Malware Inappropriate Content Extranet Indexing Server Web Front End SQL Back End Malware Inappropriate Content Management Firewall External SharePoint Users Internal SharePoint Users Management

Forefront Edge Products: Key Scenarios Remote Access VPN, OWA & SharePoint Publishing Firewall and Forward Proxy Secure Remote Access Internet Access Control & Protection Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures Branch Offices Protection Features, Caching, HTTP Compression SSL VPN Based Remote Access    

Intelligent Application Gateway 2007 IAG provides an easy and secure remote access solution for employees, partners and customers by combining SSL-VPN with application optimization technologies, a Web application firewall, and endpoint security controls. IAG includes a robust and comprehensive end point health security detection mechanism and cache cleanup tailored to the specific application and environments used for access. This allows administrators to publish granular and restricted access to unmanaged machines and extend more comprehensive and rich access from corporate assets . With wizard driven configuration, easy to use policies and a highly intuitive user experience, IAG ensures a fast and easy deployment allowing employees, partners and vendors simple and secure access. Ongoing management and control is simplified via updates to application and endpoint policies. Easy Management and Customization Application Intelligence At the heart of IAG’s is a highly granular and intelligent application firewall that improves security, functionality and performance of most applications. Default policies are in place to address common applications such as SharePoint, Exchange, Terminal Services and policies can easily be created to enhance proprietary line of business applications. Endpoint & Access Security

External Collaboration Toolkit for SharePoint SOLUTION ACCELERATORS Act faster. Go further. microsoft.com/technet/SolutionAccelerators Best practices and tools to collaborate with team members from different organizations –across the Internet Tested guidance by Microsoft security experts

Easy to Deploy and Use

Site Provisioning Approval Workflow

ADAM .NET LDAP Provider

SharePoint Admin UI and User Provisioning

Guidance for a More Secure Infrastructure

TechNet Securing Your Sites, Servers, and Server Hardening http://technet2.microsoft.com/Office/en-us/library/763613ac-83f4-424e-99d0-32efd0667bd91033.mspx?mfr=true

7 New Features that Enhance Security in SharePoint http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx

Security and Protection for Office SharePoint Server 2007 http://technet2.microsoft.com/Office/en-us/library/6cc7cbec-bbb8-4473-83a2-65149e932e901033.mspx?mfr=true

TechNet Webcast: SharePoint Security from Service Accounts to Item-Level Access (Level 200) http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032313270&CountryCode=US