Microsoft Office SharePoint Server 2007 Security, Compliance and Policy from Service Accounts to Item Level Permissions Joel Oleson Sr. Product Manager

Key Take Aways Learn in this session Configure authentication Manage permissions Securely configure your web farm Enable auditing for compliance Manage retention policies Report on security related events

Learn in this session

Configure authentication

Manage permissions

Securely configure your web farm

Enable auditing for compliance

Manage retention policies

Report on security related events

Agenda Agenda Intro… SharePoint Products & Technologies Windows and ASP.NET authentication Managing security Compliance from bottom to top Web farm Configuration Questions?

Agenda

Intro… SharePoint Products & Technologies

Windows and ASP.NET authentication

Managing security

Compliance from bottom to top

Web farm Configuration

Questions?

Agenda Agenda Intro… SharePoint Products & Technologies Windows and ASP.NET authentication Managing security Compliance from bottom to top Web farm Configuration Questions?

Agenda

Intro… SharePoint Products & Technologies

Windows and ASP.NET authentication

Managing security

Compliance from bottom to top

Web farm Configuration

Questions?

SharePoint 2007 Feature Areas Docs/tasks/calendars, blogs, wikis, e-mail integration, project management “lite”, Outlook integration, offline docs/lists Collaboration Business Intelligence Portal Enterprise Portal template, Site Directory, My Sites, social networking, privacy control Enterprise scalability, contextual relevance, rich people and business data search Rich and Web forms based front-ends, LOB actions, pluggable SSO Server-based Excel spreadsheets and data visualization, Report Center, BI Web Parts, KPIs/Dashboards Integrated document management, records management, and Web content management with policies and workflow Business Forms Search Content Management Platform Services Workspaces, Mgmt, Security, Storage, Topology, Site Model

SharePoint 2007 Feature Areas Collaboration Business Intelligence Portal Business Forms Search Content Management Platform Services Workspaces, Mgmt, Security, Storage, Topology, Site Model

Agenda Agenda Intro… SharePoint Products & Technologies Windows and ASP.NET authentication Managing security Compliance from bottom to top Web farm Configuration Questions?

Agenda

Intro… SharePoint Products & Technologies

Windows and ASP.NET authentication

Managing security

Compliance from bottom to top

Web farm Configuration

Questions?

User Authentication Authentication = Who are you? User identity User groups/roles as defined by the directory Same in WSS and MOSS! Windows Windows integrated, Basic, Digest, etc ASP.NET Pluggable Authentication Forms – locally hosted login form Web SSO – remotely hosted login form

Authentication = Who are you?

User identity

User groups/roles as defined by the directory

Same in WSS and MOSS!

Windows

Windows integrated, Basic, Digest, etc

ASP.NET Pluggable Authentication

Forms – locally hosted login form

Web SSO – remotely hosted login form

Windows Authentication Provided by IIS – SharePoint consumes Windows Integrated Kerberos/Negotiate NTLM Basic Digest Certificates (Must use IIS to configure)

Provided by IIS – SharePoint consumes

Windows Integrated

Kerberos/Negotiate

NTLM

Basic

Digest

Certificates (Must use IIS to configure)

Configuring Kerberos KDC Service Principal Name must match SharePoint application pool account

KDC Service Principal Name must match SharePoint application pool account

ASP.NET Authentication Pluggable authentication framework User identity is independent from Operating System (OS) identity Custom code to handle authentication Two related providers Membership – user identities Role – roles/groups/attributes for a user Out-of-the-box providers LDAP (Office SharePoint Server) SQL Server (ASP.NET) AD – single domain only (ASP.NET)

Pluggable authentication framework

User identity is independent from Operating System (OS) identity

Custom code to handle authentication

Two related providers

Membership – user identities

Role – roles/groups/attributes for a user

Out-of-the-box providers

LDAP (Office SharePoint Server)

SQL Server (ASP.NET)

AD – single domain only (ASP.NET)

ASP.NET Pipeline Authentication Module Role Manager Membership Provider SharePoint Content Database User/Group Directories User Identity Client Redirects Groups/Roles Authorization Invitations

Web.config <membership> <providers> <add name=“ YourMembershipProviderName “ connectionStringName=“ YourConnectionString &quot; … /> </providers> </membership> <roleManager> <providers> <add name=“ YourRoleProviderName “ connectionStringName=“ YourConnectionString “ … /> </providers> </roleManager> <connectionStrings> <add name=“ YourConnectionString &quot; connectionString=&quot;data source=127.0.0.1;Integrated Security=SSPI;Initial Catalog=aspnetdb&quot; /> </connectionStrings>

<membership>

<providers>

<add name=“ YourMembershipProviderName “ connectionStringName=“ YourConnectionString &quot;

… />

</providers>

</membership>

<roleManager>

<providers>

<add name=“ YourRoleProviderName “ connectionStringName=“ YourConnectionString “ … />

</providers>

</roleManager>

<connectionStrings>

<add name=“ YourConnectionString &quot; connectionString=&quot;data source=127.0.0.1;Integrated Security=SSPI;Initial Catalog=aspnetdb&quot; />

</connectionStrings>

ASP.NET Authentication Limitations Browser clients only Search crawler must use Windows Office client interaction degraded One authentication type per web application No Windows and Forms in same domain One provider pair per domain Forms over Windows accounts Forms user not same as Windows user

Browser clients only

Search crawler must use Windows

Office client interaction degraded

One authentication type per web application

No Windows and Forms in same domain

One provider pair per domain

Forms over Windows accounts

Forms user not same as Windows user

Authentication & Alternate Access Mappings

Agenda Agenda Intro… SharePoint Products & Technologies Windows and ASP.NET authentication Managing security Compliance from bottom to top Web farm Configuration Questions?

Agenda

Intro… SharePoint Products & Technologies

Windows and ASP.NET authentication

Managing security

Compliance from bottom to top

Web farm Configuration

Questions?

Sample Deployment Governance Model Permanent Enterprise Search News KPIs - Business Intelligence Corporate Business Taxonomy With Divisional Stakeholders Exists with AD User Ad hoc Self Service w/ Retention Policies Permanent Business Process Management Dashboards Division Scoped Search Group Reporting & Scorecards Site Directories & Site Maps AS Needed Document & Records Mgmt Aggregation Project Reports Short Lived Collaboration Semi Permanent Private & Shared Contextual Collab

Common Information Management Roles Information Worker Consumes and creates content Site Administrator Creates lists, manages site roles & manages permissions Business Owner/Application Owner Responsible for architecting the departmental top down solution for Enterprise Search, Profiles, Site Hierarchy/Site Map, Site Directory, branding IT Pro/Farm Administrator Manages the Server Farm, installs & deploys servers, web parts, manages capacity planning

Information Worker

Consumes and creates content

Site Administrator

Creates lists, manages site roles & manages permissions

Business Owner/Application Owner

Responsible for architecting the departmental top down solution for Enterprise Search, Profiles, Site Hierarchy/Site Map, Site Directory, branding

IT Pro/Farm Administrator

Manages the Server Farm, installs & deploys servers, web parts, manages capacity planning

Administrative Architecture Three Tier Admin Web-based Role & task delineated Controlled delegation Secure isolation Shared Services Service Authorization Service Configuration MOSS only Central Admin Authentication Security Policies Farm Configuration Site Settings Content Authorization Content Admins IT Admins Shared Content Admins

Three Tier Admin

Web-based

Role & task delineated

Controlled delegation

Secure isolation

Shared Services

Service Authorization

Service Configuration

MOSS only

Central Admin

Authentication

Security Policies

Farm Configuration

Site Settings

Content Authorization

Site Topologies Portals are Sites with a special template and *features* Office SharePoint Server Web Application(s) SSP Admin Central Admin Portal Template Portal Template

Portals are Sites with a special template and *features*

Authorization Tools Authorization = What can you do? SharePoint Content Configuration Data Services What can you view, update, delete, and customize? What services and tools can you use? What rules are enforced everywhere in the application?

Authorization = What can you do?

Permissions Management Group-based permissions management Role-based permissions management Fine-grained permissions control List, library, folder, item, and document Anonymous access Security trimmed user interface! Explicit access denied experience!

Group-based permissions management

Role-based permissions management

Fine-grained permissions control

List, library, folder, item, and document

Anonymous access

Security trimmed user interface!

Explicit access denied experience!

SharePoint Groups New permissions management experience Three default groups Owners – full control Members – contribute to existing lists and libraries Visitors – read only Integrated with user information list SharePoint groups can be assigned permissions anywhere in the site collection Group administration scales better

New permissions management experience

Three default groups

Owners – full control

Members – contribute to existing lists and libraries

Visitors – read only

Integrated with user information list

SharePoint groups can be assigned permissions anywhere in the site collection

Group administration scales better

Permission Levels Collections of rights , not people Full Control – Has full control Design – Can view, add, update, delete, approve, and customize Contribute – Can view, add, update, and delete Read – Can view only Customizable Inheritable across site collection

Collections of rights , not people

Full Control – Has full control

Design – Can view, add, update, delete, approve, and customize

Contribute – Can view, add, update, and delete

Read – Can view only

Customizable

Inheritable across site collection

Fine Grained Permissions New securable objects Web site Lists and libraries Folders within list or library Document or list item Consistent user interface top to bottom Permission levels Inherit from parent or unique permissions

New securable objects

Web site

Lists and libraries

Folders within list or library

Document or list item

Consistent user interface top to bottom

Permission levels

Inherit from parent or unique permissions

Site Collection Administrators Users with full control over all content in the site collection Fix lock out problems Recover items from 2nd stage recycle bin Cannot be removed from permissions

Users with full control over all content in the site collection

Fix lock out problems

Recover items from 2nd stage recycle bin

Cannot be removed from permissions

New Permissions Edit User Information – display name, e-mail, etc Approve Items – promote minor to major version View Versions Delete Versions Create Alerts – separated from view items Manage Alerts – create alerts for other people Enumerate Permissions – read, but not change Open Items – view source of server files (ASPX) View Application Pages – e.g. _layouts pages Use Remote Interfaces – e.g. SOAP Use Client Integration Features – e.g. Office

Edit User Information – display name, e-mail, etc

Approve Items – promote minor to major version

View Versions

Delete Versions

Create Alerts – separated from view items

Manage Alerts – create alerts for other people

Enumerate Permissions – read, but not change

Open Items – view source of server files (ASPX)

View Application Pages – e.g. _layouts pages

Use Remote Interfaces – e.g. SOAP

Use Client Integration Features – e.g. Office

Permissions Management

Shared Services Business data catalog Impersonation/delegation Kerberos constrained delegation Office server SSO Trusted subsystem Excel trusted locations User profile rights Property visibility Audiences are NOT for security

Business data catalog

Impersonation/delegation

Kerberos constrained delegation

Office server SSO

Trusted subsystem

Excel trusted locations

User profile rights

Property visibility

Audiences are NOT for security

Shared Services Provider Resource optimization Security isolation Delegation of administration Can be shared across farms

Resource optimization

Security isolation

Delegation of administration

Can be shared across farms

Shared Services Web App Web App Office Server Search Directory import User profile synch Audiences Targeting Business data catalog Excel calculation service Usage Reporting Shared Services App Pool App Pool CorpWeb WinWeb OfficeWeb LegalWeb

Shared Services: Audiences

Security Policy Central enforced permissions for all sites in the web application GRANT and DENY Bound to web application/zone Scenarios Full read – search crawling accounts, auditors, legal compliance Deny all – security control, regulatory compliance Deny write – extranet lockdown

Central enforced permissions for all sites in the web application

GRANT and DENY

Bound to web application/zone

Scenarios

Full read – search crawling accounts, auditors, legal compliance

Deny all – security control, regulatory compliance

Deny write – extranet lockdown

Agenda Agenda Intro… SharePoint Products & Technologies Windows and ASP.NET authentication Managing security Compliance from bottom to top Web farm Configuration Questions?

Agenda

Intro… SharePoint Products & Technologies

Windows and ASP.NET authentication

Managing security

Compliance from bottom to top

Web farm Configuration

Questions?

Business Benefits Reduce costs of retrieving information for legal discovery Reduce risk of non-compliance and legal liability Retain vital records for business continuity

Reduce costs of retrieving information for legal discovery

Compliance Auditing Content Modifications Content Viewing Deletion More Bar Codes (for tracking) Expiration Security Report Policy Modification Custom Report

Auditing

Content Modifications

Content Viewing

Deletion

More

Bar Codes (for tracking)

Expiration

Security Report

Policy Modification

Custom Report

Organizational Styles

Managing Collaborative Spaces Office SharePoint Server Sales Asia Pacific Region Employment Claims Contracts Content Types to classify content Policies to audit and expire information Server side IRM Declared records sent to Records Repository

Records Repository Doc Mgmt Systems Records Repository template Configure policies as per retention schedule Configure repository as per file plan Physical Assets E-mail/services Interface Records Manager Records Repository Contracts Asia Pacific Region Financials Mortgage Transfers document context

Compliance Auditing

Agenda Agenda Intro… SharePoint Products & Technologies Windows and ASP.NET authentication Managing security Compliance from bottom to top Web farm Configuration Questions?

Agenda

Intro… SharePoint Products & Technologies

Windows and ASP.NET authentication

Managing security

Compliance from bottom to top

Web farm Configuration

Questions?

Web Farm Configuration Application pool accounts Full control over content Act as the “SharePointsystem” account Timer service accounts Timer Admin Service – must run as Local System SQL Servers Kerberos SPN issue applies here too!

Application pool accounts

Full control over content

Act as the “SharePointsystem” account

Timer service accounts

Timer

Admin Service – must run as Local System

SQL Servers

Kerberos SPN issue applies here too!

Security Configuration Rights mask Blocked file types Form digest timeout Safe control list Code access security Code execution paths Virus scanning

Rights mask

Blocked file types

Form digest timeout

Safe control list

Code access security

Code execution paths

Virus scanning

Office Server SSO Credentials for server-to-server hop Unique or shared Client SharePoint External Data Credentials

Credentials for server-to-server hop

Unique or shared

Admin Access To Data Central administrators no longer have default full access to content Central administrators can grant themselves access to any content Security policy Site collection owners/administrators Both actions are audited in NT Event Log

Central administrators no longer have default full access to content

Central administrators can grant themselves access to any content

Security policy

Site collection owners/administrators

Both actions are audited in NT Event Log

WSS Topology

MOSS Shared Services

Example Multi-Farm Topology

Configuration Best Practices Unique accounts Central administration Shared services process Shared services shared web service account Content app pools Kerberos on (default = NTLM) Each process account must be a registered SPN to work SQL 2005 defaults to Kerberos with non-system process ID! SSL enabled (default = off) Turn on for admin sites and server to server Warning provided on credentials pages if SSL is off SPAdmin service Single server: Off (recommend ‘On’ for OSS) Farm: On

Unique accounts

Central administration

Shared services process

Shared services shared web service account

Content app pools

Kerberos on (default = NTLM)

Each process account must be a registered SPN to work

SQL 2005 defaults to Kerberos with non-system process ID!

SSL enabled (default = off)

Turn on for admin sites and server to server

Warning provided on credentials pages if SSL is off

SPAdmin service

Single server: Off (recommend ‘On’ for OSS)

Farm: On

Session Summary Pluggable authentication Windows – Kerberos, NTLM, Basic ASP.NET – Forms and Web SSO Managing permissions Site settings: Site, list, folder, and item Shared services Central admin policies and configuration Web farm configuration Application pool accounts Other process accounts

Pluggable authentication

Windows – Kerberos, NTLM, Basic

ASP.NET – Forms and Web SSO

Managing permissions

Site settings: Site, list, folder, and item

Shared services

Central admin policies and configuration

Web farm configuration

Application pool accounts

Other process accounts

Call To Action Use Kerberos! More secure than NTLM Better performance than NTLM Evaluate Authentication Ready for Forms authentication? Evaluate content topology Does folder and item level permissions change how you deploy SharePoint content? Model your groups

Use Kerberos!

More secure than NTLM

Better performance than NTLM

Evaluate Authentication

Ready for Forms authentication?

Evaluate content topology

Does folder and item level permissions change how you deploy SharePoint content?

Model your groups

References Kerberos Protocol Transition and Constrained Delegation ASP.NET Developer Center: Provider Toolkit SharePoint Server 2007 Tech Center Planning Logical Architecture

Kerberos Protocol Transition and Constrained Delegation

ASP.NET Developer Center: Provider Toolkit

SharePoint Server 2007 Tech Center

Planning Logical Architecture

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.