Tech Ed 2006 South East Asia Security And Compliance by Joel Oleson

200-300 level deck on SharePoint Security with a focus on Authentication vs. Authorization with the authentication models introduced in WSS 3.0, MOSS 2007.


2. Microsoft Office SharePoint Server 2007: Security, Compliance and Policy from Service Accounts to Item Level Permissions
   Joel Oleson, Sr. Product Manager
3. Key Takeaways
   • Learn in this session
     • Configure authentication
     • Manage permissions
     • Securely configure your web farm
     • Enable auditing for compliance
     • Manage retention policies
     • Report on security related events
4. Agenda
   • Intro: SharePoint Products & Technologies
   • Windows and ASP.NET authentication
   • Managing security
   • Compliance from bottom to top
   • Web farm configuration
   • Questions?
6. SharePoint 2007 Feature Areas
   • Collaboration: docs/tasks/calendars, blogs, wikis, e-mail integration, project management "lite", Outlook integration, offline docs/lists
   • Portal: Enterprise Portal template, Site Directory, My Sites, social networking, privacy control
   • Search: enterprise scalability, contextual relevance, rich people and business data search
   • Business Forms: rich and Web forms based front-ends, LOB actions, pluggable SSO
   • Business Intelligence: server-based Excel spreadsheets and data visualization, Report Center, BI Web Parts, KPIs/Dashboards
   • Content Management: integrated document management, records management, and Web content management with policies and workflow
   • Platform Services: workspaces, management, security, storage, topology, site model
7. SharePoint 2007 Feature Areas (diagram: Collaboration, Portal, Search, Business Forms, Business Intelligence and Content Management on top of Platform Services: Workspaces, Mgmt, Security, Storage, Topology, Site Model)
8. Agenda (section divider; same list as slide 4)
9. User Authentication
   • Authentication = Who are you?
     • User identity
     • User groups/roles as defined by the directory
     • Same in WSS and MOSS!
   • Windows
     • Windows Integrated, Basic, Digest, etc.
   • ASP.NET pluggable authentication
     • Forms: locally hosted login form
     • Web SSO: remotely hosted login form
10. Windows Authentication
   • Provided by IIS; SharePoint consumes it
   • Windows Integrated
     • Kerberos/Negotiate
     • NTLM
   • Basic
   • Digest
   • Certificates (must use IIS to configure)
11. Configuring Kerberos
   • The Service Principal Name registered with the KDC (Active Directory) must belong to the SharePoint application pool account
12. ASP.NET Authentication
   • Pluggable authentication framework
     • User identity is independent from the operating system (OS) identity
     • Custom code to handle authentication
     • Two related providers
       • Membership: user identities
       • Role: roles/groups/attributes for a user
   • Out-of-the-box providers
     • LDAP (Office SharePoint Server)
     • SQL Server (ASP.NET)
     • AD, single domain only (ASP.NET)
13. ASP.NET Pipeline (diagram: the Authentication Module, Role Manager and Membership Provider sit in the ASP.NET pipeline in front of the SharePoint content database and the user/group directories; flows shown: client redirects, user identity, groups/roles, authorization, invitations)
14. Web.config (provider registration for Forms authentication; the "..." marks attributes the slide omits)

       <membership>
         <providers>
           <add name="YourMembershipProviderName" connectionStringName="YourConnectionString" ... />
         </providers>
       </membership>
       <roleManager>
         <providers>
           <add name="YourRoleProviderName" connectionStringName="YourConnectionString" ... />
         </providers>
       </roleManager>
       <connectionStrings>
         <add name="YourConnectionString" connectionString="data source=127.0.0.1;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
       </connectionStrings>
15. ASP.NET Authentication Limitations
   • Browser clients only
     • Search crawler must use Windows authentication
     • Office client interaction degraded
   • One authentication type per web application
     • No Windows and Forms in the same domain
     • One provider pair per domain
   • Forms over Windows accounts
     • A Forms user is not the same as the Windows user
16. Authentication & Alternate Access Mappings (title only)
17. Agenda (section divider; same list as slide 4)
18. Sample Deployment Governance Model (diagram)
   • Lifetime classes: Permanent, Semi Permanent, Short Lived, Ad hoc, As Needed
   • Elements placed in the model: Enterprise Search, News, KPIs (Business Intelligence), Corporate Business Taxonomy with Divisional Stakeholders, Exists with AD User, Self Service with Retention Policies, Business Process Management, Dashboards, Division Scoped Search, Group Reporting & Scorecards, Site Directories & Site Maps, Document & Records Mgmt, Aggregation, Project Reports, Collaboration, Private & Shared Contextual Collab
19. Common Information Management Roles
   • Information Worker
     • Consumes and creates content
   • Site Administrator
     • Creates lists, manages site roles and manages permissions
   • Business Owner/Application Owner
     • Responsible for architecting the departmental top-down solution for Enterprise Search, profiles, site hierarchy/site map, Site Directory, branding
   • IT Pro/Farm Administrator
     • Manages the server farm, installs and deploys servers and web parts, manages capacity planning
20. Administrative Architecture
   • Three-tier admin
     • Web-based
     • Role and task delineated
     • Controlled delegation
     • Secure isolation
   • Tiers shown in the diagram
     • Central Admin: authentication, security policies, farm configuration
     • Shared Services (MOSS only): service authorization, service configuration
     • Site Settings: content authorization
   • Administrator roles: IT Admins, Shared Content Admins, Content Admins
21. Site Topologies
   • Portals are sites with a special template and *features*
   (diagram: Office SharePoint Server web application(s) hosting SSP Admin, Central Admin and sites built from the Portal template)
22. Authorization Tools
   • Authorization = What can you do?
   • SharePoint content: what can you view, update, delete, and customize?
   • Services: what services and tools can you use?
   • Configuration data: what rules are enforced everywhere in the application?
23. Permissions Management
   • Group-based permissions management
   • Role-based permissions management
   • Fine-grained permissions control
     • List, library, folder, item, and document
   • Anonymous access
   • Security-trimmed user interface!
   • Explicit access denied experience!
24. SharePoint Groups
   • New permissions management experience
     • Three default groups
       • Owners: full control
       • Members: contribute to existing lists and libraries
       • Visitors: read only
     • Integrated with the user information list
   • SharePoint groups can be assigned permissions anywhere in the site collection
   • Group administration scales better
25. Permission Levels
   • Collections of rights, not people
     • Full Control: has full control
     • Design: can view, add, update, delete, approve, and customize
     • Contribute: can view, add, update, and delete
     • Read: can view only
   • Customizable
   • Inheritable across the site collection
26. Fine Grained Permissions
   • New securable objects
     • Web site
     • Lists and libraries
     • Folders within a list or library
     • Document or list item
   • Consistent user interface top to bottom
     • Permission levels
     • Inherit from parent or unique permissions
27. Site Collection Administrators
   • Users with full control over all content in the site collection
     • Fix lock-out problems
     • Recover items from the second-stage recycle bin
     • Cannot be removed from permissions
28. New Permissions
   • Edit User Information: display name, e-mail, etc.
   • Approve Items: promote minor to major version
   • View Versions
   • Delete Versions
   • Create Alerts: separated from View Items
   • Manage Alerts: create alerts for other people
   • Enumerate Permissions: read, but not change
   • Open Items: view source of server files (ASPX)
   • View Application Pages: e.g. _layouts pages
   • Use Remote Interfaces: e.g. SOAP
   • Use Client Integration Features: e.g. Office
29. Permissions Management (title only)
30. Shared Services
   • Business Data Catalog
     • Impersonation/delegation
       • Kerberos constrained delegation
       • Office server SSO
     • Trusted subsystem
   • Excel trusted locations
   • User profile rights
     • Property visibility
   • Audiences are NOT for security
31. Shared Services Provider
   • Resource optimization
   • Security isolation
   • Delegation of administration
   • Can be shared across farms
32. Shared Services (diagram: several web applications (CorpWeb, WinWeb, OfficeWeb, LegalWeb), each in its own app pool, consuming one Shared Services app pool that hosts Office Server Search, directory import, user profile synch, audiences and targeting, Business Data Catalog, Excel Calculation Service and usage reporting)
33. Shared Services: Audiences (title only)
34. Security Policy
   • Centrally enforced permissions for all sites in the web application
     • GRANT and DENY
     • Bound to web application/zone
   • Scenarios
     • Full read: search crawling accounts, auditors, legal compliance
     • Deny all: security control, regulatory compliance
     • Deny write: extranet lockdown
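Added example (PowerShell, not from the deck): a small model of how the rules in slides 24 to 28 and 34 combine into a user's effective rights, so that the precedence is visible: web application policy DENY is applied last and wins over everything, policy GRANT and site collection admin rights apply regardless of site permissions, and a securable object either inherits from its parent or carries its own role assignments. The users, groups, object tree and the reduced rights set are constructed for the example.

```powershell
# Added example, not from the deck: model of SharePoint 2007 effective-rights
# resolution (policy DENY > policy GRANT / site collection admin > role assignments
# on the nearest object with unique permissions). All names are constructed.

$Levels = @{
    'Full Control' = @('View', 'Add', 'Edit', 'Delete', 'ManagePermissions')
    'Contribute'   = @('View', 'Add', 'Edit', 'Delete')
    'Read'         = @('View')
}
$WriteRights = @('Add', 'Edit', 'Delete', 'ManagePermissions')
# Site collection: groups, site collection admins and the securable-object tree.
# An object without 'Assignments' inherits from its parent; the root web always has them.
$Site = @{
    Groups = @{ 'Team Owners' = @('alice'); 'Team Members' = @('bob'); 'Team Visitors' = @('carol'); 'HR Staff' = @('dave') }
    SiteCollectionAdmins = @('alice')
    Objects = @{
        'web'               = @{ Parent = $null; Assignments = @{ 'Team Owners' = 'Full Control'; 'Team Members' = 'Contribute'; 'Team Visitors' = 'Read' } }
        'web/Docs'          = @{ Parent = 'web' }
        'web/Docs/HR'       = @{ Parent = 'web/Docs'; Assignments = @{ 'Team Owners' = 'Full Control'; 'HR Staff' = 'Contribute' } }
        'web/Docs/HR/1.doc' = @{ Parent = 'web/Docs/HR' }
    }
}

# Web application policy, bound to the web app/zone: user -> Grant or Deny (slide 34).
$Policy = @{
    'crawler' = @{ Grant = 'Full Read' }     # search crawling account
    'bob'     = @{ Deny  = 'Deny Write' }    # extranet lockdown
    'alice'   = @{ Deny  = 'Deny All' }      # applies even to a site collection admin
}

function Get-EffectiveRights {
    param([string]$User, [string]$ObjectPath)
    $rights = @()
    # Site collection admins hold every right and cannot be removed from permissions.
    if ($Site.SiteCollectionAdmins -contains $User) { $rights += $Levels['Full Control'] }
    # Walk up to the nearest object with its own role assignments (unique permissions).
    $node = $Site.Objects[$ObjectPath]
    while (-not $node.ContainsKey('Assignments')) { $node = $Site.Objects[$node.Parent] }
    foreach ($group in $node.Assignments.Keys) {
        if ($Site.Groups[$group] -contains $User) { $rights += $Levels[$node.Assignments[$group]] }
    }
    # Policy GRANT (Full Read) applies to every site in the web application.
    if ($Policy[$User].Grant -eq 'Full Read') { $rights += 'View' }
    # Policy DENY is evaluated last and overrides everything above.
    switch ($Policy[$User].Deny) {
        'Deny All'   { $rights = @() }
        'Deny Write' { $rights = @($rights | Where-Object { $WriteRights -notcontains $_ }) }
    }
    return @($rights | Sort-Object -Unique)
}

foreach ($case in @(@('dave', 'web/Docs/HR/1.doc'), @('carol', 'web/Docs/HR/1.doc'), @('bob', 'web/Docs'), @('alice', 'web'), @('crawler', 'web/Docs'))) {
    '{0,-8} {1,-20} {2}' -f $case[0], $case[1], ((Get-EffectiveRights -User $case[0] -ObjectPath $case[1]) -join ',')
}
```

The cases at the end exercise inheritance from a folder with unique permissions (dave and carol on the item), Deny Write on a Contribute member (bob), Deny All on a site collection admin (alice), and Full Read for an account with no site permissions (crawler).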
35. Agenda (section divider; same list as slide 4)
36. Business Benefits
   • Reduce costs of retrieving information for legal discovery
   • Reduce risk of non-compliance and legal liability
   • Retain vital records for business continuity
37. Compliance
   • Auditing
     • Content modifications
     • Content viewing
     • Deletion
     • More
   • Bar codes (for tracking)
   • Expiration
   • Security report
   • Policy modification
   • Custom report
38. Organizational Styles (title only)
39. Managing Collaborative Spaces (diagram: an Office SharePoint Server site hierarchy such as Sales > Asia Pacific Region > Employment Claims / Contracts; content types classify content, policies audit and expire information, server-side IRM protects it, and declared records are sent to the Records Repository)
40. Records Repository (diagram: document management systems, e-mail/services and physical assets feed the Records Repository through its interface; the Records Manager configures the repository as per the file plan and policies as per the retention schedule, using the Records Repository template; example record hierarchy Contracts / Asia Pacific Region / Financials / Mortgage Transfers, with document context preserved)
41. Compliance Auditing (title only)
42. Agenda (section divider; same list as slide 4)
43. Web Farm Configuration
   • Application pool accounts
     • Full control over content
     • Act as the "SharePoint\system" account
   • Timer service accounts
     • Timer
     • Admin Service: must run as Local System
   • SQL Servers
     • Kerberos SPN issue applies here too!
44. Security Configuration
   • Rights mask
   • Blocked file types
   • Form digest timeout
   • Safe control list
   • Code access security
   • Code execution paths
   • Virus scanning
45. Office Server SSO
   • Credentials for the server-to-server hop
   • Unique or shared
   (diagram: Client -> SharePoint -> External Data, with credentials supplied for the second hop)
46. Admin Access To Data
   • Central administrators no longer have default full access to content
   • Central administrators can grant themselves access to any content
     • Security policy
     • Site collection owners/administrators
     • Both actions are audited in the NT Event Log
47. WSS Topology (diagram)
48. MOSS Shared Services (diagram)
49. Example Multi-Farm Topology (diagram)
50. Configuration Best Practices
   • Unique accounts
     • Central administration
     • Shared services process
     • Shared services shared web service account
     • Content app pools
   • Kerberos on (default = NTLM)
     • Each process account must have a registered SPN to work
     • SQL 2005 defaults to Kerberos with a non-system process ID!
   • SSL enabled (default = off)
     • Turn on for admin sites and server-to-server
     • A warning is shown on credentials pages if SSL is off
   • SPAdmin service
     • Single server: Off (recommend 'On' for OSS)
     • Farm: On
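Added example (PowerShell, not from the deck): a check for the SPN rule stated in slides 11, 43 and 50, that the HTTP SPN for each web application must be registered on that application's app pool account and the MSSQLSvc SPN on the SQL Server service account, with no duplicates. It assumes a domain-joined machine (the [adsisearcher] accelerator searches the current domain); the account names, host names and port in the table are constructed placeholders.

```powershell
# Added example, not from the deck: verify that the SPNs a SharePoint 2007 farm
# relies on are registered on the intended process accounts. Run on a domain-joined
# machine; account names, hosts and the port below are constructed placeholders.

# SPN -> sAMAccountName of the account that must own it. HTTP SPNs belong on the
# web application's app pool account (NetBIOS and FQDN forms); the MSSQLSvc SPN
# belongs on the SQL Server service account.
$ExpectedSpns = @{
    'HTTP/portal'                         = 'svc-sp-portal'
    'HTTP/portal.contoso.example'         = 'svc-sp-portal'
    'HTTP/ssp.contoso.example'            = 'svc-sp-ssp'
    'MSSQLSvc/sql01.contoso.example:1433' = 'svc-sql'
}

function Get-SpnOwners {
    param([string]$Spn)
    # Escape LDAP filter metacharacters, then return every account carrying the SPN.
    $escaped = $Spn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($result in $searcher.FindAll()) {
        $result.Properties['samaccountname'][0]
    }
}

function Test-SharePointSpns {
    param([hashtable]$Expected)
    foreach ($spn in $Expected.Keys) {
        $owners = @(Get-SpnOwners -Spn $spn)
        if ($owners.Count -eq 0) {
            $status = 'MISSING'        # no Kerberos ticket can be issued; clients fall back to NTLM or fail
        } elseif ($owners.Count -gt 1) {
            $status = 'DUPLICATE'      # the same SPN on two accounts breaks Kerberos for that service
        } elseif ($owners[0] -ne $Expected[$spn]) {
            $status = 'WRONG-ACCOUNT'  # registered, but not on the process account that runs the service
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{ SPN = $spn; Expected = $Expected[$spn]; Found = ($owners -join ','); Status = $status }
    }
}

Test-SharePointSpns -Expected $ExpectedSpns | Format-Table -AutoSize
```

Anything other than OK means Kerberos will not work for that service even if the web application or SQL Server is configured to use it.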
51. Session Summary
   • Pluggable authentication
     • Windows: Kerberos, NTLM, Basic
     • ASP.NET: Forms and Web SSO
   • Managing permissions
     • Site settings: site, list, folder, and item
     • Shared services
     • Central admin policies and configuration
   • Web farm configuration
     • Application pool accounts
     • Other process accounts
52. Call To Action
   • Use Kerberos!
     • More secure than NTLM
     • Better performance than NTLM
   • Evaluate authentication
     • Ready for Forms authentication?
   • Evaluate content topology
     • Do folder and item level permissions change how you deploy SharePoint content?
   • Model your groups
53. References
   • Kerberos Protocol Transition and Constrained Delegation
   • ASP.NET Developer Center: Provider Toolkit
   • SharePoint Server 2007 Tech Center
   • Planning Logical Architecture
54. © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
