Securing Knowledge and Collaboration Systems SharePoint 2010

1,060
views

Published on

The SharePoint security model can be confusing, with its deep hierarchy of securable objects, granular permissions and policies, and clunky user and group management interfaces. This session …

The SharePoint security model can be confusing, with its deep hierarchy of securable objects, granular permissions and policies, and clunky user and group management interfaces. This session demystifies SharePoint security by dissecting each of these components and presenting best practices for implementing and managing security. Learn when and why it makes sense to leverage Active Directory groups or use SharePoint groups, and take away options for new permission levels and settings that address common business requirements.

Published in: Technology

  • As the capabilities and use of SharePoint technologies continue to increase, so does the amount of content stored in SharePoint sites. To maintain and manage this content, you need an effective security structure in place to ensure that this content is only accessed by users with the proper permissions. To assist administrators with this gargantuan task, configuration options exist to grant users access with both broad and fine-grained settings. Additionally, you can configure this access at several hierarchical levels, making it easy to secure content throughout an environment. The security structure built at the onset of a SharePoint deployment plays a major role in the overall success or failure of the solution and is not to be taken lightly. In this chapter you get an in-depth look at the security configuration options available with SharePoint 2010 and how they can be used to lock down your environment.
  • http://www.shetabtech.com/english/SharePointLiveAuth/default.aspx
  • In the intranet portal, each user has a different permission level, such as Read, Contribute, Design, Full Control, Limited Access, Publishing feature, Approve, Restricted Read, and so on.
  • Transcript

    • 1. Securing Knowledge and Collaboration Systems: Permissions, Identities, and Objects
      K. Mohamed Faizal,
      Lead Consultant, NCS (P) Ltd.
      http://faizal-comeacross.blogspot.com/
      ANSES RahRah 9
      Securing Knowledge and Collaboration Systems
    • 2. About Me
    • 3. What’s the point?
      Security is more than just
      Authentication / Authorization
    • 4. What’s the point?
      Security is like dressing for the cold (do it in layers; aka DiD, Defense in Depth)
    • 5. What’s the point?
      In Security, the WHY is more important than the HOW
    • 6. Portal End-to-End Security
    • 7. Portal focus on
    • 8. Portal Permission Dependency Chart
      http://skurocks.wordpress.com/category/sharepoint/sharepoint-security/
    • 9. SharePoint Security in a Nutshell
      Securable object
      Roles (permission levels)
      Role assignments (“assigning permissions”)
      Record policies
      Auditing
      Authentication
      Users and groups
      Web application policy
      Policy
      Identity/Claim
      Role (permission level)
      Group
      Securable Object
      Record
      Authentication
      Authorization
    • 10. Key Concepts: Claims-Based Access Terminology
      Identity
      “Set of attributes that describes a principal (e.g. a user) such as name, gender, age, email address, driver licence number, group membership”
      Identity: Mohamed Faizal
      Name:Mohamed Faizal
      DOB: 10 Jan 1973
      Eye Color: Black
      Role:SG Citizen
      Person: Mohamed Faizal
    • 11. Key Concepts: Claims-Based Access Terminology
      Claim
      “An attribute about an identity issued by an authority”
      Identity Provider
      “Trusted authority that creates and issues claims”
      Relying Party
      “Application that makes authorisation decisions based on claims”
    • 12. Key Concepts: Claims-Based Access Terminology
      Identity: Mohamed Faizal
      Name:Mohamed Faizal
      DOB: 10 Jan 1973
      Eye Color: Black
      Role:SG Citizen
      Person: Mohamed Faizal
    • 13. Key Concepts: Claims-Based Access Terminology - Token
      Token
      Claim
      Claim
      “A token consists of a set of claims about the principal, and signed by an authority”
      Claim
      Signature
    • 14. Key Concepts: Claims-Based Access Terminology - Token
      Name: Mohamed Faizal
      Token
      DOB: 10 Jan 1973
      Role: SG Citizen
      Identity: Mohamed Faizal
      Name:Mohamed Faizal
      DOB: 10 Jan 1973
      Eye Color: Black
      Role:SG Citizen
      Signed by SG Govt.
      Person: Mohamed Faizal
    • 15. Key Concepts: Claims-Based Access Terminology
      Why claims, not attributes?
      Trust depends on scenario
      Identity @ SG Government
      Name:Mohamed Faizal
      DOB: 10 Jan 1973
      Identity @ Facebook
      Mohamed Faizal
      Name:Mohamed Faizal
      DOB: 10 Jan 1990
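The token and trust ideas on slides 11, 13 and 15 in working form, as an added example that is not part of the presentation. It assumes a simplified token (claims signed with HMAC-SHA256 over a constructed shared key; SharePoint 2010 actually consumes SAML tokens with X.509 signatures) and a constructed relying party that trusts the government for name, DOB and role but Facebook for name only.

```python
import hashlib
import hmac
import json

# Constructed signing keys; a real identity provider signs with an X.509 key.
GOV_KEY = b"constructed-sg-government-key"
FB_KEY = b"constructed-facebook-key"


def issue_token(issuer: str, claims: dict, key: bytes) -> dict:
    """Identity provider: a token is a set of claims plus a signature (slide 13)."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


class RelyingParty:
    """Application that makes authorisation decisions based on claims (slide 11).

    `trusted` maps issuer -> (verification key, claim types that issuer may assert);
    that mapping is how 'trust depends on scenario' (slide 15) is enforced.
    """

    def __init__(self, trusted: dict):
        self.trusted = trusted

    def accepted_claims(self, token: dict) -> dict:
        payload = json.loads(token["body"])
        entry = self.trusted.get(payload["issuer"])
        if entry is None:
            return {}  # unknown authority: accept nothing
        key, allowed = entry
        expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["signature"]):
            return {}  # forged or altered token: accept nothing
        # Keep only the claim types this issuer is trusted to assert.
        return {k: v for k, v in payload["claims"].items() if k in allowed}

    def allow_citizen_site(self, token: dict) -> bool:
        """Authorisation decision: only a government-asserted 'SG Citizen' role counts."""
        return self.accepted_claims(token).get("role") == "SG Citizen"


# Constructed relying party and the two identities from slide 15.
PORTAL = RelyingParty({"SG Government": (GOV_KEY, {"name", "dob", "role"}),
                       "Facebook": (FB_KEY, {"name"})})
GOV_TOKEN = issue_token("SG Government",
                        {"name": "Mohamed Faizal", "dob": "1973-01-10", "role": "SG Citizen"}, GOV_KEY)
FB_TOKEN = issue_token("Facebook", {"name": "Mohamed Faizal", "dob": "1990-01-10"}, FB_KEY)
```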
    • 16. Benefits of Claims: Current Situation – Single Sign On
      Different sign–on requirements for applications
      COMPANY X
      EMPLOYEES
    • 17. Benefits of Claims: Current Situation – Sensitive information leaks
      COMPANY X
      EMPLOYEES
      PARTNERS
      Sensitive information is sent via e-mail since partners do not have access to Company X’s SharePoint site
    • 18. Benefits of Claims: Current Situation – Time and Labour Intensive and still insecure!
      Access requests and Password Requests handled through help desk
      COMPANY X
      EMPLOYEES
      PARTNERS
      Potential unauthorised access
    • 19. Benefits of Claims: Extend the Reach of Collaboration – Beyond Your Organisation
      Empower Business
      • Ability to move seamlessly between applications using a single identity
      • Collaborate across organisations securely
      • Making business applications more agile and loosely tied to infrastructure by integrating with cloud services
      Empower IT
      • No need to manage external accounts
      • Simplified and flexible claims-based federation
      • Open & Extensible – Standards Based and interoperable
      COMPANY X
      EMPLOYEES
      PARTNERS
    • 24. Sign-in Scenarios
      Sign-in to SharePoint with both Windows and LDAP directory Identity
      Easily configure Intranet and Extranet users for Collaboration
      Integrate with other customer identity systems (e.g. ADFS, etc.)
      Use Office Applications with non-Windows Authentication
    • 25. Normalizing Identities
      Classic
      Claims
      NT Token / Windows Identity
      NT Token / Windows Identity
      SAML 1.1 + ADFS, etc.
      ASP.Net (FBA): SQL, LDAP, Custom …
      SAML Token
      Claims Based Identity
      SPUser
    • 26. Sign-in Process
    • 27. End User Experience
    • 28. End User Experience
      Classic Mode
    • 29. End User Experience
      Claims Mode
    • 30. SharePoint Logical Structure
      Web Application
      Site Collection / Top-Level Site
      Site Collection / Top-Level Site
      Site
      List
      Library
      Site
      [Folder]
      [Folder]
      Item
      Document
    • 31. Issue #1 - Search
      In SharePoint 2010, Enterprise Search results are by default trimmed at query time, based on the identity of the user who submitted the query.
      But when users search, why does the document content still appear on the search results page?
      This is a big security issue if you store confidential documents on a SharePoint 2010 intranet portal.
    • 32.
    • 33. Permission Levels
      Permission levels are collections of permissions
      Default
      Read
      Contribute
      Design
      Full Control
      Limited Access
      Publishing feature
      Manage hierarchy
      Approve
      Restricted read
    • 34. Permission Levels
      Permission levels are collections of permissions
      Defined at the site collection
      How To
      Customize an existing permission level
      Copy an existing permission level and edit the copy
      Create a new permission level “from scratch”
    • 35. Issue #2 - Permission Level
      SharePoint 2010 is a collaboration portal where you can enable the auto check-in feature, but sometimes a confidential document is checked out by another authorised person who has gone on leave or has left the organisation.
      Now you need to edit the confidential document, but since it is checked out you are not allowed to edit it.
      The minimum permission required to check it in is Manager. How do you overcome this kind of specific security issue?
    • 36.
    • 37. Issue #3 - Groups
      SharePoint groups or Active Directory groups: which is best to use for an intranet portal and a collaboration site, and which one is easier to manage?
    • 38. Group Management Comparison
      Active Directory
      Technical user interface (AD Users & Computers)
      No provisioning (requests, workflows)
      Difficult delegation of membership management
      Centralized security (group membership) management
      SharePoint
      Non-technical user interface (compared to ADUC)
      Easy delegation of group membership management
      Optional provisioning of membership requests
      Unified view of SharePoint groups & users
      Only applies to SharePoint
    • 39. Using Active Directory Groups
      Assigning permissions directly to AD groups
      Possible but not recommended
      Assumes that content will always be hosted in a web application using AD as its auth provider
      Nest Active Directory groups in SharePoint groups
      Add to a SharePoint group and give permissions (recommended)
      User → Active Directory group → SharePoint group
      Must be a security group (not a distribution group)
      Distribution groups can be used to create audiences
    • 40. User Information List
      Group information list: Site Settings → People and Groups
      User Information List
      /_catalogs/users/simple.aspx
      This list exists at the site collection level
      Visible only to administrators with the URL
      No longer has a link in the UI in 2010
      Users appear when
      Added explicitly to the User Information List
      Given an explicit permission within the site collection
      Contribute to the site
      e.g. able to contribute based on membership in an AD group
      Configure an alert
    • 41. To Nest or Not To Nest
      User → Active Directory group → SharePoint group
      Advantages
      Disadvantages
      Recommendations
    • 42. To Nest or Not To Nest
      User → Active Directory group → SharePoint group
      Advantages
      Provides authentication
      Don’t assign SP permissions directly to AD groups. Not manageable in the long term.
      Centralized management of groups and security
      One AD group can provide access to SharePoint, shared folders, etc.
      User removed from AD group is automatically out of SP groups
      Disadvantages
      Recommendations
    • 43. To Nest or Not To Nest
      User → Active Directory group → SharePoint group
      Advantages
      Disadvantages
      Limited visibility of what’s really happening
      Site will not appear in the users’ My Sites
      User Information List will not show individual users until they have contributed to the site
      AD groups with deep nesting or contacts can break SP
      Recommendations
    • 44. To Nest or Not To Nest
      User → Active Directory group → SharePoint group
      Advantages
      Disadvantages
      Recommendation: Based on governance plan
      Ideal world: Synchronization of membership between Active Directory and SharePoint groups (custom code)
      “Intranet” sites: AD groups → SP groups to define access
      Add site to users’ My Sites with personalization site links
      “Collab” sites: Add users directly to SP groups
      Provide My Site visibility
      Provide visibility of user in user information list
    • 45. Issue #4 - Policy
      In the intranet portal, each department site appears with a different look and feel.
      How do you prevent users from selecting different branding, themes and borders?
    • 46. Web Application Security
      Central Administration → Application Management → Manage Web Applications
      User Policy
      Bound to web application AAM zone
      Permissions
      Full Control
      Full Read
      Deny Write
      Deny All
      Permission policy allows you to create your own policies
      Scenarios
    • 47. Managing Permissions
      Defined at the web application
      Not typical to modify or disable the permissions at the web app
      Central Administration → Web Application Management → User Permissions
      Example: prevent changes to branding
      Deselect Apply Style Sheets and Apply Themes and Borders
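A toy model of how the pieces on slides 30, 33-34, 39 and 46-47 combine into a user's effective permissions, as an added example that is not part of the presentation. Permission names follow SharePoint's SPBasePermissions enum; the permission levels, groups, objects and web application settings are constructed, and AD nesting is modelled one level deep only.

```python
# Permission names follow SPBasePermissions; levels, groups and objects are constructed.
READ = frozenset({"Open", "ViewPages", "ViewListItems", "OpenItems"})
WRITE = frozenset({"AddListItems", "EditListItems", "DeleteListItems", "ManageLists"})
BRAND = frozenset({"ApplyThemeAndBorder", "ApplyStyleSheets"})

# Permission levels are collections of permissions, defined at the site collection (slides 33-34).
LEVELS = {"Read": READ, "Contribute": READ | WRITE, "Design": READ | WRITE | BRAND}

# Group nesting (slide 39): user -> AD security group -> SharePoint group (one level only).
AD_GROUPS = {"DOMAIN\\Marketing": {"DOMAIN\\faizal"}}
SP_GROUPS = {"Marketing Members": {"DOMAIN\\Marketing"}, "Site Owners": {"DOMAIN\\alice"}}

# Securable objects (slide 30). assignments=None means the object inherits from its parent.
OBJECTS = {
    "site": {"parent": None, "assignments": {"Site Owners": "Design", "Marketing Members": "Contribute"}},
    "list": {"parent": "site", "assignments": None},
    "item": {"parent": "list", "assignments": {"DOMAIN\\faizal": "Read"}},  # unique permissions
}

# Web application settings (slides 46-47): enabled user permissions and per-user policy.
DEFAULT_WEB_APP = {"enabled": READ | WRITE | BRAND, "policy": {}}
# 'Apply Style Sheets' and 'Apply Themes and Borders' deselected, plus one Deny Write policy.
LOCKED_WEB_APP = {"enabled": READ | WRITE, "policy": {"DOMAIN\\faizal": "Deny Write"}}


def principals_for(user):
    """The user plus every AD group and SharePoint group that (transitively) contains them."""
    names = {user}
    names |= {g for g, members in AD_GROUPS.items() if user in members}
    names |= {g for g, members in SP_GROUPS.items() if members & names}
    return names


def role_assignments(obj):
    """Walk up the hierarchy until an object with its own role assignments is found."""
    while OBJECTS[obj]["assignments"] is None:
        obj = OBJECTS[obj]["parent"]
    return OBJECTS[obj]["assignments"]


def effective_permissions(user, obj, web_app=DEFAULT_WEB_APP):
    perms = set()
    assigned = role_assignments(obj)
    for principal in principals_for(user):
        perms |= LEVELS.get(assigned.get(principal), frozenset())
    perms &= web_app["enabled"]           # a permission disabled at the web app never applies
    policy = web_app["policy"].get(user)  # web application user policy overrides the site
    if policy == "Deny All":
        return frozenset()
    if policy == "Deny Write":
        perms -= WRITE | BRAND
    elif policy == "Full Read":
        perms |= READ & web_app["enabled"]
    elif policy == "Full Control":
        perms |= web_app["enabled"]
    return frozenset(perms)
```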
    • 48. Issue #5 - Audit
      SharePoint has an audit logging feature, but most organisations don’t turn it on.
      When suspicious events occur, you will not find the audit information.
    • 49. Auditing
      Configured at the site collection level
      Site Settings → Site Collection Administration: Site collection audit settings
      Audit log reports
    • 50. Records Management
      New in SharePoint 2010: in-place records management
      Enable the feature at the site collection level
      Declare records management attributes
      Site collection
      Folder
      Content type
      Supports security at the document level without permissions
    • 51. More Information
      Mohamed Faizal: kmfaizal@ncs.com.sg
      @kmdfaizal
      Blog : http://faizal-comeacross.blogspot.com/
      Microsoft Official Curriculum Course 10174A: Configuring and Administering SharePoint 2010
      70-667 Training Kit: Configuring and Administering SharePoint 2010 (Microsoft Press)
    • 52. Questions & Answers
    • 53. Thank You | Let us be a Value Creator for your organisation
      9/26/2011