AUSPC 2013 - Understanding the Five Layers of SharePoint Security
Transcript

  • 1. Michael Noel, CCO
  • 2. Thank you to our sponsors
  • 3. Great to be back in Beautiful Australia!
  • 4. Agenda: the five layers of SharePoint security
      • 1: Infrastructure Security
        • Physical Security
        • Best Practice Service Account Setup
        • Kerberos Authentication
      • 2: Data Security
        • Role Based Access Control (RBAC)
        • Transparent Data Encryption (TDE) of SQL Databases
      • 3: Transport Security
        • Secure Sockets Layer (SSL) from Client to Server
        • IPSec from Server to Server
      • 4: Edge Security
        • Inbound Internet Security (Forefront UAG)
      • 5: Rights Management
  • 5. Layer 1: Infrastructure Security
  • 6. Best-practice service account setup (example naming for the COMPANYABC domain):
      Service account name        | Role of service account                                              | Special permissions
      COMPANYABC\SRV-SP-Setup     | SharePoint installation account                                      | Local Admin on all SP servers (for installs)
      COMPANYABC\SRV-SP-SQL       | SQL service account(s); should be separate admin accounts from the SP accounts | Local Admin on database server(s) (generally; some exceptions apply)
      COMPANYABC\SRV-SP-Farm      | SharePoint farm account(s); can also be standard admin accounts, but ideally RBAC principles apply | N/A
      COMPANYABC\SRV-SP-Search    | Search account                                                       | N/A
      COMPANYABC\SRV-SP-Content   | Default content access account                                       | Read rights to any external data sources to be crawled
      COMPANYABC\SRV-SP-Prof      | Default profiles access account                                      | Member of Domain Users (to read attributes of users in the domain) and the 'Replicate Directory Changes' right in AD
      COMPANYABC\SRV-SP-AP-SPCA   | Application pool identity for SharePoint Central Admin               | dbcreator and securityadmin on SQL; Create and Modify Contacts rights in the OU used for mail
      COMPANYABC\SRV-SP-AP-Data   | Application pool identity for the content-related app pool (Portal, My Sites, etc.); additional accounts as needed for security | N/A
  • 7. Kerberos authentication:
      • When creating any Web Application, USE KERBEROS. It is much more secure than NTLM and also faster under heavy load, because the SharePoint server does not have to keep going back to AD for every authentication request.
      • Kerberos does require extra steps (SPNs, delegation settings), which makes people shy away from it, but once configured it improves security considerably and can improve performance on high-load sites.
      • It should also be configured on the SPCA site. Best practice: configure SPCA for NLB, SSL and Kerberos (i.e. https://spca.companyabc.com).
  • 8. Use the setspn utility to create Service Principal Names (SPNs) in AD for the web application pool identities; the following syntax, for example:
      • setspn.exe -A HTTP/mysite.companyabc.com DOMAINNAME\MySiteAppAccount
      • setspn.exe -A HTTP/mysite DOMAINNAME\MySiteAppAccount
      • setspn.exe -A HTTP/home.companyabc.com DOMAINNAME\HomeAppAccount
      • setspn.exe -A HTTP/sp DOMAINNAME\HomeAppAccount
      • Register both the FQDN and the short name that users type. On Windows Server 2008 R2 / Windows 7 and later prefer setspn -S, which refuses to create a duplicate SPN; -A adds blindly, and an SPN held by two accounts silently breaks Kerberos for that URL.
  • 9. Use setspn to create SPNs for the SQL service account:
      • SPNs need to match the name (and port) that SharePoint uses to connect to SQL
      • Syntax similar to the following:
      • setspn.exe -A MSSQLSvc/spsql:1433 COMPANYABC\SRV-SQL-DB
      • setspn.exe -A MSSQLSvc/spsql.companyabc.com:1433 COMPANYABC\SRV-SQL-DB
      • The :1433 form is the default instance; for a named instance, register MSSQLSvc/host:InstanceName (and the instance's TCP port) instead
      • In this example, SRV-SQL-DB is the SQL service account
  • 10. Kerberos delegation:
      • Required only for Excel Services and other applications that impersonate the user to a back-end service.
      • On all SharePoint computer accounts and on the application pool identity accounts, enable delegation in Active Directory Users and Computers (ADUC).
      • In ADUC, navigate to the computer or user account, right-click and choose Properties.
      • Go to the Delegation tab (it only appears once the account has at least one SPN registered).
      • Choose 'Trust this user/computer for delegation to any service (Kerberos)'.
      • Caveat: 'any service' is unconstrained delegation; a compromised server running under that account can reuse any connected user's credentials against any service in the domain. Where the application supports it (SharePoint 2010 does), prefer 'Trust this user/computer for delegation to specified services only' (constrained delegation) and list only the back-end SPNs actually needed.
  • 11. Switch the Web Application to Kerberos:
      • Go to Application Management
      • Choose the appropriate Web Application and click Authentication Providers
      • Click the link for 'Default' under Zone
      • Change to Integrated Windows Authentication - Negotiate (Kerberos)
      • Run iisreset /noforce from the command prompt
      • If creating the Web Application from scratch, this step is unnecessary if you choose Negotiate (Kerberos) from the beginning
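The SPN steps on slides 8 and 9 are the part of this procedure that goes wrong most often, usually because an SPN already exists on another account. The following PowerShell is an added example, not from the deck: it registers the deck's HTTP and MSSQLSvc SPNs, checks for duplicates before and after, and verifies from a client that a Kerberos service ticket is actually issued once the web application is set to Negotiate (slide 11). The account, host and domain names are the deck's placeholders; it assumes setspn.exe from Windows Server 2008 R2 / Windows 7 or later (for -S) and an account allowed to write servicePrincipalName.

```powershell
# Added example (not the deck's own script). Placeholders: COMPANYABC domain,
# SRV-SP-AP-* app pool identities, SRV-SQL-DB SQL service account, spsql host.

$Spns = @(
    @{ Spn = 'HTTP/mysite.companyabc.com';         Account = 'COMPANYABC\SRV-SP-AP-Data' },
    @{ Spn = 'HTTP/mysite';                        Account = 'COMPANYABC\SRV-SP-AP-Data' },
    @{ Spn = 'HTTP/home.companyabc.com';           Account = 'COMPANYABC\SRV-SP-AP-Data' },
    @{ Spn = 'HTTP/sp';                            Account = 'COMPANYABC\SRV-SP-AP-Data' },
    @{ Spn = 'HTTP/spca.companyabc.com';           Account = 'COMPANYABC\SRV-SP-AP-SPCA' },
    @{ Spn = 'MSSQLSvc/spsql:1433';                Account = 'COMPANYABC\SRV-SQL-DB' },
    @{ Spn = 'MSSQLSvc/spsql.companyabc.com:1433'; Account = 'COMPANYABC\SRV-SQL-DB' }
)

function Get-SpnOwner {
    # setspn -Q searches the forest for an exact SPN and prints the distinguished
    # name of every object that holds it (one "CN=..." line per owner).
    param([string]$Spn)
    $out = & setspn.exe -Q $Spn 2>&1
    @($out | Where-Object { $_ -match '^\s*CN=' } | ForEach-Object { $_.Trim() })
}

foreach ($entry in $Spns) {
    $owners = Get-SpnOwner -Spn $entry.Spn
    if ($owners.Count -gt 1) {
        # Two accounts holding one SPN breaks Kerberos for that name: the KDC
        # cannot choose a key, so clients get KRB_AP_ERR_MODIFIED or quietly
        # fall back to NTLM. Fix this before adding anything.
        Write-Warning "DUPLICATE $($entry.Spn) held by: $($owners -join '; ')"
        continue
    }
    if ($owners.Count -eq 1) {
        Write-Host "present  $($entry.Spn) on $($owners[0])"
        continue
    }
    # -S refuses to create a duplicate; the deck's -A adds blindly.
    & setspn.exe -S $entry.Spn $entry.Account | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "added    $($entry.Spn) -> $($entry.Account)" }
    else { Write-Warning "failed   $($entry.Spn) (setspn exit code $LASTEXITCODE)" }
}

# Forest-wide sweep: -X lists every SPN registered on more than one object.
& setspn.exe -X

# Read back what each service account ended up with (-L takes the sAMAccountName).
'SRV-SP-AP-Data', 'SRV-SP-AP-SPCA', 'SRV-SQL-DB' | ForEach-Object { & setspn.exe -L $_ }

# From a domain-joined client, after the web application is set to Negotiate:
# a service ticket for the site's SPN proves Kerberos is in use. If no HTTP/...
# ticket appears in the cache after a page load, the browser fell back to NTLM.
& klist.exe get HTTP/home.companyabc.com
& klist.exe
```

Run the registration part once from an admin workstation; the klist check belongs on a client after the iisreset. A duplicate reported by the first loop or by setspn -X has to be resolved (setspn -D on the wrong account) before Kerberos will work for that name.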
  • 12. Layer 2: Data Security
  • 13. Role Based Access Control (RBAC):
      • Role Groups defined within Active Directory (Universal Groups), i.e. 'Marketing', 'Sales', 'IT', etc.
      • Role Groups added directly into SharePoint groups such as 'Contributors', 'Authors', etc.
      • Simply by adding a user account into the associated Role Group, the user gains whatever rights their role requires; no individual user is ever added to SharePoint directly.
      • (Diagram: User1, User2 -> Role Group (AD) -> SharePoint Group)
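The RBAC pattern above, written out as an added PowerShell example (not from the deck): create the AD role groups, bind each one to a SharePoint group once, and from then on grant access purely by AD group membership. It assumes the ActiveDirectory module (RSAT) and the SharePoint 2010 PowerShell snap-in, classic Windows authentication, and placeholder names for the domain, OU, site and groups.

```powershell
# Added example (not the deck's own script). Placeholders: COMPANYABC, the OU,
# the site URL and the SharePoint group names.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Domain  = 'COMPANYABC'
$RoleOU  = 'OU=Role Groups,DC=companyabc,DC=com'
$SiteUrl = 'https://home.companyabc.com'

# AD role group -> SharePoint group. The SharePoint group carries the permission
# level; the AD group carries the people.
$RoleMap = @{
    'Marketing' = 'Home Members'   # Contribute
    'Sales'     = 'Home Members'
    'IT'        = 'Home Owners'    # Full Control
    'AllStaff'  = 'Home Visitors'  # Read
}

foreach ($role in $RoleMap.Keys) {
    # Universal scope so the group resolves anywhere in the forest; nesting works
    # because SharePoint evaluates the user's token, not the group list.
    if (-not (Get-ADGroup -Filter "Name -eq '$role'" -SearchBase $RoleOU)) {
        New-ADGroup -Name $role -GroupScope Universal -GroupCategory Security -Path $RoleOU
    }

    $spGroup = $RoleMap[$role]
    $alias   = "$Domain\$role"
    $web     = Get-SPWeb $SiteUrl
    try {
        $already = $web.SiteGroups[$spGroup].Users | Where-Object { $_.LoginName -eq $alias }
        if (-not $already) {
            # New-SPUser with -Group adds a principal (here the AD group) to a SharePoint group.
            New-SPUser -UserAlias $alias -Web $web -Group $spGroup | Out-Null
        }
    } finally { $web.Dispose() }
}

# Day-to-day access changes are now AD membership changes only:
Add-ADGroupMember -Identity 'Marketing' -Members 'user1', 'user2'

# Audit: who holds permissions on the web directly? Under RBAC this should be
# the SharePoint groups (and through them the AD role groups), never an SPUser.
$web = Get-SPWeb $SiteUrl
$web.RoleAssignments | ForEach-Object {
    [pscustomobject]@{
        Principal = $_.Member.LoginName
        Kind      = $_.Member.GetType().Name     # SPGroup is expected; SPUser is a finding
        Roles     = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
    }
} | Format-Table -AutoSize
$web.Dispose()
```

The audit at the end is the check to keep running: any SPUser row (a person granted rights directly) is a departure from the model and will not be revoked when that person's AD role changes.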
  • 14. Transparent Data Encryption (TDE):
      • SQL Server Enterprise Edition feature
      • Encrypts SQL databases transparently; SharePoint is unaware of the encryption and does not need a key
      • Encrypts the backups of the database as well
  • 15. What TDE does not do:
      • Does not encrypt the communication channel (IPSec can be added)
      • Does not protect data in memory (DBAs could access it)
      • Cannot take advantage of SQL 2008 backup compression (encrypted pages do not compress)
      • TempDB is encrypted for the entire instance as soon as one DB is enabled for TDE, which can have a performance effect on other DBs
      • Replication and FILESTREAM data are not encrypted when TDE is enabled (i.e. RBS BLOBs are not encrypted)
  • 16. Key and certificate hierarchy (top to bottom):
      • Windows OS level: Data Protection API (DPAPI) encrypts the Service Master Key
      • SQL instance level: Service Master Key (SMK) encrypts the DMK of the master DB
      • master DB level: Database Master Key (DMK) protects the certificate created in master
      • master DB level: the certificate encrypts the DEK stored in the content DB
      • Content DB level: Database Encryption Key (DEK) encrypts the content DB
  • 17. Database Master Key (DMK):
      • Symmetric key used to protect the private keys and asymmetric keys in the master database
      • Itself protected by the Service Master Key (SMK), which is created by SQL Server setup
      • Use syntax as follows:
        USE master;
        GO
        CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC';
        GO
  • 18. Certificate:
      • Protected by the DMK
      • Used to protect the database encryption key
      • Use syntax as follows:
        USE master;
        GO
        CREATE CERTIFICATE CompanyABCtdeCert
        WITH SUBJECT = 'CompanyABC TDE Certificate';
        GO
  • 19. Back up the certificate:
      • Without a backup, data can be lost: a database encrypted under this certificate cannot be restored on any instance where the certificate is missing
      • Backup creates two files, the certificate backup (.cer) and the private key file (.pvk); store them, and the password, separately from the database backups
      • Use following syntax:
        USE master;
        GO
        BACKUP CERTIFICATE CompanyABCtdeCert TO FILE = 'c:\Backup\CompanyABCtdeCert.cer'
        WITH PRIVATE KEY (FILE = 'c:\Backup\CompanyABCtdeCert.pvk',
            ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!');
        GO
  • 20. Database Encryption Key (DEK):
      • DEK is used to encrypt a specific database
      • One is created for each database
      • The encryption algorithm can be chosen for each DEK
      • Use following syntax:
        USE SharePointContentDB;
        GO
        CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert;
        GO
  • 21. Enable encryption:
      • Data encryption begins in the background after running the command
      • The size of the DB determines how long it takes; it can be lengthy and could cause user blocking, so schedule it for a maintenance window
      • Use following syntax:
        USE SharePointContentDB;
        GO
        ALTER DATABASE SharePointContentDB
        SET ENCRYPTION ON;
        GO
  • 22. Check the encryption state:
      • encryption_state is returned for every database on the instance that has a DEK (including tempdb)
      • State of 2 = encryption in progress
      • State of 3 = encryption complete
      • Use following syntax (a row comes back only once the database is fully encrypted):
        USE SharePointContentDB;
        GO
        SELECT *
        FROM sys.dm_database_encryption_keys
        WHERE database_id = DB_ID('SharePointContentDB')
          AND encryption_state = 3;
        GO
  • 23. Restoring a TDE database onto another server:
      • Step 1: Create a new Master Key on the target server (it does not need to match the source master key)
      • Step 2: Back up the certificate and private key from the source
      • Step 3: Restore the certificate and private key onto the target (no need to export the DEK, as it is part of the database backup)
        USE master;
        GO
        CREATE CERTIFICATE CompanyABCtdeCert
        FROM FILE = 'C:\Restore\CompanyABCtdeCert.cer'
        WITH PRIVATE KEY (FILE = 'C:\Restore\CompanyABCtdeCert.pvk',
            DECRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!');
        GO
      • Step 4: Restore the DB
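Slides 17 to 23 are one procedure, so here it is end to end as an added PowerShell example (not from the deck), with the two checks the slides leave to the operator: whether a DMK already exists in master before creating one, and polling encryption_state until it reaches 3 instead of assuming ALTER DATABASE finished the job. It also packages the target-server import from slide 23 as a function. Assumptions: the SQLPS module (Invoke-Sqlcmd) is available, the caller is sysadmin, the script runs on the SQL server so the backup path is local, and the passwords, paths and names are the deck's placeholders.

```powershell
# Added example (not the deck's own script). Placeholders: spsql, the DB name,
# certificate name, C:\Backup and both passwords.
Import-Module SQLPS -DisableNameChecking -ErrorAction SilentlyContinue

$Server      = 'spsql'
$Db          = 'SharePointContentDB'
$CertName    = 'CompanyABCtdeCert'
$BackupDir   = 'C:\Backup'                  # must exist and be writable by the SQL service
$DmkPassword = 'CrypticTDEpw4CompanyABC'    # protects the DMK in master (slide 17)
$PvkPassword = 'CrypticTDEpw4CompanyABC!'   # protects the exported private key (slide 19)

function Invoke-Tsql {
    param([string]$Query, [string]$Database = 'master')
    Invoke-Sqlcmd -ServerInstance $Server -Database $Database -Query $Query -QueryTimeout 0
}

# 1. DMK in master. The DMK's internal name is ##MS_DatabaseMasterKey##; creating
#    a second one fails, so check first.
$dmk = Invoke-Tsql "SELECT COUNT(*) AS n FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##';"
if ($dmk.n -eq 0) { Invoke-Tsql "CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$DmkPassword';" }

# 2. Certificate in master, then back it up immediately: without the .cer/.pvk
#    pair and its password, every database encrypted under it is unrecoverable.
if (-not (Invoke-Tsql "SELECT name FROM sys.certificates WHERE name = '$CertName';")) {
    Invoke-Tsql "CREATE CERTIFICATE $CertName WITH SUBJECT = 'CompanyABC TDE Certificate';"
}
$cer = Join-Path $BackupDir "$CertName.cer"
$pvk = Join-Path $BackupDir "$CertName.pvk"
if (Test-Path $cer) {
    Write-Warning "Backup $cer already exists; not overwriting (BACKUP CERTIFICATE would fail)."
} else {
    Invoke-Tsql @"
BACKUP CERTIFICATE $CertName TO FILE = '$cer'
WITH PRIVATE KEY (FILE = '$pvk', ENCRYPTION BY PASSWORD = '$PvkPassword');
"@
}

# 3. DEK in the content database, then switch encryption on.
Invoke-Tsql -Database $Db @"
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE $CertName;
"@
Invoke-Tsql "ALTER DATABASE [$Db] SET ENCRYPTION ON;"

# 4. The encryption scan runs in the background; state 2 means still working.
#    Poll until state 3 (encrypted) before declaring the change complete.
do {
    Start-Sleep -Seconds 10
    $row = Invoke-Tsql @"
SELECT encryption_state, percent_complete
FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID('$Db');
"@
    Write-Host ("{0}: encryption_state={1} ({2:N1}% complete)" -f $Db, $row.encryption_state, $row.percent_complete)
} while ($row.encryption_state -ne 3)

# 5. Target server (slide 23): its own DMK, then the certificate with private
#    key, before RESTORE DATABASE. The target DMK password need not match the source.
function Import-TdeCertificate {
    param([string]$TargetServer, [string]$CerFile, [string]$PvkFile,
          [string]$PvkPassword, [string]$TargetDmkPassword)
    $q = @"
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$TargetDmkPassword';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = '$CertName')
    CREATE CERTIFICATE $CertName FROM FILE = '$CerFile'
    WITH PRIVATE KEY (FILE = '$PvkFile', DECRYPTION BY PASSWORD = '$PvkPassword');
"@
    Invoke-Sqlcmd -ServerInstance $TargetServer -Database master -Query $q
}
# Import-TdeCertificate -TargetServer 'spsql-dr' -CerFile 'C:\Restore\CompanyABCtdeCert.cer' `
#     -PvkFile 'C:\Restore\CompanyABCtdeCert.pvk' -PvkPassword $PvkPassword -TargetDmkPassword 'AnotherStrongPassword!'
```

The poll loop is the part worth keeping: on a large content database the scan can run for hours, and a restore taken before state 3 is a mixed database. Test the Import-TdeCertificate path on the disaster-recovery instance before relying on it; a restore that fails with "cannot find server certificate" is the symptom of a missing or mismatched certificate.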
  • 24. Layer 3: Transport Security
  • 25. SSL from client to server:
      • External or internal certificates highly recommended
      • Protects the transport of content between the browser and the web server
      • Roughly 20% CPU overhead on the web servers
      • Can be offloaded to SSL offloaders if needed
      • Don't forget SPCA as well!
  • 26. IPSec from server to server:
      • By default, traffic between SharePoint servers (i.e. web and SQL) is unencrypted
      • IPSec encrypts all packets sent between servers in a farm
      • For very high security scenarios when all possible data breaches must be addressed
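An added example of the server-to-server IPSec on slide 26 (not from the deck), using the Windows Firewall connection security rules that ship with Windows Server 2008 and later: a rule that requires IPsec with Kerberos computer authentication for all traffic between the web servers and SQL, plus the checks that show it negotiated. The IP addresses and rule name are placeholders; it assumes domain-joined servers (Kerberos needs the machine accounts) and must be run elevated on every server in the farm.

```powershell
# Added example (not the deck's own script). Placeholders: the addresses below.
$SqlServer  = '10.0.1.10'
$WebServers = '10.0.1.20,10.0.1.21'
$RuleName   = 'SPFarm-Web-SQL-IPsec'

# The action decides the failure mode:
#   requestinrequestout  - negotiate IPsec if the peer can, otherwise send clear
#                          (use this first to prove every peer negotiates)
#   requireinrequireout  - drop anything not protected (the production setting;
#                          a server that is missing the rule loses connectivity)
$Action = 'requestinrequestout'

# Re-runnable: drop a previous copy of the rule.
netsh advfirewall consec delete rule name=$RuleName | Out-Null

netsh advfirewall consec add rule name=$RuleName `
    endpoint1=$WebServers endpoint2=$SqlServer `
    protocol=any `
    action=$Action `
    auth1=computerkerb `
    qmsecmethods=esp:sha1-aes256 `
    enable=yes

# Show the rule as the firewall stored it.
netsh advfirewall consec show rule name=$RuleName

# After some web -> SQL traffic has flowed, a quick-mode SA between the two
# addresses is the proof that packets are actually being encapsulated in ESP.
netsh advfirewall monitor show qmsa
```

Roll this out as request-mode on all farm servers first, confirm quick-mode SAs exist for each web/SQL pair, then change $Action to requireinrequireout and re-run everywhere. Because endpoints are fixed addresses, traffic to domain controllers and other hosts is unaffected, which is what keeps Kerberos itself working while the rule is enforced.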
  • 27. Layer 4: Edge Security (Inbound Internet Security with Forefront UAG)
  • 28. Layer 5: Rights Management
  • 29. Active Directory Rights Management Services (AD RMS):
      • AD RMS is a form of Digital Rights Management (DRM) technology, used in various forms to protect content
      • Used to restrict activities on files AFTER they have been accessed:
        • Cut/Paste
        • Print
        • Save As...
      • Directly integrates with SharePoint document libraries
  • 30. AD RMS installation: select cluster key storage
      • Centrally managed key storage (the default) or CSP key storage
      • CSP is used for advanced scenarios, such as keeping the cluster key in a hardware security module
  • 31. Let SharePoint use the RMS certification pipeline:
      • By default, the RMS server is configured to allow only the local system account of the RMS server (or the RMS web application identity accounts) to access the certification pipeline directly
      • The SharePoint web servers and/or Web Application service accounts need to be added to this security list
      • Add the AD RMS Service Group, the machine account(s) of the SharePoint server(s) and the Web Application identity accounts, with Read and Execute permissions, to the ServerCertification.asmx file in the %systemdrive%\inetpub\wwwroot\_wmcs\Certification folder on the RMS server
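The ACL change on slide 31 as an added PowerShell example (not from the deck): it grants Read and Execute on ServerCertification.asmx to the AD RMS Service Group, the SharePoint machine accounts and the web application identities, then prints the resulting ACL so the list can be reviewed. The computer and account names are placeholders; it assumes it runs elevated on the AD RMS server, where 'AD RMS Service Group' is the local group created at install (the trailing $ denotes a computer account).

```powershell
# Added example (not the deck's own script). Placeholders: SPWEB01/SPWEB02 and
# the COMPANYABC service accounts.
$AsmxPath = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'

$Principals = @(
    "$env:COMPUTERNAME\AD RMS Service Group",   # local group created by AD RMS setup
    'COMPANYABC\SPWEB01$',                       # SharePoint web server machine accounts
    'COMPANYABC\SPWEB02$',
    'COMPANYABC\SRV-SP-AP-Data',                 # web application pool identities
    'COMPANYABC\SRV-SP-AP-SPCA'
)

if (-not (Test-Path $AsmxPath)) {
    throw "Not found: $AsmxPath. Run this on the AD RMS server."
}

$acl = Get-Acl -Path $AsmxPath
foreach ($p in $Principals) {
    # ReadAndExecute only: these principals need to call the web service, nothing more.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $p, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)    # idempotent for an identical existing entry
}
Set-Acl -Path $AsmxPath -AclObject $acl

# Review: whoever can reach this file can have the RMS cluster certify a
# server, so the access list should be exactly the principals above plus the
# defaults. Anything unexpected here is a finding.
(Get-Acl -Path $AsmxPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Set-Acl will fail with an identity-resolution error if a placeholder name does not exist in the domain, which is the desired behaviour: fix the name rather than granting to a broader group such as Domain Computers.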
  • 32. An RMS-enabled client, when accessing a document in the document library, will contact the RMS server to validate the user's credentials before the document can be opened
  • 33. Effective permissions can be viewed from within the document; the RMS client enforces the restrictions
  • 34. Summary:
      • Determine the security risk for your SharePoint environment
      • Identify any regulatory compliance requirements for SharePoint
      • Determine which aspects of SharePoint need to be secured, touching on all five layers of SharePoint security
  • 35. Michael Noel
      Company site: http://www.cco.com
      Twitter: http://twitter.com/michaeltnoel
      LinkedIn: http://linkedin.com/in/michaeltnoel
      Facebook: http://facebook.com/michaelnoel
      Slides: http://slideshare.net/michaeltnoel
      Travel blog: http://sharingtheglobe.com
  • 36. Thank you to our sponsors
