TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Understanding the Five Layers of SharePoint Security
One of the biggest advantages of using SharePoint as a document management and collaboration environment is that a robust security and permissions structure is built into the application itself. Authenticating and authorizing users is a fairly straightforward task, and administration of security permissions is simplified. Too often, however, security for SharePoint stops there: organizations don't pay enough attention to the other considerations that make up a SharePoint security stack, and more often than not don't properly build them into a deployment. These include Edge, Transport, Infrastructure, Data, and Rights Management security, areas that are often neglected but are nonetheless extremely important. This session discusses the entire security stack within SharePoint, from best practices for managing permissions and ACLs under a Role Based Access Control model to techniques for securing inbound access to externally facing SharePoint sites. The session is designed to be comprehensive: it covers all major security topics in SharePoint and discusses various real-world designs that are built to be secure.

  • Understand how to use native technologies to secure all layers of a SharePoint environment, including Data, Transport, Infrastructure, Edge, and Rights Management.
  • Examine tools and technologies that can help secure SharePoint, including AD Rights Management Services, Forefront Unified Access Gateway, SQL Transparent Data Encryption, and more.
  • Understand a Role-Based Access Control (RBAC) permissions model and how it can be used to gain better control over authorization and access control to SharePoint files and data.

TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Understanding the Five Layers of SharePoint Security Presentation Transcript

  • 1. 17-20 OCTOBER 2011
    DURBAN ICC
  • 2. SharePoint Security in an Insecure World
    Understanding the Five Layers of SharePoint Security
    OFC308
  • 3. SharePoint Security – Layers of Security in a SharePoint Environment
    1: Infrastructure Security
    Physical Security
    Best Practice Service Account Setup
    Kerberos Authentication
    2: Data Security
    Role Based Access Control (RBAC)
    Transparent Data Encryption (TDE) of SQL Databases
    Antivirus
    3: Transport Security
    Secure Sockets Layer (SSL) from Client to Server
    IPSec from Server to Server
    4: Edge Security
    Inbound Internet Security (Forefront UAG/TMG)
    5: Rights Management
  • 4. Layer 1: Infrastructure Security
  • 5. Layer 1: Infrastructure Security – Sample List of Service Accounts
  • 6. Layer 1: Infrastructure Security – Enable Kerberos
    When creating any Web Applications in Classic mode, USE KERBEROS. It is much more secure and also faster under heavy load, as the SP server doesn't have to keep sending auth requests to AD.
    Kerberos auth does require extra steps, which makes people shy away from it, but once configured it improves security considerably and can improve performance on high-load sites.
    Should also be configured on the SPCA site! (Best practice: configure SPCA for NLB, SSL, and Kerberos, e.g. https://spca.companyabc.com)
  • 7. Layer 1: Infrastructure Security – Kerberos Step 1: Create the Service Principal Names
    Use the setspn utility to create Service Principal Names in AD, with the following syntax for example:
    Setspn.exe -A HTTP/mysite.companyabc.com DOMAINNAME\MYSITEAppAccount
    Setspn.exe -A HTTP/mysite DOMAINNAME\MYSITEAppAccount
    Setspn.exe -A HTTP/home.companyabc.com DOMAINNAME\HOMEAppAccount
    Setspn.exe -A HTTP/sp DOMAINNAME\HOMEAppAccount
  • 8. Layer 1: Infrastructure Security – Kerberos Step 2: Enable Kerberos between SP and SQL
    Use setspn to create SPNs for the SQL Service Account
    SPNs need to match the name that SharePoint uses to connect to SQL (ideally a SQL Alias, more on this later)
    Syntax similar to the following:
    Setspn.exe -A MSSQLSvc/spsql:1433 COMPANYABC\SRV-SQL-DB
    Setspn.exe -A MSSQLSvc/spsql.companyabc.com:1433 COMPANYABC\SRV-SQL-DB
    MSSQLSvc/host:1433 = default instance; for a named instance, specify the instance name instead
    In this example, SRV-SQL-DB is the SQL Admin account
  • 9. Layer 1: Infrastructure Security – Kerberos Step 3: Allow Accounts to Delegate (Optional)
    Required only for Excel Services and other impersonation applications.
    On all SP computer accounts and on the Application Identity accounts, check the box in ADUC to allow for delegation.
    In ADUC, navigate to the computer or user account, right-click and choose Properties.
    Go to the Delegation tab
    Choose Trust this user/computer for delegation to any service (Kerberos)
  • 10. Layer 1: Infrastructure Security – Kerberos Step 4: Enable Kerberos on Web Application
    Go to Application Management – Authentication Providers
    Choose the appropriate Web Application
    Click on the link for 'Default' under Zone
    Change to Integrated Windows Authentication - Kerberos (Negotiate)
    Run iisreset /noforce from the command prompt
    If creating the Web App from scratch, this step may be unnecessary if you choose Negotiate from the beginning
  • 11. Layer 2: Data Security
  • 12. Layer 2: Data Security – Role Based Access Control (RBAC)
    Role Groups defined within Active Directory (Universal Groups), i.e. 'Marketing', 'Sales', 'IT', etc.
    Role Groups added directly into SharePoint 'Access Groups' such as 'Contributors', 'Authors', etc.
    Simply by adding a user account into the associated Role Group, they gain access to whatever rights their role requires.
    SharePoint Group
  • 13. Layer 2: Data Security – SQL Transparent Data Encryption (TDE)
    SQL Server 2008 and 2008 R2 Enterprise Edition feature
    Encrypts SQL databases transparently; SharePoint is unaware of the encryption and does not need a key
    Encrypts the backups of the database as well
    (c) 2011 Microsoft. All rights reserved.
  • 14. Layer 2: Data Security – TDE vs. Cell Level Encryption
    Available with either SQL 2005 or SQL 2008
    Encrypts individual cells in a database
    Requires a password to access the cell
    Requires that columns be changed from their original data type to varbinary
    Advantage is that only specific info is encrypted
    Disadvantage is that you cannot use this for SharePoint databases
  • 15. Layer 2: Data Security – TDE vs. File Level Encryption
    Two forms, the older Encrypting File System (EFS) and BitLocker
    EFS encrypts data at the file level
    BitLocker encrypts data at the volume level
    BitLocker encrypts every file on the disk, not just database files
    Could be used together with TDE
  • 16. Layer 2: Data Security – SQL Transparent Data Encryption (TDE) Limitations
    Does not encrypt the communication channel (IPSec can be added)
    Does not protect data in memory (DBAs could access)
    Cannot take advantage of SQL 2008 Backup Compression
    TempDB is encrypted for the entire instance, even if only one DB is enabled for TDE, which can have a performance effect on other DBs
    Replication or FILESTREAM data is not encrypted when TDE is enabled (i.e. RBS BLOBs are not encrypted)
  • 17. Key and Cert Hierarchy
    Windows OS level: Data Protection API (DPAPI) encrypts the Service Master Key (SMK)
    SQL instance level: SMK encrypts the Database Master Key (DMK) for the master DB
    master DB level: DMK creates the Certificate in the master DB
    Content DB level: Certificate encrypts the Database Encryption Key (DEK); DEK is used to encrypt the Content DB
  • 18. Layer 2: Data Security – SQL TDE Step 1: Creating the Database Master Key (DMK)
    Symmetric key used to protect private keys and asymmetric keys
    Protected itself by the Service Master Key (SMK), which is created by SQL Server setup
    Use syntax as follows:
    USE master;
    GO
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC';
    GO
  • 19. Layer 2: Data Security – SQL TDE Step 2: Creating the TDE Certificate
    Protected by the DMK
    Used to protect the database encryption key
    Use syntax as follows:
    USE master;
    GO
    CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate';
    GO
  • 20. Layer 2: Data Security – SQL TDE Step 3: Backup the Master Key
    Without a backup, data can be lost
    Backup creates two files, the Cert backup and the Private Key File
    Use following syntax:
    USE master;
    GO
    BACKUP CERTIFICATE CompanyABCtdeCert TO FILE = 'c:\Backup\CompanyABCtdeCERT.cer'
    WITH PRIVATE KEY (
    FILE = 'c:\Backup\CompanyABCtdeDECert.pvk',
    ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' );
    GO
  • 21. Layer 2: Data Security – SQL TDE Step 4: Creating the Database Encryption Key (DEK)
    DEK is used to encrypt a specific database
    One created for each database
    Encryption method can be chosen for each DEK
    Use following syntax:
    USE SharePointContentDB;
    GO
    CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert;
    GO
  • 22. Layer 2: Data Security – SQL TDE Step 5: Enable TDE on the Database(s)
    Data encryption will begin after running the command
    Size of DB will determine the time it takes; it can be lengthy and could cause user blocking
    Use following syntax:
    USE SharePointContentDB;
    GO
    ALTER DATABASE SharePointContentDB
    SET ENCRYPTION ON;
    GO
  • 23. Layer 2: Data Security – SQL TDE Step 6: Monitor the TDE Encryption Progress
    State is returned
    State of 2 = Encryption begun
    State of 3 = Encryption complete
    Use following syntax:
    USE SharePointContentDB;
    GO
    SELECT *
    FROM sys.dm_database_encryption_keys
    WHERE encryption_state = 3;
    GO
  • 24. Layer 2: Data Security – SQL TDE: Restoring a TDE Database to Another Server
    Step 1: Create a new Master Key on the Target Server (does not need to match the source master key)
    Step 2: Backup Cert and Private Key from Source
    Step 3: Restore Cert and Private Key onto Target (no need to export the DEK as it is part of the backup)
    USE master;
    GO
    CREATE CERTIFICATE CompanyABCtdeCert
    FROM FILE = 'C:\Restore\CompanyABCtdeCert.cer'
    WITH PRIVATE KEY (
    FILE = 'C:\Restore\CompanyABCtdeCert.pvk'
    , DECRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!'
    );
    GO
    Step 4: Restore DB
  • 25.
  • 26. Layer 2: Data Security – SharePoint Antivirus
  • 27.
  • 28. Layer 2: Data Security – SharePoint Antivirus VSAPI
    Realtime scanning only uses the VSAPI
    Realtime scan settings are administered through the SharePoint Central Admin tool
    Realtime options are grayed out in the Forefront Admin Console
  • 29. Layer 2: Data Security – SharePoint Antivirus: FPS Keyword and File Filtering
    Look for specific keywords (sensitive company info, profanity, etc.)
    Block
    Simply detect and notify
    Create Filter List
    Add keywords, either manually or in bulk as lines in a text file
  • 30. Layer 2: Data Security – SharePoint Antivirus: FPS Profanity Filters
    New profanity lists in 11 languages available in SP2
    (Run KeywordInstaller.msi to install)
    Import the lists into FF from Program Files\Microsoft Forefront Security\SharePoint\Data\Example Keywords
  • 31.
  • 32. Layer 3: Transport Security
  • 33. Layer 3: Transport Security – Client to Server: Using Secure Sockets Layer (SSL) Encryption
    External or internal certs highly recommended
    Protects transport of content
    20% overhead on Web Servers
    Can be offloaded via SSL offloaders if needed
    Don't forget SPCA as well!
  • 34. Layer 3: Transport Security – Server to Server: Using IPSec to encrypt traffic
    By default, traffic between SharePoint servers (i.e. Web and SQL) is unencrypted
    IPSec encrypts all packets sent between servers in a farm
    For very high security scenarios when all possible data breaches must be addressed
  • 35. Layer 4: Edge Security
  • 36. Layer 4: Edge Security – Forefront Unified Access Gateway (UAG) 2010
  • 37.
  • 38. Layer 4: Edge Security – UAG Comparison with Forefront TMG
  • 39. Layer 5: Rights Management
  • 40. Layer 5: Rights Management – Active Directory Rights Management Services (AD RMS)
    AD RMS is a form of Digital Rights Management (DRM) technology, used in various forms to protect content
    Used to restrict activities on files AFTER they have been accessed:
    Cut/Paste
    Print
    Save As…
    Directly integrates with SharePoint DocLibs
  • 41. Layer 5: Rights Management – How AD RMS Works
    On first use, authors receive a client licensor certificate from the RMS server
    Author creates content and assigns rights
    File is distributed to recipient(s)
    Recipient opens the file, and their RMS client contacts the server for user validation and to obtain a license
    Application opens the file and enforces the restrictions
  • 42. Layer 5: Rights Management – Installing AD RMS – Key Storage
    Select Cluster Key Storage
    CSP used for advanced scenarios
  • 43. Layer 5: Rights Management – Installing AD RMS – Creating the Cluster Name
  • 44. Layer 5: Rights Management – Installing AD RMS – Using an SSL Cert for Transport Encryption
  • 45. Layer 5: Rights Management – Allowing SharePoint to use AD RMS
    By default, the RMS server is configured to only allow the local system account of the RMS server or the Web Application Identity accounts to access the certificate pipeline directly
    SharePoint web servers and/or Web Application Service Accounts need to be added to this security list
    Add the RMS Service Group, the machine account(s) of the SharePoint Server and the Web App Identity accounts with Read and Execute permissions to the ServerCertification.asmx file in the %systemroot%\inetpub\wwwroot\_wmcs\Certification folder on the RMS server
  • 46.
  • 47. Layer 5: Rights Management – Client Accessing AD RMS Documents
    RMS-enabled client, when accessing a document in a doclib, will access the RMS server to validate credentials
  • 48. Layer 5: Rights Management – Client Accessing AD RMS Documents
    Effective permissions can be viewed from the document
    The RMS client will enforce the restrictions
  • 49. http://microsoftvirtualacademy.com
    Submit your session evaluation for a chance to win!
    Sponsored by MVA
  • 50. Creating the future together
  • 51. Thanks for attending! Questions?
    Michael Noel
    Twitter: @MichaelTNoel
    www.cco.com
    Slides: slideshare.net/michaeltnoel
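The SPN registration on slides 7 and 8 uses setspn -A, which writes the SPN without checking whether another account already holds it; a duplicate SPN is the most common reason a "Kerberos-enabled" web application silently falls back to NTLM. The following PowerShell script is an added example, not code from the slides or the speaker: it registers the same SPNs idempotently, refuses duplicates, runs a forest-wide duplicate sweep, and finishes with the klist check a practitioner uses after slide 10 to confirm a ticket was actually issued. The host names, the SQL alias spsql and the account names are the slides' illustrative values; setspn -S needs Windows Server 2008 or later and an account allowed to write servicePrincipalName.

```powershell
# Added example (not from the slides or the speaker): registers the SPNs from slides 7
# and 8 without creating duplicates. A duplicate SPN makes the KDC refuse to issue a
# ticket, so the client quietly falls back to NTLM; that is the failure this script avoids.
# Assumed values: the host names, the SQL alias 'spsql' and the account names are the
# slides' illustrative examples. Needs setspn.exe (-S requires Windows Server 2008 or later)
# and an account allowed to write servicePrincipalName in AD.

$SpnMap = @(
    @{ Spn = 'HTTP/mysite.companyabc.com';         Account = 'COMPANYABC\MYSITEAppAccount' }
    @{ Spn = 'HTTP/mysite';                        Account = 'COMPANYABC\MYSITEAppAccount' }
    @{ Spn = 'HTTP/home.companyabc.com';           Account = 'COMPANYABC\HOMEAppAccount' }
    @{ Spn = 'HTTP/sp';                            Account = 'COMPANYABC\HOMEAppAccount' }
    # SQL SPNs carry the name SharePoint connects to (the alias), not the physical server name.
    @{ Spn = 'MSSQLSvc/spsql:1433';                Account = 'COMPANYABC\SRV-SQL-DB' }
    @{ Spn = 'MSSQLSvc/spsql.companyabc.com:1433'; Account = 'COMPANYABC\SRV-SQL-DB' }
)

function Get-RegisteredSpns {
    # SPNs already set on one account (setspn -L), trimmed and lower-cased for comparison.
    param([Parameter(Mandatory)][string]$Account)
    $out = & setspn.exe -L $Account 2>&1
    return @($out | Where-Object { "$_" -match '/' } | ForEach-Object { "$_".Trim().ToLowerInvariant() })
}

function Test-SpnHeldByAnyone {
    # True when any object in the forest already holds the SPN (setspn -Q).
    param([Parameter(Mandatory)][string]$Spn)
    $out = & setspn.exe -Q $Spn 2>&1
    return [bool]("$out" -match 'Existing SPN found')
}

function Register-Spn {
    # Registers $Spn on $Account unless it is already there or would duplicate another
    # account's SPN. Returns 'present', 'duplicate' or 'registered'.
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$Account
    )
    if ((Get-RegisteredSpns -Account $Account) -contains $Spn.ToLowerInvariant()) { return 'present' }
    if (Test-SpnHeldByAnyone -Spn $Spn) {
        Write-Warning "$Spn is already registered on a different account; resolve it (setspn -X lists duplicates) before expecting Kerberos to work"
        return 'duplicate'
    }
    # -S re-checks for duplicates inside AD before writing, unlike -A as used on the slide.
    & setspn.exe -S $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $Spn (exit code $LASTEXITCODE)" }
    return 'registered'
}

$results = foreach ($entry in $SpnMap) {
    [pscustomobject]@{ Spn = $entry.Spn; Account = $entry.Account; Result = (Register-Spn @entry) }
}
$results | Format-Table -AutoSize

# Forest-wide duplicate sweep: any SPN printed here will not get Kerberos tickets.
& setspn.exe -X

# After slide 10's step (Negotiate on the web application, then iisreset) browse the site
# from a client and confirm a service ticket for the HTTP SPN was issued. No HTTP/ ticket
# in klist means the browser fell back to NTLM.
klist | Select-String -Pattern 'HTTP/'
```

Run it once per farm; re-running is harmless because every SPN already on the right account reports 'present'. The 'duplicate' result is the one to act on: it means a second account (often a decommissioned service account or a server that used to host the site) still claims the name.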
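Slide 12 describes the RBAC model (AD universal role groups are the only members of SharePoint groups; people are managed in AD), but the model only holds if nobody later adds individual users directly. The following PowerShell script is an added example, not code from the slides or the speaker: it creates the role groups, adds them to SharePoint groups, and then audits the site for the two ways the model gets bypassed, a person placed directly in a SharePoint group and a person granted a direct role assignment. The domain COMPANYABC, the OU, the site URL and the SharePoint group names are assumptions, and the web application is assumed to be classic (Windows) mode as on slide 6, so login names are plain DOMAIN\name.

```powershell
# Added example (not from the slides or the speaker): wires AD universal role groups into
# SharePoint groups as slide 12 describes, then audits the site for members that bypass
# the model. Assumed values: domain COMPANYABC, the OU for role groups, the site URL and
# the SharePoint group names; classic-mode web application, so logins are DOMAIN\name.
# Run in the SharePoint Management Shell on a farm server with the ActiveDirectory module.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Domain  = 'COMPANYABC'
$RoleOu  = 'OU=Role Groups,DC=companyabc,DC=com'
$SiteUrl = 'https://home.companyabc.com'

# Role group (AD) -> SharePoint group it belongs in. One row per role, never per person.
$RoleToSharePointGroup = @{
    'Marketing' = 'Home Members'
    'Sales'     = 'Home Members'
    'IT'        = 'Home Owners'
}

function Ensure-RoleGroup {
    # Creates the AD universal security group if it does not exist and returns it.
    param([Parameter(Mandatory)][string]$Name)
    $group = Get-ADGroup -Filter "Name -eq '$Name'"
    if (-not $group) {
        $group = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Universal `
                             -GroupCategory Security -Path $RoleOu -PassThru
    }
    return $group
}

function Add-RoleGroupToSite {
    # Puts the AD group itself into the SharePoint group; people are managed in AD only.
    param([Parameter(Mandatory)][string]$RoleName, [Parameter(Mandatory)][string]$SPGroup)
    $alias    = "$Domain\$RoleName"
    $existing = Get-SPUser -Web $SiteUrl -Identity $alias -ErrorAction SilentlyContinue
    if ($existing -and ($existing.Groups | Where-Object { $_.Name -eq $SPGroup })) { return 'present' }
    New-SPUser -UserAlias $alias -Web $SiteUrl -Group $SPGroup | Out-Null
    return 'added'
}

function Find-RbacExceptions {
    # Audit: every SharePoint group member that is a person rather than an AD group, plus
    # any role assignment granted directly to a person. Each row is a bypass of the model.
    $web = Get-SPWeb $SiteUrl
    try {
        return @(
            foreach ($g in $web.Groups) {
                foreach ($u in $g.Users) {
                    if (-not $u.IsDomainGroup) {
                        [pscustomobject]@{ Where = "SharePoint group '$($g.Name)'"; Principal = $u.LoginName }
                    }
                }
            }
            foreach ($ra in $web.RoleAssignments) {
                if ($ra.Member -is [Microsoft.SharePoint.SPUser] -and -not $ra.Member.IsDomainGroup) {
                    [pscustomobject]@{ Where = 'Direct permission on site'; Principal = $ra.Member.LoginName }
                }
            }
        )
    } finally { $web.Dispose() }
}

foreach ($role in $RoleToSharePointGroup.Keys) {
    Ensure-RoleGroup -Name $role | Out-Null
    $state = Add-RoleGroupToSite -RoleName $role -SPGroup $RoleToSharePointGroup[$role]
    "$role -> $($RoleToSharePointGroup[$role]): $state"
}
Find-RbacExceptions | Format-Table -AutoSize
```

The audit is the part worth scheduling: an empty result from Find-RbacExceptions is the evidence that authorization on the site is still driven entirely by AD group membership, which is what makes joiner/mover/leaver handling a single AD change rather than a per-site cleanup.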
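Slides 18 to 24 give the T-SQL for each TDE step, and slide 20 warns that data is lost without a certificate backup, but nothing on the slides shows how to verify the backup happened before ALTER DATABASE ... SET ENCRYPTION ON is run, or how to read the encryption_state codes from slide 23 for every database at once (including tempdb, the slide 16 side effect). The following PowerShell script, using Invoke-Sqlcmd from the SqlServer or SQLPS module, is an added example and not code from the slides or the speaker; the SQL alias spsql and the certificate name are the slides' values, everything else is assumed.

```powershell
# Added example (not from the slides or the speaker). Pre-flight and progress checks around
# slides 18-24: (1) the TDE certificate's private key must have been backed up (slide 20),
# (2) per-database encryption state with the numeric codes from slide 23 resolved to names,
# (3) a reminder that tempdb is encrypted for the whole instance (slide 16).
# Assumed values: the SQL alias 'spsql' and the certificate name from the slides.
Import-Module SqlServer -ErrorAction SilentlyContinue   # SQLPS on older hosts also provides Invoke-Sqlcmd
$Instance = 'spsql'
$CertName = 'CompanyABCtdeCert'

# encryption_state values of sys.dm_database_encryption_keys
$StateNames = @{
    0 = 'No DEK present, not encrypted'
    1 = 'Unencrypted'
    2 = 'Encryption in progress'
    3 = 'Encrypted'
    4 = 'Key change in progress'
    5 = 'Decryption in progress'
    6 = 'Protection change in progress'
}

function Test-TdeCertificateBackedUp {
    # $true only if the certificate exists in master and its private key has a backup date.
    $q   = "SELECT name, pvt_key_last_backup_date FROM sys.certificates WHERE name = N'$CertName';"
    $row = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $q
    if (-not $row) { Write-Warning "Certificate $CertName not found in master"; return $false }
    if ($row.pvt_key_last_backup_date -is [DBNull]) {
        Write-Warning "Private key of $CertName has never been backed up (slide 20); do not enable TDE yet"
        return $false
    }
    return $true
}

function Get-TdeStatus {
    # One row per database that has a DEK, with the state name and the certificate protecting it.
    $q = @"
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state, k.percent_complete, k.key_algorithm, k.key_length,
       c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint;
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $q | ForEach-Object {
        [pscustomobject]@{
            Database    = $_.database_name
            State       = "$($_.encryption_state) = $($StateNames[[int]$_.encryption_state])"
            Percent     = $_.percent_complete
            Algorithm   = "$($_.key_algorithm)_$($_.key_length)"
            Certificate = $_.certificate_name
        }
    }
}

if (Test-TdeCertificateBackedUp) {
    $status = Get-TdeStatus
    $status | Format-Table -AutoSize
    # Slide 16: tempdb appears here as soon as any database on the instance is encrypted.
    if ($status | Where-Object { $_.Database -eq 'tempdb' }) {
        Write-Warning 'tempdb is encrypted: every database on this instance now pays the TDE cost'
    }
    # Slide 23 equivalent across all databases: which ones are still in state 2?
    $status | Where-Object { $_.State -like '2 =*' } |
        ForEach-Object { "Still encrypting: $($_.Database) ($($_.Percent)%)" }
}
```

The certificate query runs against master because that is where the TDE certificate from slide 19 lives; the DMV join resolves which certificate each content database's DEK is protected by, which is the detail you need when restoring to another server as on slide 24.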
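Slide 45 lists which principals need Read and Execute on ServerCertification.asmx but shows no way to apply or verify the grant. The following PowerShell script is an added example and not code from the slides or the speaker: it adds the ACEs with .NET file ACL objects and then audits the file so a missing grant is caught before SharePoint's RMS calls start failing. The SharePoint web server name SPWEB01, the web application identity account and the file path are assumptions; slide 45 gives the folder as %systemroot%\inetpub\wwwroot\_wmcs\Certification, while the default IIS root normally sits on the system drive, so confirm the actual _wmcs path on the RMS server first.

```powershell
# Added example (not from the slides or the speaker): grants the principals named on slide 45
# Read & Execute on ServerCertification.asmx and then audits the ACL.
# Assumed values: SharePoint web server SPWEB01, the web application identity account, and
# the file path (slide 45 says %systemroot%\inetpub\...; the default IIS root is normally on
# the system drive, so verify the real _wmcs folder on your RMS server before running).
$AsmxPath   = 'C:\inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$Principals = @(
    'AD RMS Service Group'        # local group created by the AD RMS installer
    'COMPANYABC\SPWEB01$'         # SharePoint web server machine account
    'COMPANYABC\HOMEAppAccount'   # web application identity (classic mode)
)
$Wanted = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Grant-CertificationPipeline {
    # Adds an Allow ACE for Read & Execute on the .asmx; existing ACEs are left alone.
    param([Parameter(Mandatory)][string]$Principal)
    $acl  = Get-Acl -Path $AsmxPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, $Wanted, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $AsmxPath -AclObject $acl
}

function Test-CertificationPipelineAccess {
    # One row per principal: HasReadExecute is $true when an Allow ACE for that account
    # (matched on the name after the domain or machine prefix) covers Read & Execute.
    $acl = Get-Acl -Path $AsmxPath
    foreach ($p in $Principals) {
        $leaf = ($p -split '\\')[-1]
        $ace  = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.IdentityReference.Value -eq $p -or $_.IdentityReference.Value -like "*\$leaf") -and
            (($_.FileSystemRights -band $Wanted) -eq $Wanted)
        }
        [pscustomobject]@{ Principal = $p; HasReadExecute = [bool]$ace }
    }
}

foreach ($p in $Principals) { Grant-CertificationPipeline -Principal $p }
Test-CertificationPipelineAccess | Format-Table -AutoSize
```

Grant only the machine accounts and identity accounts that actually front RMS-protected libraries: the certificate pipeline is what lets a caller obtain rights account certificates on behalf of users, so the ACL on this one file is effectively the list of servers trusted to act for every RMS user.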