Who do you trust to manage all the different parts of your SharePoint farm?
- Kerberos: Less traffic between servers, clients, and domain controllers. It uses tickets instead of tokens, so it doesn't have to do a double hop to AD with each request. Much more planning needed.
- Anonymous: Instead, add the All Authenticated Users group. This way actions can be traced to users.
Active Directory Domain Services (AD DS) stores directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches. An Active Directory domain controller is a server that is running AD DS. It is used for many things in your organization besides SharePoint.
The potential for SharePoint to be used and accessed by people outside your organization… 2010 makes it easier!
Organizations don't want external user accounts within their internal domains, so forms-based authentication is used.
Less user management
Seeing more and more login pages with “use facebook or twitter to log in”
We're going to be talking mostly about securing intranet content, not an extranet.
Break the inheritance and customize the Read permission level for a subsite to define what “read” really means to your organization
Still hard to manage at lower levels
More work! Harder to manage!
They're designed to make your life easier… I swear!
If you restore inherited permissions, the child object will inherit its users, groups, and permission levels from the parent again, and you will lose any users, groups, or permission levels that were unique to the child object.
Why Permissions Drive your Governance Strategy
Christian Buckley, Director of Product Evangelism at Axceler
• Microsoft MVP for SharePoint Server
• Most recently at Microsoft, part of the Microsoft Managed Services team (now Office365-Dedicated) and then Advertising Operations
• Prior to Microsoft, was a senior consultant, working in the software, supply chain, and grid technology spaces focusing on collaboration
• Co-founded and sold a collaboration software company to Rational Software. At another startup (E2open), helped design, build, and deploy a SharePoint-like collaboration platform (Collaboration Manager), onboarding numerous high-tech manufacturing companies, including Hitachi, Matsushita (Panasonic), and Seagate
• Co-authored "Microsoft SharePoint 2010: Creating and Implementing Real-World Projects" (MS Press, March 2012) and 3 books on software configuration management
• Twitter: @buckleyplanet Blog: buckleyplanet.com Email: firstname.lastname@example.org
Just released from Microsoft Press. Order your copy at http://oreil.ly/qC4loT
Tackle 10 common business problems with proven SharePoint solutions:
• Set up a help desk solution to track service requests
• Build a modest project management system
• Design a scheduling system to manage resources
• Create a site to support geographically dispersed teams
• Implement a course registration system
• Build a learning center with training classes and resources
• Design a team blog platform to review content
• Create a process to coordinate RFP responses
• Set up a FAQ system to help users find answers quickly
• Implement a cost-effective contact management system
Axceler: Improving Collaboration since 2007
Mission: To enable enterprises to simplify, optimize, and secure their collaborative platforms
• Delivered award-winning administration and migration software since 1994, for SharePoint since 2007
• Over 2,000 global customers
• Dramatically improve the management of SharePoint
• Innovative products that improve security, scalability, reliability, "deployability"
• Making IT more effective and efficient and lowering the total cost of ownership
• Focus on solving specific SharePoint problems (Administration & Migration)
• Coach enterprises on SharePoint best practices
• Give administrators the most innovative tools available
• Anticipate customers' needs
• Deliver best of breed offerings
• Stay in lock step with SharePoint development and market trends
What do your permissions look like in SharePoint?
• You deployed SharePoint out-of-the-box
• You had no specific plan for permissions
• The business grew and evolved
• People came and went
• Projects came and went
• And suddenly you found yourself with a bit of a mess
Governance is about taking action to help your organization organize, optimize, and manage your systems and resources.
• SharePoint out of the box is a powerful platform
• But many organizations don't think they have the time, money, people to spend on planning
• The same can be said for governance
• The result?
  o Site sprawl
  o Unfettered content
  o Process lawlessness
• Central to your governance implementation is understanding roles and responsibilities within your SharePoint environment
• Understanding how the organization uses SharePoint
• Identifying secure content within the environment
• Determining who needs access
• Creating policies that secure and protect, but are also flexible enough to meet the growing demands of your organization to collaborate
It starts with a plan
• How granular do you need to control access to your content?
• Who manages all the different parts of your SharePoint farm?
• How do you want to manage your users?
Securable Objects
• What can we secure?
  o Site
  o Library or List
  o Folder
  o Document or Item
A SharePoint environment must support user accounts that can be authenticated by a trusted authority. How do you authenticate your users?
Windows Authentication
• NT LAN Manager (NTLM):
  o Microsoft security protocol; users are authenticated by using the credentials on the running thread
  o Simple to implement, but SharePoint will not be integrated with other applications
• Kerberos:
  o If your SharePoint sites use external data
  o Credentials passed from one server to another ("double hop")
  o Faster, more secure, and can be less error prone than NTLM
• Anonymous Access:
  o No authentication needed to browse the site
• Authentication based on user account and password from AD
• This works well for Windows environments
• However, do you need support for internal, partner, or cloud-based computing models?
Planning for Extranets
• Credentials stored in:
  o Lightweight Directory Access Protocol (LDAP) data store (Novell, Sun)
  o AD DS
  o SQL or other database
  o Custom or third-party membership and role providers
• In SharePoint 2010, forms-based authentication is only available when you use claims-based authentication
Claims-based authentication
• Usually for external customers or partners
• Defined at the web application level
• An outside identity provider authenticates users
• A claim is just a piece of information describing a user (name, email, age, hire date, etc.) used to authenticate the user
Integration with Facebook, Google, Live ID, etc. is becoming more and more common. A scenario:
1. "I'd like to access the Axceler Microsoft technology partners site."
2. "Not until you can prove to me that you are in the Axceler Microsoft technology partners group."
3. "Here is my Live ID and password."
4. "Hi, Steve. I see you are in the Axceler Microsoft technology partners group. Here is a token you can use."
5. "I'd like to access the Axceler Microsoft technology partner document, and here's proof I have access to it!"
How do we make permissions management part of our governance plan?
[Diagram: SharePoint hierarchy. Farm > Web App > Site Collection > Site > Sub-site; each site or sub-site holds Lists/Libraries.]
[Diagram: the farm level of the hierarchy (Farm > Web App > Site Collection > Site > Sub-site) highlighted.]
Define the role:
• Assigned in Central Admin and has permission to all servers and settings in the farm
• Central Administration access, create new web apps, manage services, stsadm/PowerShell commands
• Can take ownership of content, and make themselves Site Collection Administrators
[Diagram: the site collection level of the hierarchy (Site Collection > Site > Sub-site) highlighted.]
Define the role:
• Given full control over all sites in a site collection
• Access to settings pages: manage users, restore items, manage site hierarchy
• Cannot access Central Admin
Other Permission Levels
Define the roles:
• Site Admins, Team Leads, Power Users, End Users
• Collections of permissions that allow users to perform a set of related tasks
• Defined at the site collection level
SharePoint Groups
A group of users that is defined at the site collection level for easy management of permissions
• The default SharePoint groups are Owners, Visitors, and Members, with Full Control, Read, and Contribute as their default permission levels respectively
• Anyone with Full Control permission can create custom groups
Permission Levels
The default permission levels are Full Control, Design, Contribute, Read, and Limited Access
• What does "Read" mean to your organization?
Permissions are applied on objects:
1. Directly to users
2. Directly to domain groups (visibility warning)
3. To SharePoint Groups
SharePoint 2010 lets administrators use Check Permissions to determine a user's or group's permissions on all content
Inheritance
If all sites and site content inherit those permissions defined at the site collection, what's so hard about managing permissions if they are defined so high in the hierarchy?
Fine Grained Permissions
Sites, lists, libraries, folders, documents, and items can all have unique security… but that doesn't mean they should
Breaking inheritance:
• Copies groups, users, and permission levels from the parent object to the child object
• Changes to the parent object do not affect the child
"If you use fine-grained permissions extensively, you will spend more time managing the permissions, and users will experience slower performance when they try to access site content" ~Planning site permissions, TechNet http://bit.ly/InKv9i
As a result, permissions management (additions, deletions, edits) is done one securable object at a time!
Performance is reduced once 1000 objects have broken inheritance in a list or library
• Sites, lists, and libraries need to build security-trimmed navigation
• List load time increases
*Apply unique permissions to folders if need be*
Deleted and disabled Active Directory users are not updated in SharePoint
• Permissions
• User Profiles
• My Sites
SharePoint is designed to have site administrators and power users
• Train your admins and power users! "I didn't know that restoring inheritance would remove our unique security model!" ~Countless well-intentioned site admins
• Manage power users through the "Owners" SharePoint groups
• Limit the members to only those users you trust to change the structure, settings, or appearance of the site
Make most users members of the Members or Visitors groups
• The Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site.
• The Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.
If you do break inheritance, Microsoft recommends using groups to avoid having to track individual users
• People move in and out of teams and change responsibilities frequently
• Tracking those changes and updating the permissions for uniquely secured objects would be time-consuming and error-prone.
• Arrange sites and sub-sites, and lists and libraries, so they can share most permissions
• Separate sensitive data into their own lists, libraries, or sub-site
• Microsoft provides a permissions worksheet (Excel file) http://bit.ly/SK0bP6
Administrators can audit permission changes by going to the site collection's settings page
Christian Buckley
cbuck@axceler.com
+1 425-246-2823
@buckleyPLANET
www.buckleyPLANET.com and http://info.axceler.com
Order your copy at http://oreil.ly/qC4loT
Additional Resources available:
• Permissions Worksheet (Microsoft) http://bit.ly/SK0bP6
• Developing and Enforcing SharePoint Governance Policies with Axceler ControlPoint http://bit.ly/SJVq8a
• What to Look for in a SharePoint Management Tool http://bit.ly/l26ida
• The Five Secrets to Controlling Your SharePoint Environment http://bit.ly/kzdTjZ
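The two governance checks the deck recommends (find permissions granted directly to users instead of groups, and find lists approaching the 1000 broken-inheritance objects guidance) as an added PowerShell example; this is not code from the deck or from Axceler, it uses only the SharePoint 2010 server object model, and the site collection URL is a placeholder you would replace.

```powershell
# Added example (not from the deck): audit fine-grained permissions in one site collection.
# Assumes the SharePoint 2010 Management Shell (Microsoft.SharePoint.PowerShell snap-in) on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.com/sites/placeholder"   # placeholder, not a real site
$uniqueItemWarning = 1000   # deck guidance: performance drops once 1000 objects in a list break inheritance

function Get-DirectUserAssignments($securable, $path) {
    # Report role assignments granted straight to a user (not a SharePoint group, not a domain group).
    foreach ($ra in $securable.RoleAssignments) {
        $member = $ra.Member
        if ($member -is [Microsoft.SharePoint.SPUser] -and -not $member.IsDomainGroup) {
            $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            New-Object PSObject -Property @{
                Object    = $path
                Principal = $member.LoginName
                Levels    = $levels
            }
        }
    }
}

$site = Get-SPSite $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        # Only objects with unique role assignments can carry their own direct-user grants.
        if ($web.HasUniqueRoleAssignments) {
            Get-DirectUserAssignments $web $web.Url
        }
        foreach ($list in $web.Lists) {
            if ($list.HasUniqueRoleAssignments) {
                Get-DirectUserAssignments $list ($web.Url + "/" + $list.Title)
            }
            # Count items that break inheritance. This walks every item, so run it off-hours on large lists.
            $brokenItems = @($list.Items | Where-Object { $_.HasUniqueRoleAssignments }).Count
            if ($brokenItems -ge $uniqueItemWarning) {
                $msg = "{0}/{1}: {2} items with unique permissions (guidance limit {3})"
                Write-Warning ($msg -f $web.Url, $list.Title, $brokenItems, $uniqueItemWarning)
            }
        }
        $web.Dispose()
    }
} finally {
    $site.Dispose()
}
```

Pipe the output to Export-Csv to hand site owners a list of direct-user grants to move into SharePoint groups; the warnings identify lists where unique permissions should be consolidated onto folders or split into a separate library.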