Securing Knowledge and Collaboration Systems SharePoint 2010

The SharePoint security model can be confusing, with its deep hierarchy of securable objects, granular permissions and policies, and clunky user and group management interfaces. This session demystifies SharePoint security by dissecting each of these components and presenting best practices for implementing and managing security. Learn when and why it makes sense to leverage Active Directory groups or use SharePoint groups, and take away options for new permission levels and settings that address common business requirements.


  1. Securing Knowledge and Collaboration Systems: Permissions, Identities, and Objects
     K. Mohamed Faizal, Lead Consultant, NCS (P) Ltd.
     http://faizal-comeacross.blogspot.com/
     ANSES RahRah 9
  2. About Me
  3. What's the point?
     Security is more than just authentication / authorization
  4. What's the point?
     Security is like dressing for the cold: do it in layers (aka DiD, Defense in Depth)
  5. What's the point?
     In security, the WHY is more important than the HOW
  6. Portal End-to-End Security
  7. Portal focus on
  8. Portal Permission Dependency Chart
     http://skurocks.wordpress.com/category/sharepoint/sharepoint-security/
  9. SharePoint Security in a Nutshell
     - Securable object
     - Roles (permission levels)
     - Role assignments ("assigning permissions")
     - Record policies
     - Auditing
     - Authentication
     - Users and groups
     - Web application policy
     (diagram labels: Policy, Identity/Claim, Role (permission level), Group, Securable Object, Record, Authentication, Authorization)
  10. Key Concepts: Claims-Based Access Terminology
     Identity: "Set of attributes that describes a principal (e.g. a user) such as name, gender, age, email address, driver license number, group membership"
     Example identity for the person Mohamed Faizal: Name: Mohamed Faizal; DOB: 10 Jan 1973; Eye Color: Black; Role: SG Citizen
  11. Key Concepts: Claims-Based Access Terminology
     Claim: "An attribute about an identity issued by an authority"
     Identity Provider: "Trusted authority that creates and issues claims"
     Relying Party: "Application that makes authorisation decisions based on claims"
  12. Key Concepts: Claims-Based Access Terminology
     (diagram: the example identity from slide 10, repeated)
  13. Key Concepts: Claims-Based Access Terminology: Token
     Token: "A token consists of a set of claims about the principal, and signed by an authority"
     (diagram: Token = Claim + Claim + Claim + Signature)
  14. Key Concepts: Claims-Based Access Terminology: Token
     (diagram: from the identity of Mohamed Faizal (Name, DOB: 10 Jan 1973, Eye Color: Black, Role: SG Citizen), a token carrying Name: Mohamed Faizal, DOB: 10 Jan 1973, Role: SG Citizen, signed by SG Govt.)
  15. Key Concepts: Claims-Based Access Terminology
     Why claims, not attributes? Trust depends on scenario.
     Identity @ SG Government: Name: Mohamed Faizal; DOB: 10 Jan 1973
     Identity @ Facebook: Name: Mohamed Faizal; DOB: 10 Jan 1990
  16. Benefits of Claims: Current Situation, Single Sign-On
     Different sign-on requirements for applications
     (diagram: Company X, employees)
  17. Benefits of Claims: Current Situation, Sensitive Information Leaks
     Sensitive information is sent via e-mail since partners do not have access to Company X's SharePoint site
     (diagram: Company X, employees, partners)
  18. Benefits of Claims: Current Situation, Time and Labour Intensive and Still Insecure!
     Access requests and password requests handled through the help desk
     Potential unauthorised access
     (diagram: Company X, employees, partners)
  19. Benefits of Claims: Extend the Reach of Collaboration Beyond Your Organisation
     Empower Business
     - Ability to move seamlessly between applications using a single identity
     - Collaborate across organisations securely
     - Making business applications more agile and loosely tied to infrastructure by integrating with cloud services
     Empower IT
     - No need to manage external accounts
     - Simplified and flexible claims-based federation
     - Open & extensible: standards-based and interoperable
     (diagram: Company X, employees, partners)
  24. Sign-in Scenarios
     - Sign in to SharePoint with both Windows and LDAP directory identities
     - Easily configure intranet and extranet users for collaboration
     - Integrate with other customer identity systems (e.g. ADFS, etc.)
     - Use Office applications with non-Windows authentication
  25. Normalizing Identities
     Classic: NT token (Windows identity) → SPUser
     Claims: NT token (Windows identity); SAML 1.1+ (ADFS, etc.); ASP.NET FBA (SQL, LDAP, custom ...) → SAML token → claims-based identity → SPUser
  26. Sign-in Process
  27. End User Experience
  28. End User Experience: Classic Mode
  29. End User Experience: Claims Mode
  30. SharePoint Logical Structure
     Web Application → Site Collection (top-level site) → Site → List / Library → [Folder] → Item / Document
  31. Issue #1: Search
     In SharePoint 2010, by default, enterprise search results are trimmed at query time based on the identity of the user who submitted the query.
     But when users search, the document content appears on the search results page?
     This is a big security issue if you store confidential documents on a SharePoint 2010 intranet portal.
  32. (image-only slide)
  33. Permission Levels
     Permission levels are collections of permissions
     Default: Read, Contribute, Design, Full Control, Limited Access
     Publishing feature: Manage Hierarchy, Approve, Restricted Read
  34. Permission Levels
     Permission levels are collections of permissions
     Defined at the site collection
     How to:
     - Customize an existing permission level
     - Copy an existing permission level and edit the copy
     - Create a new permission level "from scratch"
  35. Issue #2: Permission Level
     SharePoint 2010 is a collaboration portal where you can enable the auto check-in feature, but sometimes a confidential document is checked out by another authorized person who then goes on leave or leaves the organization.
     Now you need to edit the confidential document, but since the document is checked out you are not allowed to edit it.
     The minimum permission required to check in is Manager. How do you overcome this kind of specific security issue?
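One way to handle Issue #2 with the "copy an existing permission level and edit the copy" approach from slide 34. This is an added example, not code from the presentation; it assumes the SharePoint 2010 Management Shell, a placeholder site URL and level name, and that the right needed is Override Check Out (SPBasePermissions.CancelCheckout), which the default Contribute level does not include.

```powershell
# Added example (not from the presentation). Copies the default "Contribute"
# permission level and adds only the Override Check Out right, so a named
# custodian can check in a confidential document someone else left checked out,
# without being promoted to Design or Full Control.
# Assumes the SharePoint 2010 Management Shell; URL and level name are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://intranet.example.local/sites/finance"   # placeholder
$levelName = "Contribute + Override Check Out"               # placeholder
$overrideCheckOut = [Microsoft.SharePoint.SPBasePermissions]::CancelCheckout  # "Override Check Out" in the UI

$site = Get-SPSite $siteUrl
try {
    # Permission levels live at the site collection, i.e. on the root web.
    $web = $site.RootWeb
    $contribute = $web.RoleDefinitions["Contribute"]

    $exists = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if ($exists) {
        Write-Host "Permission level '$levelName' already exists, skipping creation"
    } else {
        # Copy constructor: the new level starts with exactly Contribute's rights.
        $role = New-Object Microsoft.SharePoint.SPRoleDefinition($contribute)
        $role.Name = $levelName
        $role.Description = "Contribute plus the right to discard or check in another user's checkout"
        $role.BasePermissions = $contribute.BasePermissions -bor $overrideCheckOut
        $web.RoleDefinitions.Add($role)
        Write-Host "Created permission level '$levelName'"
    }

    # Review which levels in this site collection carry Override Check Out, so the
    # right stays a deliberate, minimal grant rather than an accidental one.
    $web.RoleDefinitions | ForEach-Object {
        $has = (($_.BasePermissions -band $overrideCheckOut) -ne 0)
        "{0,-40} OverrideCheckOut={1}" -f $_.Name, $has
    }
}
finally {
    $site.Dispose()
}
```

Grant the new level to the custodian on the library that holds the document rather than at the site collection root, so the extra right stays narrowly scoped.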
  36. (image-only slide)
  37. Issue #3: Groups
     SharePoint groups or Active Directory groups: which is best to use for an intranet portal and a collaboration site, and which one is easier to manage?
  38. Group Management Comparison
     Active Directory
     - Technical user interface (AD Users & Computers)
     - No provisioning (requests, workflows)
     - Difficult delegation of membership management
     - Centralized security (group membership) management
     SharePoint
     - Non-technical user interface (compared to ADUC)
     - Easy delegation of group membership management
     - Optional provisioning of membership requests
     - Unified view of SharePoint groups & users
     - Only applies to SharePoint
  39. Using Active Directory Groups
     Assigning permissions directly to AD groups
     - Possible but not recommended
     - Assumes that content will always be hosted in a web application using AD as its auth provider
     Nest Active Directory groups in SharePoint groups
     - Add to a SharePoint group and give permissions (recommended)
     - User → Active Directory group → SharePoint group
     - Must be a security group (not a distribution group)
     - Distribution groups can be used to create audiences
  40. User Information List
     Group information list: Site Settings → People and Groups
     User Information List: /_catalogs/users/simple.aspx
     - This list exists at the site collection level
     - Visible only to administrators with the URL
     - No longer has a link in the UI in 2010
     Users appear when:
     - Added explicitly to the User Information List
     - Given an explicit permission within the site collection
     - Contribute to the site (e.g. able to contribute based on membership in an AD group)
     - Configure an alert
  41. To Nest or Not To Nest
     User → Active Directory group → SharePoint group
     Advantages / Disadvantages / Recommendations
  42. To Nest or Not To Nest: Advantages
     User → Active Directory group → SharePoint group
     - Provides authentication
     - Don't assign SP permissions directly to AD groups; not manageable in the long term
     - Centralized management of groups and security
     - One AD group can provide access to SharePoint, shared folders, etc.
     - User removed from AD group is automatically out of SP groups
  43. To Nest or Not To Nest: Disadvantages
     User → Active Directory group → SharePoint group
     - Limited visibility of what's really happening
     - Site will not appear in the users' My Sites
     - User Information List will not show individual users until they have contributed to the site
     - AD groups with deep nesting or contacts can break SP
  44. To Nest or Not To Nest: Recommendations
     User → Active Directory group → SharePoint group
     Recommendation: based on governance plan
     - Ideal world: synchronization of membership between Active Directory and SharePoint groups (custom code)
     - "Intranet" sites: AD groups → SP groups to define access; add site to users' My Sites with personalization site links
     - "Collab" sites: add users directly to SP groups; provides My Site visibility and visibility of the user in the User Information List
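The recommended pattern from slides 39 and 44 (User → AD group → SharePoint group), as an added example rather than the presenter's code. It assumes a classic-mode (Windows authentication) web application, the SharePoint 2010 Management Shell, and placeholder site, AD group and SharePoint group names.

```powershell
# Added example (not from the presentation): nest an AD security group inside an
# existing SharePoint group instead of granting the AD group permissions directly,
# then report any AD groups that do hold direct role assignments on the site.
# Assumes a classic-mode web application; all names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl  = "http://intranet.example.local/sites/finance"   # placeholder
$adGroup = "CONTOSO\Finance-Readers"                        # placeholder; must be a security group
$spGroup = "Finance Visitors"                               # placeholder SharePoint group that holds Read

$web = Get-SPWeb $webUrl
try {
    # EnsureUser resolves the login against the web application's provider and adds
    # the principal to the hidden User Information List if it is not there yet.
    $principal = $web.EnsureUser($adGroup)
    if (-not $principal.IsDomainGroup) {
        throw "$adGroup resolved to a user, not a domain group"
    }

    # Indexer throws if the SharePoint group does not exist, which is the safe default.
    $group = $web.SiteGroups[$spGroup]

    $already = $group.Users | Where-Object { $_.LoginName -eq $principal.LoginName }
    if ($already) {
        Write-Host "$adGroup is already a member of '$spGroup'"
    } else {
        $group.AddUser($principal)
        Write-Host "Added $adGroup to '$spGroup'"
    }

    # Governance check: AD groups with a direct role assignment on this site, which
    # the slides advise against because it is not manageable in the long term.
    $web.RoleAssignments |
        Where-Object { ($_.Member -is [Microsoft.SharePoint.SPUser]) -and $_.Member.IsDomainGroup } |
        ForEach-Object {
            $levels = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            "Direct grant to AD group {0}: {1}" -f $_.Member.LoginName, $levels
        }
}
finally {
    $web.Dispose()
}
```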
  45. Issue #4: Policy
     In the intranet portal, each department site appears with a different look and feel.
     How do you prevent users from selecting different branding, themes and borders?
  46. Web Application Security
     Central Administration → Application Management → Manage Web Applications
     User Policy
     - Bound to a web application AAM zone
     - Permissions: Full Control, Full Read, Deny Write, Deny All
     - Permission policy allows you to create your own policies
     Scenarios
  47. Managing Permissions
     - Defined at the web application
     - Not typical to modify or disable the permissions at the web app
     - Central Administration → Web Application Management → User Permissions
     - Example: prevent changes to branding: deselect Apply Style Sheets and Apply Themes and Borders
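The two web-application-level controls from slides 46 and 47 (a user policy and the User Permissions rights mask), as an added example that is not from the presentation. It assumes the SharePoint 2010 Management Shell and placeholder web application URL and group name; the Deny Write policy is only an illustration of the policy mechanism.

```powershell
# Added example (not from the presentation): two web-application-scoped controls.
# 1) A user policy bound to the Default zone that denies write for a group across
#    every site collection in the web application, overriding what site owners grant.
# 2) Removing Apply Themes and Borders and Apply Style Sheets from the web
#    application's User Permissions, so no site owner can rebrand a department site (Issue #4).
# Assumes the SharePoint 2010 Management Shell; URL and group name are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://intranet.example.local"   # placeholder
$login     = "CONTOSO\Contractors"              # placeholder security group
$webApp    = Get-SPWebApplication $webAppUrl

# --- 1) User policy (Central Administration > Manage Web Applications > User Policy)
$zone     = [Microsoft.SharePoint.Administration.SPUrlZone]::Default   # policies are bound to an AAM zone
$policies = $webApp.ZonePolicies($zone)
$existing = $policies | Where-Object { $_.UserName -eq $login }
if (-not $existing) {
    $policy    = $policies.Add($login, "Contractors (deny write)")
    $roleType  = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyWrite
    $denyWrite = $webApp.PolicyRoles.GetSpecialRole($roleType)
    $policy.PolicyRoleBindings.Add($denyWrite)
    $webApp.Update()
}

# --- 2) User Permissions (Central Administration > Manage Web Applications > User Permissions)
$brandingRights = [Microsoft.SharePoint.SPBasePermissions]::ApplyThemeAndBorder -bor `
                  [Microsoft.SharePoint.SPBasePermissions]::ApplyStyleSheets
# Clearing a bit in RightsMask removes that right from every permission level in the web app.
$webApp.RightsMask = $webApp.RightsMask -band (-bnot $brandingRights)
$webApp.Update()

# --- Verify both settings
foreach ($p in $webApp.ZonePolicies($zone)) {
    $roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    "Policy {0}: {1}" -f $p.UserName, $roles
}
$stillAllowed = (($webApp.RightsMask -band $brandingRights) -ne 0)
"Branding rights still available in web app: $stillAllowed"
```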
  48. Issue #5: Audit
     SharePoint has an audit logging feature, but most organizations don't turn it on.
     When suspicious events occur, you will not find the audit information.
  49. Auditing
     - Configured at the site collection level
     - Site Settings → Site Collection Administration: Site collection audit settings
     - Audit log reports
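Turning on site collection auditing (slide 49) and reading the log back, as an added example that is not part of the presentation. It assumes the SharePoint 2010 Management Shell, a placeholder site URL, and a 90-day retention chosen here for illustration.

```powershell
# Added example (not from the presentation): enable site collection auditing
# for the events that matter for confidential documents, set a retention period,
# and pull last week's delete events with the user who performed each one (Issue #5).
# Assumes the SharePoint 2010 Management Shell; the site URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.local/sites/finance"   # placeholder
$site = Get-SPSite $siteUrl
try {
    $audit = $site.Audit
    $mask  = [Microsoft.SharePoint.SPAuditMaskType]
    # View = opened/downloaded, Update = edited, Delete, CheckIn/CheckOut,
    # SecurityChange = permission edits (who granted whom access).
    $audit.AuditFlags = $mask::View -bor $mask::Update -bor $mask::Delete -bor `
                        $mask::CheckIn -bor $mask::CheckOut -bor $mask::SecurityChange
    $audit.Update()

    # Auditing every View on a busy portal grows the content database quickly;
    # keep 90 days (placeholder) and let the audit log trimming timer job remove older rows.
    $site.AuditLogTrimmingRetention = 90

    # Query: who deleted what during the last 7 days.
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::Delete)
    $query.SetRangeStart((Get-Date).AddDays(-7))
    $users = $site.RootWeb.SiteUsers
    foreach ($entry in $audit.GetEntries($query)) {
        try   { $who = $users.GetByID($entry.UserId).LoginName }
        catch { $who = "user id $($entry.UserId) (no longer in site users)" }
        "{0:u}  {1,-30}  {2}" -f $entry.Occurred, $who, $entry.DocLocation
    }
}
finally {
    $site.Dispose()
}
```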
  50. Records Management
     - New in SharePoint 2010: in-place records management
     - Enable the feature at the site collection level
     - Declare records management attributes at the site collection, folder or content type
     - Supports security at the document level without permissions
  51. More Information
     Mohamed Faizal: kmfaizal@ncs.com.sg, @kmdfaizal
     Blog: http://faizal-comeacross.blogspot.com/
     Microsoft Official Curriculum Course 10174A: Configuring and Administering SharePoint 2010
     70-667 Training Kit: Configuring and Administering SharePoint 2010 (Microsoft Press)
  52. Questions & Answers
  53. Thank You | Let us be a Value Creator for your organisation
     9/26/2011