Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

AUSPC 2013 - Understanding the Five Layers of SharePoint Security


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

AUSPC 2013 - Understanding the Five Layers of SharePoint Security

  1. 1. Michael Noel, CCO
  2. 2. Thank you to our sponsors
  3. 3. Great to be back in Beautiful Australia!
  4. 4. • 1: Infrastructure Security• Physical Security• Best Practice Service Account Setup• Kerberos Authentication• 2: Data Security• Role Based Access Control (RBAC)• Transparent Data Encryption (TDE) of SQL Databases• 3: Transport Security• Secure Sockets Layer (SSL) from Client to Server• IPSec from Server to Server• 4: Edge Security• Inbound Internet Security (Forefront UAG)• 5: Rights Management
  5. 5. Layer
  6. 6. Service Account Name Role of Service Account Special PermissionsCOMPANYABCSRV-SP-Setup SharePoint Installation Account Local Admin on all SP Servers (for installs)COMPANYABCSRV-SP-SQL SQL Service Account(s) – Should be separateadmin accounts from SP accounts.Local Admin on Database Server(s)(Generally, some exceptions apply)COMPANYABCSRV-SP-Farm SharePoint Farm Account(s) – Can also bestandard admin accounts. RBAC principles applyideally.N/ACOMPANYABCSRV-SP-Search Search Account N/ACOMPANYABCSRV-SP-Content Default Content Access Account Read rights to any external data sources tobe crawledCOMPANYABCSRV-SP-Prof Default Profiles Access Account Member of Domain Users (to be able to readattributes from users in domain) and‘Replicate Directory Changes’ rights in AD.COMPANYABCSRV-SP-AP-SPCA Application Pool Identity account for SharePointCentral Admin.DBCreator and Security Admin on SQL. Createand Modify contacts rights in OU used for mail.COMPANYABCSRV-SP-AP-Data Application Pool Identity account for theContent related App Pool (Portal, MySites, etc.)Additional as needed for security.N/A
  7. 7. • When creating any Web Applications, USE KERBEROS. It ismuch more secure and also faster with heavy loads as the SPserver doesn’t have to keep asking for auth requests fromAD.• Kerberos auth does require extra steps, which makes peopleshy away from it, but once configured, it improves securityconsiderably and can improve performance on high-loadsites.• Should also be configured on SPCA Site! (Best Practice =Configure SPCA for NLB, SSL, and Kerberos (i.e.
  8. 8. • Use the setspn utility to create Service PrincipleNames in AD, the following syntax for example:• Setspn.exe -A HTTP/mysite.companyabc.comDOMAINNAMEMYSiteAppAccount• Setspn.exe -A HTTP/mysite DOMAINNAMEMYSITEAppAccount• Setspn.exe -A HTTP/home.companyabc.comDOMAINNAMEHOMEAppAccount• Setspn.exe -A HTTP/sp DOMAINNAMEHOMEAppAccount
  9. 9. • Use setspn to create SPNs for SQL Service Account• SPNs need to match the name that SharePoint usesto connect to SQL• Syntax similar to following:• Setspn.exe -A MSSQLSvc/spsql:1433 COMPANYABCSRV-SQL-DB• Setspn.exe –A MSSQLSvc/• MSSQLSvc = Default instance, if named instance, specify thename instead• In this example, SRV-SQL-DB is the SQL Admin account
  10. 10. • Required only for ExcelServices and otherimpersonation applications.• On all SP Computeraccounts and on theApplication Identityaccounts, check the box inADUC to allow fordelegation.• In ADUC, navigate to thecomputer or user account,right-click and chooseProperties.• Go to the Delegation tab• Choose Trust thisuser/computer for delegationto any service (Kerberos)
  11. 11. • Go to Application Management• Choose the appropriate WebApplication – click AuthenticationProviders• Click on the link for ‘Default’under Zone• Change to Integrated WindowsAuthentication – Negotiate /Kerberos)• Run iisreset /noforce from thecommand prompt• If creating Web App from scratch,this step may be unnecessary ifyou choose Negotiate from thebeginning
  12. 12. Layer
  13. 13. • Role Groups defined within Active Directory(Universal Groups) – i.e. ‘Marketing,’ ‘Sales,’ ‘IT,’ etc.• Role Groups added directly into SharePoint ‘AccessGroups’ such as ‘Contributors,’ ‘Authors,’ etc.• Simply by adding a user account into the associatedRole Group, they gain access to whatever rights theirrole requires.User1User2RoleGroupSharePointGroup
  14. 14. • SQL Server Enterprise EditionFeature• Encrypts SQL DatabasesTransparently, SharePoint is unawareof the encryption and does not needa key• Encrypts the backups of thedatabase as well
  15. 15. • Does not encrypt the Communication Channel (IPSeccan be added)• Does not protect data in memory (DBAs couldaccess)• Cannot take advantage of SQL 2008 BackupCompression• TempDB is encrypted for the entire instance, even ifonly one DB is enabled for TDE, which can have aperformance effect for other DBs• Replication or FILESTREAM data is not encryptedwhen TDE is enabled (i.e. RBS BLOBs not encrypted)
  16. 16. Key and Cert HierarchySMK encrypts the DMK for master DBService Master KeySQL Instance LevelDPAPI Encrypts SMKData Protection API (DPAPI)Windows OS LevelDMK creates Cert in master DBDatabase Master Keymaster DB LevelCertificate Encrypts DEK in Content DBCertificatemaster DB LevelDEK used to encrypt Content DBDatabase Encryption KeyContent DB Level
  17. 17. • Symmetric key used to protect private keysand asymmetric keys• Protected itself by Service Master Key(SMK), which is created by SQL Serversetup• Use syntax as follows:• USE master;• GO• CREATE MASTER KEY ENCRYPTION BY PASSWORD =CrypticTDEpw4CompanyABC;• GO
  18. 18. • Protected by the DMK• Used to protect the database encryptionkey• Use syntax as follows:USE master;GOCREATE CERTIFICATE CompanyABCtdeCertWITH SUBJECT = CompanyABC TDECertificate ;GO
  19. 19. • Without a backup, data can be lost• Backup creates two files, the Cert backup and the PrivateKey File• Use following syntax:USE master;GOBACKUP CERTIFICATE CompanyABCtdeCert TO FILE =c:BackupCompanyABCtdeCERT.cerWITH PRIVATE KEY (FILE = c:BackupCompanyABCtdeDECert.pvk,ENCRYPTION BY PASSWORD = CrypticTDEpw4CompanyABC! );GO
  20. 20. • DEK is used to encrypt specific database• One created for each database• Encryption method can be chosen foreach DEK• Use following syntax:USE SharePointContentDB;GOCREATE DATABASE ENCRYPTION KEYWITH ALGORITHM = AES_256ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCertGO
  21. 21. • Data encryption will begin after runningcommand• Size of DB will determine time it will take,can be lengthy and could cause userblocking• Use following syntax:USE SharePointContentDBGOALTER DATABASE SharePointContentDBSET ENCRYPTION ONGO
  22. 22. • State is Returned• State of 2 = Encryption Begun• State of 3 = Encryption Complete• Use following syntax:USE SharePointContentDBGOSELECT *FROM sys.dm_database_encryption_keysWHERE encryption_state = 3;GO
  23. 23. • Step 1: Create new Master Key on Target Server (Does not need tomatch source master key)• Step 2: Backup Cert and Private Key from Source• Step 3: Restore Cert and Private Key onto Target (No need toexport the DEK as it is part of the backup)USE master;GOCREATE CERTIFICATE CompanyABCtdeCertFROM FILE = C:RestoreCompanyABCtdeCert.cerWITH PRIVATE KEY (FILE = C:RestoreCompanyABCtdeCert.pvk, DECRYPTION BY PASSWORD = CrypticTDEpw4CompanyABC!)• Step 4: Restore DB
  24. 24. Layer
  25. 25. • External or Internal Certs highlyrecommended• Protects Transport of content• 20% overhead on Web Servers• Can be offloaded via SSLoffloaders if needed• Don’t forget for SPCA as well!
  26. 26. • By default, traffic betweenSharePoint Servers (i.e. Web andSQL) is unencrypted• IPSec encrypts all packets sentbetween servers in a farm• For very high security scenarioswhen all possible data breachesmust be addressed
  27. 27. Layer
  28. 28. Layer
  29. 29. • AD RMS is a form of Digital Rights Management(DRM) technology, used in various forms toprotect content• Used to restrict activities on files AFTER theyhave been accessed:• Cut/Paste• Print• Save As…• Directly integrates with SharePoint DocLibs
  30. 30. • Select Cluster Key Storage• CSP used for advanced scenarios
  31. 31. • By default, RMS server is configuredto only allow the local systemaccount of the RMS server or theWeb Application Identity accountsto access the certificate pipelinedirectly• SharePoint web servers and/or WebApplication Service Accounts needto be added to this security list• Add the RMS Service Group, themachine account(s) of theSharePoint Server and the Web AppIdentity accountswith Read andExcecute permissions to theServerCertification.asmx file in the%systemroot%inetpubwwwroot_wmcsCertification folder on the RMSserver
  32. 32. • RMS-enabled client, when accessingdocument in doclib, will access RMSserver to validate credentials
  33. 33. • Effectivepermissions canbe viewed fromthe document• The RMS clientwill enforce therestrictions
  34. 34. • Determine Security Risk for your SharePointEnvironment• Identify any Regulatory ComplianceRequirements for SharePoint• Determine which aspects of SharePoint needto be secured, touching on all five layers ofSharePoint Security
  35. 35. Michael NoelCompany Site: http://www.cco.comTwitter: blog:
  36. 36. Thank you to our sponsors