#SPSBE




End to End SharePoint Security
#SPSBE19

Michael Noel
@MichaelTNoel
MICHAEL NOEL
•    Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007 Unleashed,” “SharePoint 2003 Unleashed,” “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed,” “ISA Server 2006 Unleashed,” and many other titles.
•    Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco Bay Area based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security
SHAREPOINT SECURITY
LAYERS OF SECURITY IN A SHAREPOINT ENVIRONMENT
•   1: Infrastructure Security
     •   Physical Security
     •   Best Practice Service Account Setup
     •   Kerberos Authentication

•   2: Data Security
     •   Role Based Access Control (RBAC)
     •   Transparent Data Encryption (TDE) of SQL Databases
     •   Antivirus

•   3: Transport Security
     •   Secure Sockets Layer (SSL) from Client to Server
     •   IPSec from Server to Server

•   4: Edge Security
     •   Inbound Internet Security (Forefront UAG/TMG)

•   5: Rights Management
INFRASTRUCTURE SECURITY LAYER
LAYER 1: INFRASTRUCTURE SECURITY
        SAMPLE LIST OF SERVICE ACCOUNTS
Service Account Name / Role of Service Account / Special Permissions

• COMPANYABC\SRV-SP-Setup
     Role: SharePoint Installation Account
     Special Permissions: Local Admin on all SP Servers (for installs)
• COMPANYABC\SRV-SP-SQL
     Role: SQL Service Account(s) – Should be separate admin accounts from SP accounts.
     Special Permissions: Local Admin on Database Server(s) (Generally, some exceptions apply)
• COMPANYABC\SRV-SP-Farm
     Role: SharePoint Farm Account(s) – Can also be standard admin accounts. RBAC principles apply ideally.
     Special Permissions: N/A
• COMPANYABC\SRV-SP-Search
     Role: Search Account
     Special Permissions: N/A
• COMPANYABC\SRV-SP-Content
     Role: Default Content Access Account
     Special Permissions: Read rights to any external data sources to be crawled
• COMPANYABC\SRV-SP-Prof
     Role: Default Profiles Access Account
     Special Permissions: Member of Domain Users (to be able to read attributes from users in domain) and 'Replicate Directory Changes' rights in AD – Temporary Farm Admin and Local Admin (for provisioning of UPA).
• COMPANYABC\SRV-SP-AP-SPCA
     Role: Application Pool Identity account for SharePoint Central Admin.
     Special Permissions: DBCreator and Security Admin on SQL. Create and Modify contacts rights in OU used for mail.
• COMPANYABC\SRV-SP-AP-Data
     Role: Application Pool Identity account for the Content related App Pool (Portal, MySites, etc.). Additional as needed for security.
     Special Permissions: N/A
LAYER 1: INFRASTRUCTURE SECURITY
 ENABLE KERBEROS
• When creating any Web Applications in Classic-mode, USE KERBEROS. It is much more secure and also faster under heavy load, as the SP server doesn't have to keep sending auth requests to AD.
• Kerberos auth does require extra steps, which makes people shy away from it, but once configured, it improves security considerably and can improve performance on high-load sites.
• Should also be configured on the SPCA Site! (Best Practice = Configure SPCA for NLB, SSL, and Kerberos, i.e. https://spca.companyabc.com)
LAYER 1: INFRASTRUCTURE SECURITY
 KERBEROS STEP 1: CREATE THE SERVICE PRINCIPAL NAMES
• Use the setspn utility to create Service Principal Names (SPNs) in AD, with the following syntax, for example:
   • Setspn.exe -A HTTP/mysite.companyabc.com DOMAINNAME\MYSiteAppAccount
   • Setspn.exe -A HTTP/mysite DOMAINNAME\MYSITEAppAccount
   • Setspn.exe -A HTTP/home.companyabc.com DOMAINNAME\HOMEAppAccount
   • Setspn.exe -A HTTP/sp DOMAINNAME\HOMEAppAccount
LAYER 1: INFRASTRUCTURE SECURITY
  KERBEROS STEP 2: ENABLE KERBEROS BETWEEN SP AND SQL
• Use setspn to create SPNs for the SQL Service Account
• The SPNs need to match the name that SharePoint uses to connect to SQL (ideally a SQL Alias, more on this later)
• Syntax similar to the following:
    • Setspn.exe -A MSSQLSvc/spsql:1433 COMPANYABC\SRV-SQL-DB
    • Setspn.exe -A MSSQLSvc/spsql.companyabc.com:1433 COMPANYABC\SRV-SQL-DB
• MSSQLSvc = Default instance; if using a named instance, specify the instance name instead
• In this example, SRV-SQL-DB is the SQL Admin account and spsql.companyabc.com is the alias used to connect to the SQL server (Listener/Client Access Point if using AlwaysOn Availability Groups with SQL 2012)
LAYER 1: INFRASTRUCTURE SECURITY
   KERBEROS STEP 3: ALLOW ACCOUNTS TO DELEGATE (OPTIONAL)

• Required only for Excel Services and other impersonation applications.
• On all SP Computer accounts and on the Application Identity accounts, check the box in ADUC to allow for delegation.
   • In ADUC, navigate to the computer or user account, right-click and choose Properties.
   • Go to the Delegation tab
   • Choose Trust this user/computer for delegation to any service (Kerberos)
LAYER 1: INFRASTRUCTURE SECURITY
   KERBEROS STEP 4: ENABLE KERBEROS ON WEB APPLICATION

• Go to Application Management – Authentication Providers
• Choose the appropriate Web Application
• Click on the link for 'Default' under Zone
• Change to Integrated Windows Authentication - Kerberos (Negotiate)
• Run iisreset /noforce from the command prompt
• If creating the Web App from scratch, this step may be unnecessary if you choose Negotiate from the beginning
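To verify from the SQL side that Steps 1 to 4 took effect, the following query (an added example, not from the deck) lists every remote session on the SQL Server together with the authentication scheme it negotiated and whether the SQL connection itself is encrypted; a SharePoint service account showing NTLM is the usual symptom of a missing or duplicate MSSQLSvc SPN for the name in the SQL alias. It assumes SQL Server 2008 or later and VIEW SERVER STATE permission for the account running it.

```sql
-- Added example (not part of the deck): confirm that SharePoint servers really
-- authenticate to SQL Server with Kerberos after the SPN steps above.
-- Assumes SQL Server 2008+ and VIEW SERVER STATE.

-- 1) Quick self-check: what did *this* session negotiate?
SELECT auth_scheme, net_transport, encrypt_option
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 2) Every remote user session, grouped by client host, login and scheme.
--    Local shared-memory sessions are excluded: they never use Kerberos, so
--    they would only add noise to the report.
SELECT
    s.host_name                       AS client_host,       -- e.g. a SharePoint web/app server
    s.login_name,                                           -- service account that opened the session
    s.program_name,
    c.auth_scheme,                                          -- KERBEROS, NTLM or SQL
    c.encrypt_option,                                       -- TRUE only if this SQL connection is encrypted
    c.client_net_address,
    COUNT(*)                          AS session_count,
    CASE
        WHEN c.auth_scheme = 'KERBEROS' THEN 'OK'
        WHEN c.auth_scheme = 'NTLM'     THEN 'CHECK SPN: Kerberos was not negotiated for this host/login'
        ELSE 'SQL login: not Windows authentication'
    END                               AS finding
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND c.net_transport <> 'Shared memory'
GROUP BY s.host_name, s.login_name, s.program_name,
         c.auth_scheme, c.encrypt_option, c.client_net_address
ORDER BY c.auth_scheme, s.host_name, s.login_name;
```

Run it after iisreset so the SharePoint application pools have reconnected; sessions opened before the SPN change keep the scheme they negotiated at connect time.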
DATA SECURITY LAYER
LAYER 2: DATA SECURITY
ROLE BASED ACCESS CONTROL (RBAC)

• Role Groups defined within Active Directory (Universal Groups) – i.e. 'Marketing,' 'Sales,' 'IT,' etc.
• Role Groups added directly into SharePoint 'Access Groups' such as 'Contributors,' 'Authors,' etc.
• Simply by adding a user account into the associated Role Group, they gain access to whatever rights their role requires.

Diagram: User1, User2 → Role Group → SharePoint Group or direct rights to SP
LAYER 2: DATA SECURITY
 SQL TRANSPARENT DATA ENCRYPTION (TDE)

• SQL Server 2008, 2008 R2, 2012 Enterprise Edition Feature
• Encrypts SQL Databases transparently: SharePoint is unaware of the encryption and does not need a key
• Encrypts the backups of the database as well
LAYER 2: DATA SECURITY
 TDE VS. CELL LEVEL ENCRYPTION

• Available with either SQL 2005, SQL 2008, or SQL 2012
• Encrypts individual cells in a database
• Requires a password to access the cell
• Requires that columns be changed from their original data type to varbinary
• Advantage is that only specific info is encrypted
• Disadvantage is that you cannot use this for SharePoint Databases
LAYER 2: DATA SECURITY
 TDE VS. FILE LEVEL ENCRYPTION

• Two forms, the older Encrypting File System (EFS) and BitLocker
• EFS encrypts data at the File Level
• BitLocker encrypts data at the Volume Level
• BitLocker encrypts every file on the disk, not just database files
• Could be used together with TDE
LAYER 2: DATA SECURITY
 SQL TRANSPARENT DATA ENCRYPTION (TDE) LIMITATIONS

• Does not encrypt the Communication Channel (IPSec can be added)
• Does not protect data in memory (DBAs could access)
• Cannot take advantage of SQL 2008 Backup Compression
• TempDB is encrypted for the entire instance, even if only one DB is enabled for TDE, which can have a performance effect for other DBs
• Replication or FILESTREAM data is not encrypted when TDE is enabled (i.e. RBS BLOBs not encrypted)
LAYER 2: DATA SECURITY
 KEY AND OS LEVEL HIERARCHY

• Windows Cert (OS) Level: Data Protection API (DPAPI) – DPAPI encrypts the SMK
• SQL Instance Level: Service Master Key (SMK) – SMK encrypts the DMK for the master DB
• master DB Level: Database Master Key (DMK) – DMK creates the Certificate in the master DB
• master DB Level: Certificate – Certificate encrypts the DEK in the Content DB
• Content DB Level: Database Encryption Key (DEK) – DEK used to encrypt the Content DB
LAYER 2: DATA SECURITY
    SQL TDE STEP 1: CREATING THE DATABASE MASTER KEY (DMK)

•    Symmetric key used to protect private keys and asymmetric keys
•    Protected itself by the Service Master Key (SMK), which is created by SQL Server setup
•    Use syntax as follows:

      USE master;
      GO
      CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC';
      GO
LAYER 2: DATA SECURITY
 SQL TDE STEP 2: CREATING THE TDE CERTIFICATE
• Protected by the DMK
• Used to protect the database encryption key
• Use syntax as follows:
    USE master;
    GO
    CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate';
    GO
LAYER 2: DATA SECURITY
 SQL TDE STEP 3: BACKUP THE MASTER KEY
• Without a backup, data can be lost
• Backup creates two files, the Cert backup and the Private Key File
• Use the following syntax:
    USE master;
    GO
    BACKUP CERTIFICATE CompanyABCtdeCert TO FILE = 'c:\Backup\CompanyABCtdeCERT.cer'
    WITH PRIVATE KEY (
        FILE = 'c:\Backup\CompanyABCtdeDECert.pvk',
        ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' );
    GO
LAYER 2: DATA SECURITY
    SQL TDE STEP 4: CREATING THE DATABASE ENCRYPTION KEY (DEK)

•    The DEK is used to encrypt a specific database
•    One is created for each database
•    The encryption algorithm can be chosen for each DEK
•    Use the following syntax:

      USE SharePointContentDB;
      GO
      CREATE DATABASE ENCRYPTION KEY
      WITH ALGORITHM = AES_256
      ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert;
      GO
LAYER 2: DATA SECURITY
 SQL TDE STEP 5: ENABLE TDE ON THE DATABASE(S)

• Data encryption begins as soon as the command runs
• The size of the DB determines how long it takes; it can be lengthy and could cause user blocking
• Use the following syntax:
    USE SharePointContentDB
    GO
    ALTER DATABASE SharePointContentDB
    SET ENCRYPTION ON
    GO
LAYER 2: DATA SECURITY
    SQL TDE STEP 6: MONITOR THE TDE ENCRYPTION PROGRESS
•   The encryption_state column is returned for each database that has a DEK
•   State of 2 = Encryption Begun (in progress)
•   State of 3 = Encryption Complete
•   Use the following syntax:
     USE SharePointContentDB
     GO
     SELECT *
     FROM sys.dm_database_encryption_keys
     WHERE encryption_state = 3;
     GO
LAYER 2: DATA SECURITY
    SQL TDE: RESTORING A TDE DATABASE TO ANOTHER SERVER
•   Step 1: Create a new Master Key on the Target Server (does not need to match the source master key)
•   Step 2: Backup the Cert and Private Key from the Source
•   Step 3: Restore the Cert and Private Key onto the Target (no need to export the DEK, as it is part of the backup)
     USE master;
     GO
     CREATE CERTIFICATE CompanyABCtdeCert
     FROM FILE = 'C:\Restore\CompanyABCtdeCert.cer'
     WITH PRIVATE KEY (
         FILE = 'C:\Restore\CompanyABCtdeCert.pvk',
         DECRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!'
     );
•   Step 4: Restore DB
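The following status check (an added example, not from the deck) extends the Step 6 query: for each database it reports the encryption state in words rather than as a number, the progress of the state change, the certificate protecting its DEK, and whether that certificate's private key has ever been backed up as in Step 3, which is exactly what the restore procedure above depends on. It assumes the objects named in the steps (CompanyABCtdeCert in master) and SQL Server 2012 or later for the pvt_key_last_backup_date column.

```sql
-- Added example (not part of the deck): TDE health check for every database.
-- Assumes SQL Server 2012+ (pvt_key_last_backup_date) and VIEW SERVER STATE.
USE master;
GO
SELECT
    d.name                                   AS database_name,
    CASE k.encryption_state
        WHEN 0 THEN 'No DEK present'
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        WHEN 6 THEN 'Protection change in progress'
        ELSE 'Not enabled for TDE'
    END                                      AS encryption_state_desc,
    k.percent_complete,                      -- progress of the current state change
    k.key_algorithm,                         -- e.g. AES per Step 4
    k.key_length,                            -- e.g. 256
    c.name                                   AS certificate_name,
    c.expiry_date,
    c.pvt_key_last_backup_date,              -- NULL = private key never backed up
    CASE
        WHEN k.encryption_state IS NULL THEN 'TDE not enabled'
        WHEN d.name = N'tempdb'          THEN 'Encrypted as a side effect of TDE on another DB'
        WHEN c.name IS NULL
            THEN 'DEK encryptor certificate not found in master: a restore elsewhere will fail'
        WHEN c.pvt_key_last_backup_date IS NULL
            THEN 'BACKUP CERTIFICATE ... WITH PRIVATE KEY has not been run (Step 3)'
        WHEN d.is_encrypted = 0
            THEN 'DEK exists but ALTER DATABASE ... SET ENCRYPTION ON not run (Step 5)'
        WHEN k.encryption_state <> 3     THEN 'Still changing state, re-run later'
        ELSE 'OK'
    END                                      AS finding
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint   -- certificate that encrypts the DEK
WHERE d.database_id > 4          -- user databases (SharePoint content, config, service DBs)
   OR d.name = N'tempdb'         -- included to show the whole-instance side effect
ORDER BY d.name;
GO
```

Any row whose finding names Step 3 should be fixed before the database is ever moved or restored, since the restore above cannot recreate the certificate without the backed-up private key.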
LAYER 2: DATA SECURITY
SHAREPOINT ANTIVIRUS
LAYER 2: DATA SECURITY
  SHAREPOINT ANTIVIRUS VSAPI

• Realtime scanning uses only the VSAPI
• Realtime Scan Settings are administered through the SharePoint Central Admin Tool
   • Realtime Options are grayed out in the Forefront Admin Console
LAYER 2: DATA SECURITY
 SHAREPOINT ANTIVIRUS: FPS KEYWORD AND FILE FILTERING

• Look for specific keywords (sensitive company info, profanity, etc.)
    • Block
    • Simply detect and notify
• Create Filter List
    • Add Keywords, either manually or in bulk as lines in a text file
LAYER 2: DATA SECURITY
  SHAREPOINT ANTIVIRUS: FPS PROFANITY FILTERS
• New Profanity lists in 11 languages available in SP2
    • (Run KeywordInstaller.msi to install)
    • Import the lists into FF from Program Files\Microsoft Forefront Security\SharePoint\Data\Example Keywords
TRANSPORT SECURITY LAYER
LAYER 3: TRANSPORT SECURITY
 CLIENT TO SERVER: USING SECURE SOCKETS LAYER (SSL) ENCRYPTION

• External or Internal Certs highly recommended
• Protects Transport of content
• 20% overhead on Web Servers
• Can be offloaded via SSL offloaders if needed
• Don't forget SPCA as well!
LAYER 3: TRANSPORT SECURITY
 SERVER TO SERVER: USING IPSEC TO ENCRYPT TRAFFIC


• By default, traffic between SharePoint Servers (i.e. Web and SQL) is unencrypted
• IPSec encrypts all packets sent between servers in a farm
• For very high security scenarios when all possible data breaches must be addressed
EDGE SECURITY LAYER
LAYER 4: EDGE SECURITY
FOREFRONT UNIFIED ACCESS GATEWAY (UAG) 2010
LAYER 4: EDGE SECURITY
     UAG COMPARISON WITH FOREFRONT TMG

Capability                                                                      TMG 2010   UAG 2010
Publish Web applications using HTTPS                                            X          X
Publish internal mobile applications to roaming mobile devices                  X          X
Layer 3 firewall                                                                X          X
Outbound scenarios support                                                      X          X
Array support                                                                   X          X
Globalization and administration console localization                           X          X
Wizards and predefined settings to publish SharePoint sites and Exchange        X          X
Rich authentication (for example, one-time password, forms-based, smart card)   X          X
Application protection (Web application firewall)                               Basic      Full
Active Directory Federation Services (ADFS) support                                        X
Information leakage prevention                                                             X
Granular access policy                                                                     X
Unified Portal                                                                             X
RIGHTS MANAGEMENT LAYER
LAYER 5: RIGHTS MANAGEMENT
 ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES (AD RMS)

• AD RMS is a form of Digital Rights Management (DRM) technology, used in various forms to protect content
• Used to restrict activities on files AFTER they have been accessed:
   • Cut/Paste
   • Print
   • Save As…
• Directly integrates with SharePoint DocLibs
LAYER 5: RIGHTS MANAGEMENT
     HOW AD RMS WORKS
1.    On first use, authors receive a client licensor certificate from the RMS server
2.    Author creates content and assigns rights
3.    File is distributed to recipient(s)
4.    Recipient opens file, and their RMS client contacts the server for user validation and to obtain a license
5.    Application opens the file and enforces the restrictions
LAYER 5: RIGHTS MANAGEMENT
    INSTALLING AD RMS – KEY STORAGE

•   Select Cluster Key Storage
•   CSP used for advanced scenarios
LAYER 5: RIGHTS MANAGEMENT
INSTALLING AD RMS – CREATING THE CLUSTER NAME
LAYER 5: RIGHTS MANAGEMENT
INSTALLING AD RMS – USING AN SSL CERT FOR TRANSPORT ENCRYPTION
LAYER 5: RIGHTS MANAGEMENT
    ALLOWING SHAREPOINT TO USE AD RMS
•   By default, the RMS server is configured to only allow the local system account of the RMS server or the Web Application Identity accounts to access the certificate pipeline directly
•   SharePoint web servers and/or Web Application Service Accounts need to be added to this security list
•   Add the RMS Service Group, the machine account(s) of the SharePoint Server and the Web App Identity accounts with Read and Execute permissions to the ServerCertification.asmx file in the %systemroot%\inetpub\wwwroot\_wmcs\Certification folder on the RMS server
LAYER 5: RIGHTS MANAGEMENT
 CLIENT ACCESSING AD RMS DOCUMENTS

• Effective permissions can be viewed from the document
• The RMS client will enforce the restrictions
SESSION SUMMARY
• Determine the Security Risk for your SharePoint Environment
• Identify any Regulatory Compliance Requirements for SharePoint
• Determine which aspects of SharePoint need to be secured, touching on all five layers of SharePoint Security
Michael Noel
     Twitter: @MichaelTNoel
          www.cco.com
Slides: slideshare.net/michaeltnoel
Travel blog: sharingtheglobe.com
Sql Server 2008 Security Enhanments
 
Tackle Containerization Advisor (TCA) for Legacy Applications
Tackle Containerization Advisor (TCA) for Legacy ApplicationsTackle Containerization Advisor (TCA) for Legacy Applications
Tackle Containerization Advisor (TCA) for Legacy Applications
 
The Very Very Latest in Database Development - Oracle Open World 2012
The Very Very Latest in Database Development - Oracle Open World 2012The Very Very Latest in Database Development - Oracle Open World 2012
The Very Very Latest in Database Development - Oracle Open World 2012
 
The Very Very Latest In Database Development - Lucas Jellema - Oracle OpenWor...
The Very Very Latest In Database Development - Lucas Jellema - Oracle OpenWor...The Very Very Latest In Database Development - Lucas Jellema - Oracle OpenWor...
The Very Very Latest In Database Development - Lucas Jellema - Oracle OpenWor...
 
SQL Server 2008 Security Overview
SQL Server 2008 Security OverviewSQL Server 2008 Security Overview
SQL Server 2008 Security Overview
 
Best Practice SharePoint Architecture
Best Practice SharePoint ArchitectureBest Practice SharePoint Architecture
Best Practice SharePoint Architecture
 
Clone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13c
Clone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13cClone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13c
Clone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13c
 
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginnersSQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
 
Database Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David IzahkDatabase Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David Izahk
 
Relational Database Services on AWS - Bill Baldwin, Gareth Eagar
Relational Database Services on AWS - Bill Baldwin, Gareth EagarRelational Database Services on AWS - Bill Baldwin, Gareth Eagar
Relational Database Services on AWS - Bill Baldwin, Gareth Eagar
 
Oracle & SQL Server on the Cloud: Database Week SF
Oracle & SQL Server on the Cloud: Database Week SFOracle & SQL Server on the Cloud: Database Week SF
Oracle & SQL Server on the Cloud: Database Week SF
 
Oracle & SQL Server on the Cloud: Database Week San Francisco
Oracle & SQL Server on the Cloud: Database Week San FranciscoOracle & SQL Server on the Cloud: Database Week San Francisco
Oracle & SQL Server on the Cloud: Database Week San Francisco
 
Oracle and SQL Server on the Cloud
Oracle and SQL Server on the CloudOracle and SQL Server on the Cloud
Oracle and SQL Server on the Cloud
 
Oracle and SQL Server on the Cloud - Bill Baldwin
Oracle and SQL Server on the Cloud - Bill BaldwinOracle and SQL Server on the Cloud - Bill Baldwin
Oracle and SQL Server on the Cloud - Bill Baldwin
 
Building the Perfect SharePoint 2010 Farm - Sharing the Point South America
Building the Perfect SharePoint 2010 Farm - Sharing the Point South AmericaBuilding the Perfect SharePoint 2010 Farm - Sharing the Point South America
Building the Perfect SharePoint 2010 Farm - Sharing the Point South America
 

More from Michael Noel

AI is Hacking You - How Cybercriminals Leveral Artificial Intelligence - DWCN...
AI is Hacking You - How Cybercriminals Leveral Artificial Intelligence - DWCN...AI is Hacking You - How Cybercriminals Leveral Artificial Intelligence - DWCN...
AI is Hacking You - How Cybercriminals Leveral Artificial Intelligence - DWCN...Michael Noel
 
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024Michael Noel
 
Combatting Cyberthreats with Microsoft Defender 365 - CollabDays Finland 2023
Combatting Cyberthreats with Microsoft Defender 365 - CollabDays Finland 2023Combatting Cyberthreats with Microsoft Defender 365 - CollabDays Finland 2023
Combatting Cyberthreats with Microsoft Defender 365 - CollabDays Finland 2023Michael Noel
 
IT Insecurity - ST Digital Brazzaville
IT Insecurity - ST Digital BrazzavilleIT Insecurity - ST Digital Brazzaville
IT Insecurity - ST Digital BrazzavilleMichael Noel
 
Securing IT Against Modern Threats with Microsoft Cloud Tools - #EUCloudSummi...
Securing IT Against Modern Threats with Microsoft Cloud Tools - #EUCloudSummi...Securing IT Against Modern Threats with Microsoft Cloud Tools - #EUCloudSummi...
Securing IT Against Modern Threats with Microsoft Cloud Tools - #EUCloudSummi...Michael Noel
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...Michael Noel
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Michael Noel
 
Understanding the Tools and Features of Office 365 : DWT Africa 2018
Understanding the Tools and Features of Office 365 : DWT Africa 2018Understanding the Tools and Features of Office 365 : DWT Africa 2018
Understanding the Tools and Features of Office 365 : DWT Africa 2018Michael Noel
 
SPS Lisbon 2018 - Azure AD Connect Technical Deep Dive
SPS Lisbon 2018 - Azure AD Connect Technical Deep DiveSPS Lisbon 2018 - Azure AD Connect Technical Deep Dive
SPS Lisbon 2018 - Azure AD Connect Technical Deep DiveMichael Noel
 
Azure Active Directory Connect: Technical Deep Dive - DWCAU 2018 Melbourne
Azure Active Directory Connect: Technical Deep Dive - DWCAU 2018 MelbourneAzure Active Directory Connect: Technical Deep Dive - DWCAU 2018 Melbourne
Azure Active Directory Connect: Technical Deep Dive - DWCAU 2018 MelbourneMichael Noel
 
Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018
Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018
Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018Michael Noel
 
Breaking Down the Tools and Features in Office 365 - EU Collab Summit 2018
Breaking Down the Tools and Features in Office 365 - EU Collab Summit 2018Breaking Down the Tools and Features in Office 365 - EU Collab Summit 2018
Breaking Down the Tools and Features in Office 365 - EU Collab Summit 2018Michael Noel
 
Understanding the Tools and Features of Office 365 - New Zealand Digital Work...
Understanding the Tools and Features of Office 365 - New Zealand Digital Work...Understanding the Tools and Features of Office 365 - New Zealand Digital Work...
Understanding the Tools and Features of Office 365 - New Zealand Digital Work...Michael Noel
 
Office 365; A Detailed Analysis - SPS Kampala 2017
Office 365; A Detailed Analysis - SPS Kampala 2017Office 365; A Detailed Analysis - SPS Kampala 2017
Office 365; A Detailed Analysis - SPS Kampala 2017Michael Noel
 
Office 365; une Analyse Détaillée
Office 365; une Analyse Détaillée Office 365; une Analyse Détaillée
Office 365; une Analyse Détaillée Michael Noel
 
AUDWC 2016 - Using SQL Server 20146 AlwaysOn Availability Groups for SharePoi...
AUDWC 2016 - Using SQL Server 20146 AlwaysOn Availability Groups for SharePoi...AUDWC 2016 - Using SQL Server 20146 AlwaysOn Availability Groups for SharePoi...
AUDWC 2016 - Using SQL Server 20146 AlwaysOn Availability Groups for SharePoi...Michael Noel
 
Breaking Down and Understanding Office 365 - SPSJHB 2015
Breaking Down and Understanding Office 365 - SPSJHB 2015Breaking Down and Understanding Office 365 - SPSJHB 2015
Breaking Down and Understanding Office 365 - SPSJHB 2015Michael Noel
 
Understanding Office 365 Service Offerings - O365 Saturday Sydney 2015
Understanding Office 365 Service Offerings - O365 Saturday Sydney 2015Understanding Office 365 Service Offerings - O365 Saturday Sydney 2015
Understanding Office 365 Service Offerings - O365 Saturday Sydney 2015Michael Noel
 
Ultimate SharePoint Infrastructure Best Practises Session - Isle of Man Share...
Ultimate SharePoint Infrastructure Best Practises Session - Isle of Man Share...Ultimate SharePoint Infrastructure Best Practises Session - Isle of Man Share...
Ultimate SharePoint Infrastructure Best Practises Session - Isle of Man Share...Michael Noel
 
SQL 2014 AlwaysOn Availability Groups for SharePoint Farms - SPS Sydney 2014
SQL 2014 AlwaysOn Availability Groups for SharePoint Farms - SPS Sydney 2014SQL 2014 AlwaysOn Availability Groups for SharePoint Farms - SPS Sydney 2014
SQL 2014 AlwaysOn Availability Groups for SharePoint Farms - SPS Sydney 2014Michael Noel
 

More from Michael Noel (20)

AI is Hacking You - How Cybercriminals Leveral Artificial Intelligence - DWCN...
AI is Hacking You - How Cybercriminals Leveral Artificial Intelligence - DWCN...AI is Hacking You - How Cybercriminals Leveral Artificial Intelligence - DWCN...
AI is Hacking You - How Cybercriminals Leveral Artificial Intelligence - DWCN...
 
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
 
Combatting Cyberthreats with Microsoft Defender 365 - CollabDays Finland 2023
Combatting Cyberthreats with Microsoft Defender 365 - CollabDays Finland 2023Combatting Cyberthreats with Microsoft Defender 365 - CollabDays Finland 2023
Combatting Cyberthreats with Microsoft Defender 365 - CollabDays Finland 2023
 
IT Insecurity - ST Digital Brazzaville
IT Insecurity - ST Digital BrazzavilleIT Insecurity - ST Digital Brazzaville
IT Insecurity - ST Digital Brazzaville
 
Securing IT Against Modern Threats with Microsoft Cloud Tools - #EUCloudSummi...
Securing IT Against Modern Threats with Microsoft Cloud Tools - #EUCloudSummi...Securing IT Against Modern Threats with Microsoft Cloud Tools - #EUCloudSummi...
Securing IT Against Modern Threats with Microsoft Cloud Tools - #EUCloudSummi...
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
 
Understanding the Tools and Features of Office 365 : DWT Africa 2018
Understanding the Tools and Features of Office 365 : DWT Africa 2018Understanding the Tools and Features of Office 365 : DWT Africa 2018
Understanding the Tools and Features of Office 365 : DWT Africa 2018
 
SPS Lisbon 2018 - Azure AD Connect Technical Deep Dive
SPS Lisbon 2018 - Azure AD Connect Technical Deep DiveSPS Lisbon 2018 - Azure AD Connect Technical Deep Dive
SPS Lisbon 2018 - Azure AD Connect Technical Deep Dive
 
Azure Active Directory Connect: Technical Deep Dive - DWCAU 2018 Melbourne
Azure Active Directory Connect: Technical Deep Dive - DWCAU 2018 MelbourneAzure Active Directory Connect: Technical Deep Dive - DWCAU 2018 Melbourne
Azure Active Directory Connect: Technical Deep Dive - DWCAU 2018 Melbourne
 
Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018
Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018
Azure Active Directory Connect: Technical Deep Dive - EU Collab Summit 2018
 
Breaking Down the Tools and Features in Office 365 - EU Collab Summit 2018
Breaking Down the Tools and Features in Office 365 - EU Collab Summit 2018Breaking Down the Tools and Features in Office 365 - EU Collab Summit 2018
Breaking Down the Tools and Features in Office 365 - EU Collab Summit 2018
 
Understanding the Tools and Features of Office 365 - New Zealand Digital Work...
Understanding the Tools and Features of Office 365 - New Zealand Digital Work...Understanding the Tools and Features of Office 365 - New Zealand Digital Work...
Understanding the Tools and Features of Office 365 - New Zealand Digital Work...
 
Office 365; A Detailed Analysis - SPS Kampala 2017
Office 365; A Detailed Analysis - SPS Kampala 2017Office 365; A Detailed Analysis - SPS Kampala 2017
Office 365; A Detailed Analysis - SPS Kampala 2017
 
Office 365; une Analyse Détaillée
Office 365; une Analyse Détaillée Office 365; une Analyse Détaillée
Office 365; une Analyse Détaillée
 
AUDWC 2016 - Using SQL Server 20146 AlwaysOn Availability Groups for SharePoi...
AUDWC 2016 - Using SQL Server 20146 AlwaysOn Availability Groups for SharePoi...AUDWC 2016 - Using SQL Server 20146 AlwaysOn Availability Groups for SharePoi...
AUDWC 2016 - Using SQL Server 20146 AlwaysOn Availability Groups for SharePoi...
 
Breaking Down and Understanding Office 365 - SPSJHB 2015
Breaking Down and Understanding Office 365 - SPSJHB 2015Breaking Down and Understanding Office 365 - SPSJHB 2015
Breaking Down and Understanding Office 365 - SPSJHB 2015
 
Understanding Office 365 Service Offerings - O365 Saturday Sydney 2015
Understanding Office 365 Service Offerings - O365 Saturday Sydney 2015Understanding Office 365 Service Offerings - O365 Saturday Sydney 2015
Understanding Office 365 Service Offerings - O365 Saturday Sydney 2015
 
Ultimate SharePoint Infrastructure Best Practises Session - Isle of Man Share...
Ultimate SharePoint Infrastructure Best Practises Session - Isle of Man Share...Ultimate SharePoint Infrastructure Best Practises Session - Isle of Man Share...
Ultimate SharePoint Infrastructure Best Practises Session - Isle of Man Share...
 
SQL 2014 AlwaysOn Availability Groups for SharePoint Farms - SPS Sydney 2014
SQL 2014 AlwaysOn Availability Groups for SharePoint Farms - SPS Sydney 2014SQL 2014 AlwaysOn Availability Groups for SharePoint Farms - SPS Sydney 2014
SQL 2014 AlwaysOn Availability Groups for SharePoint Farms - SPS Sydney 2014
 

Recently uploaded

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 

SPS Belgium 2012 - End to End Security for SharePoint Farms - Michael Noel

  • 1. #SPSBE End to End SharePoint Security #SPSBE19
    Michael Noel, @MichaelTNoel
  • 2. MICHAEL NOEL
    • Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007 Unleashed,” “SharePoint 2003 Unleashed”, “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed”, “ISA Server 2006 Unleashed”, and many other titles.
    • Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco Bay Area based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security
  • 3. SHAREPOINT SECURITY: LAYERS OF SECURITY IN A SHAREPOINT ENVIRONMENT
    • 1: Infrastructure Security
      • Physical Security
      • Best Practice Service Account Setup
      • Kerberos Authentication
    • 2: Data Security
      • Role Based Access Control (RBAC)
      • Transparent Data Encryption (TDE) of SQL Databases
      • Antivirus
    • 3: Transport Security
      • Secure Sockets Layer (SSL) from Client to Server
      • IPSec from Server to Server
    • 4: Edge Security
      • Inbound Internet Security (Forefront UAG/TMG)
    • 5: Rights Management
  • 4. INFRASTRUCTURE SECURITY (Layer 1, section divider)
  • 5. LAYER 1: INFRASTRUCTURE SECURITY – SAMPLE LIST OF SERVICE ACCOUNTS
    Service Account Name | Role of Service Account | Special Permissions
    COMPANYABC\SRV-SP-Setup | SharePoint Installation Account | Local Admin on all SP Servers (for installs)
    COMPANYABC\SRV-SP-SQL | SQL Service Account(s) – Should be separate admin accounts from SP accounts. | Local Admin on Database Server(s) (Generally, some exceptions apply)
    COMPANYABC\SRV-SP-Farm | SharePoint Farm Account(s) – Can also be standard admin accounts. RBAC principles apply ideally. | N/A
    COMPANYABC\SRV-SP-Search | Search Account | N/A
    COMPANYABC\SRV-SP-Content | Default Content Access Account | Read rights to any external data sources to be crawled
    COMPANYABC\SRV-SP-Prof | Default Profiles Access Account | Member of Domain Users (to be able to read attributes from users in domain) and 'Replicate Directory Changes' rights in AD – Temporary Farm Admin and Local Admin (for provisioning of UPA).
    COMPANYABC\SRV-SP-AP-SPCA | Application Pool Identity account for SharePoint Central Admin. | DBCreator and Security Admin on SQL. Create and Modify contacts rights in OU used for mail.
    COMPANYABC\SRV-SP-AP-Data | Application Pool Identity account for the Content related App Pool (Portal, MySites, etc.). Additional as needed for security. | N/A
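Added example, not part of the deck: T-SQL that grants the Central Admin application pool account exactly the two server roles the table above lists for it (DBCreator and Security Admin) and then audits every SharePoint service login on the instance for fixed server role membership beyond that baseline. The login names follow the table's COMPANYABC\SRV-SP-* convention and are assumptions to adjust for the farm; the script runs on the SQL Server instance that hosts the farm databases.

```sql
-- Added example (not from the deck): least-privilege SQL roles for the
-- Central Admin app pool account, plus an audit of all SRV-SP-* logins.
-- Login names follow the deck's COMPANYABC\SRV-SP-* convention (assumed).
USE master;
GO

-- Create the Windows login for the SPCA app pool identity if it is missing.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'COMPANYABC\SRV-SP-AP-SPCA')
    CREATE LOGIN [COMPANYABC\SRV-SP-AP-SPCA] FROM WINDOWS;
GO

-- Exactly the roles the service account table calls for: dbcreator so the
-- farm can provision databases, securityadmin so it can add the other farm
-- logins. Nothing here grants sysadmin.
-- sp_addsrvrolemember works on SQL 2008, 2008 R2 and 2012; on 2012 and later
-- ALTER SERVER ROLE <role> ADD MEMBER <login> is the newer form.
EXEC sp_addsrvrolemember @loginame = N'COMPANYABC\SRV-SP-AP-SPCA', @rolename = N'dbcreator';
EXEC sp_addsrvrolemember @loginame = N'COMPANYABC\SRV-SP-AP-SPCA', @rolename = N'securityadmin';
GO

-- Audit: fixed server role membership for every SharePoint service login.
-- Compare each row against the service account table; a SharePoint app pool
-- or farm account holding sysadmin exceeds the RBAC baseline and should be
-- reviewed (the SQL service account itself is a separate case).
SELECT
    m.name AS login_name,
    r.name AS role_name,
    CASE WHEN r.name = N'sysadmin'
         THEN 'REVIEW: exceeds RBAC baseline from the service account table'
         ELSE 'ok' END AS finding
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name LIKE N'COMPANYABC\SRV-SP-%'
ORDER BY m.name, r.name;
```

The audit query is the part worth scheduling: app pool accounts tend to accumulate sysadmin during troubleshooting and never lose it, and sys.server_role_members is the authoritative place to catch that.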
  • 6. LAYER 1: INFRASTRUCTURE SECURITY – ENABLE KERBEROS
    • When creating any Web Applications in Classic-mode, USE KERBEROS. It is much more secure and also faster under heavy load, as the SP server doesn't have to keep sending authentication requests to AD.
    • Kerberos auth does require extra steps, which makes people shy away from it, but once configured, it improves security considerably and can improve performance on high-load sites.
    • Should also be configured on the SPCA Site! (Best Practice = Configure SPCA for NLB, SSL, and Kerberos, i.e. https://spca.companyabc.com)
  • 7. LAYER 1: INFRASTRUCTURE SECURITY – KERBEROS STEP 1: CREATE THE SERVICE PRINCIPAL NAMES
    • Use the setspn utility to create Service Principal Names in AD, with syntax such as the following:
      Setspn.exe -A HTTP/mysite.companyabc.com DOMAINNAME\MYSiteAppAccount
      Setspn.exe -A HTTP/mysite DOMAINNAME\MYSITEAppAccount
      Setspn.exe -A HTTP/home.companyabc.com DOMAINNAME\HOMEAppAccount
      Setspn.exe -A HTTP/sp DOMAINNAME\HOMEAppAccount
  • 8. LAYER 1: INFRASTRUCTURE SECURITY – KERBEROS STEP 2: ENABLE KERBEROS BETWEEN SP AND SQL
    • Use setspn to create SPNs for the SQL Service Account
    • SPNs need to match the name that SharePoint uses to connect to SQL (ideally a SQL Alias, more on this later)
    • Syntax similar to the following:
      Setspn.exe -A MSSQLSvc/spsql:1433 COMPANYABC\SRV-SQL-DB
      Setspn.exe -A MSSQLSvc/spsql.companyabc.com:1433 COMPANYABC\SRV-SQL-DB
    • MSSQLSvc = Default instance; if a named instance, specify the instance name instead
    • In this example, SRV-SQL-DB is the SQL Admin account and spsql.companyabc.com is the alias used to connect to the SQL server (Listener/Client Access Point if using AlwaysOn Availability Groups with SQL 2012)
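Added example, not part of the deck: a T-SQL check for the SP-to-SQL Kerberos step above. Registering the SPNs is only half the work; if the SPN does not match the name the farm connects with, Windows silently falls back to NTLM and nothing in Central Admin tells you. This query runs on the SQL Server instance and reads sys.dm_exec_connections and sys.dm_exec_sessions to show which scheme each SharePoint login actually negotiated. The COMPANYABC\SRV-SP-% login filter assumes the naming convention from the service account table and should be adjusted to match the farm.

```sql
-- Added example (not from the deck): verify that SharePoint's connections to
-- SQL Server really negotiated Kerberos rather than falling back to NTLM.
-- Run on the SQL instance. Login filter assumes the deck's COMPANYABC\SRV-SP-*
-- naming convention; change it to match the farm's accounts.

-- 1. Which service account does the SQL engine actually run as? The SPN must
--    be registered against this account, not some other admin account
--    (sys.dm_server_services exists from SQL 2008 R2 SP1 onward).
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 2. Authentication scheme per SharePoint login and originating server.
--    auth_scheme is KERBEROS, NTLM or SQL.
SELECT
    s.login_name,
    s.host_name,                      -- SharePoint server that opened the session
    c.auth_scheme,
    c.net_transport,
    COUNT(*) AS session_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND s.login_name LIKE N'COMPANYABC\SRV-SP-%'
GROUP BY s.login_name, s.host_name, c.auth_scheme, c.net_transport
ORDER BY s.login_name, s.host_name;

-- 3. The same check for the session you are running this from (useful when
--    testing from a SharePoint server with the farm account).
SELECT auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

Any row showing NTLM for a farm login means the SPN lookup failed. The usual causes, all fixable on the slides above, are an SPN registered against a name other than the alias the farm uses (e.g. the alias resolves to spsql.companyabc.com but only the host's own name has an SPN), an SPN registered to an account other than the one in sys.dm_server_services, or a duplicate SPN on two accounts.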
  • 9. LAYER 1: INFRASTRUCTURE SECURITY – KERBEROS STEP 3: ALLOW ACCOUNTS TO DELEGATE (OPTIONAL)
    • Required only for Excel Services and other impersonation applications.
    • On all SP Computer accounts and on the Application Identity accounts, check the box in ADUC to allow for delegation.
    • In ADUC, navigate to the computer or user account, right-click and choose Properties.
    • Go to the Delegation tab
    • Choose Trust this user/computer for delegation to any service (Kerberos)
  • 10. LAYER 1: INFRASTRUCTURE SECURITY – KERBEROS STEP 4: ENABLE KERBEROS ON WEB APPLICATION
    • Go to Application Management – Authentication Providers
    • Choose the appropriate Web Application
    • Click on the link for 'Default' under Zone
    • Change to Integrated Windows Authentication - Kerberos (Negotiate)
    • Run iisreset /noforce from the command prompt
    • If creating the Web App from scratch, this step may be unnecessary if you choose Negotiate from the beginning
  • 11. DATA SECURITY (Layer 2, section divider)
  • 12. LAYER 2: DATA SECURITY – ROLE BASED ACCESS CONTROL (RBAC)
    • Role Groups defined within Active Directory (Universal Groups) – i.e. 'Marketing,' 'Sales,' 'IT,' etc.
    • Role Groups added directly into SharePoint 'Access Groups' such as 'Contributors,' 'Authors,' etc.
    • Simply by adding a user account into the associated Role Group, they gain access to whatever rights their role requires.
    [Diagram: User1 and User2 are members of a Role Group; the Role Group, or the SharePoint Group it is placed in, holds the direct rights to SP]
  • 13. LAYER 2: DATA SECURITY SQL TRANSPARENT DATA ENCRYPTION (TDE) • SQL Server 2008, 2008 R2, 2012 Enterprise Edition Feature • Encrypts SQL Databases Transparently, SharePoint is unaware of the encryption and does not need a key • Encrypts the backups of the database as well
  • 14. LAYER 2: DATA SECURITY TDE VS. CELL LEVEL ENCRYPTION • Available with either SQL 2005, SQL 2008, or SQL 2012 • Encrypts individual cells in a database • Requires a password to access the cell • Requires that columns be changed from their original data type to varbinary • Advantage is that only specific info is encrypted • Disadvantage is that you cannot use this for SharePoint Databases
  • 15. LAYER 2: DATA SECURITY TDE VS. FILE LEVEL ENCRYPTION • Two forms, older Encrypting File System (EFS) and Bitlocker • EFS encrypts data at the File Level • Bitlocker encrypts data at the Volume Level • Bitlocker Encrypts every file on the disk, not just database files • Could be used together with TDE
  • 16. LAYER 2: DATA SECURITY SQL TRANSPARENT DATA ENCRYPTION (TDE) LIMITATIONS • Does not encrypt the Communication Channel (IPSec can be added) • Does not protect data in memory (DBAs could access) • Cannot take advantage of SQL 2008 Backup Compression • TempDB is encrypted for the entire instance, even if only one DB is enabled for TDE, which can have a performance effect for other DBs • Replication or FILESTREAM data is not encrypted when TDE is enabled (i.e. RBS BLOBs not encrypted)
• 17. Key and OS Level Hierarchy
  • Windows (OS level): Data Protection API (DPAPI) – DPAPI encrypts the SMK
  • SQL Instance level: Service Master Key (SMK) – SMK encrypts the DMK for the master DB
  • master DB level: Database Master Key (DMK) – DMK creates the Certificate in the master DB
  • master DB level: Certificate – Certificate encrypts the DEK in the Content DB
  • Content DB level: Database Encryption Key (DEK) – DEK used to encrypt the Content DB
• 18. LAYER 2: DATA SECURITY SQL TDE STEP 1: CREATING THE DATABASE MASTER KEY (DMK)
  • Symmetric key used to protect private keys and asymmetric keys
  • Protected itself by the Service Master Key (SMK), which is created by SQL Server setup
  • Use syntax as follows:
      USE master;
      GO
      CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC';
      GO
• 19. LAYER 2: DATA SECURITY SQL TDE STEP 2: CREATING THE TDE CERTIFICATE
  • Protected by the DMK
  • Used to protect the database encryption key
  • Use syntax as follows:
      USE master;
      GO
      CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate';
      GO
• 20. LAYER 2: DATA SECURITY SQL TDE STEP 3: BACKUP THE MASTER KEY
  • Without a backup, data can be lost
  • Backup creates two files, the Cert backup and the Private Key File
  • Use following syntax:
      USE master;
      GO
      BACKUP CERTIFICATE CompanyABCtdeCert
        TO FILE = 'c:\Backup\CompanyABCtdeCERT.cer'
        WITH PRIVATE KEY (
          FILE = 'c:\Backup\CompanyABCtdeDECert.pvk',
          ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' );
      GO
• 21. LAYER 2: DATA SECURITY SQL TDE STEP 4: CREATING THE DATABASE ENCRYPTION KEY (DEK)
  • DEK is used to encrypt a specific database
  • One created for each database
  • Encryption method can be chosen for each DEK
  • Use following syntax:
      USE SharePointContentDB;
      GO
      CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert;
      GO
• 22. LAYER 2: DATA SECURITY SQL TDE STEP 5: ENABLE TDE ON THE DATABASE(S)
  • Data encryption will begin after running the command
  • Size of DB will determine the time it will take; can be lengthy and could cause user blocking
  • Use following syntax:
      USE SharePointContentDB;
      GO
      ALTER DATABASE SharePointContentDB SET ENCRYPTION ON;
      GO
• 23. LAYER 2: DATA SECURITY SQL TDE STEP 6: MONITOR THE TDE ENCRYPTION PROGRESS
  • State is returned
  • State of 2 = Encryption Begun
  • State of 3 = Encryption Complete
  • Use following syntax:
      USE SharePointContentDB;
      GO
      SELECT * FROM sys.dm_database_encryption_keys WHERE encryption_state = 3;
      GO
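The six TDE steps above as one T-SQL script, an added example rather than the presenter's code: it keeps the slides' names SharePointContentDB and CompanyABCtdeCert, substitutes placeholder passwords and file paths, and widens the step 6 query to report percent_complete and a readable state for every database on the instance instead of only those already at state 3.

```sql
-- Added worked example, not from the deck: TDE steps 1-6 as one script plus a
-- richer progress/verification query. Database and certificate names come from
-- the slides; passwords and file paths are placeholders.
USE master;
GO
-- Step 1: Database Master Key in master, itself protected by the Service Master Key
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<StrongDmkPassword>';
GO
-- Step 2: server certificate that will protect each content DB's DEK
CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate';
GO
-- Step 3: back up the certificate and private key BEFORE enabling TDE;
-- without these two files an encrypted DB cannot be restored anywhere else
BACKUP CERTIFICATE CompanyABCtdeCert
    TO FILE = 'C:\Backup\CompanyABCtdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Backup\CompanyABCtdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<StrongPvkPassword>');
GO
-- Step 4: one DEK per database, encrypted by the server certificate
USE SharePointContentDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert;
GO
-- Step 5: enable TDE; the background scan is I/O heavy and can take a long time
ALTER DATABASE SharePointContentDB SET ENCRYPTION ON;
GO
-- Step 6: monitor progress for every DB on the instance. tempdb shows up as well,
-- because it is encrypted instance-wide as soon as any database is TDE-enabled.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       CASE k.encryption_state
            WHEN 0 THEN 'No DEK present'
            WHEN 1 THEN 'Unencrypted'
            WHEN 2 THEN 'Encryption in progress'
            WHEN 3 THEN 'Encrypted'
            WHEN 4 THEN 'Key change in progress'
            WHEN 5 THEN 'Decryption in progress'
       END AS state_description,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name AS protecting_certificate
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint;
GO
```

Run the final SELECT repeatedly until every content database reports state 3; a row whose protecting_certificate is NULL means the DEK was encrypted by a certificate that no longer exists on this instance.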
• 24. LAYER 2: DATA SECURITY SQL TDE: RESTORING A TDE DATABASE TO ANOTHER SERVER
  • Step 1: Create new Master Key on Target Server (does not need to match source master key)
  • Step 2: Backup Cert and Private Key from Source
  • Step 3: Restore Cert and Private Key onto Target (no need to export the DEK as it is part of the backup)
      USE master;
      GO
      CREATE CERTIFICATE CompanyABCtdeCert
        FROM FILE = 'C:\Restore\CompanyABCtdeCert.cer'
        WITH PRIVATE KEY (
          FILE = 'C:\Restore\CompanyABCtdeCert.pvk',
          DECRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' );
      GO
  • Step 4: Restore DB
  • 25. LAYER 2: DATA SECURITY SHAREPOINT ANTIVIRUS
• 27. LAYER 2: DATA SECURITY SHAREPOINT ANTIVIRUS VSAPI • Realtime scanning only uses the VSAPI • Realtime Scan Settings are administered through the SharePoint Central Admin Tool • Realtime Options are grayed out in the Forefront Admin Console
  • 28. LAYER 2: DATA SECURITY SHAREPOINT ANTIVIRUS: FPS KEYWORD AND FILE FILTERING • Look for specific keywords (sensitive company info, profanity, etc.) • Block • Simply detect and notify • Create Filter List • Add Keywords, either manually or bulk as lines in a text file
• 29. LAYER 2: DATA SECURITY SHAREPOINT ANTIVIRUS: FPS PROFANITY FILTERS • New Profanity lists in 11 languages available in SP2 • (Run KeywordInstaller.msi to install) • Import the lists into FF from Program Files\Microsoft Forefront Security\SharePoint\Data\Example Keywords
• 32. LAYER 3: TRANSPORT SECURITY CLIENT TO SERVER: USING SECURE SOCKETS LAYER (SSL) ENCRYPTION • External or Internal Certs highly recommended • Protects Transport of content • 20% overhead on Web Servers • Can be offloaded via SSL offloaders if needed • Don't forget for SPCA as well!
  • 33. LAYER 3: TRANSPORT SECURITY SERVER TO SERVER: USING IPSEC TO ENCRYPT TRAFFIC • By default, traffic between SharePoint Servers (i.e. Web and SQL) is unencrypted • IPSec encrypts all packets sent between servers in a farm • For very high security scenarios when all possible data breaches must be addressed
  • 34. EDGE SECURITY Layer
  • 35. LAYER 4: EDGE SECURITY FOREFRONT UNIFIED ACCESS GATEWAY (UAG) 2010
• 36. LAYER 4: EDGE SECURITY UAG COMPARISON WITH FOREFRONT TMG
Capability                                                                      TMG 2010   UAG 2010
Publish Web applications using HTTPS                                            X          X
Publish internal mobile applications to roaming mobile devices                  X          X
Layer 3 firewall                                                                X          X
Outbound scenarios support                                                      X          X
Array support                                                                   X          X
Globalization and administration console localization                           X          X
Wizards and predefined settings to publish SharePoint sites and Exchange        X          X
Rich authentication (for example, one-time password, forms-based, smart card)   X          X
Application protection (Web application firewall)                               Basic      Full
Active Directory Federation Services (ADFS) support                                        X
Information leakage prevention                                                             X
Granular access policy                                                                     X
Unified Portal                                                                             X
  • 38. LAYER 5: RIGHTS MANAGEMENT ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES (AD RMS) • AD RMS is a form of Digital Rights Management (DRM) technology, used in various forms to protect content • Used to restrict activities on files AFTER they have been accessed: • Cut/Paste • Print • Save As… • Directly integrates with SharePoint DocLibs
  • 39. LAYER 5: RIGHTS MANAGEMENT HOW AD RMS WORKS 1. On first use, authors receive client licensor certificate from RMS server 2. Author creates content and assigns rights 3. File is distributed to recipient(s) 4. Recipient opens file, and their RMS client contacts server for user validation and to obtain a license 5. Application opens the file and enforces the restrictions
  • 40. LAYER 5: RIGHTS MANAGEMENT INSTALLING AD RMS – KEY STORAGE • Select Cluster Key Storage • CSP used for advanced scenarios
  • 41. LAYER 5: RIGHTS MANAGEMENT INSTALLING AD RMS – CREATING THE CLUSTER NAME
  • 42. LAYER 5: RIGHTS MANAGEMENT INSTALLING AD RMS – USING AN SSL CERT FOR TRANSPORT ENCRYPTION
• 43. LAYER 5: RIGHTS MANAGEMENT ALLOWING SHAREPOINT TO USE AD RMS • By default, the RMS server is configured to only allow the local system account of the RMS server or the Web Application Identity accounts to access the certificate pipeline directly • SharePoint web servers and/or Web Application Service Accounts need to be added to this security list • Add the RMS Service Group, the machine account(s) of the SharePoint Server and the Web App Identity accounts with Read and Execute permissions to the ServerCertification.asmx file in the %systemroot%\inetpub\wwwroot\_wmcs\Certification folder on the RMS server
  • 44. LAYER 5: RIGHTS MANAGEMENT CLIENT ACCESSING AD RMS DOCUMENTS • Effective permissions can be viewed from the document • The RMS client will enforce the restrictions
  • 45. SESSION SUMMARY • Determine Security Risk for your SharePoint Environment • Identify any Regulatory Compliance Requirements for SharePoint • Determine which aspects of SharePoint need to be secured, touching on all five layers of SharePoint Security
  • 46. Michael Noel Twitter: @MichaelTNoel www.cco.com Slides: slideshare.net/michaeltnoel Travel blog: sharingtheglobe.com