SharePoint Authorization and Authentication-Controlling Access to Documents and Data
•Download as PPTX, PDF•
0 likes•856 views
Slides accompanied my presentation at SPTechCon Austin 2015
Recommended
Recommended
More Related Content
What's hot
What's hot (12)
Similar to SharePoint Authorization and Authentication-Controlling Access to Documents and Data
Similar to SharePoint Authorization and Authentication-Controlling Access to Documents and Data (20)
More from Tom Resing
More from Tom Resing (20)
Recently uploaded
Recently uploaded (20)
SharePoint Authorization and Authentication-Controlling Access to Documents and Data
- 1. Tom Resing, MCM + Author Managing Authentication and Authorization -- Controlling Access to Documents and Data
- 2. Photo by mbrand - Creative Commons Attribution-NonCommercial License https://www.flickr.com/photos/87317539@N00 Created with Haiku Deck
- 3. Photo by YanivG - Creative Commons Attribution-NonCommercial-ShareAlike License https://www.flickr.com/photos/17796222@N00 Created with Haiku Deck
- 4. Photo by ell brown - Creative Commons Attribution License https://www.flickr.com/photos/39415781@N06 Created with Haiku Deck
- 5. Photo by cackhanded - Creative Commons Attribution-NonCommercial License https://www.flickr.com/photos/37354253@N00 Created with Haiku Deck
- 6. Photo by mikecogh - Creative Commons Attribution-NonCommercial-ShareAlike License https://www.flickr.com/photos/89165847@N00 Created with Haiku Deck
- 7. Photo by Jamison_Judd - Creative Commons Attribution License https://www.flickr.com/photos/14072475@N07 Created with Haiku Deck
- 8. Photo by Stuck in Customs - Creative Commons Attribution-NonCommercial-ShareAlike License https://www.flickr.com/photos/95572727@N00 Created with Haiku Deck
- 9. Photo by kevin dooley - Creative Commons Attribution License https://www.flickr.com/photos/12836528@N00 Created with Haiku Deck
- 11. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 11 Tom Resing 2x Past Microsoft Most Valuable Professional (MVP) Award Winner 2013, 2014
- 12. The leading provider of modern communication and collaboration solutions for business.
- 14. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 14 Authentication Topics • Authentication Types • Focus on Claims • Active Directory Integration
- 17. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 17 • Most common authentication provider for SharePoint • Easy to use with claims or classic mode • Integrates with Active Directory Federation Services (AD FS) for SAML 2.0 support Active Directory
- 19. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 19 Hierarchy Topics • Physical Security • Network Security • Content Databases • Farm Level • SharePoint Objects and Groupings
- 20. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 20 Physical and Network Security • Servers • Backups • Tapes • File copies • Network
- 21. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 21 • Wikipedia says: “In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or aprogram depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.[1][2]”- • Must apply at every level – Including the file system and tape backups! Principle Of Least Privilege
- 23. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 23 Authorization Topics • Permissions Boundaries • Self Service Site Creation • Managing Authentication and Authorization with PowerShell • Troubleshooting Tools • Search Permission Trimming
- 24. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 24 User Policy
- 25. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 25 • Example: My Sites Self Service Site Creation
- 26. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 26 • Create Classic Mode Web Application https://technet.microsoft.com/en-us/library/gg276326.aspx • Turn on Developer Dashboard PowerShell Tips New-SPWebApplication -Name “Classic AuthN Site" -ApplicationPool “OctoberSP AppPool"-ApplicationPoolAccount (Get-SPManagedAccount "CONTOSOsp_farm") -Port 81 -URL "http://octobersp.cloudapp.net/" $svc = [Microsoft.SharePoint.Administration.SPWebService]::ContentService $dds = $svc.DeveloperDashboardSettings $dds.DisplayLevel = "On" $dds.Update()
- 27. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 27 ULS Viewer
- 28. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 28 • Honors permissions – Must be maintained Search
- 30. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 30 Reference ULSViewer.exe download (MSDN archive version) http://www.benjaminathawes.com/2014/05/26/ulsviewer-exe-download/ Plan self-service site creation in SharePoint 2013 https://technet.microsoft.com/en-us/library/cc263483.aspx Fiddler http://www.telerik.com/fiddler
- 31. © 2015 Jive Software, Inc. All rights reserved | Jive Confidential Page 31 Reference What’s new in SharePoint 2013 Administration – Todd and Shane Professional SharePoint 2013 Administration (2010 edition, too)
- 32. Tom Resing’s SharePoint Blog www.tomresing.com Email Resingnet-website@yahoo.com Twitter @resing Connect
- 33. © 2015 Jive Software, Inc. All rights reserved | Jive ConfidentialJive is the leading provider of modern communication and collaboration solutions for business. For more information, visit www.jivesoftware.com
Editor's Notes
- One of SharePoint's core strengths is secure content management on the web. Maybe because of that core strength, managing access to that content is one of the more common pains, as well. As a SharePoint Administrator, questions about securing SharePoint and its content are often thrown your way. In this class, we'll discuss access considerations which are key from the planning and architecture through end user support and disaster recovery. 8:30AM-9:45 1hr15min Areas covered will include: Authentication Types; Permissions Boundaries; Self Service Site Creation; Managing Authentication and Authorization with PowerShell; Troubleshooting Tools; Active Directory Integration; Search Permission Trimming
- I’m proud to work at Jive Software, a recognized leader in modern communication for business. Feel free to ask me more about it after the presentation.
- Let's dive into authentication.
- SharePoint itself, doesn't authenticate your users. Never has. Whenenever you enter your username and password
- Here’s what the new web application screen looks like in 2010. Note the choice of claims or classic.
- It’s the third element I mentioned, but the first I’d like to dig deeper into. Let’s take a look at the layers of access control.
- The layers of SharePoint are many. The first two topics are really not SharePoint Specific. I’ll spend less time on them.
- The first layer is physical security, You may not always have direct influence or responsibility for the full physical security of your documents and data, but as an IT Pro with SharePoint responsibility you will always have some. Physical access control to the hardware is probably the most obvious. For the most part, we’ve moved beyond the days of SharePoint running on desktop PCs sitting under someone’s desk for more reasons than just security. Most customers I’ve worked with in the last 7 years offered very little physical access to the actual servers running their SharePoint Farm, if any. What might be a little less obvious is physical access to other SharePoint related assets. In the case of Edward Snowden, I believe he got access to the SharePoint content databases, even though access to them wasn’t needed for his role. It could have been access to a backup of the database, either on a file share or a physical copy on a tape. Or, through his user account, he may have had direct network access to the server through the network. If you’re responsible for access control to documents and data stored in SharePoint, it’s your responsibility to limit that access.
- It’s the third element I mentioned, but the first I’d like to dig deeper into. Let’s take a look at the layers of access control.
- The layers of SharePoint are many. The first two topics are really not SharePoint Specific. I’ll spend less time on them.
- Let’s talk about a web application layer override called User Policy. User Policy can be applied to users or groups of users on a web application zone level. My recommendation is to ignore this screen, in most cases. Why? Because the site collection administrators have no visibility into these settings. In the end, it causes confusion when their permission settings don’t work. Two exceptions. 1) If it entirely obvious why you’re doing this and it won’t cause confusion or 2) You need to apply a user policy to a service account for configuration
- SharePoint’s logging system is great for all things SharePoint. Make sure to visit your familiar Windows Event Viewer for System, Application and Security logs from Windows and IIS. Those aren’t in ULS and can be very helpful for troubleshooting Authentication issues.