Transcript Slide 1

Communication & Collaboration
Comprehensive Security for Microsoft Office
SharePoint Server 2007
Presented by: Yaroslav Pentsarskyy
Blog: www.sharemuch.com
Twitter: @spentsarsky
Agenda
• SharePoint Security – What’s ‘IN’ the box?
• How can you leverage it?
• What’s NOT in the box?
• How can we solve it?
SharePoint Security we’ll talk about today
• IT administrators face the following security and access issues:
  • Authentication and authorization
  • Viruses, malware and inappropriate content
  • Information leakage prevention
Part 1 – What’s ‘IN’ the box?
Authentication – Who are you?
• Windows Authentication
• Extended Web Applications and Zones
• Authentication Providers
• Forms Based Authentication
• Single Sign On Service
Authorization – What can you do?
• Web Application Security Policy
• SharePoint Users and Groups
• Permission Levels and Permissions
• Securable Objects
WSS Authentication Providers
Windows Authentication
• IIS performs the authentication with the client
• Users are authenticated to a Windows account (AD or local)
• The only type supported in WSS V2 and SPS 2003
ASP.NET Forms Authentication
• Based on the ASP.NET 2.0 authentication provider framework
• IIS is configured for anonymous access; ASP.NET, not IIS, authenticates the user
Web Single Sign On
• Based on federation
Application Pool Identity
The WSS runtime is hosted by IIS application pools
• Each WSS Web Application runs in an IIS Web site
• Each IIS Web site runs within a specific IIS application pool
• The application pool identity is configured with a local or domain account
• A domain account is recommended in farms of two or more servers
SHAREPOINT\System Account
WSS 3.0 introduces the SHAREPOINT\system account
• Hides the IIS application pool identity from users
• Runs as God within the WSS authorization system: every SharePoint permission check passes
• Removes the need to treat the application pool identity as a site user
WSS Identity versus Windows Identity
• It’s important to understand the difference
• Inside the Web Application worker process on the Web server, SharePoint content (pages, lists and documents) is authorized using the SharePoint identity
• Resources outside SharePoint, such as the Northwind database on SQL Server or an XML file on the local file system, are authorized using the Windows identity
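The following is an added example, not code from the deck, that makes the two identities visible side by side. It assumes it runs inside a page or Web Part (so SPContext.Current is set) and uses a hypothetical lookup file path. It goes one step beyond the slide by showing the usual SPSecurity.RunWithElevatedPrivileges mistake: elevation swaps the Windows identity for the application pool account, but SPWeb objects created outside the delegate keep the caller’s SharePoint identity.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using Microsoft.SharePoint;

// Added example, not code from the deck. Assumes SPContext.Current is available
// (page or Web Part) and that the lookup file below exists (hypothetical path).
public static class IdentityDemo
{
    private const string LookupFile = @"C:\inetpub\wwwroot\wss\lookup.xml"; // hypothetical

    public static string Report()
    {
        // SPContext owns this SPWeb; do not dispose it.
        SPWeb web = SPContext.Current.Web;
        string report = "";

        // 1. SharePoint content is authorized against the caller's *SharePoint* identity.
        bool canEdit = web.DoesUserHavePermissions(SPBasePermissions.EditListItems);
        report += string.Format("SharePoint identity {0}, may edit list items: {1}\n",
                                web.CurrentUser.LoginName, canEdit);

        // 2. The file system and SQL Server see the *Windows* identity the thread runs as:
        //    normally the application pool account, or the caller only when the zone uses
        //    Windows authentication with impersonation and Kerberos delegation is configured.
        report += string.Format("Windows identity: {0}\n", WindowsIdentity.GetCurrent().Name);

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Inside the delegate the Windows identity is the application pool account, so
            // this read succeeds even if the caller has no NTFS rights on the file ...
            report += string.Format("Elevated Windows identity: {0}\n", WindowsIdentity.GetCurrent().Name);
            report += string.Format("Lookup file bytes: {0}\n", File.ReadAllBytes(LookupFile).Length);

            // ... but an SPWeb created *outside* the delegate still carries the caller's
            // SharePoint identity. Only a fresh SPSite opened here runs as SHAREPOINT\system.
            using (SPSite site = new SPSite(web.Site.ID))
            using (SPWeb systemWeb = site.OpenWeb(web.ID))
            {
                report += string.Format("Outside SPWeb user: {0}, new SPWeb user: {1}\n",
                                        web.CurrentUser.LoginName, systemWeb.CurrentUser.LoginName);
            }
        });
        return report;
    }
}
```

The converse also holds: SHAREPOINT\system is not a Windows account, so it never appears on a SQL Server or NTFS ACL; whatever the elevated block touches outside SharePoint is authorized as the application pool account.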
Authentication And WSS Zones
WSS authentication is configured in terms of zones
• There is one zone per IIS Web site
• Each zone has its own web.config file
• Each zone has exactly one authentication provider
• A Web Application can be extended with multiple zones
(Diagram) One extended Web Application, two zones, one content database:
• Zone 1, Default Zone: intranet user → http://inventory, Windows integrated authentication
• Zone 2, Extranet Zone: extranet user → http://inventory.partners.Litwareinc.com, forms-based authentication
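Because every zone carries its own authentication settings, the first check after extending a Web Application is to list what each zone actually does. The following is an added example, not code from the deck; the Web Application URL is hypothetical, and it must run as a farm administrator on a farm server. A zone published to the extranet but left on Windows authentication, or an extranet zone that still allows anonymous access, is the mistake it is meant to catch.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web.Configuration;
using Microsoft.SharePoint.Administration;

// Added example, not code from the deck. Reports how each zone of a web application
// authenticates. webAppUrl is hypothetical; run as a farm administrator on a farm server.
public static class ZoneAudit
{
    public static string Report(string webAppUrl)
    {
        SPWebApplication webApp = SPWebApplication.Lookup(new Uri(webAppUrl));
        StringBuilder sb = new StringBuilder();
        foreach (KeyValuePair<SPUrlZone, SPIisSettings> zone in webApp.IisSettings)
        {
            SPIisSettings s = zone.Value;
            sb.AppendFormat("{0,-9} {1,-45} auth={2}", zone.Key, webApp.GetResponseUri(zone.Key), s.AuthenticationMode);
            if (s.AuthenticationMode == AuthenticationMode.Forms)
                sb.AppendFormat(" membership={0} roles={1}", s.MembershipProvider, s.RoleManager); // the zone's providers
            else
                sb.AppendFormat(" kerberos={0}", !s.DisableKerberos);                                // NTLM fallback if false
            sb.AppendFormat(" anonymous={0}\n", s.AllowAnonymous);
        }
        return sb.ToString();
    }
}
```

Run it before and after extending a Web Application: the new zone should appear with the authentication mode you intended, and the Default zone should not have changed.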
Integrated Windows Authentication
Authentication using Windows protocols
• Enhancements to WSS V3 enable the Kerberos protocol
• WSS V3 still uses the NTLM protocol when necessary
• Authentication results in the creation of a Windows security token
(Diagram) Desktop (Windows XP: browser, Office 12, custom app) → Web Server (Windows Server 2003, WSS application) → Domain Controller (Windows Server 2003, Active Directory holding login/password entries for Bob, Mary and Wally); the WSS application receives the resulting Windows token
Default authentication mechanism
Pros
• Rich client application integration
• Native AD support
• Takes care of the authentication logistics out of the box
Forms-based Authentication (FBA)
WSS 3.0 supports the FBA introduced in ASP.NET 2.0
• Decouples SharePoint from Active Directory
• Based on pluggable authentication providers
• Providers available out of the box with ASP.NET 2.0
• Companies can create their own providers as well
(Diagram) Desktop (Windows XP: browser, Office app, custom app) → Internet → WSS application on the Web Server (Windows Server 2003) → authentication provider → identity store (an identity management app on Windows Server 2003, or the operating system) holding login/password entries for Bob, Mary and Wally
Alternative authentication method
Pros
• Supports more platforms
• Allows custom authentication steps
Custom membership provider
Check out available solutions, there is even …
Make your own
• A custom membership provider can be created as an assembly inheriting MembershipProvider
Custom membership provider – minimal logic
Custom membership provider – provisioning
What’s next
• Deploy the provider DLL to the GAC
• Set forms authentication on your site
• Modify the web.config of your site and of SharePoint Central Administration with the provider settings
• Set the site collection administrator for the site to an existing Custom Provider user
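The “minimal logic” and “provisioning” slides above were screenshots; the following is an added example, not code from the deck, of the smallest MembershipProvider that SharePoint 2007 FBA can actually use. The class name, the two sample accounts and the partners.example addresses are constructed for the example; a real provider would read its own identity store, but the salted PBKDF2 hashing and fixed-time comparison stay the same.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;

// Added example, not code from the deck. ValidateUser backs the FBA sign-in page; GetUser and
// FindUsersByName back the People Picker and "Add Users". Accounts are constructed in memory.
public class DemoMembershipProvider : MembershipProvider
{
    private class Record { public string Name; public string Email; public byte[] Salt; public byte[] Hash; }
    private readonly Dictionary<string, Record> _users = new Dictionary<string, Record>(StringComparer.OrdinalIgnoreCase);
    private string _applicationName = "/";
    private const int Pbkdf2Iterations = 10000;

    public DemoMembershipProvider()
    {
        // Constructed sample accounts: only salted PBKDF2 hashes are kept, never the passwords.
        Seed("bob", "bob@partners.example", "Bob's long p@ssphrase");
        Seed("mary", "mary@partners.example", "Mary's long p@ssphrase");
    }

    private void Seed(string name, string email, string password)
    {
        Record r = new Record(); r.Name = name; r.Email = email; r.Salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(r.Salt);
        r.Hash = Derive(password, r.Salt);
        _users[name] = r;
    }
    private static byte[] Derive(string p, byte[] salt) { return new Rfc2898DeriveBytes(p, salt, Pbkdf2Iterations).GetBytes(32); }

    // Compare every byte so a wrong password costs the same time however many bytes match.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public override bool ValidateUser(string username, string password)
    {
        Record r;
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
        if (!_users.TryGetValue(username, out r)) return false;   // same answer as a wrong password
        return FixedTimeEquals(Derive(password, r.Salt), r.Hash);
    }

    private MembershipUser ToUser(Record r)
    {
        return new MembershipUser(Name, r.Name, r.Name, r.Email, null, null, true, false,
            DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.MinValue);
    }
    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        Record r;
        return username != null && _users.TryGetValue(username, out r) ? ToUser(r) : null;
    }
    public override MembershipUser GetUser(object providerUserKey, bool userIsOnline) { return GetUser(providerUserKey as string, userIsOnline); }

    // The People Picker passes whatever was typed; treat it as a user name prefix.
    public override MembershipUserCollection FindUsersByName(string usernameToMatch, int pageIndex, int pageSize, out int totalRecords)
    {
        MembershipUserCollection found = new MembershipUserCollection();
        foreach (Record r in _users.Values)
            if (r.Name.StartsWith(usernameToMatch ?? "", StringComparison.OrdinalIgnoreCase)) found.Add(ToUser(r));
        totalRecords = found.Count;
        return found;
    }
    public override MembershipUserCollection GetAllUsers(int pageIndex, int pageSize, out int totalRecords) { return FindUsersByName("", pageIndex, pageSize, out totalRecords); }
    public override string GetUserNameByEmail(string email)
    {
        foreach (Record r in _users.Values) if (string.Equals(r.Email, email, StringComparison.OrdinalIgnoreCase)) return r.Name;
        return null;
    }
    public override MembershipUserCollection FindUsersByEmail(string emailToMatch, int pageIndex, int pageSize, out int totalRecords)
    {
        MembershipUserCollection found = new MembershipUserCollection();
        MembershipUser u = GetUser(GetUserNameByEmail(emailToMatch), false);
        if (u != null) found.Add(u);
        totalRecords = found.Count;
        return found;
    }

    // Policy advertised to ASP.NET. Passwords are managed outside SharePoint in this store,
    // so every write operation is refused explicitly rather than silently faked.
    public override string ApplicationName { get { return _applicationName; } set { _applicationName = value; } }
    public override bool EnablePasswordReset { get { return false; } }
    public override bool EnablePasswordRetrieval { get { return false; } }
    public override bool RequiresQuestionAndAnswer { get { return false; } }
    public override bool RequiresUniqueEmail { get { return true; } }
    public override int MaxInvalidPasswordAttempts { get { return 5; } }
    public override int PasswordAttemptWindow { get { return 10; } }
    public override int MinRequiredPasswordLength { get { return 12; } }
    public override int MinRequiredNonAlphanumericCharacters { get { return 1; } }
    public override string PasswordStrengthRegularExpression { get { return ""; } }
    public override MembershipPasswordFormat PasswordFormat { get { return MembershipPasswordFormat.Hashed; } }
    public override int GetNumberOfUsersOnline() { return 0; }
    public override bool UnlockUser(string userName) { return false; }
    public override bool ChangePassword(string u, string oldPw, string newPw) { throw new NotSupportedException(); }
    public override bool ChangePasswordQuestionAndAnswer(string u, string p, string q, string a) { throw new NotSupportedException(); }
    public override MembershipUser CreateUser(string u, string p, string e, string q, string a, bool approved, object key, out MembershipCreateStatus status) { throw new NotSupportedException(); }
    public override bool DeleteUser(string username, bool deleteAllRelatedData) { throw new NotSupportedException(); }
    public override string GetPassword(string username, string answer) { throw new NotSupportedException(); }
    public override string ResetPassword(string username, string answer) { throw new NotSupportedException(); }
    public override void UpdateUser(MembershipUser user) { throw new NotSupportedException(); }
}
```

Deployment follows the list above: sign the assembly, put it in the GAC, add it under `<system.web><membership><providers>` in the web.config of the extended zone and of Central Administration (the latter is what lets the People Picker resolve these users when you set the site collection administrator), then select it as the zone’s membership provider in Authentication Providers. Note that the advertised lockout values are only advertised here; a production provider must enforce MaxInvalidPasswordAttempts in its store, or the sign-in page becomes a password-guessing oracle.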
Extend the Web Application
Authentication Provider
Remember: authentication is by ZONE!
• E.g. Extranet
Extranet Zone Configuration
Forms Based Sign In Page
Where to go from here?
• Community Kit for SharePoint – http://www.codeplex.com/cks
• Has great tools and support for administration of FBA users
• Also has “SharePoint” versions of all the out-of-the-box membership provider controls – sign me up, forgot password, etc.
MOSS Single Sign-On Service
Provides credential mapping
• Maps identities between identity management systems
• E.g. map an authenticated Windows user to SAP credentials
• Stores credentials in encrypted form in the SSO database
Where is it used?
• Custom Web Parts, BDC, Excel Services, etc.
(Diagram) Bob’s browser → MOSS farm Web Server (BDC Web Parts, custom Web Parts) → SSO database → LOB systems: SAP, DB2, “some really old database”
Demo: Authentication
Part 1 – What’s ‘IN’ the box? (agenda slide repeated)
Authorization – What can you do?
Assignment of User Rights
This is done at several different levels
• Farm
• Web Application
• Site Collection
• Site
General permission management
Web Application Security Policy
New with WSS 3.0
• Allows a farm administrator to grant or deny access across an entire Web Application
• A Web Application policy overrides site collection permissions: a Deny policy wins over any grant made inside the sites
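The following is an added example, not code from the deck, of the three policy operations a farm administrator actually performs: grant farm-wide read (typical for a search crawl or audit account), deny everything to a departed or compromised account, and list who currently holds a policy. The Web Application URL and account names are hypothetical, and the code must run as a farm administrator on a farm server, since site owners cannot see or change policies.

```csharp
using System;
using System.Text;
using Microsoft.SharePoint.Administration;

// Added example, not code from the deck. webAppUrl and account names are hypothetical;
// run as a farm administrator on a farm server (e.g. a small console tool).
public static class WebAppPolicyDemo
{
    // Read access to every site collection in the web application, in every zone.
    // Use webApp.ZonePolicies(SPUrlZone.Extranet) instead of webApp.Policies to scope a policy to one zone.
    public static void GrantFullRead(string webAppUrl, string loginName, string displayName)
    {
        SPWebApplication webApp = SPWebApplication.Lookup(new Uri(webAppUrl));
        SPPolicyRole fullRead = webApp.PolicyRoles.GetSpecialRole(SPPolicyRoleType.FullRead);
        SPPolicy policy = webApp.Policies.Add(loginName, displayName);
        policy.PolicyRoleBindings.Add(fullRead);
        webApp.Update();
    }

    // A deny policy overrides every permission the account holds inside the site collections:
    // the quickest way to cut off a departed user or a compromised account across the web application.
    public static void DenyAll(string webAppUrl, string loginName, string displayName)
    {
        SPWebApplication webApp = SPWebApplication.Lookup(new Uri(webAppUrl));
        SPPolicy policy = webApp.Policies.Add(loginName, displayName);
        policy.PolicyRoleBindings.Add(webApp.PolicyRoles.GetSpecialRole(SPPolicyRoleType.DenyAll));
        webApp.Update();
    }

    // Policies bypass the site collections' own permission management, so review them regularly:
    // anything holding Full Control here is effectively a site collection administrator everywhere.
    public static string ListPolicies(string webAppUrl)
    {
        SPWebApplication webApp = SPWebApplication.Lookup(new Uri(webAppUrl));
        StringBuilder sb = new StringBuilder();
        foreach (SPPolicy policy in webApp.Policies)
            foreach (SPPolicyRole role in policy.PolicyRoleBindings)
                sb.AppendFormat("{0,-45} {1}{2}\n", policy.UserName, role.Name, policy.IsSystemUser ? " (system)" : "");
        return sb.ToString();
    }
}
```

Because a Deny policy is evaluated before any site-level grant, it is the right tool for an incident: revoking group memberships across dozens of site collections is slow and easy to get wrong, while one DenyAll takes effect on the next request.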
SharePoint Groups
Features Out of the Box Groups
• A group has an assigned permission level
• Can place AD users or AD groups in SharePoint groups
• Then assign permissions (e.g. to a Document Library) to the SharePoint group
• You can create your own SharePoint groups with custom permission levels
Adding a User to the Site / Site Collection
Add the user to a group or individually
• Can directly assign a permission level, including custom ones
Permission Levels
WSS rights are managed through permission levels
• Each permission level consists of a set of rights
• A permission level defines the rights required by a business role
• Defined on a per-site basis
• Permissions are assigned to people and groups
Manage permission levels
Permissions Managed Using Rights
Securable Objects
site collection
  top-level site
    list1
      item1
      item2
    documentlibrary1
      document1
      document2
    childsite1
      list1
        item1
        item2
Custom Permissions to Securable Object
Permissions are set to Inherit from Parent by default
• Can “break” the chain at any point
• But you are then on your own to maintain it
• Always leave the Owners group its access!
Permission inheritance and breaking inheritance
Permission inheritance and resuming inheritance
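The following is an added example, not code from the deck, that puts the last four slides together in the object model: a custom permission level, a SharePoint group that holds it, a document library whose inheritance is broken so that only Owners and that group keep access, and the way back to inherited permissions. The site URL, library title, group name and account are hypothetical; siteUrl must be the site collection’s top-level site, because permission levels and SharePoint groups live at the site collection root.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example, not code from the deck. Site URL, library title, group and account names
// are hypothetical. siteUrl is the site collection's top-level site.
public static class LibraryPermissionsDemo
{
    // Read-and-approve: everything a reviewer needs, nothing that lets them edit or delete.
    private const SPBasePermissions ReviewerRights =
        SPBasePermissions.Open | SPBasePermissions.ViewPages | SPBasePermissions.ViewFormPages |
        SPBasePermissions.ViewListItems | SPBasePermissions.OpenItems |
        SPBasePermissions.ViewVersions | SPBasePermissions.ApproveItems;

    public static void LockDownLibrary(string siteUrl, string libraryTitle, string reviewerLogin)
    {
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            SPGroup owners = web.AssociatedOwnerGroup;
            if (owners == null) throw new InvalidOperationException("Site has no Owners group; refusing to lock down.");

            SPRoleDefinition reviewerLevel = EnsureRoleDefinition(web, "Reviewer", ReviewerRights);
            SPGroup reviewers = EnsureGroup(web, "Contract Reviewers", owners);
            reviewers.AddUser(web.EnsureUser(reviewerLogin));

            SPList library = web.Lists[libraryTitle];
            // Break inheritance *copying* the parent's assignments, then prune. Copying first
            // is what guarantees the Owners group is still there when everything else goes.
            if (!library.HasUniqueRoleAssignments)
                library.BreakRoleInheritance(true);

            List<SPPrincipal> toRemove = new List<SPPrincipal>();
            foreach (SPRoleAssignment ra in library.RoleAssignments)
                if (ra.Member.ID != owners.ID) toRemove.Add(ra.Member);
            foreach (SPPrincipal principal in toRemove)
                library.RoleAssignments.Remove(principal);

            SPRoleAssignment assignment = new SPRoleAssignment(reviewers);
            assignment.RoleDefinitionBindings.Add(reviewerLevel);
            library.RoleAssignments.Add(assignment);
        }
    }

    // Resume inheritance: drops every unique assignment on the library, including the one above.
    public static void RestoreInheritance(string siteUrl, string libraryTitle)
    {
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            SPList library = web.Lists[libraryTitle];
            if (library.HasUniqueRoleAssignments) library.ResetRoleInheritance();
        }
    }

    private static SPRoleDefinition EnsureRoleDefinition(SPWeb web, string name, SPBasePermissions rights)
    {
        foreach (SPRoleDefinition existing in web.RoleDefinitions)
            if (existing.Name == name) return existing;
        SPRoleDefinition def = new SPRoleDefinition();
        def.Name = name;
        def.Description = "Read and approve, no edit (added example)";
        def.BasePermissions = rights;
        web.RoleDefinitions.Add(def);
        return web.RoleDefinitions[name];
    }

    private static SPGroup EnsureGroup(SPWeb web, string name, SPGroup owner)
    {
        foreach (SPGroup existing in web.SiteGroups)
            if (existing.Name == name) return existing;
        // Owners own the group so they can manage its membership; no default member.
        web.SiteGroups.Add(name, owner, null, "Added example group");
        return web.SiteGroups[name];
    }
}
```

Each library with unique permissions is one more place that must be reviewed when someone leaves or a role changes; the slide’s warning that “you are now on your own to maintain” is exactly the cost of the pruning loop above, so prefer doing this to a library rather than to individual documents.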
Anonymous access
What “Entire site” anonymous access actually grants
How to change the anonymous permission mask through a custom feature:

    // Enable anonymous access on the whole web ("Entire site" in the UI) but hand
    // anonymous users a narrower permission mask than the default.
    // Both the SPSite and the SPWeb are disposed; a new SPSite(...).OpenWeb() chain
    // inside a single using statement leaks the SPSite.
    using (SPSite site = new SPSite("http://localhost"))
    using (SPWeb rootweb = site.OpenWeb())
    {
        rootweb.AnonymousState = SPWeb.WebAnonymousState.On;
        // The enum member is ViewListItems (plural). This mask leaves out
        // SPBasePermissions.Open and ViewPages, which an anonymous browser needs to
        // render site pages; add them if anonymous page browsing is wanted.
        rootweb.AnonymousPermMask64 = SPBasePermissions.ViewListItems |
                                      SPBasePermissions.ViewFormPages;
        rootweb.Update();
    }
Demo: Authorization
Dealing with viruses, malware and inappropriate content
What’s in the box
• Antivirus
• Upload/download file scanning
• File filtering
Demo: Protection
SharePoint Antivirus
Forefront Security for SharePoint – antivirus
SharePoint – file filtering
Forefront file filtering
Forefront scan notifications
SharePoint detection alert – on upload
SharePoint detection alert & file cleanup
Forefront protection options in short
Real-Time Scan Job
• Scans files being uploaded to or downloaded from SharePoint sites
• Works with a Web browser or any application accessing SharePoint sites
Manual Scan Job
• Scans all or part of a SharePoint document library on demand
• Scans can be scheduled
• Can be used to scan with different engines
Forefront protection actions in short
Skip
• Detect only: logs the presence of a virus, but does not block or delete it
• Good for testing/evaluation purposes
Clean
• Repair document: attempts to clean the file; if that fails, the document is blocked
Delete
• Blocks the document
Forefront - filtering
File filtering
• Proactively blocks a specific range of potentially dangerous file types
Keyword filtering
• Filter lists can enable searches for words, phrases, and sentences
• Multiple languages supported
Demo: Prevention
RMS at a glance
(Diagram) Two perimeters, the firewall perimeter and the access control list perimeter, each with authorized users and unauthorized users
How SharePoint works with RMS
(Diagram) Five numbered steps between Microsoft Office SharePoint Server 2007, the AD RMS Server and the recipient; the step descriptions are not in the transcript
Enabling IRM functionality in SharePoint Central Administration
Enabling IRM functionality in a SharePoint Document Library
Prevention in short …
Protect Data In Storage
• AD RMS ensures that policies remain with the documents, spreadsheets, presentations and e-mail messages, no matter where they go or how they are stored
Protect Data In Storage
• Applies a common set of rights through the creation of Usage Policy Templates that are applied to content; no need to recreate the usage rights settings for every file
… Prevention in short
Extensible Platform
• AD RMS enables SharePoint to help safeguard sensitive information. ISVs can integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection
resources
snurl.com/techdays-dev
www.microsoft.com/learning
www.microsoft.com/msdn
www.microsoft.com/technet