Designing Secure SharePoint
External Access
Ondrej Sevecek | MCM: Directory | MVP: Security
[email protected] | www.sevecek.com
MOTIVATION
Why
• Enable internal users to access from outside
• Share portal access with business partners
How
• Forefront Threat Management Gateway
• Forefront Unified Access Gateway
Challenges
• Secure authenticated access
• Smooth document access from Office applications
• Repeated password prompts
• Endpoint compliance
• Intrusion prevention
AUTHENTICATION OVERVIEW
SharePoint Authentication
• Classic Mode Authentication
• NTLM or Kerberos
• Claims Based Authentication
• NTLM or Kerberos
• Basic
• ASP.NET Forms
• Active Directory Federation Services
SharePoint Authentication
Extending Web Applications
[Diagram: one Web Application with its Content DB on the WFE, extended to two sites: the Intranet Web Site http://intranet (LAN, Kerberos, .PDF/.DOC documents) and the Extranet Web Site https://extranet.idtt.com (Internet, Forms); Visitors have READ; accounts live in AD, queried over LDAP]
WINDOWS AUTHENTICATION
SharePoint Authentication
• External access for internal users
  • Basic
  • NTLM (no SSO)
  • Kerberos (only on intranet)
  • SSL client certificates
• Not suitable for external users
  • accounts in AD
  • possibly other access
SharePoint Authentication for Internal Users
• Basic
  • plaintext password
  • works from internet
  • no SSO
• NTLM
  • less secure, MD5
  • performance problems at 200 +/- users per WFE
  • no SSO
• Kerberos
  • secure, mutual authentication, AES, smart cards
  • faster, smoother
  • intranet only
• SSL Client Certificates
  • the most secure, mutual authentication
  • SSO from outside
Internal Users Authentication

Method           SSO   Mutual authentication   Used from internet   Security        Notes
Basic            no    no                      yes                  little
NTLM             no    no                      yes                  password hash   performance problems
Kerberos         yes   yes                     no                   password hash
SSL Certificate  yes   yes                     yes                  private key
Basic Authentication with Port Forwarding
• Simplest to deploy
• Less secure direct access to the farm
• Must use public certificates on the farm
• NTLM would require custom IE configuration and has performance problems
Basic Authentication with TMG Inspection
• Authenticates users at the gateway level
• Forms authentication (cookies)
• Basic authentication
• Inspects clear HTTP
• plus URL filters etc.
• intrusion prevention signatures
• Automatically forwards the basic credentials
• Offloads SSL encryption
• or hides the internal certificates on the farm
TMG and Forms Authentication
TMG Inspection with Kerberos Delegation
• SSO or smart cards and tokens
• No Basic authentication on the internal part
• SharePoint “developers” do not receive your full password
• Mutual authentication with client certificate
• No password guessing
UAG Inspection with Kerberos Delegation
• TMG features plus
• Predefined URL and application inspections
• User portal access
• Endpoint policies and compliance
UAG Portal and Forms Authentication
Windows Authentication Recap
• Deploy UAG with certificate logon and Kerberos Constrained Delegation, enforce endpoint compliance
• TMG can also authenticate certificates and/or use Kerberos
• Basic authentication is the simplest, but gives too much freedom to users and SharePoint “administrators”
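As an added example that is not part of the deck, the Active Directory side of the recap's "certificate logon plus Kerberos Constrained Delegation" design, with a check that the gateway was not accidentally granted unconstrained delegation. The gateway account UAG01, the application pool account sp_apppool and the two SPNs are assumed placeholders.

```powershell
# Added example, not the deck's own material. Assumed placeholders: gateway
# computer account UAG01, SharePoint application pool account sp_apppool,
# internal zone SPNs HTTP/intranet and HTTP/intranet.idtt.com.
# Run with the ActiveDirectory module as an account allowed to edit delegation.
Import-Module ActiveDirectory

$gateway = 'UAG01'
$appPool = 'sp_apppool'
$spns    = @('HTTP/intranet', 'HTTP/intranet.idtt.com')

# 1. SPNs belong on the application pool identity that decrypts the service
#    tickets, not on the WFE computer accounts; a duplicate SPN breaks Kerberos.
$current = (Get-ADUser $appPool -Properties servicePrincipalName).servicePrincipalName
foreach ($spn in $spns) {
    if ($current -notcontains $spn) {
        Set-ADUser $appPool -Add @{ servicePrincipalName = $spn }
    }
}

# 2. Constrained delegation: the gateway may request tickets only for $spns.
#    The client authenticates to the gateway with a certificate (or a form), so
#    there is no forwardable client ticket; protocol transition
#    (TrustedToAuthForDelegation, "use any authentication protocol") is required.
Set-ADComputer $gateway -Add @{ 'msDS-AllowedToDelegateTo' = $spns }
Set-ADAccountControl -Identity (Get-ADComputer $gateway) -TrustedToAuthForDelegation $true

# 3. Check: unconstrained delegation (TrustedForDelegation) must stay off, or a
#    compromised gateway could impersonate any user to any service in the domain.
function Test-GatewayDelegation {
    param([string]$ComputerName)
    $c = Get-ADComputer $ComputerName -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{
        Computer           = $ComputerName
        ConstrainedTo      = @($c.'msDS-AllowedToDelegateTo')
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation
        Unconstrained      = [bool]$c.TrustedForDelegation   # expected: False
    }
}

$state = Test-GatewayDelegation $gateway
$state | Format-List
if ($state.Unconstrained) { Write-Warning "$gateway is trusted for unconstrained delegation" }
```

The SharePoint web application's intranet zone must also be set to Negotiate (Kerberos) rather than NTLM for the delegated ticket to be accepted.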
SHAREPOINT 2010 FORMS AUTHENTICATION
SharePoint Forms Authentication
• No SSO
• Separate accounts for external users
• AD LDS, SQL DB, XML text file, ...
• You manage the account database
• create accounts
• reset passwords
AD LDS
• Active Directory Lightweight Directory Services
• Standalone LDAP/S server
• Part of Windows Server 2008 and newer
• previously free download ADAM
• Installs on Windows 7 as well
• Managed manually using ADSI Edit
AD LDS Authentication with Port Forwarding
AD LDS Authentication with UAG Inspection
AD LDS with UAG and Certificates
• Pre-authenticates users at the gateway level
• double login prompt or certificates
• Predefined set of URL and application inspections
• User portal access
• Endpoint policies and compliance
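As an added example that is not part of the deck, this SharePoint 2010 PowerShell extends the intranet web application from the "Extending Web Applications" diagram into the Extranet zone with forms authentication backed by AD LDS. Assumptions: the web application is http://intranet, the public URL is https://extranet.idtt.com, the AD LDS host adlds01.idtt.com listens for LDAPS on port 50636, and membership/role providers named LdapMember/LdapRole are already declared in the web.config of the web application, Central Administration and the SecurityTokenService.

```powershell
# Added example, not the deck's own material; host names, port and provider
# names are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$intranetUrl = 'http://intranet'
$extranetUrl = 'https://extranet.idtt.com'
$adLds       = 'adlds01.idtt.com'
$ldapsPort   = 50636

# Pre-check: the membership provider must reach AD LDS over LDAPS only, so the
# plaintext password a user types into the form is never relayed over clear
# LDAP between the WFE and the directory. The bind uses the provider's reader
# account (give its AD LDS DN as the user name when prompted).
function Test-AdLdsLdaps {
    param([string]$Server, [int]$Port, [pscredential]$Credential)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    try { $conn.Bind(); return $true }
    catch { Write-Warning $_.Exception.Message; return $false }
}

$reader = Get-Credential -Message 'AD LDS reader account (DN as user name)'
if (-not (Test-AdLdsLdaps -Server $adLds -Port $ldapsPort -Credential $reader)) {
    throw "LDAPS bind to ${adLds}:${ldapsPort} failed; fix the AD LDS certificate or port first"
}

# Forms provider: the names must match the <membership>/<roleManager> providers
# configured in web.config, SharePoint does not create them for you.
$forms = New-SPAuthenticationProvider -ASPNETMembershipProvider 'LdapMember' `
                                      -ASPNETRoleProviderName  'LdapRole'

# Extend the same content database to a second IIS site with its own
# authentication; the intranet zone keeps Kerberos for internal users.
New-SPWebApplicationExtension -Identity $intranetUrl -Name 'Extranet' `
    -Zone Extranet -Url $extranetUrl -Port 443 -SecureSocketsLayer `
    -HostHeader 'extranet.idtt.com' -AuthenticationProvider $forms
```

After the extension is created, bind the public certificate to the new IIS site on every WFE, or terminate SSL at UAG as the inspection slides describe.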
ACTIVE DIRECTORY FEDERATION SERVICES
AD FS
• HTTPS/XML authentication protocol
• Replacement for AD trusts
• Free download
• RTW – released to web
• Accounts managed by Account Partner
• Resource Partner just accepts identity claims
• Requires a level of account management on the Account Partner side
AD FS Principles
TAKEAWAY
Takeaway
• Use certificates and/or Kerberos for internal users
• Use AD LDS for external partners without AD FS
• Use AD FS for larger external partners who do want to manage their own accounts