SPTechCon Boston 2013 - Introduction to Security in Microsoft Sharepoint 2013 - Antonio Maio
1. Introduction to Security in
Microsoft SharePoint 2013
Email: Antonio.maio@titus.com
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2
Antonio Maio
Senior Product Manager, TITUS
Microsoft SharePoint Server MVP
2. Goal
Inform and Educate on Key SharePoint Security Features
We know it's critical in government and military deployments
We know it's a critical consideration in business
Security is still often an afterthought for many deployments
Requires good planning
Requires good awareness of the capabilities available
Requires knowledge of what SharePoint cannot do
3. Agenda
What Drives our Security Needs in SharePoint?
Deployment Planning & Least Privileged Accounts
Authentication
Permissions or Authorization
Governance and Awareness
Web Application Policies & Anonymous Access
Other Security Features
4. Why SharePoint?
Content repository and document
management
Extranet portals, External Portal/Site
(partner and client access)
Information Lifecycle Management (ILM)
& workflows
Records management
5. What Drives our Information Security Needs?
Information Security comes down to 2 or 3 drivers:
Protecting Your Investments
(intellectual property, digital assets, competitive advantage…)
Reducing Your Liability
(avoid compliance violations, fines/sanctions, reputation issues…)
Public Safety or Mission Success
(protect classified information, mission plans, reputation issues…)
Public Health
(health records, health insurance, insurance fraud/theft…)
6. What Drives our Information Security Needs?
How does this affect us as SharePoint people?
How We Deploy SharePoint
Control Access
Assign Roles & Establish Repeatable/Predictable Process
Regulatory Compliance Standards
Auditing & Reporting Obligations
7. Deployment Planning & Least Privileged Accounts
SharePoint is a web application built on top of SQL Server
Best practice: use specific user accounts for specific purposes, with least privileges
Benefits: Separation of Concerns
Multiple points of redundancy
Targeted auditing of account usage
Minimize the risk of compromised accounts
Review SharePoint deployment guide before you install
8. 3 Deployment Accounts (minimum)
1. SQL Server Service Account
Assign to MSSQLSERVER and SQLSERVERAGENT services when you install SQL Server
(ex: domain\SQL_service)
No special domain permissions - given required rights in SQL Server during SQL setup
2. Setup User Account
Used to install SharePoint, run Product Config Wizard, install patches/updates
Log in with this account when running setup (ex: domain\sp_setup_user)
Must be local admin on each server in SharePoint farm (except SQL Server if different box)
Before starting SharePoint setup, assign the securityadmin and dbcreator roles in SQL
3. SharePoint Farm Account
Used to run the SharePoint farm; not just for database access (ex: domain\sp_farm_user)
After Product Config Wizard is run, prompted to provide the Database Access Account –
misnamed in UI, this is really the all powerful farm account
Given ownership of Config database - also configures several SharePoint services
including the timer service to use Farm account as its identity
Should all be AD domain accounts (user accounts)
Do not use personal admin account, especially for Setup User Account
Configure central email account for all managed accounts
9. Authentication
Determine that users are who they say they are (login)
Configured on each web app
Multiple authentication methods per web app
SharePoint 2010 Options
Classic Mode Authentication (Integrated Auth, NTLM, Kerberos)
Claims Based Authentication
Forms Based Authentication available - done through Claims Based Auth.
UI configuration options only available in UI upon web app creation
To convert non-claims based web app to claims will require PowerShell
SharePoint 2013 Options
Claims Based Authentication - default
Classic Mode Configuration UI has been removed
(Only configurable through PowerShell)
10. Permissions
Allow you to secure any information object or container
Determine who gets access to what information objects and what type of access
Apply to items, folders, lists, libraries, sites, site collection…
Do not apply to individual column field values (not a securable object)
Assigning Permissions Includes
The user or group we are enabling with access
The information object in question
The permission level we are granting as part of that access
Examples
Finance AD Group has Full Control on Library
ProjectX-Contractor SP Group has Read access on site
Antonio.Maio AD user has Contribute access on Document
15. Inherited Permissions
Hierarchical permission model
Permissions are inherited from
level above
Can break inheritance and
apply unique permissions
Manual process
Permissive Model
[Diagram: permission hierarchy from SharePoint Farm to Web Application, Site Collection, Site, Library / List, and Document / Item, with example permission assignments shown at three points in the hierarchy:]

Demo Members - SharePoint Group - Edit
Demo Owners - SharePoint Group - Full Control
Demo Visitors - SharePoint Group - Read
Finance Team - Domain Group - Edit
Senior Mgmt - Domain Group - Full Control
Research Team - Domain Group - Full Control

Senior Mgmt - Domain Group - Full Control
Research Team - Domain Group - Full Control

Senior Mgmt - Domain Group - Full Control
Antonio.Maio - Domain User - Full Control
16. Permissions and Security Scopes
Every time permission inheritance is
broken a new security scope is
created
A security scope is made up of principals:
Domain users/groups
SharePoint users/groups
Claims
Be aware of “Limited Access”
Limitations
Security Scopes
(50,000 per list)
Size of Security Scope
(5,000 per scope)
Resources
Microsoft SharePoint Boundaries and Limits:
http://technet.microsoft.com/en-us/library/cc262787.aspx
17. Fine Grained Permissions
Trend: sensitive content sitting beside non-sensitive content
Leads to customers exploring fine grained permissions
Confidential
Public
Internal
Recommendation
Use metadata to identify which data
to protect
User attributes (claims) to determine
who should have access
Implement an automated solution to manage fine-grained permissions
18. Governance Challenges
Operational Management
Change Management
User training
Auditing and Monitoring
Document handling culture
Compliance
Make End-Users
Responsible & Accountable
for Sensitive Information
20. Responsibility vs Ignorance
How do you consistently enforce a culture of
security awareness?
Workers upload, send, copy, print, etc. content
Employees are typically not aware of sensitive information or how
to handle it
Consider applying standardized security labels –
headers, footers and watermarks
Compliance laws dictate need for headers/footers
and watermarks.
SharePoint's limited labeling capabilities are deprecated in SharePoint 2013!
22. Promote Accountability
Mark downloaded SharePoint documents with identifying information
[Figure: sample documents marked with a date & time stamp and the current user's name]
23. Web Application Policies
User Permissions
Permissions available within permission levels at site collection level
Permission Policies
Define groups of permissions (similar to permission levels)
Control if site collection admins have full control on any object in site col.
Only place with a “Deny” capability (default: deny write, deny all)
User Policies
Assign permission policies to users and groups for the entire web app
Ex. Deny group from deleting items within an entire web app – applicable to
public facing web app
Blocked File Types
Prevent specific files types from being added to libraries within web app
24. Anonymous Access
Turn on or off for web application – only making available for
sites
Central Admin> Manage Web Apps> Authentication Providers
Edit an Authentication Provider
Check on 'Enable Anonymous Access' for that provider
Select “Anonymous Policy” for the web app
Select zone and policy for anonymous access
25. Site Owners must explicitly enable on each site (this is a good thing)
Site Settings> Site Permissions
Anonymous Access
27. Questions?
Thank you!
29. Anonymous Access and Exposure Risk
Risk: Inadvertent exposure of internal data on a public web site
All form pages and _vti_bin web services are accessible - PUBLICLY
Modify the URL of a public facing SharePoint site:
http://www.mypublicsite.com/SitePages/Home.aspx to
http://www.mypublicsite.com/_layouts/viewlsts.aspx
View All Site Content page is now exposed, typically in SharePoint branding, with all site content visible
Desired behavior: User is presented with a login page, or an HTTP error
Accessible pages
/_layouts/adminrecyclebin.aspx /_layouts/policy.aspx /_layouts/recyclebin.aspx
/_layouts/bpcf.aspx /_layouts/policyconfig.aspx /_layouts/wrkmng.aspx
/_layouts/create.aspx /_layouts/policycts.aspx /_layouts/vsubwebs.aspx
/_layouts/listfeed.aspx /_layouts/policylist.aspx /_layouts/pagesettings.aspx
/_layouts/managefeatures.aspx /_layouts/mcontent.aspx /_layouts/settings.aspx
/_layouts/mngsiteadmin.aspx /_layouts/sitemanager.aspx /_layouts/newsbweb.aspx
/_layouts/mngsubwebs.aspx /_layouts/stor_man.aspx /_layouts/userdisp.aspx
30. Anonymous Access and Public Facing Sites
Remove View Application Pages permission & Use Remote Interfaces
permission from Limited Access permission level
Limited Access is what's used for anonymous users
Prevents anonymous users from accessing form pages
To Do This… Turn on the “Lockdown” Feature
Remove all anonymous access from the site
Open command prompt and go to the folder C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN
Check whether the feature is enabled or not (If ViewFormPagesLockDown is listed, it's enabled):
get-spfeature -site http://url
If not listed then we must enable it using:
stsadm -o activatefeature -url <site url> -filename ViewFormPagesLockDown\feature.xml
To disable it:
stsadm -o deactivatefeature -url <site url> -filename ViewFormPagesLockDown\feature.xml
Reset anonymous access on the site
Will result in users getting an Authentication Page when accessing these forms pages
Available in MOSS2007, SharePoint 2010 and SharePoint 2013
On by default for Publishing Portal Site Template – for other site templates must turn it on
manually
31. Anonymous Access and Public Facing Sites
To prevent access to _layouts pages and web services we must also modify web.config to include:
<!-- add these location elements under the configuration element -->
<location path="_layouts/error.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
<location path="_layouts/accessdenied.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
<location path="_layouts">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
<location path="_vti_bin">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
<location path="_layouts/login.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
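A way to check what these web.config rules do for an anonymous visitor before deploying them, as an added example that is not part of the original slides. It models ASP.NET URL authorization (rules from the most specific location are evaluated first, first match wins); the helper names, the constructed sample config, and the `_vti_bin/Lists.asmx` and `SitePages/Home.aspx` test paths are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

def _loc(path, verb):
    # Builds one <location> block in the same shape as the slide's fragment.
    return (f'<location path="{path}"><system.web><authorization>'
            f'<{verb} users="?" /></authorization></system.web></location>')

# Constructed sample: the five location rules from the slide, wrapped in <configuration>.
WEB_CONFIG = "<configuration>" + "".join([
    _loc("_layouts/error.aspx", "allow"),
    _loc("_layouts/accessdenied.aspx", "allow"),
    _loc("_layouts", "deny"),
    _loc("_vti_bin", "deny"),
    _loc("_layouts/login.aspx", "allow"),
]) + "</configuration>"

def load_rules(config_xml):
    """Map each location path (lower-cased) to its ordered (verb, users) rules."""
    rules = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "").strip("/").lower()
        for auth in loc.iter("authorization"):
            rules[path] = [(r.tag, r.get("users", "")) for r in auth]
    return rules

def anonymous_allowed(rules, url_path):
    """True if the anonymous user ("?") may request url_path under these rules."""
    parts = url_path.split("?")[0].strip("/").lower().split("/")
    # Walk from the file itself up through each parent folder.
    for depth in range(len(parts), 0, -1):
        for verb, users in rules.get("/".join(parts[:depth]), []):
            if any(u.strip() in ("?", "*") for u in users.split(",")):
                return verb == "allow"
    # Assumption: no location rule matched, so the site's anonymous access applies.
    return True

RULES = load_rules(WEB_CONFIG)

def audit(paths):
    """Return {path: anonymous_allowed} for a list of site-relative paths."""
    return {p: anonymous_allowed(RULES, p) for p in paths}

if __name__ == "__main__":
    for path, allowed in audit(["/_layouts/viewlsts.aspx", "/_layouts/login.aspx",
                                "/_vti_bin/Lists.asmx", "/SitePages/Home.aspx"]).items():
        print(f"{path:28} anonymous {'ALLOWED' if allowed else 'denied'}")
```

The three `allow` entries matter because the blanket `_layouts` deny would otherwise block the login, error and access-denied pages that anonymous visitors must be able to reach.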
Editor's notes
Least privileged accounts means that an account is given only the permissions it requires to perform very specific tasks and nothing more.
Minimize risk of compromised accounts.
Minimize risk of information leaks.

SQL Server Service Account - it’s possible in some cases to use a local or system account but the best practice is that this needs to be a user account in Active Directory (AD) domain, secured in accordance with your IT security policies.

Setup User Account - a domain user account; add it to the local Administrators group of each SharePoint server in the farm. It should not have any special rights or privileges on the SQL Server system as long as SQL Server is separate from the SharePoint servers. If SQL Server is on a dedicated system or VM, the Setup User Account should not have any administrative access on that system. When running SharePoint setup and configuration as the setup user account, this process will use your credentials to create databases and to create SQL logins for SharePoint accounts. So before starting to set up SharePoint, assign the setup user account the securityadmin and dbcreator server roles in SQL Server. Those are the privileges that are leveraged during SharePoint setup and configuration.

SP Farm Account – this is the service account that is all-powerful within SharePoint. When you specify this account in the Configuration Wizard, the wizard uses the credentials you’re logged on as (the setup user account) to give the Farm account ownership of the Config database. It also configures several SharePoint services, including the timer service, to use Farm account as their identity. The Farm account is also used as the identity for the Central Administration website.

Do not use personal admin account.
The setup user account becomes the “owner” of the SharePoint farm – Farm admin becomes dbowner of the SharePoint Config database. There are many places where the account and its email address get integrated into the farm. Use a dedicated account for setup user so that the farm isn’t owned by your account that has privileges on other systems. That way, when your role within the organization changes your user account won’t be left owning the SharePoint farm.

Configure central email account for all managed service accounts – not your email address.
The setup user account (and other service accounts) should have email addresses that reflect that they are part of the SharePoint infrastructure, not “you.” For example, assign all accounts the address “sharepointservice@company.com” as the email address in Active Directory. That way, all notifications related to SharePoint go to a single email inbox, which is not yours, that can be monitored by a SharePoint team (and not only you).

Each web application can have different methods of authentication enabled… and multiple.
SharePoint 2013 – Forms Based Auth is still available, through Claims.

Permissions relate to a process called “Authorization”.
Authorization is different from Authentication.
Authorization is the process of determining what content a user is permitted to access and which actions they are permitted to perform.
That kiss is a bit TOO passionate for a brother and sister…. If they only knew!In Iceland there is an App – hugely popular – that lets you know if the person you are asking on a date is related to you! Information = better decisions.
Workers want to work from home and collaborate. But they could be far too free with what they are sending and how they are sending it.
What do you have that can add watermarks easily and consistently to all documents? Manually applying them is not the answer. SharePoint used to be able to do this on Word documents, but not in 2013.