#SPSBE

End to End SharePoint Security
#SPSBE19

Michael Noel
@MichaelTNoel
MICHAEL NOEL
•    Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007
     Unleashed,” “SharePoint 2003 Unleashed”, “Teach Yourself SharePoint 2003 in 10 Minutes,”
     “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed”, “ISA Server
     2006 Unleashed”, and many other titles.
•    Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco Bay
     Area based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security
SHAREPOINT SECURITY
LAYERS OF SECURITY IN A SHAREPOINT ENVIRONMENT
•   1: Infrastructure Security
     •   Physical Security
     •   Best Practice Service Account Setup
     •   Kerberos Authentication

•   2: Data Security
     •   Role Based Access Control (RBAC)
     •   Transparent Data Encryption (TDE) of SQL Databases
     •   Antivirus

•   3: Transport Security
     •   Secure Sockets Layer (SSL) from Client to Server
     •   IPSec from Server to Server

•   4: Edge Security
     •   Inbound Internet Security (Forefront UAG/TMG)

•   5: Rights Management
INFRASTRUCTURE SECURITY (Layer 1)
LAYER 1: INFRASTRUCTURE SECURITY
        SAMPLE LIST OF SERVICE ACCOUNTS
Service Account Name / Role of Service Account / Special Permissions

COMPANYABC\SRV-SP-Setup
   Role: SharePoint Installation Account
   Special Permissions: Local Admin on all SP Servers (for installs)

COMPANYABC\SRV-SP-SQL
   Role: SQL Service Account(s) – Should be separate admin accounts from SP accounts.
   Special Permissions: Local Admin on Database Server(s) (Generally, some exceptions apply)

COMPANYABC\SRV-SP-Farm
   Role: SharePoint Farm Account(s) – Can also be standard admin accounts. RBAC principles apply ideally.
   Special Permissions: N/A

COMPANYABC\SRV-SP-Search
   Role: Search Account
   Special Permissions: N/A

COMPANYABC\SRV-SP-Content
   Role: Default Content Access Account
   Special Permissions: Read rights to any external data sources to be crawled

COMPANYABC\SRV-SP-Prof
   Role: Default Profiles Access Account
   Special Permissions: Member of Domain Users (to be able to read attributes from users in the domain) and 'Replicate Directory Changes' rights in AD – Temporary Farm Admin and Local Admin (for provisioning of the UPA).

COMPANYABC\SRV-SP-AP-SPCA
   Role: Application Pool Identity account for SharePoint Central Admin.
   Special Permissions: DBCreator and Security Admin on SQL. Create and Modify contacts rights in the OU used for mail.

COMPANYABC\SRV-SP-AP-Data
   Role: Application Pool Identity account for the Content related App Pool (Portal, MySites, etc.). Additional accounts as needed for security.
   Special Permissions: N/A
LAYER 1: INFRASTRUCTURE SECURITY
 ENABLE KERBEROS
• When creating any Web Applications in Classic-mode, USE KERBEROS.
  It is much more secure and also faster under heavy load, as the SP server
  doesn't have to keep sending auth requests to AD.
• Kerberos auth does require extra steps, which makes people shy away
  from it, but once configured, it improves security considerably and can
  improve performance on high-load sites.
• Should also be configured on the SPCA site! (Best Practice = Configure
  SPCA for NLB, SSL, and Kerberos, i.e. https://spca.companyabc.com)
LAYER 1: INFRASTRUCTURE SECURITY
 KERBEROS STEP 1: CREATE THE SERVICE PRINCIPAL NAMES
• Use the setspn utility to create Service Principal Names in AD, with
  syntax such as the following:
    Setspn.exe -A HTTP/mysite.companyabc.com DOMAINNAME\MYSiteAppAccount
    Setspn.exe -A HTTP/mysite DOMAINNAME\MYSiteAppAccount
    Setspn.exe -A HTTP/home.companyabc.com DOMAINNAME\HOMEAppAccount
    Setspn.exe -A HTTP/sp DOMAINNAME\HOMEAppAccount
LAYER 1: INFRASTRUCTURE SECURITY
  KERBEROS STEP 2: ENABLE KERBEROS BETWEEN SP AND SQL
• Use setspn to create SPNs for the SQL Service Account
• SPNs need to match the name that SharePoint uses to connect to
  SQL (ideally a SQL Alias, more on this later)
• Syntax similar to the following:
    Setspn.exe -A MSSQLSvc/spsql:1433 COMPANYABC\SRV-SQL-DB
    Setspn.exe -A MSSQLSvc/spsql.companyabc.com:1433 COMPANYABC\SRV-SQL-DB
• MSSQLSvc with port 1433 = Default instance; for a named instance, specify the
  instance name instead of the port
• In this example, SRV-SQL-DB is the SQL Admin account and
  spsql.companyabc.com is the alias used to connect to the SQL server
  (Listener/Client Access Point if using AlwaysOn Availability Groups with SQL
  2012)
LAYER 1: INFRASTRUCTURE SECURITY
   KERBEROS STEP 3: ALLOW ACCOUNTS TO DELEGATE (OPTIONAL)

• Required only for Excel Services and other impersonation applications.
• On all SP Computer accounts and on the Application Identity accounts,
  check the box in ADUC to allow for delegation.
   • In ADUC, navigate to the computer or user account, right-click and
     choose Properties.
   • Go to the Delegation tab
   • Choose Trust this user/computer for delegation to any service (Kerberos)
LAYER 1: INFRASTRUCTURE SECURITY
   KERBEROS STEP 4: ENABLE KERBEROS ON WEB APPLICATION

• Go to Application Management – Authentication Providers
• Choose the appropriate Web Application
• Click on the link for 'Default' under Zone
• Change to Integrated Windows Authentication - Kerberos (Negotiate)
• Run iisreset /noforce from the command prompt
• If creating the Web App from scratch, this step may be unnecessary if
  you choose Negotiate from the beginning
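An added example (not from the deck) that audits what Kerberos steps 1 to 4 above configure: it checks in AD that each SPN is registered on exactly the expected account, reports the delegation mode of the accounts from step 3, and reads the Kerberos setting of each web application's Default zone. It assumes the ActiveDirectory module and, for the last check, the SharePoint snap-in; the account names mirror the deck's examples and SP-WFE01 is a placeholder server name.

```powershell
# Added example, not from the original deck. Assumptions: the ActiveDirectory
# module (RSAT) is installed, the caller can read AD, and the SharePoint
# snap-in is present for Get-WebAppKerberosSetting. Account names mirror the
# deck's sample farm; SP-WFE01 is a placeholder SharePoint server name.
Import-Module ActiveDirectory

# Expected SPN -> service account, taken from the deck's setspn examples.
$ExpectedSpns = @{
    'HTTP/mysite.companyabc.com'         = 'MYSiteAppAccount'
    'HTTP/mysite'                        = 'MYSiteAppAccount'
    'HTTP/home.companyabc.com'           = 'HOMEAppAccount'
    'HTTP/sp'                            = 'HOMEAppAccount'
    'MSSQLSvc/spsql:1433'                = 'SRV-SQL-DB'
    'MSSQLSvc/spsql.companyabc.com:1433' = 'SRV-SQL-DB'
}

function Test-FarmSpn {
    # One row per expected SPN: OK, MISSING, WRONG-ACCOUNT or DUPLICATE.
    # An SPN must map to exactly one account; with a duplicate the KDC cannot
    # resolve the SPN to a single account, Kerberos fails for that service
    # and clients quietly drop back to NTLM.
    param([hashtable]$Expected)
    foreach ($spn in $Expected.Keys) {
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
                     Select-Object -ExpandProperty sAMAccountName)
        $status = switch ($holders.Count) {
            0       { 'MISSING' }
            1       { if ($holders[0] -ieq $Expected[$spn]) { 'OK' } else { 'WRONG-ACCOUNT' } }
            default { 'DUPLICATE' }
        }
        [pscustomobject]@{
            SPN      = $spn
            Expected = $Expected[$spn]
            Holders  = ($holders -join ', ')
            Status   = $status
        }
    }
}

function Get-DelegationSetting {
    # Reports how each account from step 3 may delegate. The deck's "any
    # service" checkbox is unconstrained delegation; a populated
    # msDS-AllowedToDelegateTo list means constrained delegation, which
    # limits the account to the named services.
    param([string[]]$Accounts)
    $props = 'TrustedForDelegation', 'msDS-AllowedToDelegateTo'
    foreach ($name in $Accounts) {
        $obj = if ($name.EndsWith('$')) {
            Get-ADComputer -Identity $name.TrimEnd('$') -Properties $props
        } else {
            Get-ADUser -Identity $name -Properties $props
        }
        $targets = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $mode = if ($targets.Count -gt 0)        { 'Constrained' }
                elseif ($obj.TrustedForDelegation) { 'Unconstrained' }
                else                               { 'None' }
        [pscustomobject]@{
            Account        = $name
            DelegationMode = $mode
            AllowedTargets = ($targets -join ', ')
        }
    }
}

function Get-WebAppKerberosSetting {
    # Step 4 check, run on a farm server: a classic-mode web application
    # still on NTLM shows DisableKerberos = True on its Default zone.
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        [pscustomobject]@{
            WebApplication = $wa.DisplayName
            Url            = $wa.Url
            Kerberos       = -not $wa.IisSettings[$zone].DisableKerberos
        }
    }
}

Test-FarmSpn -Expected $ExpectedSpns | Format-Table -AutoSize
Get-DelegationSetting -Accounts 'MYSiteAppAccount', 'HOMEAppAccount', 'SP-WFE01$' | Format-Table -AutoSize
Get-WebAppKerberosSetting | Format-Table -AutoSize
```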
DATA SECURITY (Layer 2)
LAYER 2: DATA SECURITY
ROLE BASED ACCESS CONTROL (RBAC)

• Role Groups defined within Active Directory (Universal Groups),
  i.e. 'Marketing,' 'Sales,' 'IT,' etc.
• Role Groups added directly into SharePoint 'Access Groups'
  such as 'Contributors,' 'Authors,' etc.
• Simply by adding a user account into the associated Role Group,
  they gain access to whatever rights their role requires.

[Diagram: User1 and User2 are members of a Role Group, which is granted a
SharePoint Group or direct rights to SP]
LAYER 2: DATA SECURITY
 SQL TRANSPARENT DATA ENCRYPTION (TDE)

• SQL Server 2008, 2008 R2, 2012 Enterprise Edition feature
• Encrypts SQL Databases transparently; SharePoint is unaware of the
  encryption and does not need a key
• Encrypts the backups of the database as well
LAYER 2: DATA SECURITY
 TDE VS. CELL LEVEL ENCRYPTION

• Available with either SQL 2005, SQL 2008, or SQL 2012
• Encrypts individual cells in a database
• Requires a password to access the cell
• Requires that columns be changed from their original data type to
  varbinary
• Advantage is that only specific info is encrypted
• Disadvantage is that you cannot use this for SharePoint Databases
LAYER 2: DATA SECURITY
 TDE VS. FILE LEVEL ENCRYPTION

• Two forms, the older Encrypting File System (EFS) and Bitlocker
• EFS encrypts data at the File Level
• Bitlocker encrypts data at the Volume Level
• Bitlocker encrypts every file on the disk, not just database files
• Could be used together with TDE
LAYER 2: DATA SECURITY
 SQL TRANSPARENT DATA ENCRYPTION (TDE) LIMITATIONS

• Does not encrypt the Communication Channel (IPSec can be added)
• Does not protect data in memory (DBAs could access)
• Cannot take advantage of SQL 2008 Backup Compression
• TempDB is encrypted for the entire instance, even if only one DB is
  enabled for TDE, which can have a performance effect on other DBs
• Replication or FILESTREAM data is not encrypted when TDE is
  enabled (i.e. RBS BLOBs are not encrypted)
Key and OS Level Hierarchy
• Windows (OS) level: Data Protection API (DPAPI), which encrypts the SMK
• SQL Instance level: Service Master Key (SMK), which encrypts the DMK for the master DB
• master DB level: Database Master Key (DMK), which creates the Certificate in the master DB
• master DB level: Certificate, which encrypts the DEK in the Content DB
• Content DB level: Database Encryption Key (DEK), used to encrypt the Content DB
LAYER 2: DATA SECURITY
    SQL TDE STEP 1: CREATING THE DATABASE MASTER KEY (DMK)

•    Symmetric key used to protect private keys and asymmetric keys
•    Itself protected by the Service Master Key (SMK), which is created by SQL Server setup
•    Use syntax as follows:

      USE master;
      GO
      CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC';
      GO
LAYER 2: DATA SECURITY
 SQL TDE STEP 2: CREATING THE TDE CERTIFICATE
• Protected by the DMK
• Used to protect the database encryption key
• Use syntax as follows:
    USE master;
    GO
    CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate';
    GO
LAYER 2: DATA SECURITY
 SQL TDE STEP 3: BACKUP THE MASTER KEY
• Without a backup, data can be lost
• The backup creates two files, the Cert backup and the Private Key file
• Use the following syntax:
    USE master;
    GO
    BACKUP CERTIFICATE CompanyABCtdeCert TO FILE = 'c:\Backup\CompanyABCtdeCERT.cer'
    WITH PRIVATE KEY (
        FILE = 'c:\Backup\CompanyABCtdeDECert.pvk',
        ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' );
    GO
LAYER 2: DATA SECURITY
    SQL TDE STEP 4: CREATING THE DATABASE ENCRYPTION KEY (DEK)

•    DEK is used to encrypt specific database
•    One created for each database
•    Encryption method can be chosen for each DEK
•    Use following syntax:

      USE SharePointContentDB;
      GO
      CREATE DATABASE ENCRYPTION KEY
      WITH ALGORITHM = AES_256
      ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert;
      GO
LAYER 2: DATA SECURITY
 SQL TDE STEP 5: ENABLE TDE ON THE DATABASE(S)

• Data encryption will begin after running command
• Size of DB will determine time it will take, can be lengthy and could
  cause user blocking
• Use following syntax:
    USE SharePointContentDB
    GO
    ALTER DATABASE SharePointContentDB
    SET ENCRYPTION ON
    GO
LAYER 2: DATA SECURITY
    SQL TDE STEP 6: MONITOR THE TDE ENCRYPTION PROGRESS
•   The encryption_state is returned for each database
•   State of 2 = Encryption Begun
•   State of 3 = Encryption Complete
•   Use the following syntax:
     USE SharePointContentDB;
     GO
     SELECT *
     FROM sys.dm_database_encryption_keys
     WHERE encryption_state = 3;
     GO
LAYER 2: DATA SECURITY
    SQL TDE: RESTORING A TDE DATABASE TO ANOTHER SERVER
•   Step 1: Create new Master Key on Target Server (Does not need to match source master key)
•   Step 2: Backup Cert and Private Key from Source
•   Step 3: Restore Cert and Private Key onto Target (No need to export the DEK as it is part of
    the backup)
     USE master;
     GO
     CREATE CERTIFICATE CompanyABCtdeCert
     FROM FILE = 'C:\Restore\CompanyABCtdeCert.cer'
     WITH PRIVATE KEY (
         FILE = 'C:\Restore\CompanyABCtdeCert.pvk',
         DECRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' );
     GO
•   Step 4: Restore DB
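An added example (not from the deck) covering TDE steps 1 to 6 and the restore procedure above: it reports each database's encryption_state and progress, flags a certificate whose private key has never been backed up (the data-loss risk from step 3), and checks that a target server already holds the certificate before a restore is attempted. It assumes Invoke-Sqlcmd from the SqlServer module, 'spsql' as the SQL alias from the deck, and 'spsql-dr' as a placeholder target instance.

```powershell
# Added example, not from the original deck. Assumptions: Invoke-Sqlcmd
# (SqlServer or SQLPS module) is available, the caller has VIEW SERVER STATE
# and can read master.sys.certificates, 'spsql' is the deck's SQL alias and
# 'spsql-dr' is a placeholder name for the restore target instance.
Import-Module SqlServer

# Meaning of sys.dm_database_encryption_keys.encryption_state.
$EncryptionStateName = @{
    0 = 'No DEK present'
    1 = 'Unencrypted'
    2 = 'Encryption in progress'
    3 = 'Encrypted'
    4 = 'Key change in progress'
    5 = 'Decryption in progress'
    6 = 'Protection change in progress'
}

# One row per database that has a DEK, joined to the master certificate that
# protects it. pvt_key_last_backup_date stays NULL until BACKUP CERTIFICATE
# ... WITH PRIVATE KEY (the deck's step 3) has been run.
$TdeStatusQuery = @'
SELECT  d.name                                                   AS DatabaseName,
        d.is_encrypted                                           AS IsEncrypted,
        k.encryption_state                                       AS EncryptionState,
        k.percent_complete                                       AS PercentComplete,
        k.key_algorithm + '_' + CAST(k.key_length AS varchar(8)) AS Algorithm,
        CONVERT(varchar(128), k.encryptor_thumbprint, 1)         AS EncryptorThumbprint,
        c.name                                                   AS CertificateName,
        c.pvt_key_last_backup_date                               AS CertLastBackup
FROM    sys.databases d
JOIN    sys.dm_database_encryption_keys k ON k.database_id = d.database_id
LEFT JOIN sys.certificates c ON c.thumbprint = k.encryptor_thumbprint;
'@

function Get-TdeStatus {
    # Runs in master so sys.certificates is the instance-level store.
    param([string]$ServerInstance)
    $rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $TdeStatusQuery
    foreach ($r in $rows) {
        $state    = [int]$r.EncryptionState
        $findings = New-Object System.Collections.Generic.List[string]
        if ($state -eq 2) {
            $findings.Add("encryption $($r.PercentComplete)% complete; large DBs can block users meanwhile")
        }
        if ($r.DatabaseName -eq 'tempdb') {
            $findings.Add('tempdb is encrypted for the whole instance once any user DB uses TDE')
        } elseif ($r.CertificateName -is [System.DBNull]) {
            $findings.Add('no certificate with this thumbprint in master')
        } elseif ($r.CertLastBackup -is [System.DBNull]) {
            $findings.Add('certificate private key never backed up; DB cannot be restored elsewhere')
        }
        [pscustomobject]@{
            Database    = $r.DatabaseName
            State       = $EncryptionStateName[$state]
            Algorithm   = $r.Algorithm
            Certificate = $r.CertificateName
            Thumbprint  = $r.EncryptorThumbprint
            Findings    = ($findings -join '; ')
        }
    }
}

function Test-TdeCertificateOnTarget {
    # Before restore step 4, confirm the target already holds the certificate
    # (imported WITH PRIVATE KEY in restore step 3); without it the DEK cannot
    # be decrypted and RESTORE DATABASE fails.
    param([string]$TargetInstance, [string]$Thumbprint)   # e.g. '0x3F1A...'
    if ($Thumbprint -notmatch '^0x[0-9A-Fa-f]{2,}$') {
        # Validated because the value is interpolated into the query text.
        throw "Thumbprint must be a hex literal such as 0x3F1A..., got '$Thumbprint'"
    }
    $q = "SELECT name, pvt_key_encryption_type_desc FROM sys.certificates WHERE thumbprint = $Thumbprint;"
    $cert = Invoke-Sqlcmd -ServerInstance $TargetInstance -Database master -Query $q
    if (-not $cert) { return $false }
    # A certificate imported without its private key cannot unwrap the DEK.
    return ($cert.pvt_key_encryption_type_desc -ne 'NO_PRIVATE_KEY')
}

$source = Get-TdeStatus -ServerInstance 'spsql'
$source | Format-Table -AutoSize
$contentDb = $source | Where-Object Database -eq 'SharePointContentDB'
Test-TdeCertificateOnTarget -TargetInstance 'spsql-dr' -Thumbprint $contentDb.Thumbprint
```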
LAYER 2: DATA SECURITY
SHAREPOINT ANTIVIRUS
LAYER 2: DATA SECURITY
  SHAREPOINT ANTIVIRUS VSAPI

• Realtime scanning only uses the VSAPI
• Realtime Scan Settings are administered through the SharePoint
  Central Admin tool
   • Realtime options are grayed out in the Forefront Admin Console
LAYER 2: DATA SECURITY
 SHAREPOINT ANTIVIRUS: FPS KEYWORD AND FILE FILTERING

• Look for specific keywords (sensitive company info, profanity, etc.)
    • Block
    • Simply detect and notify
• Create Filter List
    • Add keywords, either manually or in bulk as lines in a text file
LAYER 2: DATA SECURITY
  SHAREPOINT ANTIVIRUS: FPS PROFANITY FILTERS
• New Profanity lists in 11 languages available in SP2
    • (Run KeywordInstaller.msi to install)
    • Import the lists into FF from
      Program Files\Microsoft Forefront Security\SharePoint\Data\Example Keywords
TRANSPORT SECURITY (Layer 3)
LAYER 3: TRANSPORT SECURITY
 CLIENT TO SERVER: USING SECURE SOCKETS LAYER (SSL) ENCRYPTION

• External or Internal Certs highly recommended
• Protects transport of content
• 20% overhead on Web Servers
• Can be offloaded via SSL offloaders if needed
• Don't forget SPCA as well!
LAYER 3: TRANSPORT SECURITY
 SERVER TO SERVER: USING IPSEC TO ENCRYPT TRAFFIC


• By default, traffic between SharePoint Servers (i.e. Web and SQL) is
  unencrypted
• IPSec encrypts all packets sent between servers in a farm
• For very high security scenarios when all possible data breaches must
  be addressed
EDGE SECURITY (Layer 4)
LAYER 4: EDGE SECURITY
FOREFRONT UNIFIED ACCESS GATEWAY (UAG) 2010
LAYER 4: EDGE SECURITY
     UAG COMPARISON WITH FOREFRONT TMG

Capability                                                                     TMG 2010   UAG 2010
Publish Web applications using HTTPS                                              X          X
Publish internal mobile applications to roaming mobile devices                    X          X
Layer 3 firewall                                                                  X          X
Outbound scenarios support                                                        X          X
Array support                                                                     X          X
Globalization and administration console localization                             X          X
Wizards and predefined settings to publish SharePoint sites and Exchange          X          X
Rich authentication (for example, one-time password, forms-based, smart card)     X          X
Application protection (Web application firewall)                               Basic       Full
Active Directory Federation Services (ADFS) support                               -          X
Information leakage prevention                                                    -          X
Granular access policy                                                            -          X
Unified Portal                                                                    -          X
(X = available, - = not available)
RIGHTS MANAGEMENT (Layer 5)
LAYER 5: RIGHTS MANAGEMENT
 ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES (AD RMS)

• AD RMS is a form of Digital Rights Management (DRM)
  technology, used in various forms to protect content
• Used to restrict activities on files AFTER they have been
  accessed:
   • Cut/Paste
   • Print
   • Save As…
• Directly integrates with SharePoint DocLibs
LAYER 5: RIGHTS MANAGEMENT
     HOW AD RMS WORKS
1.    On first use, authors receive a client licensor certificate from the
      RMS server
2.    Author creates content and assigns rights
3.    File is distributed to recipient(s)
4.    Recipient opens file, and their RMS client contacts the server for
      user validation and to obtain a license
5.    Application opens the file and enforces the restrictions
LAYER 5: RIGHTS MANAGEMENT
    INSTALLING AD RMS – KEY STORAGE

•   Select Cluster Key Storage
•   CSP used for advanced scenarios
LAYER 5: RIGHTS MANAGEMENT
INSTALLING AD RMS – CREATING THE CLUSTER NAME
LAYER 5: RIGHTS MANAGEMENT
INSTALLING AD RMS – USING AN SSL CERT FOR TRANSPORT ENCRYPTION
LAYER 5: RIGHTS MANAGEMENT
    ALLOWING SHAREPOINT TO USE AD RMS
•   By default, the RMS server is configured to only allow the local system
    account of the RMS server or the Web Application Identity accounts to
    access the certificate pipeline directly
•   SharePoint web servers and/or Web Application Service Accounts need to
    be added to this security list
•   Add the RMS Service Group, the machine account(s) of the SharePoint
    Server and the Web App Identity accounts with Read and Execute
    permissions to the ServerCertification.asmx file in the
    %systemroot%\inetpub\wwwroot\_wmcs\Certification folder on the RMS server
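An added example (not from the deck) for the ServerCertification.asmx permissions above: it grants Read and Execute to the listed principals and then lists every identity holding access to the file, so unexpected entries on the certification pipeline stand out. It assumes it runs elevated on the AD RMS server, that 'AD RMS Service Group' is the local group the AD RMS role creates, and uses COMPANYABC\SP-WFE01$ as a placeholder SharePoint machine account.

```powershell
# Added example, not from the original deck. Assumptions: run elevated on the
# AD RMS server; 'AD RMS Service Group' is the local group the AD RMS role
# creates; SP-WFE01$ is a placeholder SharePoint machine account and
# SRV-SP-AP-Data is the web application pool identity from the deck.
$PipelineFile = Join-Path $env:SystemRoot 'inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$Principals   = @(
    "$env:COMPUTERNAME\AD RMS Service Group",
    'COMPANYABC\SP-WFE01$',        # SharePoint server machine account
    'COMPANYABC\SRV-SP-AP-Data'    # content web application pool identity
)

function Grant-RmsPipelineAccess {
    # Adds Read & Execute for each identity; nothing here needs write access.
    param([string]$File, [string[]]$Identities)
    $acl = Get-Acl -Path $File
    foreach ($id in $Identities) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'ReadAndExecute', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $File -AclObject $acl
}

function Get-RmsPipelineAccess {
    # Every identity with an Allow ACE on the file, explicit or inherited,
    # so the list can be compared against the principals that should be there.
    param([string]$File)
    (Get-Acl -Path $File).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } },
                      FileSystemRights, IsInherited
}

Grant-RmsPipelineAccess -File $PipelineFile -Identities $Principals
Get-RmsPipelineAccess -File $PipelineFile | Format-Table -AutoSize
```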
LAYER 5: RIGHTS MANAGEMENT
 CLIENT ACCESSING AD RMS DOCUMENTS

• Effective permissions can be viewed from the document
• The RMS client will enforce the restrictions
SESSION SUMMARY
• Determine Security Risk for your SharePoint
  Environment
• Identify any Regulatory Compliance Requirements for
  SharePoint
• Determine which aspects of SharePoint need to be
  secured, touching on all five layers of SharePoint
  Security
Michael Noel
     Twitter: @MichaelTNoel
          www.cco.com
Slides: slideshare.net/michaeltnoel
Travel blog: sharingtheglobe.com
A big thanks to our sponsors (Platinum Sponsors, Gold Premium Sponsors, Gold Sponsors and Venue Sponsor)

We need your feedback! Scan the QR code or visit http://svy.mk/sps2012be
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 

Michael noel end-toendsecurity-spsbe19

  • 1. #SPSBE End to End SharePoint Security #SPSBE19 Michael Noel @MichaelTNoel
  • 2. MICHAEL NOEL
     •   Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007 Unleashed,” “SharePoint 2003 Unleashed”, “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed”, “ISA Server 2006 Unleashed”, and many other titles.
     •   Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco Bay Area based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security
  • 3. SHAREPOINT SECURITY – LAYERS OF SECURITY IN A SHAREPOINT ENVIRONMENT
     •   1: Infrastructure Security
          •   Physical Security
          •   Best Practice Service Account Setup
          •   Kerberos Authentication
     •   2: Data Security
          •   Role Based Access Control (RBAC)
          •   Transparent Data Encryption (TDE) of SQL Databases
          •   Antivirus
     •   3: Transport Security
          •   Secure Sockets Layer (SSL) from Client to Server
          •   IPSec from Server to Server
     •   4: Edge Security
          •   Inbound Internet Security (Forefront UAG/TMG)
     •   5: Rights Management
  • 4. INFRASTRUCTURE SECURITY Layer
  • 5. LAYER 1: INFRASTRUCTURE SECURITY – SAMPLE LIST OF SERVICE ACCOUNTS
     Service Account Name          Role of Service Account                                              Special Permissions
     COMPANYABC\SRV-SP-Setup       SharePoint Installation Account                                      Local Admin on all SP Servers (for installs)
     COMPANYABC\SRV-SP-SQL         SQL Service Account(s) – Should be separate admin accounts from      Local Admin on Database Server(s) (Generally, some exceptions apply)
                                   SP accounts.
     COMPANYABC\SRV-SP-Farm        SharePoint Farm Account(s) – Can also be standard admin accounts.    N/A
                                   RBAC principles apply ideally.
     COMPANYABC\SRV-SP-Search      Search Account                                                       N/A
     COMPANYABC\SRV-SP-Content     Default Content Access Account                                       Read rights to any external data sources to be crawled
     COMPANYABC\SRV-SP-Prof        Default Profiles Access Account                                      Member of Domain Users (to be able to read attributes from users in
                                                                                                        the domain) and 'Replicate Directory Changes' rights in AD – Temporary
                                                                                                        Farm Admin and Local Admin (for provisioning of UPA).
     COMPANYABC\SRV-SP-AP-SPCA     Application Pool Identity account for SharePoint Central Admin.      DBCreator and Security Admin on SQL. Create and Modify contacts rights
                                                                                                        in OU used for mail.
     COMPANYABC\SRV-SP-AP-Data     Application Pool Identity account for the Content related App Pool   N/A
                                   (Portal, MySites, etc.) Additional as needed for security.
  • 6. LAYER 1: INFRASTRUCTURE SECURITY – ENABLE KERBEROS
     •   When creating any Web Applications in Classic-mode, USE KERBEROS. It is much more secure and also faster under heavy load, as the SP server doesn't have to keep sending auth requests to AD.
     •   Kerberos auth does require extra steps, which makes people shy away from it, but once configured it improves security considerably and can improve performance on high-load sites.
     •   Should also be configured on the SPCA site! (Best Practice = Configure SPCA for NLB, SSL, and Kerberos, i.e. https://spca.companyabc.com)
  • 7. LAYER 1: INFRASTRUCTURE SECURITY – KERBEROS STEP 1: CREATE THE SERVICE PRINCIPAL NAMES
     •   Use the setspn utility to create Service Principal Names in AD, with syntax like the following:
     •   Setspn.exe -A HTTP/mysite.companyabc.com DOMAINNAME\MYSiteAppAccount
     •   Setspn.exe -A HTTP/mysite DOMAINNAME\MYSiteAppAccount
     •   Setspn.exe -A HTTP/home.companyabc.com DOMAINNAME\HOMEAppAccount
     •   Setspn.exe -A HTTP/sp DOMAINNAME\HOMEAppAccount
  • 8. LAYER 1: INFRASTRUCTURE SECURITY – KERBEROS STEP 2: ENABLE KERBEROS BETWEEN SP AND SQL
     •   Use setspn to create SPNs for the SQL Service Account
     •   SPNs need to match the name that SharePoint uses to connect to SQL (ideally a SQL Alias, more on this later)
     •   Syntax similar to the following:
     •   Setspn.exe -A MSSQLSvc/spsql:1433 COMPANYABC\SRV-SQL-DB
     •   Setspn.exe -A MSSQLSvc/spsql.companyabc.com:1433 COMPANYABC\SRV-SQL-DB
     •   MSSQLSvc = Default instance; if using a named instance, specify the instance name instead
     •   In this example, SRV-SQL-DB is the SQL Admin account and spsql.companyabc.com is the alias used to connect to the SQL server (Listener/Client Access Point if using AlwaysOn Availability Groups with SQL 2012)
  • 9. LAYER 1: INFRASTRUCTURE SECURITY – KERBEROS STEP 3: ALLOW ACCOUNTS TO DELEGATE (OPTIONAL)
     •   Required only for Excel Services and other impersonation applications.
     •   On all SP Computer accounts and on the Application Identity accounts, check the box in ADUC to allow for delegation.
     •   In ADUC, navigate to the computer or user account, right-click and choose Properties.
     •   Go to the Delegation tab
     •   Choose Trust this user/computer for delegation to any service (Kerberos)
  • 10. LAYER 1: INFRASTRUCTURE SECURITY – KERBEROS STEP 4: ENABLE KERBEROS ON WEB APPLICATION
     •   Go to Application Management – Authentication Providers
     •   Choose the appropriate Web Application
     •   Click on the link for 'Default' under Zone
     •   Change to Integrated Windows Authentication - Kerberos (Negotiate)
     •   Run iisreset /noforce from the command prompt
     •   If creating the Web App from scratch, this step may be unnecessary if you choose Negotiate from the beginning
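The four Kerberos steps above as one script, added here as an example and not taken from the deck or from Microsoft's documentation. It uses the deck's COMPANYABC sample names (SQL alias spsql, SQL service account SRV-SQL-DB, app pool identities SRV-SP-AP-Data and SRV-SP-AP-SPCA from slide 5) and assumes web front ends named SP-WFE01 and SP-WFE02 and a content web application at https://home.companyabc.com. Two things it adds to the slides: it uses setspn -S rather than -A, which refuses to register an SPN that already exists on another account (a duplicate SPN silently breaks Kerberos for every host involved), and it reads back the zone setting after the change.

```powershell
# Added example (not from the deck): Kerberos steps 1-4 for the COMPANYABC sample farm.
# Assumed names: web front ends SP-WFE01/SP-WFE02, web app https://home.companyabc.com.
# Run on a SharePoint server as a farm administrator who can also write SPNs in AD.

Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Steps 1 and 2: SPN -> owning account. HTTP SPNs belong on the app pool identity of
# the web app answering on that host name; MSSQLSvc SPNs belong on the SQL service
# account and use the alias SharePoint connects with, not the physical SQL host.
$spnMap = @{
    'HTTP/home.companyabc.com'           = 'COMPANYABC\SRV-SP-AP-Data'
    'HTTP/sp'                            = 'COMPANYABC\SRV-SP-AP-Data'
    'HTTP/spca.companyabc.com'           = 'COMPANYABC\SRV-SP-AP-SPCA'
    'MSSQLSvc/spsql.companyabc.com:1433' = 'COMPANYABC\SRV-SQL-DB'
    'MSSQLSvc/spsql:1433'                = 'COMPANYABC\SRV-SQL-DB'
}

function Register-Spn {
    param([string]$Spn, [string]$Account)
    # -Q reports "Existing SPN found!" when the SPN is already registered anywhere in the forest.
    $query = & setspn.exe -Q $Spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Host "Already registered, skipping: $Spn"
        return
    }
    # -S checks for duplicates before adding; the deck's -A does not.
    $out = & setspn.exe -S $Spn $Account 2>&1
    if ($LASTEXITCODE -ne 0 -or ($out -match 'Duplicate SPN found')) {
        throw "setspn failed for $Spn on $Account`n$out"
    }
    Write-Host "Registered $Spn on $Account"
}

foreach ($spn in $spnMap.Keys) { Register-Spn -Spn $spn -Account $spnMap[$spn] }

# Step 3 (only needed for Excel Services and other impersonating services):
# trust the web server computer accounts and the app pool identities for delegation.
Get-ADComputer -Filter 'Name -like "SP-WFE*"' |
    Set-ADAccountControl -TrustedForDelegation $true
'SRV-SP-AP-Data', 'SRV-SP-AP-SPCA' | ForEach-Object {
    Set-ADAccountControl -Identity $_ -TrustedForDelegation $true
}

# Step 4: switch the Default zone of the classic-mode web app (and Central Admin)
# to Negotiate (Kerberos), then recycle IIS as the slide says.
$webApps = @(
    (Get-SPWebApplication -Identity 'https://home.companyabc.com'),
    (Get-SPWebApplication -Identity 'https://spca.companyabc.com' -IncludeCentralAdministration)
)
foreach ($wa in $webApps) {
    Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationMethod Kerberos
}
iisreset /noforce

# Verify: DisableKerberos must read False on the Default zone, and the SQL service
# account should list only the MSSQLSvc SPNs we expect (no stray HTTP entries).
foreach ($wa in $webApps) {
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    '{0}: DisableKerberos = {1}' -f $wa.Url, $wa.IisSettings[$zone].DisableKerberos
}
setspn.exe -L SRV-SQL-DB
```

If the final DisableKerberos line still reads True for a web application, the zone is still on NTLM and the change did not apply; if setspn -L shows the same MSSQLSvc name on a second account, remove the duplicate before testing, because the KDC will not issue a ticket for an ambiguous SPN.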
  • 11. DATA SECURITY Layer
  • 12. LAYER 2: DATA SECURITY – ROLE BASED ACCESS CONTROL (RBAC)
     •   Role Groups defined within Active Directory (Universal Groups) – i.e. 'Marketing,' 'Sales,' 'IT,' etc.
     •   Role Groups added directly into SharePoint 'Access Groups' such as 'Contributors,' 'Authors,' etc.
     •   Simply by adding a user account into the associated Role Group, they gain access to whatever rights their role requires.
     (Diagram: User1 and User2 are members of an AD Role Group; the Role Group is placed in a SharePoint Group, or given direct rights to SP)
  • 13. LAYER 2: DATA SECURITY – SQL TRANSPARENT DATA ENCRYPTION (TDE)
     •   SQL Server 2008, 2008 R2, 2012 Enterprise Edition Feature
     •   Encrypts SQL Databases transparently; SharePoint is unaware of the encryption and does not need a key
     •   Encrypts the backups of the database as well
  • 14. LAYER 2: DATA SECURITY – TDE VS. CELL LEVEL ENCRYPTION
     •   Available with SQL 2005, SQL 2008, or SQL 2012
     •   Encrypts individual cells in a database
     •   Requires a password to access the cell
     •   Requires that columns be changed from their original data type to varbinary
     •   Advantage is that only specific info is encrypted
     •   Disadvantage is that you cannot use this for SharePoint Databases
  • 15. LAYER 2: DATA SECURITY – TDE VS. FILE LEVEL ENCRYPTION
     •   Two forms: the older Encrypting File System (EFS) and BitLocker
     •   EFS encrypts data at the File Level
     •   BitLocker encrypts data at the Volume Level
     •   BitLocker encrypts every file on the disk, not just database files
     •   Could be used together with TDE
  • 16. LAYER 2: DATA SECURITY – SQL TRANSPARENT DATA ENCRYPTION (TDE) LIMITATIONS
     •   Does not encrypt the Communication Channel (IPSec can be added)
     •   Does not protect data in memory (DBAs could access)
     •   Cannot take advantage of SQL 2008 Backup Compression
     •   TempDB is encrypted for the entire instance, even if only one DB is enabled for TDE, which can have a performance effect on other DBs
     •   Replication or FILESTREAM data is not encrypted when TDE is enabled (i.e. RBS BLOBs are not encrypted)
  • 17. KEY AND OS LEVEL HIERARCHY
     •   Windows (OS level): Data Protection API (DPAPI) – DPAPI encrypts the SMK
     •   SQL Instance Level: Service Master Key (SMK) – the SMK encrypts the DMK for the master DB
     •   master DB Level: Database Master Key (DMK) – the DMK creates the Certificate in the master DB
     •   master DB Level: Certificate – the Certificate encrypts the DEK in the Content DB
     •   Content DB Level: Database Encryption Key (DEK) – the DEK is used to encrypt the Content DB
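The role model on this slide, as an added example that is not part of the deck: AD universal groups named after the deck's sample roles are created, placed into the SharePoint groups named on the slide, and the site is then audited for individual accounts granted directly (which is what the model is meant to prevent). Assumed names: the OU "OU=SharePoint Roles,DC=companyabc,DC=com", the site https://home.companyabc.com, a sample user jdoe, and SharePoint groups 'Contributors' and 'Authors' that already exist in the site.

```powershell
# Added example (not from the deck): AD role groups -> SharePoint groups, plus an audit
# for users who were granted rights directly instead of through a role group.
# Assumed: OU for role groups, site URL, SharePoint groups already present in the site.

Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$domain  = 'COMPANYABC'
$siteUrl = 'https://home.companyabc.com'
$roleOu  = 'OU=SharePoint Roles,DC=companyabc,DC=com'

# Role (AD universal security group) -> SharePoint group that carries the rights.
$roleMap = @{
    'Marketing' = 'Contributors'
    'Sales'     = 'Contributors'
    'IT'        = 'Authors'
}

foreach ($role in $roleMap.Keys) {
    # Universal scope so the role can be granted from any domain in the forest.
    if (-not (Get-ADGroup -Filter "Name -eq '$role'" -SearchBase $roleOu)) {
        New-ADGroup -Name $role -GroupScope Universal -GroupCategory Security -Path $roleOu
    }
    # The AD group, not its members, becomes the principal in the SharePoint group.
    New-SPUser -UserAlias "$domain\$role" -Web $siteUrl -Group $roleMap[$role] | Out-Null
}

# Granting a person access is now an AD membership change only; SharePoint is untouched.
Add-ADGroupMember -Identity 'Marketing' -Members 'jdoe'

# Audit: an individual account placed in a SharePoint group bypasses the role model.
# Return those so they can be moved into the right AD role group instead.
function Get-DirectUserGrant([string]$Url) {
    Get-SPUser -Web $Url |
        Where-Object { -not $_.IsDomainGroup -and $_.Groups.Count -gt 0 } |
        Select-Object LoginName,
            @{ Name = 'Groups'; Expression = { ($_.Groups | ForEach-Object { $_.Name }) -join ', ' } }
}

Get-DirectUserGrant -Url $siteUrl | Format-Table -AutoSize
```

Run the audit function on a schedule against each site collection; a growing list is the usual sign that site owners are adding people directly from the Share dialog rather than asking for an AD group change.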
  • 18. LAYER 2: DATA SECURITY – SQL TDE STEP 1: CREATING THE DATABASE MASTER KEY (DMK)
     •   Symmetric key used to protect private keys and asymmetric keys
     •   Itself protected by the Service Master Key (SMK), which is created by SQL Server setup
     •   Use syntax as follows:
         USE master;
         GO
         CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC';
         GO
  • 19. LAYER 2: DATA SECURITY – SQL TDE STEP 2: CREATING THE TDE CERTIFICATE
     •   Protected by the DMK
     •   Used to protect the database encryption key
     •   Use syntax as follows:
         USE master;
         GO
         CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate';
         GO
  • 20. LAYER 2: DATA SECURITY – SQL TDE STEP 3: BACKUP THE MASTER KEY
     •   Without a backup, data can be lost
     •   Backup creates two files, the Cert backup and the Private Key file
     •   Use the following syntax:
         USE master;
         GO
         BACKUP CERTIFICATE CompanyABCtdeCert
             TO FILE = 'c:\Backup\CompanyABCtdeCERT.cer'
             WITH PRIVATE KEY ( FILE = 'c:\Backup\CompanyABCtdeDECert.pvk',
                                ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' );
         GO
  • 21. LAYER 2: DATA SECURITY – SQL TDE STEP 4: CREATING THE DATABASE ENCRYPTION KEY (DEK)
     •   The DEK is used to encrypt a specific database
     •   One is created for each database
     •   The encryption algorithm can be chosen for each DEK
     •   Use the following syntax:
         USE SharePointContentDB;
         GO
         CREATE DATABASE ENCRYPTION KEY
             WITH ALGORITHM = AES_256
             ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert;
         GO
  • 22. LAYER 2: DATA SECURITY – SQL TDE STEP 5: ENABLE TDE ON THE DATABASE(S)
     •   Data encryption will begin after running the command
     •   The size of the DB determines how long it takes; it can be lengthy and could cause user blocking
     •   Use the following syntax:
         USE SharePointContentDB;
         GO
         ALTER DATABASE SharePointContentDB SET ENCRYPTION ON;
         GO
  • 23. LAYER 2: DATA SECURITY – SQL TDE STEP 6: MONITOR THE TDE ENCRYPTION PROGRESS
     •   An encryption state is returned for each database
     •   State of 2 = Encryption Begun
     •   State of 3 = Encryption Complete
     •   Use the following syntax (this form returns only the databases whose encryption is complete):
         USE SharePointContentDB;
         GO
         SELECT * FROM sys.dm_database_encryption_keys WHERE encryption_state = 3;
         GO
  • 24. LAYER 2: DATA SECURITY – SQL TDE: RESTORING A TDE DATABASE TO ANOTHER SERVER
     •   Step 1: Create a new Master Key on the Target Server (does not need to match the source master key)
     •   Step 2: Backup the Cert and Private Key from the Source
     •   Step 3: Restore the Cert and Private Key onto the Target (no need to export the DEK, as it is part of the backup)
         USE master;
         GO
         CREATE CERTIFICATE CompanyABCtdeCert
             FROM FILE = 'C:\Restore\CompanyABCtdeCert.cer'
             WITH PRIVATE KEY ( FILE = 'C:\Restore\CompanyABCtdeCert.pvk',
                                DECRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' );
     •   Step 4: Restore the DB
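TDE steps 1 through 6 run in order from PowerShell, as an added example that is not part of the deck. It keeps the deck's names (SQL alias spsql.companyabc.com, certificate CompanyABCtdeCert, database SharePointContentDB, backup folder C:\Backup on the SQL server) and adds what a practitioner wants before doing this to a production content database: existence checks so the script can be re-run, a certificate backup taken before any database is encrypted, time-stamped backup file names because BACKUP CERTIFICATE refuses to overwrite an existing file, a polling loop on encryption_state, and a final look at tempdb, which the limitations slide notes is encrypted for the whole instance. Passwords are prompted for rather than written into the script; the Invoke-Sqlcmd cmdlet comes from the SQLPS module (SQL 2012) or the SqlServerCmdletSnapin100 snap-in (SQL 2008).

```powershell
# Added example (not from the deck): TDE steps 1-6 via Invoke-Sqlcmd with checks and polling.
# Assumed: SQL alias, certificate name, content DB and backup folder as named in the deck.
# Run as a SQL sysadmin; the backup folder must exist on the SQL server itself.

Import-Module SQLPS -DisableNameChecking   # SQL 2008: Add-PSSnapin SqlServerCmdletSnapin100

$instance  = 'spsql.companyabc.com'
$certName  = 'CompanyABCtdeCert'
$backupDir = 'C:\Backup'
$databases = @('SharePointContentDB')

function Invoke-Tsql([string]$Query, [string]$Database = 'master') {
    Invoke-Sqlcmd -ServerInstance $instance -Database $Database -Query $Query -QueryTimeout 600
}
function Read-SqlPassword([string]$Prompt) {
    # Double any single quote so the value is safe inside a T-SQL string literal.
    (Read-Host -Prompt $Prompt).Replace("'", "''")
}

# Step 1: DMK in master, protected by the SMK. Create only if absent.
$hasDmk = (Invoke-Tsql "SELECT COUNT(*) AS n FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##'").n
if ($hasDmk -eq 0) {
    $pw = Read-SqlPassword 'Password for the master database master key'
    Invoke-Tsql "CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$pw';"
}

# Step 2: server certificate in master, protected by the DMK.
$hasCert = (Invoke-Tsql "SELECT COUNT(*) AS n FROM sys.certificates WHERE name = '$certName'").n
if ($hasCert -eq 0) {
    Invoke-Tsql "CREATE CERTIFICATE $certName WITH SUBJECT = 'CompanyABC TDE Certificate';"
}

# Step 3: back up certificate and private key BEFORE any database is encrypted.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$pkPw  = Read-SqlPassword 'Password to protect the exported private key'
Invoke-Tsql @"
BACKUP CERTIFICATE $certName
    TO FILE = '$backupDir\$certName-$stamp.cer'
    WITH PRIVATE KEY (FILE = '$backupDir\$certName-$stamp.pvk',
                      ENCRYPTION BY PASSWORD = '$pkPw');
"@

foreach ($db in $databases) {
    # Step 4: one DEK per database, AES-256, wrapped by the server certificate.
    $hasDek = (Invoke-Tsql "SELECT COUNT(*) AS n FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID('$db')").n
    if ($hasDek -eq 0) {
        Invoke-Tsql -Database $db "CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE $certName;"
    }

    # Step 5: turn encryption on; the background encryption scan starts immediately.
    Invoke-Tsql "ALTER DATABASE [$db] SET ENCRYPTION ON;"

    # Step 6: poll until encryption_state reaches 3 (encrypted); 2 means in progress.
    do {
        $row = Invoke-Tsql "SELECT encryption_state, percent_complete FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID('$db')"
        Write-Host ('{0}: state {1}, {2:N1}% complete' -f $db, $row.encryption_state, $row.percent_complete)
        if ($row.encryption_state -ne 3) { Start-Sleep -Seconds 30 }
    } while ($row.encryption_state -ne 3)
}

# tempdb shows up here too: it is encrypted for the whole instance once any DB is.
Invoke-Tsql "SELECT DB_NAME(database_id) AS db, encryption_state FROM sys.dm_database_encryption_keys" |
    Format-Table -AutoSize
```

Copy the two backup files and the private key password to a location that is backed up independently of the SQL server; the restore slide that follows depends on exactly those three items being available on the target server.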
  • 25. LAYER 2: DATA SECURITY SHAREPOINT ANTIVIRUS
  • 26.
  • 27. LAYER 2: DATA SECURITY – SHAREPOINT ANTIVIRUS VSAPI
     •   Realtime scanning only uses the VSAPI
     •   Realtime Scan Settings are administered through the SharePoint Central Admin tool
     •   Realtime options are grayed out in the Forefront Admin Console
  • 28. LAYER 2: DATA SECURITY – SHAREPOINT ANTIVIRUS: FPS KEYWORD AND FILE FILTERING
     •   Look for specific keywords (sensitive company info, profanity, etc.)
     •   Block, or simply detect and notify
     •   Create a Filter List
     •   Add keywords, either manually or in bulk as lines in a text file
  • 29. LAYER 2: DATA SECURITY – SHAREPOINT ANTIVIRUS: FPS PROFANITY FILTERS
     •   New profanity lists in 11 languages available in SP2 (run KeywordInstaller.msi to install)
     •   Import the lists into FF from Program Files\Microsoft Forefront Security\SharePoint\Data\Example Keywords
  • 30.
  • 32. LAYER 3: TRANSPORT SECURITY – CLIENT TO SERVER: USING SECURE SOCKETS LAYER (SSL) ENCRYPTION
     •   External or internal certs highly recommended
     •   Protects transport of content
     •   20% overhead on Web Servers
     •   Can be offloaded via SSL offloaders if needed
     •   Don't forget SPCA as well!
  • 33. LAYER 3: TRANSPORT SECURITY – SERVER TO SERVER: USING IPSEC TO ENCRYPT TRAFFIC
     •   By default, traffic between SharePoint Servers (i.e. Web and SQL) is unencrypted
     •   IPSec encrypts all packets sent between servers in a farm
     •   For very high security scenarios where all possible data breaches must be addressed
  • 34. EDGE SECURITY Layer
  • 35. LAYER 4: EDGE SECURITY FOREFRONT UNIFIED ACCESS GATEWAY (UAG) 2010
  • 36. LAYER 4: EDGE SECURITY – UAG COMPARISON WITH FOREFRONT TMG
     Capability                                                                       TMG 2010   UAG 2010
     Publish Web applications using HTTPS                                             X          X
     Publish internal mobile applications to roaming mobile devices                   X          X
     Layer 3 firewall                                                                 X          X
     Outbound scenarios support                                                       X          X
     Array support                                                                    X          X
     Globalization and administration console localization                           X          X
     Wizards and predefined settings to publish SharePoint sites and Exchange         X          X
     Rich authentication (for example, one-time password, forms-based, smart card)    X          X
     Application protection (Web application firewall)                                Basic      Full
     Active Directory Federation Services (ADFS) support                                         X
     Information leakage prevention                                                              X
     Granular access policy                                                                      X
     Unified Portal                                                                              X
  • 38. LAYER 5: RIGHTS MANAGEMENT – ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES (AD RMS)
     •   AD RMS is a form of Digital Rights Management (DRM) technology, used in various forms to protect content
     •   Used to restrict activities on files AFTER they have been accessed:
          •   Cut/Paste
          •   Print
          •   Save As…
     •   Directly integrates with SharePoint DocLibs
  • 39. LAYER 5: RIGHTS MANAGEMENT – HOW AD RMS WORKS
     1. On first use, authors receive a client licensor certificate from the RMS server
     2. Author creates content and assigns rights
     3. File is distributed to recipient(s)
     4. Recipient opens the file, and their RMS client contacts the server for user validation and to obtain a license
     5. Application opens the file and enforces the restrictions
  • 40. LAYER 5: RIGHTS MANAGEMENT – INSTALLING AD RMS – KEY STORAGE
     •   Select Cluster Key Storage
     •   CSP used for advanced scenarios
  • 41. LAYER 5: RIGHTS MANAGEMENT INSTALLING AD RMS – CREATING THE CLUSTER NAME
  • 42. LAYER 5: RIGHTS MANAGEMENT INSTALLING AD RMS – USING AN SSL CERT FOR TRANSPORT ENCRYPTION
  • 43. LAYER 5: RIGHTS MANAGEMENT – ALLOWING SHAREPOINT TO USE AD RMS
     •   By default, the RMS server is configured to only allow the local system account of the RMS server or the Web Application Identity accounts to access the certificate pipeline directly
     •   SharePoint web servers and/or Web Application Service Accounts need to be added to this security list
     •   Add the RMS Service Group, the machine account(s) of the SharePoint Server and the Web App Identity accounts with Read and Execute permissions to the ServerCertification.asmx file in the %systemroot%\inetpub\wwwroot\_wmcs\Certification folder on the RMS server
  • 44. LAYER 5: RIGHTS MANAGEMENT – CLIENT ACCESSING AD RMS DOCUMENTS
     •   Effective permissions can be viewed from the document
     •   The RMS client will enforce the restrictions
  • 45. SESSION SUMMARY
     •   Determine the Security Risk for your SharePoint Environment
     •   Identify any Regulatory Compliance Requirements for SharePoint
     •   Determine which aspects of SharePoint need to be secured, touching on all five layers of SharePoint Security
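The permission change on this slide done from PowerShell on the AD RMS server, as an added example that is not part of the deck. It grants Read and Execute on ServerCertification.asmx at the path the slide gives, resolving each name to a SID first so that a mistyped account fails immediately instead of leaving an orphaned entry, and then reads the ACL back. Assumed names: the local group "AD RMS Service Group" that AD RMS setup creates, SharePoint web servers SP-WFE01 and SP-WFE02 (machine accounts end in $), and the content web application identity SRV-SP-AP-Data from slide 5.

```powershell
# Added example (not from the deck): grant Read & Execute on ServerCertification.asmx
# to the RMS service group, the SharePoint machine accounts and the web app identities.
# Assumed principal names; run on the AD RMS server as a local administrator.

$asmx = Join-Path $env:SystemRoot 'inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
if (-not (Test-Path $asmx)) { throw "ServerCertification.asmx not found at $asmx" }

$principals = @(
    "$env:COMPUTERNAME\AD RMS Service Group",   # local group created by AD RMS setup
    'COMPANYABC\SP-WFE01$',                     # SharePoint web server machine accounts
    'COMPANYABC\SP-WFE02$',
    'COMPANYABC\SRV-SP-AP-Data'                 # web application pool identity
)
$rights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Grant-ReadExecute([string]$Path, [string[]]$Identities) {
    $acl = Get-Acl -Path $Path
    foreach ($id in $Identities) {
        # Translate to a SID up front: a name that does not resolve throws here.
        $sid  = (New-Object System.Security.Principal.NTAccount($id)).Translate([System.Security.Principal.SecurityIdentifier])
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $rights, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

Grant-ReadExecute -Path $asmx -Identities $principals

# Verify: each principal must show an Allow entry that includes ReadAndExecute.
(Get-Acl -Path $asmx).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $rights) -eq $rights) } |
    Select-Object IdentityReference, FileSystemRights |
    Format-Table -AutoSize
```

Keep the list to exactly the accounts the slide names: the file is the entry point to the RMS certification pipeline, so every extra principal granted here is another account that can obtain rights account certificates on behalf of users.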
  • 46. Michael Noel Twitter: @MichaelTNoel www.cco.com Slides: slideshare.net/michaeltnoel Travel blog: sharingtheglobe.com
  • 47. A big thanks to our sponsors Platinum Sponsors Gold Premium Sponsors Venue Sponsor Gold Sponsors
  • 48. We need your feedback! Scan this QR code or visit http://svy.mk/sps2012be Our sponsors: