Best Practices for Security in Microsoft SharePoint 2013

28,759 views

Published in: Technology

  1. Best Practices for Security in Microsoft SharePoint 2013
     Antonio Maio, Senior Product Manager, TITUS; Microsoft SharePoint Server MVP
     Email: Antonio.maio@titus.com
     Blog: www.trustsharepoint.com
     Twitter: @AntonioMaio2
  2. Introduction (www.sharepointsummit.org)
     Goal: inform and educate on key SharePoint security features
     • We know it's critical in government and military deployments
     • We know it's a critical consideration in business
     • Security is still often an afterthought for many deployments
     • Requires good planning
     • Requires good awareness of the capabilities available
     • Requires knowledge of what SharePoint cannot do
  3. Introduction: Topics
     • What Drives our Security Needs in SharePoint?
     • Deployment Planning & Accounts
     • Authentication
     • Permissions
     • Web Application Policies & Anonymous Access
     • Security Considerations for Public Facing Web Sites
     • Other Security Features
  4. What Drives our Information Security Needs?
     Information security comes down to 2 or 3 drivers:
     • Protecting your investments (intellectual property, digital assets, competitive advantage…)
     • Reducing your liability (avoid compliance violations, fines/sanctions, reputation issues…)
     • Public safety or mission success (protect classified information, mission plans, reputation issues…)
  5. What Drives our Information Security Needs?
     How does this affect us as SharePoint people?
     • How we deploy SharePoint
     • Control access
     • Assign roles & establish a repeatable/predictable process
     • Regulatory compliance standards
     • Auditing & reporting obligations
  6. Deployment Planning / Managed Accounts
     SharePoint is a web application built on top of SQL Server
     Best practice: have specific managed accounts for specific purposes, each with least privileges
     Benefits:
     • Separation of concerns
     • Separation of data
     • Multiple points of redundancy
     • Targeted auditing of account usage
     Review the SharePoint deployment guide before you install
  7. Examples of Managed Accounts
     1. SQL Server Service Account
        • Assign to the MSSQLSERVER and SQLSERVERAGENT services when you install SQL Server (ex: domain\SQL_service)
        • No special domain permissions; it is given the required rights on the SQL Server during setup
     2. Setup User Account
        • Used to install SharePoint, run the Product Config Wizard and install patches/updates; log in with this account when running setup (ex: domain\sp_setup_user)
        • Must be a local admin on each server in the SharePoint farm (except the SQL Server, if it is a different box)
     3. SharePoint Farm Account
        • Used to run the SharePoint farm; not just for database access (ex: domain\sp_farm_user)
        • After the Product Config Wizard is run, you are prompted to provide the "Database Access Account"; misnamed in the UI, this is really the farm service account
     • All should be AD domain accounts
     • Do not use a personal admin account, especially for the Farm Account
     • Configure a central email account for all managed accounts
  8. Authentication
     Determine that users are who they say they are (login)
     • Configured on each web app
     • Multiple authentication methods per web app
     SharePoint 2010 options:
     • Classic Mode Authentication (Integrated Auth, NTLM, Kerberos)
     • Claims Based Authentication
     • Forms Based Authentication is available; it is done through Claims Based Authentication
     • UI configuration is only available upon web app creation
     • Converting a non-claims-based web app to claims requires PowerShell
     SharePoint 2013 options:
     • Claims Based Authentication (default)
     • The Classic Mode configuration UI has been removed (only configurable through PowerShell)
  9. Permissions
     Allow you to secure any information object or container
     • Determine who gets access to what information objects, and what type of access
     • Apply to items, folders, lists, libraries, sites, site collections…
     • Do not apply to individual column field values (not a securable object)
     Assigning permissions includes:
     • The user or group we are enabling with access
     • The information object in question
     • The permission level we are granting as part of that access
     Examples:
     • Finance AD group has Full Control on a library
     • ProjectX-Contractor SP group has Read access on a site
     • Antonio.Maio AD user has Contribute access on a document
  10. Users Interacting with Permissions (slides 10–13; these slides carry only this title)
  14. Inherited Permissions
     • Hierarchical permission model
     • Permissions are inherited from the level above
     • Can break inheritance and apply unique permissions
     • Manual process
     • Permissive model
     Hierarchy shown in the diagram: SharePoint Farm > Web Application > Site Collection > Site > Library / List > Document / Item
     Permission assignments shown in the diagram (one block per object):
       Demo Members    SharePoint Group   Edit
       Demo Owners     SharePoint Group   Full Control
       Demo Visitors   SharePoint Group   Read
       Finance Team    Domain Group       Edit
       Senior Mgmt     Domain Group       Full Control
       Research Team   Domain Group       Full Control
       Senior Mgmt     Domain Group       Full Control
       Research Team   Domain Group       Full Control
       Senior Mgmt     Domain Group       Full Control
       Antonio.Maio    Domain User        Full Control
  15. Permissions and Security Scopes
     • Every time permission inheritance is broken, a new security scope is created
     • A security scope is made up of principals: domain users/groups, SharePoint users/groups, claims
     • Be aware of "Limited Access"
     Limitations:
     • Security scopes: 50,000 per list
     • Size of a security scope: 5,000 per scope
     Resources: Microsoft SharePoint Boundaries and Limits: http://technet.microsoft.com/en-us/library/cc262787.aspx
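As an added illustration of slides 14 and 15 (example code written for this page, not material from the talk or from Microsoft), here is a small Python model of the inherit-by-default hierarchy: breaking inheritance creates a new security scope by copying the inherited assignments and editing them, the principals granted there receive Limited Access on every ancestor scope where they had nothing, effective permissions are resolved at the nearest scope, and scope counts and scope sizes are compared with the limits quoted above. The site, library, document, group names and permission levels are constructed sample data loosely modelled on the slide 14 diagram.

```python
"""Toy model of SharePoint's hierarchical, inherit-by-default permission model.

Added example for this page (not the talk's or Microsoft's code). Securable
objects form a tree; each either inherits from its parent or carries its own
role assignments, i.e. is a security scope. Sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# SharePoint's default permission levels, least to most privileged.
LEVEL_RANK = {lvl: i for i, lvl in enumerate(
    ["Limited Access", "Read", "Contribute", "Edit", "Design", "Full Control"])}

# Boundaries quoted on slide 15.
SCOPES_PER_LIST_LIMIT = 50_000
PRINCIPALS_PER_SCOPE_LIMIT = 5_000


@dataclass
class Securable:
    """A site, list, folder or item. `assignments` is None while it inherits."""
    name: str
    kind: str
    parent: Optional["Securable"] = None
    assignments: Optional[Dict[str, str]] = None   # principal -> permission level
    children: List["Securable"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def scope(self) -> "Securable":
        """Nearest ancestor-or-self with unique permissions: the scope that governs this object.
        The root of the tree must carry its own assignments."""
        node = self
        while node.assignments is None:
            node = node.parent
        return node

    def break_inheritance(self, grant: Dict[str, str], revoke: Iterable[str] = ()) -> None:
        """Create a new scope: copy the inherited assignments, then edit them.
        Principals granted here get 'Limited Access' on every ancestor scope
        where they had no entry, so they can traverse down to this object."""
        self.assignments = dict(self.scope().assignments)
        for who in revoke:
            self.assignments.pop(who, None)
        self.assignments.update(grant)
        node = self.parent
        while node is not None:
            ancestor_scope = node.scope()
            for who in grant:
                ancestor_scope.assignments.setdefault(who, "Limited Access")
            node = ancestor_scope.parent


def effective_level(obj: Securable, principals: Set[str]) -> Optional[str]:
    """Highest level that any of the user's principals (user, domain groups,
    SharePoint groups, claims) holds at the governing scope; None if no access."""
    held = [lvl for who, lvl in obj.scope().assignments.items() if who in principals]
    return max(held, key=LEVEL_RANK.__getitem__) if held else None


def scopes_in_list(list_obj: Securable) -> List[Securable]:
    """The scope governing the list plus every descendant that broke inheritance."""
    found = [list_obj.scope()]
    stack = list(list_obj.children)
    while stack:
        node = stack.pop()
        if node.assignments is not None:
            found.append(node)
        stack.extend(node.children)
    return found


def check_limits(list_obj: Securable, scope_limit: int = SCOPES_PER_LIST_LIMIT,
                 principal_limit: int = PRINCIPALS_PER_SCOPE_LIMIT) -> List[str]:
    """Findings where a list exceeds the quoted scope-count or scope-size boundaries."""
    findings = []
    scopes = scopes_in_list(list_obj)
    if len(scopes) > scope_limit:
        findings.append(f"{list_obj.name}: {len(scopes)} security scopes exceed limit {scope_limit}")
    for s in scopes:
        if len(s.assignments) > principal_limit:
            findings.append(f"{s.name}: {len(s.assignments)} principals in scope exceed limit {principal_limit}")
    return findings


def build_demo():
    """Constructed hierarchy: a site, a library with unique permissions, an
    inheriting folder and a document with unique permissions."""
    site = Securable("Demo", "site", assignments={
        "Demo Members": "Edit", "Demo Owners": "Full Control", "Demo Visitors": "Read"})
    library = Securable("Finance", "list", parent=site)
    library.break_inheritance({"Finance Team": "Edit", "Senior Mgmt": "Full Control"},
                              revoke={"Demo Members", "Demo Visitors"})
    folder = Securable("Q3", "folder", parent=library)        # still inherits from the library
    doc = Securable("Budget.xlsx", "item", parent=library)
    doc.break_inheritance({"Research Team": "Full Control"})
    return site, library, folder, doc
```

Running `build_demo()` shows the side effect the slide warns about: granting Research Team access on a single document leaves a Limited Access entry for that group on both the library and the site scopes, and the library now contains two security scopes.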
  16. Fine Grained Permissions
     Trend: sensitive content sitting beside non-sensitive content (Confidential / Internal / Public) leads customers to explore fine grained permissions
     Recommendation:
     • Use metadata to identify which data to protect
     • Use user attributes (claims) to determine who should have access
     • Implement an automated solution to manage fine-grained permissions
  17. Web Application Policies
     User Permissions
     • Permissions available within permission levels at the site collection level
     Permission Policies
     • Define groups of permissions (similar to permission levels)
     • Control whether site collection admins have full control on any object in the site collection
     • The only place with a "Deny" capability (default: Deny Write, Deny All)
     User Policies
     • Assign permission policies to users and groups for the entire web app
     • Ex: deny a group from deleting items within an entire web app; applicable to a public facing web app
     Blocked File Types
     • Prevent specific file types from being added to libraries within the web app
  18. Anonymous Access
     Turn on or off for the web application; this only makes it available for sites
     • Central Admin > Manage Web Apps > Authentication Providers
     • Edit an Authentication Provider
     • Check "Enable Anonymous Access" for that provider
     • Select "Anonymous Policy" for the web app
     • Select the zone and policy for anonymous access
  19. Anonymous Access
     • Site Owners must explicitly enable it on each site (this is a good thing)
     • Site Settings > Site Permissions
  20. Anonymous Access and Exposure Risk
     Risk: inadvertent exposure of internal data on a public web site
     • All form pages and _vti_bin web services are accessible, PUBLICLY
     • Modify the URL of a public facing SharePoint site from http://www.mypublicsite.com/SitePages/Home.aspx to http://www.mypublicsite.com/_layouts/viewlsts.aspx
     • The View All Site Content page is now exposed, typically in SharePoint branding, with all site content visible
     • Desired behavior: the user is presented with a login page, or an HTTP error
     Accessible pages:
       /_layouts/adminrecyclebin.aspx   /_layouts/policy.aspx         /_layouts/recyclebin.aspx
       /_layouts/bpcf.aspx              /_layouts/policyconfig.aspx   /_layouts/wrkmng.aspx
       /_layouts/create.aspx            /_layouts/policycts.aspx      /_layouts/vsubwebs.aspx
       /_layouts/listfeed.aspx          /_layouts/policylist.aspx     /_layouts/pagesettings.aspx
       /_layouts/managefeatures.aspx    /_layouts/mcontent.aspx       /_layouts/settings.aspx
       /_layouts/mngsiteadmin.aspx      /_layouts/sitemanager.aspx    /_layouts/newsbweb.aspx
       /_layouts/mngsubwebs.aspx        /_layouts/stor_man.aspx       /_layouts/userdisp.aspx
  21. Anonymous Access and Public Facing Sites
     Remove the "View Application Pages" permission and the "Use Remote Interfaces" permission from the Limited Access permission level
     • Limited Access is what's used for anonymous users
     • Prevents anonymous users from accessing form pages
     To do this, turn on the "Lockdown" feature:
     • Remove all anonymous access from the site
     • Open a command prompt and go to the folder C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN
     • Check whether the feature is enabled (if ViewFormPagesLockDown is listed, it's enabled):
         get-spfeature -site http://url
     • If it is not listed, enable it using:
         stsadm -o activatefeature -url http://url -filename ViewFormPagesLockDown\feature.xml
     • To disable it:
         stsadm -o deactivatefeature -url http://url -filename ViewFormPagesLockDown\feature.xml
     • Reset anonymous access on the site
     Users will then get an authentication page when accessing these form pages
     Available in MOSS 2007, SharePoint 2010 and SharePoint 2013
     On by default for the Publishing Portal site template; for other site templates it must be turned on manually
  22. Anonymous Access and Public Facing Sites
     To prevent access to _layouts pages and web services we must also modify web.config to include the following <location> elements (children of <configuration>):

       <location path="_layouts/error.aspx">
         <system.web><authorization><allow users="?" /></authorization></system.web>
       </location>
       <location path="_layouts/accessdenied.aspx">
         <system.web><authorization><allow users="?" /></authorization></system.web>
       </location>
       <location path="_layouts">
         <system.web><authorization><deny users="?" /></authorization></system.web>
       </location>
       <location path="_vti_bin">
         <system.web><authorization><deny users="?" /></authorization></system.web>
       </location>
       <location path="_layouts/login.aspx">
         <system.web><authorization><allow users="?" /></authorization></system.web>
       </location>
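An added offline check for the web.config change above (example written for this page, not part of the talk or of Microsoft's guidance): it parses a web.config fragment, resolves whether the anonymous user ("?") may reach a given request path under ASP.NET's rule that the rules of the most specific matching <location> are consulted first, and audits that _layouts and _vti_bin deny anonymous access while the error, access-denied and login pages stay reachable (otherwise the redirect target itself would be denied). The two fragments are constructed: one matches the slide, the other has the _vti_bin block left out. The path /_vti_bin/lists.asmx is used only as a representative web-service endpoint; /_layouts/viewlsts.aspx is the page the previous slide names.

```python
"""Offline audit of the web.config anonymous lockdown shown on the slide.

Added example for this page (not from the talk or Microsoft). It models
ASP.NET <location> authorization for the anonymous user "?" and checks the
slide's requirements. Both config fragments below are constructed samples.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample 1: the slide's fragment, placed under <configuration>.
HARDENED = """<configuration>
  <location path="_layouts/error.aspx">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
  <location path="_layouts/accessdenied.aspx">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
  <location path="_layouts">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="_vti_bin">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="_layouts/login.aspx">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
</configuration>"""

# Constructed sample 2: the same change with the _vti_bin block forgotten.
INCOMPLETE = HARDENED.replace(
    '  <location path="_vti_bin">\n'
    '    <system.web><authorization><deny users="?" /></authorization></system.web>\n'
    '  </location>\n', '')

# Paths the slide requires to be blocked / kept reachable for anonymous users.
MUST_DENY = ("/_layouts/viewlsts.aspx",      # named on the previous slide
             "/_vti_bin/lists.asmx")         # representative _vti_bin web service
MUST_ALLOW = ("/_layouts/error.aspx", "/_layouts/accessdenied.aspx", "/_layouts/login.aspx")


def location_rules(config_xml: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """(normalised location path, [(allow|deny, users), ...]) for each <location>
    that carries an <authorization> section."""
    rules = []
    for loc in ET.fromstring(config_xml).iter("location"):
        auth = next(loc.iter("authorization"), None)
        if auth is None:
            continue
        path = loc.get("path", "").strip("/").lower()
        rules.append((path, [(rule.tag, rule.get("users", "")) for rule in auth]))
    return rules


def anonymous_allowed(config_xml: str, request_path: str) -> bool:
    """True if "?" may reach request_path at the web.config level.

    ASP.NET merges the authorization rules of every <location> whose path covers
    the request, most specific location first, and the first rule that names the
    caller ("?" or "*") decides. With no such rule the machine-level default
    <allow users="*" /> applies. Role-based rules are not modelled here.
    """
    req = request_path.strip("/").lower()
    matching = sorted(
        (r for r in location_rules(config_xml) if req == r[0] or req.startswith(r[0] + "/")),
        key=lambda r: len(r[0]), reverse=True)
    for _path, entries in matching:
        for verb, users in entries:
            names = {u.strip() for u in users.split(",")}
            if "?" in names or "*" in names:
                return verb == "allow"
    return True


def audit_lockdown(config_xml: str) -> List[str]:
    """Findings against the slide's requirements; an empty list means the fragment is complete."""
    findings = []
    for path in MUST_DENY:
        if anonymous_allowed(config_xml, path):
            findings.append(f"anonymous users can still reach {path}")
    for path in MUST_ALLOW:
        if not anonymous_allowed(config_xml, path):
            findings.append(f"{path} is denied to anonymous users, so the redirect target itself is blocked")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("incomplete", INCOMPLETE)):
        print(label, audit_lockdown(cfg) or "OK")
```

The check is deliberately config-level: it tells you whether the fragment was merged into web.config correctly on every front-end server, which complements (rather than replaces) the Lockdown feature on the previous slide, since SharePoint's own permission checks still run for any request that web.config lets through.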
  23. Other Security Features
     • Information Rights Management
     • Event Auditing
     • Privileged Users
  24. Thank you for your attention!
     This presentation will be available on the Toronto SharePoint Summit web site a few days after the event.
     Antonio Maio, Senior Product Manager, TITUS; Microsoft SharePoint Server MVP
     Email: Antonio.maio@titus.com
     Blog: www.trustsharepoint.com
     Twitter: @AntonioMaio2
  25. Please rate this session!
     Fill out the survey and get a chance to win a Surface
