1.
Bert Johnson<br />SharePoint Architect and MCM - PointBridge<br />Securing the SharePoint Platform<br />

2.
Bert Johnson<br />SharePoint Architect with PointBridge Solutions<br />Microsoft Certified Master – SharePoint Server 2010<br />Twitter: @SPBert Event Hashtag: #SPSChicago<br />Email: bjohnson@pointbridge.com<br />Blog: http://blogs.pointbridge.com/Blogs/Johnson_Bert/<br />

3.
About PointBridge<br />By The Numbers:<br />Founded in 2004<br />250+ SharePoint projects<br />350,000+ hours of SharePoint experience <br />30,000+ monthly blog hits<br />2010 Microsoft Midwest District Award for Best Customer Experience<br />2009 Microsoft Central US Partner of the Year<br />2009 SharePoint Conference Award: Multi-Solution Capability<br />2008 Global Partner of the Year finalist: Citizenship<br />2007 Microsoft US Partner of the Year: SharePoint<br />One of 35 Microsoft National Systems Integrators<br />One of 15 members of Microsoft Partner Advisory Council for SharePoint<br />

4.
Agenda<br />The Importance of SharePoint Security<br />Facets of SharePoint Security<br />Resources<br />Q & A<br />

5.
The Importance of SharePoint Security<br />

6.
What is SharePoint?<br />SharePoint is:<br />“A site-provisioning engine”<br />No really, SharePoint is:<br />A website<br />A series of databases<br />An application platform<br />SharePoint touches:<br />Your network<br />Your Active Directory<br />Your LOB Systems<br />SharePoint is a platform with a large attack surface<br />

7.
SharePoint is Everywhere<br />Over 20,000 new SharePoint seats have been added every day for 5 years<br />Over 1,500 high profile websites on SharePoint<br />SharePoint is becoming increasingly “business critical”<br />SharePoint is commonly used for<br />Intranets<br />Extranets<br />Internet Sites<br />Application platforms<br />

8.
Types of Security Threats<br />Threats we’re going to explore today:<br />Data disclosure / theft<br />Data loss<br />System downtime<br />Types of attacks:<br />Cross-site scripting (XSS)<br />Cross-site request forgery (CSRF)<br />Clickjacking<br />Privilege escalation<br />“Man in the middle” / replay attacks<br />SQL injection<br />If it’s a threat to other websites or databases, it’s a threat to SharePoint<br />

9.
Software Security in the News<br />March 17 – RSA SecureID Compromised<br />March 24 - Comodo Security Breach<br />April 4 - Epsilon Data Leak<br />April 12 - Largest Microsoft Patch Tuesday<br />April 20 – PlayStation Network Hack<br />May 30 – LulzSec (PBS, Sony, NHS, etc.) <br />June 9 – Citigroup Accounts Accessed<br />* Concise history of recent Sony hacks<br />http://attrition.org/security/rants/sony_aka_sownage.html<br />

10.
Facets of SharePoint Security<br />

11.
Example:They keep piling up!<br />

12.
Planning for Security<br />

13.
Planning for Security<br />Plan personas and define permission matrices<br />Understand content and security contexts<br />Determine authentication, SSO, and federation goals<br />Use the SharePoint 2010 upgrade as an opportunity to apply governance<br />Don’t expect the default settings to protect you<br />

14.
Example:How’d you build that?<br />

15.
Anonymous Access<br />Carefully decide if SharePoint is the right platform for anonymous access<br />Especially consider implications for public blogs and wikis<br />Always use the site lockdown feature<br />“Get-SPFeatureviewformpageslockdown”<br />Further restrict pages using web.config or UAG<br />Add SharePoint to your website security testing<br />Don’t lock out the /_layouts path altogether<br />

16.
Example:I don’t think we’ve met…<br />

17.
Authentication and Directory Security<br />Synchronize only the AD users relevant for social features<br />Don’t bring confidential information into user profiles<br />Understand the impacts of third-party federation<br />Track and block rogue SharePoint installations with “Service Connection Points”<br />Develop a password change / managed account strategy<br />

18.
Example:Private audience?<br />

19.
Content Security<br />Audiences are not security<br />Search content rollups make bypassing audiences simple<br />Item-level permissions / broken permission inheritance should be the exception, not the rule<br />Avoid using policies to override permissions<br />PDFs = Pretty Dangerous Files<br />Consider Information Rights Management and auditing<br />

20.
Example:The man in the middle…<br />

21.
Network Security<br />Always use SSL for authenticated access<br />Firewall all nonessential public ports<br />Host all servers on the same vLAN<br />Use IPSec for geo-distributed communication<br />Be aware of “loopback check” implications<br />

22.
Network Security<br />

23.
Example:I’m with him…<br />

24.
Application Security<br />Never expose SharePoint’s application tier to the internet<br />Don’t host Central Administration on a web front-end<br />Isolate service accounts and use standard naming conventions<br />Use multiple IIS application pools (but not too many)<br />Never use CNames<br />

25.
Example:Thanks for the backup!<br />

26.
Database Security<br />Isolate SharePoint databases from other systems<br />Minimize the SQL surface area by disabling unneeded features<br />Consider SQL 2008 “Transparent Data Encryption”<br />Performance impact, backup size impact, and file stream impacts<br />Don’t leave SharePoint backups within the content database or on web-front ends<br />

27.
Example:Your health is showing.<br />

28.
Connected System Security<br />Remove the X-HealthScore, MicrosoftSharePointTeamServices, and other identifying headers<br />Leverage the Secure Store Service for safely accessing external systems via BCS<br />Avoid reliance on Flash content<br />Consider ForeFront UAG endpoint security<br />Set policies regarding data being stored offline<br />

29.
Example:Could you do this for me?<br />

30.
Custom Development Security<br />Build security testing into the SDLC for all custom and third-party components<br />Take advantage of CAS policies and the ULS logs<br />Utilize sandbox solutions whenever possible<br />Minimize use of RunWithElevatedPrivilege()<br />With SharePoint 2010, Javascript is now the biggest threat<br />

31.
Example:You don’t want this help…<br />

32.
Security Maintenance and Monitoring<br />If running WSS/MOSS, patch to October 2010 CU or install MS10-039<br />Keep SharePoint, Windows, and SQL patched to latest service packs<br />Deploy server-side virus protection<br />Use Systems Center Operations Manager with SP health rules to monitor for performance spikes or errors related to attacks<br />Build security assessments and spot checks into other SharePoint maintenance plans<br />Familiarize self with “Site Permissions > Check Permissions”<br />

33.
Resources<br />

34.
Resources<br />Downloadable book: Security for Office SharePoint Server 2007<br />http://technet.microsoft.com/en-us/library/cc262619(office.12).aspx<br />Locking down Office SharePoint Server sites<br />http://technet.microsoft.com/en-us/library/ee191479(office.12).aspx<br />Plan for and design security<br />http://technet.microsoft.com/en-us/library/cc262331(office.12).aspx<br />Bert Johnson security blogs<br />http://blogs.pointbridge.com/Blogs/Johnson_Bert/<br />

35.
Q & A<br />

36.
Bert Johnson<br />SharePoint Architect with PointBridge Solutions<br />Microsoft Certified Master – SharePoint Server 2010<br />Twitter: @SPBert Event Hashtag: #SPSChicago<br />Email: bjohnson@pointbridge.com<br />Blog: http://blogs.pointbridge.com/Blogs/Johnson_Bert/<br />

37.
Housekeeping<br />Please remember to submit your session evaluation forms after each session you attend to increase your chances at the raffle<br />Follow SharePoint Saturday Chicago on Twitter @spschicago and hashtag #spschicago<br />

38.
Thanks to Our Sponsors!<br />Premier<br />Gold<br />Silver<br />Bronze<br />Sponsors<br />