Securing the SharePoint Platform

  1. Bert Johnson
     SharePoint Architect and MCM - PointBridge
     Securing the SharePoint Platform
  2. Bert Johnson
     SharePoint Architect with PointBridge Solutions
     Microsoft Certified Master – SharePoint Server 2010
     Twitter: @SPBert
     Event Hashtag: #SPSChicago
     Email: bjohnson@pointbridge.com
     Blog: http://blogs.pointbridge.com/Blogs/Johnson_Bert/
  3. About PointBridge
     By The Numbers:
     Founded in 2004
     250+ SharePoint projects
     350,000+ hours of SharePoint experience
     30,000+ monthly blog hits
     2010 Microsoft Midwest District Award for Best Customer Experience
     2009 Microsoft Central US Partner of the Year
     2009 SharePoint Conference Award: Multi-Solution Capability
     2008 Global Partner of the Year finalist: Citizenship
     2007 Microsoft US Partner of the Year: SharePoint
     One of 35 Microsoft National Systems Integrators
     One of 15 members of Microsoft Partner Advisory Council for SharePoint
  4. Agenda
     The Importance of SharePoint Security
     Facets of SharePoint Security
     Resources
     Q & A
  5. The Importance of SharePoint Security
  6. What is SharePoint?
     SharePoint is:
       “A site-provisioning engine”
     No really, SharePoint is:
       A website
       A series of databases
       An application platform
     SharePoint touches:
       Your network
       Your Active Directory
       Your LOB systems
     SharePoint is a platform with a large attack surface
  7. SharePoint is Everywhere
     Over 20,000 new SharePoint seats have been added every day for 5 years
     Over 1,500 high-profile websites run on SharePoint
     SharePoint is becoming increasingly “business critical”
     SharePoint is commonly used for:
       Intranets
       Extranets
       Internet sites
       Application platforms
  8. Types of Security Threats
     Threats we’re going to explore today:
       Data disclosure / theft
       Data loss
       System downtime
     Types of attacks:
       Cross-site scripting (XSS)
       Cross-site request forgery (CSRF)
       Clickjacking
       Privilege escalation
       “Man in the middle” / replay attacks
       SQL injection
     If it’s a threat to other websites or databases, it’s a threat to SharePoint
  9. Software Security in the News
     March 17 – RSA SecurID compromised
     March 24 – Comodo security breach
     April 4 – Epsilon data leak
     April 12 – Largest Microsoft Patch Tuesday
     April 20 – PlayStation Network hack
     May 30 – LulzSec (PBS, Sony, NHS, etc.)
     June 9 – Citigroup accounts accessed
     * Concise history of recent Sony hacks:
       http://attrition.org/security/rants/sony_aka_sownage.html
 10. Facets of SharePoint Security
 11. Example: They keep piling up!
 12. Planning for Security
 13. Planning for Security
     Plan personas and define permission matrices
     Understand content and security contexts
     Determine authentication, SSO, and federation goals
     Use the SharePoint 2010 upgrade as an opportunity to apply governance
     Don’t expect the default settings to protect you
 14. Example: How’d you build that?
 15. Anonymous Access
     Carefully decide if SharePoint is the right platform for anonymous access
     Especially consider implications for public blogs and wikis
     Always use the site lockdown feature
       Get-SPFeature ViewFormPagesLockDown
     Further restrict pages using web.config or UAG
     Add SharePoint to your website security testing
     Don’t lock out the /_layouts path altogether
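The slide names the lockdown feature but not how to audit it across a farm, and the speaker notes list the endpoints that stay reachable while it is off. The script below is an added example, not part of Bert Johnson's deck: it finds every site collection in a web application with an anonymous zone, activates ViewFormPagesLockDown where it is missing, and then makes unauthenticated requests to those endpoints expecting a 401 or 403. It assumes the SharePoint 2010 Management Shell on a farm server; the document-library path is a constructed sample, and Invoke-WebRequest needs PowerShell 3.0 or later.

```powershell
# Added example: audit/enable the site lockdown feature and verify from outside.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Endpoints called out in the speaker notes as easy data discovery when lockdown
# is off. Forms/AllItems.aspx depends on the list, so a sample library is used.
$probePaths = @(
    "/Shared Documents/Forms/AllItems.aspx",   # constructed sample list path
    "/_layouts/viewlsts.aspx",
    "/_vti_bin/sites.asmx"
)

function Get-AnonymousSiteCollections {
    # AllowAnonymous is a per-zone IIS setting on the web application.
    Get-SPWebApplication | ForEach-Object {
        $wa = $_
        $anonZone = $wa.IisSettings.Values | Where-Object { $_.AllowAnonymous }
        if ($anonZone) { $wa.Sites }
    }
}

function Test-LockdownEnabled([Microsoft.SharePoint.SPSite]$site) {
    # Get-SPFeature -Site lists features *activated* on that site collection;
    # ViewFormPagesLockDown is hidden, so it never shows in the UI.
    $f = Get-SPFeature -Site $site.Url -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -eq "ViewFormPagesLockDown" }
    return [bool]$f
}

function Test-AnonymousProbe([string]$url) {
    # Returns the HTTP status an unauthenticated client gets for $url.
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

foreach ($site in Get-AnonymousSiteCollections) {
    if (-not (Test-LockdownEnabled $site)) {
        Write-Warning "Lockdown OFF: $($site.Url) - enabling"
        Enable-SPFeature -Identity ViewFormPagesLockDown -Url $site.Url
    }
    foreach ($p in $probePaths) {
        $url  = $site.Url.TrimEnd('/') + $p
        $code = Test-AnonymousProbe $url
        if ($code -eq 401 -or $code -eq 403) {
            Write-Host "OK   $url -> $code"
        } else {
            Write-Warning "EXPOSED $url -> $code"
        }
    }
    $site.Dispose()
}
```

Run the probe part again after any web.config or UAG restriction is added, since those layers, not the feature, are what protect pages the lockdown feature does not cover.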
 16. Example: I don’t think we’ve met…
 17. Authentication and Directory Security
     Synchronize only the AD users relevant for social features
     Don’t bring confidential information into user profiles
     Understand the impacts of third-party federation
     Track and block rogue SharePoint installations with “Service Connection Points”
     Develop a password change / managed account strategy
 18. Example: Private audience?
 19. Content Security
     Audiences are not security
     Search content rollups make bypassing audiences simple
     Item-level permissions / broken permission inheritance should be the exception, not the rule
     Avoid using policies to override permissions
     PDFs = Pretty Dangerous Files
     Consider Information Rights Management and auditing
 20. Example: The man in the middle…
 21. Network Security
     Always use SSL for authenticated access
     Firewall all nonessential public ports
     Host all servers on the same VLAN
     Use IPsec for geo-distributed communication
     Be aware of “loopback check” implications
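Two of the points on this slide are easy to check from the Management Shell, and the loopback one is routinely "fixed" the wrong way. The script below is an added example, not from the deck: it lists alternate access mappings that serve authenticated zones over plain HTTP, and it registers the farm's host names in BackConnectionHostNames (the per-name allow-list from KB 896861) instead of setting DisableLoopbackCheck, which switches the protection off for every name. It assumes the SharePoint 2010 Management Shell, run elevated on each web front-end, and an IIS restart afterwards; the registry paths are the documented LSA ones, not values from the slides.

```powershell
# Added example: SSL coverage of authenticated zones, and a scoped loopback fix.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$lsaPath   = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$msv1Path  = "$lsaPath\MSV1_0"
$valueName = "BackConnectionHostNames"

function Get-UnencryptedAuthenticatedUrls {
    # An AAM is a problem when its scheme is http and its zone does not allow
    # anonymous access, i.e. credentials would travel in the clear.
    Get-SPWebApplication | ForEach-Object {
        $wa = $_
        $wa.AlternateUrls | Where-Object {
            ([uri]$_.IncomingUrl).Scheme -ne "https" -and
            $wa.IisSettings.ContainsKey($_.Zone) -and
            -not $wa.IisSettings[$_.Zone].AllowAnonymous
        } | ForEach-Object { "$($wa.DisplayName) [$($_.Zone)] $($_.IncomingUrl)" }
    }
}

function Get-FarmHostNames {
    # Host part of every incoming URL the farm answers on.
    Get-SPAlternateURL | ForEach-Object { ([uri]$_.IncomingUrl).Host } | Sort-Object -Unique
}

function Test-LoopbackCheckDisabled {
    # DisableLoopbackCheck = 1 disables the check for all names; flag it.
    $v = (Get-ItemProperty -Path $lsaPath -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
    return ($v -eq 1)
}

function Set-BackConnectionHostNames([string[]]$hosts) {
    # Merge with whatever is already registered; REG_MULTI_SZ, one name per entry.
    $existing = (Get-ItemProperty -Path $msv1Path -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $merged = @($existing) + @($hosts) | Where-Object { $_ } | Sort-Object -Unique
    New-ItemProperty -Path $msv1Path -Name $valueName -PropertyType MultiString -Value $merged -Force | Out-Null
    return $merged
}

Get-UnencryptedAuthenticatedUrls | ForEach-Object { Write-Warning "Authenticated over HTTP: $_" }

if (Test-LoopbackCheckDisabled) {
    Write-Warning "DisableLoopbackCheck=1 is set; remove it and rely on $valueName instead"
}
$registered = Set-BackConnectionHostNames (Get-FarmHostNames)
Write-Host "$valueName now lists: $($registered -join ', ') (restart IIS to apply)"
```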
 22. Network Security
 23. Example: I’m with him…
 24. Application Security
     Never expose SharePoint’s application tier to the internet
     Don’t host Central Administration on a web front-end
     Isolate service accounts and use standard naming conventions
     Use multiple IIS application pools (but not too many)
     Never use CNAMEs
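Three of these points can be verified against a running farm rather than taken on trust. The script below is an added example, not from the deck: it reports servers that run Central Administration alongside the web front-end service, application-pool identities shared across more than one pool, and web application host names that resolve to a CNAME. It assumes the SharePoint 2010 Management Shell; Resolve-DnsName is a Windows 8 / Server 2012 cmdlet, so on older hosts that last check needs nslookup instead.

```powershell
# Added example: spot-check Central Admin placement, pool identities and CNAMEs.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ServersRunning([string]$typeName) {
    # Servers where the named service instance is online.
    Get-SPServiceInstance |
        Where-Object { $_.TypeName -eq $typeName -and $_.Status -eq "Online" } |
        ForEach-Object { $_.Server.Name }
}

function Get-CentralAdminOnFrontEnds {
    $wfe = @(Get-ServersRunning "Microsoft SharePoint Foundation Web Application")
    @(Get-ServersRunning "Central Administration") | Where-Object { $wfe -contains $_ }
}

function Get-AppPoolIdentities {
    # Web application pools (including Central Administration) plus service
    # application pools, each with the account it runs as.
    $web = Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
        New-Object PSObject -Property @{
            Pool = $_.ApplicationPool.Name; Account = $_.ApplicationPool.Username; UsedBy = $_.DisplayName }
    }
    $svc = Get-SPServiceApplicationPool | ForEach-Object {
        New-Object PSObject -Property @{
            Pool = $_.Name; Account = $_.ProcessAccountName; UsedBy = "service applications" }
    }
    @($web) + @($svc)
}

function Get-SharedPoolAccounts {
    # One identity per trust boundary: an account used by several pools is a
    # finding, as is a pool whose name says nothing about its purpose.
    Get-AppPoolIdentities | Group-Object Account | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        "$($_.Name) runs $($_.Count) pools: $(($_.Group | ForEach-Object { $_.Pool }) -join ', ')"
    }
}

function Get-CnameWebApplications {
    Get-SPWebApplication | ForEach-Object {
        $wa = $_
        $wa.AlternateUrls | ForEach-Object {
            $hostName = ([uri]$_.IncomingUrl).Host
            $cname = Resolve-DnsName -Name $hostName -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq "CNAME" }
            if ($cname) { "$($wa.DisplayName): $hostName is a CNAME for $($cname.NameHost)" }
        }
    }
}

Get-CentralAdminOnFrontEnds | ForEach-Object { Write-Warning "Central Administration on front-end: $_" }
Get-SharedPoolAccounts      | ForEach-Object { Write-Warning $_ }
Get-CnameWebApplications    | ForEach-Object { Write-Warning $_ }
```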
 25. Example: Thanks for the backup!
 26. Database Security
     Isolate SharePoint databases from other systems
     Minimize the SQL surface area by disabling unneeded features
     Consider SQL 2008 “Transparent Data Encryption”
       Performance impact, backup size impact, and FILESTREAM impacts
     Don’t leave SharePoint backups within the content database or on web front-ends
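TDE is a one-time server setup plus a per-database switch, and the step people skip is backing up the certificate, without which an encrypted content database cannot be restored anywhere else. The script below is an added example, not from the deck: T-SQL for SQL Server 2008 driven through a small System.Data.SqlClient helper so it runs without the SQL PowerShell module. Instance name, database name, passwords and key paths are placeholders, not values from the slides.

```powershell
# Added example: enable TDE on one SharePoint content database and back up the cert.
$sqlInstance  = "SQL01\SHAREPOINT"        # placeholder
$contentDb    = "WSS_Content_Intranet"     # placeholder
$masterKeyPw  = "<strong master key password>"   # placeholder
$certBackupPw = "<strong backup password>"       # placeholder
$keyFolder    = "D:\Keys"                  # placeholder, must be readable by the SQL service

function Invoke-Tsql([string]$database, [string]$query) {
    # Runs a non-query batch with integrated security; no SQLPS dependency.
    $cs   = "Server=$sqlInstance;Database=$database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        [void]$cmd.ExecuteNonQuery()
    } finally { $conn.Close() }
}

function Get-TdeState([string]$database) {
    # encryption_state: 0 none, 1 unencrypted, 2 in progress, 3 encrypted.
    $cs   = "Server=$sqlInstance;Database=master;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT encryption_state FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID(@db)"
        [void]$cmd.Parameters.AddWithValue("@db", $database)
        $state = $cmd.ExecuteScalar()
        if ($state -eq $null -or $state -is [DBNull]) { return 0 } else { return [int]$state }
    } finally { $conn.Close() }
}

# 1. Master key and certificate live in master and are created once per instance.
Invoke-Tsql master @"
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$masterKeyPw';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'SharePointTdeCert')
    CREATE CERTIFICATE SharePointTdeCert WITH SUBJECT = 'SharePoint content database TDE';
"@

# 2. Back the certificate up before anything depends on it; store the files and
#    password with the same care as the database backups themselves.
Invoke-Tsql master @"
BACKUP CERTIFICATE SharePointTdeCert TO FILE = '$keyFolder\SharePointTdeCert.cer'
WITH PRIVATE KEY (FILE = '$keyFolder\SharePointTdeCert.pvk', ENCRYPTION BY PASSWORD = '$certBackupPw');
"@

# 3. Per-database encryption key, then switch encryption on. Encryption runs in the
#    background; expect the performance and backup-size impact the slide mentions,
#    and note that tempdb is encrypted as soon as any database on the instance is.
Invoke-Tsql $contentDb "CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE SharePointTdeCert;"
Invoke-Tsql master "ALTER DATABASE [$contentDb] SET ENCRYPTION ON;"

Write-Host "$contentDb encryption_state = $(Get-TdeState $contentDb) (3 = encrypted)"
```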
 27. Example: Your health is showing.
 28. Connected System Security
     Remove the X-HealthScore, MicrosoftSharePointTeamServices, and other identifying headers
     Leverage the Secure Store Service for safely accessing external systems via BCS
     Avoid reliance on Flash content
     Consider Forefront UAG endpoint security
     Set policies regarding data being stored offline
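Whatever removes the headers (an outbound rewrite rule, an HTTP module, or UAG in front), the check that matters is what an outside client actually receives. The script below is an added example, not from the deck: it requests each public URL without credentials and reports any identifying header still present. The URL list is constructed; the header names beyond the two on the slide are the common IIS/ASP.NET fingerprints (and X-SharePointHealthScore, the name SharePoint 2010 actually emits for its load score). It uses System.Net.WebRequest so it works on PowerShell 2.0.

```powershell
# Added example: verify public URLs no longer send identifying response headers.
$publicUrls = @(
    "https://www.example-intranet.test/",            # constructed sample
    "https://www.example-intranet.test/Pages/default.aspx"
)
$identifyingHeaders = @(
    "X-HealthScore", "X-SharePointHealthScore", "MicrosoftSharePointTeamServices",
    "Server", "X-Powered-By", "X-AspNet-Version"
)

function Get-ExposedHeaders([string]$url) {
    # Returns a hashtable of identifying headers found on the response to $url.
    $req = [System.Net.WebRequest]::Create($url)
    $req.Method = "GET"
    $req.AllowAutoRedirect = $false     # inspect the first hop, not a login page
    $req.UserAgent = "header-audit"
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401/403/302 still carry headers; a transport failure has no response
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }
    $found = @{}
    foreach ($h in $identifyingHeaders) {
        $value = $resp.Headers[$h]
        if ($value) { $found[$h] = $value }
    }
    $resp.Close()
    return $found
}

function Test-PublicUrls {
    # True when every URL is clean; prints the offenders otherwise.
    $clean = $true
    foreach ($u in $publicUrls) {
        $exposed = Get-ExposedHeaders $u
        if ($exposed.Count -eq 0) {
            Write-Host "OK   $u"
        } else {
            $clean = $false
            foreach ($k in $exposed.Keys) { Write-Warning "$u sends $k`: $($exposed[$k])" }
        }
    }
    return $clean
}

Test-PublicUrls | Out-Null
```

Run it from outside the perimeter as well as inside: a reverse proxy or UAG may strip headers on the public path while internal clients still see them, and the two results tell you which layer is doing the work.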
 29. Example: Could you do this for me?
 30. Custom Development Security
     Build security testing into the SDLC for all custom and third-party components
     Take advantage of CAS policies and the ULS logs
     Utilize sandboxed solutions whenever possible
     Minimize use of RunWithElevatedPrivileges()
     With SharePoint 2010, JavaScript is now the biggest threat
 31. Example: You don’t want this help…
 32. Security Maintenance and Monitoring
     If running WSS/MOSS, patch to the October 2010 CU or install MS10-039
     Keep SharePoint, Windows, and SQL patched to the latest service packs
     Deploy server-side virus protection
     Use System Center Operations Manager with SharePoint health rules to monitor for performance spikes or errors related to attacks
     Build security assessments and spot checks into other SharePoint maintenance plans
     Familiarize yourself with “Site Permissions > Check Permissions”
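The spot checks this slide asks for, and the "a couple thousand turned out to be 22,000" story in the speaker notes, both come down to knowing who can reach what and whether the farm is at the build you approved. The script below is an added example, not from the deck: it compares the farm build with a baseline, summarizes for each site collection how many principals hold rights and which of them are the broad built-in ones, and scripts the equivalent of Site Permissions > Check Permissions for one login. It assumes the SharePoint 2010 Management Shell; the baseline build is a placeholder, and the broad-principal list is the usual Windows set plus the claims encoding of "All Authenticated Users".

```powershell
# Added example: farm build baseline, access breadth per site collection, and a
# scripted Check Permissions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$baselineBuild = [version]"14.0.0.0"   # placeholder: the build of your approved CU
$broadPrincipals = @(
    "c:0(.s|true",                          # claims: All Authenticated Users
    "NT AUTHORITY\authenticated users",
    "Everyone",
    "BUILTIN\Users"
)

function Test-FarmBuild {
    # True when the farm is at or above the baseline; warns otherwise.
    $farmBuild = (Get-SPFarm).BuildVersion
    if ($farmBuild -lt $baselineBuild) {
        Write-Warning "Farm build $farmBuild is below baseline $baselineBuild"
        return $false
    }
    return $true
}

function Get-SiteAccessSummary {
    # SiteUsers holds every user or group with explicit rights anywhere in the
    # site collection, so its size is the lower bound on "who has access".
    Get-SPSite -Limit All | ForEach-Object {
        $site = $_
        try {
            $users = $site.RootWeb.SiteUsers
            $broad = $users | Where-Object {
                $broadPrincipals -contains $_.LoginName -or $_.LoginName -like "*\domain users"
            }
            New-Object PSObject -Property @{
                Url        = $site.Url
                Principals = $users.Count
                Broad      = (@($broad | ForEach-Object { $_.LoginName })) -join "; "
            }
        } finally { $site.Dispose() }
    }
}

function Test-UserCanRead([string]$webUrl, [string]$login) {
    # Scripted Check Permissions for one login: can they at least view items?
    $web = Get-SPWeb $webUrl
    try {
        return $web.DoesUserHavePermissions($login, [Microsoft.SharePoint.SPBasePermissions]::ViewListItems)
    } finally { $web.Dispose() }
}

Test-FarmBuild | Out-Null
Get-SiteAccessSummary | Sort-Object Principals -Descending |
    Format-Table Url, Principals, Broad -AutoSize
```

Schedule the summary with the other maintenance jobs and diff it against the previous run: a jump in the principal count, or a broad principal appearing where there was none, is the kind of change worth a conversation with the site owner.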
 33. Resources
 34. Resources
     Downloadable book: Security for Office SharePoint Server 2007
       http://technet.microsoft.com/en-us/library/cc262619(office.12).aspx
     Locking down Office SharePoint Server sites
       http://technet.microsoft.com/en-us/library/ee191479(office.12).aspx
     Plan for and design security
       http://technet.microsoft.com/en-us/library/cc262331(office.12).aspx
     Bert Johnson security blogs
       http://blogs.pointbridge.com/Blogs/Johnson_Bert/
 35. Q & A
 36. Bert Johnson
     SharePoint Architect with PointBridge Solutions
     Microsoft Certified Master – SharePoint Server 2010
     Twitter: @SPBert
     Event Hashtag: #SPSChicago
     Email: bjohnson@pointbridge.com
     Blog: http://blogs.pointbridge.com/Blogs/Johnson_Bert/
 37. Housekeeping
     Please remember to submit your session evaluation forms after each session you attend to increase your chances in the raffle
     Follow SharePoint Saturday Chicago on Twitter @spschicago and hashtag #spschicago
 38. Thanks to Our Sponsors!
     Premier
     Gold
     Silver
     Bronze
     Sponsors

Speaker notes

  • [1 minute]
  • [1 minute]
  • [1 minute]
  • [2 minutes] “Application platform” includes custom development, Project Server, SAP Duet, FAST Search, TFS.
  • [1 minute]
  • [2 minutes]
  • [2 minutes]
  • [2 minutes] On one of my first SharePoint assessments, a major firm I was working with had no idea how much data or what kinds of data they had, how many users they had, or how permissions were configured. They estimated a couple thousand people had access to SharePoint. It turned out over 22,000 did.
  • [3 minutes] The farm configuration wizard creates some security gaps by default.
  • [5 minutes] Unless the site feature is activated, standard SharePoint endpoints are available, making data discovery easy:
      /Forms/AllItems.aspx
      /_layouts/viewlsts.aspx
      /_vti_bin/sites.asmx
  • [2 minutes] SharePoint people search results have no form of security trimming. If a user can see any people results, they can see them all.
  • [2 minutes] Too often, SharePoint site owners rely on obfuscation or audience targeting to try to secure content.
  • [3 minutes] Any party who can manipulate SharePoint’s HTML directly or impersonate third-party JavaScript can compromise the site.
  • [2 minutes] The InfoPath Forms Services web service proxy caches credentials, allowing subsequent users to impersonate preceding users if it is accessed directly.
  • [3 minutes] SharePoint Designer backups are exported to the root of your SharePoint site as unencrypted CMP packages.
  • [3 minutes] SharePoint 2010 added a new header called X-HealthScore for preventing Office client abuse. On public sites, it advertises server load. All SharePoint versions reveal their version number in a header by default.
  • [4 minutes] Malicious JavaScript can be used to manipulate data when another user runs it.
  • [2 minutes] MOSS 2007 below August 2009 has an XSS bug in the help pages allowing arbitrary code injection.
  • [1 minute]