Date posted: 18-Jan-2015
Uploaded by: steve-goldberg
SharePoint Security A-Z: Who Has Access to What?
Steve Goldberg, Axceler
[email protected] @iamgoldberg
Email Cell Twitter Blog
[email protected] 425.246.2823 @buckleyplanet http://buckleyplanet.com
About Me
Steve Goldberg, Sales Engineer at Axceler
• Software Engineer at Axceler for ControlPoint, a SharePoint administration product
• Prior to Axceler, was a consultant at Computer Sciences Corporation (CSC), specializing in SharePoint development
• Current role:
  • Talk to 30-40 people weekly about how to govern SharePoint
  • Managing permissions is the #1 issue administrators face
  • Manage and clean up
• Twitter: @iamgoldberg Blog: iamgoldberg.com Email: [email protected]
Axceler Overview
Improving Collaboration Since 2007
Mission: To enable enterprises to simplify, optimize, and secure their collaborative platforms
• Delivered award-winning administration and migration software since 1994
• Over 2,500 global customers
• Dramatically improve the management of SharePoint
• Innovative products that improve security, scalability, reliability, “deployability”
• Making IT more effective and efficient and lowering the total cost of ownership
• Focus on solving specific SharePoint problems (Administration & Migration)
• Coach enterprises on SharePoint best practices
• Give administrators the most innovative tools available
• Anticipate customers’ needs
• Deliver best-of-breed offerings
• Stay in lock step with SharePoint development and market trends
Always Ask Yourself…
• How is your organization using SharePoint?
• Is there secure content in your SharePoint environment?
• Who needs to have access to SharePoint?
• Are there ways you can expand the use of SharePoint to offer more benefits to your organization?
Authentication Methods
A SharePoint environment must support user accounts that can be authenticated by a trusted authority.
How do you authenticate your users?
Windows Authentication
• NTLM: users are authenticated using the credentials on the running thread
  • Simple to implement
  • SharePoint will not be integrated with other applications
• Kerberos: if your SharePoint sites use external data
  • Credentials are passed from one server to another (“double hop”)
  • Faster, more secure, and can be less error prone than NTLM
• Anonymous Access: no authentication needed to browse the site
Active Directory Domain Services (AD DS)
Authentication based on user account and password from AD
This works well for Windows environments
Do you need to support Internet, partner, or cloud-based computing models?
Forms-based Authentication
Used mostly for extranets
Credentials stored in:
• Lightweight Directory Access Protocol (LDAP) data store (Novell, Sun)
• AD DS
• SQL or other database
• Custom or third-party membership and role providers
In SharePoint 2010, forms-based authentication is only available when you use claims-based authentication
Claims-Based Authentication (SharePoint 2010)
Usually for external customers or partners
An outside identity provider authenticates users
A claim is just a piece of information describing a user (name, email, age, hire date, etc.) that is used to authenticate the user
So Much Potential…
Integration with Facebook, Google, Live ID, etc.
1. “I’d like to access the Axceler Microsoft technology partners site.”
2. “Not until you can prove to me that you are in the Axceler Microsoft technology partners group.”
3. “Here is my Live ID and password.”
4. “Hi, Steve. I see you are in the Axceler Microsoft technology partners group. Here is a token you can use.”
5. “I’d like to access the Axceler Microsoft technology partner document, and here’s proof I have access to it!”
SharePoint Authentication
Defined at the web application level
Who Needs to Access SharePoint?
Claims-based authentication mode lets you use any supported authentication method; otherwise you will support only Windows authentication
Now That We’ve Authenticated Our Users….
Is permission management part of your governance plan?
Governance is about taking action to help your organization organize, optimize, and manage your systems and resources.
What do your permissions look like in SharePoint?
How did that happen?
• No plan
• The business grows and evolves
• People and projects turn over
Securable Objects
What can we secure?
• Site
• Library or list
• Folder
• Document or item
Structure/Architecture
A farm contains web applications, each web application contains site collections, each site collection contains sites, and sites contain sub-sites:
Farm
  Web App
    Site Collection
      Site
        Sub-site
Plan!
• How granular do you need to control access to content?
• Who manages all the different parts of your SharePoint farm?
• How do you want to manage your users?
Farm Administrators Group
Assigned in Central Admin; has permission to all servers and settings in the farm
Central Administration access, create new web apps, manage services, stsadm/PowerShell commands
Can take ownership of content: make themselves Site Collection Administrators
Web Application Policies
Quick way to apply permissions across web applications
Users can be explicitly denied access
Set in Central Admin
Site Collection Administrators
Given full control over all sites in a site collection
Access to settings pages: manage users, restore items, manage site hierarchy
Cannot access Central Admin
Your Content
Site Collection
  Sites and sub-sites
    Lists/Libraries
Permission Levels
Collections of permissions that allow users to perform a set of related tasks
Permission levels are defined at the site collection level
SharePoint Groups
A group of users defined at the site collection level for easy management of permissions
The default SharePoint groups are Owners, Visitors, and Members, with Full Control, Read, and Contribute as their default permission levels respectively
Anyone with Full Control permission can create custom groups
Customizing Permission Levels
The default permission levels are Full Control, Design, Contribute, Read, and Limited Access
What does “Read” mean to your organization?
The Basics: Permissions
Permissions are applied on objects:
1. Directly to users
2. Directly to domain groups (visibility warning: SharePoint does not show who is inside a domain group)
3. To SharePoint groups
Check Permission Button
SharePoint 2010 lets administrators use Check Permissions to determine a user or group’s permissions on all content
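The Check Permissions page answers the question for one user at a time; the script below, an added example that is not Axceler's or Microsoft's code, turns it around and reports for one site who holds which permission levels and whether each grant is a direct user, a domain group or a SharePoint group, the three cases from the preceding slide. It assumes the SharePoint 2010 Management Shell (Microsoft.SharePoint snap-in) on a farm server; the site URL is a placeholder.

```powershell
# Added example, not Axceler's or Microsoft's code. Runs in the SharePoint 2010 Management
# Shell on a farm server; $Url is a placeholder for the site to inspect.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$Url = 'http://sharepoint.example.com/sites/contracts'   # placeholder

function Get-PrincipalKind($member) {
    # SPGroup = SharePoint group; SPUser with IsDomainGroup = AD group; anything else is one user
    if ($member -is [Microsoft.SharePoint.SPGroup]) { return 'SharePointGroup' }
    if ($member.IsDomainGroup) { return 'DomainGroup' }
    return 'DirectUser'
}

$web = Get-SPWeb $Url
try {
    if (-not $web.HasUniqueRoleAssignments) {
        Write-Host "Note: $Url inherits its permissions; the assignments below come from its parent."
    }
    $rows = foreach ($ra in $web.RoleAssignments) {
        $kind = Get-PrincipalKind $ra.Member
        # Permission levels bound to this principal (Full Control, Contribute, Limited Access, ...)
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
        # Expand SharePoint groups so the report names people, not just the group.
        # Domain groups cannot be expanded here: SharePoint does not see inside them.
        $who = if ($kind -eq 'SharePointGroup') {
            ($ra.Member.Users | ForEach-Object { $_.LoginName }) -join '; '
        } else { $ra.Member.LoginName }
        New-Object PSObject -Property @{
            Kind = $kind; Principal = $ra.Member.Name; PermissionLevels = $levels; Resolves = $who
        }
    }
}
finally { $web.Dispose() }

$rows | Sort-Object Kind, Principal | Format-Table Kind, Principal, PermissionLevels, Resolves -AutoSize
# Direct user grants and domain groups are the hard-to-track cases from the slide
$rows | Where-Object { $_.Kind -ne 'SharePointGroup' } |
    ForEach-Object { Write-Warning "$($_.Kind): $($_.Principal) has $($_.PermissionLevels)" }
```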
Inheritance
If all sites and site content inherit the permissions defined at the site collection, what’s so hard about managing permissions if they are defined so high in the hierarchy?
Fine Grained Permissions
Sites, lists, libraries, folders, documents, and items can all have unique security
What Exactly is Happening?
Breaking inheritance copies groups, users, and permission levels from the parent object to the child object
Changes to the parent object do not affect the child afterwards
Limited Access
Automatically applied to every securable object above the uniquely permissioned item
Is not directly “applied” by an administrator; SharePoint assigns it so users can navigate to the item
Permissions Management Becomes Impossible
“If you use fine-grained permissions extensively, you will spend more time managing the permissions, and users will experience slower performance when they try to access site content.” ~ Planning site permissions, TechNet, http://bit.ly/InKv9i
Permission management (additions, deletions, edits) is done one securable object at a time!
Performance is Affected too!
Performance is reduced once 1000 objects have broken inheritance in a list or library
Sites, lists, and libraries need to build security-trimmed navigation
List load time increases
*Apply unique permissions to folders if need be*
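The three preceding slides (one object at a time, the 1000-object threshold, folders as the preferred unit) suggest an inventory of broken inheritance before it gets out of hand. The script below is an added example, not Axceler's or Microsoft's code: it walks one site collection in the SharePoint 2010 Management Shell and lists every sub-site, list/library and item or folder with unique permissions, flagging lists at or over the cited threshold. It assumes a farm server with the Microsoft.SharePoint snap-in; the site collection URL is a placeholder.

```powershell
# Added example, not Axceler's or Microsoft's code. Runs in the SharePoint 2010 Management
# Shell on a farm server; $SiteUrl is a placeholder. Walks one site collection and lists every
# site, list/library and item that has broken inheritance, flagging lists past the 1000 mark.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$SiteUrl   = 'http://sharepoint.example.com/sites/contracts'   # placeholder
$Threshold = 1000   # the per-list figure cited on the slide

$site = Get-SPSite $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            # The root web always has its own permissions; only sub-sites "break" inheritance
            if ($web.HasUniqueRoleAssignments -and -not $web.IsRootWeb) {
                New-Object PSObject -Property @{ Type = 'Site'; Url = $web.Url; UniqueChildren = 0; Flag = '' }
            }
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }   # skip galleries, workflow history and other system lists
                # Items and folders that carry their own role assignments (this enumerates the whole
                # list, so expect it to be slow on very large libraries)
                $unique = @($list.Items   | Where-Object { $_.HasUniqueRoleAssignments }).Count +
                          @($list.Folders | Where-Object { $_.HasUniqueRoleAssignments }).Count
                if ($list.HasUniqueRoleAssignments -or $unique -gt 0) {
                    $flag = if ($unique -ge $Threshold) { 'OVER THRESHOLD' } else { '' }
                    New-Object PSObject -Property @{
                        Type = 'List'; Url = "$($web.Url)/$($list.RootFolder.Url)"
                        UniqueChildren = $unique; Flag = $flag
                    }
                }
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }

# Every row is a place where permissions must be edited one object at a time
$report | Sort-Object UniqueChildren -Descending | Format-Table Type, Url, UniqueChildren, Flag -AutoSize
'{0} objects with unique permissions, {1} lists at or over {2} uniquely permissioned children' -f `
    @($report).Count, @($report | Where-Object { $_.Flag }).Count, $Threshold
```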
Orphaned Domain Users
Deleted and disabled Active Directory users are not updated in SharePoint:
• Permissions
• User Profiles
• My Sites
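Because SharePoint keeps these accounts in its own user list, finding them means comparing that list against AD. The script below is an added example, not Axceler's or Microsoft's code: in the SharePoint 2010 Management Shell it takes each Windows user known to a site, looks the account up with a .NET DirectorySearcher and reports the ones that are deleted or disabled, together with the SharePoint groups they still sit in. It assumes a domain-joined farm server, a single AD domain (the searcher uses the default naming context), and the two Windows login formats shown in the comments; the site URL is a placeholder.

```powershell
# Added example, not Axceler's or Microsoft's code. Runs in the SharePoint 2010 Management
# Shell on a domain-joined farm server; assumes one AD domain. $Url is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$Url = 'http://sharepoint.example.com/sites/contracts'   # placeholder

function Get-SamAccountName([string]$login) {
    # Claims-mode Windows logins look like "i:0#.w|DOMAIN\user"; classic mode is "DOMAIN\user".
    # Anything else (forms-based or trusted-provider identities) is not checked against AD.
    $login = $login -replace '^i:0#\.w\|', ''
    if ($login -match '^[^\\]+\\([^\\]+)$') { return $Matches[1] }
    return $null
}

function Get-AdAccountState([string]$sam) {
    # Default SearchRoot is the domain the server is joined to (assumption: single domain)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    $result = $searcher.FindOne()
    if ($result -eq $null) { return 'Deleted' }
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    if ($uac -band 0x2) { return 'Disabled' }   # ACCOUNTDISABLE flag
    return 'Active'
}

$web = Get-SPWeb $Url
try {
    $orphans = foreach ($user in $web.SiteUsers) {
        if ($user.IsDomainGroup) { continue }                         # groups are checked separately
        if ($user.LoginName -like '*SHAREPOINT\system') { continue }  # built-in farm account
        $sam = Get-SamAccountName $user.LoginName
        if (-not $sam) { continue }
        $state = Get-AdAccountState $sam
        if ($state -ne 'Active') {
            New-Object PSObject -Property @{
                Login = $user.LoginName; State = $state
                InGroups = ($user.Groups | ForEach-Object { $_.Name }) -join ', '
            }
        }
    }
}
finally { $web.Dispose() }

# These accounts keep their permissions and group memberships until someone removes them
$orphans | Format-Table Login, State, InGroups -AutoSize
```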
Distributed Administration
SharePoint is designed to have site administrators and power users
Be Careful!
Train your admins and power users!
“I didn’t know that restoring inheritance would remove our unique security model!”
~ Countless well-intentioned site admins
Power Users Tip
Manage power users through the “Owners” SharePoint group.
Limit the members to only those users you trust to change the structure, settings, or appearance of the site.
Best Practice
Make most users members of the Members or Visitors groups
The Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site.
The Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.
Stick to the Plan
If you do break inheritance, Microsoft recommends using groups to avoid having to track individual users
People move in and out of teams and change responsibilities frequently
Tracking those changes and updating the permissions for uniquely secured objects would be time-consuming and error-prone.
Plan for Permission Inheritance
Arrange sites and subsites, and lists and libraries, so they can share most permissions
Separate sensitive data into its own lists, libraries, or subsite
Permission worksheet: http://go.microsoft.com/fwlink/p/?LinkID=213970&clcid=0x409
It’s SharePoint’s Fault!
Administrators can audit permission changes by going to the site collection’s settings page
Questions and Answers
Steve Goldberg [email protected] @iamgoldberg
Additional Resources available:
• 11 Strategic Considerations for SharePoint Migrations http://bit.ly/j4Vuln
• The Insider’s Guide to Upgrading to SharePoint 2010 http://bit.ly/mIpOBZ
• Why Do SharePoint Projects Fail? http://bit.ly/d1mJmw
• Best practices for capacity management for SharePoint Server 2010, TechNet http://bit.ly/nvNrig
• What to Look for in a SharePoint Management Tool http://bit.ly/l26ida
• The Five Secrets to Controlling Your SharePoint Environment http://bit.ly/kzdTjZ
Contact me
We want your feedback! Use this QR code or visit: http://sps.la/feedback
Silver Sponsors:
Victory Lap social event: the “SharePoint Victory Lap” Social Event for SPSLA will be at Di Piazzas (5205 E. Pacific Coast Hwy, 90804) from 5:30pm to 8pm
What I left out…
Windows Authentication
• Basic
  • Users have previously assigned Windows credentials
  • Browser provides credentials during the HTTP transaction
  • Not encrypted; should enable Secure Sockets Layer (SSL) encryption
• Digest
  • Credentials are encrypted
These are set directly in IIS
Zones
Each “zone” is essentially a new IIS website
Access the same content through a different URL
Allows for multiple authentication methods to the same site
Since SharePoint 2010 allows web applications to have mixed authentication methods when choosing claims-based authentication, zones are more useful for load balancing, caching, content databases, and custom modules
Audience targeting
Used to display content such as list or library items, navigation links, and entire Web Parts to specific groups of people. This is useful when you want to present information that is relevant only to a particular group of people. For example, you can add a Web Part to the legal department’s portal site that contains a list of legal contracts that is visible only to that department.