SharePoint Security A to Z

Date post: 18-Jan-2015

Upload: steve-goldberg
Description:
The session will address the different ways users can be authenticated in SharePoint: Active Directory, forms based authentication, claims based authentication, and anonymous access. I’ll discuss when to implement each method and what the best practices are for permission application and management. I’ll address when to use each method and when to implement other concepts like web application policies, extending web applications, laying out a decentralized security model. To abide by this best practice, I’ll discuss how the farm’s taxonomy may need to be restructured. This is where administrators need to develop and enforce a governance plan around the farm’s taxonomy. Thinking about where lists, items, and groups need to be in a SharePoint farm will ensure the right eyes are seeing the right content, and nothing more. The goal of the session is to ensure SharePoint content is secure and permissions do not get out of control. I’ll take a deep dive into what is available out of the box and what you can customize. Finally, I’ll also demonstrate how to utilize SharePoint’s auditing functionality to track who is changing permissions. The audit reports will be used to ensure the admins changing permissions are taking the correct action. When administrators know all their options around security, internal governance plans can be developed to safeguard their farm’s content.
Transcript
Page 1: SharePoint Security A to Z

SharePoint Security A-Z: Who Has Access to What?

Steve Goldberg, Axceler

[email protected] @iamgoldberg

Page 2: SharePoint Security A to Z

Email Cell Twitter Blog

[email protected] 425.246.2823 @buckleyplanet http://buckleyplanet.com

About Me

Steve Goldberg, Sales Engineer at Axceler

• Software Engineer at Axceler for ControlPoint, a SharePoint administration product

• Prior to Axceler, was a consultant at Computer Sciences Corporation (CSC), specializing in SharePoint development

• Current Role:

• Talk to 30-40 people weekly about how to govern SharePoint

• Managing permissions is the #1 issue administrators face

• Manage and cleanup

• Twitter: @iamgoldberg Blog: iamgoldberg.com Email: [email protected]

Page 3: SharePoint Security A to Z


Axceler Overview

Improving Collaboration Since 2007

Mission: To enable enterprises to simplify, optimize, and secure their collaborative platforms

Delivered award-winning administration and migration software since 1994

Over 2,500 global customers

Dramatically improve the management of SharePoint

Innovative products that improve security, scalability, reliability, “deployability”

Making IT more effective and efficient and lowering the total cost of ownership

Focus on solving specific SharePoint problems (Administration & Migration)

Coach enterprises on SharePoint best practices

Give administrators the most innovative tools available

Anticipate customers’ needs

Deliver best of breed offerings

Stay in lock step with SharePoint development and market trends

Page 4: SharePoint Security A to Z


How is your organization using SharePoint?

Is there secure content in your SharePoint environment?

Who needs to have access to SharePoint?

Are there ways you can expand the use of SharePoint to offer more benefits to your organization?

Always Ask Yourself…


Page 6: SharePoint Security A to Z


A SharePoint environment must support user accounts that can be authenticated by a trusted authority

How do you authenticate your users?

Authentication Methods

Page 7: SharePoint Security A to Z


NTLM: Users are authenticated by using the credentials on the running thread. Simple to implement. SharePoint will not be integrated with other applications.

Kerberos: Use it if your SharePoint sites use external data. Credentials are passed from one server to another (“double hop”). Faster, more secure, and can be less error prone than NTLM.

Anonymous Access: No authentication needed to browse the site.

Windows Authentication

Page 8: SharePoint Security A to Z


Authentication based on user account and password from AD

This works well for Windows environments

Do you need to support Internet, partner, or cloud-based computing models?

Active Directory Domain Services (AD DS)

Page 9: SharePoint Security A to Z


Used mostly for Extranets

Credentials stored in:

• Lightweight Directory Access Protocol (LDAP) data store (Novell, Sun)

• AD DS

• SQL or other database

• Custom or third-party membership and role providers

In SharePoint 2010, forms-based authentication is only available when you use claims-based authentication

Forms-based Authentication

Page 10: SharePoint Security A to Z


Usually for external customers or partners

An outside identity provider authenticates users

A claim is just a piece of information describing a user (name, email, age, hire date, etc.) that is used to authenticate the user

Claims-Based Authentication (SharePoint 2010)

Page 11: SharePoint Security A to Z


Integration with Facebook, Google, Live ID, etc.

1. “I’d like to access the Axceler Microsoft technology partners site.”

2. “Not until you can prove to me that you are in the Axceler Microsoft technology partners group.”

3. “Here is my Live ID and password.”

4. “Hi, Steve. I see you are in the Axceler Microsoft technology partners group. Here is a token you can use.”

5. “I’d like to access the Axceler Microsoft technology partner document, and here’s proof I have access to it!”

So Much Potential…

Page 12: SharePoint Security A to Z


Defined at the web application level

SharePoint Authentication

Page 13: SharePoint Security A to Z


Claims-based authentication mode: use any supported authentication method; otherwise you will support only Windows authentication

Who Needs to Access SharePoint?

Page 14: SharePoint Security A to Z


Is permission management part of your governance plan?

Now That We’ve Authenticated Our Users…

Page 15: SharePoint Security A to Z


Governance is about taking action to help your organization organize, optimize, and manage your systems and resources.

Page 16: SharePoint Security A to Z


What do your permissions look like in SharePoint?


Page 18: SharePoint Security A to Z


No plan

The business grows and evolves

People and projects turn over

How did that happen?

Page 19: SharePoint Security A to Z


What can we secure?

• Site

• Library or List

• Folder

• Document or Item

Securable Objects

Page 20: SharePoint Security A to Z


Structure/Architecture

[Diagram: Farm > Web App > Site Collection > Site > Sub-site; a farm holds several web apps, each web app several site collections, each site collection several sites and sub-sites]

Page 21: SharePoint Security A to Z


How granularly do you need to control access to content?

Who manages all the different parts of your SharePoint farm?

How do you want to manage your users?

Plan!

Page 22: SharePoint Security A to Z


Assigned in Central Admin and has permission to all servers and settings in the farm

Central Administration access, create new web apps, manage services, stsadm/PowerShell commands

Can take ownership of content: make themselves Site Collection Administrators

Farm Administrators Group

Page 23: SharePoint Security A to Z


Quick way to apply permissions across web applications

Users can be explicitly denied access

Set in Central Admin


Web Application Policies

Page 24: SharePoint Security A to Z


Given full control over all sites in a site collection

Access to settings pages: manage users, restore items, manage site hierarchy

Cannot access Central Admin

Site Collection Administrators

Page 25: SharePoint Security A to Z


Your Content

[Diagram: Site Collection > Sites and Sub-sites > Lists/Libraries under each site and sub-site]

Page 26: SharePoint Security A to Z


Collections of permissions that allow users to perform a set of related tasks

Permission levels are defined at the site collection level

Permission Levels

Page 27: SharePoint Security A to Z


A group of users that are defined at site collection level for easy management of permissions

The default SharePoint groups are Owners, Visitors, and Members, with Full Control, Read, and Contribute as their default permission levels respectively

Anyone with Full Control permission can create custom groups


SharePoint Groups

Page 28: SharePoint Security A to Z


The default permission levels are Full Control, Design, Contribute, Read, and Limited Access

What does “Read” mean to your organization?

Customizing Permission Levels

Page 29: SharePoint Security A to Z


Permissions are applied on objects:

1. Directly to users

2. Directly to domain groups (visibility warning)

3. To SharePoint Groups

The Basics: Permissions

Page 30: SharePoint Security A to Z


SharePoint 2010 lets administrators Check Permissions to determine a user or group’s permissions on all content


Check Permission Button

Page 31: SharePoint Security A to Z


If all sites and site content inherit those permissions defined at the site collection, what’s so hard about managing permissions if they are defined so high in the hierarchy?

Inheritance

Page 32: SharePoint Security A to Z


Sites, lists, libraries, folders, documents, and items can all have unique security

Fine Grained Permissions

Page 33: SharePoint Security A to Z


Breaking inheritance copies groups, users, and permission levels from the parent object to the child object

After that, changes to the parent object do not affect the child

What Exactly is Happening?

Page 34: SharePoint Security A to Z


Automatically applied to every securable object above the uniquely permissioned item

Is not directly “applied”

Limited Access

Page 35: SharePoint Security A to Z


“If you use fine-grained permissions extensively, you will spend more time managing the permissions, and users will experience slower performance when they try to access site content” ~Planning site permissions, TechNet http://bit.ly/InKv9i

Permission management (additions, deletions, edits) is done one securable object at a time!

Permissions Management Becomes Impossible

Page 36: SharePoint Security A to Z


Performance is reduced once 1000 objects have broken inheritance in a list or library

Sites, lists, and libraries need to build security trimmed navigation

List load time increases

*Apply unique permissions to folders if need be*


Performance is Affected too!
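The slides above describe what breaking inheritance does and where it starts to hurt, but not how to find out where it has already happened. The following script is an added example, not from the deck or from Axceler's ControlPoint; it walks one site collection with the SharePoint 2010 server object model and lists every web, list, folder and item with unique permissions, flagging lists that cross the 1000-object mark. `$SiteUrl` is a placeholder; run it from the SharePoint Management Shell on a farm server with rights to the site collection.

```powershell
# Added example (not from the slides): inventory broken inheritance in one site collection
# and flag lists over the 1000-object threshold. Requires the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl   = "http://sharepoint.example.com/sites/legal"   # placeholder, change to your site
$Threshold = 1000                                           # per-list limit quoted on the slide

function Get-RoleAssignmentSummary($securable) {
    # One line per principal on an object with unique permissions. Parents of a uniquely
    # permissioned item show the automatic "Limited Access" level from the Limited Access slide.
    $securable.RoleAssignments | ForEach-Object {
        $levels = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0} -> {1}" -f $_.Member.Name, $levels
    }
}

# Scope='RecursiveAll' returns folders as well as items, since both can break inheritance.
$query = New-Object Microsoft.SharePoint.SPQuery
$query.ViewAttributes = "Scope='RecursiveAll'"

$site = Get-SPSite -Identity $SiteUrl
try {
    foreach ($web in $site.AllWebs) {
        if ($web.HasUniqueRoleAssignments) {
            Write-Output "WEB  $($web.Url)"
            Get-RoleAssignmentSummary $web | ForEach-Object { Write-Output "     $_" }
        }
        foreach ($list in $web.Lists) {
            if ($list.Hidden) { continue }          # skip system lists
            if ($list.HasUniqueRoleAssignments) {
                Write-Output "LIST $($web.Url)/$($list.RootFolder.Url)"
                Get-RoleAssignmentSummary $list | ForEach-Object { Write-Output "     $_" }
            }
            # Count items and folders with unique permissions. This walks the whole list,
            # so expect it to take a while on very large libraries.
            $unique = 0
            foreach ($item in $list.GetItems($query)) {
                if ($item.HasUniqueRoleAssignments) { $unique++ }
            }
            if ($unique -gt 0) {
                $flag = if ($unique -ge $Threshold) { "  <-- over the $Threshold limit" } else { "" }
                Write-Output "     $unique uniquely permissioned items/folders in '$($list.Title)'$flag"
            }
        }
        $web.Dispose()
    }
} finally {
    $site.Dispose()
}
```

Principals that appear only with "Limited Access" on a web or list are the footprint of a uniquely permissioned child further down, which is the case the next slides say is easy to break by restoring inheritance.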

Page 37: SharePoint Security A to Z


Deleted and disabled Active Directory users are not updated in SharePoint

Permissions, User Profiles, My Sites

Orphaned Domain Users

Page 38: SharePoint Security A to Z


SharePoint is designed to have site administrators and power users

Distributed Administration

Page 39: SharePoint Security A to Z


Train your admins and power users!

“I didn’t know that restoring inheritance would remove our unique security model!”

~Countless well intentioned site admins


Be Careful!

Page 40: SharePoint Security A to Z


Manage power users through the “Owners” SharePoint groups.

Limit the members to only those users you trust to change the structure, settings, or appearance of the site

Power Users Tip

Page 41: SharePoint Security A to Z


Make most users members of the Members or Visitors groups

Members group can contribute to the site by adding or removing items or documents, but cannot change the structure, site settings, or appearance of the site.

Visitors group has read-only access to the site, which means that they can see pages and items, and open items and documents, but cannot add or remove pages, items, or documents.


Best Practice

Page 42: SharePoint Security A to Z


If you do break inheritance, Microsoft recommends using groups to avoid having to track individual users

People move in and out of teams and change responsibilities frequently

Tracking those changes and updating the permissions for uniquely secured objects would be time-consuming and error-prone.

Stick to the Plan

Page 43: SharePoint Security A to Z


Arrange sites and subsites, and lists and libraries, so they can share most permissions

Separate sensitive data into their own lists, libraries, or subsites

Permission worksheet: http://go.microsoft.com/fwlink/p/?LinkID=213970&clcid=0x409

Plan for Permission Inheritance

Page 44: SharePoint Security A to Z


Administrators can audit permission changes by going to the site collection’s settings page

It’s SharePoint’s Fault!
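The settings page shows the same audit log that the SharePoint 2010 object model exposes. As an added example (not from the deck), this script makes sure the site collection is recording security changes, then pulls the permission-change entries for the last `$Days` days so the admins making the changes can be reviewed against the governance plan. `$SiteUrl` and `$Days` are placeholders; it runs from the SharePoint Management Shell on a farm server.

```powershell
# Added example (not from the slides): list who changed permissions in a site collection,
# using the site collection audit log (the same data as the settings-page audit reports).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = "http://sharepoint.example.com/sites/legal"   # placeholder, change to your site
$Days    = 30                                             # how far back to report

$site = Get-SPSite -Identity $SiteUrl
try {
    # Auditing only records what was switched on; make sure SecurityChange is enabled.
    $mask = [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
    if (-not ($site.Audit.AuditFlags -band $mask)) {
        $site.Audit.AuditFlags = $site.Audit.AuditFlags -bor $mask
        $site.Audit.Update()
        Write-Warning "SecurityChange auditing was off and has been enabled; earlier changes were not recorded."
    }

    # Restrict the query to permission changes inside the reporting window.
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::SecurityChange)
    $query.SetRangeStart((Get-Date).AddDays(-$Days))
    $query.SetRangeEnd(Get-Date)

    $rootWeb = $site.RootWeb
    $site.Audit.GetEntries($query) | ForEach-Object {
        # Resolve the numeric user id to a login name; fall back to the id if the user is gone
        # (the orphaned-domain-user case from the slides).
        $who = "user id $($_.UserId)"
        try { $who = $rootWeb.SiteUsers.GetByID($_.UserId).LoginName } catch { }
        New-Object PSObject -Property @{
            Occurred = $_.Occurred.ToLocalTime()
            User     = $who
            ItemType = $_.ItemType
            Location = $_.DocLocation
            Detail   = $_.EventData      # XML describing the role assignment that changed
        }
    } | Sort-Object Occurred -Descending | Format-Table Occurred, User, ItemType, Location, Detail -AutoSize
} finally {
    $site.Dispose()
}
```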

Page 45: SharePoint Security A to Z

Questions and Answers

Page 46: SharePoint Security A to Z


Steve [email protected] @iamgoldberg

Additional Resources available: 11 Strategic Considerations for SharePoint Migrations http://bit.ly/j4Vuln

The Insider’s Guide to Upgrading to SharePoint 2010 http://bit.ly/mIpOBZ

Why Do SharePoint Projects Fail? http://bit.ly/d1mJmw

Best practices for capacity management for SharePoint Server 2010, TechNet http://bit.ly/nvNrig

What to Look for in a SharePoint Management Tool http://bit.ly/l26ida

The Five Secrets to Controlling Your SharePoint Environment http://bit.ly/kzdTjZ

Contact me

Page 47: SharePoint Security A to Z

We want your feedback! Use this QR code or visit: http://sps.la/feedback

Silver Sponsors:

Page 48: SharePoint Security A to Z

Victory Lap: the "SharePoint Victory Lap" Social Event for SPSLA will be at 5:30pm to 8pm at Di Piazzas (5205 E. Pacific Coast Hwy, 90804)

Page 49: SharePoint Security A to Z

What I left out…

Page 50: SharePoint Security A to Z


- Basic:
  - Users have previously assigned Windows credentials
  - Browser provides credentials during the HTTP transaction
  - Not encrypted; should enable Secure Sockets Layer (SSL) encryption

- Digest:
  - Credentials are encrypted

These are set directly in IIS

Windows Authentication

Page 51: SharePoint Security A to Z


Each "zone" is essentially a new IIS Website

Access the same content through a different URL

Allows for multiple authentication methods to the same site

Since SharePoint 2010 allows web applications to have mixed authentication methods when choosing claims-based authentication, zones are more useful for load balancing, caching, content databases, and custom modules

Zones

Page 52: SharePoint Security A to Z


To display content such as list or library items, navigation links, and entire Web Parts to specific groups of people. This is useful when you want to present information that is relevant only to a particular group of people. For example, you can add a Web Part to the legal department's portal site that contains a list of legal contracts that is visible only to that department.

Audience targeting

