Date posted: 09-May-2015
Category: Technology
Uploaded by: nccomms
SharePoint Insanity Demystified
Dan Holme
Microsoft Technologies Analyst & Evangelist
MVP, SharePoint Server
danholme http://tiny.cc/[email protected]
Dan Holme
Consultant, Author
Intelliem, AvePoint
Maui, Hawaii
Service Accounts

Directory Services Prerequisites
Resources:
Initial deployment administrative and service accounts in SharePoint 2013
http://technet.microsoft.com/en-us/library/ee662513.aspx
Account permissions and security settings in SharePoint 2013
http://technet.microsoft.com/en-us/library/cc678863.aspx
Service Accounts
SQL Server service: SQL_Service, *
SQL administrator: SQL_Admin
SharePoint Administrator and Setup User: SP_Admin
SharePoint Farm Service: SP_Farm
Application pool accounts
  User-facing web application app pool: SP_WebApps, SP_MySiteApp, *
  Service application app pool: SP_ServiceApps, *
Default content access (crawl) account: SP_Crawl, *
User Profile Synchronization account: SP_UserSync
Object cache accounts: SP_CacheSR, SP_CacheSU
SQL_Service, SQL_Admin, *
SQL Database Engine service account: SQL_Service
SQL service ownership account: SQL_Admin
SQL Agent service account: SQL_Agent
Resources:
Security Considerations for a SQL Server Installation
http://technet.microsoft.com/en-us/library/ms144228.aspx
SQL Server 2012 Security Best Practice Whitepaper
http://download.microsoft.com/download/8/F/A/8FABACD7-803E-40FC-ADF8-355E7D218F4C/SQL_Server_2012_Security_Best_Practice_Whitepaper_Apr2012.docx
SP_Admin
SharePoint Administrator and Setup User
Used by a service admin to perform bit-level changes:
  Install SharePoint prerequisites
  Install SharePoint products
  Configure SharePoint (SharePoint Products Configuration Wizard)
  Update, patch, add/remove servers, etc.
Unique, “generic” SharePoint administrative account
  Not your “normal” user or admin account
  Represents enterprise service administration
  Can be locked down (password, disabled) after installation, until needed
Delegate service to administrators
  After setup, add your admin user accounts to Farm Administrators

SP_Admin
Domain user account
Administrator: add to the local Administrators group of each SharePoint server in the farm
SQL privileges: create a SQL Server login for the SP_Admin account, e.g. CONTOSO\SP_Admin, and assign the securityadmin and dbcreator server roles to the login
PowerShell privileges: assign the SharePoint_Shell_Access database role for any database against which Windows PowerShell will be used (Add-SPShellAdmin)
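The SQL and shell privileges for SP_Admin above, as an added PowerShell example that is not from the slides: it grants only the two server roles the slide names (deliberately not sysadmin), verifies what was granted, and adds shell access on the configuration and content databases. It assumes the SqlServer module for Invoke-Sqlcmd, the SharePoint snap-in, and the deck's sample names (CONTOSO\SP_Admin, the SQLSPCONTENT alias).

```powershell
Import-Module SqlServer -ErrorAction Stop
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SqlInstance  = 'SQLSPCONTENT'        # SQL client alias used by the farm (assumed)
$SetupAccount = 'CONTOSO\SP_Admin'    # the deck's sample setup account

# Create the Windows login if it is missing and add only the two roles the setup
# account needs: securityadmin (manage logins) and dbcreator (create databases).
# sysadmin is left to the separate, normally disabled "über admin" account.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SetupAccount')
    CREATE LOGIN [$SetupAccount] FROM WINDOWS;
ALTER SERVER ROLE [securityadmin] ADD MEMBER [$SetupAccount];
ALTER SERVER ROLE [dbcreator]     ADD MEMBER [$SetupAccount];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $grant

# Read back the effective server-role membership instead of assuming it worked.
$roles = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
SELECT r.name AS RoleName
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$SetupAccount';
"@
$roles | ForEach-Object { "$SetupAccount is a member of server role $($_.RoleName)" }

# SharePoint_Shell_Access on the configuration database (the cmdlet's default)
# plus every content database SP_Admin will administer with Windows PowerShell.
Add-SPShellAdmin -UserName $SetupAccount
Get-SPContentDatabase | ForEach-Object {
    Add-SPShellAdmin -UserName $SetupAccount -Database $_
}
```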
SP_Farm
SharePoint Farm Service
Used for highly privileged SharePoint services:
  Central Administration application pool
  STS & Topology service application pool
  Windows services including Timer, Workflow Timer
  SharePoint services including User Profile Synchronization
Domain user account
SharePoint assigns permissions automatically

SP_Farm
Extra privileges: UPS
Before provisioning the User Profile Synchronization Service:
1. Add SP_Farm to the local Administrators group of the server running UPS
2. Reboot
3. Provision User Profile Synchronization
4. After UPS has started, remove SP_Farm from the Administrators group
5. Reboot
Application Pool Accounts - Whiteboard (diagram)
The whiteboard shows two application pools. The SharePoint Web Apps pool runs as SP_WebApps and hosts the Collab and Intranet web applications, with content databases SharePoint_Content_Collab and SharePoint_Content_Intranet. The SharePoint Extranet Apps pool runs as SP_ExtranetApps and hosts the Extranet web application, with content database SharePoint_Content_Extranet. Application pool accounts are placed in the WSS_WPG group and in the SP_DATA_ACCESS and WSS_CONTENT_APPLICATION_POOLS database roles.
SP_ServiceApps, SP_WebApps
Web and service application pool accounts
Keeping it simple for this discussion… two accounts
Domain user accounts
Register as managed accounts in the SharePoint farm
Assigned as the application pool identity
First web application app pool: SP_WebApps
  Additional web applications are added to the same, shared pool
First service application app pool: SP_ServiceApps
  Additional service applications are added to the same, shared pool
Permissions required depend on the web app or service application
  Generally assigned automatically by SharePoint
SP_MySiteApp, *
My Site web application
Often isolated in its own application pool to address security concerns
Each user is the site collection administrator of his/her My Site
Determine security risk: perception vs. reality?
SP_MySiteApp: an account for each application pool to isolate access
SP_Crawl, *
SharePoint Search default content access account
Crawler account used when no specific crawl account is specified
Domain user account
Requires read permission to indexed content sources
Automatically given Read permission to all SharePoint content
  Web application READ user policy applied to each new web app
  Configure SP_Crawl before creating web apps, or manually grant it the Read user policy
Assign Read permission to all other indexed content sources
Do not give the account the ability to modify any content
Create additional content access accounts for security isolation or access to disparate systems
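The manual grant described above, as an added PowerShell example (not from the slides): it gives the crawl account the Full Read user policy on every web application that lacks one, which covers web apps created before SP_Crawl was configured, and flags any web app where the crawler has been given Full Control instead. It assumes claims-based web applications and the deck's sample account name.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$CrawlAccount = 'CONTOSO\SP_Crawl'
# Web application policies are keyed by the claims-encoded name (i:0#.w|domain\user);
# let SharePoint produce the exact encoding rather than hand-building the string.
$claim    = New-SPClaimsPrincipal -Identity $CrawlAccount -IdentityType WindowsSamAccountName
$userName = $claim.ToEncodedString()

foreach ($wa in Get-SPWebApplication) {
    $existing = $wa.Policies | Where-Object { $_.UserName -eq $userName } | Select-Object -First 1
    if ($existing) {
        $roleNames = ($existing.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
        "$($wa.Url): crawl policy already present ($roleNames)"
        if ($roleNames -match 'Full Control') {
            # The crawler only needs to read; write access is more than a crawl account should hold.
            Write-Warning "$($wa.Url): crawl account has Full Control; reduce it to Full Read"
        }
        continue
    }
    # Policies added to the web application (not a zone) apply to all zones.
    $policy   = $wa.Policies.Add($userName, 'Search Crawling Account')
    $readRole = $wa.PolicyRoles.GetSpecialRole(
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
    $policy.PolicyRoleBindings.Add($readRole)
    $wa.Update()
    "$($wa.Url): granted Full Read to $CrawlAccount"
}
```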
SP_UserSync
SharePoint User Profile Synchronization
Synchronizes user profile data between Active Directory and SharePoint
Domain user account
Requires the Replicating Directory Changes permission on the domain
If a Windows Server 2003 domain: add the account to the Pre-Windows 2000 Compatible Access group
This is not a “big deal”!
  This permission is really “Detect changes to Domain NC”
  Does not give access to “secrets” (e.g. passwords); that would require the separate “Replicating Directory Changes All” permission, which is not needed here
  An educated Active Directory team should not have an issue with this
See the TechNet user profile synchronization documentation for steps and details
SP_CacheSR, SP_CacheSU
Object cache accounts: Super Reader, Super User
See http://technet.microsoft.com/en-us/library/ff758656.aspx
Note: this is not the same as the BLOB cache or remote BLOB store. This has to do with versions & drafts
Other accounts
Office Web Apps (2013)
Secure Store

Automation Account
SharePoint Automation: SP_Automation
Rights required to perform automated tasks:
  PowerShell (Add-SPShellAdmin)
  Local Administrators group
  Farm Administrators group
  Site Collection Administrator (of each site collection)
  User right to log on as a batch job
Über Admin Account
SharePoint Enterprise Administrator: SP_EnterpriseAdmin
Least privilege not always possible
Delegate to administrators the privilege to use PowerShell, patch/update, upgrade
SQL Administrator or db_owner of all SharePoint databases
Local Administrators group of all SharePoint servers
Farm Administrators group
Disabled until needed
Accounts for Multiple Farms
Each farm (dev, test, QA, production) needs its own “set” of accounts
Consider multiple farms in your naming convention:
  SP_Farm – Production
  SP_Farm_Dev
  SP_Farm_Test
Note: the DOMAIN\username of a managed service account is limited to 20 characters!
Why?
Least privilege
Monitoring & auditing
Automatic password management

Resources
Account permissions and security settings in SharePoint 2013
http://technet.microsoft.com/en-us/library/cc678863.aspx
Configure object cache user accounts in SharePoint Server 2013
http://technet.microsoft.com/en-us/library/ff758656.aspx
Automate Creation of Service Accounts
# $filename (CSV of New-ADUser properties), $ou (target OU distinguished name) and
# $password (initial password) are set beforehand; New-ADUser and the other
# cmdlets come from the ActiveDirectory module.
Import-CSV $filename | New-ADUser -Path $ou -PassThru | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $password -Force) -PassThru | Enable-ADAccount
Write-Host "Complete"
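A fuller version of that automation, added here and not from the slides: it builds the per-farm account set from the deck's naming convention, gives each account its own random initial password instead of one shared $password, leaves “Password never expires” off so the accounts can later be rotated, and refuses any sAMAccountName over the 20-character limit the deck warns about. It assumes the ActiveDirectory module, a CONTOSO domain and an OU name chosen for the example.

```powershell
Import-Module ActiveDirectory -ErrorAction Stop

$Farm      = 'Dev'                                   # '' for the production farm
$TargetOU  = 'OU=SharePoint Service Accounts,DC=contoso,DC=com'   # assumed OU
$BaseNames = 'SP_Admin','SP_Farm','SP_WebApps','SP_ServiceApps','SP_MySiteApp',
             'SP_Crawl','SP_UserSync','SP_CacheSR','SP_CacheSU','SP_Automation'

function New-RandomPassword([int]$Length = 24) {
    # 64-character alphabet (ambiguous l/I/o/O/0/1 removed) so byte % 64 is unbiased;
    # bytes come from the OS CSPRNG, not Get-Random.
    $alphabet = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+-='
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

foreach ($base in $BaseNames) {
    $sam = if ($Farm) { "${base}_$Farm" } else { $base }
    if ($sam.Length -gt 20) {
        Write-Warning "Skipping '$sam': sAMAccountName exceeds 20 characters"
        continue
    }
    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
        "'$sam' already exists; leaving it alone"
        continue
    }
    $password = New-RandomPassword
    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@contoso.com" `
        -Path $TargetOU -Description "SharePoint $Farm farm service account" `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
        -PasswordNeverExpires $false -CannotChangePassword $false -Enabled $true
    # The initial password is handed over once (e.g. to managed-account registration)
    # and not written to a file; SharePoint will rotate it afterwards.
    [pscustomobject]@{ Account = $sam; InitialPassword = $password }
}
```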
Managed Accounts

Service Accounts
What is a service account?
A domain user account used as the identity of a service like SQL or SharePoint
The #1 problem with service accounts is… PASSWORD CHANGES
  The service account password is changed
  Update each location in which the service account is used
  Painful!
Result… admins set Password never expires
  Terrible for security
  Service accounts are typically highly privileged
Managed Accounts
In a nutshell: an Active Directory account that has been registered with SharePoint; SharePoint can then manage the password changes for the account
Register a managed account
  Central Administration > Security > Configure managed accounts > Register a managed account
  Enter the user name and current password
  Enter the user name as DOMAIN\name, not as a user principal name ([email protected])
Use a managed account
  When creating or configuring an application pool for service or web apps
  When managing Windows services related to SharePoint: Timer, Search, Document Conversion
Password Changes
Manual password change for a managed account
  Central Administration > Security > Configure managed accounts > Edit
Benefits
  SharePoint changes the password in Active Directory
  Does not require any delegation in Active Directory, because the process uses the Change Password right, not the Reset Password right
  SharePoint updates the logon information of components: services, app pools
  The password can be random, which reduces the risk of an administrator leveraging the privileges of the account
Automatic Password Changes
Automatic password change for an individual managed account
  Central Administration > Security > Configure managed accounts > Edit > Schedule
  Based on the scheduled date or domain password policy expiration (whichever comes first)
  Notify administrators by email
  The service will be “down” while it recycles with the new password
Benefits
  Removes the management burden of service accounts
  Improves security and compliance
  SharePoint admins don’t know the passwords to highly privileged accounts, e.g. SP_Farm (full control access to all SharePoint content)
Managed Accounts
Use them
Configure automatic password management
Know the limitations
  Each farm must have separate accounts
  Some components use “standard” service accounts, not managed accounts: search crawl, profile sync, secure store
  These must be managed using traditional methods (change the password in AD and in SharePoint)
  Automate with PowerShell
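The registration, automatic password schedule and “traditional” rotation from the slides above, as one added PowerShell example that is not from the deck: the app pool accounts become managed accounts with a monthly random password change and email warning, while the crawl account, which is not a managed account, is reset in AD and the same password pushed to the Search service application. It assumes the SharePoint snap-in, the ActiveDirectory module, the deck's sample account names and the schedule values chosen here.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory -ErrorAction Stop

function Register-FarmManagedAccount([string]$Account) {
    $managed = Get-SPManagedAccount -Identity $Account -ErrorAction SilentlyContinue
    if (-not $managed) {
        # The current password is entered once here; SharePoint owns it from now on.
        $cred    = Get-Credential -UserName $Account -Message "Current password for $Account"
        $managed = New-SPManagedAccount -Credential $cred
    }
    # Random password on the 1st of each month at 02:00 (SharePoint schedule syntax),
    # e-mail 5 days ahead, and change 2 days before the domain policy would expire it,
    # whichever comes first. Uses the Change Password right, so no AD delegation.
    $managed | Set-SPManagedAccount -AutoGeneratePassword -Schedule 'monthly at 1 02:00:00' `
        -PreExpireDays 2 -EmailNotification 5 -Confirm:$false
    Get-SPManagedAccount -Identity $Account |
        Select-Object UserName, AutomaticChange, ChangeSchedule, PasswordExpiration
}

'CONTOSO\SP_WebApps', 'CONTOSO\SP_ServiceApps', 'CONTOSO\SP_MySiteApp' |
    ForEach-Object { Register-FarmManagedAccount $_ }

# Crawl account: not a managed account, so reset it in AD (this path does need the
# Reset Password right) and update the Search service application in the same run.
$crawl       = 'CONTOSO\SP_Crawl'
$newPassword = Read-Host -AsSecureString "New password for $crawl"
Set-ADAccountPassword -Identity $crawl.Split('\')[1] -Reset -NewPassword $newPassword
Get-SPEnterpriseSearchServiceApplication | ForEach-Object {
    Set-SPEnterpriseSearchServiceApplication -Identity $_ `
        -DefaultContentAccessAccountName $crawl `
        -DefaultContentAccessAccountPassword $newPassword
}
```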
SQL & Storage

SQL Alias
SQLSERVER01.contoso.com = NYSQL05.contoso.com today
  = NYSQLCLUSTER.contoso.com tomorrow
  = NYSQLCLUSTER.newcompany.com next year
Configure a SQL alias
  CLICONFG.exe on each SharePoint server in the farm
  Do not “fake it out” with a DNS record: Kerberos. A client connecting through a DNS alias requests a ticket for the alias name, which does not match the SQL service's SPN; a SQL client alias keeps the real server name in the SPN.
Consider “tiers” of aliases to support SQL scaling
  Content Databases: SQLSPCONTENT
  Search Databases: SQLSPSEARCH
  Service Application Databases: SQLSPSERVICES
  All point to a single SQL instance today…
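The tiered aliases above, as an added PowerShell example (not from the slides): it writes the same registry values CLICONFG.exe writes, for both 64-bit and 32-bit clients, on each farm server, then reads each alias back to confirm it points at the real server. The SQL server name, port and farm server names are assumptions.

```powershell
function Set-SqlClientAlias {
    param([string]$Alias, [string]$ServerFqdn, [int]$Port = 1433)
    # CLICONFG stores a TCP/IP alias as "DBMSSOCN,<server>,<port>" under ConnectTo.
    $value = "DBMSSOCN,$ServerFqdn,$Port"
    $keys  = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',             # 64-bit clients
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'  # 32-bit clients
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $Alias -Value $value -PropertyType String -Force | Out-Null
    }
}

function Get-SqlClientAlias([string]$Alias) {
    $key = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo'
    (Get-ItemProperty -Path $key -Name $Alias -ErrorAction Stop).$Alias
}

# All three tiers resolve to one instance today; moving a tier to its own
# instance later means changing only that alias, not the farm's connection strings.
$sqlServer = 'NYSQL05.contoso.com'                      # assumed current SQL host
$aliases   = @{
    SQLSPCONTENT  = $sqlServer
    SQLSPSEARCH   = $sqlServer
    SQLSPSERVICES = $sqlServer
}
$farmServers = 'SPWFE01', 'SPWFE02', 'SPAPP01'          # assumed farm members

foreach ($server in $farmServers) {
    foreach ($alias in $aliases.Keys) {
        Invoke-Command -ComputerName $server -ScriptBlock ${function:Set-SqlClientAlias} `
            -ArgumentList $alias, $aliases[$alias]
        $stored = Invoke-Command -ComputerName $server -ScriptBlock ${function:Get-SqlClientAlias} `
            -ArgumentList $alias
        "${server}: $alias -> $stored"
    }
}
```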
Documents stored in the content database (diagram)
The “Document” BLOB (Binary Large Object) is stored in the SQL content database alongside workflows, security and metadata.
Database Sizing
Content databases: initial size, growth rate
TempDB: initial size, growth rate
Model – Monitor – Measure – Modify

Content scaling support & guidance
Content Database: 200 GB (out-of-box); 4 TB (collaboration)*; unlimited (archive)*
Site Collection: 200 GB (out-of-box, only site collection in CDB); 100 GB (out-of-box, multiple site collections in CDB); up to the size of the CDB*
Items per CDB: 60 million
*Conditions apply: performance, DR, HA
Quotas

Quotas
Configured per site collection (SPSite)
Can be applied with a quota template
  Configured for the web application
  Applied to one or more site collections
Quota template update
  Applies the new settings to new sites
  Does not modify existing sites that were based on the template
  Use PowerShell (scripts can be found on TechNet) to update existing sites
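The “update existing sites” step above, as an added PowerShell example (not the TechNet script and not from the slides): it finds every site collection in a web application whose quota came from the named template, and re-applies the template only where the stored limits have drifted from the template's current values, with a preview mode. The template name and web application URL are assumptions.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Update-SitesFromQuotaTemplate {
    param(
        [string]$TemplateName,
        [string]$WebApplicationUrl,
        [switch]$Preview        # report what would change without touching sites
    )
    $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $template = $contentService.QuotaTemplates[$TemplateName]
    if (-not $template) { throw "Quota template '$TemplateName' not found" }

    $updated = 0
    # -Limit All: Get-SPSite returns only the first 200 site collections by default.
    Get-SPSite -WebApplication $WebApplicationUrl -Limit All | ForEach-Object {
        $site = $_
        # A site's SPQuota keeps the QuotaID of the template it was created from.
        if ($site.Quota.QuotaID -ne $template.QuotaID) { return }
        $stale = ($site.Quota.StorageMaximumLevel -ne $template.StorageMaximumLevel) -or
                 ($site.Quota.StorageWarningLevel -ne $template.StorageWarningLevel)
        if (-not $stale) { return }
        if ($Preview) {
            "$($site.Url): max $($site.Quota.StorageMaximumLevel) -> $($template.StorageMaximumLevel)"
        } else {
            # Reassigning the template copies its current levels onto the site.
            Set-SPSite -Identity $site -QuotaTemplate $template.Name
            $updated++
        }
    }
    "Updated $updated site collection(s) from template '$TemplateName'"
}

Update-SitesFromQuotaTemplate -TemplateName 'Team Sites 2GB' `
    -WebApplicationUrl 'http://intranet.contoso.com' -Preview
```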
BLOBs
Binary Large Objects
Default: BLOBs stored in the content database (diagram: the “Document” BLOBs sit inside the SQL content database with workflows, security and metadata)
BLOB externalization (diagram: workflows, security and metadata stay in the SQL content database, while the “Document” BLOBs move out to SAN, NAS, share or cloud storage)
BLOB externalization alphabet soup
BLOB: Binary large object, the representation of the content of a document
EBS: External BLOB Storage; SharePoint feature; supported: SharePoint 2007 – SharePoint 2010
RBS: Remote BLOB Storage; SQL feature, SharePoint is an RBS “client”; supported: SharePoint 2010 – SharePoint 2013

Advantages of BLOB externalization
Reduced storage cost
Increased performance
  In a real-world workload, externalizing all BLOBs boosts performance
  Microsoft white paper: 25% performance improvement, http://www.microsoft.com/en-us/download/details.aspx?id=14726
  My experience: significant improvement
  The noise about performance
  Trajectory of guidance: externalize collaborative content at 1MB
Access to features of the underlying storage platform
Business rules to determine what gets externalized
Shredded Storage

Shredded Storage
Office documents
  Client sends updates → SharePoint → SQL
  SQL shreds the updated version
  Update of document library metadata does not generate additional shreds
Non-Office documents
  Client sends the full file → SharePoint → SQL
  SQL shreds the full file
  Update of document library metadata might generate additional shreds

Shredded Storage Reality
Reduces I/O between the web server and SQL server for Office document formats
Potential reduction in storage of Office document versions
  Achieves something like “de-duplication” or “differential versioning” of document versions
  Updated document versions show a reduced storage footprint
  Updating document library metadata only (and not the document) does not generate new shreds
Non-Office document formats don’t benefit as much/at all
  Total storage suggests that de-duplication is inefficient or ineffective
  Updating document library metadata might generate additional shreds
Does not reduce storage in multiple-location scenarios (the same document stored in more than one location)

Shredded Storage Considerations
Shreds on new/modified documents, not on upgrade
Cannot currently be turned off
FileWriteChunkSize and FileReadChunkSize are farm-wide settings
Overall system performance may be degraded
Default shred size probably not ideal
Guidance is vectoring towards 1MB for both FileReadChunkSize and FileWriteChunkSize
DO NOT exceed 4MB!!
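Setting the chunk sizes named above, as an added PowerShell example that is not from the slides: it applies the 1MB value the guidance is converging on to both farm-wide settings, refuses anything above the 4MB ceiling, and reports the before/after values. It assumes the SharePoint 2013 snap-in and that FileReadChunkSize is exposed on the farm's build (the code checks before touching it).

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-ShredChunkSize {
    param([int]$Bytes = 1MB)
    if ($Bytes -le 0 -or $Bytes -gt 4MB) {
        throw "Chunk size $Bytes bytes must be between 1 byte and 4 MB (4 MB is the ceiling in the guidance)"
    }
    # Both properties hang off the farm's content web service, so this is a
    # farm-wide change; there is no per-web-application override.
    $svc   = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $names = @('FileWriteChunkSize')
    # FileReadChunkSize is only present on builds that expose it (assumption), so check first.
    if ($svc.PSObject.Properties['FileReadChunkSize']) { $names += 'FileReadChunkSize' }

    $report = foreach ($name in $names) {
        $before = $svc.$name
        $svc.$name = $Bytes
        [pscustomobject]@{ Setting = $name; Before = $before; After = $Bytes }
    }
    $svc.Update()      # persists the change to the configuration database
    $report
}

# Apply 1 MB and show what changed; shreds are regenerated only for new or
# modified documents, so existing content keeps its old shred size.
Set-ShredChunkSize -Bytes 1MB | Format-Table -AutoSize
```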
Storage Optimization

Storage Guidance*
Shredded storage means no RBS in collab scenarios, or set FileReadChunkSize and FileWriteChunkSize to 1MB and use a size >1MB externalization rule
Use RBS for tiered storage management for archives
Acquire a third-party solution that manages storage: both RBS and backup/restore and archiving
Requires an RBS “Provider”: FILESTREAM or, better yet, third parties
  Performance
  Business rules
  Manageability: integration with backup, recovery, high-availability solutions
Watch for the Microsoft/Dell white paper
* Fresh if used by [today]
Archiving – Scenarios and Solutions
Move to a different location, keep in SharePoint
  Records management features
  UI: Send To Another Location
  Workflow
  PowerShell
  Third-party content management tools
Move to a different storage tier, keep in SharePoint
  Third-party RBS tools
Move out of SharePoint entirely
  PowerShell
  Third-party tools
Shout Outs
Randy Williams, Jeremy Thake, Gary Lapointe, Chris Givens, Andrew Connell, Spence Harbar, Jason Himmelstein, Todd Baginski, Scot Hillier, Susan Hanley, Matt McDermott, Eric Shupps, Paul Swider, Shane Young, Todd Klindt, Wictor Wilén, Asif Rehmani, Rob Bogue, Agnes Molnar, Steve Fox, Mirjam van Olst, Jasper Oosterveld, Michael Noel

MAHALO! (thank you!)
http://tiny.cc/danholmepresentations
http://tiny.cc/danholmearticles
http://tiny.cc/danholmebooks

A HUI HO! (‘til next time!)
[email protected]
@danholme