51
17-20 OCTOBER 2011 DURBAN ICC
| Date post: | 08-Jun-2015 |
| Category: |
Technology |
| Upload: | michael-noel |
| View: | 2,050 times |
| Download: | 1 times |
2. SharePoint Security in an Insecure World
Understanding the Five Layers of SharePoint Security
OFC308
3. SharePoint SecurityLayers of Security in a SharePoint
Environment
1: Infrastructure Security
Physical Security
Best Practice Service Account Setup
Kerberos Authentication
2: Data Security
Role Based Access Control (RBAC)
Transparent Data Encryption (TDE) of SQL Databases
Antivirus
3: Transport Security
Secure Sockets Layer (SSL) from Client to Server
IPSec from Server to Server
4: Edge Security
Inbound Internet Security (Forefront UAG/TMG)
5: Rights Management
4. Infrastructure Security
1
Layer
5. Layer 1: Infrastructure SecuritySample List of Service
Accounts
6. Layer 1: Infrastructure SecurityEnable Kerberos
When creating any Web Applications in Classic-mode, USE KERBEROS.It
is much more secure and also faster with heavy loads as the SP
server doesnt have to keep asking for auth requests from AD.
Kerberos auth does require extra steps, which makes people shy away
from it, but once configured, it improves security considerably and
can improve performance on high-load sites.
Should also be configured on SPCA Site! (Best Practice = Configure
SPCA for NLB, SSL, and Kerberos (i.e.
https://spca.companyabc.com)
7. Layer 1: Infrastructure SecurityKerberos Step 1: Create the
Service Principal Names
Use the setspn utility to create Service Principle Names in AD, the
following syntax for example:
Setspn.exe -A HTTP/mysite.companyabc.com
DOMAINNAMEMYSiteAppAccount
Setspn.exe -A HTTP/mysite DOMAINNAMEMYSITEAppAccount
Setspn.exe -A HTTP/home.companyabc.com
DOMAINNAMEHOMEAppAccount
Setspn.exe -A HTTP/sp DOMAINNAMEHOMEAppAccount
8. Layer 1: Infrastructure SecurityKerberos Step 2: Enable Kerberos
between SP and SQL
Use setspn to create SPNs for SQL Service Account
SPNs need to match the name that SharePoint uses to connect to SQL
(Ideally SQL Alias, more on this later)
Syntax similar to following:
Setspn.exe-A MSSQLSvc/spsql:1433 COMPANYABCSRV-SQL-DB
Setspn.exe A MSSQLSvc/spsql.companyabc.com:1433
COMPANYABCSRV-SQL-DB
MSSQLSvc = Default instance, if named instance, specify the name
instead
In this example, SRV-SQL-DB is the SQL Admin account
9. Layer 1: Infrastructure SecurityKerberos Step 3: Allow Accounts
to Delegate (Optional)
Required only for Excel Services and other impersonation
applications.
On all SP Computer accounts and on the Application Identity
accounts, check the box in ADUC to allow for delegation.
In ADUC, navigate to the computer or user account, right-click and
choose Properties.
Go to the Delegation tab
Choose Trust this user/computer for delegation to any service
(Kerberos)
10. Layer 1: Infrastructure SecurityKerberos Step 4: Enable
Kerberos on Web Application
Go to Application Management Authentication Providers
Choose the appropriate Web Application
Click on the link for Default under Zone
Change to Integrated Windows Authentication - Kerberos
(Negotiate)
Run iisreset /noforce from the command prompt
If creating Web App from scratch, this step may be unnecessary if
you choose Negotiate from the beginning
11. Data Security
2
Layer
12. Layer 2: Data SecurityRole Based Access Control (RBAC)
Role Groups defined within Active Directory (Universal Groups) i.e.
Marketing, Sales, IT, etc.
Role Groups added directly into SharePoint Access Groups such as
Contributors, Authors, etc.
Simply by adding a user account into the associated Role Group,
they gain access to whatever rights their role requires.
SharePoint Group
13. SQL Server 2008 and 2008 R2 Enterprise Edition Feature
Encrypts SQL Databases Transparently, SharePoint is unaware of the
encryption and does not need a key
Encrypts the backups of the database as well
(c) 2011 Microsoft. All rights reserved.
Layer 2: Data SecuritySQL Transparent Data Encryption (TDE)
14. Available with either SQL 2005 or SQL 2008
Encrypts individual cells in a database
Requires a password to access the cell
Requires that columns be changed from their original data type to
varbinary
Advantage is that only specific info is encrypted
Disadvantage is that you cannot use this for SharePoint
Databases
(c) 2011 Microsoft. All rights reserved.
Layer 2: Data SecurityTDE vs. Cell Level Encryption
15. Two forms, older Encrypting File System (EFS) and
Bitlocker
EFS encrypts data at the File Level
Bitlocker encrypts data at the Volume Level
Bitlocker Encrypts every file on the disk, not just database
files
Could be used together with TDE
(c) 2011 Microsoft. All rights reserved.
Layer 2: Data SecurityTDE vs. File Level Encryption
16. Does not encrypt the Communication Channel (IPSec can be
added)
Does not protect data in memory (DBAs could access)
Cannot take advantage of SQL 2008 Backup Compression
TempDB is encrypted for the entire instance, even if only one DB is
enabled for TDE, which can have a peprformance effect for other
DBs
Replication or FILESTREAM data is not encrypted when TDE is enabled
(i.e. RBS BLOBs not encrypted)
(c) 2011 Microsoft. All rights reserved.
Layer 2: Data SecuritySQL Transparent Data Encryption (TDE)
Limitations
17. (c) 2011 Microsoft. All rights reserved.
Key and Cert Hierarchy
DPAPI Encrypts SMK
SMK encrypts the DMK for master DB
Service Master Key
Data Protection API (DPAPI)
Database Master Key
Certificate
Database Encryption Key
SQL Instance Level
Windows OS Level
master DB Level
master DB Level
Content DB Level
DMK creates Cert in master DB
Certificate Encrypts DEK in Content DB
DEK used to encrypt Content DB
18. Symmetric key used to protect private keys and asymmetric
keys
Protected itself by Service Master Key (SMK), which is created by
SQL Server setup
Use syntax as follows:
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD =
'CrypticTDEpw4CompanyABC';
GO
(c) 2011 Microsoft. All rights reserved.
Layer 2: Data SecuritySQL TDE Step 1: Creating the Database Master
Key (DMK)
19. Protected by the DMK
Used to protect the database encryption key
Use syntax as follows:
USE master;
GO
CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE
Certificate' ;
GO
(c) 2011 Microsoft. All rights reserved.
Layer 2: Data SecuritySQL TDE Step 2: Creating the TDE
Certificate
20. Without a backup, data can be lost
Backup creates two files, the Cert backup and the Private Key
File
Use following syntax:
USE master;
GO
BACKUP CERTIFICATE CompanyABCtdeCert TO FILE =
'c:BackupCompanyABCtdeCERT.cer'
WITH PRIVATE KEY (
FILE = 'c:BackupCompanyABCtdeDECert.pvk',
ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' );
GO
(c) 2011 Microsoft. All rights reserved.
Layer 2: Data SecuritySQL TDE Step 3: Backup the Master Key
21. DEK is used to encrypt specific database
One created for each database
Encryption method can be chosen for each DEK
Use following syntax:
USE SharePointContentDB;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert
GO
(c) 2011 Microsoft. All rights reserved.
Layer 2: Data SecuritySQL TDE Step 4: Creating the Database
Encryption Key (DEK)
22. Data encryption will begin after running command
Size of DB will determine time it will take, can be lengthy and
could cause user blocking
Use following syntax:
USE SharePointContentDB
GO
ALTER DATABASE SharePointContentDB
SET ENCRYPTION ON
GO
(c) 2011 Microsoft. All rights reserved.
Layer 2: Data SecuritySQL TDE Step 5: Enable TDE on the
Database(s)
23. State is Returned
State of 2 = Encryption Begun
State of 3 = Encryption Complete
Use following syntax:
USE SharePointContentDB
GO
SELECT *
FROM sys.dm_database_encryption_keys
WHERE encryption_state = 3;
GO
(c) 2011 Microsoft. All rights reserved.
Layer 2: Data SecuritySQL TDE Step 6: Monitor the TDE Encryption
Progress
24. Step 1: Create new Master Key on Target Server (Does not need
to match source master key)
Step 2: Backup Cert and Private Key from Source
Step 3: Restore Cert and Private Key onto Target (No need to export
the DEK as it is part of the backup)
USE master;
GO
CREATE CERTIFICATE CompanyABCtdeCert
FROM FILE = 'C:RestoreCompanyABCtdeCert.cer'
WITH PRIVATE KEY (
FILE = 'C:RestoreCompanyABCtdeCert.pvk'
, DECRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!'
)
Step 4: Restore DB
(c) 2011 Microsoft. All rights reserved.
Layer 2: Data SecuritySQL TDE: Restoring a TDE Database to Another
Server
25. (c) 2011 Microsoft. All rights reserved.
26. Layer 2: Data SecuritySharePoint Antivirus
27. 28. Layer 2: Data SecuritySharePoint Antivirus VSAPI
Realtime scanning only uses the VSAPI
Realtime Scan Settings are Administered through the SharePoint
Central Admin Tool
Realtime Options are grayed out in the ForeFront Admin
Console
29. Layer 2: Data SecuritySharePoint Antivirus: FPS Keyword and
File Filtering
Look for specific keywords (sensitive company info, profanity,
etc.)
Block
Simply detect and notify
Create Filter List
Add Keywords, either manually or bulk as lines in a text file
30. Layer 2: Data SecuritySharePoint Antivirus: FPS Profanity
Filters
New Profanity lists in 11 languages available in SP2
(Run KeywordInstaller.msi to install)
Import the lists into FF from Program FilesMicrosoft Forefront
SecuritySharePointDataExample Keywords
31. 32. Transport Security
3
Layer
33. Layer 3: Transport SecurityClient to Server: Using Secure
Sockets Layer (SSL) Encryption
External or Internal Certs highly recommended
Protects Transport of content
20% overhead on Web Servers
Can be offloaded via SSL offloaders if needed
Dont forget for SPCA as well!
34. Layer 3: Transport SecurityServer to Server: Using IPSec to
encrypt traffic
By default, traffic between SharePoint Servers (i.e. Web and SQL)
is unencrypted
IPSec encrypts all packets sent between servers in a farm
For very high security scenarios when all possible data breaches
must be addressed
35. Edge Security
4
Layer
36. Layer 4: Edge SecurityForefront Unified Access Gateway (UAG)
2010
37. 38. Layer 4: Edge SecurityUAG Comparison with Forefront
TMG
39. Rights Management
5
Layer
40. Layer 5: Rights ManagementActive Directory Rights Management
Services (AD RMS)
AD RMS is a form of Digital Rights Management (DRM) technology,
used in various forms to protect content
Used to restrict activities on files AFTER they have been
accessed:
Cut/Paste
Print
Save As
Directly integrates with SharePoint DocLibs
41. Layer 5: Rights ManagementHow AD RMS Works
On first use, authors receive client licensor certificate from RMS
server
Author creates content and assigns rights
File is distributed to recipient(s)
Recipient opens file, and their RMS client contacts server for user
validation and to obtain a license
Application opens the file and enforces the restrictions
42. Layer 5: Rights ManagementInstalling AD RMS Key Storage
Select Cluster Key Storage
CSP used for advanced scenarios
43. Layer 5: Rights ManagementInstalling AD RMS Creating the
Cluster Name
44. Layer 5: Rights ManagementInstalling AD RMS Using an SSL Cert
for Transport Encryption
45. Layer 5: Rights ManagementAllowing SharePoint to use AD
RMS
By default, RMS server is configured to only allow the local system
account of the RMS server or the Web Application Identity accounts
to access the certificate pipeline directly
SharePoint web servers and/or Web Application Service Accounts need
to be added to this security list
Add the RMS Service Group, the machine account(s) of the SharePoint
Server and the Web App Identity accountswith Read and Excecute
permissions to the ServerCertification.asmx file in the
%systemroot%inetpubwwwroot_wmcsCertification folder on the RMS
server
46. 47. Layer 5: Rights ManagementClient Accessing AD RMS
Documents
RMS-enabled client, when accessing document in doclib, will access
RMS server to validate credentials
48. Layer 5: Rights ManagementClient Accessing AD RMS
Documents
Effective permissions can be viewed from the document
The RMS client will enforce the restrictions
49. http://microsoftvirtualacademy.com
Submit your session evaluation for a chance to win!
Sponsored by MVA
50. Creating
the future
together
51. Thanks for attending!Questions?
Michael Noel
Twitter: @MichaelTNoel
www.cco.com
Slides: slideshare.net/michaeltnoel
