1

Best Practices for Security and Governance

in SharePoint 2013

Antonio MaioProtiviti, Senior SharePoint Architect & Senior ManagerMicrosoft SharePoint Server MVP

Email: Antonio.maio@protiviti.comBlog: www.trustsharepoint.comSlide share: http://www.slideshare.net/AntonioMaio2Twitter: @AntonioMaio2

2

Welcome to Houston TechFest

• Please turn off all electronic devices or set them to vibrate.• If you must take a phone call, please do so in the lobby so as not

to disturb others.• Thanks to our Diamond Sponsors:

Thank you for being a part of the 8th Annual Houston TechFest!

3

5

What Drives our Information Security Needs?

• Information Security comes down to 2 or 3 drivers

• Protecting Your Investments (intellectual property, digital assets, competitive advantage…)

• Reducing Your Liability (avoid compliance violations, fines/sanctions, reputation issues…)

• Public Safety or Mission Success (protect classified information, mission plans, reputation issues…)

• Public Health (health records, health insurance, insurance fraud/theft…)

6

What Drives our Information Security Needs?

• How does this affect us as SharePoint people?• How We Deploy SharePoint• Control Access• Assign Roles and Permissions• Establish Repeatable/Predictable Process• Regulatory Compliance Standards• Auditing & Reporting Obligations

7

SharePoint Deployment• Plan your Deployments and Necessary User Accounts• Use Least Privileged Accounts• Review SharePoint deployment guide before you install

• SharePoint is a web application built on top of SQL Server– Best practice: to use specific user accounts for specific purposes with least

privileges

• Benefits: Separation of Concerns– Targeted auditing of account usage– Multiple points of redundancy– Minimize the risk of compromised accounts

8

Deployment User Accounts• Use 3 Different Deployment Accounts (at minimum)

SQL Server Service Account Setup User Account SharePoint Farm Account

Assign to MSSQLSERVER and SQLSERVERAGENT services when installing SQL Server(ex. domain\SQL_service)

Used to install SharePoint, run Product Config Wizard, install patches/update

Used to run the SharePoint farm; not just for database access (ex. domain\sp_farm_user)

No special domain permissions - given required rights in SQL Server during SQL setup

Login with this when running setup (ex. domain\sp_setup_user)

After Product Config Wizard run, prompted to provide the Database Access Account – this is the all powerful farm account

Must be local admin on each server in SharePoint farm (except SQL Server if its different box)

Given ownership of Config database - also configures several SharePoint services (ex. timer service) to use this as its identity

Before starting SharePoint setup, assign the securityadmin and dbcreator roles in SQL

9

Deployment User Accounts• At least 3 Different Deployment Accounts

SQL Server Service Account Setup User Account SharePoint Farm Account

• Should all be AD domain accounts

• Do not use personal admin account, especially for Setup User Account

• Test and Production environments should have different accounts

• Configure central email account for all managed accounts

10

Authentication

• Determine that users are who they say they are – typically via login

• SharePoint 2010 Options• Classic Mode Authentication (Integrated Auth, NTLM, Kerberos)• Claims Based Authentication• Forms Based Authentication - through Claims Based Auth.

– UI configuration options only available in UI upon web app creation– To convert non-claims based web app to claims will require PowerShell

• SharePoint 2013 Options• Claims Based Authentication - default• Classic Mode Deprecated - Configuration UI has been removed (Only configurable through PowerShell)

11

Authorization

• Determine if users have access to specific information objects and which level of access are they granted

• Accomplished through Permissions in SharePoint• Allow you to secure any information object or container• Apply to items, documents, folders, lists, libraries, sites• Do not apply to individual column field values, social fields

• Assigning Permissions Includes• The information object or container in question• The user, group or claim that is granted access• The permission level we are granting as part of that access

12

Permission ExamplesUsers, Groups or Claims

• Finance AD Group has Full Control on Library A

• ProjectContractors SP Group has Read access on site B

• John.Smith AD user has Contribute access on Document C

• ‘SecurityClearance=Secret’ has Full Control access on Document X

• ‘EmploymentStatus=FTE’ has Contribute access on Site Z

User, Group, or Claim(also called a ‘Principle’)

Permission Level(collection of permissions)

Information Object(item or container)

13

Users Interacting with Permissions

14

Users Interacting with Permissions

15

Users Interacting with Permissions

16

Users Interacting with Permissions

17

Inherited Permission Model• Hierarchical permission model• Permissions are inherited from

level above• Can break inheritance and apply

unique permissions• Manual process• Permissive Model

SharePoint Farm

Web Application

Site Collection Site Collection

Site Site

Library List

Document

Web Application

Item

Site

DocumentDocument

Item

Demo Members SharePoint Group EditDemo Owners SharePoint Group Full ControlDemo Visitors SharePoint Group Read

Finance Team Domain Group EditSenior Mgmt Domain Group Full Control

Research Team Domain Group Full ControlSenior Mgmt Domain Group Full Control

Research Team Domain Group Full ControlSenior Mgmt Domain Group Full ControlAntonio.Maio Domain User Full Control

18

Permissions and Security Scopes

• Every time permission inheritance is broken a new security scope is created

• Security Scope is made of up principles: • Domain users/groups• SharePoint users/groups• Claims

• Be aware of “Limited Access”

• Limitations• Security Scopes (50K per list)• Size of Scope (5K per scope)

Microsoft SharePoint Boundaries and Limits:http://technet.microsoft.com/en-us/library/cc262787.aspx

19

Information Architecture and Metadata• Information Architecture – The structural design of your

information sharing environment• Organization and Storage• Identification• Retention• Business sensitivity and confidentiality

• Metadata can provide important insight into what type of information you have in SharePoint

• Recommended: Use Metadata to Classify information and Identify its Sensitivity

20

Standardized Metadata

21

Standardized Metadata• Implement Standardized Metadata Fields across sites, libraries, lists

• Library or List Level• Site Column Level• Managed Metadata Service (across Site Collection or Farm)

• Ensure users are adding metadata when adding/editing information (mandatory fields)

• Be aware of situations where SharePoint doesn’t request metadata (multi-file upload, explorer view)

• Keep it Simple: Limit sensitivity classification to 3 or 4 labels– Public, Confidential, Restricted, Highly Restricted– Low Business Impact, Moderate Business Impact, High Business Impact– Unclassified, Confidential, Secret, Top Secret

• Educate, Educate, Educate: What does each label mean/impact?

22

Information GovernanceGovernance means setting out the structures, people, policies, procedures and controls to manage information and support an organization's immediate and future requirements for that information:

• Regulatory Compliance• Legal• Risk• Administrative• Environmental• Operational

23

Information Governance

Ignorance is not always bliss… it’s problematic!

24

Governance and SharePoint

• SharePoint as a platform which offers services to your organization’s users

• Governance for the SharePoint platform means:• Managing existing services in a predictable way• Understanding how to deploy new services in a predictable way• Providing a clear set of guidelines for usage and administration

• Achieve Strong Governance for SharePoint:1. Establish a Governance Team

• Include stakeholders from across the organization

2. Develop a Governance Plan• Cross functional - Identifies ownership for business and technical teams• Regulatory, risk, legal, admin, environmental, organizational Needs

25

Define Information Architecture/Structures

(Includes Metadata Taxonomy)

Confidential

Developing a SharePoint Governance PlanKey Areas to Focus

Define Security Controls/Groups, Permissions and Roles for Assigning

Permissions

Define Roles, Responsibilities, Who has authority?

Determine Training Needs; Plan to Educate User

Community

Define Rules for Site Creation, Management, Decommissioning

26

Conclusion

• Develop a SharePoint Governance Plan with Key Stakeholders• Ignorance is not bliss… it’s problematic!

• Understand the type of information you have• Develop an information architecture• Understand the risks to that information: accidental, insider and external threats• Use Metadata to identify sensitivity• Educate end users on significance of sensitivities – make them part of the solution

• Deploying SharePoint with Appropriate Least Privileged Accounts

• Determine your Authentication and Authorization Needs• Understand how permissions work• Plan for how permissions are given and managed

• Understand SharePoint Security Features• Others: Web App Policies, Anonymous Users, Information Rights Management, Privileged Users ,

Event Auditing

27

Please Leave Feedback During Q&AIf you leave session feedback and provide contact information in the survey, you will be qualified for a prize

Scan the QR Code to the right or go to http://bit.ly/1p13f3n

28

Thanks to all our Sponsors!