Best Practices for Security and Governance in SharePoint 2013
DESCRIPTION
Microsoft SharePoint provides features and capabilities enabling you to secure access, control authentication and authorize access to information. Choosing the capabilities to make use of, configuring them and understanding their impact can be a complex task. In this session you will learn about the key security features available in Microsoft SharePoint 2013 and the best practices for using them. The session begins by talking about the business reasons that organizations need to consider when securing their SharePoint content, and it will then review specific capabilities and options in detail with recommendations. We’ll also review various governance best practices and how they relate to SharePoint security capabilities. Throughout the session, you’ll hear examples from large commercial enterprises, government and military, and about the best practices they use to secure their content within SharePoint.
TRANSCRIPT
Best Practices for Security and Governance in SharePoint 2013
Antonio Maio
Protiviti, Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP
Email: [email protected]
www.trustsharepoint.com
SlideShare: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2
Welcome to Houston TechFest
Thank you for being a part of the 8th Annual Houston TechFest!
What Drives our Information Security Needs?
• Information Security comes down to 2 or 3 drivers
• Protecting Your Investments (intellectual property, digital assets, competitive advantage…)
• Reducing Your Liability (avoid compliance violations, fines/sanctions, reputation issues…)
• Public Safety or Mission Success (protect classified information, mission plans, reputation issues…)
• Public Health (health records, health insurance, insurance fraud/theft…)
What Drives our Information Security Needs?
• How does this affect us as SharePoint people?
  • How We Deploy SharePoint
  • Control Access
  • Assign Roles and Permissions
  • Establish Repeatable/Predictable Process
  • Regulatory Compliance Standards
  • Auditing & Reporting Obligations
SharePoint Deployment
• Plan your Deployments and Necessary User Accounts
• Use Least Privileged Accounts
• Review SharePoint deployment guide before you install
• SharePoint is a web application built on top of SQL Server
  – Best practice: use specific user accounts for specific purposes with least privileges
• Benefits: Separation of Concerns
  – Targeted auditing of account usage
  – Multiple points of redundancy
  – Minimize the risk of compromised accounts
Deployment User Accounts
• Use 3 Different Deployment Accounts (at minimum)
• SQL Server Service Account
  – Assign to MSSQLSERVER and SQLSERVERAGENT services when installing SQL Server (ex. domain\SQL_service)
  – No special domain permissions - given required rights in SQL Server during SQL setup
• Setup User Account
  – Used to install SharePoint, run Product Config Wizard, install patches/updates
  – Login with this when running setup (ex. domain\sp_setup_user)
  – Must be local admin on each server in SharePoint farm (except SQL Server if it's a different box)
  – Before starting SharePoint setup, assign the securityadmin and dbcreator roles in SQL
• SharePoint Farm Account
  – Used to run the SharePoint farm; not just for database access (ex. domain\sp_farm_user)
  – After Product Config Wizard run, prompted to provide the Database Access Account – this is the all powerful farm account
  – Given ownership of Config database - also configures several SharePoint services (ex. timer service) to use this as its identity
Deployment User Accounts
• At least 3 Different Deployment Accounts: SQL Server Service Account, Setup User Account, SharePoint Farm Account
• Should all be AD domain accounts
• Do not use personal admin account, especially for Setup User Account
• Test and Production environments should have different accounts
• Configure central email account for all managed accounts
Authentication
• Determine that users are who they say they are – typically via login
• SharePoint 2010 Options
  • Classic Mode Authentication (Integrated Auth, NTLM, Kerberos)
  • Claims Based Authentication
  • Forms Based Authentication - through Claims Based Auth.
    – UI configuration options only available in UI upon web app creation
    – To convert non-claims based web app to claims will require PowerShell
• SharePoint 2013 Options
  • Claims Based Authentication - default
  • Classic Mode Deprecated - Configuration UI has been removed (Only configurable through PowerShell)
Authorization
• Determine if users have access to specific information objects and which level of access they are granted
• Accomplished through Permissions in SharePoint
  • Allow you to secure any information object or container
  • Apply to items, documents, folders, lists, libraries, sites
  • Do not apply to individual column field values, social fields
• Assigning Permissions Includes
  • The information object or container in question
  • The user, group or claim that is granted access
  • The permission level we are granting as part of that access
Permission Examples
Users, Groups or Claims
• Finance AD Group has Full Control on Library A
• ProjectContractors SP Group has Read access on site B
• John.Smith AD user has Contribute access on Document C
• ‘SecurityClearance=Secret’ has Full Control access on Document X
• ‘EmploymentStatus=FTE’ has Contribute access on Site Z
User, Group, or Claim (also called a ‘Principal’)
Permission Level (collection of permissions)
Information Object (item or container)
Users Interacting with Permissions
Inherited Permission Model
• Hierarchical permission model
• Permissions are inherited from level above
• Can break inheritance and apply unique permissions
• Manual process
• Permissive Model
[Diagram: permission hierarchy, SharePoint Farm > Web Application > Site Collection > Site > Library / List > Document / Item, with example permission sets shown at different levels:]
• Demo Members (SharePoint Group): Edit; Demo Owners (SharePoint Group): Full Control; Demo Visitors (SharePoint Group): Read
• Finance Team (Domain Group): Edit; Senior Mgmt (Domain Group): Full Control
• Research Team (Domain Group): Full Control; Senior Mgmt (Domain Group): Full Control
• Research Team (Domain Group): Full Control; Senior Mgmt (Domain Group): Full Control; Antonio.Maio (Domain User): Full Control
Permissions and Security Scopes
• Every time permission inheritance is broken a new security scope is created
• Security Scope is made up of principals:
  • Domain users/groups
  • SharePoint users/groups
  • Claims
• Be aware of “Limited Access”
• Limitations
  • Security Scopes (50K per list)
  • Size of Scope (5K per scope)
Microsoft SharePoint Boundaries and Limits: http://technet.microsoft.com/en-us/library/cc262787.aspx
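The scope limits above can be checked against a live site collection. The following PowerShell is an added example, not part of the original presentation; the site URL is a placeholder, the 80% warning threshold is an assumption, and the number of role assignments on each object is used as an approximation of scope size.

```powershell
# Added example (not from the presentation). Run in the SharePoint 2013
# Management Shell with rights to read the site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl        = 'http://sharepoint.example.local/sites/demo'  # placeholder URL
$ScopeLimit     = 50000  # unique security scopes per list (limit from the slide)
$PrincipalLimit = 5000   # principals per scope (limit from the slide)
$WarnAt         = 0.8    # assumed threshold: flag at 80% of either limit

function Get-ListScopeReport {
    param([Parameter(Mandatory = $true)][string]$Url)

    $site = Get-SPSite -Identity $Url
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($list in $web.Lists) {
                    # Securable objects in this list: the list, its folders, its items.
                    $objects = @($list) + @($list.Folders) + @($list.Items)
                    # Broken inheritance = the object carries its own role assignments.
                    $unique  = @($objects | Where-Object { $_.HasUniqueRoleAssignments })
                    if ($unique.Count -eq 0) { continue }

                    # Approximate scope size by the role assignments on each object.
                    $largest = ($unique | ForEach-Object { $_.RoleAssignments.Count } |
                                Measure-Object -Maximum).Maximum

                    [pscustomobject]@{
                        Web          = $web.Url
                        List         = $list.Title
                        UniqueScopes = $unique.Count
                        LargestScope = $largest
                        NearLimit    = ($unique.Count -ge $ScopeLimit * $WarnAt) -or
                                       ($largest -ge $PrincipalLimit * $WarnAt)
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

Get-ListScopeReport -Url $SiteUrl |
    Sort-Object UniqueScopes -Descending |
    Format-Table -AutoSize
```

The script reads every item in every list, so on large libraries it is slow and is better run outside business hours.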
Information Architecture and Metadata
• Information Architecture – The structural design of your information sharing environment
  • Organization and Storage
  • Identification
  • Retention
  • Business sensitivity and confidentiality
• Metadata can provide important insight into what type of information you have in SharePoint
• Recommended: Use Metadata to Classify information and Identify its Sensitivity
Standardized Metadata
• Implement Standardized Metadata Fields across sites, libraries, lists
  • Library or List Level
  • Site Column Level
  • Managed Metadata Service (across Site Collection or Farm)
• Ensure users are adding metadata when adding/editing information (mandatory fields)
• Be aware of situations where SharePoint doesn’t request metadata (multi-file upload, explorer view)
• Keep it Simple: Limit sensitivity classification to 3 or 4 labels
  – Public, Confidential, Restricted, Highly Restricted
  – Low Business Impact, Moderate Business Impact, High Business Impact
  – Unclassified, Confidential, Secret, Top Secret
• Educate, Educate, Educate: What does each label mean/impact?
Information Governance
Governance means setting out the structures, people, policies, procedures and controls to manage information and support an organization's immediate and future requirements for that information:
• Regulatory Compliance
• Legal
• Risk
• Administrative
• Environmental
• Operational
Information Governance
Ignorance is not always bliss… it’s problematic!
Governance and SharePoint
• SharePoint as a platform which offers services to your organization’s users
• Governance for the SharePoint platform means:
  • Managing existing services in a predictable way
  • Understanding how to deploy new services in a predictable way
  • Providing a clear set of guidelines for usage and administration
• Achieve Strong Governance for SharePoint:
  1. Establish a Governance Team
    • Include stakeholders from across the organization
  2. Develop a Governance Plan
    • Cross functional - Identifies ownership for business and technical teams
    • Regulatory, risk, legal, admin, environmental, organizational Needs
Developing a SharePoint Governance Plan
Key Areas to Focus
• Define Information Architecture/Structures (Includes Metadata Taxonomy)
• Define Security Controls/Groups, Permissions and Roles for Assigning Permissions
• Define Roles, Responsibilities, Who has authority?
• Determine Training Needs; Plan to Educate User Community
• Define Rules for Site Creation, Management, Decommissioning
Conclusion
• Develop a SharePoint Governance Plan with Key Stakeholders
• Ignorance is not bliss… it’s problematic!
  • Understand the type of information you have
  • Develop an information architecture
  • Understand the risks to that information: accidental, insider and external threats
  • Use Metadata to identify sensitivity
  • Educate end users on significance of sensitivities – make them part of the solution
• Deploying SharePoint with Appropriate Least Privileged Accounts
• Determine your Authentication and Authorization Needs
  • Understand how permissions work
  • Plan for how permissions are given and managed
• Understand SharePoint Security Features
  • Others: Web App Policies, Anonymous Users, Information Rights Management, Privileged Users, Event Auditing