Securing Knowledge and Collaboration Systems: SharePoint 2010
DESCRIPTION
The SharePoint security model can be confusing, with its deep hierarchy of securable objects, granular permissions and policies, and clunky user and group management interfaces. This session demystifies SharePoint security by dissecting each of these components and presenting best practices for implementing and managing security. Learn when and why it makes sense to leverage Active Directory groups or use SharePoint groups, and take away options for new permission levels and settings that address common business requirements.
TRANSCRIPT
Securing Knowledge and Collaboration Systems
Permissions, Identities, and Objects
K. Mohamed Faizal, Lead Consultant, NCS (P) Ltd.
http://faizal-comeacross.blogspot.com/
About Me
What's the point?
Security is more than just Authentication / Authorization
What's the point?
Security is like dressing for the cold: do it in layers (Defense in Depth, DiD)
What's the point?
In Security, the WHY is more important than the HOW
Portal End-to-End Security
[Figure: Intranet Portal End-to-End Security, laid out by Function and Phase]
Portal focus on
Content
Communication
Collaboration
Activity
Portal Permission Dependency Chart
http://skurocks.wordpress.com/category/sharepoint/sharepoint-security/
SharePoint Security in a Nutshell
Authentication
Users and groups
Web application policy
Securable object
Roles (permission levels)
Role assignments ("assigning permissions")
Record policies
Auditing
[Diagram: Identity/Claim > Policy > Role (permission level) > Group > Securable Object > Record; authentication covers the identity and its claims, authorization covers everything from policy to record]
Key Concepts: Claims Based Access Terminology
Identity: "Set of attributes that describes a principal (e.g. a user) such as name, gender, age, email address, driver licence number, group membership"
Example: Person: Mohamed Faizal; Identity: Mohamed Faizal (Name: Mohamed Faizal, DOB: 10 Jan 1973, Eye Color: Black, Role: SG Citizen)
Key Concepts: Claims Based Access Terminology
Claim: "An attribute about an identity issued by an authority"
Identity Provider: "Trusted authority that creates and issues claims"
Relying Party: "Application that makes authorisation decisions based on claims"
Key Concepts: Claims Based Access Terminology - Token
Token: "A token consists of a set of claims about the principal, signed by an authority"
[Diagram: Token = Claim + Claim + Claim + Signature]
Key Concepts: Claims Based Access Terminology - Token
Example token, signed by SG Govt.: Name: Mohamed Faizal; DOB: 10 Jan 1973; Role: SG Citizen
Issued for the identity Mohamed Faizal (Name: Mohamed Faizal, DOB: 10 Jan 1973, Eye Color: Black, Role: SG Citizen). Note that the token carries only a subset of the identity's attributes; Eye Color is not in it.
Key Concepts: Claims Based Access Terminology
Why claims, not attributes? Trust depends on scenario.
Identity @ SG Government: Name: Mohamed Faizal, DOB: 10 Jan 1973
Identity @ Facebook: Name: Mohamed Faizal, DOB: 10 Jan 1990
Same person, same attribute, different values from different issuers. Which DOB the relying party believes depends on which issuer it trusts for that scenario, which is exactly what a claim (attribute plus issuer) captures and a bare attribute does not.
Benefits of Claims: Current Situation - Single Sign On
Different sign-on requirements for applications
Benefits of Claims: Current Situation - Sensitive information leaks
Sensitive information is sent via e-mail since partners do not have access to Company X's SharePoint site
Benefits of Claims: Current Situation - Time and Labour Intensive and still insecure
Potential unauthorised access
Access requests and password requests handled through the help desk
Benefits of Claims: Extend the Reach of Collaboration - Beyond Your Organisation
Empower Business
• Ability to move seamlessly between applications using a single identity
• Collaborate across organisations securely
• Make business applications more agile and loosely tied to infrastructure by integrating with cloud services
Empower IT
• No need to manage external accounts
• Simplified and flexible claims-based federation
• Open and extensible: standards-based and interoperable
Sign-in Scenarios
Sign in to SharePoint with both Windows and LDAP directory identity
Easily configure intranet and extranet users for collaboration
Integrate with other customer identity systems (e.g. ADFS)
Use Office applications with non-Windows authentication
Normalizing Identities
[Diagram: in Classic mode only the NT Token (Windows Identity) maps to SPUser; in Claims mode the NT Token (Windows Identity), ASP.NET forms-based authentication (SQL, LDAP, Custom membership providers) and SAML tokens (SAML 1.1, ADFS, etc.) are all normalised to a claims-based identity and surfaced as one SPUser]
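The normalisation above is visible in the login names SharePoint stores on each SPUser. The following script is an added example (not part of the talk) for the SharePoint 2010 Management Shell; the web application URL and the CONTOSO\jdoe account are placeholders. It encodes a Windows account the way claims mode would store it, then decodes every principal on a site so that Windows, forms and SAML users can be told apart by issuer rather than by guessing from the login-name prefix.

```powershell
# Added example, not from the original talk. Requires the SharePoint 2010 Management
# Shell on a farm with at least one claims-mode web application. Placeholder names:
# http://intranet.contoso.local and CONTOSO\jdoe.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$mgr = [Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager]::Local

# 1. What a Windows account looks like once normalised. Classic mode stores
#    "CONTOSO\jdoe"; claims mode stores the encoded claim (i:0#.w|contoso\jdoe).
$claim = $mgr.ConvertIdentifierToClaim("CONTOSO\jdoe",
    [Microsoft.SharePoint.Administration.Claims.SPIdentifierTypes]::WindowsSamAccountName)
"Encoded login : " + $claim.ToEncodedString()
"Claim type    : " + $claim.ClaimType
"Issuer        : " + $claim.OriginalIssuer

# 2. Decode whatever is stored for each principal of a site. The OriginalIssuer tells
#    you which identity source (Windows, a membership provider, a trusted SAML
#    provider) actually vouches for that SPUser.
$web = Get-SPWeb "http://intranet.contoso.local"   # placeholder URL
try {
    foreach ($u in $web.SiteUsers) {
        if ([Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager]::IsEncodedClaim($u.LoginName)) {
            $c = $mgr.DecodeClaim($u.LoginName)
            "{0,-45} {1,-60} {2}" -f $u.LoginName, $c.ClaimType, $c.OriginalIssuer
        } else {
            "{0,-45} classic login (not claims-encoded)" -f $u.LoginName
        }
    }
}
finally { $web.Dispose() }
```

Run it against a classic-mode web application and every line comes back as "classic login"; the same site after conversion to claims shows the encoded form for each principal, which is why scripts and custom code that compare login names as plain strings break when a web application is migrated.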
Sign-in Process
[Diagram: the client obtains a security token from the Identity Provider Security Token Service (IP-STS: Active Directory, LiveID, ASP.NET Membership, or a SAML-based provider) that SharePoint trusts; the SharePoint STS, with its Claims Providers, handles the service token request (step 5) and returns the security token response (step 6); the client then requests the resource from SharePoint with the service token (step 7), where SharePoint Authorization is applied. Steps 1 to 4 are not labelled on the slide.]
End User Experience
Classic Mode (sign-in screenshot)
Claims Mode (sign-in screenshot)
SharePoint Logical Structure
Web Application
  Site Collection
    Top-Level Site
      Site
        List / Library
          [Folder]
            Item / Document
(A web application hosts many site collections; each site collection has one top-level site and its subsites; permissions can be set at every level of this hierarchy.)
Issue #1 - Search
By default, SharePoint 2010 enterprise search results are trimmed at query time based on the identity of the user who submitted the query. But document content still appears on the search results page (the hit-highlighted summary), so any confidential document whose permissions are broader than intended will surface, content included, to whoever searches for it. This is a serious exposure if confidential documents are stored on a SharePoint 2010 intranet portal.
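Security trimming only reflects the permissions that are actually set, so the practical check is to find where "everyone"-style principals have been granted access. The script below is an added example, not from the talk; it walks a site collection (placeholder URL http://intranet.contoso.local) and reports every web, document library and item with unique permissions that grants anything to Everyone or All Authenticated Users, directly or through a SharePoint group.

```powershell
# Added example, not from the original talk. SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Login names that mean "anyone". The first two are the claims-mode encodings of
# Everyone and All Authenticated Users; the third is the classic-mode form.
# Extend this list for your farm (e.g. a domain-wide AD group such as Domain Users).
$broadPrincipals = @("c:0(.s|true", "c:0!.s|windows", "NT AUTHORITY\authenticated users")

function Get-BroadAssignments($securable, $path) {
    # Inherited permissions are reported once, at the object that defines them.
    if (-not $securable.HasUniqueRoleAssignments) { return }
    foreach ($ra in $securable.RoleAssignments) {
        $member = $ra.Member
        if ($member -is [Microsoft.SharePoint.SPGroup]) {
            $logins = $member.Users | ForEach-Object { $_.LoginName }   # look inside SP groups
        } else {
            $logins = @($member.LoginName)
        }
        $hit = $logins | Where-Object { $broadPrincipals -contains $_ }
        if ($hit) {
            $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ","
            "{0} | {1} | {2} | via {3}" -f $path, $member.Name, $roles, ($hit -join ",")
        }
    }
}

$site = Get-SPSite "http://intranet.contoso.local"   # placeholder URL
try {
    foreach ($web in $site.AllWebs) {
        Get-BroadAssignments $web $web.Url
        foreach ($list in $web.Lists) {
            if ($list.BaseType -ne [Microsoft.SharePoint.SPBaseType]::DocumentLibrary) { continue }
            Get-BroadAssignments $list ($web.Url + "/" + $list.RootFolder.Url)
            foreach ($item in $list.Items) {
                Get-BroadAssignments $item ($web.Url + "/" + $item.Url)
            }
        }
        $web.Dispose()
    }
}
finally { $site.Dispose() }
```

Each output line names the object, the principal that holds the broad grant, the permission levels bound to it, and the login that triggered the match. Enumerating $list.Items loads every item in a library, so on large libraries run it per library, off-hours, or replace the inner loop with an SPQuery that pages through items.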
Permission Levels
Permission levels are collections of permissions
Default: Read, Contribute, Design, Full Control, Limited Access
Publishing feature: Manage Hierarchy, Approve, Restricted Read
Permission Levels: How To
Permission levels are collections of permissions, defined at the site collection
Customize an existing permission level
Copy an existing permission level and edit the copy
Create a new permission level "from scratch"
Issue #2 - Permission Level
SharePoint 2010 is a collaboration portal where check-out can be required, but sometimes a confidential document is checked out by another authorised person who has then gone on leave or left the organisation. Nobody else can edit the document while it is checked out to that person, and discarding another user's check-out needs the "Override Check Out" permission, which is not part of the default Contribute level; by default only higher levels such as Design and Full Control carry it. How do you solve this specific security issue without promoting document editors to site designers or owners? The answer is in the "How To" above: copy Contribute, add Override Check Out, and grant that new level where it is needed.
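The permission level described above, scripted. This is an added example (not the talk's own), for the SharePoint 2010 Management Shell; the site collection URL, the "finance" subsite, the "Confidential" library and the "Finance Document Owners" group are placeholders. It creates "Contribute + Override Check Out" on the root web (permission levels belong to the site collection), binds it to one group on one library, and lists which files are currently checked out and by whom.

```powershell
# Added example, not from the original talk. Placeholder names throughout.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site = Get-SPSite "http://intranet.contoso.local"   # placeholder URL
try {
    # Permission levels are defined on the root web of the site collection.
    $root = $site.RootWeb
    $name = "Contribute + Override Check Out"

    if ($root.RoleDefinitions | Where-Object { $_.Name -eq $name }) {
        "Permission level '$name' already exists"
    } else {
        # Copy Contribute and add exactly one right: CancelCheckout, which is the
        # API name of "Override Check Out" in the UI. Nothing else from Design
        # (Manage Lists, Add and Customize Pages, ...) comes along.
        $contribute = $root.RoleDefinitions["Contribute"]
        $mask = [long]$contribute.BasePermissions -bor `
                [long][Microsoft.SharePoint.SPBasePermissions]::CancelCheckout

        $custom = New-Object Microsoft.SharePoint.SPRoleDefinition
        $custom.Name = $name
        $custom.Description = "Contribute plus the ability to discard another user's check-out"
        $custom.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$mask
        $root.RoleDefinitions.Add($custom)
        $root.Update()
        "Created permission level '$name'"
    }

    # Grant the new level to the owners' group on the library that holds the
    # confidential documents, breaking inheritance only if it is still inherited.
    $web = $site.OpenWeb("finance")                       # placeholder subsite
    try {
        $lib   = $web.Lists["Confidential"]               # placeholder library
        $group = $web.SiteGroups["Finance Document Owners"]   # placeholder SharePoint group
        if (-not $lib.HasUniqueRoleAssignments) { $lib.BreakRoleInheritance($true) }
        $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
        $ra.RoleDefinitionBindings.Add($root.RoleDefinitions[$name])
        $lib.RoleAssignments.Add($ra)

        # Diagnostic: which documents are currently held, and by whom.
        foreach ($item in $lib.Items) {
            if ($item.File.CheckOutType -ne [Microsoft.SharePoint.SPFile+SPCheckOutType]::None) {
                "{0} is checked out by {1}" -f $item.File.Url, $item.File.CheckedOutByUser.LoginName
            }
        }
    }
    finally { $web.Dispose() }
}
finally { $site.Dispose() }
```

Keep the new level scoped to the library or folder where the business requirement exists rather than to the whole site: Override Check Out lets a user throw away someone else's unsaved changes, so it should sit with the people accountable for those documents, not with every contributor.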
Issue #3 - Groups
SharePoint groups or Active Directory groups: which is best to use for an intranet portal and a collaboration site, and which is easier to manage?
Group Management Comparison
Active Directory
Technical user interface (AD Users & Computers)
No provisioning (requests, workflows)
Difficult delegation of membership management
Centralized security (group membership) management
SharePoint
Non-technical user interface (compared to ADUC)
Easy delegation of group membership management
Optional provisioning of membership requests
Unified view of SharePoint groups & users
Only applies to SharePoint
Using Active Directory Groups
Assigning permissions directly to AD groups: possible but not recommended; it assumes that content will always be hosted in a web application using AD as its authentication provider
Nest Active Directory groups in SharePoint groups: add the AD group to a SharePoint group and give permissions to the SharePoint group (recommended)
User > Active Directory group > SharePoint group
The AD group must be a security group (not a distribution group)
Distribution groups can be used to create audiences
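The recommended nesting, scripted with the distribution-group check built in. This is an added example (not from the talk) for the SharePoint 2010 Management Shell on a server that also has the Active Directory PowerShell module; the URL, the "HR Members" SharePoint group, the HR-Staff AD group and the CONTOSO domain are placeholders.

```powershell
# Added example, not from the original talk. Placeholder names throughout.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory   # RSAT module, used only for the security-vs-distribution check

function Add-ADGroupToSPGroup {
    param(
        [string]$WebUrl,        # site whose SharePoint group receives the AD group
        [string]$SPGroupName,   # SharePoint group that holds the permission
        [string]$ADGroupSam,    # sAMAccountName of the AD group (membership source)
        [string]$Domain         # NetBIOS domain name
    )

    # Guard: only a security group ends up in the user's logon token, so only a
    # security group can satisfy an authorisation check. A distribution group
    # would be accepted by EnsureUser and then silently never match anyone.
    $adGroup = Get-ADGroup -Identity $ADGroupSam
    if ($adGroup.GroupCategory -ne "Security") {
        throw "$ADGroupSam is a distribution group; use it for an audience, not for permissions"
    }

    $web = Get-SPWeb $WebUrl
    try {
        $spGroup = $web.SiteGroups[$SPGroupName]
        if ($spGroup -eq $null) { throw "SharePoint group '$SPGroupName' not found on $WebUrl" }

        # EnsureUser resolves the AD group as a principal (claims-encoded on a
        # claims-mode web application) and adds it to the User Information List.
        $principal = $web.EnsureUser("$Domain\$ADGroupSam")
        $spGroup.AddUser($principal)

        # Show the permission levels the nested group now inherits via the SP group.
        $binding = $web.RoleAssignments.GetAssignmentByPrincipal($spGroup)
        $levels  = ($binding.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ","
        "Added {0} to '{1}' on {2}; effective levels: {3}" -f $principal.LoginName, $spGroup.Name, $WebUrl, $levels
    }
    finally { $web.Dispose() }
}

Add-ADGroupToSPGroup -WebUrl "http://intranet.contoso.local/hr" `
                     -SPGroupName "HR Members" -ADGroupSam "HR-Staff" -Domain "CONTOSO"
```

Because the permission is bound to the SharePoint group and the AD group is only a member of it, the same site can later be moved to a web application with a different authentication provider by swapping the member, without touching a single role assignment.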
User Information List
Group information list: Site Settings > People and Groups
User Information List: /_catalogs/users/simple.aspx
This list exists at the site collection level; it is visible only to administrators who know the URL and no longer has a link in the UI in 2010
Users appear in it when they are:
Added explicitly to the User Information List
Given an explicit permission within the site collection
Contributing to the site, e.g. able to contribute based on membership in an AD group
Configuring an alert
To Nest or Not To Nest: User > Active Directory group > SharePoint group
Advantages
Provides authentication (don't assign SP permissions directly to AD groups; that is not manageable in the long term)
Centralized management of groups and security: one AD group can provide access to SharePoint, shared folders, etc.
A user removed from the AD group is automatically out of the SP groups
Disadvantages
Limited visibility of what's really happening
The site will not appear in the users' My Sites
The User Information List will not show individual users until they have contributed to the site
AD groups with deep nesting or contacts can break SP
Recommendation: based on the governance plan
Ideal world: synchronization of membership between Active Directory and SharePoint groups (custom code)
"Intranet" sites: AD groups nested in SP groups define access; add the site to users' My Sites with personalization site links
"Collab" sites: add users directly to SP groups; this provides My Site visibility and makes the user visible in the User Information List
Issue #4 - Policy
On an intranet portal each department site ends up with a different look and feel. How do you prevent users from selecting their own branding, themes and borders?
Web Application Security
Central Administration > Application Management > Manage Web Applications > User Policy
Bound to the web application and AAM zone
Permissions: Full Control, Full Read, Deny Write, Deny All; permission policy allows you to create your own policies
Scenarios
Managing Permissions
Defined at the web application; it is not typical to modify or disable permissions at the web application level, but it is the one place that caps every permission level underneath it
Central Administration > Web Application Management > User Permissions
Example: prevent changes to branding by deselecting Apply Style Sheets and Apply Themes and Borders
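The same change scripted, with a check that it took effect. This is an added example, not from the talk; it targets the SharePoint 2010 Management Shell and uses a placeholder web application URL. The two UI entries map to the ApplyStyleSheets and ApplyThemeAndBorder rights, and the web application's RightsMask is the cap that every permission level in every site collection is AND-ed against.

```powershell
# Added example, not from the original talk. Placeholder URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication "http://intranet.contoso.local"   # placeholder URL

# Rights behind "Apply Style Sheets" and "Apply Themes and Borders" in User Permissions
$brandingRights = [long][Microsoft.SharePoint.SPBasePermissions]::ApplyStyleSheets -bor `
                  [long][Microsoft.SharePoint.SPBasePermissions]::ApplyThemeAndBorder

"Before: " + $webApp.RightsMask
# Clear the two bits; everything else in the mask is untouched.
$newMask = [long]$webApp.RightsMask -band (-bnot $brandingRights)
$webApp.RightsMask = [Microsoft.SharePoint.SPBasePermissions]$newMask
$webApp.Update()
"After : " + $webApp.RightsMask

# Verify on the first site collection: the effective rights of each permission level
# are its own BasePermissions AND the web application mask, so even Full Control on a
# department site no longer includes branding.
$site = $webApp.Sites[0]
try {
    foreach ($rd in $site.RootWeb.RoleDefinitions) {
        $effective = [long]$rd.BasePermissions -band [long]$webApp.RightsMask
        $canBrand  = ($effective -band $brandingRights) -ne 0
        "{0,-20} branding allowed: {1}" -f $rd.Name, $canBrand
    }
}
finally { $site.Dispose() }
```

Because the mask is per web application, this is a blunt instrument: put the departmental sites that must share a look and feel in one web application, and keep any site collection that legitimately needs its own branding in another.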
Issue #5 - Audit
SharePoint has an audit logging feature, but most organizations don't turn it on. When a suspicious event occurs, there is no audit information to go back to.
Auditing
Configured at the site collection level: Site Settings > Site Collection Administration > Site collection audit settings
Audit log reports
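Turning the audit log on and reading it back, as an added example that is not from the talk. It runs in the SharePoint 2010 Management Shell against a placeholder site collection URL, enables the event types that matter in an investigation, and then pulls the last seven days of permission changes, which is the first question to ask when a confidential document turns up where it should not.

```powershell
# Added example, not from the original talk. Placeholder URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site = Get-SPSite "http://intranet.contoso.local"   # placeholder URL
try {
    # Enable the site collection audit flags. View is left out on purpose: it is by far
    # the noisiest flag and fills the content database quickly; add it where the
    # governance plan demands it.
    $flags = [int][Microsoft.SharePoint.SPAuditMaskType]::Update -bor `
             [int][Microsoft.SharePoint.SPAuditMaskType]::Delete -bor `
             [int][Microsoft.SharePoint.SPAuditMaskType]::CheckIn -bor `
             [int][Microsoft.SharePoint.SPAuditMaskType]::CheckOut -bor `
             [int][Microsoft.SharePoint.SPAuditMaskType]::SecurityChange -bor `
             [int][Microsoft.SharePoint.SPAuditMaskType]::Copy -bor `
             [int][Microsoft.SharePoint.SPAuditMaskType]::Move
    $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]$flags
    $site.Audit.Update()
    "Audit flags now: " + $site.Audit.AuditFlags

    # Query: who changed permissions in the last 7 days, on what?
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::SecurityChange)
    $query.SetRangeStart((Get-Date).AddDays(-7))
    $query.SetRangeEnd((Get-Date))

    foreach ($e in $site.Audit.GetEntries($query)) {
        # Entries carry only the user id; resolve it through the site collection's user list.
        try   { $who = $site.RootWeb.SiteUsers.GetByID($e.UserId).LoginName }
        catch { $who = "userid " + $e.UserId }
        "{0:u} {1,-45} {2,-15} {3}" -f $e.Occurred, $who, $e.Event, $e.DocLocation
    }
}
finally { $site.Dispose() }
```

The entries live in the content database of the site collection, so pair this with a retention decision (the audit log trimming job in Central Administration) and export what you need before it is trimmed; an audit log that silently rolls over is only marginally better than one that was never switched on.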
Records Management
New in SharePoint 2010: in-place records management
Enable the feature at the site collection level
Declare records management attributes at the site collection, folder or content type
Supports security at the document level without permissions
More Information
Mohamed Faizal: [email protected]
Twitter: @kmdfaizal
Blog: http://faizal-comeacross.blogspot.com/
Microsoft Official Curriculum Course 10174A: Configuring and Administering SharePoint 2010
70-667 Training Kit: Configuring and Administering SharePoint 2010 (Microsoft Press)
Questions & Answers
Thank You | Let us be a Value Creator for your organisation