Securing Knowledge and Collaboration Systems: SharePoint 2010

Upload: mohamed-faizal

Post on 16-Jan-2015


DESCRIPTION

The SharePoint security model can be confusing, with its deep hierarchy of securable objects, granular permissions and policies, and clunky user and group management interfaces. This session demystifies SharePoint security by dissecting each of these components and presenting best practices for implementing and managing security. Learn when and why it makes sense to leverage Active Directory groups or use SharePoint groups, and take away options for new permission levels and settings that address common business requirements.

TRANSCRIPT

Page 1: Securing Knowledge and Collaboration Systems SharePoint 2010

Securing Knowledge and Collaboration Systems

Permissions, Identities, and Objects

K. Mohamed Faizal, Lead Consultant, NCS (P) Ltd.

http://faizal-comeacross.blogspot.com/

ANSES RahRah 9: Securing Knowledge and Collaboration Systems

Page 2: Securing Knowledge and Collaboration Systems SharePoint 2010

About Me


Page 3: Securing Knowledge and Collaboration Systems SharePoint 2010

What's the point?

Security is more than just Authentication / Authorization

Page 4: Securing Knowledge and Collaboration Systems SharePoint 2010

What's the point?

Security is like dressing for the cold: do it in layers (Defense in Depth, DiD).

Page 5: Securing Knowledge and Collaboration Systems SharePoint 2010

What’s the point?

In Security, the WHY is more important than the HOW

Page 6: Securing Knowledge and Collaboration Systems SharePoint 2010

Portal End-to-End Security

[Figure: Intranet Portal End-to-End Security matrix; columns labelled Title, Function and Phase]

Page 7: Securing Knowledge and Collaboration Systems SharePoint 2010

Portal focus on

Content

Communication

Collaboration

Activity

Page 8: Securing Knowledge and Collaboration Systems SharePoint 2010

Portal Permission Dependency Chart

http://skurocks.wordpress.com/category/sharepoint/sharepoint-security/

Page 9: Securing Knowledge and Collaboration Systems SharePoint 2010

SharePoint Security in a Nutshell

Authentication: users and groups; web application policy

Authorization: securable object; roles (permission levels); role assignments ("assigning permissions"); record policies; auditing

[Figure: identity/claim, policy, group, role (permission level), securable object and record, grouped under Authentication and Authorization]

Page 10: Securing Knowledge and Collaboration Systems SharePoint 2010

Key Concepts: Claims Based Access Terminology

Identity: "Set of attributes that describes a principal (e.g. a user) such as name, gender, age, email address, driver license number, group membership"

Example: Person: Mohamed Faizal. Identity: Mohamed Faizal (Name: Mohamed Faizal; DOB: 10 Jan 1973; Eye Color: Black; Role: SG Citizen)

Page 11: Securing Knowledge and Collaboration Systems SharePoint 2010

Key Concepts: Claims Based Access Terminology

Claim: "An attribute about an identity issued by an authority"

Identity Provider: "Trusted authority that creates and issues claims"

Relying Party: "Application that makes authorisation decisions based on claims"

Page 12: Securing Knowledge and Collaboration Systems SharePoint 2010

Key Concepts: Claims Based Access Terminology

Example: Person: Mohamed Faizal. Identity: Mohamed Faizal (Name: Mohamed Faizal; DOB: 10 Jan 1973; Eye Color: Black; Role: SG Citizen)

Page 13: Securing Knowledge and Collaboration Systems SharePoint 2010

Key Concepts: Claims Based Access Terminology - Token

"A token consists of a set of claims about the principal, signed by an authority"

[Figure: Token = Claim + Claim + Claim + Signature]

Page 14: Securing Knowledge and Collaboration Systems SharePoint 2010

Key Concepts: Claims Based Access Terminology - Token

Token, signed by SG Govt.: Name: Mohamed Faizal; DOB: 10 Jan 1973; Role: SG Citizen

Identity: Mohamed Faizal (Name: Mohamed Faizal; DOB: 10 Jan 1973; Eye Color: Black; Role: SG Citizen)

Person: Mohamed Faizal

The token carries only the subset of the identity's attributes that the issuing authority vouches for (here, no eye colour).

Page 15: Securing Knowledge and Collaboration Systems SharePoint 2010

Key Concepts: Claims Based Access Terminology

Why claims, not attributes? Trust depends on scenario.

Mohamed Faizal

Identity @ SG Government: Name: Mohamed Faizal; DOB: 10 Jan 1973

Identity @ Facebook: Name: Mohamed Faizal; DOB: 10 Jan 1990
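The three roles on the preceding slides (identity provider, token, relying party) and the "trust depends on scenario" point, as an added example that is not part of the deck. It is a toy: HMAC-SHA256 under a per-issuer secret stands in for the issuer's signature (a real IP-STS signs with a private key), and the issuer names, keys and claim values are constructed for the demo. The relying party trusts the government as the authority on citizenship, so a token carrying the same claims from another issuer is rejected, as is a trusted token whose date of birth was altered after signing.

```powershell
# Added example, not from the deck: toy identity provider + relying party.
# HMAC-SHA256 with a per-issuer secret stands in for the issuer's signature;
# issuer names, keys and claim values are constructed for this demo.

function Get-HmacHex([string]$Key, [string]$Data) {
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [System.Text.Encoding]::UTF8.GetBytes($Key)
    $hash = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Data))
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

# Identity provider: bundle the claims about the principal and sign them
function New-ClaimsToken([string]$Issuer, [string]$IssuerKey, [hashtable]$Claims) {
    $payload = ($Claims.Keys | Sort-Object | ForEach-Object { "$_=$($Claims[$_])" }) -join ';'
    return New-Object PSObject -Property @{
        Issuer    = $Issuer
        Payload   = $payload
        Signature = Get-HmacHex -Key $IssuerKey -Data $payload
    }
}

# Relying party, step 1: accept the token only if the issuer is trusted for this
# scenario AND the signature verifies under that issuer's key
function Test-ClaimsToken($Token, [hashtable]$TrustedIssuers) {
    if (-not $TrustedIssuers.ContainsKey($Token.Issuer)) { return $false }
    $expected = Get-HmacHex -Key $TrustedIssuers[$Token.Issuer] -Data $Token.Payload
    return [string]::Equals($expected, $Token.Signature, [System.StringComparison]::Ordinal)
}

# Read one claim back out of the signed payload
function Get-Claim($Token, [string]$Name) {
    foreach ($pair in ($Token.Payload -split ';')) {
        $k, $v = $pair -split '=', 2
        if ($k -eq $Name) { return $v }
    }
    return $null
}

# Relying party, step 2: the authorisation decision itself. Only a verified
# token carrying Role=SG Citizen is allowed in.
function Test-CitizenAccess($Token, [hashtable]$TrustedIssuers) {
    return (Test-ClaimsToken $Token $TrustedIssuers) -and ((Get-Claim $Token 'Role') -eq 'SG Citizen')
}

# --- demo with constructed secrets ---
$govKey = 'sg-govt-demo-secret'
$fbKey  = 'facebook-demo-secret'

$govToken = New-ClaimsToken -Issuer 'SG Government' -IssuerKey $govKey `
    -Claims @{ Name = 'Mohamed Faizal'; DOB = '10 Jan 1973'; Role = 'SG Citizen' }
$fbToken  = New-ClaimsToken -Issuer 'Facebook' -IssuerKey $fbKey `
    -Claims @{ Name = 'Mohamed Faizal'; DOB = '10 Jan 1990'; Role = 'SG Citizen' }

# This relying party trusts the government on citizenship, not Facebook
$trusted = @{ 'SG Government' = $govKey }

Write-Host "Government-issued token, trusted issuer      : $(Test-CitizenAccess $govToken $trusted)"
Write-Host "Facebook-issued token, issuer not trusted    : $(Test-CitizenAccess $fbToken $trusted)"

# Altering a claim after signing breaks the signature even though the issuer is trusted
$tampered = New-Object PSObject -Property @{
    Issuer    = $govToken.Issuer
    Payload   = $govToken.Payload.Replace('1973', '1990')
    Signature = $govToken.Signature
}
Write-Host "Government token with DOB altered after signing: $(Test-CitizenAccess $tampered $trusted)"
```

The ordinal string comparison avoids PowerShell's default case-insensitive `-eq`; a production verifier would also use a constant-time comparison and check the token's validity window and audience, neither of which this toy models.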

Page 16: Securing Knowledge and Collaboration Systems SharePoint 2010

Benefits of Claims: Current Situation – Single Sign-On

Different sign-on requirements for applications

Page 17: Securing Knowledge and Collaboration Systems SharePoint 2010

Benefits of Claims: Current Situation – Sensitive information leaks

Sensitive information is sent via e-mail since partners do not have access to Company X's SharePoint site

Page 18: Securing Knowledge and Collaboration Systems SharePoint 2010

Benefits of Claims: Current Situation – Time and labour intensive, and still insecure!

Potential unauthorised access

Access requests and password requests handled through the help desk

Page 19: Securing Knowledge and Collaboration Systems SharePoint 2010

Benefits of Claims: Extend the Reach of Collaboration – Beyond Your Organisation

Empower Business

• Ability to move seamlessly between applications using a single identity

• Collaborate across organisations securely

• Make business applications more agile and loosely tied to infrastructure by integrating with cloud services

Empower IT

• No need to manage external accounts

• Simplified and flexible claims-based federation

• Open and extensible: standards-based and interoperable

Page 20: Securing Knowledge and Collaboration Systems SharePoint 2010

Sign-in Scenarios

• Sign in to SharePoint with both Windows and LDAP directory identities

• Easily configure intranet and extranet users for collaboration

• Integrate with other customer identity systems (e.g. ADFS)

• Use Office applications with non-Windows authentication

Page 21: Securing Knowledge and Collaboration Systems SharePoint 2010

Normalizing Identities

Whatever the sign-in source, the user is normalized to an SPUser:

• Windows Identity (NT token); also usable in Classic mode

• ASP.NET forms-based authentication (FBA): SQL, LDAP, custom providers ...

• Claims Based Identity (SAML token): SAML 1.1+, ADFS, etc.
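The sign-in scenarios above (Windows plus a forms/LDAP directory on one web application, and an ADFS-style SAML issuer) as they are wired up from the SharePoint 2010 Management Shell. This is an added example, not a script from the deck: the web application name, URL, application pool, managed account, FBA provider names, realm, sign-in URL and certificate path are all assumptions, and the FBA providers are expected to already be declared in web.config.

```powershell
# Added example, not from the deck. Names, URLs, accounts and the certificate
# path are assumptions; the FBA membership/role providers must already exist
# in web.config under the names used here.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Windows (NTLM/Kerberos) sign-in, surfaced as claims of the form i:0#.w|DOMAIN\user
$winProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

# Forms-based sign-in (SQL/LDAP/custom) through the named ASP.NET providers
$fbaProvider = New-SPAuthenticationProvider `
    -ASPNETMembershipProvider 'PartnerMembership' `
    -ASPNETRoleProviderName  'PartnerRoles'

# One claims-mode web application that accepts both; either sign-in becomes an SPUser
New-SPWebApplication -Name 'Intranet Portal (demo)' `
    -Url 'http://intranet.contoso.local' -Port 80 `
    -ApplicationPool 'IntranetAppPool' `
    -ApplicationPoolAccount (Get-SPManagedAccount 'CONTOSO\svc-sp-apppool') `
    -AuthenticationProvider $winProvider, $fbaProvider

# SAML 1.1 issuer (e.g. ADFS): the incoming e-mail claim becomes the identifier claim.
# The signing certificate is the issuer's public token-signing certificate; the path is a placeholder.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'Email' -SameAsIncoming
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    'C:\certs\PLACEHOLDER-adfs-token-signing.cer')
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'Contoso ADFS (demo)' `
    -Description 'Partner SAML sign-in' `
    -Realm 'urn:sharepoint:intranet' `
    -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailMap `
    -SignInUrl 'https://adfs.contoso.local/adfs/ls' `
    -IdentifierClaim $emailMap.InputClaimType

# A third provider wraps the trusted issuer; it is added to a zone the same way as
# the two above (for example on the extranet zone via Set-SPWebApplication)
$samlProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
```

Because SharePoint only validates the SAML token signature against the certificate imported here, the trust boundary of the whole extranet is that certificate: rotate it together with the issuer and remove the provider from the zone when the partner relationship ends.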

Page 22: Securing Knowledge and Collaboration Systems SharePoint 2010

Sign-in Process

[Figure: the client signs in to SharePoint through the SharePoint STS, which holds trust relationships with identity sources (Active Directory, LiveID, ASP.NET Membership) and with SAML-based Identity Provider Security Token Services (IP-STS); claims providers feed SharePoint authorization. Numbered steps visible in the figure: 5 service token request, 6 security token response, 7 request resource with service token.]

Page 23: Securing Knowledge and Collaboration Systems SharePoint 2010

End User Experience

Page 24: Securing Knowledge and Collaboration Systems SharePoint 2010

End User Experience

Classic Mode

Page 25: Securing Knowledge and Collaboration Systems SharePoint 2010

End User Experience

Claims Mode

Page 26: Securing Knowledge and Collaboration Systems SharePoint 2010

SharePoint Logical Structure

Web Application
  Site Collection
    Top-Level Site
      Site
        List / Library
          [Folder] / [Folder]
            Item / Document
  Site Collection
    Top-Level Site
      Site

Page 27: Securing Knowledge and Collaboration Systems SharePoint 2010

Issue : # 1 - Search

In SharePoint 2010, Enterprise Search results are by default security-trimmed at query time, based on the identity of the user who submitted the query. But when users search, document content appears on the search result page. This is a big security issue if you store confidential documents on a SharePoint 2010 intranet portal.

Page 28: Securing Knowledge and Collaboration Systems SharePoint 2010
Page 29: Securing Knowledge and Collaboration Systems SharePoint 2010

Permission Levels

Permission levels are collections of permissions.

Default: Read, Contribute, Design, Full Control, Limited Access

Added by the Publishing feature: Manage Hierarchy, Approve, Restricted Read

Page 30: Securing Knowledge and Collaboration Systems SharePoint 2010

Permission Levels

Permission levels are collections of permissions, defined at the site collection.

How to:

• Customize an existing permission level

• Copy an existing permission level and edit the copy

• Create a new permission level "from scratch"

Page 31: Securing Knowledge and Collaboration Systems SharePoint 2010

Issue : # 2 - Permission Level

SharePoint 2010 is a collaboration portal where you can enable the auto check-in feature, but sometimes a confidential document is checked out by another authorized person who then goes on leave or leaves the organization. Now you need to edit the confidential document, but since it is checked out you are not allowed to edit it. The minimum permission required to check it in is Manager. How do you overcome this kind of specific security issue?
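A permission level built the way the previous slide describes (copy an existing level and edit the copy), applied to this issue, as an added example that is not part of the deck. It copies Contribute and adds the single right that check-in on someone else's check-out needs, so the delegated user gets that one right instead of a whole Design or Full Control level. The site URL and the level name are assumptions; `SPBasePermissions.CancelCheckout` is the API name behind the "Override Check Out" right shown in the UI.

```powershell
# Added example, not from the deck. Site URL and level name are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Expand a rights mask into the individual SPBasePermissions names it contains
function Get-PermissionNames([Microsoft.SharePoint.SPBasePermissions]$Mask) {
    $empty = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask
    $full  = [Microsoft.SharePoint.SPBasePermissions]::FullMask
    [Enum]::GetValues([Microsoft.SharePoint.SPBasePermissions]) |
        Where-Object { $_ -ne $empty -and $_ -ne $full -and ($Mask -band $_) -eq $_ } |
        ForEach-Object { $_.ToString() }
}

# Create "Contribute + Override Check Out" and return the rights it adds over Contribute
function New-ContributeWithCheckInLevel([string]$SiteUrl, [string]$LevelName) {
    $site = Get-SPSite $SiteUrl
    try {
        # Permission levels are defined at the site collection, so edit the root web
        $rootWeb = $site.RootWeb
        $contribute = $rootWeb.RoleDefinitions['Contribute']

        if (-not ($rootWeb.RoleDefinitions | Where-Object { $_.Name -eq $LevelName })) {
            $level = New-Object Microsoft.SharePoint.SPRoleDefinition
            $level.Name = $LevelName
            $level.Description = 'Contribute plus Override Check Out (check in or discard another user''s check-out)'
            # CancelCheckout = "Override Check Out" in Site Settings; everything else is Contribute's mask
            $level.BasePermissions = $contribute.BasePermissions -bor `
                [Microsoft.SharePoint.SPBasePermissions]::CancelCheckout
            $rootWeb.RoleDefinitions.Add($level)
        }

        # Report the delta so a reviewer can confirm exactly one right was added
        $before = @(Get-PermissionNames $contribute.BasePermissions)
        $after  = @(Get-PermissionNames $rootWeb.RoleDefinitions[$LevelName].BasePermissions)
        return $after | Where-Object { $before -notcontains $_ }
    }
    finally { $site.Dispose() }
}

New-ContributeWithCheckInLevel -SiteUrl 'http://intranet.contoso.local' `
    -LevelName 'Contribute with Check-In'
```

Assign the new level to a small, named SharePoint group rather than to "Members", so the list of people who can discard someone else's work stays visible in People and Groups.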

Page 32: Securing Knowledge and Collaboration Systems SharePoint 2010
Page 33: Securing Knowledge and Collaboration Systems SharePoint 2010

Issue : # 3 Groups

SharePoint groups or Active Directory groups: which is best to use for an intranet portal and a collaboration site, and which one is easier to manage?

Page 34: Securing Knowledge and Collaboration Systems SharePoint 2010

Group Management Comparison

Active Directory

• Technical user interface (AD Users & Computers)

• No provisioning (requests, workflows)

• Difficult delegation of membership management

• Centralized security (group membership) management

SharePoint

• Non-technical user interface (compared to ADUC)

• Easy delegation of group membership management

• Optional provisioning of membership requests

• Unified view of SharePoint groups & users

• Only applies to SharePoint

Page 35: Securing Knowledge and Collaboration Systems SharePoint 2010

Using Active Directory Groups

Assigning permissions directly to AD groups: possible but not recommended. It assumes that content will always be hosted in a web application using AD as its auth provider.

Nest Active Directory groups in SharePoint groups: add the AD group to a SharePoint group and give the SharePoint group permissions (recommended).

User → Active Directory group → SharePoint group. The AD group must be a security group (not a distribution group).

Distribution groups can be used to create audiences.

Page 36: Securing Knowledge and Collaboration Systems SharePoint 2010

User Information List

Group information list: Site Settings > People and Groups

User Information List: /_catalogs/users/simple.aspx

• This list exists at the site collection level

• Visible only to administrators with the URL

• No longer has a link in the UI in 2010

Users appear when:

• Added explicitly to the User Information List

• Given an explicit permission within the site collection

• They contribute to the site (e.g. able to contribute based on membership in an AD group)

• They configure an alert

Page 37: Securing Knowledge and Collaboration Systems SharePoint 2010

To Nest or Not To Nest: User → Active Directory group → SharePoint group (advantages, disadvantages, recommendations)

Page 38: Securing Knowledge and Collaboration Systems SharePoint 2010

To Nest or Not To Nest: User → Active Directory group → SharePoint group

Advantages

• Provides authentication

• Centralized management of groups and security

• One AD group can provide access to SharePoint, shared folders, etc.

• User removed from AD group is automatically out of SP groups

Note: don't assign SP permissions directly to AD groups; not manageable in the long term.

Page 39: Securing Knowledge and Collaboration Systems SharePoint 2010

To Nest or Not To Nest: User → Active Directory group → SharePoint group

Disadvantages

• Limited visibility of what's really happening

• Site will not appear in the users' My Sites

• User Information List will not show individual users until they have contributed to the site

• AD groups with deep nesting or contacts can break SP

Page 40: Securing Knowledge and Collaboration Systems SharePoint 2010

To Nest or Not To Nest: User → Active Directory group → SharePoint group

Recommendation: based on governance plan

• Ideal world: synchronization of membership between Active Directory and SharePoint groups (custom code)

• "Intranet" sites: AD groups → SP groups to define access; add the site to users' My Sites with personalization site links

• "Collab" sites: add users directly to SP groups; provides My Site visibility and visibility of the user in the User Information List
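The recommended "intranet" pattern from the last three slides (User → AD security group → SharePoint group → permission level), as an added example that is not part of the deck. The site URL, domain, group names and permission level are assumptions. The permission is bound to the SharePoint group only; the AD group is merely a member of it, so the site keeps working if the content later moves to a web application with a different authentication provider, and a user removed from the AD group loses access without anyone touching SharePoint.

```powershell
# Added example, not from the deck. URL, domain, group and level names are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Grant-AdGroupViaSharePointGroup {
    param(
        [string]$WebUrl,           # web with its own permissions (root web of the site collection here)
        [string]$AdGroup,          # e.g. 'CONTOSO\HR-Staff'; must be a security group
        [string]$SpGroupName,      # SharePoint group that actually holds the permission
        [string]$PermissionLevel   # e.g. 'Contribute'
    )
    $web = Get-SPWeb $WebUrl
    try {
        if (-not $web.HasUniqueRoleAssignments) {
            throw "$WebUrl inherits permissions; assign at the web that owns them"
        }
        $owner = $web.Site.Owner

        # 1. The SharePoint group is the unit that carries the permission
        $spGroup = $web.SiteGroups | Where-Object { $_.Name -eq $SpGroupName }
        if (-not $spGroup) {
            $web.SiteGroups.Add($SpGroupName, $owner, $owner, "Members of $AdGroup")
            $spGroup = $web.SiteGroups[$SpGroupName]
        }

        # 2. Bind the permission level to the SharePoint group (never to the AD group)
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($spGroup)
        $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$PermissionLevel])
        $web.RoleAssignments.Add($assignment)

        # 3. Nest the AD security group inside the SharePoint group.
        #    EnsureUser fails for a distribution group, which is not a security principal.
        $adPrincipal = $web.EnsureUser($AdGroup)
        if (-not $adPrincipal.IsDomainGroup) {
            throw "$AdGroup resolved to a single user, not a domain group"
        }
        $spGroup.AddUser($adPrincipal)

        # Return the effective bindings of the SharePoint group for the change record
        return $web.RoleAssignments.GetAssignmentByPrincipal($spGroup).RoleDefinitionBindings |
            ForEach-Object { $_.Name }
    }
    finally { $web.Dispose() }
}

Grant-AdGroupViaSharePointGroup -WebUrl 'http://intranet.contoso.local' `
    -AdGroup 'CONTOSO\HR-Staff' -SpGroupName 'HR Contributors' -PermissionLevel 'Contribute'
```

The disadvantage the slides list still applies: individual members of `CONTOSO\HR-Staff` will not show up in People and Groups or the User Information List until they contribute, so membership reviews for this group have to be done against Active Directory, not against SharePoint.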

Page 41: Securing Knowledge and Collaboration Systems SharePoint 2010

Issue : # 4 Policy

On an intranet portal, each department site appears with a different look and feel. How do you prevent users from selecting different branding, themes and borders?

Page 42: Securing Knowledge and Collaboration Systems SharePoint 2010

Web Application Security

Central Administration > Application Management > Manage Web Applications > User Policy

• Bound to a web application AAM zone

• Permissions: Full Control, Full Read, Deny Write, Deny All

• Permission policy allows you to create your own policies

Scenarios

Page 43: Securing Knowledge and Collaboration Systems SharePoint 2010

Managing Permissions

• Defined at the web application

• Not typical to modify or disable the permissions at the web app

• Central Administration > Web Application Management > User Permissions

• Example: prevent changes to branding by deselecting Apply Style Sheets and Apply Themes and Borders
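Both web-application-level controls from the two slides above, as an added example that is not part of the deck: a user policy that grants Full Read across the whole web application, and the user-permissions change that removes the two branding rights so no department site owner, whatever their site permission level, can apply a different theme or style sheet. The web application URL, the auditor login and the policy display name are assumptions; in claims mode the login must be in encoded form (for example `i:0#.w|contoso\auditor` for a Windows account).

```powershell
# Added example, not from the deck. URL, login and display name are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-PortalWebAppSecurity([string]$WebAppUrl, [string]$AuditorLogin) {
    $webApp = Get-SPWebApplication $WebAppUrl

    # (a) User policy: Full Read for one account on every site in the web application.
    #     Policies override site-level role assignments, so keep this list short and reviewed.
    #     $webApp.Policies applies to all zones; use $webApp.ZonePolicies(<zone>) for a single AAM zone.
    $existing = $webApp.Policies | Where-Object { $_.UserName -eq $AuditorLogin }
    if (-not $existing) {
        $policy   = $webApp.Policies.Add($AuditorLogin, 'Portal auditor (demo)')
        $fullRead = $webApp.PolicyRoles.GetSpecialRole(
            [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
        $policy.PolicyRoleBindings.Add($fullRead)
    }

    # (b) User permissions: remove "Apply Themes and Borders" and "Apply Style Sheets"
    #     from the web application's rights mask. Every permission level in every site
    #     collection is capped by this mask, so Full Control owners lose these rights too.
    $branding = [long][Microsoft.SharePoint.SPBasePermissions]::ApplyThemeAndBorder -bor `
                [long][Microsoft.SharePoint.SPBasePermissions]::ApplyStyleSheets
    $newMask  = [long]$webApp.RightsMask -band (-bnot $branding)
    $webApp.RightsMask = [Microsoft.SharePoint.SPBasePermissions]$newMask
    $webApp.Update()

    # True when neither branding right remains anywhere in the web application
    return ([long]$webApp.RightsMask -band $branding) -eq 0
}

Set-PortalWebAppSecurity -WebAppUrl 'http://intranet.contoso.local' `
    -AuditorLogin 'i:0#.w|contoso\auditor'
```

Removing a right from the web application mask silently drops it from every existing permission level, including custom ones, which is why the slide calls changing this setting atypical: document the change in the governance plan before you make it.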

Page 44: Securing Knowledge and Collaboration Systems SharePoint 2010

Issue : # 5 Audit

SharePoint has an audit logging feature, but most organizations don't turn it on. When suspicious events occur, you will not find the audit information.

Page 45: Securing Knowledge and Collaboration Systems SharePoint 2010

Auditing

• Configured at the site collection level

• Site Settings > Site Collection Administration: Site collection audit settings

• Audit log reports
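Turning auditing on for a confidential-document site collection and reading the log back, as an added example that is not part of the deck. The site URL, library name, event selection and retention period are assumptions; the audit entries shown are whatever the site has actually recorded. Besides the events, the example sets automatic log trimming, because an audit log that is never trimmed grows in the content database until someone turns auditing off again, which is how sites end up in the state Issue #5 describes.

```powershell
# Added example, not from the deck. URL, library, events and retention are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Enable-PortalAuditing([string]$SiteUrl, [int]$RetentionDays) {
    $site = Get-SPSite $SiteUrl
    try {
        # Events that answer "who saw, changed, or removed this document, and who changed its permissions"
        $flags = [Microsoft.SharePoint.SPAuditMaskType]::View -bor `
                 [Microsoft.SharePoint.SPAuditMaskType]::Update -bor `
                 [Microsoft.SharePoint.SPAuditMaskType]::CheckIn -bor `
                 [Microsoft.SharePoint.SPAuditMaskType]::CheckOut -bor `
                 [Microsoft.SharePoint.SPAuditMaskType]::Delete -bor `
                 [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
        $site.Audit.AuditFlags = $flags
        $site.Audit.Update()

        # Let the Audit Log Trimming timer job remove entries older than the retention period
        $site.TrimAuditLog = $true
        $site.AuditLogTrimmingRetention = $RetentionDays
        return $site.Audit.AuditFlags
    }
    finally { $site.Dispose() }
}

# Pull the recent audit trail for one document library in the root web
function Get-LibraryAuditTrail([string]$SiteUrl, [string]$LibraryName, [int]$Days) {
    $site = Get-SPSite $SiteUrl
    try {
        $list  = $site.RootWeb.Lists[$LibraryName]
        $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
        $query.RestrictToList($list)
        $query.SetRangeStart((Get-Date).AddDays(-$Days))
        $query.SetRangeEnd((Get-Date))
        $site.Audit.GetEntries($query) | ForEach-Object {
            New-Object PSObject -Property @{
                Occurred = $_.Occurred      # UTC
                Event    = $_.Event
                UserId   = $_.UserId        # resolve via $site.RootWeb.SiteUsers.GetByID()
                Document = $_.DocLocation
            }
        }
    }
    finally { $site.Dispose() }
}

Enable-PortalAuditing -SiteUrl 'http://intranet.contoso.local' -RetentionDays 90
Get-LibraryAuditTrail -SiteUrl 'http://intranet.contoso.local' -LibraryName 'Confidential' -Days 7 |
    Sort-Object Occurred | Format-Table -AutoSize
```

View auditing is the noisiest flag and is the one most often left off for that reason; for a library of confidential documents it is also the only flag that records who read a file, so the trade-off should be made per site collection rather than farm-wide.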

Page 46: Securing Knowledge and Collaboration Systems SharePoint 2010

Records Management

• New in SharePoint 2010: in-place records management

• Enable the feature at the site collection level

• Declare records management attributes at the site collection, folder or content type

• Supports security at the document level without permissions

Page 47: Securing Knowledge and Collaboration Systems SharePoint 2010

More Information

Mohamed Faizal: [email protected]

@kmdfaizal

Blog: http://faizal-comeacross.blogspot.com/

Microsoft Official Curriculum Course 10174A: Configuring and Administering SharePoint 2010

70-667 Training Kit: Configuring and Administering SharePoint 2010 (Microsoft Press)

Page 48: Securing Knowledge and Collaboration Systems SharePoint 2010


Questions & Answers

Page 49: Securing Knowledge and Collaboration Systems SharePoint 2010

Thank You | Let us be a Value Creator for your organisation