SharePoint Lockdown: Security and BI
Chris Conte, Premier Field Engineer, 25 Feb 2014
Welcome. Microsoft Services helps businesses around the world maximize their investment in Microsoft products and technologies.
The Threat
Authentication & STS
Authorization
Applying Permissions
SQL Server
Call to Action
OBJECTIVE
Understand the basics of SharePoint Security and an overview of good practices for securing a sensitive data environment
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Distrust and caution are the parents of security.
– Benjamin Franklin
Authentication Providers
• CMA (Classic-Mode)
• CBA (Claims Based Authentication)
• SAML (Security Assertion Markup Language)
• FBA (Forms-Based Authentication)
Classic = BAD!
Name, Email, Job Title
STS (Security Token Service)
Authorization, not Authentication
Membership and Role Providers
User Permissions
Permission level / Description / Permissions included by default

Limited Access
Description: Allows access to shared resources in the Web site so that the users can access an item within the site. Designed to give users access to a specific list, document library, folder, list item, or document, without giving them access to the entire site. Cannot be customized or deleted.
Permissions included by default:
• View Application Pages
• Browse User Information
• Use Remote Interfaces
• Use Client Integration Features
• Open

Read
Description: View pages, list items and download documents.
Permissions included by default: Limited Access permissions, plus:
• View Items
• Open Items
• View Versions
• Create Alerts
• Use Self-Service Site Creation
• View Pages

Contribute
Description: View, add, update, and delete items in the existing lists and document libraries.
Permissions included by default: Read permissions, plus:
• Add Items
• Edit Items
• Delete Items
• Delete Versions
• Browse Directories
• Edit Personal User Information
• Manage Personal Views
• Add/Remove Personal Web Parts
• Update Personal Web Parts

Design
Description: View, add, update, delete, approve, and customize items or pages in the Web site.
Permissions included by default: Approve permissions, plus:
• Manage Lists
• Add and Customize Pages
• Apply Themes and Borders
• Apply Style Sheets

Full Control
Description: Allows full control of the scope.
Permissions included by default: All permissions
Applying Permissions
• Groups (and Nesting)
• Farm Admins (Web App / Policy)
• Site Collection Inheritance
SharePoint Group
AD Group
User
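The three places this slide names (web application policy, broken inheritance inside a site collection, and the groups that hold the assignments) can be inventoried in one pass. The following script is an added example and is not code from the deck; it assumes the SharePoint Management Shell on a farm server, and `$SiteUrl` and the output path are placeholders.

```powershell
# Added example, not from the deck: inventory web application policies and every
# web or list in a site collection that breaks inheritance, then flag Full Control.
# Run in the SharePoint Management Shell on a farm server; $SiteUrl and $OutFile
# are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = "http://URL/sites/placeholder"           # placeholder
$OutFile = "E:\reports\permission-inventory.csv"   # placeholder
$Report  = New-Object System.Collections.Generic.List[object]

function Add-Row($Scope, $Url, $Principal, $Role) {
    $Report.Add([pscustomobject]@{ Scope = $Scope; Url = $Url; Principal = $Principal; Role = $Role })
}

$site   = Get-SPSite -Identity $SiteUrl
$webApp = $site.WebApplication

# Web application user policies are evaluated before any site permission, so a
# Full Control / Full Read policy reaches every site collection in the web app.
foreach ($policy in $webApp.Policies) {
    foreach ($binding in $policy.PolicyRoleBindings) {
        Add-Row "WebAppPolicy" $webApp.Url $policy.UserName $binding.Name
    }
}

# Only webs and lists that break inheritance carry their own role assignments;
# the root web always does, so its groups and users appear here too.
foreach ($web in $site.AllWebs) {
    if ($web.HasUniqueRoleAssignments) {
        foreach ($ra in $web.RoleAssignments) {
            Add-Row "Web" $web.Url $ra.Member.Name (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ";")
        }
    }
    foreach ($list in $web.Lists) {
        if ($list.HasUniqueRoleAssignments) {
            foreach ($ra in $list.RoleAssignments) {
                Add-Row "List" $list.RootFolder.ServerRelativeUrl $ra.Member.Name (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ";")
            }
        }
    }
    $web.Dispose()
}
$site.Dispose()

$Report | Export-Csv -Path $OutFile -NoTypeInformation
# Review list: every principal that ends up with Full Control at any scope
$Report | Where-Object { $_.Role -match "Full Control" } | Format-Table -AutoSize
```

The CSV is the full inventory; the final table is the short list a reviewer actually reads, since a Full Control grant on a single library or a web application policy is as much of an exposure as one on the site collection itself.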
SQL Server Security
• Security starts with code, then patching
• Separate roles of SQL Server engine, reporting services, ETL, etc.
• Separate accounts for Engine, Agent, SSIS, SSRS, etc.
• Limit access, use AD groups, use SQL Roles
• Do not turn on unnecessary components under SP_CONFIGURE
• Auditing, log transfer, ACS
• Encryption of DBs, IPSec
• Secured backups/media
• BPA, STIG/Hardening
• Remember, with enough time and resources, nothing is hack-proof, only resistant. All we can do is harden and monitor
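Two of the points above (unnecessary components under SP_CONFIGURE and limiting who holds server-level access) can be checked from the farm with a read-only query. This is an added example, not code from the deck; `$Instance` is a placeholder, the script authenticates as the caller, and the option list is the usual surface-area set rather than anything the deck enumerates.

```powershell
# Added example, not from the deck: report sp_configure surface-area options that
# are ON and list sysadmin members on the instance behind the farm.
# $Instance is a placeholder; Windows authentication as the caller; reads metadata only.
$Instance = "SQLHOST\INSTANCE"   # placeholder

# Options that should stay 0 unless a documented need exists (sp_configure names)
$RiskyOptions = @('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
                  'Ad Hoc Distributed Queries', 'Database Mail XPs',
                  'remote access', 'cross db ownership chaining')
$inList = ($RiskyOptions | ForEach-Object { "'" + $_ + "'" }) -join ','

$query = @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ($inList);
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin';
"@

$conn    = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Database=master;Integrated Security=SSPI")
$adapter = New-Object System.Data.SqlClient.SqlDataAdapter($query, $conn)
$ds      = New-Object System.Data.DataSet
[void]$adapter.Fill($ds)   # Fill opens and closes the connection itself

# Result set 0: configuration options; anything non-zero is enabled
$enabled = $ds.Tables[0].Rows | Where-Object { $_.value_in_use -ne 0 }
if ($enabled) {
    Write-Host "Surface-area options that are ON:" -ForegroundColor Yellow
    $enabled | ForEach-Object { "  $($_.name)" }
    # Remediation, run by the DBA once nothing is confirmed to depend on the option:
    #   EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
} else {
    Write-Host "All checked surface-area options are OFF"
}

# Result set 1: sysadmin membership; expect the DBA group and the engine service
# account, not the SharePoint farm account or individual users
Write-Host "sysadmin members:"
$ds.Tables[1].Rows | ForEach-Object { "  $($_.member_name) [$($_.type_desc)]" }
```

Both result sets come back in one round trip, so the check can run on a schedule and its output diffed against the previous run, which is the cheapest form of the auditing the slide asks for.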
Governance
• Who Does the Security Work?
• How we handle SharePoint Security
• Who is responsible for Authentication?
• Group Management?
• Privilege user requirements?
• Determining appropriate data storage?
• New Web Application/Site Collection/Site/Library/List
• Anonymous, what does that mean?
Reporting (PowerShell)
Search AD

# Build an LDAP filter that finds a group by common name; replace "filter" with the group name
$strFilterStart = "(&(objectCategory=group)(cn="
$strFilterEnd = "))"
$strFilterDisplayName = "filter"
$strFilter = $strFilterStart + $strFilterDisplayName + $strFilterEnd
Write-Host $strFilter

# Search the current domain from its root; PageSize keeps results flowing past the server's 1000-entry limit
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "SubTree"

# Load only the attributes needed (Add returns an index; discard it so it is not printed)
$PropList = "name"
Foreach ($i in $PropList) { [void]$objSearcher.PropertiesToLoad.Add($i) }

$objResults = $objSearcher.FindAll()
Foreach ($objResult in $objResults) { $objResult }
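The search above finds the group object; what a permission review actually needs is who is effectively inside it once nested groups are expanded, which is the "Nesting" point from the Applying Permissions slide. The function below is an added example, not code from the deck; it uses the same DirectorySearcher approach with the LDAP_MATCHING_RULE_IN_CHAIN operator, and the group name in the usage line is a placeholder.

```powershell
# Added example, not from the deck: resolve the effective user members of an AD
# group, including members reached through nested groups, and note disabled ones.
# Runs as a domain user on a domain-joined host; the group name below is a placeholder.
function Get-EffectiveGroupMembers {
    param([Parameter(Mandatory)][string]$GroupName)

    $root     = New-Object System.DirectoryServices.DirectoryEntry
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PageSize = 1000

    # Escape LDAP filter metacharacters in the caller-supplied name (backslash first)
    $escaped = $GroupName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&(objectCategory=group)(cn=$escaped))"
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    $group = $searcher.FindOne()
    if (-not $group) { throw "Group '$GroupName' not found" }
    $groupDn = $group.Properties["distinguishedname"][0]

    # 1.2.840.113556.1.4.1941 walks the memberOf chain, so users in nested groups match too
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    $searcher.PropertiesToLoad.Clear()
    foreach ($p in "sAMAccountName", "displayName", "userAccountControl") {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($r in $searcher.FindAll()) {
        # displayName may be unset; guard before indexing the value collection
        $name = if ($r.Properties["displayname"].Count -gt 0) { $r.Properties["displayname"][0] } else { $null }
        $uac  = [int]$r.Properties["useraccountcontrol"][0]
        [pscustomobject]@{
            Account  = $r.Properties["samaccountname"][0]
            Name     = $name
            Disabled = [bool]($uac -band 2)   # ACCOUNTDISABLE bit
        }
    }
}

# Usage (placeholder group name): who really reads Finance content through this group?
Get-EffectiveGroupMembers -GroupName "SP-Finance-Readers" | Sort-Object Account | Format-Table -AutoSize
```

Run it against each AD group that appears in the farm permission report; a group granted Contribute on a sensitive library is only as tight as the deepest group nested inside it, and disabled accounts still listed are a sign that nobody is reviewing membership.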
Reporting (PowerShell)
Pull Farm Permissions

# Replace http://URL/ with the web application to scan; every line is appended to e:\test.csv
$webApps = Get-SPWebApplication -Identity http://URL/
foreach ($webApp in $webApps) {
    "Web Application = " + $webApp >> e:\test.csv
    $SPSites = Get-SPSite -WebApplication $webApp
    foreach ($SPSite in $SPSites) {
        "Scanning Site" >> e:\test.csv
        "Site = " + $SPSite >> e:\test.csv
        "Owner = " + $SPSite.Owner >> e:\test.csv
        "Secondary Owner = " + $SPSite.SecondaryContact >> e:\test.csv
        $SPWebs = Get-SPWeb -Site $SPSite -Limit All
        foreach ($SPWeb in $SPWebs) {
            "SPWeb = " + $SPWeb >> e:\test.csv
            "Permissions Below" >> e:\test.csv
            # read the web's role assignments before writing them (the variable was never set originally)
            $SPWebRoleAssignments = $SPWeb.RoleAssignments
            $SPWebRoleAssignments >> e:\test.csv
            "Finished Scanning " + $SPWeb >> e:\test.csv
        }
        # site collection groups and their direct members
        $Groups = $SPSite.RootWeb.SiteGroups
        foreach ($Group in $Groups) {
            "" >> e:\test.csv
            "Group " + $Group.Name >> e:\test.csv
            foreach ($User in $Group.Users) {
                "user: " + $User.Name >> e:\test.csv
            }
        }
    }
}
Reporting (PowerShell)
PowerShell Basics\extras
• Add-PSSnapin Microsoft.SharePoint.Powershell –ea 0
• Write-Host to troubleshoot
• | FL
• Get-Help
• Get-Command
• This is an excerpt that can be added to Pull Farm Permissions for additional details under SPWeb

# For each role assignment on the web, look for the Full Control level (base permission mask FullMask)
$RoleAssignments = $SPWeb.RoleAssignments
foreach ($RoleAssignment in $RoleAssignments) {
    foreach ($RoleDefinitionBinding in $RoleAssignment.RoleDefinitionBindings) {
        # compare the permission mask, not the role definition object itself, or the test never matches
        if ($RoleDefinitionBinding.BasePermissions -eq "FullMask") {
            $RoleAssignment
            $GroupName = $RoleAssignment.Member.Name
        }
    }
}
# Expand the matching site group so the report shows the users who actually hold Full Control
$Groups = $SPSite.RootWeb.SiteGroups
foreach ($Group in $Groups) {
    if ($Group.Name -eq $GroupName) {
        $Group.Name
        foreach ($User in $Group.Users) { $User.Name }
    }
}
Call To Action
• Use Service Accounts
• Start a Governance Plan; Create Policy and Process
• Inventory – Organize
• Get Help – Get Your Help Trained
• KPIs – You need them
Contact
Chris Conte, Premier Field Engineer
(813) [email protected]
www.microsoft.com/microsoftservices