Getting Started: SharePoint 2013



Prepared by Sriram Bala, SharePoint Practice
Microsoft SharePoint 2013 - Configuring Security
Verified against build 15.0.4128.1014

Table of Contents

Configuring Security
  Security and least privileges
  Farm security
    SharePoint 2013 local groups
    Farm administrative accounts
    Farm application accounts
    Managed accounts
    Unmanaged accounts
    Auditing farm-level changes
  Designing extranet farm security
    Multiple farms or single farm
    Authentication
  Designing SharePoint Online security
    Microsoft Online accounts
    Single sign-on
    ADFS 2.0
  Network security
    Ports
    Internet Protocol security
    Request Management
  Database security
    Database roles
    Web application pool account security
    Database administrator security
    Backup security
  Database and file encryption
    SQL Server network encryption with SSL
    SQL Server Transparent Data Encryption
    Application-layer encryption
    Remote Blob Storage encryption
  Service application security
    Search security
    Secure Store
    BCS
    User Profile services
  Web application security
    Authentication providers
      NTLM
      Kerberos
      Claims-based authentication
      ADFS 2.0
    Configuring Forms Based Authentication in SharePoint 2013
      Configuring SharePoint
    Web application access policies
    SSL
  App Model security
    OAuth 2.0
    Server-to-server authentication
  Site collection administrators
  SharePoint Designer
  Site, list, and item security
    SharePoint users and groups
    Permission levels
    Permissions
    Permission assignment and inheritance
    Inheritance
    Sharing
  Information Management Policies
  Information Rights Management
  Designing an auditing strategy

Configuring Security

The challenge with security in SharePoint 2013 is that it can be applied at different levels of granularity within the logical hierarchy of the platform, and through different UIs and application programming interfaces (APIs).
The logical hierarchy of SharePoint has remained consistent over the last few major versions, with the exception of the Shared Service Provider (SSP) being replaced by service applications in SharePoint 2010.

Security and least privileges

As a quick review, here are the simple, generic goals of implementing security:
● Keep the wrong individuals out
● Let the right individuals in
● Allow individuals to do only what they are supposed to do
● Keep track of, and audit, what individuals do

Farm security

A strong knowledge of Windows Server, Internet Information Services (IIS), SQL Server, and Active Directory is required when configuring security at the SharePoint 2013 farm level. The SharePoint platform uses all of these technologies, and in many cases you will only be allowed to use Active Directory accounts to manage the various layers.

Farm setup account
The initial group of accounts used for farm creation consists of:
1. The setup user account
2. The server farm account

The setup user account requires the following:
● It must be a domain user account
● It must be a member of the local Administrators group on each server in the SharePoint farm (this does not include the server running SQL Server or the Simple Mail Transfer Protocol [SMTP] server, unless you have a single-server farm with all roles on one machine)
● The dbcreator and securityadmin fixed server roles on the SQL Server instance(s) that will host the SharePoint databases

Because the setup account creates the configuration database and grants the other accounts their SQL Server permissions, it is the most powerful identity in the farm's lifecycle; use it for installation and patching only, not for day-to-day administration.

SharePoint 2013 local groups

After you run the SharePoint Products Configuration Wizard, you will notice the following machine-level groups have been created:
● WSS_ADMIN_WPG This group has read and write access to local server resources.
● WSS_RESTRICTED_WPG This group can read the encrypted farm administration credential registry entry.
You use this group only for encryption and decryption of passwords that are stored in the configuration database.
● WSS_WPG This group has write access to the LOGS directory of the SharePoint root and read access to the remainder of the local resources. All application pool accounts should be members of this group.

The purpose of these groups is to give local services access to the parts of the file system and registry they need, and nothing more. Adding accounts to them by hand (a common shortcut when troubleshooting) widens what a compromised service identity can reach.

Farm administrative accounts

To reduce the risk of untraceable actions and security breaches on a SharePoint 2013 farm, keep the farm setup account's user name and password under tight control within the IT organization. In operations teams, these credentials are often used not only to set up the SharePoint 2013 servers, but also to administer them, which makes every administrative action indistinguishable in the logs.

In essence, you will have at least four levels of users at the farm-administration level:
● Farm setup account
● SharePoint farm administrators (with local administrator rights)
● SharePoint farm administrators (no local administrator rights)
● Service application administrators

Farm application accounts

Being able to trace which service account produced a given Windows event greatly enhances troubleshooting: because each service account is mapped to an individual role, the account identifies which role has the problem. This practice has become less important with the detailed logging offered by the Unified Logging Service (ULS) of SharePoint, provided you have the tools to diagnose issues quickly, but separate identities still limit what any single compromised account can do.

The types of services that will need specific identities include:
● Windows services
● Service application identities
● Application pool identities

Managed accounts

SharePoint managed accounts store a user name and password in the configuration database for use by the various services across SharePoint.
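The following audit script ties the farm-account sections above together. It is an added example and not part of the original document: it lists the members of the three WSS_* local groups on the current server, checks that the setup account holds exactly dbcreator and securityadmin on the SQL Server instance, lists every managed account with its password expiry and rotation settings, and shows how to turn on automatic rotation for one account. The account names (CONTOSO\sp_setup, CONTOSO\sp_farm) and the instance name (SQL01\SHAREPOINT) are placeholders.

```powershell
# Added example, not part of the original document. Assumes the SharePoint 2013
# Management Shell on a farm server, run by a farm administrator who can also
# read server-level metadata on the SQL instance. Account and server names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$setupAccount = 'CONTOSO\sp_setup'    # assumed setup user account
$sqlInstance  = 'SQL01\SHAREPOINT'    # assumed SQL Server instance name

# 1. Who is in the WSS_* local groups on this server? Compare against the expected
#    set: farm account, app pool identities, farm administrators, and nothing else.
function Get-LocalGroupMember([string]$Group) {
    $adsiGroup = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    foreach ($m in $adsiGroup.Invoke('Members')) {
        # ADsPath looks like WinNT://CONTOSO/sp_farm; present it as CONTOSO\sp_farm
        ($m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null) -replace '^WinNT://', '') -replace '/', '\'
    }
}
foreach ($g in 'WSS_ADMIN_WPG', 'WSS_RESTRICTED_WPG', 'WSS_WPG') {
    "{0,-20} {1}" -f $g, ((Get-LocalGroupMember $g) -join ', ')
}

# 2. Does the setup account hold exactly dbcreator and securityadmin, and not sysadmin?
$query = @"
SELECT r.name AS role_name
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = @login;
"@
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$sqlInstance;Integrated Security=SSPI;")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $cmd.Parameters.AddWithValue('@login', $setupAccount) | Out-Null
    $roles = @()
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { $roles += $reader['role_name'] }
    $reader.Close()
} finally { $conn.Close() }

$expected = 'dbcreator', 'securityadmin'
$missing  = $expected | Where-Object { $roles -notcontains $_ }
$excess   = $roles    | Where-Object { $expected -notcontains $_ }
"Setup account roles : $($roles -join ', ')"
if ($missing) { "MISSING: $($missing -join ', ') (farm creation and service provisioning will fail)" }
if ($excess)  { "EXCESS : $($excess -join ', ') (sysadmin is a common and unnecessary over-grant)" }

# 3. Managed accounts: when each password expires and whether the farm rotates it.
#    AutomaticChange must be on and the schedule must fall inside the domain's maximum
#    password age, otherwise the service keeps using the old password and gets locked out.
Get-SPManagedAccount |
    Select-Object UserName, PasswordExpiration, AutomaticChange, ChangeSchedule |
    Format-Table -AutoSize

# 4. Turn on rotation for one account: a random password, changed monthly in a
#    maintenance window, 2 days before expiry, with an e-mail warning 5 days ahead.
Set-SPManagedAccount -Identity 'CONTOSO\sp_farm' -AutoGeneratePassword:$true `
    -Schedule 'monthly between 1 02:00:00 and 1 04:00:00' -PreExpireDays 2 -EmailNotification 5 -Confirm:$false
```

Run the group and role checks on every server in the farm, not just one: the local groups are per machine, and a stray manual addition on a single WFE is exactly the kind of drift this script is meant to surface.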
With a managed account, you can manually set a new password, have SharePoint generate a random one, or have SharePoint change the password on a rotating schedule.

Everything you do in SharePoint requires a domain or local account, and it is very likely that the account's password will change in the future.

Automatic password change policies
Part of the managed account functionality is the ability for SharePoint to change the password of an account automatically. Forced password changes are a common requirement in highly secured environments such as government agencies and their contractors. Because of the sensitive nature of their business, these environments enforce strict rules requiring every Active Directory account in the domain to change its password every 30, 45, or 60 days. Configuring SharePoint to change the password before that limit is reached prevents SharePoint services from continuing to use the old password, locking the account out, and stopping. Managed accounts let you avoid this failure mode, as long as the SharePoint change schedule is shorter than the domain's maximum password age.

Unmanaged accounts

It is important to note that not every place where a user name and password are used is set up as a managed account. In those cases you must change the account passwords manually via the corresponding UI or a script.

Examples of these areas include:
● Windows services that run other products, such as FAST Search in the older SharePoint 2010 product
● Task Scheduler jobs
● Office Web Apps

Auditing farm-level changes

SharePoint 2013 falls short when it comes to tracking changes that users make at the highest levels of the farm. Other than the IIS and ULS logs, SharePoint has no built-in way to monitor or track actions made above the site-collection level, such as changing web application or farm-level settings.
Even if you attempt to monitor the IIS and ULS logs, building a monitoring solution for each type of change is very difficult because the log formats are so inconsistent, and most such efforts are abandoned soon after they start. In practice the compensating controls are procedural: keep the number of farm administrators small, give each one a personal account rather than a shared one, and perform administration through Windows PowerShell sessions whose transcripts are retained.

Designing extranet farm security

There is always a debate as to how a company should implement an extranet with SharePoint. There are several options to choose from, and which one is right for you is driven by factors such as cost and complexity.

Multiple farms or single farm

The first decision you should make is whether to use your existing farm or to create a second farm in the perimeter network. Most organizations lean toward a separate farm in the perimeter network because, if it is compromised, the intruder only gains access to the content in that farm and has no direct path to other corporate data. This might seem like the logical choice, but it results in higher licensing and server hardware costs, and the perimeter farm typically still needs a domain trust or a separate directory for its users.

Authentication

More often than not, the simplest way to implement external-user authentication is a custom forms-based authentication mechanism (see "Configuring Forms Based Authentication in SharePoint 2013" later in this document).

Designing SharePoint Online security

You might have started to experiment with SharePoint Online as a viable replacement for your on-premises installation of SharePoint. In terms of UI differences, you will notice that various things don't exist, such as Central Administration. This is because you are not allowed to change or modify features that can affect more than just your part of the infrastructure.

Microsoft Online accounts

The default settings for a SharePoint Online service instance use the accounts you set up in the Microsoft Office 365 tenant.
These accounts are typically Microsoft-hosted user accounts in your tenant's domain, such as example@contoso...

Single sign-on

In addition to using Microsoft Online accounts, you have the option to set up an authentication provider external to SharePoint Online that supplies your own user accounts. You then have to consider how both internal and external parties will federate authentication to your corporate network. Typically this means setting up an entry point into your network for the authentication exchange, and that entry point must be hardened like any other internet-facing service.

ADFS 2.0

ADFS 2.0 is software that supports the Web Services Trust Language (WS-Trust), WS-Federation, and Security Assertion Markup Language (SAML). These technologies accommodate remote authentication against other user directories, which then pass back the attributes of those users in the form of claims.

Azure Access Control Services 2.0

Azure Access Control Services (ACS) is a cloud-hosted authentication and authorization broker similar in role to ADFS 2.0. Its main advantage over ADFS 2.0 at the time of writing is the breadth of identity providers it supports with little or no configuration. Following are some features of ACS:
● Out-of-the-box support for Microsoft Account (formerly Live ID), Google, Yahoo, and Facebook
● Support for ADFS 2.0
● Support for Open Authorization (OAuth) 2.0, WS-Trust and WS-Federation
● Support for JSON Web Token (JWT), SAML 1.1/2.0 and Simple Web Token (SWT) token formats
(Note: Microsoft retired ACS in November 2018; new designs should federate through Azure AD or ADFS instead.)

Network security

At a high level, SharePoint 2013 is a set of web applications (ASP.NET and Windows Communication Foundation [WCF]) and databases. As such, you will need to open the typical ports: HTTP and HTTPS (TCP 80 and 443) and SQL Server (TCP 1433 for the default instance, plus UDP 1434 for the SQL Browser service if you use named instances).
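As an added example (not from the original document), the Windows PowerShell below creates firewall rules for the default SharePoint ports listed in the next section, scoped so that the farm-internal ports accept traffic only from the other farm servers while only 80 and 443 are open to everyone. It assumes Windows Server 2012 or later (the NetSecurity module) and uses placeholder addresses for the farm and SQL servers; it also shows the logging alternative to switching the firewall off while bringing the farm up.

```powershell
# Added example, not part of the original document. Creates Windows Firewall
# rules for the default SharePoint 2013 ports, scoped so that farm-internal
# ports accept traffic only from other farm members. Assumes Windows Server 2012
# or later (NetSecurity module) and placeholder addresses.
$farmServers = '10.0.1.10', '10.0.1.11', '10.0.1.12'   # assumed WFE and application servers
$sqlServer   = '10.0.1.20'                             # assumed SQL Server

# Farm-internal services: reachable from the farm, never from clients.
$internal = @(
    @{ Name = 'SP service applications (HTTP/HTTPS/net.tcp)'; Port = '32843-32845' },
    @{ Name = 'SP sandboxed code service';                   Port = '32846' },
    @{ Name = 'SP WCF net.tcp';                              Port = '808' },
    @{ Name = 'SP search components';                        Port = '16500-16519' },
    @{ Name = 'SP distributed cache';                        Port = '22233-22236' },
    @{ Name = 'SP workflow manager';                         Port = '12290-12291' }
)
foreach ($p in $internal) {
    New-NetFirewallRule -DisplayName $p.Name -Group 'SharePoint 2013' -Direction Inbound -Protocol TCP `
        -LocalPort $p.Port -RemoteAddress $farmServers -Profile Domain -Action Allow | Out-Null
}
# Distributed Cache hosts also ping each other.
New-NetFirewallRule -DisplayName 'SP distributed cache ICMP' -Group 'SharePoint 2013' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $farmServers -Profile Domain -Action Allow | Out-Null

# User-facing web ports are the only ones open to any address.
New-NetFirewallRule -DisplayName 'SP web applications HTTP/HTTPS' -Group 'SharePoint 2013' -Direction Inbound `
    -Protocol TCP -LocalPort 80, 443 -Profile Domain -Action Allow | Out-Null

# On the SQL Server itself the equivalent rule admits 1433 from the farm only:
#   New-NetFirewallRule -DisplayName 'SQL from SharePoint' -Direction Inbound -Protocol TCP `
#       -LocalPort 1433 -RemoteAddress $farmServers -Action Allow

# Rather than disabling the firewall while bringing up the farm, log what it drops
# and add rules for the ports that show up in the log.
Set-NetFirewallProfile -Profile Domain -LogBlocked True -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Quick reachability check that works on PowerShell 3.0 (Test-NetConnection needs 4.0).
function Test-TcpPort([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ok = $client.BeginConnect($Computer, $Port, $null, $null).AsyncWaitHandle.WaitOne($TimeoutMs)
        return ($ok -and $client.Connected)
    } finally { $client.Close() }
}
Test-TcpPort -Computer $sqlServer -Port 1433
Test-TcpPort -Computer $farmServers[1] -Port 22233
```

Grouping the rules under one `-Group` name makes them easy to review or remove together with `Get-NetFirewallRule -Group 'SharePoint 2013'`, and the `-RemoteAddress` scoping is what turns the port list into an actual control rather than a wide-open allow list.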
Although HTTP/HTTPS and SQL Server traffic make up the majority of the traffic, there are several other components and their respective ports that you need to consider.

Ports

The following is a list of default ports for the various SharePoint services (yours could differ if your organization has changed the defaults):
● Web application ports TCP 80 and 443
● Active Directory (LDAP) TCP/UDP 389
● Kerberos TCP/UDP 88, and TCP/UDP 464 for password changes
● AppFabric (Distributed Cache Service) TCP 22233-22236 and ICMP traffic
● Workflow Manager TCP 12290 (HTTPS) and 12291 (HTTP)
● SQL Server TCP 1433
● Basic service applications TCP 32843 (HTTP), 32844 (HTTPS) and 32845 (net.tcp)
● Other WCF services TCP 808
● Sandboxed solution service TCP 32846
● Search components TCP 16500-16519
● Forefront Identity Manager (User Profile synchronization) TCP 5725
● DNS TCP/UDP 53
● Office Web Apps TCP 809 (between Office Web Apps servers)

You will find that you must do some configuration to get the Windows Firewall to allow all the various services of SharePoint 2013 to communicate. It is tempting, when you need the services up quickly, to turn off the firewall, get the systems set up, and then re-enable it and analyze which ports need to be allowed. A safer approach is to leave the firewall on, enable logging of dropped packets, and add rules for the ports that appear in the log; the farm-internal ports above should be allowed only from the other servers in the farm, never from any address.

Internet Protocol security

Internet Protocol security (IPsec) is another method of locking down your server communications so that only certain servers can communicate with one another. Similar to SSL, you can use IPsec to secure the traffic between your web front ends (WFEs) and your SQL Server.

Request Management

Request Management is a new feature in SharePoint 2013 that has several goals, a few of which help protect your farm: it can route, throttle, or refuse requests based on rules that match request properties such as the source host or IP address, URL, user agent, and HTTP method, combined with the health score of the target servers.

Database security

Database roles

SharePoint has evolved over the years to add best practices in the realm of SQL Server database permission assignments. This is demonstrated by the use of custom database roles in the configuration and content databases.
This is a large improvement over the days of simply granting the connecting service the database owner (db_owner) role. SharePoint 2013 databases have several database roles that you can assign to grant exactly the permissions a service needs. These roles include the following:
1. WSS_Content_Application_Pools This is the configuration database role for the web application app pools. You give each app pool identity this role so that it can query the configuration database and serve content to users.
2. SharePoint_Shell_Access Rather than assigning db_owner to an account for the configuration database, you can assign this role (which Add-SPShellAdmin manages for you) to allow access to the stored procedures and tables that the Windows PowerShell cmdlets need.
3. SPReadOnly This role exists in both the configuration and content databases. Assigning it grants SELECT (read) permission on all tables and views in the database. You assign the target account this role to ensure that it cannot make any changes.

Web application pool account security

When an application pool is assigned to a SQL Server database, the following database roles are configured automatically for the application pool identity:
● SPDataAccess on the target content database
● WSS_CONTENT_APPLICATION_POOLS on the farm configuration database
● WSS_CONTENT_APPLICATION_POOLS on the SharePoint_Admin (Central Administration) content database

Because these grants are automatic, an app pool identity that also appears in db_owner, sysadmin, or a Windows group holding those rights is a sign that somebody widened permissions by hand; such grants should be removed.

Database administrator security

It is important to note that database administrators have full access to your SharePoint data even if they are not a farm, site collection, or site administrator.
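The following added example (not from the original document) audits the picture described in the two sections above: for every SharePoint database it lists who holds each of the custom roles and flags anyone still in db_owner, and it reports whether each database is protected by Transparent Data Encryption, which the "SQL Server Transparent Data Encryption" section below discusses. It assumes the SharePoint 2013 Management Shell and a Windows login that can read role membership and encryption state on the instance; the instance name used for the TDE query is a placeholder.

```powershell
# Added example, not part of the original document. Lists who holds which role in
# every SharePoint database, flags db_owner members, and reports TDE status.
# Assumes the SharePoint 2013 Management Shell and a login with VIEW ANY DEFINITION
# and VIEW SERVER STATE on the SQL instance; the instance name below is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Invoke-Sql([string]$Server, [string]$Database, [string]$Query) {
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Database=$Database;Integrated Security=SSPI;")
    $conn.Open()
    try {
        $table = New-Object System.Data.DataTable
        (New-Object System.Data.SqlClient.SqlDataAdapter($Query, $conn)).Fill($table) | Out-Null
        return $table
    } finally { $conn.Close() }
}

# Role membership inside one database. The expected picture: app pool identities in
# SPDataAccess / WSS_Content_Application_Pools, shell admins in SharePoint_Shell_Access,
# read-only auditors in SPReadOnly, and only the farm account (if anyone) in db_owner.
$roleQuery = @"
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members drm
JOIN sys.database_principals r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = drm.member_principal_id
WHERE r.name IN ('db_owner','WSS_Content_Application_Pools','SharePoint_Shell_Access','SPDataAccess','SPReadOnly')
ORDER BY r.name, m.name;
"@

$findings = foreach ($db in Get-SPDatabase) {
    foreach ($row in (Invoke-Sql -Server $db.NormalizedDataSource -Database $db.Name -Query $roleQuery)) {
        [pscustomobject]@{
            Database = $db.Name
            Role     = $row.role_name
            Member   = $row.member_name
            Flag     = if ($row.role_name -eq 'db_owner') { 'REVIEW: db_owner bypasses the custom roles' } else { '' }
        }
    }
}
$findings | Format-Table -AutoSize

# TDE status. is_encrypted becomes 1 once the key is set; encryption_state 3 means the
# background scan has finished and every page on disk is actually encrypted.
$tdeQuery = @"
SELECT d.name, d.is_encrypted, ISNULL(k.encryption_state, 0) AS encryption_state
FROM sys.databases d
LEFT JOIN sys.dm_database_encryption_keys k ON k.database_id = d.database_id
WHERE d.database_id > 4
ORDER BY d.name;
"@
Invoke-Sql -Server 'SQL01\SHAREPOINT' -Database 'master' -Query $tdeQuery | Format-Table -AutoSize
```

Run it after every upgrade or migration as well as on a schedule: both are moments when someone is likely to have granted db_owner "temporarily" and never taken it back.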
In SharePoint 2010 and earlier, a database administrator (DBA) could run a few Transact-SQL (T-SQL) commands mixed with Windows PowerShell and dump the entire contents of a content database without needing a SharePoint farm at all, and nothing in SharePoint's own audit logs would show it.

Backup security

One of the last areas that SharePoint administrators consider is database backups. These backups contain your files, list data, and possibly many other pieces of information about your company. Every day you back up this data and put it on a share somewhere, copy it to tape, ship the tapes somewhere, and, lastly, send a copy to your developers (if you have such a role in your company), who copy it to the development server, their laptops, their home computers, or any other place you would not have anticipated (the USB stick left at the training center last week). Treat backup files and their storage locations with the same access controls as the live databases, and prefer encrypted backups (for example, by enabling TDE, below) for any copy that leaves the data center.

Database and file encryption

SharePoint security alone might not be enough to meet the stringent requirements of your security team. In some cases they might ask you to go several steps further than locking down who the farm administrators, site-collection administrators, and site administrators are and who is in which groups. You might be required to encrypt the database files at rest, or even to encrypt the files before or during their upload to SharePoint. You can implement this type of encryption in several ways.

SQL Server network encryption with SSL

Aside from using IPsec, you can also force SQL Server traffic to use SSL to encrypt the traffic between the server and its clients. This requires a server certificate on the SQL Server that the SharePoint servers trust, with the Force Encryption option enabled on the instance. It is not commonly done today, but as hardware continues to become more efficient, more organizations are likely to use it.

SQL Server Transparent Data Encryption

Although Transparent Data Encryption (TDE) does nothing at the application layer, SQL Server can encrypt the data as it is written so that the data and log files on disk are encrypted. Backups of a TDE-protected database are encrypted as well, which is what makes it useful for the backup problem described above.
This prevents anyone who gains access to the data files or backups from restoring the database and retrieving its contents without the certificate that protects the database encryption key. That certificate lives in the master database of the SQL Server instance; back it up separately and store the backup (and its password) away from the database backups, or you will be unable to restore to another instance.

Application-layer encryption

There are several vendors that provide application-layer encryption for SharePoint 2013. These products typically work by encrypting the file on upload and decrypting it on download. Others encrypt on check-in and decrypt on check-out. This makes it possible for the data to be encrypted in the database and on any backup, and decrypted only when a user retrieves it. The trade-off is that SharePoint features which need the plaintext on the server, such as search indexing and document previews, only work to the extent the vendor integrates with them.

Remote Blob Storage encryption

Another way to encrypt your file contents (but not your list contents) is to implement a Remote Blob Storage (RBS) provider that features data encryption. As files are written to the SharePoint 2013 content database, SQL Server hands the file to the RBS provider, which in turn encrypts the data on the disk. This means the data files at rest cannot be read by anyone who has access to the share that contains them. Because this encryption occurs in a layer below SharePoint (the blobs are decrypted transparently when SQL Server reads them back), all of the built-in features of SharePoint 2013 continue to work properly.

Service application security

Service applications have database-level permissions that must be considered, but you must also consider the higher-level API calls that a service application exposes. These calls cannot be made by just any individual or service account; the caller must be granted permission on the service application to perform those actions. In this case, you are managing not just database-level permissions but application-level permissions as well.

Search security

Search works by indexing the files and data in content sources, which can be any number of things. When the crawler reaches each resource, it requests the access control list (ACL) information and stores it in the index alongside the content, so that results are trimmed to what each searcher is allowed to see. Access to the data itself is made using the credentials of the default content access account.
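The following added example (not part of the original document) puts the least-privilege pattern of the search discussion into PowerShell, and also shows the service-application-level grant that the "Service application security" section describes: it creates one crawl rule per content source, each with its own crawl account so that the default content access account never needs organization-wide read, and then grants the crawler only the "Retrieve People Data for Search Crawlers" right on the User Profile service application. All URLs and account names are placeholders, and it assumes a single Search service application and an existing User Profile service application.

```powershell
# Added example, not part of the original document. Assumes the SharePoint 2013
# Management Shell, one Search service application, a User Profile service
# application, and pre-created domain accounts; all names and paths are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssa = Get-SPEnterpriseSearchServiceApplication   # assumes exactly one Search service application

# Per-source crawl accounts (assumed names). Each is granted read on its own repository only,
# so a compromised crawl identity exposes one content source instead of everything.
$sources = @(
    @{ Path = 'http://hr.contoso.com/*';            Account = 'CONTOSO\svc_crawl_hr' },
    @{ Path = 'http://finance.contoso.com/*';       Account = 'CONTOSO\svc_crawl_fin' },
    @{ Path = 'file://fs01.contoso.com/projects/*'; Account = 'CONTOSO\svc_crawl_fs' }
)
foreach ($s in $sources) {
    $cred = Get-Credential -UserName $s.Account -Message "Password for $($s.Account)"
    # An inclusion rule carrying its own NTLM credentials overrides the default content
    # access account for every URL that matches Path.
    New-SPEnterpriseSearchCrawlRule -SearchApplication $ssa -Path $s.Path -Type InclusionRule `
        -AuthenticationType NTLMAccountRuleAccess -AccountName $cred.UserName `
        -AccountPassword $cred.Password | Out-Null
}

# Review: every rule, the path it covers, and the account the crawler will use there.
Get-SPEnterpriseSearchCrawlRule -SearchApplication $ssa |
    Select-Object Path, Type, AuthenticationType, AccountName | Format-Table -AutoSize

# Service-application-level permission (the "higher-level API" layer): the default
# content access account may read profiles for People Search, and nothing more.
$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq 'User Profile Service Application' }
$crawler  = New-SPClaimsPrincipal -Identity 'CONTOSO\svc_crawl' -IdentityType WindowsSamAccountName
$security = Get-SPServiceApplicationSecurity $upa
Grant-SPObjectSecurity -Identity $security -Principal $crawler -Rights 'Retrieve People Data for Search Crawlers'
Set-SPServiceApplicationSecurity $upa -ObjectSecurity $security

# Confirm who holds what on the User Profile service application.
(Get-SPServiceApplicationSecurity $upa).AccessRules |
    Select-Object Name, AllowedRights | Format-Table -AutoSize
```

The crawl accounts themselves still need to be granted read access on the target systems (and Full Read on SharePoint web applications, as the web application policy section explains); the crawl rules only decide which credentials are presented where.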
The default content access account must have read access to all content that needs to be indexed. As discussed in earlier chapters, it is not always best to set up this one account with full read access to all the data in your organization. Instead, use crawl rules to break that access into separate crawl accounts, each scoped to a content source. The main reason is blast radius: in highly secure and sensitive government installations you will find well-resourced adversaries very eager to break into systems and obtain data, and if you use one default content access account and that account is compromised, you have just given the attacker read access to everything it can crawl. Separate crawl accounts limit the damage to a single content source.

Secure Store

When setting up applications to use the Secure Store, ensure that you do not map them to an account that gives the users of that application more access than they need. A good example is a Business Connectivity Services (BCS) model that uses the Secure Store to reach the data behind the scenes. If users are allowed to make calls to the BCS model, the code behind the process uses the account assigned to it, which might give a user access to data that they would not otherwise have.

BCS

One of the more interesting uses of BCS is to extend your search to index external content. This approach works very well, but most people do not set up the security of the system properly: the account in the Secure Store target application that the crawler uses should have read-only access to the external system, and the BCS model's own permissions should restrict who can execute it.

User Profile services

The User Profile service (UPS) application supports a variety of operations that are valuable to the users of SharePoint 2013. One of the biggest features is a User Profile for each user.

From a security standpoint, consider whether your executive team wants their mobile-phone details exposed. In most large organizations this is frowned upon, and the property is removed from the feed.
There are several ways to do this, including but not limited to the following:
● Remove the property from Active Directory so that it is not imported
● Run a clean-up script to remove the property from the profiles
● Set the property's privacy to "Only Me"

Web application security

A SharePoint 2013 web application is the container for your content databases and site collections. It is also the layer in the SharePoint architecture where you define how individuals are authenticated to that content. In terms of what it actually is, it is simply an ASP.NET site in IIS. It can be configured with any number of authentication mechanisms, allowing various users access to the content in its site collections.

Authentication providers

Authentication is concerned with what credentials end users can present to prove that they are who they say they are. Because of the extensibility and standards-based support of SharePoint 2013, the possibilities for authentication are nearly endless, but at the very least the two main options shown in the UI need to be covered here.

NTLM

NTLM is an older protocol that is still widely used because of its simplicity and ease of setup. NTLM works via a challenge-response exchange between the client and each server: the server sends a challenge, the client answers with a response derived from the user's password hash, and the server verifies it with the domain controller. There is no reusable ticket, so the exchange is repeated for each server the user connects to, and the server cannot use the result to act on the user's behalf against a further back-end system (the "double hop" problem that affects services such as Excel Services and BCS). In most cases this is unacceptable for anything beyond a single web server.

Kerberos

Kerberos is the second protocol that you can choose for your web application authentication. Kerberos works by issuing tickets (no, not the speeding kind). When a user has logged on, the ticket-granting ticket is not resource based and can be used to request service tickets for any system that supports Kerberos.
There are three parties involved in the process, also known as the famous three heads: the Key Distribution Center (KDC), the user (client), and the server. Kerberos requires service principal names (SPNs) registered for each web application URL on the application pool account, and it is the option that supports constrained delegation to back-end services.

Claims-based authentication

As part of the authentication process, after you have successfully logged on, the authentication provider returns a set of claims. The package in which these claims are stored can be one of the following formats:
● Windows claims
● SAML-based claims
● Forms-based authentication claims
● JWT
● SWT

ADFS 2.0

It is also possible to set up a trust between ADFS and your SharePoint farm such that all authentication is routed through ADFS (no direct NTLM or Kerberos to SharePoint), and thus all authentication ends up at the respective authentication providers behind ADFS. SharePoint treats this as incoming (SAML) claims authentication.

Configuring Forms Based Authentication in SharePoint 2013

Configuring forms-based authentication (FBA) in SharePoint 2013 is very similar to SharePoint 2010, but there are some differences because SharePoint 2013 uses .NET 4.0. The web.config entries are slightly different. Also, IIS does not support editing .NET 4.0 membership provider configuration through the IIS Manager interface, so all of the configuration has to be done directly in the .config files. I'll go through all of the steps required to set up FBA for SharePoint 2013, from start to finish.

Configuring SharePoint

Now that the membership and role providers have been configured, we can configure SharePoint to use them. For this example, create a new SharePoint web application. The same settings can be applied to an existing web application through the Authentication Providers dialog.

Open SharePoint Central Administration -> Application Management -> Manage Web Applications.

Click "New" to create a new web application.

Name the web application and adjust any other options to your preferences.

Check "Enable Forms Based Authentication (FBA)". Enter the Membership Provider Name and Role Provider Name that you configured in the web.config.
For this example we used "FBAMembershipProvider" and "FBARoleProvider" (without the quotation marks). The names must match the name attributes in web.config exactly.

Also, for this example we left "Enable Windows Authentication" checked. This allows us to log in either via Windows authentication or forms-based authentication (SharePoint will prompt you at login for which method you would like to use).

Click OK.

An Application Created dialog will appear. Click the "Create Site Collection" link to create the first site collection for this web application.

From the Create Site Collection dialog, give the site collection a name and URL and select a template.

For the Primary Site Collection Administrator, leave it as your Windows administrator account, so that you can log in without FBA. For the Secondary Site Collection Administrator, set it to 'fbaadmin', the FBA account we set up in Part 2 (if you skipped Part 2 because you are using the SharePoint 2013 FBA Pack, you can leave this blank for now and use your domain account to log in to SharePoint and create your FBA users). You can set these to whatever is appropriate for your setup. Click OK.

You will get the "Top-Level Site Successfully Created" dialog. Click the URL to visit the new site collection.

When authenticating to the site collection, if you enabled both Windows authentication and forms-based authentication, you will be prompted for which method you would like to use. Choose Forms Authentication.

You will be prompted for a user name and password. Enter the user name and password of the account that we created and set as the Secondary Site Collection Administrator.

You are now logged in to the site as a site collection administrator with a forms-based account. Before going live, make sure the login page is served only over HTTPS (see "SSL" below): with FBA the user's password travels in the POST body, which Windows authentication never does.

Web application access policies

These policies are scoped at the web-application level.
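As an added example that is not part of the original post, the script below performs the FBA procedure just described from the SharePoint 2013 Management Shell and adds the web.config provider entries the text says must be edited by hand, then applies web application policies to the same web application as covered in this section. It assumes a SqlMembershipProvider database created with aspnet_regsql.exe (the "Part 2" the text refers to), an HTTPS host name, and placeholder account, server and database names; the provider XML, the Set-WebAppPolicy helper and the Add-FbaProviders helper are this example's own, not SharePoint cmdlets.

```powershell
# Added example, not part of the original post. Assumes the SharePoint 2013 Management
# Shell, an aspnet_regsql.exe membership database, and placeholder names throughout.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url         = 'https://extranet.contoso.com'                      # assumed; HTTPS so FBA passwords are not posted in clear
$appPoolAcct = 'CONTOSO\sp_extranet_pool'                          # assumed managed account
$fbaConn     = 'Server=SQL01\SHAREPOINT;Database=aspnetdb;Integrated Security=SSPI;'   # assumed

# 1. Web application with both providers ("Enable Windows Authentication" + "Enable FBA").
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
$forms   = New-SPAuthenticationProvider -ASPNETMembershipProvider 'FBAMembershipProvider' -ASPNETRoleProviderName 'FBARoleProvider'
$wa = New-SPWebApplication -Name 'Extranet' -Url $url -Port 443 -SecureSocketsLayer -HostHeader 'extranet.contoso.com' `
        -ApplicationPool 'Extranet' -ApplicationPoolAccount (Get-SPManagedAccount $appPoolAcct) `
        -AuthenticationProvider $windows, $forms -DatabaseName 'WSS_Content_Extranet'

# 2. Provider entries, needed in three web.config files: the new web application, the
#    Security Token Service (which validates the logon) and Central Administration (people picker).
$providerXml = @"
<root>
  <connectionStrings><add name="FBAConnection" connectionString="$fbaConn" /></connectionStrings>
  <system.web>
    <membership><providers>
      <add name="FBAMembershipProvider" connectionStringName="FBAConnection" applicationName="/"
           type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false"
           passwordFormat="Hashed" minRequiredPasswordLength="12" minRequiredNonalphanumericCharacters="1"
           maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" />
    </providers></membership>
    <roleManager><providers>
      <add name="FBARoleProvider" connectionStringName="FBAConnection" applicationName="/"
           type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers></roleManager>
  </system.web>
</root>
"@
function Add-FbaProviders([string]$ConfigPath) {
    Copy-Item $ConfigPath "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"   # keep a rollback copy
    $cfg = [xml](Get-Content $ConfigPath)
    $tpl = [xml]$providerXml
    foreach ($section in 'connectionStrings', 'system.web/membership/providers', 'system.web/roleManager/providers') {
        $node = $cfg.configuration                       # walk or create the path under <configuration>
        foreach ($part in $section.Split('/')) {
            $child = $node.SelectSingleNode($part)
            if (-not $child) { $child = $node.AppendChild($cfg.CreateElement($part)) }
            $node = $child
        }
        if ($section -like '*roleManager*') { $node.ParentNode.SetAttribute('enabled', 'true') }
        $tplNode = $tpl.SelectSingleNode("root/$section/add")
        $name = $tplNode.GetAttribute('name')
        if (-not $node.SelectSingleNode("add[@name='$name']")) {   # idempotent: skip if already present
            $node.AppendChild($cfg.ImportNode($tplNode, $true)) | Out-Null
        }
    }
    $cfg.Save($ConfigPath)
}
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$caWa = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
$configs = @(
    (Join-Path $wa.IisSettings[$zone].Path.FullName 'web.config'),
    (Join-Path $caWa.IisSettings[$zone].Path.FullName 'web.config'),
    (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\15\WebServices\SecurityToken\web.config')
)
foreach ($c in $configs) { Add-FbaProviders $c }   # repeat on every WFE; web.config is per server

# 3. First site collection: Windows primary owner (always able to log in without FBA),
#    FBA admin as secondary. FBA identities are encoded claims: i:0#.f|<provider lower-case>|<user>.
$fbaAdmin = 'i:0#.f|fbamembershipprovider|fbaadmin'
New-SPSite -Url $url -Template 'STS#0' -Name 'Extranet' -OwnerAlias 'CONTOSO\spadmin' -SecondaryOwnerAlias $fbaAdmin | Out-Null

# 4. Web application policies: Full Read for the search crawler, Deny All for a departed user.
function Set-WebAppPolicy($WebApp, [string]$Login, [string]$Display, [Microsoft.SharePoint.Administration.SPPolicyRoleType]$Role) {
    $policy = $WebApp.Policies.Add($Login, $Display)
    $policy.PolicyRoleBindings.Add($WebApp.PolicyRoles.GetSpecialRole($Role))
    $WebApp.Update()
}
Set-WebAppPolicy $wa 'i:0#.w|contoso\svc_crawl' 'Search crawler' ([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
Set-WebAppPolicy $wa 'i:0#.f|fbamembershipprovider|jdoe.left' 'J. Doe (terminated)' ([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)

# Policies never appear in Site Settings, so list them from here when auditing.
$wa.Policies | Select-Object UserName, DisplayName, @{ n = 'Roles'; e = { ($_.PolicyRoleBindings | ForEach-Object Name) -join ', ' } }
```

The provider entries do not replace SharePoint's own "i" and "c" providers in web.config; they are added alongside them, which is why the helper appends to existing `<providers>` nodes rather than rewriting the section. Skipping the Security Token Service web.config is the classic mistake: the web application will show the FBA login page but every logon fails.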
You can add or remove permissions across all the site collections in a web application based on these policies.

SharePoint 2013 has no notion of "deny" at the site-collection or web level. Any deny must be done through a web application policy. Some uses of web application policies include the following:
● Granting read access to your search content access accounts (this is done automatically when you configure the account through the Search service application UI)
● Creating an auditor role
● Creating a web application administrator role
● Denying a set of users any type of write capability to web application content
● Denying users access to content completely

It is important to note that site-collection administrators and site administrators do not see web application policies anywhere in their UI. In other words, they have no idea that you have granted someone access to their site unless that person modifies something. You can apply each web application policy to a specific zone or to all zones. There are four out-of-the-box permission sets from which you can choose:
● Full Control Gives full control to the specified users, regardless of what permissions they hold across the web application's site collections and sites.
● Full Read Supplements any existing permission with read access across the entire web application.
● Deny Write Leaves any read permission intact, but removes any write permission the user has across the web application.
● Deny All Locks the user out completely. This is valuable for people who have been terminated or must be explicitly denied access to a system, because it overrides every site-level grant they may still hold.

SSL

When users access their site collections, sites, libraries, lists, and documents, that traffic typically flows over HTTP. HTTP is a stateless protocol that does not encrypt traffic; it simply sends what it is told from point A to point B over TCP/IP.
Every page, document, and credential (for forms-based authentication, the password itself) is sent into the wilds of the network it traverses, readable by anyone who is watching. Use HTTPS for every zone that users or apps reach, not only the one facing the internet.

App Model security

With the App Model, both internal and external developers can build applications ("apps") that make calls back to SharePoint over the client object model (CSOM) or the REST API.

The user opens the app, and SharePoint 2013 makes a call out to ACS in the cloud to get a context token. Next, SharePoint 2013 passes this context token to the remote application. The remote application then requests an access token from ACS, which it in turn uses to call back into the SharePoint farm. This process is just one of the flows defined in the OAuth 2.0 specification, and it is used extensively in SharePoint 2013. Beyond this basic form of authorization, you can use more advanced flows by employing the newer OAuth 2.0 features.

OAuth 2.0

OAuth is an open standard for authorization. OAuth provides client applications "secure delegated access" to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner, or end user. The client then uses the access token to access the protected resources hosted by the resource server. OAuth is commonly used as the basis for letting web users sign in to third-party web sites with their Google, Facebook or Twitter accounts without handing those sites their credentials (strictly, OAuth authorizes access to a profile API; the site then treats the profile it receives as a login).

OAuth is the standardization and combined wisdom of many well-established industry protocols. It is similar to other protocols that were in use at the time (Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, Amazon Web Services API, and so on).
Each of those protocols provides a proprietary method for exchanging user credentials for an access token or ticket. OAuth was created by carefully studying each of them and extracting the best practices and commonality that allow new implementations, as well as a smooth transition for existing services, to support OAuth.

An area where OAuth is more evolved than some of the other protocols and services is its direct handling of non-website clients. OAuth has built-in support for desktop applications, mobile devices, set-top boxes, and of course websites. Many of the earlier protocols relied on a shared secret hard-coded into the client software, which is a problem when the software that accesses your private data is open source, or can simply be decompiled. The same caution applies to SharePoint apps: a provider-hosted app's client secret belongs on the remote web server, never in JavaScript delivered to the browser.

Server-to-server authentication

SharePoint 2013 extends OAuth to implement a server-to-server (S2S) authentication protocol that services such as SharePoint 2013 can use to authenticate with other services such as Microsoft Exchange Server 2013, Microsoft Lync Server 2013, or any other service that is compliant with the S2S protocol. SharePoint 2013 has a dedicated local S2S security token service (STS) that issues server-to-server security tokens containing user identity claims, enabling cross-server authenticated access. The receiving service uses these identity claims to look up the user in its own identity provider; the trust between the two servers rests on the signing certificate of the issuing STS, so that certificate must be protected and rotated like any other signing key.

Site collection administrators

The Site Collection Administrators group is a special group whose membership is initially the primary and optional secondary site-collection administrator specified when the site collection is created. Users in this group have full, elevated permissions over the entire site collection, and cannot be restricted by permission levels set within it. Site collection administrators can grant membership in this exclusive group from Site Settings (farm administrators can also change the primary and secondary administrators from Central Administration).
To do so, in the upper-right corner of the Home page, click the Settings icon (the small gear graphic), and then, on the Site Settings page, click Site Collection Administrators.

SharePoint Designer

The reality is that the right way to disable SharePoint Designer is via an HTTP handler that intercepts the SharePoint Designer HTTP header and denies access for the user context. Even though this could be circumvented to gain access, very few people will know how to do that, and you will still have logs of what they did if they tried. Using this approach, you can then specify Active Directory groups or specific users that do or do not have access to Designer. There are several tools available with which you can do this; they are included in the referenced URL.

Site, list, and item security

SharePoint would not be SharePoint without the sites, document libraries, lists, documents, and items. These core components of the system are what we work so hard to create, manage, and retire when the time comes.

SharePoint users and groups

Something that has always been an issue in SharePoint is exporting a site collection, or part of a site collection, and importing it into a new site collection (by using the Windows PowerShell Export-SPWeb and Import-SPWeb cmdlets). In some cases, you will find that the ID of the user already existed in the target site collection and is overwritten by the import command. This leads to a loss of permissions for that user, even though the UI might show that the user still has access. Be careful when importing and exporting content by using the export-security switch. Always fully test your imports and exports in a development environment to ensure that everything works the way you intend.

Permission levels

Permission levels are groupings of permissions that you can assign to users, groups, or application principals. Out of the box, SharePoint 2013 has various permission levels available, each configured from a core set of allowable actions. The most common of these are Full Control, Contribute, and Read. It is important as a site-collection or site administrator that you understand what each of these permission levels does.

Following is a list of the default permission levels on a typical site:
● View Only: Users can view application pages. The View Only permission level is used for the Excel Services Viewers group.
● Limited Access: Users can access shared resources and a specific asset. Limited Access is designed to be combined with fine-grained permissions to grant users access to a specific list, document library, folder, list item, or document, without granting access to the entire site. You cannot edit or delete Limited Access.
● Read: Users can view pages and list items, and download documents.
● Contribute: Users can manage personal views, edit items and user information, delete versions in existing lists and document libraries, and add, remove, and update personal Web Parts.
● Edit: Users can manage lists.
● Design: Users can view, add, update, delete, approve, and customize items or pages on the website.
● Full Control: Users have full control of the website.

If you use a site template other than the Team Site template, you might see a different list of permission levels. Some examples include the following, which you would see in a publishing site:
● Restricted Read: Users can view pages and documents. For publishing sites only.
● Approve: Users can edit and approve pages, list items, and documents. For publishing sites only.
● Manage Hierarchy: Users can create sites; edit pages, list items, and documents; and change site permissions.

Permissions

Permissions are categorized as list permissions, site permissions, and personal permissions, depending on the objects to which they can be applied.
For example, site permissions apply to a particular site, list permissions apply only to lists and libraries, and personal permissions apply only to certain objects, such as personal views and private Web Parts.

Permission assignment and inheritance

Inheritance

When a site collection is first created, a root site is also created, and all the lists inside that site inherit the same security as the site itself. This is known as inheritance. You can break the inheritance so that each level has its own unique permissions. At a later time, you can also choose to re-inherit the parent’s permissions. A list can have up to 50,000 different permission scopes.

The following are some best practices when breaking inheritance:
● Set unique scopes on parent objects such as folders.
● Do not create a system with many uniquely permissioned objects below an object that has many scopes.
● If you require more than 50,000 uniquely permissioned items in a list or document library, you must move some items to a different list or document library.

Sharing

Sharing is a new quick permission assignment feature of SharePoint 2013. With Sharing, you can quickly type in a set of users and share the item with them. The default permission level is to give Contribute

Information Management Policies

As mentioned, this must be built; the out-of-the-box management policies do not allow for permission assignment but do allow for the following:
● Auditing: Specifies which auditing flags should be enabled for the targeted content.
● Barcodes: Generates Code39 barcodes for your items.
● Retention: You can specify how long you should keep content, where it should go when “expired,” and what action to perform when it needs to be removed.
● Labels: Sets a specific value based on other column values, with the idea of creating a meaningful

Information Rights Management

“What’s new in SharePoint 2013,” Information Rights Management (IRM) is finally a mature technology that has been given focus in SharePoint 2013. SharePoint 2013 combined with IRM is finally the best of both worlds when it comes to protecting your sensitive content while still using the tools you want, such as Office clients and Office Web Apps. Among other things, IRM helps with restricting or allowing the following user actions:
● View a document
● Print a document
● Forward a document
● Prevent copying of content
● And many more

Designing an auditing strategy

At some point in the future, or even right now, you might notice that individuals have been given access to things to which they shouldn’t have access. You might see that items have disappeared that shouldn’t have. You might see items show up that you weren’t expecting to appear. All of these things can be audited by using the SharePoint auditing features. By default, auditing is turned off for sites. You must turn it on via the Site Settings page for each site. Given that you might have hundreds, if not thousands, of sites, this is most easily accomplished via Windows PowerShell; however, you might find this is not so easy in SharePoint Online. The basics of the audit revolve around the AuditSettings.aspx page. It has several check boxes to turn on auditing of different events:
● Opening or downloading documents, viewing items in lists, or viewing item properties
● Editing items
● Checking out or checking in items
● Moving or copying items to another location in the site
● Deleting or restoring items
● Editing content types and columns
● Searching site content
● Editing users and permissions

A complete checklist of the things you should do to secure your SharePoint farm includes the following:
● Implement SSL on your web applications (including Central Administration) and supporting services.
● Ensure that you are auditing user activity via the auditing features.
● Implement a technical governance control on your site creation and permission assignments.
● Implement a site-owner reminder to ensure that permissions are accurate throughout the lifetime of the site.
● Implement rights management to protect resources from leaving your network in uncontrolled ways.
● Ensure that you review the management policies and procedures of your external authentication providers.
● Review your database backup procedures to ensure that anyone with access to the backups cannot compromise your content security.
● Ensure that you are resetting passwords in a manner that is appropriate for your business environment and that you have the scripts to reset those passwords in an optimized fashion.
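Turning on the AuditSettings.aspx events across hundreds of sites is, as the auditing section says, easiest from Windows PowerShell. The following script is an added example (not from the original document): it sets the same audit mask on every site collection in a web application and enables audit-log trimming. The web application URL and the 90-day retention period are assumptions to adjust for your environment.

```powershell
# Added example: enable the audit events listed on AuditSettings.aspx for every
# site collection in a web application. Run in the SharePoint 2013 Management
# Shell on a farm server, as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# SPAuditMaskType flags matching the check boxes on the page:
#   View              opening/downloading documents, viewing items and properties
#   Update            editing items
#   CheckOut, CheckIn checking items out or in
#   Move, Copy        moving or copying items within the site
#   Delete, Undelete  deleting or restoring items
#   SchemaChange      editing content types and columns
#   Search            searching site content
#   SecurityChange    editing users and permissions
$auditMask = [Microsoft.SharePoint.SPAuditMaskType]"View, Update, CheckOut, CheckIn, Move, Copy, Delete, Undelete, SchemaChange, Search, SecurityChange"

function Enable-SiteCollectionAuditing {
    param(
        [Parameter(Mandatory = $true)] [string] $WebApplicationUrl,
        [int] $RetentionDays = 90   # assumed retention; align with your records policy
    )
    $webApp = Get-SPWebApplication -Identity $WebApplicationUrl
    foreach ($site in $webApp.Sites) {
        try {
            # Only write when the mask differs, so re-running the script is harmless.
            if ($site.Audit.AuditFlags -ne $auditMask) {
                $site.Audit.AuditFlags = $auditMask
            }
            # Without trimming, the audit table grows without bound in the content DB.
            $site.TrimAuditLog = $true
            $site.Audit.AuditLogTrimmingRetention = $RetentionDays
            $site.Audit.Update()

            # Emit one record per site collection so the result can be reviewed or exported.
            [pscustomobject]@{
                Url           = $site.Url
                AuditFlags    = $site.Audit.AuditFlags
                RetentionDays = $site.Audit.AuditLogTrimmingRetention
            }
        }
        finally {
            $site.Dispose()   # SPSite holds unmanaged resources; always dispose
        }
    }
}

# Assumed web application URL; replace with your own.
Enable-SiteCollectionAuditing -WebApplicationUrl "https://intranet.example.test" |
    Format-Table -AutoSize
```

Review the emitted table for site collections whose AuditFlags still differ from the mask; those are the sites where an administrator has since changed the settings by hand.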