Best practices for Security and Governance in SharePoint 2013

Antonio Maio
Protiviti, Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP
Best Practices for Security and
Governance in SharePoint 2013
Email: Antonio.maio@protiviti.com
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2

© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
About Protiviti
INDIA (3)
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance,
technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in
over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We
also work with smaller, growing companies, including those looking to go public, as well as with government
agencies.
Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert
Half International is a member of the S&P 500 index.
• 2,500+
professionals
• 1,000+ clients
• 70+ offices
• Over 20
countries in
the Americas,
Europe and
Asia-Pacific
Protiviti is one of
the fastest
growing
consulting firms
worldwide. Our
revenues have
increased from
US $15 million in
2002, to US
$423.8 million in
2011.

Goal
Inform and Educate on Key SharePoint Security Features
Illustrate the Importance of Establishing Strong Governance

What do we know about Security
and Governance?
• Security is critical in government and military deployments
• It’s a critical consideration in business
• Requires good planning
• Requires good awareness of SharePoint capabilities
• Requires knowledge of what SharePoint cannot do
• Yet… Security and Governance are still often an after thought
for many deployments

What Drives our Information Security Needs?
• Information Security comes down to 2 or 3 drivers
– Protecting Your Investments
(intellectual property, digital assets, competitive advantage…)
– Reducing Your Liability
(avoid compliance violations, fines/sanctions, reputation issues…)
– Public Safety or Mission Success
(protect classified information, mission plans, reputation issues…)
– Public Health
(health records, health insurance, insurance fraud/theft…)

What Drives our Information Security Needs?
• How does this affect us as SharePoint people?
– How We Deploy SharePoint
– Control Access
– Assign Roles
– Establish Repeatable/Predictable Process
– Regulatory Compliance Standards
– Auditing & Reporting Obligations

Information Governance
Ignorance is not always bliss… it’s problematic!
… Why?

Information Governance
• Governance means setting out the structures, people,
policies, procedures and controls implemented to
manage information and support an organization's
immediate and future requirements:
– Regulatory
– Legal
– Risk
– Administrative
– Environmental
– Operational

Governance and SharePoint
• SharePoint as a platform which offers services to your
organization’s users
• Governance for the SharePoint platform means:
• Managing existing services in a predictable way
• Deploying new services in a predictable way
• Providing a clear set of guidelines for usage and administration
• Achieve Strong Governance for SharePoint:
1. Develop a Governance Plan
• Cross functional - Identifies ownership for business and technical teams
• Regulatory, risk, legal, admin, environmental, organizational Needs
2. Establish a Governance Team
• Include stakeholders from across the organization

Define Information
Architecture/Structures
(Includes Metadata Taxonomy)
Confidential
Developing a SharePoint Governance Plan
- Key Areas to Focus
Define Security Controls/Groups,
Permissions and Roles for Assigning
Permissions
Define Roles, Responsibilities,
Authority
Determine Training Needs;
Plan to Educate User
Community
Define Rules for Site Creation,
Management, Decommissioning

SharePoint Deployment
• Plan your Deployments and Necessary User Accounts
• Use Least Privileged Accounts
• Review SharePoint deployment guide before you install
• SharePoint is a web application built on top of SQL Server
– Best practice: to use specific user accounts for specific purposes with
least privileges
• Benefits: Separation of Concerns
– Multiple points of redundancy
– Targeted auditing of account usage
– Minimize the risk of compromised accounts

Deployment User Accounts
• Use 3 Different Deployment Accounts (at minimum)
SQL Server Service Account Setup User Account SharePoint Farm Account
Assign to MSSQLSERVER and
SQLSERVERAGENT services when
installing SQL Server
(ex. domainSQL_service)
Used to install SharePoint, run
Product Config Wizard, install
patches/update
Used to run the SharePoint farm;
not just for database access (ex.
domainsp_farm_user)
No special domain permissions -
given required rights in SQL Server
during SQL setup
Login with this when running setup
(ex. domainsp_setup_user)
After Product Config Wizard run,
prompted to provide the Database
Access Account – this is the all
powerful farm account
Must be local admin on each server
in SharePoint farm (except SQL
Server if its different box)
Given ownership of Config
database - also configures several
SharePoint services (ex. timer
service) to use this as its identity
Before starting SharePoint setup,
assign the securityadmin and
dbcreator roles in SQL

Deployment User Accounts
• Use 3 Different Deployment Accounts (at minimum)
SQL Server Service Account Setup User Account SharePoint Farm Account
• Should all be AD domain accounts (user accounts)
• Do not use personal admin account, especially for Setup User Account
• Configure central email account for all managed accounts

Authentication
• Determine that users are who they say they are (via login)
• Configured on each web app
• Multiple authentication methods per web app
• SharePoint 2010 Options
• Classic Mode Authentication (Integrated Auth, NTLM, Kerberos)
• Claims Based Authentication
• Forms Based Authentication available - through Claims Based Auth.
– UI configuration options only available in UI upon web app creation
– To convert non-claims based web app to claims will require PowerShell
• SharePoint 2013 Options
• Claims Based Authentication - default
• Classic Mode Deprecated - Configuration UI has been removed
(Only configurable through PowerShell)

Authorization
• Determine if users have access to specific information
objects and which level of access are they granted
• Accomplished through Permissions in SharePoint
• Allow you to secure any information object or container
• Apply to items, documents, folders, lists, libraries, sites
• Do not apply to individual column field values
• Assigning Permissions Includes
• The information object or container in question
• The user, group or claim that is granted access
• The permission level we are granting as part of that access

Permission Examples: Users and Groups
• Finance AD Group has Full Control on Library A
• ProjectXContractor SP Group has Read access on site B
• Antonio.Maio AD user has Contribute access on Document C
User or Group
(also called a ‘Principle’)
Permission Level
(collection of permissions)
Information Object
(item or container)

Permission Examples: Claims
• Remember: Claims are trusted attributes about a user
• May assign a Claim as part of a permission to an object
or container (like a user or group)
• ‘SecurityClearance=Secret’ has Full Control access on Document X
• ‘ITARCleared=True’ has Read access on Library Y
• ‘EmploymentStatus=FTE’ has Contribute access on Site Z

Users Interacting with Permissions

Inherited Permission Model
• Hierarchical permission model
• Permissions are inherited from
level above
• Can break inheritance and apply
unique permissions
• Manual process
• Permissive Model
SharePoint Farm
Web Application
Site Collection Site Collection
Site Site
Library List
Document
Web Application
Item
Site
Document
Document
Item
Demo Members SharePoint Group Edit
Demo Owners SharePoint Group Full Control
Demo Visitors SharePoint Group Read
Finance Team Domain Group Edit
Senior Mgmt Domain Group Full Control
Research Team Domain Group Full Control
Research Team Domain Group Full Control
Antonio.Maio Domain User Full Control

Permissions and Security Scopes
• Every time permission inheritance
is broken a new security scope is
created
• Security Scope is made of up
principles:
• Domain users/groups
• SharePoint users/groups
• Claims
• Be aware of “Limited Access”
• Limitations
• Security Scopes (50K per list)
• Size of Scope (5K per scope)
Microsoft SharePoint Boundaries and Limits:
http://technet.microsoft.com/en-us/library/cc262787.aspx

Information Architecture and Metadata
• Information Architecture – The structural design of your
information sharing environment
• Organization and Storage
• Identification
• Retention
• Business sensitivity and confidentiality
• …
• Metadata can provide important insight into what type of
information you have in SharePoint
• Recommended: Use Metadata to Classify information and
Identify its Sensitivity

Standardized Metadata

Standardized Metadata
• Implement Standardized Metadata Fields across libraries/lists
• Library or List Level
• Site Column Level
• Managed Metadata Service (across Site Collection or Farm)
• Ensure users are adding metadata when adding/editing
information (mandatory fields)
• Be aware of situations where SharePoint doesn’t request metadata
(multi-file upload, explorer view)
• Keep it Simple: Limit sensitivity classification to 3 or 4 labels
– Public, Confidential, Restricted, Highly Restricted
– Low Business Impact, Moderate Business Impact, High Business Impact
– Unclassified, Confidential, Secret, Top Secret
• Educate, Educate, Educate: What does each label mean/impact?

Recap
• Develop a SharePoint Governance Plan with Key Stakeholders
• Ignorance is not bliss… it’s problematic!
• Understand the type of information you have
• Develop an information architecture
• Understand the risks to that information: accidental, insider and external threats
• Use Metadata to identify sensitivity
• Educate end users on significance of sensitivities – make them part of the solution
• Deploying SharePoint with Appropriate Least Privileged Accounts
• Determine your Authentication and Authorization Needs
• Understand how permissions work
• Plan for how permissions are given and managed
• Understand SharePoint Security Features
• Others: Web App Policies, Anonymous Users, Information Rights Management,
Privileged Users , Event Auditing

Antonio Maio
Protiviti, Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP
Thank You!
Email: Antonio.maio@protiviti.com
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2

Best practices for Security and Governance in SharePoint 2013

More Related Content

What's hot (20)

Similar to Best practices for Security and Governance in SharePoint 2013 (20)

More from AntonioMaio2 (13)

Recently uploaded (20)

Best practices for Security and Governance in SharePoint 2013