SharePoint Security A to Z

SharePoint Security A-Z:
Who Has Access to What?

Steve Goldberg, Axceler

steve.goldberg@axceler.com
@iamgoldberg

About Me

Steve Goldberg, Sales Engineer at Axceler

• Software Engineer at Axceler for ControlPoint- a SharePoint administration
product
• Prior to Axceler, was a consultant at Computer Sciences Corporation
(CSC), specializing in SharePoint development
• Current Role:
• Talk to 30-40 people weekly about how to govern SharePoint
• Managing permissions is the #1 issue administrators face
• Manage and cleanup

• Twitter: @iamgoldberg Blog: iamgoldberg.com Email: steve.goldberg@axceler.com

Email Cell Twitter Blog
cbuck@axceler.com 425.246.2823 @buckleyplanet http://buckleyplanet.com

Axceler Overview

Improving Collaboration Since 2007
 Mission: To enable enterprises to simplify, optimize, and
secure their collaborative platforms
 Delivered award-winning administration and migration
software since 1994
 Over 2,500 global customers

Dramatically improve the management
of SharePoint
 Innovative products that improve security, scalability,
reliability, “deployability”
 Making IT more effective and efficient and lower the total
cost of ownership

Focus on solving specific SharePoint problems
(Administration & Migration)
 Coach enterprises on SharePoint best practices
 Give administrators the most innovative tools available
 Anticipate customers’ needs
 Deliver best of breed offerings
 Stay in lock step with SharePoint development and market trends

Always Ask Yourself…

How is your organization using SharePoint?

Is there secure content in your SharePoint
environment?

Who needs to have access to SharePoint?

Are there ways you can expand the use of SharePoint to
offer more benefits to your organization?
6/4/2012

6/4/2012

Authentication Methods

A SharePoint environment must
support user accounts that can be
authenticated by a trusted authority

How do you authenticate your users?

Windows Authentication

 NTLM:
 Users authenticated by using the credentials on the running thread
 Simple to implement
 SharePoint will not be integrated with other applications

 Kerberos
 If your SharePoint sites use external data
 Credentials passed from one server to another (“double hop”)
 Faster, more secure, and can be less error prone then NTLM
 Anonymous Access
 No authentication needed to browse the site


Active Directory Domain Services
(AD DS)

Authentication based on user account and password from AD

This works well for Windows environments

Do you need support Internet, partner, or cloud-based
computing models?

6/4/2012

Forms-based Authentication

Used mostly for Extranets

 Credentials stored in:
 Lightweight Directory Access Protocol (LDAP) data store (Novell, Sun)
 AD DS
 SQL or other database
 Custom or third-party membership and role providers

In SharePoint 2010, forms-based authentication is only available when you
use claims-based authentication


Claims-Based Authentication
(SharePoint 2010)

Usually for external customers or partners

An outside identity provider authenticates users

A claim is just a piece of information describing a
user: name, email, age, hire date, etc. used to
authenticate the user


So Much Potential…

Integration with Facebook, Google, Live ID, etc.

1. “I’d like to access the Axceler Microsoft technology partners site.”
2. “Not until you can prove to me that you are in the Axceler
Microsoft technology partners group.”
3. “Here is my Live ID and password.”
4. “Hi, Steve. I see you are in the Axceler Microsoft technology
partners group. Here is a token you can use.”
5. “I’d like to access the Axceler Microsoft technology partner
document, and here’s proof I have access to it!”

6/4/2012

SharePoint Authentication

Defined at the web application level


Who Needs to Access SharePoint?

Claims-based authentication mode: use any supported
authentication method or else you will support only
Windows authentication

6/4/2012

Now That We’ve Authenticated
Our Users….

Is permission management part of your
governance plan?


Governance is about taking action to
help your organization
organize, optimize, and manage your
systems and resources.


What do your permissions
look like in SharePoint?


How did that happen?

No plan

The business grows and evolves

People and project turn over

Securable Objects

What can we secure?
Site
Library or List
Folder
Document or Item

Structure/Architecture
Sub-site
Site
Sub-site
Site
Site
Collection

Web App Site Sub-site

Site
Site
Farm Collection

Site
Site
Web App
Collection
Site Sub-site


Plan!

How granular do you need to control access to content?

Who manages all the different parts of your SharePoint farm?

How do you want to manage your users?


Farm Administrators Group

Assigned in Central Admin and has permission to
all servers and settings in the farm

Central Administration access, create new web
apps, manage services, stsadm/PowerShell command
Can take ownership of content: make
themselves Site Collection Administrators

6/4/2012

Web Application Policies

Quick way to apply permissions across web
applications

Users can be explicitly denied access
Set in Central Admin

6/4/2012

Site Collection Administrators

Given full control over all sites in a
site collection

Access to settings pages: Manage
users, restores items, manage site hierarchy
Cannot access Central Admin
6/4/2012

Your Content

Lists/Libraries Lists/Libraries

Site Sub-Sites
Site
Lists/Libraries Lists/Libraries
Collection
Site Sub-site


Permission Levels

Collections of permissions that
allow users to perform a set of
related tasks

Permission levels are defined at the
site collection level

SharePoint Groups

A group of users that are defined at site collection level for
easy management of permissions

The default SharePoint groups are Owners, Visitors, and
Members, with Full Control, Read, and Contribute as their
default permission levels respectively

Anyone with Full Control permission can create custom groups

6/4/2012

Customizing Permission Levels

The default permission levels are Full
Control, Design, Contribute, Read, and Limited Access

What does “Read” mean to
your organization?

6/4/2012

The Basics: Permissions

Permissions are applied on objects:
1. Directly to users
2. Directly to domain groups (visibility warning)
3. To SharePoint Groups


Check Permission Button

SharePoint 2010 lets administrators Check
Permissions to determine a user or group’s permissions
on all content

6/4/2012

Inheritance

If all sites and site content inherit
those permissions defined at the
site collection, what’s so hard
about managing permissions if
they are defined so high in the
hierarchy?

Fine Grained Permissions

Sites, lists, libraries, folders, docum
ents, items can all have unique
security


What Exactly is Happening?

Copies groups, users, and
permission levels from the parent
object to the child object

Changes to parent object
do not affect the child

6/4/2012

Limited Access

Auto applied to every securable objects above the
uniquely permissioned item

Is not directly “applied”

6/4/2012

Permissions Management Becomes
Impossible

“If you use fine-grained permissions
extensively, you will spend more time
managing the permissions, and users will
experience slower performance when
they try to access site content”
~Planning site permissions, technet http://bit.ly/InKv9i

Permission management (additions, deletions, edits) is done
one securable object at a time!

6/4/2012

Performance is Affected too!

Performance is reduced once 1000 objects have broken
inheritance in a list or library

 Sites, lists, and libraries need to
build security trimmed navigation

 List load time increases

*Apply unique permissions to folders if need be*

6/4/2012

Orphaned Domain Users

Deleted and disabled Active Directory users are not
updated in SharePoint

Permissions
User Profiles
My Sites

6/4/2012

Distributed Administration

SharePoint is designed to have
site administrators and power users

6/4/2012

Be Careful!

Train your admins and power users!

“I didn’t know that restoring inheritance
would remove our unique security model!”
~Countless well intentioned site admins

6/4/2012

Power Users Tip

Manage power users through the
“Owners” SharePoint groups.

limit the members to only those users you trust to
change the structure, settings, or appearance of the site

6/4/2012

Best Practice

Make most users members of the Members or
Visitors groups
 Members group can contribute to the site by adding or
removing items or documents, but cannot change the
structure, site settings, or appearance of the site.
 Visitors group has read-only access to the site, which
means that they can see pages and items, and open items
and documents, but cannot add or remove pages, items, or
documents.

6/4/2012

Stick to the Plan

If you do break inheritance, Microsoft recommends
using groups to avoid having to track individual users

People move in and out of teams and change
responsibilities frequently

Tracking those changes and updating the permissions
for uniquely secured objects would be time-consuming
and error-prone.
6/4/2012

Plan for Permission Inheritance

Arrange sites and subsites, and lists and libraries
so they can share most permissions

Separate sensitive data into their own
lists, libraries, or subsite
Permission worksheet:
http://go.microsoft.com/fwlink/p/?LinkID=213970&clcid=0x409

6/4/2012

It’s SharePoint’s Fault!

Administrators can audit permission changes by going
to the site collection’s settings page

6/4/2012

Contact me

Steve Goldberg
steve.goldberg@axceler.com
@iamgoldberg

Additional Resources available
 11 Strategic Considerations for SharePoint Migrations http://bit.ly/j4Vuln
 The Insider’s Guide to Upgrading to SharePoint 2010 http://bit.ly/mIpOBZ
 Why Do SharePoint Projects Fail? http://bit.ly/d1mJmw
 Best practices for capacity management for SharePoint Server 2010,
TechNet http://bit.ly/nvNrig
 What to Look for in a SharePoint Management Tool http://bit.ly/l26ida
 The Five Secrets to Controlling Your SharePoint
Environment http://bit.ly/kzdTjZ

We want your feedback!
Use this QR code or visit:
http://sps.la/feedback

Silver Sponsors:

Victory Lap- social event
"SharePoint Victory Lap" Social Event for
SPSLA will be at: 5:30pm to 8pm at
Di Piazzas (5205 E. Pacific Coast Hwy, 90804)

Windows Authentication

- Basic:
- Users have previously assigned Windows credentials
- Browser provides credentials during HTTP transaction
- Not encrypted- should enable Secure Sockets Layer
(SSL) encryption
- Digest
- Credentials are encrypted

These are set directly in IIS


Zones

Each "zone" is essentially a new IIS Website
 Access the same content through a different URL
Allows for multiple authentication methods to the
same site
Since SharePoint 2010 allows web applications to
have mixed authentication methods when choosing
claims based authentication, zones are more useful to
for load balancing, caching, content databases, and
custom modules
6/4/2012

Audience targeting

To display content such as list or library
items, navigation links, and entire Web Parts to specific
groups of people.
This is useful when you want to present information
that is relevant only to a particular group of people.
For example, you can add a Web Part to the legal
department's portal site that contains a list of legal
contracts that is visible only to that department.

6/4/2012

SharePoint Security A to Z

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to SharePoint Security A to Z (20)

Recently uploaded (20)

SharePoint Security A to Z

Editor's Notes