Presentation Transcript

Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive

Name

03/28/07


Agenda

  • MOSS 2007 Security Challenges

  • Pluggable Authentication / Zones

  • Encryption of Application Connection Strings

  • Targeted Content for Secure Collaboration

  • Information Rights Management

  • MOSS 2007 Customer Facing Scenario


Microsoft Office SharePoint Server 2007

  • MOSS 2007 eases the implementation of effective security:

    • Simplifies implementing Internet-facing environments (extranets).

    • Enables support for heterogeneous environments.

    • Uses pluggable forms-based authentication (FBA) providers.

    • Reduces management overhead and improves security.

    • Offers granular rights management of business assets.


Challenges for MOSS 2007 Security

  • The challenges for MOSS 2007 are to:

    • Support authentication for multiple identity management systems.

    • Provide authentication that maps user accounts for third-party applications to LOB systems.

    • Configure entry locations for MOSS/control URL site mapping.

    • Protect valuable application connection string data.

    • Lock down site collections and restrict user access over MOSS.

    • Provide client-level protection of sensitive information.


Pluggable Authentication Provider

  • MOSS integrates ASP .NET 2.0 pluggable authentication for Windows and non-Windows.

  • Supports shipped, Windows-based authentication methods.

  • Sets up Internet-facing SharePoint authentication.

  • Enables pluggable authentication providers built on ASP.NET 2.0 membership architecture.

  • ASP.NET 2.0 pluggable providers can employ membership data stores including:

    • Microsoft Access

    • Oracle databases

    • XML files

    • Flat text files


ASP .NET 2.0 Membership Provider

  • Supports configurable directories in a member data store.

  • Stores pluggable provider credentials in the machine.config file.

  • MOSS membership providers include:

    • LDAP V3 directory (with MOSS)

    • SQL Server

    • Active Directory (ASP .NET 2.0)

  • Pluggable membership providers:

    • Inherit from the ASP.NET MembershipProvider interface;

    • This interface inherits from the ProviderBase class.


Considerations for ASP .NET Authentication

  • MOSS services use Windows accounts – even with a pluggable provider.

  • Use Windows identities to reduce Microsoft Office client interoperation.

  • Authentication types that do not resolve to a Windows identity must use a MOSS zone.

  • A mandated PKI infrastructure such as for smartcards typically resolves to a Windows identity.

  • PKI implementation may require a MOSS zone or other configuration.

Add a diagram here: Company A (Windows Authentication) and Company B (Non-Windows Authentication)


Pluggable Single Sign-On (SSO)

  • The MOSS SSO service provides an encrypted back-end cache of users' credentials for mapping to connected LOB systems.

  • Aids in retrieving critical information through MOSS mechanisms:

    • Business Data Catalog (BDC)

    • SharePoint DataView Web Parts (DVWP)

  • Can specify a pluggable SSO provider, instead of SpsSsoProvider.

  • Registers only one SSO provider per LOB system at a time.


Forms-Based Authentication

  • Utilizes pluggable authentication and role providers to enable Internet-style security.

  • Supports a customized login process geared to users' needs.

  • Forms authentication cookies and authentication tickets are encrypted and tamper-proof.

  • The form identity provider, called Web SSO, can plug into an external identity management system.


Web Single Sign-On

  • MOSS supports federated authentication between Web SSO vendors.

  • Employs an HTTP module for external authentication.

  • Allows external partners to authenticate to MOSS using their user credentials.

  • Delegates log in and password reset to partners.

  • Web SSO authentication requires an extranet zone.

(Diagram: Partner Application)


Alternate Access Mapping (AAM)

  • AAM ensures internal and public URL mappings work correctly.

  • The //MOSS URL is mapped by default, but can be extended to additional URLs.

  • Alternate URLs can be mapped to one physical path such as //MOSS.

  • MOSS entry points can use different authentication providers / Web application security policies.

  • Compensates for different domains, reverse proxies, and other URL redirection mechanisms.

(Diagram labels: Intranet Users, http://contoso, http://MOSS; Extranet Users, http://extranet.contoso.com)


AAM Example Configuration

  • Example: The //MOSS site has two AAM URLs: internal corporate users and external partners.

  • The Intranet URL, //contoso, is mapped to:

    • Intranet zone: Resolves to domain-authenticated Windows identities.

  • The Extranet URL, //extranet.contoso.com, is mapped to a different zone:

    • Extranet zone: Log in is via Web SSO authentication.

(Diagram labels: Intranet Users, http://contoso, http://MOSS; Extranet Users, http://extranet.contoso.com)


Zones Alternate Access Mapping (AAM)

  • A zone maps multiple Web applications to a single set of content databases, allowing greater control over AAM.

  • Zones use the AAM URL to map different authentication providers to the same physical path and MOSS content.

  • Recommended: Bind the zone to an authentication mechanism.

(Diagram label: Default)

  • An AAM URL that maps to a zone not listed on the authentication providers page uses the security settings of the Default zone.

  • Recommended: Place the most publicly accessible URL (intranet, Internet, custom, or extranet) in the Default zone.


Zones AAM Configuration

  • Zones affect how people are authenticated and routed through the portal from URL entry points.

  • New Web applications can be extended by specifying the zone in the Load Balancing URL section of the settings.

(Diagram label: Extranet)

  • Within each zone, bind global Web application security policy that defines permissions settings for users in the zone.


Zones AAM Planning Scenario

  • Zones Require Planning!

    This example scenario shows decisions that the authentication system must make when a Web crawler attempts to authenticate.


AAM / Global Security Policies

  • MOSS supports global security policies that bind policy settings to a specific user or group within the application.

  • Examples: Full access, full read access, deny-write access, or deny-all access.

  • Overrides the MOSS granular permission settings, managed from SharePoint Central Administration interface.

  • Binding security policies to zones gives trusted external users full read access; no manual per-site permission settings are required.
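As an added example (not from the deck), the AAM example configuration shown earlier and the zone-bound global security policy on this slide, expressed as stsadm commands run on a MOSS 2007 front-end. The hostnames are the deck's; the Web application path, the stsadm location and the partner group login are assumptions, and the operation and parameter names are from my recollection of the WSS 3.0 stsadm reference, so confirm each with stsadm -help <operation> before running.

```batch
@echo off
REM Added example, not from the deck: map the intranet and extranet entry
REM URLs onto the one //MOSS Web application with Alternate Access Mapping,
REM then bind a Full Read policy to the extranet zone.
REM Assumptions: farm administrator session, Web application at http://MOSS,
REM extranet zone already extended, partner group login as shown below.
set STSADM="%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe"
set WEBAPP=http://MOSS

REM 1. Intranet URL -> Intranet zone (domain-authenticated Windows identities)
%STSADM% -o addalternatedomain -url %WEBAPP% -incomingurl http://contoso -urlzone intranet

REM 2. Extranet URL -> Extranet zone (login via Web SSO)
%STSADM% -o addalternatedomain -url %WEBAPP% -incomingurl http://extranet.contoso.com -urlzone extranet

REM 3. Check: each inbound URL should now be listed with the zone it maps to
%STSADM% -o enumalternatedomains -url %WEBAPP%

REM 4. Global security policy bound to the extranet zone: the trusted partner
REM    group gets Full Read everywhere in the Web application, so no per-site
REM    permissions have to be granted by hand. (CONTOSO\PartnerReaders is a
REM    placeholder; use the login string the extranet zone's provider issues.)
%STSADM% -o addpermissionpolicy -url %WEBAPP% -zone extranet -userlogin "CONTOSO\PartnerReaders" -permissionlevel "Full Read"

REM Reminder of the policy levels the deck lists: "Full Control", "Full Read",
REM "Deny Write", "Deny All". A policy overrides granular site permissions,
REM so "Deny All" on the extranet zone is the quickest way to lock partners out.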


Encryption of Application Connection Strings

  • Storing connection string data in plain text in the web.config file creates a security vulnerability.

  • ASP.NET 2.0 functionality can be used to encrypt application connection string data using either:

    • Windows Data Protection API (DPAPI): Encrypts and decrypts using the MOSS server machine key.

    • RSA encryption: Uses public key algorithms; adds appropriate key containers for the encryption keys.

  • Pluggable encryption providers can use different encryption tools.


Connection String Encryption Best Practices

  • For MOSS 2007 and pluggable SQL Server authentication provider, encrypt the <connectionStrings> node in cipher text:

  • DPAPI uses native machine key encryption for either a virtual directory or a physical directory. Use the following commands:

  • Encrypt the connection strings node specifying the section parameter:


Connection String Encryption Best Practices (continued)

  • After implementation, the nodes of sensitive information are replaced by well-formed XML cipher values:

  • This pluggable model can support custom encryption providers to manage cipher text for relevant MOSS configuration files.

  • Considerations:

    • Encryption using the local machine key can only use the configuration node on the MOSS server on which it was created.

    • If an intruder gained access to the server and retrieved the machine key, they could decrypt the connection string.

    • Decryption causes a minor application performance hit.
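The two previous slides refer to the encryption commands without showing them. What follows is an added example, not the deck's own commands: the ASP.NET 2.0 aspnet_regiis tool protecting the <connectionStrings> section of a MOSS Web application's web.config, first with DPAPI (bound to this server's machine key, as the consideration above notes) and then with an RSA key container that can be exported to the other Web servers of a farm. The .NET path, the IIS site name "SharePoint - 80", the physical directory, the key container name and the application pool account are assumptions; everything else is standard aspnet_regiis usage.

```batch
@echo off
REM Added example, not from the deck: protect the <connectionStrings> node of
REM a MOSS 2007 Web application's web.config with aspnet_regiis.
REM Assumptions: .NET 2.0 at REGIIS, IIS site "SharePoint - 80" rooted at
REM WEBDIR, application pool identity CONTOSO\svc_mosspool.
REM Usage:  protect-connstr.cmd        (DPAPI, single server)
REM         protect-connstr.cmd rsa    (RSA container, shareable across a farm)
set REGIIS="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
set WEBDIR=C:\Inetpub\wwwroot\wss\VirtualDirectories\80
set SITE="SharePoint - 80"
if /I "%~1"=="rsa" goto rsa

REM ---- Option 1: DPAPI, keyed to this server's machine key ----------------
REM -pe addresses the section by virtual path and IIS site; -pef would do the
REM same by physical directory. Only this server can decrypt the result, so
REM the file cannot simply be copied to another front-end.
%REGIIS% -pe "connectionStrings" -app "/" -site %SITE% -prov "DataProtectionConfigurationProvider"
goto check

REM ---- Option 2: RSA with an exportable key container (farm-friendly) ------
:rsa
REM Create the container once, let the app pool account read it, and export
REM it with the private key so the same cipher text works on every server.
%REGIIS% -pc "MossConnStrKey" -exp
%REGIIS% -pa "MossConnStrKey" "CONTOSO\svc_mosspool"
%REGIIS% -px "MossConnStrKey" C:\secure\MossConnStrKey.xml -pri
REM On each additional Web server, import and grant access the same way:
REM   aspnet_regiis -pi "MossConnStrKey" C:\secure\MossConnStrKey.xml
REM   aspnet_regiis -pa "MossConnStrKey" "CONTOSO\svc_mosspool"
REM web.config must declare a provider that names this container, e.g.
REM   <configProtectedData><providers>
REM     <add name="MossRsaProvider" keyContainerName="MossConnStrKey" useMachineContainer="true"
REM          type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
REM   </providers></configProtectedData>
%REGIIS% -pe "connectionStrings" -app "/" -site %SITE% -prov "MossRsaProvider"

:check
REM Verify the plain-text node was replaced by an xmlenc CipherValue element
REM and that no clear connection string remains in the file.
findstr /C:"<CipherValue>" "%WEBDIR%\web.config" >nul && echo connectionStrings section is encrypted
findstr /C:"connectionString=" "%WEBDIR%\web.config" >nul && echo WARNING: a plain-text connection string is still present

REM To restore plain text (for example before moving a DPAPI-protected file
REM to a different server):
REM   %REGIIS% -pd "connectionStrings" -app "/" -site %SITE%
```

Keep the exported key file off the Web servers once the import is done: whoever holds it, or the machine key in the DPAPI case, can decrypt the section, which is exactly the exposure the consideration above describes.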


Targeted Content for Secure Collaboration

  • MOSS ECM Common Services control access to stored information.

  • Lockdown permits users to access only the information they are authorized to see:

    • Binds an identity to a specific object – from a site collection to a document or list.

    • Enforces granular access controls and explicit membership to an item.

    • Denies access and adjusts the UI to show accessible items only.


Item Level Security (ILS) / Secured Objects (SO)

  • Scales MOSS object permissions from site collections to individual objects.

  • Allows for permission inheritance from parent to child objects.

  • 33 default permissions can be assigned to a user or SharePoint group.

  • Permissions can be specified on event items, such as an Events list.

  • Returned search results can map back to the security context of the user.

  • These controls trim the UI to the exclusive user context.


Permission Management Architecture

  • Sets permissions for SharePoint users, groups, and domain groups.

  • Default groups include:

    • Owners (get full control)

    • Visitors (get contributor rights)

    • Members (get read rights)

  • Custom groups can be created and managed by site collection.

  • Group membership is consistent within the site collection.

  • Custom groups are reusable across different project sites.


Information Rights Management (IRM)

  • Protects sensitive information at the client level, even when business information is taken offline.

  • This can be essential for complying with regulations such as privacy legislation, including:

    • California Senate Bill No. 1386

    • Sarbanes-Oxley Act (SOX Compliance)

    • Health Insurance Portability and Accountability Act (HIPAA)

    • Other government and regulatory requirements


MOSS 2007 and IRM

  • Server-side IRM integrates with MOSS repositories through the WRM framework.

  • IRM imposes access restrictions at the document level: “no matter where it is stored or who tries to open it”.

  • Common IRM permits authorized viewing or printing only.

  • A “protector” is used to provide IRM functionality. Several are installed with MOSS.

  • A protector manages the encryption process for all file types stored in MOSS.

  • The MOSS application architecture supports pluggable protectors for other file types.


IRM Scenarios

  • Example: Shows how a user requests a rights-managed document from a MOSS 2007 integrated IRM protector.

  • IRM extended scenarios include:

    • User credential verification after a certain time period

    • Disallow user upload of assets that do not use IRM.

    • Schedule an expiration tag to drop the restriction policy.

    • Bind to a global organization IRM permission policy


IRM Requirements

  • Ensure that all the requirements are met in the MOSS environment:

    • Windows Rights Management (WRM) Services Client on MOSS Web servers.

    • Microsoft Rights Management Services (RMS) connectivity to the MOSS Web servers.

    • The RMS server for MOSS is configured through SharePoint Central Administration, either:

      • By using the default in Active Directory

      • Specifying the location


IRM Implementation

  • IRM works directly with SharePoint data store structures such as document libraries to maintain permissions:

  • A user navigates to an IRM-enabled document library and attempts to download a document.

  • MOSS binds roles to the document library for the documents.

  • The MOSS protector encrypts the document and adds an issuance license. Result: a 1:1 mapping between MOSS permissions and document permissions.

  • SharePoint roles for the document translate into IRM permission levels on the document.

  • The document is encrypted locally for offline protection.


Scenario: Back-to-Back Perimeter with Content Publishing

  • Example: Back-to-back perimeter topology that hosts static content.

  • Identity Manager permits SharePoint authentication of external users.


Summary

  • Allows for the easy implementation of Internet-facing environments (extranets). ✓

  • Built to enable support for heterogeneous environments. ✓

  • Supports pluggable forms-based authentication (FBA) providers. ✓

  • Reduces management overhead and improves security. ✓

  • Offers granular rights management of business assets. ✓


Links and References

For more information about Microsoft Office SharePoint Server 2007:

http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx

http://technet2.microsoft.com/Office/en-us/library/b28ba53d-a3e8-440f-9fcb-f592d858894a1033.mspx?mfr=true
