Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive

PowerPoint Slideshow about 'Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive' - bernad


Presentation Transcript

Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive

Name

03/28/07

Agenda
  • MOSS 2007 Security Challenges
  • Pluggable Authentication / Zones
  • Encryption of Application Connection Strings
  • Targeted Content for Secure Collaboration
  • Information Rights Management
  • MOSS 2007 Customer Facing Scenario
Microsoft Office SharePoint Server 2007
  • MOSS 2007 eases the implementation of effective security:
    • Simplifies implementing Internet-facing environments (extranets).
    • Enables support for heterogeneous environments.
    • Uses pluggable forms-based authentication (FBA) providers.
    • Reduces management overhead and improves security.
    • Offers granular rights management of business assets.

Challenges for MOSS 2007 Security

  • The challenges for MOSS 2007 are to:
      • Support authentication for multiple identity management systems.
      • Provide authentication that maps user accounts for third-party applications to LOB systems.
      • Configure entry points for MOSS and control URL-to-site mapping.
      • Protect valuable application connection string data.
      • Lock down site collections and restrict user access across MOSS.
      • Provide client-level protection of sensitive information.
Pluggable Authentication Provider
  • MOSS integrates ASP .NET 2.0 pluggable authentication for Windows and non-Windows identities.
  • Supports the Windows-based authentication methods that ship with the product.
  • Sets up Internet-facing SharePoint authentication.
  • Enables pluggable authentication providers built on ASP.NET 2.0 membership architecture.
  • ASP.NET 2.0 pluggable providers can employ membership data stores including:
    • Microsoft Access
    • Oracle databases
    • XML files
    • Flat text files
ASP .NET 2.0 Membership Provider
  • Supports configurable directories in a member data store.
  • Stores pluggable provider credentials in the machine.config file.
  • MOSS membership providers include:
    • LDAP V3 directory (with MOSS)
    • SQL Server
    • Active Directory (ASP .NET 2.0)
  • Pluggable membership providers:
    • Inherit from the ASP.NET MembershipProvider interface;
    • This interface inherits from the ProviderBase class.
Considerations for ASP .NET Authentication
  • MOSS services use Windows accounts – even with a pluggable provider.
  • Use Windows identities to reduce Microsoft Office client interoperation issues.
  • Authentication types that do not resolve to a Windows identity must use a MOSS zone.
  • A mandated PKI infrastructure such as for smartcards typically resolves to a Windows identity.
  • PKI implementation may require a MOSS zone or other configuration.

Diagram (placeholder in the original deck): Company A (Windows Authentication); Company B (Non-Windows Authentication).

Pluggable Single Sign-On (SSO)
  • The MOSS SSO service provides an encrypted back-end cache of users' credentials for mapping to connected LOB systems.
  • Aids in retrieving critical information through MOSS mechanisms:
    • Business Data Catalog (BDC)
    • SharePoint DataView Web Parts (DVWP)
  • A pluggable SSO provider can be specified instead of the default SpsSsoProvider.
  • Only one SSO provider can be registered per LOB system at a time.
Forms-Based Authentication
  • Utilizes pluggable authentication and role providers to enable Internet-style security.
  • Supports a customized login process geared to users' needs.
  • Forms authentication cookies and authentication tickets are encrypted and tamper-proof.
  • The form identity provider, called Web SSO, can plug into an external identity management system.
Web Single Sign-On
  • MOSS supports federated authentication between Web SSO vendors.
  • Employs an HTTP module for external authentication.
  • Allows external partners to authenticate to MOSS using their user credentials.
  • Delegates login and password reset to partners.
  • Web SSO authentication requires an extranet zone.

Diagram label: Partner Application

Alternate Access Mapping (AAM)
  • AAM ensures internal and public URL mappings work correctly.
  • The //MOSS URL is mapped by default, but can be extended to additional URLs.
  • Alternate URLs can be mapped to one physical path such as //MOSS.
  • MOSS entry points can use different authentication providers / Web application security policies.
  • Compensates for different domains, reverse proxies, and other URL redirection mechanisms.

Diagram: intranet users enter via http://contoso and extranet users via http://extranet.contoso.com; both URLs map to http://MOSS.

AAM Example Configuration
  • Example: The //MOSS site has two AAM URLs: internal corporate users and external partners.
  • The Intranet URL, //contoso, is mapped to:
    • Intranet zone: Resolves to domain-authenticated Windows identities.
  • The Extranet URL, //extranet.contoso.com, is mapped to a different zone:
    • Extranet zone: Login is via Web SSO authentication.

Zones Alternate Access Mapping (AAM)
  • A zone maps multiple Web applications to a single set of content databases, allowing greater control over AAM.
  • Zones use the AAM URL to map different authentication providers to the same physical path and MOSS content.
  • Recommended: Bind the zone to an authentication mechanism.

Diagram label: Default zone

  • An AAM URL that maps to a zone not listed on the authentication providers page uses the security settings of the Default zone.
  • Recommended: Place the most publicly-accessible URL in the Default zone, such as intranet, Internet, custom, or extranet.
Zones AAM Configuration
  • Zones affect how people are authenticated and routed through the portal from URL entry points.
  • New Web applications can be extended by specifying the zone in the Load Balancing URL section of the settings.

Diagram label: Extranet zone

  • Within each zone, bind a global Web application security policy that defines permission settings for users in the zone.
Zones AAM Planning Scenario
  • Zones Require Planning!

This example scenario shows decisions that the authentication system must make when a Web crawler attempts to authenticate.

AAM / Global Security Policies
  • MOSS supports global security policies that bind policy settings to a specific user or group within the application.
  • Examples: Full access, full read access, deny-write access, or deny-all access.
  • Overrides the granular MOSS permission settings; managed from the SharePoint Central Administration interface.
  • Binding security policies to zones gives trusted external users full read access; no manual settings are required.
Encryption of Application Connection Strings
  • Storing connection string data in plain text in the web.config file creates a security vulnerability.
  • ASP.NET 2.0 functionality can be used to encrypt application connection string data using either:
    • Windows Data Protection API (DPAPI): Encrypts and decrypts using the MOSS server machine key.
    • RSA encryption: Uses public key algorithms and stores the encryption keys in RSA key containers.
  • Pluggable encryption providers can use different encryption tools.
Connection String Encryption Best Practices
  • For MOSS 2007 and a pluggable SQL Server authentication provider, encrypt the <connectionStrings> node as cipher text:
  • DPAPI uses native machine key encryption for either a virtual directory or a physical directory. Use the following commands:
  • Encrypt the connection strings node specifying the section parameter:
Connection String Encryption Best Practices (continued)
  • After implementation, the nodes of sensitive information are replaced by well-formed XML cipher values:
  • This pluggable model can support custom encryption providers to manage cipher text for relevant MOSS configuration files.
  • Considerations:
    • A configuration node encrypted with the local machine key can be decrypted only on the MOSS server where it was created.
    • If an intruder gained access to the server and retrieved the machine key, they could decrypt the connection string.
    • Decryption causes a minor application performance hit.
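As an added check (not from the deck or from Microsoft), this script audits a web.config for the condition the two slides above describe: it reports whether the <connectionStrings> node is still plaintext with an inline password, or has been replaced by a configProtectionProvider attribute and an <EncryptedData> cipher value as aspnet_regiis leaves it. The web.config fragments and the cipher value are constructed samples, and the aspnet_regiis command in the comment is from my own knowledge rather than the slides.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the deck: the plaintext node the slides call a vulnerability.
PLAINTEXT_CONFIG = """<configuration>
  <connectionStrings>
    <add name="FbaMembership"
         connectionString="Server=sql01;Database=aspnetdb;User ID=fba;Password=s3cret" />
  </connectionStrings>
</configuration>"""

# Constructed sample of the shape left behind by (syntax from my own knowledge, not the deck):
#   aspnet_regiis -pe "connectionStrings" -app "/" -prov "DataProtectionConfigurationProvider"
DPAPI_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>AQAAANCM...placeholder...</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""


def _local(tag):
    """Strip any XML namespace; the RSA provider emits xmlenc-namespaced elements."""
    return tag.rsplit("}", 1)[-1]


def audit_connection_strings(config_xml):
    """Return (status, provider, findings); status is 'missing', 'encrypted' or
    'plaintext', and findings names entries that still carry an inline password."""
    root = ET.fromstring(config_xml)
    section = next((e for e in root.iter() if _local(e.tag) == "connectionStrings"), None)
    if section is None:
        return "missing", None, []
    provider = section.get("configProtectionProvider")
    has_cipher = any(_local(child.tag) == "EncryptedData" for child in section)
    if provider and has_cipher:
        return "encrypted", provider, []
    findings = []
    for entry in section:
        if _local(entry.tag) != "add":
            continue
        conn = entry.get("connectionString", "")
        keys = {kv.split("=", 1)[0].strip().lower() for kv in conn.split(";") if "=" in kv}
        if keys & {"password", "pwd"}:
            findings.append(entry.get("name", "?"))
    # A provider attribute without cipher data is still plaintext; report it as such.
    return "plaintext", provider, findings
```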
Targeted Content for Secure Collaboration
  • MOSS ECM Common Services control access to stored information.
  • Lockdown permits users to access only the information they are authorized for:
    • Binds an identity to a specific object – from a site collection to a document or list.
    • Enforces granular access controls and explicit membership to an item.
    • Denies access and adjusts the UI to show accessible items only.
Item Level Security (ILS) / Secured Objects (SO)
  • Scales MOSS object permissions from site collections to individual objects.
  • Allows for permission inheritance from parent to child objects.
  • 33 default permissions can be assigned to a user or SharePoint group.
  • Permissions can be specified on event items, such as an Events list.
  • Returned search results can map back to the security context of the user.
  • These controls trim the UI to the user's own security context.
Permission Management Architecture
  • Sets permissions for SharePoint users, groups, and domain groups.
  • Default groups include:
    • Owners (get full control)
    • Visitors (get contributor rights)
    • Members (get read rights)
  • Custom groups can be created and managed by site collection.
  • Group membership is consistent within the site collection.
  • Custom groups are reusable across different project sites.
Information Rights Management (IRM)
  • Protects sensitive information at the client level, even when business information is taken offline.
  • This may be essential for companies to comply with regulations, including privacy legislation such as:
    • California Senate Bill No. 1386
    • Sarbanes-Oxley Act (SOX Compliance)
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Other government and regulatory requirements
MOSS 2007 and IRM
  • Server-side IRM integrates with MOSS repositories through the WRM framework.
  • IRM imposes access restrictions at the document level: “no matter where it is stored or who tries to open it”.
  • A common IRM policy permits only authorized viewing or printing.
  • A “protector” is used to provide IRM functionality. Several are installed with MOSS.
  • A protector manages the encryption process for all file types stored in MOSS.
  • The MOSS application architecture supports pluggable protectors for other file types.
IRM Scenarios
  • Example: How a user requests a rights-managed document from a MOSS 2007 integrated IRM protector.
  • IRM extended scenarios include:
    • User credential verification after a certain time period.
    • Disallow user upload of assets that do not use IRM.
    • Schedule an expiration tag to drop the restriction policy.
    • Bind to a global organization IRM permission policy.
IRM Requirements
  • Ensure that all the requirements are met in the MOSS environment:
    • Windows Rights Management (WRM) Services Client on MOSS Web servers.
    • Microsoft Rights Management Services (RMS) connectivity to the MOSS Web servers.
    • The RMS server is configured for MOSS through SharePoint Central Administration, either:
      • By using the default from Active Directory
      • By specifying its location
IRM Implementation
  • IRM works directly with SharePoint data store structures such as document libraries to maintain permissions:
  • A user navigates to an IRM-enabled document library and attempts to download a document.
  • MOSS binds roles to the document library for the documents.
  • The MOSS protector encrypts the document and adds an issuance license. Result: a 1:1 mapping between MOSS and document permissions.
  • SharePoint roles for the document translate into IRM permission levels on the document.
  • The document is encrypted locally for offline protection.
Scenario: Back-to-Back Perimeter with Content Publishing
  • Example: Back-to-back perimeter topology that hosts static content.
  • Identity Manager permits SharePoint authentication of external users.
Summary

  • ✓ Allows for the easy implementation of Internet-facing environments (extranets).
  • ✓ Built to enable support for heterogeneous environments.
  • ✓ Supports pluggable forms-based authentication (FBA) providers.
  • ✓ Reduces management overhead and improves security.
  • ✓ Offers granular rights management of business assets.

Links and References

For more information about Microsoft Office SharePoint Server 2007:

http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx

http://technet2.microsoft.com/Office/en-us/library/b28ba53d-a3e8-440f-9fcb-f592d858894a1033.mspx?mfr=true