Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive - PowerPoint PPT Presentation

bernad
slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive PowerPoint Presentation
Download Presentation
Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive

play fullscreen
1 / 38
Download Presentation
Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive
336 Views
Download Presentation

Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive Name 03/28/07

  2. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  3. Microsoft Office SharePoint Server 2007 • MOSS 2007 eases the implementation of effective security: • Simplifies implementing Internet-facing environments (extranets). • Enables support for heterogeneous environments. • Uses pluggable forms-based authentication (FBA) providers. • Reduces management overhead and improves securely. • Offers granular rights management of business assets.

  4. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  5. Challenges for MOSS 2007 Security • The challenges for MOSS 2007 are to: • Support authentication for multiple identify management systems. • Provide authentication that maps user accounts for third-party applications to LOB systems. • Configure entry locations for MOSS/control URL site mapping. • Protect valuable application connection string data. • Lockdown site collections and restrict user access over MOSS. • Provide client-level protection of sensitive information.

  6. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  7. Pluggable Authentication Provider • MOSS integrates ASP .NET 2.0 pluggable authentication for Windows and non-Windows. • Supports shipped, Windows-based authentication methods. • Sets up Internet-facing SharePoint authentication. • Enables pluggable authentication providers built on ASP.NET 2.0 membership architecture. • ASP.NET 2.0 pluggable providers can employ membership data stores including: • Microsoft Access • Oracle databases • XML files • Flat text files

  8. ASP .NET 2.0 Membership Provider • Supports configurable directories in a member data store. • Stores pluggable provider credentials in the machine.config file. • MOSS membership providers include: • LDAP V3 directory (with MOSS) • SQL Server • Active Directory (ASP .NET 2.0) • Pluggable membership providers: • Inherit from the ASP.NET MembershipProvider interface; • This interface inherits from the ProviderBase class.

  9. Considerations for ASP .NET Authentication • MOSS services use Windows accounts – even with a pluggable provider. • Use Windows identities to reduce Microsoft Office client interoperation. • Authentication types, not resolving to a Windows identity, must use a MOSS zone. • A mandated PKI infrastructure such as for smartcards typically resolves to a Windows identity. • PKI implementation may require a MOSS zone or other configuration. Add a diagram here Company A (Windows Authentication) Company B (Non-Windows Authentication)

  10. Pluggable Single Sign-On (SSO) • The MOSS SSO service provides an encrypted back-end cache of users' credentials for mapping to connected LOB systems. • Aids in retrieving critical information through MOSS mechanisms: • Business Data Catalog (BDC) • SharePoint DataView Web Parts (DVWP) • Can specify a pluggable SSO provider, instead of SpsSsoProvider. • Registers only one SSO provider per LOB system at a time.

  11. Forms-Based Authentication • Utilizes pluggable authentication and role providers to enable Internet-style security. • Supports a customized login process geared to users' needs. • Forms authentication cookies and authentication tickets are encrypted and tamper-proof. • The form identity provider, called Web SSO, can plug into an external identify management system.

  12. Web Single Sign-On • MOSS supports federated authentication between Web SSO vendors. • Employs an HTTP module for external authentication. • Allows external partners to authenticate to MOSS using their user credentials. • Delegates log in and password reset to partners. • Web SSO authentication requires an extranet zone. Partner Application

  13. Alternate Access Mapping (AAM) • AAM ensures internal and public URL mappings work correctly. • The //MOSS URL is mapped by default, but can be extended to additional URLs. • Alternate URLs can be mapped to one physical path such as //MOSS. • MOSS entry points can use different authentication providers / Web application security policies. • Compensates for different domains, reverse proxies, and other URL redirection mechanisms. Intranet Users http://contoso http://MOSS Extranet Users http://extranet.contoso.com

  14. AAM Example Configuration • Example: The //MOSS site has two AAM URLs: internal corporate users and external partners. • The Intranet URL, //contoso, is mapped to: • Intranet zone: Resolves to domain-authenticated Windows identities. • The Extranet, //extranet.contoso.com , is mapped to a different zone: • Extranet zone: Log in is via Web SSO authentication. Intranet Users http://contoso http://MOSS Extranet Users http://extranet.contoso.com

  15. Zones Alternate Access Mapping (AAM) • A zone maps multiple Web applications to a single set of content databases, allowing greater control over AAM. • Zones use the AAM URL to map different authentication providers to the same physical path and MOSS content. • Recommended: Bind the zone to an authentication mechanism. Default • An AAM URL that maps to a zone, not on the authentication providers page, uses the security setting for the Default zone. • Recommended: Place the most publicly-accessible URL in the Default zone, such as intranet, Internet, custom, or extranet.

  16. Zones AAM Configuration • Zones affect how people are authenticated and routed through the portal from URL entry points. • New Web applications can be extended by specifying the zone in the Load Balancing URL section of the settings. Extranet • Within each zone, bind global Web application security policy that defines permissions settings for users in the zone.

  17. Zones AAM Planning Scenario • Zones Require Planning! This example scenario shows decisions that the authentication system must make when a Web crawler attempts to authenticate.

  18. AAM / Global Security Policies • MOSS supports global security policies that bind policy settings to a specific user or group within the application. • Examples: Full access, full read access, deny-write access, or deny-all access. • Overrides the MOSS granular permission settings, managed from SharePoint Central Administration interface. • Binding security policies to zones gives trusted external users full-read access – No manual settings are required.

  19. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  20. Encryption of Application Connection Strings • Storing connection string data in plain text in the web.config file creates a security vulnerability. • ASP.NET 2.0 functionality can be used to encrypt application connection string data using either: • Windows Data Protection API (DPAPI): Encrypts and decrypts using the MOSS server machine key. • RSA encryption: Uses public key algorithms, but adds appropriate containers for the encryption keys. • Pluggable encryption providers can use different encryption tools.

  21. Connection String Encryption Best Practices • For MOSS 2007 and pluggable SQL Server authentication provider, encrypt the <connectionStrings> node in cipher text: • DPAPI uses native machine key encryption for either a virtual directory or a physical directory. Use the following commands: • Encrypt the connection strings node specifying the section parameter:

  22. Connection String Encryption Best Practices (continued) • After implementation, the nodes of sensitive information are replaced by well-formed XML cipher values: • This pluggable model can support custom encryption providers to manage cipher text for relevant MOSS configuration files. • Considerations: • Encryption using the local machine key can only use the configuration node on the MOSS server on which it was created. • If an intruder gained access to the server and retrieved the machine key, they could decrypt the connection string. • Decryption causes a minor application performance hit.

  23. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  24. Targeted Content for Secure Collaboration • MOSS ECM Common Services control access to stored information. • Lockdown permits users to access the authorized information only: • Binds an identity to a specific object – from a site collection to a document or list. • Enforces granular access controls and explicit membership to an item. • Denies access and adjusts the UI to show accessible items only.

  25. Item Level Security (ILS) / Secured Objects (SO) • Scales MOSS object permissions from site collections to individual objects. • Allows for permission inheritance from parent to child objects. • 33 default permissions can be assigned to a user or SharePoint group. • Permissions can be specified on event items, such as an Events list. • Returned search results can map back to the security context of the user. • These controls trim the UI to the exclusive user context.

  26. Permission Management Architecture • Sets permissions for SharePoint users, groups, and domain groups. • Default groups include: • Owners (get full control) • Visitors (get contributor rights) • Members (get read rights) • Custom groups can be created and managed by site collection. • Group membership is consistent within the site collection. • Custom groups are reusable across different project sites.

  27. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  28. Information Rights Management (IRM) • Protects sensitive information at the client level, even when business information is taken offline. • This may be essential in order for companies to deal with regulations, such as privacy legislation including: • California Senate Bill No. 1386 • Sarbanes-Oxley Act (SOX Compliance) • Health Insurance Portability and Accountability Act (HIPAA) • Other government and regulatory requirements

  29. MOSS 2007 and IRM • Server-side IRM integrates with MOSS repositories through the WRM framework. • IRM imposes access restrictions at the document level: “no matter where it is stored or who tries to open it”. • Common IRM permits authorized viewing or printing only. • A “protector” is used to provide IRM functionality. Several are installed with MOSS. • A protector manages the encryption process for all files types stored in MOSS. • The MOSS application architecture supports pluggable protectors for other file types.

  30. IRM Scenarios • Example: Shows how a user requests a rights-managed document from a MOSS 2007 integrated IRM protector. • IRM extended scenarios include: • User credential verification after a certain time period • Disallow user upload of assets that so not use IRM. • Schedule an expiration tag to drop the restriction policy. • Bind to a global organization IRM permission policy

  31. IRM Requirements • Ensure that all the requirements are met in the MOSS environment: • Windows Rights Management (WRM) Services Client on MOSS Web servers. • Microsoft Rights Management Services (RMS) connectivity to the MOSS Web servers. • RMS server for MOSS assimilates through SharePoint Central Administration, either: • By using the default in Active Directory • Specifying the location

  32. IRM Implementation • IRM works directly with SharePoint data store structures such as document libraries to maintain permissions: • A user navigates to an IRM-enabled document library and attempts to download a document. • MOSS binds roles to the document library for the documents. • MOSS protector encrypts the document and adds an issuance license.Result: 1:1 mapping between MOSS and document permissions. • SharePoint roles for the document translate into IRM permission levels on the document. • The document is encrypted locally for offline protection.

  33. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  34. Scenario:Back-to-Back Perimeter with Content Publishing • Example: Back-to-back perimeter topology that hosts static content. • Identity Manager permits SharePoint authentication of external users.

  35. Summary Allows for the easyimplementation of Internet-facingenvironments (extranets). ü Built to enable support for heterogeneous environments. ü Supports pluggable forms-based authentication (FBA) providers. ü Reduces management overhead and improves securely. ü Offers granular rights management of business assets. ü

  36. Links and References For more information about Microsoft Office SharePoint Server 2007 : http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx http://technet2.microsoft.com/Office/en-us/library/b28ba53d-a3e8-440f-9fcb-f592d858894a1033.mspx?mfr=true

  37. Questions and Answers