Welcome.
Microsoft Services
helps businesses
around the world
maximize their
investment in
Microsoft products
and technologies.
SharePoint
Lockdown: Security
and BI
Chris Conte
Premier Field Engineer
25 Feb 2014
OBJECTIVE
The Threat
Understand the
basics of
SharePoint Security
and an overview of
good practices for
securing a sensitive
data environment
Authentication & STS
Authorization
Applying Permissions
SQL Server
Call to Action
2
Distrust and caution are the
parents of security.
– Benjamin Franklin
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or
other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided
after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
3
Authentication Providers
Classic = BAD!
CMA (Classic-Mode)
CBA (Claims Based Authentication)
SAML (Security Assertion Markup Language)
FBA (Forms-Based Authentication)
Name
Email
Job Title
STS (Security Token Service)
Authorization not
Authentication
Membership and
Role Providers
User Permissions
Permission level
Limited Access
Description
Allows access to shared resources in the Web site so that the users can
access an item within the site. Designed to give users access to a
specific list, document library, folder, list item, or document, without
giving them access to the entire site. Cannot be customized or deleted.
Read
View pages, list items and download documents.
Contribute
View, add, update, and delete items in the existing lists and document
libraries.
Design
View, add, update, delete, approve, and customize items or pages in the
Web site.
Full Control
Allows full control of the scope.
•
•
•
•
•
Permissions included by default
View Application Pages
Browse User Information
Use Remote Interfaces
Use Client Integration Features
Open
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Limited Access permissions, plus:
View Items
Open Items
View Versions
Create Alerts
Use Self-Service Site Creation
View Pages
Read permissions, plus:
Add Items
Edit Items
Delete Items
Delete Versions
Browse Directories
Edit Personal User Information
Manage Personal Views
Add/Remove Personal Web
PartsUpdate Personal Web Parts
Approve permissions, plus:
Manage Lists
Add and Customize Pages
Apply Themes and Borders
Apply Style Sheets
All permissions
Applying Permissions
Groups (and Nesting)
Farm Admins (Web App / Policy)
Site Collection Inheritance
SharePoint Group
AD Group
User
SQL Server Security
Security starts with code, then patching
Separate roles of SQL Server engine, reporting services, ETL, etc.
Separate accounts for Engine, Agent, SSIS, SSRS, etc.
Limit access, use AD groups, use SQL Roles
Do not turn on unnecessary components under SP_CONFIGURE
Auditing, log transfer, ACS
Encryption of DBs, IPSec
Secured backups/media
BPA, STIG/Hardening
Remember, with enough time and resources, nothing is hack-proof, only resistant. All we can do is
harden and monitor
Governance
Who Does the Security Work?
How we handle SharePoint Security
Who is responsible for Authentication?
Group Management?
Privilege user requirements?
Determining appropriate data storage?
New Web Application/Site Collection/Site/Library/List
Anonymous, what does that mean?
Reporting (PowerShell)
Search AD
$strFilterStart = “(&(objectCategory=group)(cn=“
$strFilterEnd = “))”
$strFilterDisplayName = “filter”
$strFilter = $strFilterStart + $strFilterDisplayName + $strFilterEnd
Write-Host $strFilter
objDomain = New-Object System.DirectoryServices.DirectoryEntry
objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = “SubTree”
$PropList = “name”
Foreach ($i in $PropList)
{
$objSearcher.PropertiesToLoad.Add($i)}
$objResults = $objSearcher.FindAll()
Foreach ($objResult in $objRestults)
{
$objResult}
Reporting (PowerShell)
Pull Farm Permissions
$webApps = Get-SPWebApplication –Identity http://URL/
foreach($webApp in $webApps)
{
“Web Application = “ + $webApp >> e:\test.csv
$SPSites = Get-SPSite –WebApplication $webApp}
foreach($SPSite in $SPSites)
{
“Scanning Site” >> e:\test.csv
“Site = ” + $SPSite >> e:\test.csv
“Owner = ” + $SPSite.owner >> e:\test.csv
“Secondary Owner = “ + $SpSite.SecondaryContact >> e:\test.csv
$SPWebs = Get-SPWeb –site $SPSite –Limit All
foreach($SPWeb in $SPWebs)
{
“SPWeb = “ + $SPWeb >> e:\test.csv
“Permissions Below” >> e:\test.csv
$SPWebRoleAssignments >> e:\test.csv
“Finished Scanning “ + $SPWeb >> e:\test.csv}
$Groups = $SPSite.RootWeb.sitegroups
foreach ($Group in $Groups)
{
“” >> e:\test.csv
“Group “ + $Group.Name >> e:\test.csv
foreach ($User in $Group.users)
{
“user: “ + $user.name >> e:\test.csv}}}}
Reporting (PowerShell)
PowerShell Basics\extras
•
•
•
•
•
•
Add-PSSnapin Microsoft.SharePoint.Powershell –ea 0
Write-host to troubleshoot
| FL
Get-help
Get-command
This is an exert that can be added to pulling farm permissions for additional details under SPWeb
$RoleAssignments = $SPWeb.roleassignments
foreach ($roleAssignment in $RoleAssignments)
{foreach ($RoleDefinitionBinding in $RoleAssignment.Roledefinitionbinding)
{if ($RoleDefinitionBinding –eq “fullmask”)
{$roleAssignment
$GroupName = $RoleAssignment.member
}}}
$groups = $SPSite.RootWeb.SiteGroups
Foreach ($group in $groups)
{if($group.name –eq $groupname)
{ $Group.name
foreach ($user in $group.users)
{$user.name}
}}
Call To Action
Use Service Accounts
Start a Governance Plan; Create Policy and Process
Inventory – Organize
Get Help – Get Your Help Trained
KPIs – You need them
Contact
Chris Conte
Premier Field Engineer
(813) 494-4849
chris.conte@microsoft.com
www.microsoft.com/microsoftservices
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or
other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or
after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided
after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION