Transcript Web Application Security

IW316
Securing SharePoint Technology
Joel Oleson
http://blogs.msdn.com/joelo
Sr. Technical Product Manager
Microsoft Corporation
Agenda
• Site Collection and below…
–Demo: Site Permissions and Item level
security
• Web App Security
–Demo: Web Application Policies
• Farm Security
–Demo: Forms based authentication
• Summary
• Q/A
Site and List Security
Data Protection
Item Level Security and Security Trimming
– Permissions from site collections
to individual objects.
– Default permission inheritance
from parent to child objects.
– 33 default permissions can be
assigned to a user or SharePoint
group.
– Permissions can be specified on
items
– Returned search results can map
back to the security context of the
user.
– These controls trim the UI to the
exclusive user context.
Permission Management Architecture
– Sets permissions for SharePoint
users, groups, and domain
groups.
– Default groups include:
• Owners (get full control)
• Visitors (get contributor rights)
• Members (get read rights)
– Custom groups can be created
and managed by site collection.
– Group membership is consistent
within the site collection.
– Custom groups are reusable
across different project sites.
Site Permissions and Item level security
Demo
Solution Deployment
Information Rights Management (IRM)
– Protects sensitive information at the client level, even when
business information is taken offline.
– This may be essential in order for companies to deal with
regulations, such as privacy legislation
– Ensure that all the requirements are met in the environment:
• Windows Rights Management (WRM) Services Client on
MOSS Web servers.
• Microsoft Rights Management Services (RMS) connectivity to
the SharePoint farm.
• Configuration enabled in SharePoint Central Administration
then configured in the list or library
SharePoint List and Library IRM integration
– IRM integrates with lists through the rights management
framework.
– IRM imposes access restrictions : “no matter where it is stored or
who tries to open it”.
– Common IRM policy permits authorized viewing or printing only.
– A “protector” is used to provide IRM functionality. Several are
installed with MOSS.
– A protector manages the encryption process for all files types
stored in MOSS.
– The architecture supports pluggable protectors for other file types.
IRM Scenarios
– Example: Shows how a user
requests a rights-managed
document from a MOSS 2007
integrated IRM protector.
– IRM extended scenarios include:
• User credential verification after a
certain time period
• Disallow user upload of assets that
so not use IRM.
• Schedule an expiration tag to drop
the restriction policy.
• Bind to a global organization IRM
permission policy
IRM Implementation
– IRM works directly with SharePoint data store structures such as
document libraries to maintain permissions:
User Downloads
Documents
•
•
•
•
•
Match Role to
Document Library
Document Encrypted:
Issuance License
Added
Permissions Carry
Locally Offline
A user navigates to an IRM-enabled document library and
attempts to download a document.
binds roles to the document library for the documents.
protector encrypts the document and adds an issuance license.
Result: 1:1 mapping between item and document permissions.
SharePoint roles for the document translate into IRM permission
levels on the document.
The document is encrypted locally for offline protection.
Content/Audience Targeting
• Web Part/Content targeting to
– Global Audience (SSP Audience Configuration)
Based on
• Active directory attributes
• Pluggable ASP.NET Membership provider attributes
• Profile Attributes
Compiled in a recurring Timer Job
• SharePoint Groups – Groups defined based users and groups in
Site permissions levels
• Distribution/Security Groups
• My Site secure location targeting
• NOTE: Targeting does not equal permissions or rights
Secure Collaboration
– Common Services control access
to stored information.
– Lockdown permits users to
access the authorized information
only:
User Interface
Microsoft
Office
Web
Browser
Third Party
Applications
ECM Components
Record
Management
Forms
Management
Web Content
Management
Document
Management
• Binds an identity to a specific object
– from a site collection to a
document or list.
• Enforces granular access controls
and explicit membership to an item.
• UI shows accessible items only.
Microsoft Office Sharepoint Server 2007
Workflow
Metadata
Policy
Library
Services
IRM
Collaboration
Security
Search
Common Services
Unified Storage Architecture
WEB APPLICATION SECURITY
Authentication and Authorization
Pluggable Authentication Provider
– MOSS integrates ASP .NET 2.0
pluggable authentication for
Windows and non-Windows.
– Supports shipped, Windowsbased authentication methods.
– Sets up Internet-facing
SharePoint authentication.
– Enables pluggable authentication
providers built on ASP.NET 2.0
membership architecture.
– ASP.NET 2.0 pluggable providers
can employ membership data
stores including:
• LDAP Directories
• SQL Database
• Oracle or other ADO.NET/ODBC
Compliant data sources
• XML files or Flat text files
Display Login Page
Login
Membership Class
ValidateUser Method
Membership Provider
Authentication
Access a Data Source
(Custom Schema
Custom Storage)
Validate Credentials
(Custom Behavior)
ASP .NET 2.0 Membership Provider
– Supports configurable directories
in a member data store.
– Stores pluggable provider
credentials in the machine.config
file.
– Membership providers include:
• LDAP V3 directory (with MOSS)
• SQL Server
• Active Directory (ASP .NET 2.0)
ProviderBase
MembershipProvider
– Pluggable membership providers:
• Inherit from the ASP.NET
MembershipProvider interface;
• This interface inherits from the
ProviderBase class.
<x>MembershipProvider
Considerations for ASP .NET Authentication
– Authentication types, not
resolving to a Windows identity,
must use a zone.
– A mandated PKI infrastructure
such as for smartcards typically
resolve to a Windows identity.
– PKI implementation may require a
zone or other configuration.
Company A
(Windows
Authentication)
• Browser clients only
– Search crawler must use
Windows
– Office client interaction degraded
• Forms & Windows accounts
– Forms user not same as
Windows user
Company B
(Non-Windows
Authentication)
Pluggable Single Sign-On (SSO)
– The MOSS SSO service provides
an encrypted back-end cache of
users' credentials for mapping to
connected LOB systems.
– Aids in retrieving critical
information through MOSS
mechanisms:
• Business Data Catalog (BDC)
• SharePoint DataView Web Parts
(DVWP)
– Can specify a pluggable SSO
provider, instead of
SpsSsoProvider.
– Registers only one SSO provider
per LOB system at a time.
BDC
Web Parts
Search
Lists
User
Profiles
Custom
Component
s
Shared Service Provider (SSP)
WS Proxy
Web service
LOB System
SAP Seibel, Peoplesoft
ADO.NET
Web service
LOB System
SAP Seibel, Peoplesoft
BDC
Metadata
Forms-Based Authentication
– Utilizes pluggable authentication and role providers to enable
Internet-style security.
– Supports a customized login process geared to users' needs.
– Forms authentication cookies and authentication tickets are
encrypted and tamper-proof.
– The form identity provider, called Web SSO, can plug into an
external identify management system.
FBA Web Single Sign-On
– Employs an HTTP module for
external authentication.
– Allows external partners to
authenticate using their user
credentials.
– Delegates log in and password
reset to provider.
– Web SSO authentication requires
an extranet zone.
Partner Application
Alternate Access Mappings
– Provides internal and external URL mappings work correctly.
– The URL is mapped by default, but can be extended to additional
URLs.
– Alternate URLs can be mapped to one physical path
– Zones can use different authentication providers / Web application
security policies.
AAM
MOSS Site
– Compensates for different
Mappings
application domains, reverse proxies,
and other URL redirection mechanisms.
Intranet
Users
http://contoso
http://MOSS
Extranet
Users
http://extranet.con
toso.com
Zones in Alternate Access Mapping (AAM)
– A zone maps Web application to a single set of content
databases, allowing greater control over AAM.
– Zones use the AAM URL to map different authentication providers
to the same physical path and MOSS content.
– Recommended: Bind the zone to an authentication mechanism.
Default
•
URL that maps to a zone, not on the authentication providers page,
uses the security setting for the Default zone.
•
Recommended: Place the most publicly-accessible URL in the
Default zone, such as intranet, Internet, custom, or extranet.
SharePoint Web App Security Policies
Central enforced permissions for all sites in the web application
GRANT and DENY
Bound to web application/zone
Scenarios
Full read – search crawling accounts, auditors, legal compliance
Deny all – security control, regulatory compliance
Deny write – extranet lockdown
Overrides the granular item level permission settings, managed
from SharePoint Central Administration interface.
Microsoft Confidential
Web Application Policies
Demo
Solution Deployment
Encryption of Application Connection Strings
– Storing connection string data in plain text in the web.config file
creates a security vulnerability.
– ASP.NET 2.0 functionality can be used to encrypt application
connection string data using either:
• Windows Data Protection API (DPAPI): Encrypts and decrypts
using the MOSS server machine key.
• RSA encryption: Uses public key algorithms, but adds
appropriate containers for the encryption keys.
– Pluggable encryption providers can use different encryption tools.
Connection String Encryption Best Practices
– For MOSS 2007 and pluggable SQL Server authentication
provider, encrypt the <connectionStrings> node in cipher text:
– DPAPI uses native machine key encryption for either a virtual
directory or a physical directory. Use the following commands:
– Encrypt the connection strings node specifying the section
parameter:
Connection String Encryption Best Practices
(continued)
– After implementation, the nodes of sensitive information are
replaced by well-formed XML cipher values:
–
– This pluggable model can support custom encryption providers to
manage cipher text for relevant MOSS configuration files.
– Considerations:
• Encryption using the local machine key can only use the
configuration node on the server on which it was created.
• If an intruder gained access to the server and retrieved the
machine key, they could decrypt the connection string.
• Decryption causes a minor application performance hit.
Shared Service Considerations
• BDC is available to all web apps consuming from
the SSP where it is configured
• Without security trimmers
–Notes search results are not trimmed
–BDC Search Results are not security Trimmed
• WSS Search results are trimmed to site
collection by scope, ensure sites are secured
appropriately
Active Directory Federation Services
ADFS – Active Directory Federation Services – includes non
trusted federated web services authentication model. Works with
browser based functions.
Not recommended with rich client requirements
Understand - “Enable Client Integration”
Matches Office client’s behavior for some
FBA providers
Microsoft Confidential
SERVER and FARM SECURITY
Architectural Considerations and Lockdown
Secure by Default
• Anonymous disabled by default
• Sites secured to site creator
• Server administrators no access to content web apps
• Permissions changes audited
• Self Service not enabled by default
LOCK IT DOWN!
• Configure Firewall Rules lock down to most restrictive w/
acceptable level of usability (i.e. outbound HTTP
– Consider RSS/XML web part requirements
• Secure client communication with trusted SSL certificates (128bit
HTTPS)
• IP Sec – Require or Request: Secure communication between
servers and DCs
– Careful with NLB and clients (MAC/Unix)
• Enable Kerberos Authentication (Intranet) *Careful with NLB
• SQL SSL encrypted Traffic + Non Standard Port
• Configure Central Admin on App server
• IP Restrict traffic to Central Admin and SSP App Pools (IIS)
• Configure Deny Policies on Content/Admin Web Apps for
Applicable Groups/Domains
• Configure ISA Secure Publishing
Forefront Security for SharePoint
Protects MOSS 2007 and WSS 3.0
Virus Protection for Document Libraries
Integrates scan engines from eight industry
leading vendors
Real-time scanning of documents uploaded
and downloaded from document library
Manual and scheduled scanning of
document library
SQL
Document
Library
Document
SharePoint
Server
Document
Content Filtering Policy Enforcement
File filtering to block documents from
being posted based on name match,
file type or file extension
Content filtering by keywords within
documents for inappropriate words and phrases
Users
SharePoint API integration
• Utilizes the SharePoint Virus API to scan files during upload and
download
– Optimized for performance in a SQL environment
• Files are not rescanned if engines have
not been updated
• Up to ten simultaneous scanning threads to help ensure users
are not delayed waiting for documents to scan
• Automatic integration with SharePoint Information Rights
Management (IRM) to scan protected files on the fly
Secure Web Publishing with ISA
Single sign-on for multiple
resource access
NEW
NEW
Improved idle-based timeouts for session mgmt
Enhanced certificate
administration
NEW
NEW
Authentication delegation
(NTLM, Kerberos)
Exchange & SharePoint
publishing tools
NEW
NEW
LDAP authentication for
Active Directory
Web publishing load
balancing
NEW
NEW
Customized logon forms for
most devices & apps
NEW
NEW
Smartcards & one-time
password support
Fast, Secure Access
Efficient Management
Integrated Security
Automatic translation of
embedded internal links
External
Web
Server
ISA 2006
User
Exchange
Intranet
Web
Server
DMZ
Internal
Network
Internet
SharePoint
Administrator
HEAD
QUARTER
S
Active
Directory
35
Extranet Architecture Example
Authoring -> Production
Content Deployment
Intranet, Extranet, Internet
2 Farms, 3 SSPs
TechNet: Plan Logical Architecture
Architecture Considerations
• Why more than 1 Farm?
– Application/Customization SLAs, Licensing (Internet vs. Intranet
CAL), Isolation (No Scale)
• Why more than 1 SSP?
– Isolation and Service Needs
• Why more than 1 App Pool?
– Security Isolation, Memory and CPU isolation, Auth requirements
• Why more than 1 Site Collection?
– Separation/delegation of ownership, quotas, ability to split across
databases
• Why keep them together?
– Global Navigation, Inheritance of style/Master page, Security
inheritance, Query web parts, Site Collection policy and content
types enforcements
Database Considerations
• Databases can be pre-created and then used to be created for
content databases
• SQL Security, rights and roles should be scrutinized employ least
priviledged access considerations
• Config
– Contains list of all servers, site collections, web apps, web parts,
solutions (Most critical db in farm from availability )
• Content database
– Contains all data, blobs, sites webs, etc… (Most Sensitive,
• Search & SSP Dbs
– Optimize… High Disk I/O contains configuration & search property
and profile store (index/query - index on disk)
Protocols
• All protocols are HTTP-based
– HTTP/S: Browser sessions
– SOAP/Web Services: Editing from Office Applications, Web
Services & Indexing
– RSS: All lists can be viewed this way
– FP-RPC: SharePoint Designer, Usage
– Web-DAV: Explorer View, Web Client Access
– XMLHTTPRequest - Forms
Additional Architectural Considerations
• Windows Servers – (SCW) Security
Configuration Wizard (verify)
• IIS – Certificate management, IP restrictions
• SQL – Use windows auth vs. SQL security
• Manage domain accounts
Firewall Ports
In/Out
From
Port
To
Inbound
ALL (as applicable)
TCP 80 or 443
ISA Web Pub or
WFE
Inbound
All SharePoint Server
(Depends on Central
Admin config)
Office Server Web Services, TCP 56737,
SSL 56738
Central Admin
/SSP Admin
Server
Inbound
Index
TCP 80 or 443
WFE
Outbound
ALL SharePoint Svrs
(Based on Auth)
DS (TCP 445)
RPC (TCP 135)
DNS (UDP 53)
Kerberos (UDP 88)
LDAP/S (UDP 389/636)
DC/DNS (LDAP)
Outbound/(Inbound WFE (alerts or mail
if applicable)
enabled list)
SMTP (TCP 25)
SMTP/MAIL
Outbound
ALL SharePoint Svrs
SQL (TCP 1433) or SSL custom port
SQL
Outbound
WFE (Search Request)
Query, NBT (TCP/UDP 137, 138,139) or
Direct-hosted SMB (TCP/UDP 445)
Query
Outbound
Index (Propagation)
Query NBT (TCP/UDP 137, 138,139) or
Direct-hosted SMB (TCP/UDP 445)
Query
Outbound
WFE (SSO)
RPC for SSO – (TCP 135), plus random high APP Servers
ports (Dynamic RPC) or restricted
Security Summary
Site and List Security
Information Rights Management Integration
Information Policies – auditing, expiration
Item Level Security
Barcodes and Labels, extensibility for signatures
Content Approval, Workflows
Web Application Security
Forms-Based Authentication and Single Sign-on
Active Directory Federation Services (ADFS)
Search – security trimmed search results
Publishing through Internet Security and Acceleration Server
(ISA) and Intelligent Application Gateway (IAG)
Server and Farm Security
Pluggable Authentication – Pluggable Authentication Provider
Security Policies; Major and minor versions, Web Application
IIS IP restrictions, Windows 2003 R2 SCW to Lock down server
Summary
Allows for the easy implementation of Internet-facing
 environments and extranets.
Built to enable support for heterogeneous
 environments.
Supports pluggable forms-based authentication (FBA)
 providers.
Reduces management overhead and improves
 securely.
 Offers granular rights management of business assets.
Guidance for a More Secure Infrastructure
SharePoint Team Security Related Posts
http://blogs.msdn.com/sharepoint/archive/tags/Security/default.aspx
TechNet Securing Your Sites, Servers, and Server Hardening
http://technet2.microsoft.com/Office/en-us/library/763613ac-83f4-424e-99d032efd0667bd91033.mspx?mfr=true
7 New Features that Enhance Security in SharePoint
http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx
Security and Protection for Office SharePoint Server 2007
http://technet2.microsoft.com/Office/en-us/library/6cc7cbec-bbb8-4473-83a265149e932e901033.mspx?mfr=true
TechNet Webcast: SharePoint Security from Service Accounts to
Item-Level Access
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=enUS&EventID=1032313270&CountryCode=US
Forefront Security for SharePoint
http://www.microsoft.com/forefront/serversecurity/sharepoint/default.mspx