OSP201: The Ten Immutable Laws of Microsoft SharePoint Security

• Security and complexity are often inversely proportional.
• Security and usability are often inversely proportional.
• Security is an investment, not an expense.
• "Good enough" security now is better than "perfect" security never.
• There is no such thing as "complete security" in a usable system.
• A false sense of security is worse than a true sense of insecurity.
• Your absolute security is only as strong as your weakest link.
• Concentrate on known, probable threats.
• Security is directly related to the education and ethics of your users.
• Security is not a static end state; it is an interactive process.
• There are few forces in the universe stronger than the desire of an individual to get his or her job accomplished.
• You only get to pick two: fast, secure, cheap.
• In the absence of other factors, always use the most secure options available.
• Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done.
• Defines electrical and physical specifications
• Defines the relationship between a device and its medium (copper, optical, radio, etc.)
• How data is transferred from node to node across a network

• Wireless networks
• Sniffers
• ARP flooding
IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network.
• IPsec has two goals: to protect IP packets and to defend against network attacks
• Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other
• IPsec secures network traffic by using encryption and data signing
• An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated
Remote access policy evaluation (flowchart, rendered as steps):
1. START. Are there policies to process? No: reject connection attempt. Yes: continue.
2. Does the connection attempt match the policy conditions? No: go to next policy (back to step 1). Yes: continue.
3. Is the remote access permission for the user account set to Deny Access? Yes: reject connection attempt. No: continue.
4. Is the remote access permission for the user account set to Allow Access? Yes: skip to step 6. No: continue.
5. Is the remote access permission on the policy set to Deny remote access permission? Yes: reject connection attempt. No: continue.
6. Does the connection attempt match the user object and profile settings? No: reject connection attempt. Yes: accept connection attempt.
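The decision flow above as an added worked example (this is not code from the original deck): a small Python evaluator that walks an ordered list of policies and returns the verdict plus the step that produced it. The `Policy` and `ConnectionAttempt` types, the attribute names `group`, `port_type` and `auth`, and the sample users and policies are all constructed for illustration; the flow itself (first matching policy decides, account-level Deny and Allow override the policy permission, profile settings are checked last) is the one the chart describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Remote access permission on the user account: the three settings the flow
# distinguishes (constructed constants, not an API).
DENY_ACCESS = "deny"
ALLOW_ACCESS = "allow"
CONTROL_THROUGH_POLICY = "policy"


@dataclass
class Policy:
    name: str
    conditions: Dict[str, str]      # every attribute must match for the policy to apply
    grants_access: bool             # remote access permission on the policy itself
    profile: Dict[str, Set[str]]    # attribute -> values the profile allows


@dataclass
class ConnectionAttempt:
    user: str
    attributes: Dict[str, str]      # constructed RADIUS-style attributes of the attempt


def evaluate(attempt: ConnectionAttempt, user_permission: str,
             policies: List[Policy]) -> Tuple[str, str]:
    """Walk the decision flow and return ('accept' | 'reject', reason)."""
    for policy in policies:                       # step 1: are there policies to process?
        # step 2: does the attempt match the policy conditions? If not, next policy.
        if any(attempt.attributes.get(k) != v for k, v in policy.conditions.items()):
            continue
        # step 3: account permission Deny Access rejects regardless of the policy
        if user_permission == DENY_ACCESS:
            return "reject", f"{policy.name}: user account permission is Deny Access"
        # steps 4 and 5: account Allow Access skips the policy permission check;
        # "control through policy" defers to the policy's own permission
        if user_permission != ALLOW_ACCESS and not policy.grants_access:
            return "reject", f"{policy.name}: policy permission is Deny remote access"
        # step 6: the profile settings still apply even when the account says Allow
        for attr, allowed in policy.profile.items():
            value = attempt.attributes.get(attr)
            if value not in allowed:
                return "reject", f"{policy.name}: profile rejects {attr}={value!r}"
        return "accept", f"{policy.name}: conditions, permission and profile satisfied"
    # fell off the end of the list: no policy matched (the "No" branch of step 1)
    return "reject", "no policy matched the connection attempt"


# Constructed sample policies, evaluated in order; the first match decides.
POLICIES = [
    Policy("Block contractors", {"group": "Contractors"}, grants_access=False, profile={}),
    Policy("Employee VPN", {"group": "Employees", "port_type": "Virtual"},
           grants_access=True, profile={"auth": {"MS-CHAPv2", "EAP-TLS"}}),
]


def decide(user: str, user_permission: str, **attrs: str) -> Tuple[str, str]:
    """Convenience wrapper: evaluate one attempt against the sample policies."""
    return evaluate(ConnectionAttempt(user, attrs), user_permission, POLICIES)


if __name__ == "__main__":
    samples = [
        ("alice", CONTROL_THROUGH_POLICY, dict(group="Employees", port_type="Virtual", auth="EAP-TLS")),
        ("alice", CONTROL_THROUGH_POLICY, dict(group="Employees", port_type="Virtual", auth="PAP")),
        ("bob", CONTROL_THROUGH_POLICY, dict(group="Contractors")),
        ("bob", ALLOW_ACCESS, dict(group="Contractors")),
        ("eve", ALLOW_ACCESS, dict(group="Guests")),
    ]
    for user, perm, attrs in samples:
        verdict, reason = decide(user, perm, **attrs)
        print(f"{user:6} {perm:7} -> {verdict:7} ({reason})")
```

The fourth sample is the case worth noticing: an account set to Allow Access passes a policy whose own permission is Deny, because step 4 jumps straight to the profile check. When auditing a deployment, that is the combination to look for, since a per-account Allow silently overrides a policy-level Deny.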
http://bad.ketil.froyn.name/
http://www.example.com
Law #1: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #2: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #3: If a bad guy can view your conversation, you have just invited him to tell everyone
Law #4: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #5: If you allow a bad guy to upload programs to your website or network, it's not your stuff anymore
Law #6: Absolute anonymity isn't practical, in real life or on the Web
Law #7: Weak passwords trump strong security
Law #8: A computer is only as secure as the administrator is trustworthy
Law #9: Your infrastructure is only as strong as your weakest link
Law #10: Technology is not a panacea
http://northamerica.msteched.com
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn