
Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive


Presentation Transcript


  1. Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive Name 03/28/07

  2. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  3. Microsoft Office SharePoint Server 2007 • MOSS 2007 eases the implementation of effective security: • Simplifies implementing Internet-facing environments (extranets). • Enables support for heterogeneous environments. • Uses pluggable forms-based authentication (FBA) providers. • Reduces management overhead and improves security. • Offers granular rights management of business assets.

  4. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  5. Challenges for MOSS 2007 Security • The challenges for MOSS 2007 are to: • Support authentication against multiple identity management systems. • Provide authentication that maps user accounts to third-party applications and line-of-business (LOB) systems. • Configure entry locations for MOSS and control URL-to-site mapping. • Protect valuable application connection string data. • Lock down site collections and restrict user access within MOSS. • Provide client-level protection of sensitive information.

  6. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  7. Pluggable Authentication Provider • MOSS integrates the ASP.NET 2.0 pluggable authentication model for both Windows and non-Windows identities. • Supports the Windows-based authentication methods that ship with the product (NTLM and Kerberos). • Enables Internet-facing SharePoint authentication. • Enables pluggable authentication providers built on the ASP.NET 2.0 membership architecture. • ASP.NET 2.0 pluggable providers can be written against membership data stores including: • Microsoft Access • Oracle databases • XML files • Flat text files

  8. ASP.NET 2.0 Membership Provider • Supports configurable directories in a member data store. • Provider settings, and the connection string a provider uses, are registered in configuration files: ASP.NET's own defaults in machine.config, the providers a MOSS Web application uses in that application's web.config (and in Central Administration's web.config, so the People Picker can resolve the same users). • Membership providers available with MOSS include: • LDAP v3 directory (LdapMembershipProvider, shipped with MOSS) • SQL Server (SqlMembershipProvider, ASP.NET 2.0) • Active Directory (ActiveDirectoryMembershipProvider, ASP.NET 2.0) • Custom membership providers: • Inherit from the abstract ASP.NET MembershipProvider class (it is a class, not an interface); • MembershipProvider itself derives from ProviderBase.
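The following PowerShell script is an added example, not part of the original deck. It registers an ASP.NET SqlMembershipProvider, together with the connection string it uses, in a MOSS Web application's web.config, which is where the slide's "pluggable provider credentials" actually live for a SharePoint Web application. The web.config path, the provider name FbaSqlMembers, the connection string name, and the SQL server and database names are assumptions.

```powershell
# Added example, not part of the original deck.
# Registers a SqlMembershipProvider (and the connection string it uses) in a
# MOSS 2007 Web application's web.config. All names and paths are assumptions.
param(
    [string]$WebConfigPath  = "C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config",
    [string]$ProviderName   = "FbaSqlMembers",
    [string]$ConnStringName = "FbaMembershipDb",
    [string]$ConnString     = "Server=SQL01;Database=aspnetdb;Integrated Security=SSPI"
)

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($WebConfigPath)
$root = $xml.DocumentElement      # <configuration>

# Return a direct child element by name, creating it when it does not exist yet.
function Get-OrAddElement([System.Xml.XmlElement]$parent, [string]$name) {
    $node = $parent.SelectSingleNode($name)
    if ($null -eq $node) {
        $node = $parent.AppendChild($parent.OwnerDocument.CreateElement($name))
    }
    return $node
}

# 1. <connectionStrings> lives directly under <configuration>.
#    Integrated Security keeps a SQL password out of the file entirely; whatever
#    ends up here is the plaintext that protected configuration later encrypts.
$cs = Get-OrAddElement $root "connectionStrings"
if ($null -eq $cs.SelectSingleNode("add[@name='$ConnStringName']")) {
    $add = $xml.CreateElement("add")
    $add.SetAttribute("name", $ConnStringName)
    $add.SetAttribute("connectionString", $ConnString)
    [void]$cs.AppendChild($add)
}

# 2. <system.web><membership><providers> holds the provider registration.
#    The name given here is the one selected later on the Authentication
#    Providers page in Central Administration for the zone that uses FBA.
$sysWeb     = Get-OrAddElement $root "system.web"
$membership = Get-OrAddElement $sysWeb "membership"
$providers  = Get-OrAddElement $membership "providers"
if ($null -eq $providers.SelectSingleNode("add[@name='$ProviderName']")) {
    $p = $xml.CreateElement("add")
    $p.SetAttribute("name", $ProviderName)
    $p.SetAttribute("type", "System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
    $p.SetAttribute("connectionStringName", $ConnStringName)
    $p.SetAttribute("applicationName", "/")
    $p.SetAttribute("passwordFormat", "Hashed")          # never "Clear"
    $p.SetAttribute("enablePasswordRetrieval", "false")  # retrieval would need reversible storage
    $p.SetAttribute("requiresUniqueEmail", "true")
    [void]$providers.AppendChild($p)
}

# Keep a copy of the file before writing; web.config edits recycle the app pool.
Copy-Item $WebConfigPath "$WebConfigPath.bak" -Force
$xml.Save($WebConfigPath)
Write-Host "Registered membership provider '$ProviderName' in $WebConfigPath"
```

Run it on every Web front end against the web.config of the IIS site that serves the FBA zone, and again against Central Administration's web.config (leaving its own authentication mode alone) so that the People Picker can resolve FBA users. A SqlRoleProvider is registered the same way under `<roleManager><providers>`.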

  9. Considerations for ASP.NET Authentication • MOSS services (application pools, the timer service, the search crawler) run as Windows accounts, even when a pluggable provider authenticates end users. • Prefer Windows identities where possible to reduce Microsoft Office client interoperation problems; Office clients integrate most smoothly with Windows authentication. • Authentication types that do not resolve to a Windows identity must be given their own MOSS zone. • A mandated PKI infrastructure, such as for smartcards, typically resolves to a Windows identity through certificate mapping. • A PKI implementation may still require a separate MOSS zone or other configuration. [Diagram: Company A (Windows Authentication), Company B (Non-Windows Authentication)]

  10. Pluggable Single Sign-On (SSO) • The MOSS SSO service keeps an encrypted back-end store of users' credentials for mapping to connected LOB systems. • Aids in retrieving business data through MOSS mechanisms: • Business Data Catalog (BDC) • SharePoint Data View Web Parts (DVWP) • A pluggable SSO provider can be specified instead of the default SpsSsoProvider. • Only one SSO provider can be registered at a time; a custom provider replaces the default one.

  11. Forms-Based Authentication • Uses pluggable membership and role providers to enable Internet-style security. • Supports a customized login process geared to users' needs. • Forms authentication cookies and authentication tickets are encrypted and signed with the ASP.NET machineKey, so they are tamper-resistant (the keys must match across all Web front ends). • A separate form of identity provider, Web SSO, can plug into an external identity management system.

  12. Web Single Sign-On • MOSS supports federated authentication with Web SSO products (such as Active Directory Federation Services). • Employs an HTTP module for external authentication. • Allows external partners to authenticate to MOSS using their own credentials. • Delegates login and password reset to the partner organization. • Web SSO authentication requires its own zone, typically the extranet zone. [Diagram: Partner Application]

  13. Alternate Access Mapping (AAM) • AAM ensures internal and public URL mappings work correctly. • The http://MOSS URL is mapped by default, but the Web application can be extended to additional URLs. • Alternate URLs can be mapped to one Web application (one physical path) such as http://MOSS. • Each MOSS entry point can use a different authentication provider and Web application security policy. • Compensates for different domains, reverse proxies, and other URL redirection mechanisms. [Diagram: Intranet Users → http://contoso → http://MOSS; Extranet Users → http://extranet.contoso.com → http://MOSS]

  14. AAM Example Configuration • Example: The http://MOSS Web application has two AAM URLs, one for internal corporate users and one for external partners. • The intranet URL, http://contoso, is mapped to the Intranet zone, which resolves users to domain-authenticated Windows identities. • The extranet URL, http://extranet.contoso.com, is mapped to a different zone, the Extranet zone, where login is via Web SSO authentication. [Diagram: Intranet Users → http://contoso → http://MOSS; Extranet Users → http://extranet.contoso.com → http://MOSS]

  15. Zones Alternate Access Mapping (AAM) • A zone maps a separate IIS Web site, with its own authentication settings, onto the same Web application and set of content databases, allowing greater control over AAM. • Zones use the AAM URL to map different authentication providers to the same physical path and MOSS content. • Recommended: Bind each zone to exactly one authentication mechanism. • An AAM URL whose zone has not been configured on the Authentication Providers page uses the security settings of the Default zone. • Recommended: Place the most publicly-accessible URL in the Default zone; the other zone names (Intranet, Internet, Custom, Extranet) are labels for planning and carry no built-in behaviour of their own.

  16. Zones AAM Configuration • Zones affect how people are authenticated and routed through the portal from URL entry points. • An existing Web application is extended into a new zone (for example, Extranet) by choosing that zone in the Load Balanced URL section of the Extend Web Application settings in Central Administration. • Within each zone, bind a Web application security policy that defines permission settings for the users entering through that zone.

  17. Zones AAM Planning Scenario • Zones require planning! The example scenario on this slide shows the decisions the authentication system must make when the search crawler attempts to authenticate: the crawler presents Windows credentials (the default content access account) and cannot complete a forms login, so the zone it crawls must use Windows authentication, and the URLs it indexes are mapped back through AAM to the zone each user entered from when results are returned.

  18. AAM / Global Security Policies • MOSS supports Web application security policies that bind a permission policy to a specific user or group across the whole application. • Policy levels: Full Control, Full Read, Deny Write, or Deny All. • A policy overrides the granular permissions set inside sites; policies are managed from SharePoint Central Administration (Application Management > Policy for Web application). • A policy can be scoped to one zone: binding a Full Read policy to the extranet zone gives trusted external users read access everywhere in the application, with no per-site settings required.
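The following PowerShell script is an added example, not part of the original deck, that carries the AAM, zone and policy configuration of slides 13 through 18 out on a farm: it adds an extra incoming URL to the Extranet zone with stsadm, reports which authentication mechanism that zone is bound to, and grants a zone-scoped Full Read policy to an FBA role. The Web application URL http://MOSS, the extra URL http://partners.contoso.com, the role provider name FbaRoles and the role name partners are assumptions; the script assumes the application has already been extended into the Extranet zone in Central Administration.

```powershell
# Added example, not part of the original deck. Assumes a Web application at
# http://MOSS already extended into the Extranet zone (public URL
# http://extranet.contoso.com) and an FBA role provider named "FbaRoles"
# bound to that zone which exposes a role named "partners".
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$webAppUrl = "http://MOSS"
$extraUrl  = "http://partners.contoso.com"   # extra internal URL, e.g. a reverse-proxy hostname
$zoneName  = "Extranet"
$stsadm    = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\stsadm.exe"

# 1. AAM: map an additional incoming URL onto the Extranet zone. Requests that
#    arrive at $extraUrl are answered with links built on the zone's public URL.
& $stsadm -o addalternatedomain -url $webAppUrl -incomingurl $extraUrl -urlzone $zoneName

# 2. Confirm the zone exists and which authentication mode it is bound to.
$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$webAppUrl)
$zone   = [Enum]::Parse([Microsoft.SharePoint.Administration.SPUrlZone], $zoneName)
if (-not $webApp.IisSettings.ContainsKey($zone)) {
    throw "Web application is not extended into the $zoneName zone; extend it in Central Administration first."
}
$iis = $webApp.IisSettings[$zone]
Write-Host ("Zone {0}: authentication={1}, membershipProvider={2}, roleManager={3}" -f `
    $zone, $iis.AuthenticationMode, $iis.MembershipProvider, $iis.RoleManager)

# 3. Zone-scoped Web application policy: Full Read for the partner role in the
#    Extranet zone only. FBA principals are written as "<providerName>:<name>".
$principal = "FbaRoles:partners"
$policies  = $webApp.ZonePolicies($zone)
$existing  = $policies | Where-Object { $_.UserName -eq $principal }
if ($null -eq $existing) {
    $policy   = $policies.Add($principal, "Partner users (Full Read, Extranet zone)")
    $fullRead = $webApp.PolicyRoles.GetSpecialRole(
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
    $policy.PolicyRoleBindings.Add($fullRead)
    $webApp.Update()
}

# 4. Check: list every policy on the zone so a stray Full Control or Deny All
#    binding is visible. Policies override all site-level permissions.
foreach ($p in $webApp.ZonePolicies($zone)) {
    $roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    Write-Host ("{0,-40} {1}" -f $p.UserName, $roles)
}
```

Run it as a farm administrator on a server that has the MOSS object model installed. The authentication mode printed in step 2 should read Forms for an FBA zone and Windows for the Default zone; if the Default zone shows Forms, the crawler scenario of slide 17 will fail.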

  19. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  20. Encryption of Application Connection Strings • Storing connection string data in plain text in the web.config file creates a security vulnerability: anyone who can read the file (administrators, backup operators, an attacker with file-system access) obtains the database credentials. • ASP.NET 2.0 protected configuration can encrypt the connection string section using either: • The Windows Data Protection API (DPAPI) provider, DataProtectionConfigurationProvider: encrypts and decrypts with the MOSS server's machine key. • The RSA provider, RsaProtectedConfigurationProvider: public key encryption whose key lives in an RSA key container that can be exported from one server and imported on every other server in the farm. • The model is pluggable, so custom protected-configuration providers can use other encryption tools.

  21. Connection String Encryption Best Practices • For MOSS 2007 with a pluggable SQL Server membership provider, store the <connectionStrings> node as cipher text: • DPAPI uses the native machine key and is applied with aspnet_regiis.exe to either a virtual directory or a physical directory. Use the following commands: • Encrypt the connectionStrings node, specifying the section parameter:

  22. Connection String Encryption Best Practices (continued) • After encryption, the sensitive nodes are replaced by well-formed XML cipher values: an <EncryptedData> element containing <CipherData>/<CipherValue>, with the provider that produced it named in the section's configProtectionProvider attribute. • This pluggable model can support custom encryption providers to manage cipher text for relevant MOSS configuration files. • Considerations: • A section encrypted with the local machine key (DPAPI) can be decrypted only on the MOSS server on which it was encrypted; in a farm, encrypt on every Web front end separately or use the RSA provider with a shared key container. • DPAPI protects the file against offline reading, not against an intruder who gains code execution or administrative access on the server: they can decrypt the connection string with the same machine key. • Decryption happens when the configuration section is first loaded, so the performance cost is small and is not paid on every request.
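The following PowerShell script is an added example, not part of the original deck. It applies protected configuration to the connectionStrings section with aspnet_regiis.exe, shows the RSA key-container export and import that slide 22's farm caveat calls for, and then checks that the section really is encrypted and that no plaintext credential remains in the file. The virtual directory path, the application pool account, and the key file location are assumptions.

```powershell
# Added example, not part of the original deck. Paths, the account name and the
# key file location are assumptions for a two-server farm.
$aspnetRegiis = Join-Path $env:windir "Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
$vdir         = "C:\Inetpub\wwwroot\wss\VirtualDirectories\80"   # physical directory of the zone's IIS site
$appPoolAcct  = "CONTOSO\svc_moss_apppool"                        # identity that must decrypt at runtime

# Option A: DPAPI machine key. Decryptable only on this server, so run on every WFE.
& $aspnetRegiis -pef "connectionStrings" $vdir -prov "DataProtectionConfigurationProvider"

# Option B: RSA key container, usable farm-wide. On the first WFE:
#   & $aspnetRegiis -pef "connectionStrings" $vdir -prov "RsaProtectedConfigurationProvider"
#   & $aspnetRegiis -px "NetFrameworkConfigurationKey" "C:\secure\moss-rsa-key.xml" -pri   # export with private key
# On each other WFE, import the container, then copy the encrypted web.config over:
#   & $aspnetRegiis -pi "NetFrameworkConfigurationKey" "C:\secure\moss-rsa-key.xml"
# On every WFE, the application pool identity needs read access to the container:
#   & $aspnetRegiis -pa "NetFrameworkConfigurationKey" $appPoolAcct
# To edit the section again, decrypt in place:
#   & $aspnetRegiis -pdf "connectionStrings" $vdir
# Delete the exported key file once every server has imported it.

# Check: the section must now carry a configProtectionProvider attribute and an
# <EncryptedData> child, and no plaintext credential may remain anywhere in the file.
function Test-ConnectionStringsEncrypted([string]$webConfigPath) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($webConfigPath)
    $cs = $xml.DocumentElement.SelectSingleNode("connectionStrings")
    if ($null -eq $cs) { return $true }   # nothing to protect
    $provider  = $cs.GetAttribute("configProtectionProvider")
    # EncryptedData is in the XML Encryption namespace, hence local-name().
    $encrypted = $null -ne $cs.SelectSingleNode("*[local-name()='EncryptedData']")
    $raw = Get-Content $webConfigPath | Out-String
    $plaintextSecret = $raw -match '(?i)(password|pwd)\s*='
    Write-Host ("provider={0} encrypted={1} plaintextCredential={2}" -f $provider, $encrypted, $plaintextSecret)
    return ($provider -ne "" -and $encrypted -and -not $plaintextSecret)
}

if (-not (Test-ConnectionStringsEncrypted (Join-Path $vdir "web.config"))) {
    throw "connectionStrings is still readable in clear text"
}
```

The check is worth keeping as a scheduled job: a web.config restored from backup, or re-created by extending the Web application again, comes back in plain text.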

  23. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  24. Targeted Content for Secure Collaboration • MOSS ECM common services control access to stored information. • Lockdown permits users to access authorized information only: • Binds an identity to a specific securable object, from a site collection down to a document or list item. • Enforces granular access controls and explicit membership on an item. • Denies access to everything else and trims the UI to show accessible items only.

  25. Item Level Security (ILS) / Secured Objects (SO) • Scopes MOSS permissions from site collections down to individual objects (sites, lists, folders, and items). • Child objects inherit permissions from their parent until inheritance is broken on the child. • 33 base permissions, combined into permission levels, can be assigned to a user or SharePoint group. • Permissions can be set on individual list items, such as entries in an Events list. • Search results are security-trimmed to the querying user's permissions. • These controls trim the UI to the requesting user's context.

  26. Permission Management Architecture • Sets permissions for SharePoint users, SharePoint groups, and domain groups. • Default groups include: • Owners (Full Control) • Members (Contribute) • Visitors (Read) • Custom groups can be created and managed per site collection. • Groups are scoped to the site collection, so membership is the same in every site within it. • Custom groups are reusable across the different project sites in a collection.

  27. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  28. Information Rights Management (IRM) • Protects sensitive information at the client level, even when business information is taken offline. • This may be essential for companies subject to regulations such as: • California Senate Bill No. 1386 • Sarbanes-Oxley Act (SOX compliance) • Health Insurance Portability and Accountability Act (HIPAA) • Other government and regulatory requirements

  29. MOSS 2007 and IRM • Server-side IRM integrates with MOSS repositories through the Windows Rights Management (WRM) framework. • IRM imposes access restrictions at the document level: "no matter where it is stored or who tries to open it". • A typical IRM policy permits authorized users to view, or to view and print, only. • A "protector" provides the IRM functionality for a given set of file types; several, covering the Microsoft Office file formats, are installed with MOSS. • The protector handles encryption and decryption for the file types it supports. • The MOSS architecture supports pluggable protectors for other file types; a file type with no protector cannot be rights-managed by the library.

  30. IRM Scenarios • Example: Shows how a user requests a rights-managed document from a MOSS 2007 integrated IRM protector. • IRM extended scenarios include: • Require users to re-verify their credentials after a set period. • Disallow upload of assets that do not use IRM (file types no protector supports). • Schedule an expiration date on which the restriction policy is dropped. • Bind to a global organization IRM permission policy.

  31. IRM Requirements • Ensure that all the requirements are met in the MOSS environment: • Windows Rights Management (WRM) Services Client installed on the MOSS Web servers. • Network connectivity from the MOSS Web servers to the Microsoft Rights Management Services (RMS) server. • The RMS server is configured in Central Administration (Operations > Information Rights Management), either: • By using the default RMS server published in Active Directory (the service connection point) • By specifying the server's location explicitly

  32. IRM Implementation • IRM works directly with SharePoint data stores such as document libraries, so that library permissions become document rights: • A user navigates to an IRM-enabled document library and downloads a document. • MOSS reads the user's permission level on the library. • The MOSS protector encrypts the document and attaches an issuance license granting that user the matching rights. Result: a 1:1 mapping between library permissions and document permissions. • SharePoint permission levels on the library translate into IRM permission levels in the license (Read becomes view-only; Contribute and Full Control allow editing). • The user receives an encrypted file whose license, not the server, enforces the restrictions, so the protection holds offline.
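The following PowerShell script is an added example, not part of the original deck. It puts the item-level security of slides 24 to 26 and the IRM library settings of slides 30 and 32 together on one document library: it breaks permission inheritance, grants explicit permission levels that IRM will later translate into document rights, enables IRM with upload rejection, and prints the resulting assignments. The site URL, library name, group name and user login are assumptions.

```powershell
# Added example, not part of the original deck (PowerShell 2.0 or later).
# The site URL, library name, group name and user login are assumptions.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl     = "http://MOSS/sites/legal"
$libraryName = "Contracts"
$readerGroup = "Contract Reviewers"     # SharePoint group, created if missing
$ownerLogin  = "CONTOSO\alice"

# Bind one permission level to a principal on a securable object (list or item).
function Grant-Level($securable, $principal, [string]$levelName, $web) {
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($principal)
    $ra.RoleDefinitionBindings.Add($web.RoleDefinitions[$levelName])
    $securable.RoleAssignments.Add($ra)
}

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$web  = $null
try {
    $web  = $site.OpenWeb()
    $list = $web.Lists[$libraryName]
    $owner = $web.EnsureUser($ownerLogin)

    # 1. Item-level security: stop inheriting from the site. $false discards the
    #    inherited assignments, so the library starts with nobody granted.
    if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($false) }

    # 2. Grant explicitly: Read to a SharePoint group, Full Control to one owner.
    #    Groups are site-collection scoped, so the same group is reusable elsewhere.
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $readerGroup }
    if ($null -eq $group) {
        $web.SiteGroups.Add($readerGroup, $owner, $null, "Read-only access to $libraryName")
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $readerGroup }
    }
    Grant-Level $list $group "Read" $web
    Grant-Level $list $owner "Full Control" $web

    # 3. IRM on the library: Read above becomes view-only rights in the issuance
    #    license; Contribute and Full Control become edit rights.
    $list.IrmEnabled = $true
    $list.IrmReject  = $true    # refuse uploads of file types no installed protector can rights-manage
    $list.IrmExpire  = $false   # $true, with an expiry date in the library settings, drops restrictions on that date
    $list.Update()

    # 4. Check the result, from the caller's own security context.
    $canView = $list.DoesUserHavePermissions([Microsoft.SharePoint.SPBasePermissions]::ViewListItems)
    Write-Host ("{0}: unique permissions={1}, IRM={2}, caller can view={3}" -f `
        $list.Title, $list.HasUniqueRoleAssignments, $list.IrmEnabled, $canView)
    foreach ($ra in $list.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        Write-Host ("  {0,-30} {1}" -f $ra.Member.Name, $levels)
    }
}
finally {
    if ($null -ne $web) { $web.Dispose() }
    $site.Dispose()
}
```

Remember that a Web application policy (slide 18) still overrides these assignments: a Full Control or Full Read policy on the zone sees the library regardless of the explicit grants, and a Deny All policy hides it from the owner too.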

  33. Agenda • MOSS 2007 Security Challenges • Pluggable Authentication / Zones • Encryption of Application Connection Strings • Targeted Content for Secure Collaboration • Information Rights Management • MOSS 2007 Customer Facing Scenario

  34. Scenario: Back-to-Back Perimeter with Content Publishing • Example: a back-to-back perimeter topology that hosts static, published content. • An identity manager in the perimeter network permits SharePoint authentication of external users.

  35. Summary • Allows for the easy implementation of Internet-facing environments (extranets). ✓ • Built to enable support for heterogeneous environments. ✓ • Supports pluggable forms-based authentication (FBA) providers. ✓ • Reduces management overhead and improves security. ✓ • Offers granular rights management of business assets. ✓

  36. Links and References For more information about Microsoft Office SharePoint Server 2007: http://www.microsoft.com/technet/technetmag/issues/2007/01/Security/default.aspx http://technet2.microsoft.com/Office/en-us/library/b28ba53d-a3e8-440f-9fcb-f592d858894a1033.mspx?mfr=true

  37. Questions and Answers
