SharePoint 2007 security
DESCRIPTION
Overview slides on how to practically use the Community Kit for SharePoint Forms Based Authentication (CKS FBA) from CodePlex for a website that needs authorised user login in order to view secure content.
TRANSCRIPT
Department of Premier & Cabinet
SharePoint Security Framework Model
Presented by: DPC IT – David Liong
Presentation Contents
• Introduction: What is it?
• Overview of security model
• Setting up (prior to implementation):
  • Security groups
  • Security permissions on contents, pages and sub-sites
• Security Feature Overview
• Demo
• Summary
Introduction
The SharePoint Security Framework Model used for DPC & PSC is based on the CKS FBA (Community Kit for SharePoint Forms Based Authentication), originally created by the SharePoint community group.
CKS FBA is open source code that uses a set of .NET technologies (Web Parts and tools built on the SQL membership provider) to manage the accounts of external users who do not have an AD account and who visit a public-facing website that is secured either entirely or in partial sections, i.e. at the sub-site, page or content level.
Overview
[Diagram] Intranet site at http://<intranet domain>:<port No.> and extranet site at http://<extranet domain> or https://; authentication sources: Active Directory and SQL Database; content is synchronised from the Content DB source.
Security Group Setup
Internal (AD) and/or External Administrator
• Create SharePoint groups to define roles
[Diagram] Site Administrators group: maintains the external users for Site A (or Site B) and creates permissions on who has access to sub-sites, pages, web-parts and contents. Site Collection Administrators group: maintains ALL external users for all sites. External Users: External Members group and External Visitors group, held in the SQL Database; unable to view any users from the SQL DB.
Permission Security Setup
• Configure who has access permission to sub-sites, pages & contents
• Use the target audience property for giving permission on: i) Web Parts, ii) Pages
• Use the permission level feature on sub-sites
[Diagram] Internal Users: AD & External Site Administrators group (full control permission rights to Site A); Other AD groups. External Users: External Members group, External Visitors group.
Web-part Permissions Setup
• Secure certain content sections of public page(s) to a certain target audience
[Diagram] Internal (AD) Users: Other AD groups (non admin). External Users: External Members group, External Visitors group.
Web Page Permissions Setup
• Secure certain page(s) to a certain target audience
[Diagram] Internal (AD) Users: Other AD groups (non admin). External Users: External Members group, External Visitors group.
Note: This only hides the navigation URL, so unauthorised people can still get to the hidden page, but the secured content will not be displayed.
Sub-Site Permissions Setup
• Secure certain page(s) to a certain target audience
[Diagram] Internal (AD) Users: Other AD groups (non admin). External Users: External Members group, External Visitors group.
Note: The navigation URL is displayed, but unauthorised people will be denied access when the navigation link is clicked.
Security Feature Overview
• CKS FBA has the following features:
Web-Parts
Login web-part: locks out an external user's account after 3 invalid login attempts. The site administrator unlocks the user account & resets the password, which notifies the user via email.
New registration web-part: adopts the network password policy, i.e.:
• Must be alphanumeric (at least 1 upper-case letter, 1 lower-case letter and 1 digit 0-9);
• Must be at least 6 characters and at most 15 characters long;
• Must contain at least 1 non-alphanumeric character.
e.g. Password1! - valid
Password recovery web-part: resets the user's password and emails the user a temporary password.
Change password web-part: adopts the network password policy when changing the old password to a new password.
User Account UI: the administrator can manage external user accounts in SharePoint.
Demo
• Add a new registered member
• Change password
• Reset password
Security Architecture
• A website application outage will not affect other websites.
• A SQL DB server outage will affect ALL sites. However, a DB outage will not be an issue if Windows Live ID authentication for SharePoint is adopted.
• An SSL licence is needed for each independent website (if required).
Security Feature Summaries
What CKS FBA has delivered:
• Passwords are encrypted in the SQL DB and from the web interface, and follow the department password policy.
• A user can request website access via the website, and a record is automatically saved into the SQL User List database.
• The site administrator receives an email and can grant permission for the pending new registration request. When the site administrator approves the request, the user receives the login authorisation email with the automatically generated password in plain text.
• A newly registered user can change their password.
• The forgotten password function sends a new password to the registered email address.
• A web interface allows the site administrator to create a new user & add the user into a site group, or to deactivate or delete a user at the site level. The record is saved into the SQL DB.
Some enhancements for CKS FBA in phase 2:
• Need a logout button for the log-in web part, so that external users can log out from the site if the SharePoint template site does not provide an out-of-the-box sign-out link. Hide the login button and display the user's name after the user has been authenticated.
• No website interface in SharePoint to display a list of all users' information for all sites from the SQL database (e.g. UI ability for the administrator to unlock a user if SQL locks the user's account after 3 failed logon attempts, before a password reset can be implemented).
• The FBA page locks user accounts after x failed logon attempts but does not make the user aware that his/her account has been locked.
• Generate reports on which sites a specific user has access to, and which users have access to a specific site.
• The change password web-part does not validate whether the existing password entered by the user is the same as the new password. Hence an existing external user can retain their old password by keeping the changed password the same.
• Send an email to users at the same time after a user resets their password.
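The registration password policy, the three-attempt lockout and the phase-2 change-password gap above, worked through as an added Python example (not CKS FBA's own .NET code): a policy validator that returns every rule a candidate password breaks, a change check that also rejects a new password equal to the old one, and a constructed in-memory account that locks after 3 failed logins, tells the user so, and is unlocked by an administrator. The ExternalAccount class, its PBKDF2 storage and all sample passwords are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3   # slide: login web-part locks the account after 3 invalid attempts
# The registration password policy exactly as the slide lists it, as (message, check) pairs.
RULES = [
    ("length must be 6-15 characters", lambda p: 6 <= len(p) <= 15),
    ("needs an upper-case letter", lambda p: any(c.isupper() for c in p)),
    ("needs a lower-case letter", lambda p: any(c.islower() for c in p)),
    ("needs a digit 0-9", lambda p: any(c.isdigit() for c in p)),
    ("needs a non-alphanumeric character", lambda p: any(not c.isalnum() for c in p)),
]

def policy_violations(password: str) -> list:
    """Return the rules a candidate password breaks; an empty list means it is valid."""
    return [msg for msg, ok in RULES if not ok(password)]

def validate_change(old_password: str, new_password: str) -> list:
    """Change-password check: the policy plus the phase-2 rule that new must differ from old."""
    problems = policy_violations(new_password)
    if new_password == old_password:
        problems.append("new password must differ from the current one")
    return problems

class ExternalAccount:
    """Constructed in-memory stand-in for one SQL membership-provider account (assumption)."""
    def __init__(self, password: str):
        self._salt = os.urandom(16)           # per-account salt; only a hash is stored
        self._digest = self._hash(password)
        self.failed_attempts = 0
        self.locked = False
    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)
    def login(self, password: str) -> str:
        """Return 'ok', 'invalid' or 'locked'; a locked account is told so (phase-2 item)."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(self._hash(password), self._digest):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
        return "locked" if self.locked else "invalid"
    def admin_unlock(self) -> None:
        """Site administrator clears the lock; the slide pairs this with a password reset."""
        self.failed_attempts = 0
        self.locked = False
```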
FAQ
Any Questions?