sharepoint 2010 security - information technology ... · isaca jacksonville chapter meeting ... is...
TRANSCRIPT
9/19/2011
1
Securing and Auditing
SharePoint 2010 Content
September 21, 2011
ISACA Jacksonville Chapter Meeting
Timothy P. McAliley, CISA, CISM, CISSP, PMP, ITIL-F
1
Speaker Introduction:
2
� 12+ years in IT
� Currently work for Symantec and some Contract Consulting/Training
� Worked for:
– Football Fanatics (Jacksonville, FL) (High Volume e-Commerce)
– ASM Research, Inc. (Fairfax, VA) (Defense Contractor)
� Designed/Implemented:
– Change/Configuration Management Processes/Policies
– Business Continuity/Disaster Recovery Processes/Policies
– Release Management Processes/Policies
– Service Desk Operations (Incident/Problem Management)
� Production/Operations DBA for 9 years
� Information Assurance Manager for Pentagon-based System
� Florida State University Political Science Major
� Former USMC Enlisted/Former U.S. Army Commissioned Officer
9/19/2011
2
Speaker Introduction:
3
� SharePoint Experience
– Started IT Career Supporting Hummingbird Document Management
– SharePoint Portal Server 2001
• Configured /Administered
– SharePoint Portal Server 2003
• Configured /Administered
– SharePoint 2007
• Site Administrator
• Data-Tier Administrator
– SharePoint 2010
• Configured/ Administer a Visual Studio Team Foundation
SharePoint Server Portal
• Testing Contributor to Symantec SharePoint 2010 Deployment
• Designing and Implementing SharePoint 2010 Training for
Symantec Technical Support Teams
4
Obligatory Dilbert Reference
9/19/2011
3
Agenda
� What Problems Are We Trying to Address?
� SharePoint 2010 Primer & Capabilities
� Challenges for Auditors
� SharePoint Server 2010 Architecture
� Security Roles and Groups
� Securing SharePoint 2010 Information
� Best Practices
� References for more information
5
What Problems Are
We Trying to Address?
6
� Regulatory Compliance
� Content Confidentiality, Integrity,
Authorization
� Auditing and Reporting Access
� What is the architecture?
� What is being secured?
� What roles are involved in security?
9/19/2011
4
SharePoint 2010 Primer & Capabilities
� Overview
� The SharePoint Platform
� SharePoint Products and Technologies
7
SharePoint 2010 Primer & Capabilities
• SharePoint is the business collaboration platform for the enterprise and
the Internet
• SharePoint enables your enterprise to
– Deliver the best productivity experience
– Cut costs with a unified infrastructure
– Rapidly respond to business needs
• SharePoint does this by providing
capabilities
– Sites, communities, content,
search, insights and composites
9/19/2011
5
SharePoint 2010 Primer & CapabilitiesThe SharePoint Platform
Custom SolutionsMicrosoft and ISV Solutions
SharePoint Foundation
IISIdentity
Services
SQL
Server
.NET Framework
Windows Server 2008/R2
SharePoint Server
SharePoint 2010 Primer & CapabilitiesSharePoint Products and Technologies
• SharePoint Foundation 2010
• SharePoint Server 2010 for Intranet
Scenarios
– Standard or Enterprise Client Access
License
• SharePoint Server 2010 for Internet
Sites, Standard or Enterprise
• Office Web Apps
• FAST Search for SharePoint 2010
• FAST Search for SharePoint 2010 for
Internet Sites
• Search Server 2010 and Search
Server Express 2010
• Developer Tools
– Visual Studio 2010
– SharePoint Designer 2010
• Clients
– Office client applications
– SharePoint Workspace 2010
– SharePoint Mobile
• Servers
– Duet Enterprise for Microsoft
SharePoint and SAP
– Project Server
– Dynamics
Microsoft and ISV
Solutions
SharePoint Foundation
Custom Solutions
SharePoint Server
9/19/2011
6
Benefits of SharePoint
…content management and availability
11
Challenges of Managing
SharePoint 2010
…securing and auditing access…
12
9/19/2011
7
Challenges for Auditors
� Diverse, complex layers of physical and logical
architecture
� Highly integrated into nearly every aspect of the
information infrastructure
� Design elements reflect security risk trade-offs
� Inaccurate change management records
� Identification of components
� Identification and validation of security model
13
SharePoint 2010 Architecture
� Roles and Topologies in SharePoint Farms
� Logical Structure
14
9/19/2011
8
SharePoint 2010 Architecture
� Roles and Topologies in SharePoint Farms (Physical Architecture):
� Roles– Web Front-End (WFE)
– Database (SQL)
– Application Server• Central Administration
• Service Applications (SAs) such as search
• Office Web Apps
� Topologies– Single-server: all roles
– Single WFE, SQL
– Two WFEs (redundant web apps and services), SQL
– Multiple servers providing redundancy and performance optimization based on the allocation of services, SQL cluster
15
SharePoint 2010 Architecture
16
9/19/2011
9
SharePoint 2010 Architecture
17
SharePoint 2010 Architecture
18
9/19/2011
10
SharePoint 2010 Architecture
19
SharePoint 2010 Architecture
� Logical Architecture
20
Farm = Configuration Database
Services
Servers
Service Applications
Service Application DBs
Items
Web Applications
Content DBs
Site Collections
Webs
Lists
Many 2 Many
9/19/2011
11
Security Roles and Groups
21
� Administration Hierarchy
� Server or Farm Administrators
� Local Administrators
� Farm Administrators
� Service Application Administrators
� Service Administrators
� Feature Administrators
� Site Collection Administrators
� Site Administration
� Content (Document Library or List, Item)
Security Roles and Groups
22
� Active Directory Groups
� SharePoint Security Groups� Site Collection Administrators
� Owners
� Members
� Viewers
� Approvers
� Designers
� Hierarchy Managers
� Restricted Readers
� Custom
9/19/2011
12
Security Roles and Groups
23
� SharePoint Managed Accounts
� AD Accounts configured from SharePoint
� Passwords managed from SharePoint
Securing SharePoint 2010 Information
� Securing a SharePoint Farm
� Securing a Web Application
� Securing Site Collections
� Securing Sites
� Securing Lists
� Windows PowerShell Security
� Service Application Permissions
24
9/19/2011
13
Securing SharePoint 2010 InformationOverview of Site Security
25
Read
View Items
Open Items
View Items
User
Group
Security
Principals
Permissions Securable
ObjectsPermission:
Permission
Level:
Item
Document
List
Securing SharePoint 2010 InformationSite, List, and Library Security
• Site-Level Permissions– Inherit from site collection
– You can choose to break the inheritance
• List and Library Permissions– Inherit from the site
– You can choose to break the inheritance
• Use the Check Permissions tool to evaluate effective permissions for a user
Site Collection
Top-Level
Site
Site
Library/List
[Folder]
Document
or Item
9/19/2011
14
Securing SharePoint 2010 Information
27
SharePoint Farm
Web Application
Managed Path
Site Collection
Site
List
Content Item
Complex,
Layered
Hierarchy
Securing SharePoint 2010 Information
� Securing a SharePoint Farm
� Farm administrators group
� Service account configurations
� Approve/reject distribution groups
� Configure information rights management
� Configure information management policies
28
9/19/2011
15
Securing SharePoint 2010 Information
� Securing a Web Application
� Zones
� Authentication Providers
� How Zones, Web Applications, and Security Work
Together to Provide Secure Solutions
� Changing Authentication Providers for a Web
Application
� Managing Web Part Security
� Self-Service Site Creation
29
Securing SharePoint 2010 Information
� Securing Site Collections
� Custom Site Collection Policies
� Auditing Activities in a Site Collection
� Security Trimming for Navigation
� Site Collection Administrators
30
9/19/2011
16
Securing SharePoint 2010 Information
� Securing Sites
� Indexing Site and List Content
� Site Permissions and Permission Inheritance
� Important: Farm/Server Administrators not given
access by default.
31
Securing SharePoint 2010 Information
� Securing Lists
� Content Approval
� Versioning Settings
� Draft Item Security
32
9/19/2011
17
Securing SharePoint 2010 Information
� Windows PowerShell Security
� STSADM
� SharePoint PowerShell Applets
� Extremely power command line suite
� Plan carefully
� Service Application Security
33
Configuring Auditing
� Configured at the site collection level
� Records user actions for later examination
� Using audit logs to review security
9/19/2011
18
Configuring Auditing
�Auditing makes a record of all the actions you request. For
example, you can configure auditing to record all check-outs and
check-ins in a site collection.
�When you have configured auditing you can view reports that
display what users have done.
�You can use these to diagnose inappropriate permissions and
security holes.
�Auditing is configured at the site collection level.
�Use log trimming for space considerations
�Be aware of potential workload of audit log configuration
35
Best Practices
36
� Carefully Define and Document Security
Model Per Tier
� Carefully Plan Farm, Collection, and Site
Administration Permissions
� Validate Architecture Against Configuration
Management Records
� Regularly Review Audit Reports and Usage
Reports
9/19/2011
19
References for more information
Books:
37
Microsoft SharePoint 2010 Administrator's
Companion
by Bill English, Brian Alderman and Mark Ferraz
Microsoft Press © 2011 (1184 pages) Citation
ISBN:9780735627208
Microsoft SharePoint 2010 Administrator's Pocket
Consultant
by Ben Curry
Microsoft Press © 2010 (656 pages) Citation
ISBN:9780735627222
References for more information
Books:
38
SharePoint Deployment and Governance Using
COBIT 4.1: A Practical Approach
by Dave Chennault and Chuck StrainFormat: Book
ISACA 2010 (176 pages)
Professional SharePoint 2010 Administration
by Todd Klindt, Shane Young and Steve Caravajal
Wrox Press © 2010 (840 pages) Citation
ISBN:9780470533338
9/19/2011
20
References for more informationVideos/Webcasts, Training :
39
Getting Started with SharePoint Server 2010 for IT Proshttp://technet.microsoft.com/en-us/sharepoint/ee518660
SharePoint 2010 Advanced IT Professional Training http://technet.microsoft.com/en-us/sharepoint/ee518660
Security and protection for SharePoint Server 2010http://technet.microsoft.com/en-us/library/cc263215.aspx
TechNet Virtual Labs (over 30, 90 minute labs):http://technet.microsoft.com/en-us/virtuallabs/bb512933
Summary & Wrap-up
� What Problems Are We Trying to Address?
� SharePoint 2010 Primer & Capabilities
� Challenges for Auditors
� SharePoint Server 2010 Architecture
� Security Roles and Groups
� Securing SharePoint 2010 Information
� Best Practices
� References for more information
40
9/19/2011
21
Q&A?
41