
9/19/2011

Securing and Auditing SharePoint 2010 Content

September 21, 2011

ISACA Jacksonville Chapter Meeting

Timothy P. McAliley, CISA, CISM, CISSP, PMP, ITIL-F

Speaker Introduction:

• 12+ years in IT
• Currently work for Symantec and some Contract Consulting/Training
• Worked for:
– Football Fanatics (Jacksonville, FL) (High Volume e-Commerce)
– ASM Research, Inc. (Fairfax, VA) (Defense Contractor)
• Designed/Implemented:
– Change/Configuration Management Processes/Policies
– Business Continuity/Disaster Recovery Processes/Policies
– Release Management Processes/Policies
– Service Desk Operations (Incident/Problem Management)
• Production/Operations DBA for 9 years
• Information Assurance Manager for Pentagon-based System
• Florida State University Political Science Major
• Former USMC Enlisted/Former U.S. Army Commissioned Officer

Speaker Introduction:

• SharePoint Experience
– Started IT Career Supporting Hummingbird Document Management
– SharePoint Portal Server 2001
  • Configured/Administered
– SharePoint Portal Server 2003
  • Configured/Administered
– SharePoint 2007
  • Site Administrator
  • Data-Tier Administrator
– SharePoint 2010
  • Configured/Administer a Visual Studio Team Foundation SharePoint Server Portal
  • Testing Contributor to Symantec SharePoint 2010 Deployment
  • Designing and Implementing SharePoint 2010 Training for Symantec Technical Support Teams

Obligatory Dilbert Reference

Agenda

• What Problems Are We Trying to Address?
• SharePoint 2010 Primer & Capabilities
• Challenges for Auditors
• SharePoint Server 2010 Architecture
• Security Roles and Groups
• Securing SharePoint 2010 Information
• Best Practices
• References for more information

What Problems Are We Trying to Address?

• Regulatory Compliance
• Content Confidentiality, Integrity, Authorization
• Auditing and Reporting Access
• What is the architecture?
• What is being secured?
• What roles are involved in security?

SharePoint 2010 Primer & Capabilities

• Overview
• The SharePoint Platform
• SharePoint Products and Technologies

SharePoint 2010 Primer & Capabilities

• SharePoint is the business collaboration platform for the enterprise and the Internet
• SharePoint enables your enterprise to
– Deliver the best productivity experience
– Cut costs with a unified infrastructure
– Rapidly respond to business needs
• SharePoint does this by providing capabilities
– Sites, communities, content, search, insights and composites

SharePoint 2010 Primer & Capabilities: The SharePoint Platform

[Platform stack diagram: Custom Solutions and Microsoft and ISV Solutions on top of SharePoint Server, on top of SharePoint Foundation, on top of IIS, Identity Services, SQL Server and the .NET Framework, all on Windows Server 2008/R2]

SharePoint 2010 Primer & Capabilities: SharePoint Products and Technologies

• SharePoint Foundation 2010
• SharePoint Server 2010 for Intranet Scenarios
– Standard or Enterprise Client Access License
• SharePoint Server 2010 for Internet Sites, Standard or Enterprise
• Office Web Apps
• FAST Search for SharePoint 2010
• FAST Search for SharePoint 2010 for Internet Sites
• Search Server 2010 and Search Server Express 2010
• Developer Tools
– Visual Studio 2010
– SharePoint Designer 2010
• Clients
– Office client applications
– SharePoint Workspace 2010
– SharePoint Mobile
• Servers
– Duet Enterprise for Microsoft SharePoint and SAP
– Project Server
– Dynamics

[Platform stack diagram repeated: Microsoft and ISV Solutions, Custom Solutions, SharePoint Server, SharePoint Foundation]

Benefits of SharePoint

…content management and availability

Challenges of Managing SharePoint 2010

…securing and auditing access…

Challenges for Auditors

• Diverse, complex layers of physical and logical architecture
• Highly integrated into nearly every aspect of the information infrastructure
• Design elements reflect security risk trade-offs
• Inaccurate change management records
• Identification of components
• Identification and validation of security model

SharePoint 2010 Architecture

• Roles and Topologies in SharePoint Farms
• Logical Structure

SharePoint 2010 Architecture

• Roles and Topologies in SharePoint Farms (Physical Architecture):
• Roles
– Web Front-End (WFE)
– Database (SQL)
– Application Server
  • Central Administration
  • Service Applications (SAs) such as search
  • Office Web Apps
• Topologies
– Single-server: all roles
– Single WFE, SQL
– Two WFEs (redundant web apps and services), SQL
– Multiple servers providing redundancy and performance optimization based on the allocation of services, SQL cluster

SharePoint 2010 Architecture

[Slide with no extracted text]

SharePoint 2010 Architecture

[Three further architecture slides with no extracted text]

SharePoint 2010 Architecture

• Logical Architecture

[Logical architecture diagram: Farm = Configuration Database; Servers and Services (many-to-many); Service Applications with their Service Application DBs; Web Applications with Content DBs, which hold Site Collections, Webs, Lists and Items]

Security Roles and Groups

• Administration Hierarchy
– Server or Farm Administrators
– Local Administrators
– Farm Administrators
– Service Application Administrators
– Service Administrators
– Feature Administrators
– Site Collection Administrators
– Site Administration
– Content (Document Library or List, Item)

Security Roles and Groups

• Active Directory Groups
• SharePoint Security Groups
– Site Collection Administrators
– Owners
– Members
– Viewers
– Approvers
– Designers
– Hierarchy Managers
– Restricted Readers
– Custom

Security Roles and Groups

• SharePoint Managed Accounts
– AD Accounts configured from SharePoint
– Passwords managed from SharePoint

Securing SharePoint 2010 Information

• Securing a SharePoint Farm
• Securing a Web Application
• Securing Site Collections
• Securing Sites
• Securing Lists
• Windows PowerShell Security
• Service Application Permissions

Securing SharePoint 2010 Information: Overview of Site Security

[Diagram: Security Principals (User, Group) are granted Permissions on Securable Objects (Item, Document, List). Permission Level: Read; Permissions: View Items, Open Items]

Securing SharePoint 2010 Information: Site, List, and Library Security

• Site-Level Permissions
– Inherit from site collection
– You can choose to break the inheritance
• List and Library Permissions
– Inherit from the site
– You can choose to break the inheritance
• Use the Check Permissions tool to evaluate effective permissions for a user

[Diagram: Site Collection → Top-Level Site → Site → Library/List → [Folder] → Document or Item]
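The inheritance checks and the Check Permissions step above, as an added PowerShell example that is not part of the presentation: it walks one site collection, reports every site and list whose inheritance has been broken together with the role assignments on it, and evaluates one user's effective permissions on each such scope, which is the question the Check Permissions tool answers. It assumes the SharePoint 2010 Management Shell on a farm server; the site collection URL and the user login are placeholders.

```powershell
# Added example (not from the presentation). Runs in the SharePoint 2010
# Management Shell on a farm server under an account that can read the farm.
# The site collection URL and the user login are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://intranet.example.com/sites/finance"   # placeholder
$userLogin = "CONTOSO\jdoe"                                  # placeholder
$check     = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems

# Print the role assignments of one securable object (site or list) whose
# inheritance was broken, then whether $userLogin effectively holds $check there.
function Show-UniqueScope($obj, $label, $url) {
    Write-Output ("{0} with unique permissions: {1}" -f $label, $url)
    foreach ($ra in $obj.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        Write-Output ("    {0} -> {1}" -f $ra.Member.Name, $levels)
    }
    # Same question the Check Permissions tool answers, for one permission bit.
    $effective = $obj.GetUserEffectivePermissions($userLogin)
    $has = (($effective -band $check) -eq $check)
    Write-Output ("    {0} has {1}: {2}" -f $userLogin, $check, $has)
}

$site = Get-SPSite $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        try {
            # A site inherits from its parent unless inheritance was broken.
            if ($web.HasUniqueRoleAssignments) {
                Show-UniqueScope $web "Site" $web.Url
            }
            # Lists and libraries inherit from their site unless broken.
            foreach ($list in $web.Lists) {
                if (-not $list.Hidden -and $list.HasUniqueRoleAssignments) {
                    Show-UniqueScope $list "List" $list.RootFolder.ServerRelativeUrl
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }
```

Each scope the script prints is one place where the site collection's permission model has to be reviewed on its own rather than assumed from its parent.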

Securing SharePoint 2010 Information

[Diagram: SharePoint Farm → Web Application → Managed Path → Site Collection → Site → List → Content Item; a complex, layered hierarchy]

Securing SharePoint 2010 Information

• Securing a SharePoint Farm
– Farm administrators group
– Service account configurations
– Approve/reject distribution groups
– Configure information rights management
– Configure information management policies

Securing SharePoint 2010 Information

• Securing a Web Application
– Zones
– Authentication Providers
– How Zones, Web Applications, and Security Work Together to Provide Secure Solutions
– Changing Authentication Providers for a Web Application
– Managing Web Part Security
– Self-Service Site Creation

Securing SharePoint 2010 Information

• Securing Site Collections
– Custom Site Collection Policies
– Auditing Activities in a Site Collection
– Security Trimming for Navigation
– Site Collection Administrators

Securing SharePoint 2010 Information

• Securing Sites
– Indexing Site and List Content
– Site Permissions and Permission Inheritance
– Important: Farm/Server Administrators are not given access by default.

Securing SharePoint 2010 Information

• Securing Lists
– Content Approval
– Versioning Settings
– Draft Item Security

Securing SharePoint 2010 Information

• Windows PowerShell Security
– STSADM
– SharePoint PowerShell Applets
– Extremely powerful command-line suite
– Plan carefully
• Service Application Security

Configuring Auditing

• Configured at the site collection level
• Records user actions for later examination
• Using audit logs to review security

Configuring Auditing

• Auditing makes a record of all the actions you request. For example, you can configure auditing to record all check-outs and check-ins in a site collection.
• When you have configured auditing you can view reports that display what users have done.
• You can use these to diagnose inappropriate permissions and security holes.
• Auditing is configured at the site collection level.
• Use log trimming for space considerations.
• Be aware of the potential workload of audit log configuration.
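The configuration described on this slide, as an added PowerShell example that is not from the presentation: it enables auditing of check-outs, check-ins and permission changes on one site collection, turns on log trimming with a retention period, and then reads back the recent permission-change entries for review. It assumes the SharePoint 2010 Management Shell; the URL and the 90-day retention are placeholders chosen for illustration.

```powershell
# Added example (not from the presentation). Runs in the SharePoint 2010
# Management Shell on a farm server. The URL and retention are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl       = "http://intranet.example.com/sites/finance"   # placeholder
$retentionDays = 90                                              # placeholder

$site = Get-SPSite $siteUrl
try {
    # 1. Audit only what the review needs: the check-out/check-in events the
    #    slide names plus permission changes. Auditing every event type (View
    #    in particular) is what drives the workload warning on the slide.
    $mask = [Microsoft.SharePoint.SPAuditMaskType]::CheckOut
    $mask = $mask -bor [Microsoft.SharePoint.SPAuditMaskType]::CheckIn
    $mask = $mask -bor [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
    $site.Audit.AuditFlags = $mask
    $site.Audit.Update()

    # 2. Trim the log so it does not grow without bound. The farm's
    #    "Audit Log Trimming" timer job performs the actual deletion.
    $site.TrimAuditLog = $true
    $site.AuditLogTrimmingRetention = $retentionDays

    # 3. Review: pull only permission-change entries from the last 30 days.
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::SecurityChange)
    $query.SetRangeStart([DateTime]::UtcNow.AddDays(-30))
    foreach ($entry in $site.Audit.GetEntries($query)) {
        try   { $who = $site.RootWeb.SiteUsers.GetByID($entry.UserId).LoginName }
        catch { $who = "user id " + $entry.UserId }   # account may since be removed
        Write-Output ("{0:u}  {1,-30}  {2}  {3}" -f $entry.Occurred, $who,
                      $entry.Event, $entry.DocLocation)
    }
} finally { $site.Dispose() }
```

Run the review step on a schedule and compare the permission-change entries against approved change records; anything unexplained is the "inappropriate permission" the slide says the logs exist to surface.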

Best Practices

• Carefully Define and Document Security Model Per Tier
• Carefully Plan Farm, Collection, and Site Administration Permissions
• Validate Architecture Against Configuration Management Records
• Regularly Review Audit Reports and Usage Reports

References for more information

Books:

Microsoft SharePoint 2010 Administrator's Companion
by Bill English, Brian Alderman and Mark Ferraz
Microsoft Press © 2011 (1184 pages)
ISBN: 9780735627208

Microsoft SharePoint 2010 Administrator's Pocket Consultant
by Ben Curry
Microsoft Press © 2010 (656 pages)
ISBN: 9780735627222

References for more information

Books:

SharePoint Deployment and Governance Using COBIT 4.1: A Practical Approach
by Dave Chennault and Chuck Strain
ISACA 2010 (176 pages)

Professional SharePoint 2010 Administration
by Todd Klindt, Shane Young and Steve Caravajal
Wrox Press © 2010 (840 pages)
ISBN: 9780470533338

References for more information: Videos/Webcasts, Training

Getting Started with SharePoint Server 2010 for IT Pros
http://technet.microsoft.com/en-us/sharepoint/ee518660

SharePoint 2010 Advanced IT Professional Training
http://technet.microsoft.com/en-us/sharepoint/ee518660

Security and protection for SharePoint Server 2010
http://technet.microsoft.com/en-us/library/cc263215.aspx

TechNet Virtual Labs (over 30, 90 minute labs):
http://technet.microsoft.com/en-us/virtuallabs/bb512933

Summary & Wrap-up

• What Problems Are We Trying to Address?
• SharePoint 2010 Primer & Capabilities
• Challenges for Auditors
• SharePoint Server 2010 Architecture
• Security Roles and Groups
• Securing SharePoint 2010 Information
• Best Practices
• References for more information

Q&A?