SPCA2013 - SharePoint Insanity Demystified


Posted on 09-May-2015







SharePoint Insanity Demystified


1. Resources
   http://technet.microsoft.com/en-us/library/ee662513.aspx
   http://technet.microsoft.com/en-us/library/cc678863.aspx

2. Service accounts in this deck
   SQL Server service: SQL_Service *
   SQL administrator: SQL_Admin
   SharePoint Administrator and Setup User: SP_Admin
   SharePoint Farm Service: SP_Farm
   Application pool accounts: SP_WebApps, SP_MySiteApp *, SP_ServiceApps *
   Default content access (crawl) account: SP_Crawl *
   User Profile Synchronization account: SP_UserSync
   Object cache accounts: SP_CacheSR, SP_CacheSU

3. SQL Server accounts
   SQL Database Engine service account: SQL_Service
   SQL service ownership account: SQL_Admin
   SQL Agent service account: SQL_Agent
   Resources:
   http://technet.microsoft.com/en-us/library/ms144228.aspx
   http://download.microsoft.com/download/8/F/A/8FABACD7-803E-40FC-ADF8355E7D218F4C/SQL_Server_2012_Security_Best_Practice_Whitepaper_Apr2012.docx

4. SharePoint Administrator and Setup User: SP_Admin
   Used by a service admin to perform bit-level changes (install, patch and configure the farm)
   Unique, generic SharePoint administrative account
   Not your normal user or admin account

5. SP_Admin requirements
   Domain user account
   Local Administrator on each SharePoint server
   SQL privileges: securityadmin and dbcreator fixed server roles on the instance
   PowerShell privileges: SharePoint_Shell_Access (granted with Add-SPShellAdmin)

6. SharePoint Farm Service: SP_Farm
   Used for highly privileged SharePoint services (timer service, Central Administration application pool)
   Domain user account
   SharePoint assigns the required permissions automatically

7. Extra privileges: UPS
   Before provisioning the User Profile Synchronization Service:
   1. Add SP_Farm to the local Administrators group on the synchronization server (remove it again once the service is provisioned)

8. (Diagram) Collab, Intranet and Extranet web applications; their application pool accounts are members of the WSS_CONTENT_APPLICATION_POOLS database role

9. Web and service application pool accounts
   Domain user accounts
   Register as managed accounts in the SharePoint farm
   Assigned as the application pool identity
   Permissions required depend on the web app or service application

10. My Site web application: SP_MySiteApp
    A separate account for each application pool isolates access

11. SharePoint Search default content access account: SP_Crawl
    Domain user account
    Requires Read permission to indexed content sources
    Configure SP_Crawl before creating web apps (SharePoint then grants it Full Read on each new web application)
    Assign Read permission to all other indexed content sources
    Create additional content access accounts where a content source needs different credentials

12. SharePoint User Profile Synchronization: SP_UserSync
    Domain user account
    Requires the Replicating Directory Changes permission on the domain

13. Object cache accounts: SP_CacheSR (Super Reader), SP_CacheSU (Super User)
    See http://technet.microsoft.com/en-us/library/ff758656.aspx
    Note: this is not the same as the BLOB cache or remote BLOB storage. The object cache is about versions and drafts: one account reads only published content, the other reads everything, including drafts.

14. Office Web Apps (2013); Secure Store

15. SharePoint Automation: SP_Automation
    Rights required to perform automated tasks

16. SharePoint Enterprise Administrator: SP_EnterpriseAdmin
    Least privilege is not always possible
    SQL administrator, local Administrators, Farm Administrators
    Disabled until needed

17. Each farm needs its own set of accounts
    Naming convention: SP_Farm, SP_Farm_Dev, SP_Farm_Test
    Why? A password change or a compromise in one farm then stays in that farm.

18. Resources
    Account permissions and security settings in SharePoint 2013: http://technet.microsoft.com/en-us/library/cc678863.aspx
    Configure object cache user accounts in SharePoint Server 2013: http://technet.microsoft.com/en-us/library/ff758656.aspx

19. Creating the accounts from a CSV with the Active Directory module (one CSV column per New-ADUser parameter, e.g. Name, SamAccountName, UserPrincipalName)
    Import-Csv $filename |
        New-ADUser -Path $ou -PassThru |
        Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $password -Force) -PassThru |
        Enable-ADAccount
    Write-Host "Complete"

20. What is a service account?
    The #1 problem with service accounts is... PASSWORD CHANGES
    Service account password is changed: painful!
    Result: admins set "Password never expires"

21. In a nutshell
    Register a managed account
    Use a managed account

22. Manual password change for a managed account
    Benefits: does not require any delegation in Active Directory
    CHANGE PASSWORD

23. Automatic password change for an individual managed account
    Benefits

24. Use them
    Configure automatic password management
    Know the limitations

25. SQL alias
    SQLSERVER01.contoso.com = NYSQL05.contoso.com today
                            = NYSQLCLUSTER.contoso.com tomorrow
                            = NYSQLCLUSTER.newcompany.com next year
    Configure a SQL alias with CLICONFG.exe on each SharePoint server in the farm
    Do not fake it out with a DNS record (Kerberos: the SPN must match the name the client actually connects to)
    Consider tiers of aliases to support SQL scaling:
       Content databases: SQLSPCONTENT
       Search databases: SQLSPSEARCH
       Service application databases: SQLSPSERVICES
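Slides 20 through 24 describe registering the service accounts as managed accounts and then letting SharePoint, rather than a human with a spreadsheet, handle the password change. The script below is an added example and not code from the deck: it runs in the SharePoint 2013 Management Shell on a farm server as the setup account, uses the deck's account names, and assumes the CONTOSO domain and a monthly change window. Get-SPManagedAccount, New-SPManagedAccount and Set-SPManagedAccount are the product's own cmdlets; Register-ManagedAccount and Update-ManagedAccountPassword are helper functions written for this example.

```powershell
# Added example, not part of the deck. Run in the SharePoint 2013 Management
# Shell as the setup account (SP_Admin). Domain name and schedule are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$domain = 'CONTOSO'                                               # assumption
# Application pool identities are what get registered as managed accounts (slide 9).
# SP_Crawl, SP_UserSync and the object cache accounts are configured inside
# Search, the User Profile service and the web application, not here.
$poolAccounts = 'SP_WebApps', 'SP_MySiteApp', 'SP_ServiceApps'

function Register-ManagedAccount {
    param([Parameter(Mandatory)][string]$UserName)
    $existing = Get-SPManagedAccount -Identity $UserName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    # The current AD password is typed exactly once; from now on SharePoint
    # distributes it to every server in the farm itself.
    $cred = Get-Credential -UserName $UserName -Message "Current password for $UserName"
    return New-SPManagedAccount -Credential $cred
}

# Manual change (slide 22): the password is changed in AD by whatever process
# already owns that, then SharePoint is told the new value with
# -UseExistingPassword. SharePoint needs no AD delegation for this path; it only
# updates the application pools and service identities on each server.
function Update-ManagedAccountPassword {
    param([Parameter(Mandatory)][string]$UserName,
          [Parameter(Mandatory)][securestring]$NewPassword)
    Set-SPManagedAccount -Identity $UserName -UseExistingPassword `
        -ExistingPassword $NewPassword -Confirm:$false
}

# 1. Farm account: registered, but deliberately left on manual change. This is
#    one of slide 24's "limitations": the User Profile Synchronization service
#    keeps its own copy of the farm account's credentials, so verify your
#    configuration before ever enabling automatic change on SP_Farm.
$farm = Register-ManagedAccount -UserName "$domain\SP_Farm"

# 2. Application pool accounts: automatic change (slide 23). On schedule,
#    SharePoint generates a new password, writes it to AD and pushes it to all
#    servers. The farm account must be allowed to change these users' passwords.
foreach ($name in $poolAccounts) {
    $acct = Register-ManagedAccount -UserName "$domain\$name"
    Set-SPManagedAccount -Identity $acct -AutoGeneratePassword `
        -Schedule 'monthly between 1 02:00:00 and 1 03:00:00' `   # assumption
        -PreExpireDays 3 -EmailNotification 5 -Confirm:$false
}

# 3. Verify what the farm now believes about each account.
Get-SPManagedAccount |
    Select-Object UserName, AutomaticChange, ChangeSchedule, PasswordExpiration |
    Format-Table -AutoSize
```

The verification table is the check to keep: AutomaticChange should be True only for the pool accounts, and PasswordExpiration should move forward after the first scheduled run. If it does not, the farm account lacks the right to reset those users' passwords in AD, and SharePoint will keep the old password and log the failure rather than break the application pools.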
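Slide 25 recommends a SQL alias per database tier, created with CLICONFG.exe on every SharePoint server. The script below is an added example and not from the deck: it writes the same registry values CLICONFG.exe writes, so the aliases can be scripted across the farm instead of clicked through on each server. The alias names are the deck's; the target host name and port are assumptions, and Set-SqlAlias is a helper written for this example.

```powershell
# Added example, not part of the deck. Run elevated on EVERY SharePoint server in
# the farm before the farm (or the database tier) is created. Target host and port
# are assumptions; the alias names are the tiers from slide 25.
$port = 1433                                                      # assumption
$aliases = [ordered]@{
    'SQLSPCONTENT'  = 'NYSQL05.contoso.com'    # content databases
    'SQLSPSEARCH'   = 'NYSQL05.contoso.com'    # search databases
    'SQLSPSERVICES' = 'NYSQL05.contoso.com'    # service application databases
}
# 64-bit SharePoint reads the first key; the Wow6432Node key serves 32-bit clients.
$keys = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'

function Set-SqlAlias {
    param([Parameter(Mandatory)][string]$Alias,
          [Parameter(Mandatory)][string]$Server,
          [int]$Port = 1433)
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DBMSSOCN selects the TCP/IP network library. The client connects to
        # $Server:$Port, but SharePoint's connection strings only ever hold $Alias,
        # which is what makes the "today / tomorrow / next year" move a one-line edit.
        New-ItemProperty -Path $key -Name $Alias -PropertyType String `
            -Value "DBMSSOCN,$Server,$Port" -Force | Out-Null
    }
}

foreach ($alias in $aliases.Keys) {
    Set-SqlAlias -Alias $alias -Server $aliases[$alias] -Port $port
}

# Verify: read the aliases back and open a connection through one of them.
# Because the TCP session goes to the real host name, the SQL client requests
# the SPN MSSQLSvc/NYSQL05.contoso.com:1433 and Kerberos works. A DNS CNAME
# "alias" would make it request an SPN for the CNAME instead, which the SQL
# service account does not have unless you add it; that is slide 25's warning.
Get-ItemProperty -Path $keys[0] | Select-Object SQLSPCONTENT, SQLSPSEARCH, SQLSPSERVICES
$conn = New-Object System.Data.SqlClient.SqlConnection 'Data Source=SQLSPCONTENT;Integrated Security=SSPI'
$conn.Open()
"Connected to $($conn.DataSource), SQL Server $($conn.ServerVersion)"
$conn.Close()
```

Run the verification as the account that will actually use the alias (the setup account during farm creation, later a pool account), not just as yourself: the alias is per machine, but the Kerberos ticket is per user.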
26. (Diagram) Workflows, security, SQL content database: metadata, document, BLOB (Binary Large Object)

27. Content databases, TempDB, Model: Monitor, Measure, Modify

28. Content database, site collection, items per content database (*conditions apply: performance, DR, HA)

29. (Diagram, repeated) Workflows, security, SQL content database: metadata, document, BLOBs

30. (Diagram) The same, with the BLOBs externalized to cloud, share, NAS or SAN

31. BLOB externalization: EBS (External BLOB Storage) and RBS (Remote BLOB Storage)

32. Why externalize BLOBs?
    Reduced storage cost
    Increased performance: real-world workload results at http://www.microsoft.com/en-us/download/details.aspx?id=14726 show significant improvement, despite the noise about performance; externalize collaborative content at 1 MB
    Access to features of the underlying storage platform
    Business rules to determine what gets

33. Office documents vs. non-Office documents

34. Shredded storage
    Reduces I/O between web server and SQL Server
    Potential reduction in storage of Office document versions
    Non-Office document formats don't benefit as much, or at all
    Does not reduce storage in multiple-location scenarios

35. Shreds on new or modified documents, not on upgrade
    Cannot currently be turned off
    Overall system performance may be degraded

36. Shredded storage means no RBS in collab scenarios
    Use RBS for tiered storage management for archives
    Requires an RBS provider

37. Options
    Move to a different location, keep in SharePoint
    Move to a different storage tier, keep in SharePoint
    Move out of SharePoint entirely

38. Randy Williams, Jeremy Thake, Gary Lapointe, Chris Givens, Andrew Connell, Spence Harbar, Jason Himmelstein, Todd Baginski, Scot Hillier, Susan Hanley, Matt McDermott, Eric Shupps, Paul Swider, Shane Young, Todd Klindt, Wictor Wilén, Asif Rehmani, Rob Bogue, Agnes Molnar, Steve Fox, Mirjam van Olst, Jasper Oosterveld, Michael Noel

39. http://tiny.cc/danholmepresentations
    http://tiny.cc/danholmearticles
    http://tiny.cc/danholmebooks
    dan.holme@intelliem.com
    @danholme