1. Platinum Sponsor Gold Sponsors

2. Michael NoelSHAREPOINT SECURITY IN AN INSECURE WORLDUNDERSTANDING THE FIVE LAYERS OF SHAREPOINT SECURITY 3. MICHAEL NOELAuthor of SAMS Publishing titles SharePoint 2007 Unleashed, the upcoming SharePoint 2010 Unleashed, SharePoint 2003 Unleashed, Teach Yourself SharePoint 2003 in 10 Minutes, Windows Server 2008 R2 Unleashed, Exchange Server 2010 Unleashed, ISA Server 2006 Unleashed, and many other titles .Partner at Convergent Computing (www.cco.com / +1(510)444-5700) San Francisco, U.S.A. based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security 4. SHAREPOINT SECURITYLAYERS OF SECURITY IN A SHAREPOINT ENVIRONMENT 1: Infrastructure Security Physical Security Best Practice Service Account Setup Kerberos Authentication 2: Data Security Role Based Access Control (RBAC) Transparent Data Encryption (TDE) of SQL Databases Antivirus 3: Transport Security Secure Sockets Layer (SSL) from Client to Server IPSec from Server to Server 4: Edge Security Inbound Internet Security (Forefront UAG/TMG) 5: Rights Management 5. INFRASTRUCTURESECURITYLayer 6. LAYER 1: INFRASTRUCTURE SECURITY SAMPLE LIST OF SERVICE ACCOUNTSService Account NameRole of Service Account Special PermissionsCOMPANYABCSRV-SP-Setup SharePoint Installation Account Local Admin on all SP Servers (for installs)COMPANYABCSRV-SP-SQL SQL Service Account(s) Should be separate Local Admin on Database Server(s)admin accounts from SP accounts.(Generally, some exceptions apply)COMPANYABCSRV-SP-FarmSharePoint Farm Account(s) Can also beN/Astandard admin accounts. RBAC principles applyideally.COMPANYABCSRV-SP-SearchSearch AccountN/ACOMPANYABCSRV-SP-Content Default Content Access AccountRead rights to any external data sources to becrawledCOMPANYABCSRV-SP-ProfDefault Profiles Access Account Member of Domain Users (to be able to readattributes from users in domain) and ReplicateDirectory Changes rights in AD.COMPANYABCSRV-SP-AP-SPCA Application Pool Identity account for DBCreator and Security Admin on SQL.SharePoint Central Admin. Create and Modify contacts rights in OUused for mail.COMPANYABCSRV-SP-AP-Data Application Pool Identity account for the Content N/Arelated App Pool (Portal, MySites, etc.) Additionalas needed for security. 7. LAYER 1: INFRASTRUCTURE SECURITY ENABLE KERBEROS When creating any Web Applications in Classic-mode, USE KERBEROS.It is much more secure and also faster with heavy loads as the SP serverdoesnt have to keep asking for auth requests from AD. Kerberos auth does require extra steps, which makes people shy awayfrom it, but once configured, it improves security considerably and canimprove performance on high-load sites. Should also be configured on SPCA Site! (Best Practice = ConfigureSPCA for NLB, SSL, and Kerberos (i.e. https://spca.companyabc.com) 8. LAYER 1: INFRASTRUCTURE SECURITY KERBEROS STEP 1: CREATE THE SERVICE PRINCIPAL NAMES Use the setspn utility to create Service Principle Names in AD, thefollowing syntax for example: Setspn.exe -A HTTP/mysite.companyabc.com DOMAINNAMEMYSiteAppAccount Setspn.exe -A HTTP/mysite DOMAINNAMEMYSITEAppAccount Setspn.exe -A HTTP/home.companyabc.com DOMAINNAMEHOMEAppAccount Setspn.exe -A HTTP/sp DOMAINNAMEHOMEAppAccount 9. LAYER 1: INFRASTRUCTURE SECURITY KERBEROS STEP 2: ENABLE KERBEROS BETWEEN SP AND SQL Use setspn to create SPNs for SQL Service Account SPNs need to match the name that SharePoint uses toconnect to SQL (Ideally SQL Alias, more on this later) Syntax similar to following: Setspn.exe -A MSSQLSvc/spsql:1433 COMPANYABCSRV-SQL-DB Setspn.exe A MSSQLSvc/spsql.companyabc.com:1433 COMPANYABCSRV-SQL-DB MSSQLSvc = Default instance, if named instance, specify the nameinstead In this example, SRV-SQL-DB is the SQL Admin account 10. LAYER 1: INFRASTRUCTURE SECURITY KERBEROS STEP 3: ALLOW ACCOUNTS TO DELEGATE (OPTIONAL) Required only for ExcelServices and otherimpersonation applications. On all SP Computer accountsand on the Application Identityaccounts, check the box inADUC to allow for delegation. In ADUC, navigate to the computer or user account, right- click and choose Properties. Go to the Delegation tab Choose Trust this user/computer for delegation to any service (Kerberos) 11. LAYER 1: INFRASTRUCTURE SECURITY KERBEROS STEP 4: ENABLE KERBEROS ON WEB APPLICATION Go to Application Management Authentication Providers Choose the appropriate Web Application Click on the link for Default under Zone Change to Integrated Windows Authentication - Kerberos(Negotiate) Run iisreset /noforce from the command prompt If creating Web App from scratch, this step may be unnecessary ifyou choose Negotiate from the beginning 12. DATA SECURITY Layer 13. LAYER 2: DATA SECURITYROLE BASED ACCESS CONTROL (RBAC) Role Groups defined within Active Directory (Universal Groups) i.e. Marketing, Sales, IT, etc. Role Groups added directly into SharePoint Access Groupssuch as Contributors, Authors, etc. Simply by adding a user account into the associated Role Group,they gain access to whatever rights their role requires.User1 RoleSharePoint Group GroupUser2 14. LAYER 2: DATA SECURITY SQL TRANSPARENT DATA ENCRYPTION (TDE) SQL Server 2008 and 2008 R2 Enterprise Edition Feature Encrypts SQL Databases Transparently, SharePoint isunaware of the encryption and does not need a key Encrypts the backups of the database as well (c) 2011 Microsoft. All rights 15. LAYER 2: DATA SECURITY TDE VS. CELL LEVEL ENCRYPTION Available with either SQL 2005 or SQL 2008 Encrypts individual cells in a database Requires a password to access the cell Requires that columns be changed from their original datatype to varbinary Advantage is that only specific info is encrypted Disadvantage is that you cannot use this for SharePointDatabases (c) 2011 Microsoft. All rights 16. LAYER 2: DATA SECURITY TDE VS. FILE LEVEL ENCRYPTION Two forms, older Encrypting File System (EFS) andBitlocker EFS encrypts data at the File Level Bitlocker encrypts data at the Volume Level Bitlocker Encrypts every file on the disk, not just databasefiles Could be used together with TDE(c) 2011 Microsoft. All rights 17. LAYER 2: DATA SECURITY SQL TRANSPARENT DATA ENCRYPTION (TDE) LIMITATIONS Does not encrypt the Communication Channel (IPSec can beadded) Does not protect data in memory (DBAs could access) Cannot take advantage of SQL 2008 Backup Compression TempDB is encrypted for the entire instance, even if only oneDB is enabled for TDE, which can have a peprformance effectfor other DBs Replication or FILESTREAM data is not encrypted when TDEis enabled (i.e. RBS BLOBs not encrypted) (c) 2011 Microsoft. All rights 18. Key and OS Level HierarchyWindows CertData Protection API (DPAPI)DPAPI Encrypts SMK SQL Instance Level Service Master KeySMK encrypts the DMK for master DBmaster DB Level Database Master KeyDMK creates Cert in master DBmaster DB Level CertificateCertificate Encrypts DEK in Content DBContent DB LevelDatabase Encryption Key DEK used to encrypt Content DB (c) 2011 Microsoft. All rights reserved. 19. LAYER 2: DATA SECURITY SQL TDE STEP 1: CREATING THE DATABASE MASTER KEY (DMK) Symmetric key used to protect private keys and asymmetrickeys Protected itself by Service Master Key (SMK), which iscreated by SQL Server setup Use syntax as follows: USE master; GO CREATE MASTER KEY ENCRYPTION BY PASSWORD = CrypticTDEpw4CompanyABC; GO(c) 2011 Microsoft. All rights 20. LAYER 2: DATA SECURITY SQL TDE STEP 2: CREATING THE TDE CERTIFICATE Protected by the DMK Used to protect the database encryption key Use syntax as follows: USE master; GO CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = CompanyABC TDE Certificate ; GO(c) 2011 Microsoft. All rights 21. LAYER 2: DATA SECURITY SQL TDE STEP 3: BACKUP THE MASTER KEY Without a backup, data can be lost Backup creates two files, the Cert backup and the Private Key File Use following syntax:USE master;GOBACKUP CERTIFICATE CompanyABCtdeCert TO FILE =c:BackupCompanyABCtdeCERT.cerWITH PRIVATE KEY (FILE = c:BackupCompanyABCtdeDECert.pvk,ENCRYPTION BY PASSWORD = CrypticTDEpw4CompanyABC! );GO (c) 2011 Microsoft. All rights 22. LAYER 2: DATA SECURITY SQL TDE STEP 4: CREATING THE DATABASE ENCRYPTION KEY (DEK) DEK is used to encrypt specific database One created for each database Encryption method can be chosen for each DEK Use following syntax: USE SharePointContentDB; GO CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert GO (c) 2011 Microsoft. All rights 23. LAYER 2: DATA SECURITY SQL TDE STEP 5: ENABLE TDE ON THE DATABASE(S) Data encryption will begin after running command Size of DB will determine time it will take, can be lengthyand could cause user blocking Use following syntax: USE SharePointContentDB GO ALTER DATABASE SharePointContentDB SET ENCRYPTION ON GO (c) 2011 Microsoft. All rights 24. LAYER 2: DATA SECURITY SQL TDE STEP 6: MONITOR THE TDE ENCRYPTION PROGRESS State is Returned State of 2 = Encryption Begun State of 3 = Encryption Complete Use following syntax: USE SharePointContentDB GO SELECT * FROM sys.dm_database_encryption_keys WHERE encryption_state = 3; GO (c) 2011 Microsoft. All rights 25. LAYER 2: DATA SECURITYSQL TDE: RESTORING A TDE DATABASE TO ANOTHER SERVER Step 1: Create new Master Key on Target Server (Does not need to match source master key) Step 2: Backup Cert and Private Key from Source Step 3: Restore Cert and Private Key onto Target (No need to export the DEK as it is part ofthe backup) USE master; GO CREATE CERTIFICATE CompanyABCtdeCert FROM FILE = C:RestoreCompanyABCtdeCert.cer WITH PRIVATE KEY ( FILE = C:RestoreCompanyABCtdeCert.pvk , DECRYPTION BY PASSWORD = CrypticTDEpw4CompanyABC! ) Step 4: Restore DB(c) 2011 Microsoft. All rights 26. (c) 2011 Microsoft. All rights 27. LAYER 2: DATA SECURITYSHAREPOINT ANTIVIRUS 28. LAYER 2: DATA SECURITY SHAREPOINT ANTIVIRUS VSAPI Realtime scanning only uses the VSAPI Realtime Scan Settings are Administered through theSharePoint Central Admin Tool Realtime Options are grayed out in the ForeFront Admin Console 29. LAYER 2: DATA SECURITY SHAREPOINT ANTIVIRUS: FPS KEYWORD AND FILE FILTERING Look for specifickeywords (sensitivecompanyinfo, profanity, etc.) Block Simply detect and notify Create Filter List Add Keywords, eithermanually or bulk as linesin a text file 30. LAYER 2: DATA SECURITYSHAREPOINT ANTIVIRUS: FPS PROFANITY FILTERS New Profanity lists in 11 languagesavailable in SP2 (Run KeywordInstaller.msi to install) Import the lists into FF from ProgramFilesMicrosoft ForefrontSecuritySharePointDataExampleKeywords 31. TRANSPORT SECURITY Layer 32. LAYER 3: TRANSPORT SECURITY CLIENT TO SERVER: USING SECURE SOCKETS LAYER (SSL) ENCRYPTION External or Internal Certs highly recommended Protects Transport of content 20% overhead on Web Servers Can be offloaded via SSL offloaders if needed Dont forget for SPCA as well! 33. LAYER 3: TRANSPORT SECURITY SERVER TO SERVER: USING IPSEC TO ENCRYPT TRAFFIC By default, traffic between SharePoint Servers (i.e.Web and SQL) is unencrypted IPSec encrypts all packets sent between servers in afarm For very high security scenarios when all possibledata breaches must be addressed 34. EDGE SECURITYLayer 35. LAYER 4: EDGE SECURITYFOREFRONT UNIFIED ACCESS GATEWAY (UAG) 2010 36. LAYER 4: EDGE SECURITYUAG COMPARISON WITH FOREFRONT TMGCapabilityTMG 2010 UAG 2010Publish Web applications using HTTPSXXPublish internal mobile applications to roaming mobile devicesXXLayer 3 firewallXX*Outbound scenarios supportXX*Array support XGlobalization and administration console localization XWizards and predefined settings to publish SharePoint sites and ExchangeXXWizards and predefined settings to publish various applicationsXActive Directory Federation Services (ADFS) supportXRich authentication (for example, one-time password, forms-based, smart card) XXApplication protection (Web application firewall) BasicFullEndpoint health detectionXInformation leakage prevention XGranular access policy XUnified Portal X 37. RIGHTS MANAGEMENTLayer 38. LAYER 5: RIGHTS MANAGEMENT ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES (AD RMS) AD RMS is a form of Digital Rights Management (DRM)technology, used in various forms to protect content Used to restrict activities on files AFTER they have beenaccessed: Cut/Paste Print Save As Directly integrates with SharePoint DocLibs 39. LAYER 5: RIGHTS MANAGEMENT HOW AD RMS WORKS1.On first use, authors receiveclient licensor certificate fromRMS server2.Author creates content andassigns rights3.File is distributed torecipient(s)4.Recipient opens file, andtheir RMS client contactsserver for user validation andto obtain a license5.Application opens the fileand enforces the restrictions 40. LAYER 5: RIGHTS MANAGEMENT INSTALLING AD RMS KEY STORAGE Select Cluster Key Storage CSP used for advanced scenarios 41. LAYER 5: RIGHTS MANAGEMENTINSTALLING AD RMS CREATING THE CLUSTER NAME 42. LAYER 5: RIGHTS MANAGEMENTINSTALLING AD RMS USING AN SSL CERT FOR TRANSPORT ENCRYPTION 43. LAYER 5: RIGHTS MANAGEMENTALLOWING SHAREPOINT TO USE AD RMS By default, RMS server is configured to onlyallow the local system account of the RMSserver or the Web Application Identityaccounts to access the certificate pipelinedirectly SharePoint web servers and/or WebApplication Service Accounts need to beadded to this security list Add the RMS Service Group, the machineaccount(s) of the SharePoint Server and theWeb App Identity accountswith Read andExcecute permissions to theServerCertification.asmx file in the%systemroot%inetpubwwwroot_wmcsCertification folder on the RMS server 44. LAYER 5: RIGHTS MANAGEMENT CLIENT ACCESSING AD RMS DOCUMENTS RMS-enabled client, when accessing document in doclib,will access RMS server to validate credentials 45. LAYER 5: RIGHTS MANAGEMENT CLIENT ACCESSING AD RMS DOCUMENTS Effective permissionscan be viewed from thedocument The RMS client willenforce the restrictions 46. Thank you to our Sponsors Gold Sponsors Silver SponsorsBronze Sponsors 47. Michael Noel Twitter: @MichaelTNoelwww.cco.comSlides: slideshare.net/michaeltnoel