AUSPC 2013 - Understanding the Five Layers of SharePoint Security
0 likes1,220 views
The document outlines best practices for securing a SharePoint environment across five layers: infrastructure, data, transport, edge, and rights management security. It provides details on configuring services accounts, enabling encryption of SQL databases, implementing Kerberos authentication, and using Active Directory rights management to restrict access to content.
AUSPC 2013 - Understanding the Five Layers of SharePoint Security
- 2. Thank you to our sponsors
- 3. Great to be back in Beautiful Australia!
- 4. • 1: Infrastructure Security • Physical Security • Best Practice Service Account Setup • Kerberos Authentication • 2: Data Security • Role Based Access Control (RBAC) • Transparent Data Encryption (TDE) of SQL Databases • 3: Transport Security • Secure Sockets Layer (SSL) from Client to Server • IPSec from Server to Server • 4: Edge Security • Inbound Internet Security (Forefront UAG) • 5: Rights Management
- 5. Layer
- 6. Service Account Name Role of Service Account Special Permissions COMPANYABCSRV-SP-Setup SharePoint Installation Account Local Admin on all SP Servers (for installs) COMPANYABCSRV-SP-SQL SQL Service Account(s) – Should be separate admin accounts from SP accounts. Local Admin on Database Server(s) (Generally, some exceptions apply) COMPANYABCSRV-SP-Farm SharePoint Farm Account(s) – Can also be standard admin accounts. RBAC principles apply ideally. N/A COMPANYABCSRV-SP-Search Search Account N/A COMPANYABCSRV-SP-Content Default Content Access Account Read rights to any external data sources to be crawled COMPANYABCSRV-SP-Prof Default Profiles Access Account Member of Domain Users (to be able to read attributes from users in domain) and ‘Replicate Directory Changes’ rights in AD. COMPANYABCSRV-SP-AP-SPCA Application Pool Identity account for SharePoint Central Admin. DBCreator and Security Admin on SQL. Create and Modify contacts rights in OU used for mail. COMPANYABCSRV-SP-AP-Data Application Pool Identity account for the Content related App Pool (Portal, MySites, etc.) Additional as needed for security. N/A
- 7. • When creating any Web Applications, USE KERBEROS. It is much more secure and also faster with heavy loads as the SP server doesn’t have to keep asking for auth requests from AD. • Kerberos auth does require extra steps, which makes people shy away from it, but once configured, it improves security considerably and can improve performance on high-load sites. • Should also be configured on SPCA Site! (Best Practice = Configure SPCA for NLB, SSL, and Kerberos (i.e. https://spca.companyabc.com)
- 8. • Use the setspn utility to create Service Principle Names in AD, the following syntax for example: • Setspn.exe -A HTTP/mysite.companyabc.com DOMAINNAMEMYSiteAppAccount • Setspn.exe -A HTTP/mysite DOMAINNAMEMYSITEAppAccount • Setspn.exe -A HTTP/home.companyabc.com DOMAINNAMEHOMEAppAccount • Setspn.exe -A HTTP/sp DOMAINNAMEHOMEAppAccount
- 9. • Use setspn to create SPNs for SQL Service Account • SPNs need to match the name that SharePoint uses to connect to SQL • Syntax similar to following: • Setspn.exe -A MSSQLSvc/spsql:1433 COMPANYABCSRV-SQL-DB • Setspn.exe –A MSSQLSvc/spsql.companyabc.com:1433 COMPANYABCSRV-SQL-DB • MSSQLSvc = Default instance, if named instance, specify the name instead • In this example, SRV-SQL-DB is the SQL Admin account
- 10. • Required only for Excel Services and other impersonation applications. • On all SP Computer accounts and on the Application Identity accounts, check the box in ADUC to allow for delegation. • In ADUC, navigate to the computer or user account, right-click and choose Properties. • Go to the Delegation tab • Choose Trust this user/computer for delegation to any service (Kerberos)
- 11. • Go to Application Management • Choose the appropriate Web Application – click Authentication Providers • Click on the link for ‘Default’ under Zone • Change to Integrated Windows Authentication – Negotiate / Kerberos) • Run iisreset /noforce from the command prompt • If creating Web App from scratch, this step may be unnecessary if you choose Negotiate from the beginning
- 12. Layer
- 13. • Role Groups defined within Active Directory (Universal Groups) – i.e. ‘Marketing,’ ‘Sales,’ ‘IT,’ etc. • Role Groups added directly into SharePoint ‘Access Groups’ such as ‘Contributors,’ ‘Authors,’ etc. • Simply by adding a user account into the associated Role Group, they gain access to whatever rights their role requires. User1 User2 Role Group SharePoint Group
- 14. • SQL Server Enterprise Edition Feature • Encrypts SQL Databases Transparently, SharePoint is unaware of the encryption and does not need a key • Encrypts the backups of the database as well
- 15. • Does not encrypt the Communication Channel (IPSec can be added) • Does not protect data in memory (DBAs could access) • Cannot take advantage of SQL 2008 Backup Compression • TempDB is encrypted for the entire instance, even if only one DB is enabled for TDE, which can have a performance effect for other DBs • Replication or FILESTREAM data is not encrypted when TDE is enabled (i.e. RBS BLOBs not encrypted)
- 16. Key and Cert Hierarchy SMK encrypts the DMK for master DB Service Master KeySQL Instance Level DPAPI Encrypts SMK Data Protection API (DPAPI)Windows OS Level DMK creates Cert in master DB Database Master Keymaster DB Level Certificate Encrypts DEK in Content DB Certificatemaster DB Level DEK used to encrypt Content DB Database Encryption KeyContent DB Level
- 17. • Symmetric key used to protect private keys and asymmetric keys • Protected itself by Service Master Key (SMK), which is created by SQL Server setup • Use syntax as follows: • USE master; • GO • CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC'; • GO
- 18. • Protected by the DMK • Used to protect the database encryption key • Use syntax as follows: USE master; GO CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate' ; GO
- 19. • Without a backup, data can be lost • Backup creates two files, the Cert backup and the Private Key File • Use following syntax: USE master; GO BACKUP CERTIFICATE CompanyABCtdeCert TO FILE = 'c:BackupCompanyABCtdeCERT.cer' WITH PRIVATE KEY ( FILE = 'c:BackupCompanyABCtdeDECert.pvk', ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' ); GO
- 20. • DEK is used to encrypt specific database • One created for each database • Encryption method can be chosen for each DEK • Use following syntax: USE SharePointContentDB; GO CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert GO
- 21. • Data encryption will begin after running command • Size of DB will determine time it will take, can be lengthy and could cause user blocking • Use following syntax: USE SharePointContentDB GO ALTER DATABASE SharePointContentDB SET ENCRYPTION ON GO
- 22. • State is Returned • State of 2 = Encryption Begun • State of 3 = Encryption Complete • Use following syntax: USE SharePointContentDB GO SELECT * FROM sys.dm_database_encryption_keys WHERE encryption_state = 3; GO
- 23. • Step 1: Create new Master Key on Target Server (Does not need to match source master key) • Step 2: Backup Cert and Private Key from Source • Step 3: Restore Cert and Private Key onto Target (No need to export the DEK as it is part of the backup) USE master; GO CREATE CERTIFICATE CompanyABCtdeCert FROM FILE = 'C:RestoreCompanyABCtdeCert.cer' WITH PRIVATE KEY ( FILE = 'C:RestoreCompanyABCtdeCert.pvk' , DECRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' ) • Step 4: Restore DB
- 24. Layer
- 25. • External or Internal Certs highly recommended • Protects Transport of content • 20% overhead on Web Servers • Can be offloaded via SSL offloaders if needed • Don’t forget for SPCA as well!
- 26. • By default, traffic between SharePoint Servers (i.e. Web and SQL) is unencrypted • IPSec encrypts all packets sent between servers in a farm • For very high security scenarios when all possible data breaches must be addressed
- 27. Layer
- 30. Layer
- 31. • AD RMS is a form of Digital Rights Management (DRM) technology, used in various forms to protect content • Used to restrict activities on files AFTER they have been accessed: • Cut/Paste • Print • Save As… • Directly integrates with SharePoint DocLibs
- 32. • Select Cluster Key Storage • CSP used for advanced scenarios
- 35. • By default, RMS server is configured to only allow the local system account of the RMS server or the Web Application Identity accounts to access the certificate pipeline directly • SharePoint web servers and/or Web Application Service Accounts need to be added to this security list • Add the RMS Service Group, the machine account(s) of the SharePoint Server and the Web App Identity accountswith Read and Excecute permissions to the ServerCertification.asmx file in the %systemroot%inetpubwwwroot_w mcsCertification folder on the RMS server
- 36. • RMS-enabled client, when accessing document in doclib, will access RMS server to validate credentials
- 37. • Effective permissions can be viewed from the document • The RMS client will enforce the restrictions
- 38. • Determine Security Risk for your SharePoint Environment • Identify any Regulatory Compliance Requirements for SharePoint • Determine which aspects of SharePoint need to be secured, touching on all five layers of SharePoint Security
- 39. Michael Noel Company Site: http://www.cco.com Twitter: http://twitter.com/michaeltnoel LinkedIn: http://linkedin.com/in/michaeltnoel Facebook: http://facebook.com/michaelnoel Slides: http://slideshare.net/michaeltnoel Travel blog: http://sharingtheglobe.com
- 40. Thank you to our sponsors