Post on 24-Dec-2015
Sec 311
Securing SharePoint Infrastructure and Technologies
Fred Baumhardt Sandeep Modhvadia
Microsoft UK – Technology Services
Agenda
About SharePoint Services – Why Secure Them
Securing SharePoint Infrastructure
Authentication and Authorization
Security for IIS tier
Security for SQL 2000 tier
SharePoint and Firewalls
SharePoint concepts:
Box and Site Administrators
Site Groups and Lists
Anonymous and SharePoint Security Validation
About SharePoint Services
WSPS provides centralised, easy-to-manage document management/storage, indexing and search services
It also contains lists – contacts, tasks and discussion forums – it is a repository of useful information
Evil Hackers like central repositories of information – especially those secured by Microsoft products – which we assume aren’t secure
SharePoint Security Dependencies
The first step of securing any complex system is to secure the infrastructure
SharePoint uses many Windows subsystems like IIS, AD, Networking, etc., all of which have to be locked down
Most attacks against SharePoint we see at Microsoft Consulting are against common subsystems in Windows – not SharePoint
Connecting to SharePoint
Client – Server connectivity needs to be secured – how will you do this?
Plan authentication strategy
Plan encryption strategy – remember it invalidates all network-based IDS
Where will clients connect from – secure it:
VPN must be secured (5000 clients = 5000 security perimeters)
Internal Network – will sensitive documents pass unencrypted?
Architecture Defences (network diagram; only the labels survive)
Zones: INTERNET, BORDER, Perimeter, INTERNAL
Devices: redundant routers, redundant firewalls, redundant internal firewalls, inbound VPN, reverse proxy (talks to WSPS), NIC teams / 2 switches, intrusion detection
Segments, each on its own VLAN: Infrastructure Network – Internal Active Directory; Infrastructure Network – Perimeter Active Directory; Messaging Network – WSPS; Management Network – MOM, deployment; Client Network; RADIUS Network; Intranet Network – Web Servers; Data Network – SQL Server Clusters; Remote datacenter
SharePoint VLAN
SharePoint RPC in the DMZ
TCP/UDP port 389 for LDAP to Directory Service
TCP port 3268 for LDAP to Global Catalog Server
TCP/UDP port 88 for Kerberos authentication
TCP/UDP port 53 – DNS
TCP port 135 – RPC endpoint mapper
TCP ports 1024+ – RPC service ports (unless all DCs restricted)
TCP 443 – SQL – unless mapped to other port
Swiss Cheesed or Bypassed Firewall (diagram; labels recovered from the slide)
Internet → TCP 443: HTTPS → Stateful Packet Filtering Firewall → SharePoint
Traffic the firewall passes: TCP 443: HTTPS (WSPS), RPC: Outlook, SMTP, POP3, IMAP4
SharePoint → Back End Server: RPC and a bunch more, SQL (default TCP 1433)
Extranet - tips
Use a separate domain account for app pool for each virtual server
Use integrated windows auth for connecting to SQL
Use SSL!!!!
Make sure SQL is not directly accessible on extranet
Terminate SSL at an app inspecting device
SQL Security and WSPS
Two modes – Windows authentication or SQL Server authentication (“SA auth”)
By default, WSPS uses Windows authentication. Mixed mode is not as secure
SPS can be set up to use mixed authentication
This is an install-time choice and cannot be changed afterwards
Each content database can have unique credentials
But the database server can be brute forced by tools
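Brute-force attempts against SQL Server authentication show up as repeated failed logins in the SQL Server errorlog. The detector below is an added example, not part of the deck: it parses constructed errorlog lines (the format and the trailing [CLIENT: …] address are assumed; SQL Server 2000 itself does not record the client address) and flags any client exceeding a threshold of failures inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample errorlog; the layout mimics SQL Server's "logon" lines (assumed format).
SAMPLE_LOG = """\
2003-11-04 10:15:01.23 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2003-11-04 10:15:02.10 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2003-11-04 10:15:03.44 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2003-11-04 10:15:04.01 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2003-11-04 10:15:05.77 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2003-11-04 10:15:06.90 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2003-11-04 10:20:00.00 logon     Login failed for user 'jsmith'. [CLIENT: 10.0.0.9]
2003-11-04 10:31:00.00 logon     Login failed for user 'jsmith'. [CLIENT: 10.0.0.9]
2003-11-04 10:31:05.00 spid51    Starting up database 'WSS_Content'.
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) logon\s+Login failed for user '([^']*)'\. \[CLIENT: ([^\]]+)\]"
)

def parse_failures(text):
    """Return (timestamp, user, client) for every failed-login line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3)))
    return events

def find_bruteforce(events, threshold=5, window_seconds=60):
    """Map client -> peak number of failures seen inside any window of window_seconds.
    Only clients reaching the threshold are returned."""
    by_client = defaultdict(list)
    for ts, _user, client in events:
        by_client[client].append(ts)
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it fits inside window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[client] = max(flagged.get(client, 0), count)
    return flagged
```

A one-off failure from a user mistyping a password stays below the threshold; six attempts against 'sa' in six seconds are what a tool produces, and only that client is returned.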
Attacking SQL – to get SharePoint (demo)
Protecting SharePoint (diagram; labels recovered from the slide)
Traditional firewall:
WSPS clients on the Internet connect over SSL through a traditional firewall to the WSPS server
WSPS server prompts for authentication – any Internet user can access this prompt
SSL tunnels through traditional firewalls because it is encrypted…
…which allows viruses and worms to pass through undetected…
…and infect internal servers!
ISA Server with Feature Pack 1:
Basic authentication delegation
ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through
URLScan for ISA Server
Clients connect to ISA Server over SSL; ISA Server can decrypt and inspect SSL traffic
Inspected traffic can be sent to the internal server re-encrypted or in the clear (SSL or HTTP)
URLScan for ISA Server can stop Web attacks at the network edge, even over encrypted SSL
General SharePoint Server Hardening
Role-based Hardening
OU structure to hold SharePoint servers
Security Templates from Microsoft Systems Architecture
AD is a great Security Tool for SharePoint
OU structure (diagram; labels recovered from the slide)
Domain → Domain Controllers, Servers (SharePoint Servers, Exchange), Admins
Policies: Domain Policy, Baseline DC Policy, Baseline Server Policy, SharePoint Incremental Policy, DC Incremental
Authentication Vs. Authorization
Authentication – the verification of the identity of a person or process – handled by IIS
Authorization – determines which functions you can perform – handled by SharePoint
IIS’ authentication mechanism requires an NT account (either local or AD)
IIS uses the RPC protocol to authenticate – this has serious ramifications in DMZ scenarios
IIS Security and WSPS
Two vservers – content and admin – each can have its own application pool
Each application pool can have a unique user identity
Result: one-click setup = two virtual servers (admin & content) + two app pools, each owned by the local machine account “Network Service”
IIS Security Web Farms
Domain account for admin vserver should be decided before install, and should have create db and security administrator rights in SQL
Domain account for admin and content virtual servers should be different. Each web front end box should have the same accounts across the farm.
Different accounts can be used, but this requires manual setup.
The SharePoint Security Model
Box and SharePoint Admins
Site Collections
Permissions in SharePoint
Box & SharePoint Administrators
Two sets of admins – box admins and SharePoint Administrative Group members
SharePoint Administrative Group is defined in WSPS Central Administration
WSPS checks whether the user is a box admin or in the domain group. If so, full access is granted
Four differences between the abilities of box admins and SharePoint admins:
Change configuration database
Change SharePoint admin domain group
Manage content paths
Extend/unextend IIS virtual servers
Site Collections
Set of logically related Sites that can be collectively managed
Each Collection has a single top level site
Individual users can be marked as Site Collection Administrators
This grants them full access to all content
Permissions can be inherited (based on Windows ACLs)
Security & Site Collections
Site collection administrators have three main responsibilities
Users and cross-site groups on the site collection
Users are rolled up at the site collection level, and can be managed there
Cross site groups are scoped to the site collection level
Quota issues for the site collection
SharePoint Security Configuration (demo)
Permissions in WSPS
WSPS uses “rights” – a right is a privilege that allows a user to perform an action on the server.
Example: View Pages, Insert List Items, Change List Permissions.
There are currently roughly 20 rights.
Some are dependent on others. Example: Insert List Items depends on View List Items.
At the IIS virtual server level there is a “rights mask”
This enables/disables rights for use on Web Site Collections within that virtual server
It is settable by box administrators and SharePoint administrators
SharePoint Authorization
Implementation is similar to the NT system
WSPS-specific ACLs dictate access
ACL maps a security principal (user, group, etc) to a set of rights
Windows is called for domain group resolution
Two main securable resources within WSPS support ACLs:
Lists and Webs
The Permission Model
Functions just like the Windows AD Model
Set permission by site collection – inherit to sub sites
Delegation and site creation follows similar rules – take parent or set new permissions
Example hierarchy (diagram): UK Site Collection → Marketing Site, Sales Site, IT Ops Site
Web Site Security
A Web Site is a set of web pages that are managed as a whole
A Web Site can have a parent web and child webs
A Web Site’s security can be either inherited from its parent web, or unique
Web Site Security Continued
Only principal which can have permissions directly on a web site is a Site Group
This is to encourage A-G-DL-P – set permissions on groups
Site Groups are scoped to an individual Web Site
We have six Site Groups by default; they can be customized
Which Site Groups a user is a member of determines their default permissions to objects in that site (and any inheriting web sites)
Membership in multiple Site Groups is possible
List Security
A list is the smallest object in scope that can be secured in WSPS
Principals can be site groups, cross-site groups, domain groups, or individual users
Rights specific to lists include view/insert/edit/delete
By default, a list inherits its permissions
If specific permissions are placed on a list, it is implicitly made unique
ACLs on a unique list trump site-wide ACLs
E.g. a user has read access in general to the site, but on the “Announcements” list has been given no permissions
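The rights, rights mask and list-ACL rules from the two passages above, modelled as an added example (not WSPS code): rights are bit flags, granted rights are expanded to the rights they depend on, a list with its own ACL ignores the site ACL entirely, and the virtual server's rights mask clips whatever remains. The subset of rights and all dependencies other than Insert → View List Items are assumed.

```python
from enum import Flag, auto

class Right(Flag):
    """A constructed subset of the roughly 20 WSPS rights, one bit each."""
    VIEW_PAGES = auto()
    VIEW_LIST_ITEMS = auto()
    INSERT_LIST_ITEMS = auto()
    EDIT_LIST_ITEMS = auto()
    DELETE_LIST_ITEMS = auto()
    CHANGE_LIST_PERMISSIONS = auto()

ALL_RIGHTS = Right(0)
for _r in Right:
    ALL_RIGHTS |= _r

# Dependencies: the slide names Insert List Items -> View List Items; the others are assumed.
DEPENDS_ON = {
    Right.INSERT_LIST_ITEMS: Right.VIEW_LIST_ITEMS,
    Right.EDIT_LIST_ITEMS: Right.VIEW_LIST_ITEMS,
    Right.DELETE_LIST_ITEMS: Right.VIEW_LIST_ITEMS,
    Right.CHANGE_LIST_PERMISSIONS: Right.VIEW_LIST_ITEMS,
}

def expand(rights: Right) -> Right:
    """Add every right that a granted right depends on, transitively."""
    changed = True
    while changed:
        changed = False
        for right, dep in DEPENDS_ON.items():
            if right in rights and dep not in rights:
                rights |= dep
                changed = True
    return rights

def effective_rights(site_groups, site_acl, list_acl, rights_mask):
    """Rights a user holds on one list.
    site_groups: names of the Site Groups the user belongs to
    site_acl / list_acl: {group name: Right}; list_acl is None while the list inherits
    rights_mask: rights enabled on the IIS virtual server
    A list with its own ACL is unique and trumps the site ACL entirely."""
    acl = site_acl if list_acl is None else list_acl
    granted = Right(0)
    for group in site_groups:
        granted |= acl.get(group, Right(0))
    return expand(granted) & rights_mask
```

The Announcements case from the slide is the second assertion: a Reader keeps read access on inheriting lists but gets nothing on a unique list whose ACL does not name the Reader group.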
Groups and WSPS
Three types of groups are supported
NT domain groups
Can be nested inside each other
WSPS calls NT for user resolution
Can be a member of both types of groups below
Cross-site groups
Scoped to the site collection
Can’t be nested within each other
Can be a member of site groups, but not NT domain groups
Site groups
Scoped to an individual web site
Can’t be nested within each other
Anonymous Access
Anonymous access is limited – the most anonymous users can do is insert list items
By default, it is turned off, both at the web site level and at the IIS level
WSPS UI is sensitive to IIS setting
Anonymous access is set at several different points:
IIS setting for the virtual server
On/Off switch at the web site level
Rights mask at the individual list level
SharePoint Security Validation
The one-click attack uses a FORM POST from script to submit data without the user knowing
Must get the target to browse to a page that has the script
Target never knows what script just executed
Really a web-wide problem, inherent in the design of scripting and cross-domain browser security
WSPS addresses this with the use of a request digest for security validation
Part of every page served to client
Digest contains site secret, time, and username
Digest must be returned with each post to server in order for security validation to take place
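A simplified model of the request-digest check described above, added here as an example (not SharePoint's own implementation, whose algorithm the deck does not give): the digest is an HMAC over username and issue time keyed with the site secret, it is embedded in the served page, and a POST is accepted only if it returns a digest that is present, unexpired and bound to the authenticated user. The HMAC construction, the lifetime and the form field name are assumptions.

```python
import hashlib
import hmac

# Constructed site secret: a server-side value a cross-site attacker's page cannot read.
SITE_SECRET = b"constructed-site-secret-change-me"
DIGEST_LIFETIME = 30 * 60          # assumed validity window, in seconds
FIELD = "__REQUESTDIGEST"          # form field name assumed for this model

def make_digest(username: str, issued_at: int, secret: bytes = SITE_SECRET) -> str:
    """Digest embedded in every served page: clear issue time plus HMAC(secret, username|time)."""
    tag = hmac.new(secret, f"{username}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}:{tag}"

def validate_post(form: dict, authenticated_user: str, now: int,
                  secret: bytes = SITE_SECRET) -> bool:
    """Security validation for a POST.
    form: submitted fields; authenticated_user: identity IIS established for this request;
    now: server time in seconds. Returns True only when the digest passes every check."""
    digest = form.get(FIELD, "")
    issued_str, _, _tag = digest.partition(":")
    if not issued_str.isdigit():
        return False                    # missing or malformed: a cross-site form never had one
    issued_at = int(issued_str)
    if issued_at > now or now - issued_at > DIGEST_LIFETIME:
        return False                    # stale page being replayed, or a future timestamp
    expected = make_digest(authenticated_user, issued_at, secret)
    # Recomputing with the authenticated user binds the digest to that user; constant-time compare.
    return hmac.compare_digest(expected, digest)
```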
Blocked File Types
List of file types, based off of file extension
List is done per virtual server
This is more of a convenience feature or policy “helper” than it is a true security feature
Users can rename file extension
Safe Mode Rendering
Provides a safe execution environment for SharePoint pages and Web Part Pages
Eliminates the following risks:
User inserting code with an infinite loop or that consumes a huge amount of memory
User inserting references to Web Form Controls or other classes that the administrator did not approve (or has not tested for scalability or robustness)
Limits
Safe mode and the web part framework provide limits on the rendering of Web Parts
These limits are either at the virtual server level or at the assembly level.
Virtual server level limits can be set in two ways:
Web.config
SharePoint Central Administration
Assembly limits are set by assigning permissions to assemblies using Code Access Security policies
SharePoint Resources
Evaluate Windows SharePoint Services and SharePoint Portal Server 2003 Betas http://www.microsoft.com/sharepoint
Download technical documentation and Software Development Kits from our Developer Center http://msdn.microsoft.com
Find and contribute Web Parts and templates to the Web Component Directory http://www.microsoft.com/sharepoint/webparts
Visit our community websites http://www.microsoft.com/sharepoint/community/
Community Resources
Community Resources http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP) http://www.mvp.support.microsoft.com/
Newsgroups – converse online with Microsoft Newsgroups, including Worldwide http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups – meet and learn with your peers http://www.microsoft.com/communities/usergroups/default.mspx
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.