Sec 311 Securing SharePoint Infrastructure and Technologies Fred Baumhardt Sandeep Modhvadia Microsoft UK – Technology Services


Page 1

Sec 311

Securing SharePoint Infrastructure and Technologies

Fred Baumhardt Sandeep Modhvadia

Microsoft UK – Technology Services

Page 2

Agenda

About SharePoint Services – why secure them

Securing SharePoint infrastructure
Authentication and authorization
Security for the IIS tier
Security for the SQL 2000 tier
SharePoint and firewalls

SharePoint concepts:
Box and Site Administrators
Site Groups and Lists
Anonymous access and SharePoint Security Validation

Page 3

About SharePoint Services

WSPS provides centralised, easy-to-manage document management/storage, indexing and search services

It also contains lists – contacts, tasks and discussion forums – it is a repository of useful information

Evil hackers like central repositories of information – especially those secured by Microsoft products – which we assume aren’t secure

Page 4

SharePoint Security Dependencies

The first step of securing any complex system is to secure the infrastructure
SharePoint uses many Windows subsystems like IIS, AD, networking, etc., all of which have to be locked down
Most attacks against SharePoint we see at Microsoft Consulting are against common subsystems in Windows – not SharePoint

Page 5

Connecting to SharePoint

Client–server connectivity needs to be secured – how will you do this?

Plan authentication strategy

Plan encryption strategy – remember it invalidates all network-based IDS

Where will clients connect from – secure it: VPN must be secured (5000 clients = 5000 security perimeters)

Internal network – will sensitive documents pass unencrypted?

Page 6

Architecture Defences (network diagram; labels recovered from the slide)

Zones from outside in: INTERNET – BORDER – Perimeter – INTERNAL

Border: redundant routers, redundant firewalls
Perimeter: inbound VPN, reverse proxy (talks to WSPS), RADIUS network, Infrastructure Network – Perimeter Active Directory
Internal: redundant internal firewalls, then a separate VLAN for each network:
Infrastructure Network – Internal Active Directory
Messaging Network – WSPS
Management Network – MOM, deployment
Client Network
Intranet Network – Web Servers
Data Network – SQL Server Clusters
SharePoint VLAN
Remote datacenter
Throughout: NIC teams / 2 switches, Intrusion Detection

Page 7

SharePoint RPC in the DMZ

Ports a DMZ SharePoint server needs back to the internal network:
TCP/UDP port 389 for LDAP to Directory Service
TCP port 3268 for LDAP to Global Catalog Server
TCP/UDP port 88 for Kerberos authentication
TCP/UDP port 53 – DNS
TCP port 135 – RPC endpoint mapper
TCP ports 1024+ – RPC service ports (unless all DCs restricted)
TCP 443 – SQL – unless mapped to other port

(Diagram: “Swiss cheesed or bypassed firewall” versus “stateful packet filtering firewall”. Internet → SharePoint: TCP 443: HTTPS (WSPS); RPC: Outlook; SMTP, POP3, IMAP4. SharePoint → Back End Server: RPC and a bunch more; SQL (def TCP 1433).)

Page 8

Extranet - tips

Use a separate domain account for app pool for each virtual server

Use integrated windows auth for connecting to SQL

Use SSL!!!!

Make sure SQL is not directly accessible from the extranet

Terminate SSL at an app inspecting device

Page 9

SQL Security and WSPS

Two modes – Windows authentication or SQL Server authentication (“SA auth”)

By default, WSPS uses Windows authentication. Mixed mode is not as secure

SPS can be set up to use mixed authentication
This is an install-time choice and cannot be changed later

Each content database can have unique credentials

But the database server can be brute-forced by tools

Page 10

Attacking SQL – to get SharePoint

demo

Page 11

Protecting SharePoint

(Two diagrams compared: WSPS clients reaching the WSPS server through a traditional firewall, and through ISA Server)

Traditional firewall:
WSPS server prompts for authentication – any Internet user can access this prompt
SSL tunnels through traditional firewalls because it is encrypted…
…which allows viruses and worms to pass through undetected…
…and infect internal servers!

ISA Server with Feature Pack 1:
Basic authentication delegation
ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through
URLScan for ISA Server
ISA Server can decrypt and inspect SSL traffic; inspected traffic can be sent to the internal server re-encrypted or in the clear (SSL or HTTP)
URLScan for ISA Server can stop Web attacks at the network edge, even over encrypted SSL

Page 12

General SharePoint Server Hardening

Role-based Hardening
OU Structure to hold SharePoint servers

Security Templates from Microsoft Systems Architecture

AD is a great Security Tool for SharePoint

(OU and Group Policy diagram, labels recovered from the slide: Domain – Domain Policy; Domain Controllers – Baseline DC Policy, DC Incremental; Servers – Baseline Server Policy; child OUs SharePoint Servers – SharePoint Incremental Policy, Exchange, Admins)

Page 13

Authentication vs. Authorization

Authentication – the verification of the identity of a person or process – handled by IIS

Authorization – determines which functions you can perform – handled by SharePoint

IIS’ authentication mechanism requires an NT account (either local or AD)

IIS uses RPC protocol to authenticate – This has serious ramifications in DMZ scenarios

Page 14

IIS Security and WSPS

Two virtual servers – content and admin – each can have its own application pool

Each application pool can have a unique user identity

Result: one-click setup = two virtual servers (admin & content) + two app pools, each owned by the local machine account “Network Service”

Page 15

IIS Security Web Farms

Domain account for admin vserver should be decided before install, and should have create db and security administrator rights in SQL

Domain account for admin and content virtual servers should be different. Each web front end box should have the same accounts across the farm.

Different accounts can be used, but requires manual setup.

Page 16

The SharePoint Security Model

Box and SharePoint Admins

Site Collections

Permissions in SharePoint

Page 17

Box & SharePoint Administrators

Two sets of admins – box admins and SharePoint Administrative Group members

SharePoint Administrative Group is defined in WSPS Central Administration
WSPS checks to see if the user is a box admin or in the domain group. If so, full access is granted

Four differences between the abilities of box admins and SharePoint admins:
Change configuration database
Change SharePoint admin domain group
Manage content paths
Extend/unextend IIS virtual servers

Page 18

Site Collections

Set of logically related Sites that can be collectively managed

Each Collection has a single top level site

Individual users can be marked as Site Collection Administrators

This grants them full access to all content

Permissions can be inherited (based on Windows ACLs)

Page 19

Security & Site Collections

Site collection administrators have three main responsibilities:

Users and cross-site groups on the site collection

Users are rolled up at the site collection level, and can be managed there

Cross-site groups are scoped to the site collection level

Quota issues for the site collection

Page 20

SharePoint Security Configuration

demo

Page 21

Permissions in WSPS

WSPS uses “rights” – a right is a privilege that allows a user to perform an action on the server.

Example: View Pages, Insert List Items, Change List Permissions.
There are currently roughly 20 rights.
Some are dependent on others. Example: Insert List Items has View List Items as a dependent.

At the IIS virtual server level there is a “rights mask”

This enables/disables rights for use on Web Site Collections within that virtual server
It is settable by box administrators and SharePoint administrators

Page 22

SharePoint Authorization

Implementation is similar to the NT system
WSPS-specific ACLs dictate access

An ACL maps a security principal (user, group, etc.) to a set of rights

Windows is called for domain group resolution

Two main securable resources within WSPS support ACLs:

Lists and Webs

Page 23

The Permission Model

Functions just like the Windows AD model

Set permission by site collection – inherit to sub-sites

Delegation and site creation follow similar rules – take parent or set new permissions

(Diagram: UK Site Collection with sub-sites Marketing Site, Sales Site, IT Ops Site)

Page 24

Web Site Security

A Web Site is a set of web pages that are managed as a whole

A Web Site can have a parent web and child webs

A Web Site’s security can be either inherited from its parent web, or unique

Page 25

Web Site Security Continued

The only principal which can have permissions directly on a web site is a Site Group

This is to encourage A-G-DL-P – set perms to groups
Site Groups are scoped to an individual Web Site
We have six Site Groups by default; they can be customized

Which Site Groups a user is a member of determines their default permissions to objects in that site (and any inheriting web sites)

Membership in multiple Site Groups is possible

Page 26

List Security

A list is the smallest object in scope that can be secured in WSPS
Principals can be site groups, cross-site groups, domain groups, or individual users
Rights specific to lists include view/insert/edit/delete
By default, a list inherits its permissions
If specific permissions are placed on a list, it is implicitly made unique

ACLs on a unique list trump site-wide ACLs
E.g. a user has read access in general to the site, but on the “Announcements” list has been given no permissions
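The rights, dependencies, inheritance and rights-mask behaviour described on the last few slides, modelled as an added example. This is illustrative Python, not SharePoint’s own implementation; the bit values, the edit/delete dependencies, the Site Group names and the sample sites and lists are constructed.

```python
from dataclasses import dataclass
from enum import IntFlag
from typing import Dict, Iterable, Optional

class Right(IntFlag):
    """Some of the roughly 20 WSPS rights as bit flags (bit values constructed)."""
    VIEW_PAGES = 1
    VIEW_LIST_ITEMS = 2
    INSERT_LIST_ITEMS = 4
    EDIT_LIST_ITEMS = 8
    DELETE_LIST_ITEMS = 16
    CHANGE_LIST_PERMISSIONS = 32

ALL_RIGHTS = Right(sum(r.value for r in Right))
# "Insert List Items has View List Items as a dependent" is the slide's example;
# the edit/delete entries are assumed here for illustration.
DEPENDS = {Right.INSERT_LIST_ITEMS: Right.VIEW_LIST_ITEMS,
           Right.EDIT_LIST_ITEMS: Right.VIEW_LIST_ITEMS,
           Right.DELETE_LIST_ITEMS: Right.VIEW_LIST_ITEMS}

def close_dependencies(rights: Right) -> Right:
    """Add every right a granted right depends on, until the set is stable."""
    while True:
        extra = Right(0)
        for right, dep in DEPENDS.items():
            if right in rights:
                extra |= dep
        if rights | extra == rights:
            return rights
        rights |= extra

@dataclass
class Securable:
    """A web or a list. acl maps Site Group -> rights; None means inherit."""
    name: str
    parent: Optional["Securable"] = None
    acl: Optional[Dict[str, Right]] = None

    def effective_acl(self) -> Dict[str, Right]:
        # Walk up to the nearest unique ACL: a unique ACL on a list (even an
        # empty one) trumps the site-wide ACL, as the slide describes.
        node = self
        while node.acl is None and node.parent is not None:
            node = node.parent
        return node.acl or {}

def effective_rights(site_groups: Iterable[str], target: Securable,
                     rights_mask: Right = ALL_RIGHTS) -> Right:
    """Rights a user holds on target through the Site Groups they belong to."""
    granted = Right(0)
    for group in site_groups:  # membership in several Site Groups is additive
        granted |= target.effective_acl().get(group, Right(0))
    # The virtual server's rights mask disables rights for the whole collection.
    return close_dependencies(granted & rights_mask) & rights_mask

# Constructed sample: the slide's UK Site Collection, a sub-site and two lists.
UK = Securable("UK Site Collection", acl={
    "Reader": Right.VIEW_PAGES | Right.VIEW_LIST_ITEMS,
    "Contributor": Right.VIEW_PAGES | Right.INSERT_LIST_ITEMS | Right.EDIT_LIST_ITEMS})
MARKETING = Securable("Marketing Site", parent=UK)                    # inherits
TASKS = Securable("Tasks", parent=MARKETING)                          # inherits
ANNOUNCEMENTS = Securable("Announcements", parent=MARKETING, acl={})  # unique, no grants
NO_INSERT = ALL_RIGHTS ^ Right.INSERT_LIST_ITEMS                      # a rights mask
```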

Page 27

Groups and WSPS

Three types of groups are supported:

NT domain groups
Can be nested inside each other
WSPS calls NT for user resolution
Can be a member of both types of groups below

Cross-site groups
Scoped to the site collection
Can’t be nested within each other
Can be a member of site groups, but not NT domain groups

Site groups
Scoped to an individual web site
Can’t be nested within each other

Page 28

Anonymous Access

Anonymous access is limited – the most anonymous users can do is insert list items

By default, it is turned off, both at the web site level and at the IIS level

The WSPS UI is sensitive to the IIS setting

Anonymous access is set at several different points:

IIS setting for the virtual server

On/Off switch at the web site level

Rights mask at the individual list level

Page 29

SharePoint Security Validation

The one-click attack uses a FORM POST from script to submit data without the user’s knowledge

Must get the target to browse to a page that has the script

Target never knows what script just executed

Really a web-wide problem, inherent in the design of scripting and cross-domain browser security

WSPS addresses this with the use of a request digest for security validation

Part of every page served to client

Digest contains site secret, time, and username

Digest must be returned with each post to server in order for security validation to take place
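An added example of the request-digest mechanism just described, written in Python to illustrate it; it is not SharePoint’s actual digest format or code. The server binds the digest to the site secret, the issue time and the username with an HMAC, and a POST that arrives without a valid digest is rejected. The `__REQUESTDIGEST` field name, the 30-minute lifetime and the sample users are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed per-site secret; in a real farm it lives only on the server side.
SITE_SECRET = secrets.token_bytes(32)
DIGEST_LIFETIME_SECONDS = 30 * 60   # assumed validity window for a digest


def issue_digest(username: str, now: int, secret: bytes = SITE_SECRET) -> str:
    """Digest embedded in every page: HMAC over site secret, time and username."""
    mac = hmac.new(secret, f"{now}|{username}".encode(), hashlib.sha256).digest()
    return f"{now},{base64.urlsafe_b64encode(mac).decode()}"


def validate_digest(digest: Optional[str], username: str, now: int,
                    secret: bytes = SITE_SECRET,
                    lifetime: int = DIGEST_LIFETIME_SECONDS) -> bool:
    """True only for an unexpired digest issued to this user by this site."""
    if not digest:
        return False                       # a form POSTed from another site has none
    try:
        issued_str, mac_b64 = digest.split(",", 1)
        issued = int(issued_str)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):
        return False                       # malformed: treat as forged
    if not 0 <= now - issued <= lifetime:
        return False                       # stale, or claims to be from the future
    expected = hmac.new(secret, f"{issued}|{username}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def handle_post(form: Dict[str, str], authenticated_user: str, now: int) -> str:
    """Server side of a state-changing POST (e.g. inserting a list item)."""
    # "__REQUESTDIGEST" is the assumed form field name for this example.
    if not validate_digest(form.get("__REQUESTDIGEST"), authenticated_user, now):
        return "403 security validation failed"
    return f"200 item '{form.get('Title', '')}' inserted for {authenticated_user}"


# Constructed scenario at a fixed clock value.
NOW = 1_700_000_000
ALICE = r"CONTOSO\alice"

def scenario() -> Dict[str, str]:
    legit = {"Title": "Q3 budget", "__REQUESTDIGEST": issue_digest(ALICE, NOW - 60)}
    one_click = {"Title": "pwned"}   # script on another site cannot read Alice's page
    stale = {"Title": "Q3 budget", "__REQUESTDIGEST": issue_digest(ALICE, NOW - 2 * 3600)}
    other = {"Title": "Q3 budget", "__REQUESTDIGEST": issue_digest(r"CONTOSO\bob", NOW - 60)}
    return {"legit": handle_post(legit, ALICE, NOW),
            "one_click": handle_post(one_click, ALICE, NOW),
            "stale": handle_post(stale, ALICE, NOW),
            "other_user": handle_post(other, ALICE, NOW)}
```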

Page 30

Blocked File Types

List of file types, based on file extension

List is kept per virtual server

This is more of a convenience feature or policy “helper” than it is a true security feature

Users can rename the file extension

Page 31

Safe Mode Rendering

Provides a safe execution environment for SharePoint pages and Web Part Pages

Eliminates the following risks:
User inserting code with an infinite loop or that consumes a huge amount of memory.
User inserting references to Web Form Controls or other classes that the administrator did not approve (or has not tested for scalability or robustness).

Page 32

Limits

Safe mode and the web part framework provide limits on the rendering of Web Parts

These limits are either at the virtual server level or at the assembly level.

Virtual server level limits can be set in two ways:
Web.config

SharePoint Central Administration

Assembly limits are set by assigning permissions to assemblies using Code Access Security policies

Page 33

SharePoint Resources

Evaluate Windows SharePoint Services and SharePoint Portal Server 2003 Betas http://www.microsoft.com/sharepoint

Download technical documentation and Software Development Kits from our Developer Center http://msdn.microsoft.com

Find and contribute Web Parts and templates to the Web Component Directory http://www.microsoft.com/sharepoint/webparts

Visit our community websites http://www.microsoft.com/sharepoint/community/

Page 34

Community Resources

Community Resources
http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/

Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx

User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx

Page 35

Evaluations

Page 36

© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.