Module Overview
• Securing the Enterprise SharePoint Service
• Securing and Isolating Web Applications
• Services and Service Applications
Lesson 1: Securing the Enterprise SharePoint Service
• Track SharePoint Installation
• Block SharePoint Installation
• Approve SharePoint Installation
• Approve SharePoint Installation on Clients
• Manage Services on the Server
• Overview of SharePoint Services
• Administrative Accounts
• Managed Accounts
Track SharePoint Installation
Service connection points (SCPs) are objects in AD DS that record the presence of a SharePoint server and farm, so that administrators can discover which farms exist in the domain.
The service connection points:
• Are automatically added during initial configuration, provided the container CN=Microsoft SharePoint Products,CN=System,<domain> exists and the account running the configuration can write to it
• Can be manually set and queried using Windows PowerShell
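The registration and the audit described above, as an added example that is not part of the course slides. It assumes the AD DS container CN=Microsoft SharePoint Products,CN=System already exists and that the account running it may write there; the farm and the Central Administration URL are whatever the local farm reports.

```powershell
# Added example (not from the course slides): publish this farm's service
# connection point (SCP), read it back, and list every SharePoint SCP in the
# domain so that unknown farms show up. Assumes the AD DS container
# CN=Microsoft SharePoint Products,CN=System,<domain> exists and is writable
# by the account running this.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Publish (or update) the SCP for this farm. The binding information is free
#    text; the Central Administration URL is the conventional value.
$caUrl = (Get-SPWebApplication -IncludeCentralAdministration |
          Where-Object { $_.IsAdministrationWebApplication }).Url
Set-SPFarmConfig -ServiceConnectionPointBindingInformation $caUrl -Confirm:$false

# 2. Read back what this farm registered.
Get-SPFarmConfig -ServiceConnectionPoint

# 3. Audit: enumerate all SharePoint SCPs in the domain. A farm you did not
#    build appearing here is the "track" half of track/block/approve.
$domainDn  = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$container = [ADSI]"LDAP://CN=Microsoft SharePoint Products,CN=System,$domainDn"
$searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter = "(objectClass=serviceConnectionPoint)"
$null = $searcher.PropertiesToLoad.AddRange(@("name", "serviceBindingInformation", "whenCreated"))
$searcher.FindAll() | ForEach-Object {
    New-Object PSObject -Property @{
        Name    = $_.Properties["name"][0]
        Binding = $_.Properties["servicebindinginformation"][0]
        Created = $_.Properties["whencreated"][0]
    }
} | Format-Table Name, Binding, Created -AutoSize
```

The audit only sees farms whose setup account could write to the container; a farm built by an account without that permission registers nothing, which is why the GPO block on the next slide is the enforcing control and the SCP is only a record.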
Block SharePoint Installation
You can block unwanted SharePoint installations in your domain by using GPOs. Setup refuses to run when the policy value below is set; the block only covers computers the GPO applies to and does not remove an existing installation.
1. Open Group Policy Management
2. Open the appropriate GPO for editing
3. Navigate to HKLM\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint
4. Create the DWORD value DisableInstall and set it to 1
Approve SharePoint Installation
Use the following steps to approve a SharePoint installation:
1. Create a Group Policy security filter
2. Create a new group
3. Give the new group permissions
4. Add approved servers to the group
Approve SharePoint Installation on Clients
There are three options for controlling client installation in SharePoint:
• Add clients to the approved server group
• Scope the blocking GPO only to servers
• Create a separate GPO scoped to clients
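The block-then-approve procedure of the last three slides, as an added example that is not part of the course slides. It implements the approval with a second, higher-precedence GPO that sets DisableInstall to 0 and is security-filtered to the approved group; GPO names, the group name, the OU distinguished name and the server name are assumptions.

```powershell
# Added example (not from the course slides): block SharePoint 2010 setup
# domain-wide, then exempt an approved-servers group with a second, higher-
# precedence GPO. GPO names, group name, OU DN and server name are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$policyKey = 'HKLM\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint'
$serversOu = 'OU=Servers,DC=contoso,DC=com'   # assumption: OU holding member servers

# 1. Blocking GPO: DisableInstall = 1 for every computer the link applies to.
$block = New-GPO -Name 'SharePoint 2010 - Block Install'
Set-GPRegistryValue -Name $block.DisplayName -Key $policyKey `
    -ValueName 'DisableInstall' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $block.DisplayName -Target $serversOu -LinkEnabled Yes | Out-Null

# 2. Approval group: only computers in it may run setup.
$group = New-ADGroup -Name 'SharePoint Approved Servers' -GroupScope Global `
    -Path $serversOu -PassThru
Add-ADGroupMember -Identity $group -Members (Get-ADComputer 'SP2010-WFE01')  # assumed server

# 3. Approval GPO: DisableInstall = 0, security-filtered to the group and linked
#    with link order 1 (highest precedence) so it wins over the blocking GPO.
#    Authenticated Users keep Read (computers need it to process the GPO) but
#    lose Apply, so only group members receive the exemption.
$allow = New-GPO -Name 'SharePoint 2010 - Approved Install'
Set-GPRegistryValue -Name $allow.DisplayName -Key $policyKey `
    -ValueName 'DisableInstall' -Type DWord -Value 0 | Out-Null
Set-GPPermission -Name $allow.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $allow.DisplayName -TargetName $group.Name `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $allow.DisplayName -Target $serversOu -LinkEnabled Yes -Order 1 | Out-Null

# 4. Verification on a server after 'gpupdate /force': setup is blocked when
#    the effective value is 1 (the key is absent on machines no GPO touched).
$effective = Get-ItemProperty -Path "HKLM:\$($policyKey.Substring(5))" `
    -Name DisableInstall -ErrorAction SilentlyContinue
if ($effective.DisableInstall -eq 1) { 'SharePoint setup is blocked on this host' }
else { 'SharePoint setup is allowed on this host' }
```

Computer group membership is evaluated at logon, so a server added to the approved group needs a restart (or a new Kerberos ticket) before the approval GPO applies to it. Scoping the blocking GPO to a client OU as well, or creating a separate client GPO, follows the same pattern with a different -Target.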
Manage Services on the Server
• Windows services
SharePoint 2010 Administration
SharePoint 2010 Timer
SharePoint 2010 Tracing
SharePoint 2010 User Code Host
SharePoint 2010 VSS Writer
SharePoint Foundation Search / SharePoint Server Search
• Manually start the Administration and Timer services if they are stopped
• Other services should not be started manually; they are controlled through the corresponding SharePoint service instance
• SharePoint services
Central Administration > System Settings > Servers > Manage services on server
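A check that follows the rule on this slide, as an added example that is not part of the course slides: only the Administration and Timer Windows services are started by hand, the other SharePoint Windows services are reported, and SharePoint service instances are handled through the service instance, as the Central Administration page does. The Windows service names are the real SharePoint 2010 names; the service instance display name is an assumption taken from what Central Administration shows.

```powershell
# Added example (not from the course slides): inspect the SharePoint 2010
# Windows services on this server and the farm's service instances for it.
# Only SPAdminV4 and SPTimerV4 are started here; the rest are reported only.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$safeToStart = 'SPAdminV4', 'SPTimerV4'                   # Administration, Timer
$reportOnly  = 'SPTraceV4', 'SPUserCodeV4', 'SPWriterV4',  # Tracing, User Code Host, VSS Writer
               'SPSearch4', 'OSearch14'                    # Foundation Search, Server Search

foreach ($name in $safeToStart + $reportOnly) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { "{0,-14} not installed on this server" -f $name; continue }
    if ($svc.Status -ne 'Running' -and $safeToStart -contains $name) {
        Start-Service $svc
        $svc.WaitForStatus('Running', (New-TimeSpan -Seconds 60))
        "{0,-14} started" -f $name
    } else {
        "{0,-14} {1}" -f $name, $svc.Status
    }
}

# SharePoint service instances = what 'Manage services on server' lists.
# Anything not Online here is configured, not started; starting the Windows
# service by hand does not change that.
Get-SPServiceInstance -Server $env:COMPUTERNAME |
    Sort-Object Status, TypeName |
    Format-Table TypeName, Status, Id -AutoSize

# Start one instance the developers need, the way Central Administration does.
# The display name is an assumption (as shown in Central Administration).
$bdc = Get-SPServiceInstance -Server $env:COMPUTERNAME |
       Where-Object { $_.TypeName -eq 'Business Data Connectivity Service' -and $_.Status -ne 'Online' }
if ($bdc) { Start-SPServiceInstance -Identity $bdc | Out-Null }
```

Start-SPServiceInstance queues a timer job; the instance shows Provisioning until the Timer service has run it, which is the reason SPTimerV4 is the one service worth checking first.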
Overview of SharePoint Services
• SharePoint Foundation: Business Data Connectivity; Usage and Health Data Collection
• SharePoint Server Standard: Search Service; User Profile Service
• SharePoint Server Enterprise: PerformancePoint Service; Excel Services
• Office Web Apps: Excel Calculation, PowerPoint Service, Word Viewing
• Microsoft Project Server: Microsoft Project Web Access
Administrative Accounts
• Administrative accounts
Domain-level accounts used for SharePoint
Most are created during SharePoint setup
• Accounts
Setup user (administrator) account
Server farm (farm service) account
SharePoint Foundation 2010 Search Service account
SharePoint Foundation 2010 Search Content Access account
Managed Accounts
A managed account is an AD DS user account whose credentials are managed by and stored within SharePoint.
By using Central Administration, you can:
Manage these accounts
Assign them to a service application
Manage their passwords
You can also reset all managed passwords in SharePoint simultaneously using a Windows PowerShell script.
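The managed-account lifecycle described on this slide, as an added example that is not part of the course slides: registering an account, enabling automatic password change, using it as an application pool identity, and the simultaneous reset of every managed password. Account names, the pool name and the schedule are assumptions.

```powershell
# Added example (not from the course slides): register a service account as a
# managed account, let SharePoint rotate its password, and reset all managed
# accounts at once. Account names, pool name and schedule are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Register an existing AD DS account. The password is entered once; from
#    now on SharePoint holds it in the configuration database, not the admin.
$cred = Get-Credential 'CONTOSO\sp_excel'
$acct = New-SPManagedAccount -Credential $cred

# 2. Automatic rotation: SharePoint sets a new random password in AD DS on the
#    7th of each month between 02:00 and 03:00, changes it 2 days before the
#    domain expiry and e-mails farm administrators 5 days ahead.
Set-SPManagedAccount -Identity $acct -AutoGeneratePassword `
    -Schedule 'monthly between 7 02:00:00 and 7 03:00:00' `
    -PreExpireDays 2 -EmailNotification 5 -Confirm:$false

# 3. Use the managed account as an application pool identity, the usual reason
#    it exists. Nobody needs to know the password to do this.
New-SPServiceApplicationPool -Name 'ExcelServicesAppPool' -Account $acct | Out-Null

# 4. Review: which accounts exist, whether they rotate, and when.
Get-SPManagedAccount |
    Select-Object UserName, AutomaticChange, PasswordExpiration, ChangeSchedule |
    Format-Table -AutoSize

# 5. Reset every managed password now (for example after a suspected leak).
#    Each account gets a new random password and the timer job that follows
#    updates every IIS application pool and Windows service that uses it.
Get-SPManagedAccount | ForEach-Object {
    Set-SPManagedAccount -Identity $_ -AutoGeneratePassword -SetNewPassword -Confirm:$false
}
```

The reset in step 5 is only safe for accounts used exclusively by this farm: an account also used by another farm, a scheduled task or a service outside SharePoint keeps the old password there and starts failing. Check the UserName column in step 4 against such uses before running it.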
Lesson 2: Securing and Isolating Web Applications
• Isolation Using Application Pools
• Application Pool Isolation
• Secure Communication Using Secure Sockets Layer
Isolation Using Application Pools
• Why use separate application pools?
Different identities
Isolation of processes
Recycle/restart without affecting others
Throttling of resource usage
• Why not use separate application pools?
Administration overhead
Idle worker processes
Secure Communication Using Secure Sockets Layer
Before you can enable SSL, you need a certification authority to issue the server certificates; this course uses AD CS
Then:
Create and install a certificate on each server
Configure sites to use SSL
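Both halves of this lesson in one procedure, as an added example that is not part of the course slides: a Web application created in its own application pool under its own managed account, on HTTPS, followed by a certificate request to the domain AD CS and the IIS binding. The host name, pool and database names, the IIS site name, the CA configuration string and the certificate template are assumptions.

```powershell
# Added example (not from the course slides): isolated application pool plus
# SSL for a new Web application. Host name, account, pool, database, IIS site
# name, CA name and certificate template are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$hostHeader = 'portal.contoso.com'
$poolAcct   = Get-SPManagedAccount 'CONTOSO\sp_portal'   # registered earlier

# 1. Separate pool and separate identity: a compromise of this worker process
#    runs as sp_portal only and cannot read memory or config of the other pools.
New-SPWebApplication -Name 'Portal' -Port 443 -HostHeader $hostHeader `
    -Url "https://$hostHeader" -SecureSocketsLayer `
    -ApplicationPool 'PortalAppPool' -ApplicationPoolAccount $poolAcct `
    -DatabaseName 'WSS_Content_Portal' | Out-Null

# 2. Certificate request, run on each Web front end. Key is non-exportable and
#    stays in the machine store; the CA is reached through certreq (RPC).
@"
[NewRequest]
Subject = "CN=$hostHeader"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeyUsage = 0xA0
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content "$env:TEMP\portal.inf" -Encoding ASCII
certreq -new    "$env:TEMP\portal.inf" "$env:TEMP\portal.req"
certreq -submit -config 'CA01.contoso.com\Contoso Issuing CA' "$env:TEMP\portal.req" "$env:TEMP\portal.cer"
certreq -accept "$env:TEMP\portal.cer"   # installs into LocalMachine\My next to its private key

# 3. Bind the issued certificate to the IIS site SharePoint created
#    (IIS site name = the -Name given above, an assumption).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$hostHeader" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not (Get-WebBinding -Name 'Portal' -Protocol https)) {
    New-WebBinding -Name 'Portal' -Protocol https -Port 443 -HostHeader $hostHeader
}
Get-Item IIS:\SslBindings\0.0.0.0!443 -ErrorAction SilentlyContinue | Remove-Item
New-Item IIS:\SslBindings\0.0.0.0!443 -Value $cert | Out-Null

# 4. Verify the port serves the certificate you expect before pointing users at it.
$ok = (Get-Item IIS:\SslBindings\0.0.0.0!443).Thumbprint -eq $cert.Thumbprint
"HTTPS binding on 443 uses the expected certificate: $ok"
```

Each front end gets its own request and its own key because the key is non-exportable; if one certificate must cover several hosts, request it with the full set of names instead of copying a PFX between servers. The IIS 7.5 binding is per port, not per host name, so two SSL Web applications on the same front end need different ports or IP addresses.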
Lesson 3: Services and Service Applications
• SharePoint 2010: Service Application Framework Service Model
• Service Application Components
• Service Applications
• Service Application Connection
• Application Connection Groups
• Overview of Planning Service Applications
• Service Applications Types
• Service Applications Across Farms
SharePoint 2010: Service Application Framework Service Model
• Fundamental
• Flexible
• Scalable
• Extensible
• Managed within Central Administration
Service Application Components
Several components make up the Service Application Framework architecture.
These are:
•Service
•Service application
•Service application connection
•Service application connection group
•Web application
Service Applications
• The logical instance of a shared service
Each service has its own management unit: service application
• Service applications have:
Virtual directory in IIS
Application pool
Database(s)
Physical instance (actual process\Web service on computer)
Administrative interface (admin page)
• Create a service application
• Service application provisioning
Service Application Connection
• Also known as application proxy or proxy
• Object that a consumer uses to connect to a service app
Web Part
Object model
Internal code
• Used by Web app to communicate with a service app
• Created automatically when you create the service app
• Example: a Web application's connection group determines which service applications it can consume (see the following slide)
Application Connection Groups
[Diagram: the IIS Web site "SharePoint Web Services" hosts the service applications Access Services, Excel Services, Managed Metadata, User Profile, Business Data Connectivity, Secure Store Service and Search, each in its own application pool. Three Web applications, each in its own application pool, consume them through connection groups: Published Intranet Content (http://Fabrikam, with HR and Facilities sites), My Site Web sites (http://my and http://my/personal) and Team Sites (http://team, with Team 1, Team 2 and Team 3).]
Overview of Planning Service Applications
• Performance versus separation
• Isolation
App pool—process isolation
Service data
Isolation for performance of a targeted service
• Typical services deployed for dedicated use
Excel Services
Managed Metadata
Business Data Connectivity
• Build logical topology, and then determine physical topology
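The isolation that this planning slide and the Service Application Connection slide describe, applied to the Lab C scenario, as an added example that is not part of the course slides: a second Managed Metadata service application in its own application pool and database, a proxy that is kept out of the default group, a dedicated connection group for the client-facing Web application, and a check that the internal term store is no longer reachable from it. Names, URLs, the account and the internal proxy's display name are assumptions.

```powershell
# Added example (not from the course slides): dedicated Managed Metadata
# service application for the client-facing Web application, wired through
# its own connection group. Names, URLs, account and the internal proxy's
# display name are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$clientWebApp = Get-SPWebApplication 'https://clients.contoso.com'
$mmsAccount   = Get-SPManagedAccount 'CONTOSO\sp_mms_client'

# 1. Service application = logical instance. Own pool = process isolation;
#    own database = the client term store never shares storage with the
#    internal one.
$pool = New-SPServiceApplicationPool -Name 'ClientMMSAppPool' -Account $mmsAccount
$mms  = New-SPMetadataServiceApplication -Name 'Managed Metadata Service (Clients)' `
            -ApplicationPool $pool -DatabaseName 'MMS_Clients'

# 2. Service application connection (proxy) = what a Web application consumes.
#    Deliberately NOT added to the default group, otherwise every Web
#    application in the farm would pick it up.
$proxy = New-SPMetadataServiceApplicationProxy -Name 'Managed Metadata Service (Clients) Proxy' `
            -ServiceApplication $mms

# 3. Connection group holding only what the client Web application may reach:
#    the client MMS plus the farm-wide services it still needs.
$group = New-SPServiceApplicationProxyGroup -Name 'Clients'
Add-SPServiceApplicationProxyGroupMember -Identity $group -Member $proxy
Get-SPServiceApplicationProxy |
    Where-Object { $_.TypeName -like 'State Service*' -or $_.TypeName -like 'Usage*' } |
    ForEach-Object { Add-SPServiceApplicationProxyGroupMember -Identity $group -Member $_ }

# 4. Bind the Web application to the group (Central Administration:
#    Manage Web applications > Service Connections).
Set-SPWebApplication -Identity $clientWebApp -ServiceApplicationProxyGroup $group

# 5. Verify: the client Web application must not resolve the internal MMS
#    proxy ('Managed Metadata Service Proxy' is the assumed internal name).
$visible = (Get-SPWebApplication $clientWebApp.Url).ServiceApplicationProxyGroup.Proxies |
           Select-Object -ExpandProperty DisplayName
"Client Web application sees: $($visible -join ', ')"
if ($visible -contains 'Managed Metadata Service Proxy') {
    throw 'Internal term store is still reachable from the client Web application'
}
```

The connection group is the boundary that matters for the scenario: a site in the client Web application can only bind a managed metadata column to a term store whose proxy is in that Web application's group, so internal terms are not merely hidden but unreachable. The separate pool and database add fault and performance isolation on top of that.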
Service Application Types
• Cross-farm service applications (can be shared across multiple farms)
Web Analytics
Managed Metadata
User Profile
Business Data Connectivity
Secure Store Service
Search
• Single-farm service applications (can be used only within a single farm)
Access Services
State Service
Usage and Health Data Collection
Project Server
Excel Services
PerformancePoint Services
Visio Graphics Service
Word Viewing Service
Word Automation Services
PowerPoint Service
• The cross-farm group contains the most commonly shared services
Service Applications Across Farms
• Publishing makes a service application available outside the farm
• Certificates exchanged between the two farms
Consuming farm provides to publishing farm: root certificate and Secure Token Service (STS) certificate
Publishing farm provides to consuming farm: root certificate
• Permissions granted on the publishing farm to the consuming farm's ID
Application Discovery and Load Balancer Service Application
Shared service application
• Publish the service application
• Connect to cross-farm service applications
Creates a connection on the consuming farm that can be added to application connection groups
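The full exchange on this slide, as an added example that is not part of the course slides: certificate export on both sides, trust establishment, the two permission grants on the publishing farm, publishing, and the connection on the consuming farm. Each block is labelled with the farm it runs on; the file paths, farm URL, service application name and the rights names (as they appear in the Central Administration permissions dialog) are assumptions.

```powershell
# Added example (not from the course slides): publish a Managed Metadata
# service application from one farm and consume it from another. Steps are
# labelled with the farm they run on. Paths, URLs, names and rights strings
# are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Consuming farm: export root + STS certificates, note the farm ID --------
(Get-SPCertificateAuthority).RootCertificate.Export('Cert') |
    Set-Content -Encoding Byte 'C:\Certs\ConsumingRoot.cer'
(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate.Export('Cert') |
    Set-Content -Encoding Byte 'C:\Certs\ConsumingSTS.cer'
$consumingFarmId = (Get-SPFarm).Id          # copy this value to the publisher

# --- Publishing farm: export its root, trust the consumer -------------------
(Get-SPCertificateAuthority).RootCertificate.Export('Cert') |
    Set-Content -Encoding Byte 'C:\Certs\PublishingRoot.cer'
New-SPTrustedRootAuthority      -Name 'ConsumingFarm' `
    -Certificate (Get-PfxCertificate 'C:\Certs\ConsumingRoot.cer') | Out-Null
New-SPTrustedServiceTokenIssuer -Name 'ConsumingFarmSTS' `
    -Certificate (Get-PfxCertificate 'C:\Certs\ConsumingSTS.cer')  | Out-Null

# Permissions: the consuming farm's ID gets Full Control on the topology
# (Application Discovery and Load Balancer) service, and only read rights on
# the shared application. $consumingFarmId is the GUID noted above.
$claimType = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid'
$principal = New-SPClaimsPrincipal -ClaimType $claimType -ClaimValue $consumingFarmId `
                 -ClaimProvider (Get-SPClaimProvider System).ClaimProvider

$topology = Get-SPTopologyServiceApplication
$topoSec  = Get-SPServiceApplicationSecurity -Identity $topology
Grant-SPObjectSecurity -Identity $topoSec -Principal $principal -Rights 'Full Control'
Set-SPServiceApplicationSecurity -Identity $topology -ObjectSecurity $topoSec

$mms    = Get-SPServiceApplication | Where-Object { $_.Name -eq 'Managed Metadata Service' }
$mmsSec = Get-SPServiceApplicationSecurity -Identity $mms
Grant-SPObjectSecurity -Identity $mmsSec -Principal $principal -Rights 'Read Access to Term Store'
Set-SPServiceApplicationSecurity -Identity $mms -ObjectSecurity $mmsSec

Publish-SPServiceApplication -Identity $mms

# --- Consuming farm: trust the publisher, connect, add to a connection group --
New-SPTrustedRootAuthority -Name 'PublishingFarm' `
    -Certificate (Get-PfxCertificate 'C:\Certs\PublishingRoot.cer') | Out-Null
$published = Receive-SPServiceApplicationConnectionInfo `
    -FarmUrl 'https://publisher.contoso.com:32844/Topology/topology.svc'
$published | Format-Table Name, Uri -AutoSize        # lists what the publisher exposes
$remoteProxy = New-SPMetadataServiceApplicationProxy -Name 'Managed Metadata (Remote)' `
    -Uri ($published | Where-Object { $_.Name -eq 'Managed Metadata Service' }).Uri
Add-SPServiceApplicationProxyGroupMember -Identity (Get-SPServiceApplicationProxyGroup -Default) `
    -Member $remoteProxy
```

The asymmetry in the certificate exchange is the security point: the publisher must verify tokens signed by the consumer's STS, so it needs the consumer's STS certificate, while the consumer only needs to verify the publisher's root to trust the topology service endpoint. Granting the consuming farm read-only rights on the term store, rather than Full Control, means a compromise of the consuming farm cannot alter the publisher's terms.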
Lab A: Administering SharePoint Services
• Exercise 1: Administering SharePoint Services
• Exercise 2: Administering SharePoint Windows Services
Logon information
Estimated time: 20 minutes
Scenario
You have recently installed a new SharePoint 2010 farm. Some of the developers are complaining that they are experiencing errors because services are not running on the SharePoint server. They have asked you to ensure that all Windows and SharePoint Services have been installed and are started.
Lab B: Configuring Application Security
• Exercise 1: Configuring Web Application and Application Pool Security
• Exercise 2: Configuring Secure Sockets Layer Security
Logon information
Estimated time: 30 minutes
Scenario
Your manager has recently installed a new SharePoint 2010 farm. When he performed the configuration of the farm, he did not use the Farm Configuration Wizard. Because he didn’t use the configuration wizard some of the service applications required by your developers were not installed. Your manager has tasked you with reviewing the installed service applications and creating the missing service applications.
Lab C: Configuring Service Applications
• Exercise 1: Creating a Service Application
Logon information
Estimated time: 30 minutes
Scenario
Your company, Contoso, has adopted SharePoint 2010 for many reasons. One is its new, more optimized service application environment and another is its ability to manage metadata. You want to allow sites in the client-facing Web application to use managed metadata and keywords, but you do not want managed metadata and keyword columns in the client Web application to have visibility into terms used internally. Therefore, you must configure a separate managed metadata service for the client Web application.