Presentation titled "Securing the SharePoint Platform" presented by Bert Johnson at SharePoint Saturday Chicago
Bert Johnson, SharePoint Architect and MCM - PointBridge
Securing the SharePoint Platform
2 | SharePoint Saturday Chicago 2011
Bert Johnson
SharePoint Architect with PointBridge Solutions
Microsoft Certified Master – SharePoint Server 2010
Twitter: @SPBert
Event Hashtag: #SPSChicago
Email: [email protected]
Blog: http://blogs.pointbridge.com/Blogs/Johnson_Bert/
About PointBridge By The Numbers:
- Founded in 2004
- 250+ SharePoint projects
- 350,000+ hours of SharePoint experience
- 30,000+ monthly blog hits
- 2010 Microsoft Midwest District Award for Best Customer Experience
- 2009 Microsoft Central US Partner of the Year
- 2009 SharePoint Conference Award: Multi-Solution Capability
- 2008 Global Partner of the Year finalist: Citizenship
- 2007 Microsoft US Partner of the Year: SharePoint
- One of 35 Microsoft National Systems Integrators
- One of 15 members of the Microsoft Partner Advisory Council for SharePoint
Agenda
- The Importance of SharePoint Security
- Facets of SharePoint Security
- Resources
- Q & A
The Importance of SharePoint Security
What is SharePoint?
SharePoint is: “A site-provisioning engine”
No really, SharePoint is:
- A website
- A series of databases
- An application platform
SharePoint touches:
- Your network
- Your Active Directory
- Your LOB systems
SharePoint is a platform with a large attack surface.
SharePoint is Everywhere
- Over 20,000 new SharePoint seats have been added every day for 5 years
- Over 1,500 high-profile websites run on SharePoint
- SharePoint is becoming increasingly “business critical”
SharePoint is commonly used for:
- Intranets
- Extranets
- Internet sites
- Application platforms
Types of Security Threats
Threats we’re going to explore today:
- Data disclosure / theft
- Data loss
- System downtime
Types of attacks:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Clickjacking
- Privilege escalation
- “Man in the middle” / replay attacks
- SQL injection
If it’s a threat to other websites or databases, it’s a threat to SharePoint.
Software Security in the News
- March 17 – RSA SecurID compromised
- March 24 – Comodo security breach
- April 4 – Epsilon data leak
- April 12 – Largest Microsoft Patch Tuesday
- April 20 – PlayStation Network hack
- May 30 – LulzSec (PBS, Sony, NHS, etc.)
- June 9 – Citigroup accounts accessed
* Concise history of recent Sony hacks: http://attrition.org/security/rants/sony_aka_sownage.html
Facets of SharePoint Security
Example: They keep piling up!
Planning for Security
Planning for Security
- Plan personas and define permission matrices
- Understand content and security contexts
- Determine authentication, SSO, and federation goals
- Use the SharePoint 2010 upgrade as an opportunity to apply governance
- Don’t expect the default settings to protect you
Example: How’d you build that?
Anonymous Access
- Carefully decide if SharePoint is the right platform for anonymous access
- Especially consider implications for public blogs and wikis
- Always use the site lockdown feature (“Get-SPFeature viewformpageslockdown”)
- Further restrict pages using web.config or UAG
- Add SharePoint to your website security testing
- Don’t lock out the /_layouts path altogether
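An added audit script for the lockdown advice above (this is not code from the deck or from PointBridge): it finds every site collection in a web application that allows anonymous access on any zone and reports whether the ViewFormPagesLockDown feature the slide quotes is active, activating it only when -Fix is passed. It assumes a SharePoint 2010 farm server where the Microsoft.SharePoint.PowerShell snap-in is available.

```powershell
# Added example, not from the deck. Assumes a SharePoint 2010 farm server
# with the Microsoft.SharePoint.PowerShell snap-in available.
param([switch]$Fix)   # read-only unless -Fix is given
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The feature the slide refers to ("Get-SPFeature viewformpageslockdown").
# It is site-collection scoped and hides form/application pages from anonymous users.
$lockdownFeature = "ViewFormPagesLockDown"

$findings = foreach ($webApp in Get-SPWebApplication) {
    # AllowAnonymous is configured per zone (Default, Intranet, Internet, ...)
    $anonZones = @($webApp.IisSettings.Keys | Where-Object { $webApp.IisSettings[$_].AllowAnonymous })
    if ($anonZones.Count -eq 0) { continue }

    foreach ($site in $webApp.Sites) {
        try {
            # Get-SPFeature -Site returns the feature only when it is activated there
            $active = Get-SPFeature -Site $site -Identity $lockdownFeature -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                WebApplication = $webApp.DisplayName
                AnonymousZones = ($anonZones -join ", ")
                SiteUrl        = $site.Url
                LockdownActive = [bool]$active
            }
        } finally {
            $site.Dispose()   # SPSite objects hold unmanaged resources; always dispose
        }
    }
}

$findings | Sort-Object LockdownActive, SiteUrl |
    Format-Table WebApplication, SiteUrl, AnonymousZones, LockdownActive -AutoSize

if ($Fix) {
    $findings | Where-Object { -not $_.LockdownActive } | ForEach-Object {
        Enable-SPFeature -Identity $lockdownFeature -Url $_.SiteUrl
        Write-Host "Activated $lockdownFeature on $($_.SiteUrl)"
    }
}
```

Run it without -Fix first and review the table; a site collection that appears with LockdownActive = False is one where anonymous users can still reach list forms and application pages. The feature is the targeted alternative to blocking /_layouts wholesale, which the last bullet warns against because authenticated users and SharePoint itself depend on that path.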
Example: I don’t think we’ve met…
Authentication and Directory Security
- Synchronize only the AD users relevant for social features
- Don’t bring confidential information into user profiles
- Understand the impacts of third-party federation
- Track and block rogue SharePoint installations with “Service Connection Points”
- Develop a password change / managed account strategy
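One concrete piece of the managed account strategy the last bullet asks for, as an added example (not the deck's or PointBridge's code): list every managed account with its rotation settings, flag those SharePoint does not rotate, and optionally switch them to automatic password changes. The schedule string, pre-expiry window and notification window are assumed values, and the script assumes a SharePoint 2010 farm server with the Microsoft.SharePoint.PowerShell snap-in.

```powershell
# Added example, not from the deck. Assumes a SharePoint 2010 farm server with
# the Microsoft.SharePoint.PowerShell snap-in; the schedule string and day counts
# are assumed values, not ones the slide specifies.
param(
    [switch]$Fix,
    [string]$Schedule      = "weekly between sat 02:00:00 and sat 03:00:00",
    [int]$PreExpireDays    = 7,   # rotate this many days before the AD password expires
    [int]$EmailDays        = 3    # notify farm administrators this many days before the change
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = Get-SPManagedAccount | ForEach-Object {
    New-Object PSObject -Property @{
        UserName        = $_.UserName
        AutomaticChange = $_.AutomaticChange     # does SharePoint rotate this password itself?
        Schedule        = $_.ChangeSchedule
        Expires         = $_.PasswordExpiration  # next expiry as SharePoint knows it
    }
}
$report | Format-Table UserName, AutomaticChange, Schedule, Expires -AutoSize

# Accounts with no rotation are the ones a password-change strategy has to cover
$unmanaged = @($report | Where-Object { -not $_.AutomaticChange })
$unmanaged | ForEach-Object { Write-Warning "No automatic password change for $($_.UserName)" }

if ($Fix) {
    foreach ($acct in $unmanaged) {
        # SharePoint generates the new password and pushes it to AD, IIS and the services
        Set-SPManagedAccount -Identity $acct.UserName -AutoGeneratePassword `
            -Schedule $Schedule -PreExpireDays $PreExpireDays -EmailNotification $EmailDays -Confirm:$false
        Write-Host "Enabled scheduled password change for $($acct.UserName)"
    }
}
```

Before using -Fix, check whether any of the flagged accounts is shared with another farm or with a non-SharePoint system: automatic rotation changes the password in Active Directory, and anything else still holding the old one will start failing at the next scheduled change.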
Example: Private audience?
Content Security
- Audiences are not security
- Search content rollups make bypassing audiences simple
- Item-level permissions / broken permission inheritance should be the exception, not the rule
- Avoid using policies to override permissions
- PDFs = Pretty Dangerous Files
- Consider Information Rights Management and auditing
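An added audit (not code from the deck or from PointBridge) for the "exception, not the rule" bullet: it walks one site collection and reports every web, list and item that has broken permission inheritance, with a summary count per scope so the volume of unique permissions is visible at a glance. It assumes a SharePoint 2010 farm server with the Microsoft.SharePoint.PowerShell snap-in; the item-scan limit is an assumed safety threshold.

```powershell
# Added example, not from the deck. Assumes a SharePoint 2010 farm server with
# the Microsoft.SharePoint.PowerShell snap-in and a site collection URL.
param(
    [Parameter(Mandatory=$true)][string]$SiteUrl,
    [int]$ItemScanLimit = 5000    # assumed threshold: skip item scans of lists larger than this
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-Finding($Scope, $Url, $Title, $Assignments) {
    New-Object PSObject -Property @{
        Scope = $Scope; Url = $Url; Title = $Title; RoleAssignments = $Assignments
    }
}

$site = Get-SPSite $SiteUrl
try {
    $findings = foreach ($web in $site.AllWebs) {
        try {
            # The root web always has its own permissions; report only subsites that broke inheritance
            if (-not $web.IsRootWeb -and $web.HasUniqueRoleAssignments) {
                New-Finding "Web" $web.Url $web.Title $web.RoleAssignments.Count
            }
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }
                if ($list.HasUniqueRoleAssignments) {
                    New-Finding "List" $list.RootFolder.ServerRelativeUrl $list.Title $list.RoleAssignments.Count
                }
                if ($list.ItemCount -gt $ItemScanLimit) {
                    Write-Warning "$($list.Title) has $($list.ItemCount) items; item-level scan skipped"
                    continue
                }
                foreach ($item in $list.Items) {
                    if ($item.HasUniqueRoleAssignments) {
                        New-Finding "Item" $item.Url $item.Name $item.RoleAssignments.Count
                    }
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

# Summary first: a large item count is the "rule, not the exception" anti-pattern
$findings | Group-Object Scope | Select-Object Name, Count | Format-Table -AutoSize
$findings | Sort-Object Scope, Url | Format-Table Scope, Url, Title, RoleAssignments -AutoSize
```

Enumerating every item of a large list is expensive on the content database, which is why the scan stops at the assumed threshold; for a list over the limit, the finding that the list itself has unique permissions is usually the one that matters. Audiences do not appear in this report at all, which is the first bullet's point: they filter what a web part shows, not what a user is allowed to read.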
Example: The man in the middle…
Network Security
- Always use SSL for authenticated access
- Firewall all nonessential public ports
- Host all servers on the same VLAN
- Use IPsec for geo-distributed communication
- Be aware of “loopback check” implications
Example: I’m with him…
Application Security
- Never expose SharePoint’s application tier to the internet
- Don’t host Central Administration on a web front-end
- Isolate service accounts and use standard naming conventions
- Use multiple IIS application pools (but not too many)
- Never use CNAMEs
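An added check for three of the bullets above (Central Administration placement, service-account isolation and naming, application pool layout); it is not code from the deck or from PointBridge. It assumes a SharePoint 2010 farm server with the Microsoft.SharePoint.PowerShell snap-in, and the account naming pattern (svc-sp-<role>) is an assumed convention to be replaced with your own.

```powershell
# Added example, not from the deck. Assumes a SharePoint 2010 farm server with
# the Microsoft.SharePoint.PowerShell snap-in; the naming pattern is an assumed
# convention (svc-sp-<role>), substitute your own.
param([string]$AccountPattern = '^[^\\]+\\svc-sp-')
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$online = Get-SPServiceInstance | Where-Object { $_.Status -eq "Online" }

# 1. Central Administration should not run on a server that also serves content
$caServers  = @($online | Where-Object { $_.TypeName -eq "Central Administration" } |
                ForEach-Object { $_.Server.Address })
$wfeServers = @($online | Where-Object { $_.TypeName -eq "Microsoft SharePoint Foundation Web Application" } |
                ForEach-Object { $_.Server.Address })
foreach ($server in $caServers) {
    if ($wfeServers -contains $server) {
        Write-Warning "Central Administration runs on web front-end $server"
    } else {
        Write-Host "Central Administration on $server (not a content web front-end)"
    }
}

# 2. Application pool inventory: which identity runs which web application
$pools = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    New-Object PSObject -Property @{
        WebApplication = $webApp.DisplayName
        AppPool        = $webApp.ApplicationPool.Name
        Identity       = $webApp.ApplicationPool.Username
        IsAdmin        = $webApp.IsAdministrationWebApplication
    }
}
$pools | Format-Table WebApplication, AppPool, Identity, IsAdmin -AutoSize

# One identity shared between content pools and Central Administration defeats the isolation
$pools | Group-Object Identity | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $sharedWithAdmin = @($_.Group | Where-Object { $_.IsAdmin }).Count -gt 0
    $msg = "$($_.Name) is shared by $($_.Count) web applications"
    if ($sharedWithAdmin) { Write-Warning "$msg, including Central Administration" } else { Write-Host $msg }
}

# 3. Naming convention check across all managed accounts
Get-SPManagedAccount | Where-Object { $_.UserName -notmatch $AccountPattern } | ForEach-Object {
    Write-Warning "Managed account $($_.UserName) does not follow the naming convention"
}
```

The pool inventory is deliberately neutral about sharing between content web applications, because the slide's "but not too many" caveat applies: every extra pool is another worker process with its own memory footprint, so the decision is a trade-off rather than a rule. The hard warning is reserved for a content pool that runs under the same identity as Central Administration.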
Example: Thanks for the backup!
Database Security
- Isolate SharePoint databases from other systems
- Minimize the SQL surface area by disabling unneeded features
- Consider SQL 2008 “Transparent Data Encryption”: performance impact, backup size impact, and FILESTREAM impacts
- Don’t leave SharePoint backups within the content database or on web front-ends
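An added example (not from the deck or from PointBridge) for the Transparent Data Encryption bullet: it reports the TDE state of one content database and, with -Enable, creates the master key and certificate, backs the certificate up, and turns encryption on. It assumes the SQL Server PowerShell module or 2008 snap-in on the SQL host; the certificate name and backup directory are assumed values.

```powershell
# Added example, not from the deck. Reports the TDE state of a content database
# and, with -Enable, turns it on. Assumes the SQL Server PowerShell module or the
# SQL 2008 snap-in; certificate name and backup directory are assumed values.
param(
    [Parameter(Mandatory=$true)][string]$SqlInstance,
    [Parameter(Mandatory=$true)][string]$Database,       # e.g. a WSS_Content database
    [string]$CertName      = "SharePointTdeCert",
    [string]$CertBackupDir = "D:\TDEKeys",               # on the SQL server, never a web front-end
    [switch]$Enable
)
Import-Module SQLPS -DisableNameChecking -ErrorAction SilentlyContinue
if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) {
    Add-PSSnapin SqlServerCmdletSnapin100    # SQL Server 2008 snap-in name
}

function Get-TdeState {
    # encryption_state: 0 = no key, 1 = unencrypted, 2 = in progress, 3 = encrypted
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query @"
SELECT d.name, ISNULL(k.encryption_state, 0) AS encryption_state, k.percent_complete
FROM sys.databases d
LEFT JOIN sys.dm_database_encryption_keys k ON d.database_id = k.database_id
WHERE d.name = N'$($Database.Replace("'", "''"))';
"@
}

Get-TdeState | Format-Table -AutoSize

if ($Enable) {
    # Passwords are read interactively; never hard-code them in a script
    $secure   = Read-Host -AsSecureString "Master key / certificate backup password"
    $bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $password = ([Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)).Replace("'", "''")

    $setup = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$password';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = '$CertName')
    CREATE CERTIFICATE [$CertName] WITH SUBJECT = 'TDE certificate for SharePoint content databases';
-- Without this backup the database cannot be restored anywhere else: store it off the SharePoint servers
BACKUP CERTIFICATE [$CertName] TO FILE = '$CertBackupDir\$CertName.cer'
    WITH PRIVATE KEY (FILE = '$CertBackupDir\$CertName.pvk', ENCRYPTION BY PASSWORD = '$password');
USE [$Database];
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE [$CertName];
ALTER DATABASE [$Database] SET ENCRYPTION ON;
"@
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $setup
    Get-TdeState | Format-Table -AutoSize   # expect encryption_state 2 (in progress), later 3
}
```

The certificate backup is the step that ties this to the slide's last bullet: a TDE-encrypted content database restored to another instance is unreadable without the certificate, so the .cer/.pvk pair must be kept somewhere other than the content database or the web front-ends, and the BACKUP CERTIFICATE statement will refuse to overwrite files that already exist. Enable it on a test farm first; the performance and backup-size impacts the slide mentions are real, and TDE also encrypts tempdb for the whole instance.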
Example: Your health is showing.
Connected System Security
- Remove the X-HealthScore, MicrosoftSharePointTeamServices, and other identifying headers
- Leverage the Secure Store Service for safely accessing external systems via BCS
- Avoid reliance on Flash content
- Consider Forefront UAG endpoint security
- Set policies regarding data being stored offline
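An added check (not code from the deck or from PointBridge) that covers the header bullet above together with the "always use SSL for authenticated access" bullet from the Network Security slide: it requests each web application's public URL and reports whether it is served over HTTPS and which fingerprinting headers come back. It assumes a SharePoint 2010 farm server for URL discovery; with -Urls it runs anywhere without the snap-in. The extra header names beyond the two the slide lists are my additions.

```powershell
# Added example, not from the deck. Checks each web application's public URLs
# for HTTPS and for fingerprinting headers. Assumes a SharePoint 2010 farm server
# for URL discovery; pass -Urls to check arbitrary endpoints without the snap-in.
param([string[]]$Urls)

# The two headers the slide names, plus other common server fingerprints
$fingerprintHeaders = "MicrosoftSharePointTeamServices", "X-HealthScore",
                      "X-Powered-By", "X-AspNet-Version", "Server"

if (-not $Urls) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $Urls = Get-SPAlternateURL | ForEach-Object { $_.PublicUrl } | Sort-Object -Unique
}

foreach ($url in $Urls) {
    $request = [System.Net.HttpWebRequest]::Create($url)
    $request.UseDefaultCredentials = $true    # authenticate as the running user where needed
    $request.AllowAutoRedirect     = $false   # inspect the first hop, not where it lands
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # 401/403 responses still carry headers; fall through and inspect them
        $response = $_.Exception.Response
        if (-not $response) { Write-Warning "$url : $($_.Exception.Message)"; continue }
    }
    $leaked = $fingerprintHeaders | Where-Object { $response.Headers[$_] } |
              ForEach-Object { "$_=$($response.Headers[$_])" }
    New-Object PSObject -Property @{
        Url     = $url
        UsesSSL = (([uri]$url).Scheme -eq "https")   # Network slide: always SSL for authenticated access
        Status  = [int]$response.StatusCode
        Leaked  = ($leaked -join "; ")
    }
    $response.Close()
}
```

Two caveats when reading the output. First, the check is intentionally read-only; removing the headers is normally done with an outbound IIS URL Rewrite rule or an HttpModule on the web application, and the script is the way to confirm that such a change actually took effect on every zone. Second, running it on a SharePoint server against that server's own host names is exactly the "loopback check" situation the Network Security slide mentions: expect 401 responses there unless the host names have been registered with the loopback check, and treat those as a test artifact rather than a finding.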
Example: Could you do this for me?
Custom Development Security
- Build security testing into the SDLC for all custom and third-party components
- Take advantage of CAS policies and the ULS logs
- Utilize sandboxed solutions whenever possible
- Minimize use of SPSecurity.RunWithElevatedPrivileges()
- With SharePoint 2010, JavaScript is now the biggest threat
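An added inventory (not code from the deck or from PointBridge) for the sandboxed-solutions and CAS bullets: it lists farm solutions with the properties that determine how much trust they run with, and the sandboxed solutions of one site collection for comparison. It assumes a SharePoint 2010 farm server with the Microsoft.SharePoint.PowerShell snap-in.

```powershell
# Added example, not from the deck. Assumes a SharePoint 2010 farm server with
# the Microsoft.SharePoint.PowerShell snap-in.
param([string]$SiteUrl)   # optional: also list sandboxed solutions of this site collection
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Farm solutions run inside the IIS worker process. A GAC assembly runs with full
# trust and no CAS policy can constrain it, so those are the first to review.
$farm = Get-SPSolution | ForEach-Object {
    New-Object PSObject -Property @{
        Name        = $_.Name
        Deployed    = $_.Deployed
        GacAssembly = $_.ContainsGlobalAssembly        # full trust, CAS does not apply
        CasPolicy   = $_.ContainsCasPolicy             # ships its own CAS policy for bin deployment
        WebAppScope = $_.ContainsWebApplicationResource
    }
}
$farm | Sort-Object GacAssembly -Descending | Format-Table Name, Deployed, GacAssembly, CasPolicy, WebAppScope -AutoSize
$farm | Where-Object { $_.Deployed -and $_.GacAssembly } | ForEach-Object {
    Write-Warning "$($_.Name) is deployed to the GAC; review it with full-trust risk in mind"
}

# Sandboxed (user) solutions are scoped to one site collection and run in a
# separate, restricted worker process; they are the slide's preferred option.
if ($SiteUrl) {
    $site = Get-SPSite $SiteUrl
    try {
        Get-SPUserSolution -Site $site | Format-Table Name, Status, HasAssemblies -AutoSize
    } finally { $site.Dispose() }
}
```

The warning is a review prompt, not a verdict: some components legitimately need the GAC. The point of the inventory is to make the full-trust footprint explicit so that the security testing the first bullet asks for is aimed at the code that can do the most damage.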
Example: You don’t want this help…
Security Maintenance and Monitoring
- If running WSS/MOSS, patch to the October 2010 CU or install MS10-039
- Keep SharePoint, Windows, and SQL patched to the latest service packs
- Deploy server-side virus protection
- Use System Center Operations Manager with SP health rules to monitor for performance spikes or errors related to attacks
- Build security assessments and spot checks into other SharePoint maintenance plans
- Familiarize yourself with “Site Permissions > Check Permissions”
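An added spot-check script (not code from the deck or from PointBridge) that covers the patch-level, monitoring and Check Permissions bullets: it compares the farm build against a required minimum, summarises recent unexpected ULS events, and reproduces the Check Permissions page for one login. It assumes a SharePoint 2010 farm server with the Microsoft.SharePoint.PowerShell snap-in; the default minimum build is a placeholder, not the build number of any particular update, and the access-denied pattern is a constructed heuristic.

```powershell
# Added example, not from the deck. Assumes a SharePoint 2010 farm server with
# the Microsoft.SharePoint.PowerShell snap-in. The minimum build is a placeholder:
# look up the build number of the update you require and pass it in.
param(
    [Version]$MinimumBuild = "14.0.0.0",     # placeholder, not a real CU build number
    [int]$Hours = 1,
    [string]$SiteUrl,                        # optional: run a "Check Permissions" style test
    [string]$Login                           # e.g. DOMAIN\user, used together with -SiteUrl
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Patch level: the farm build must be at or above the required update
$build = (Get-SPFarm).BuildVersion
if ($build -lt $MinimumBuild) {
    Write-Warning "Farm build $build is below the required $MinimumBuild"
} else {
    Write-Host "Farm build $build meets the minimum $MinimumBuild"
}

# 2. ULS spot check: unexpected and critical events in the last $Hours hours, by category
$start  = (Get-Date).AddHours(-$Hours)
$events = @(Get-SPLogEvent -StartTime $start -MinimumLevel Unexpected)
$events | Group-Object Category | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# A burst of access-denied errors is worth a closer look during an incident
# (constructed pattern; tune it to what your farm's logs actually contain)
$denied = @($events | Where-Object { $_.Message -match "Access denied|UnauthorizedAccessException" })
if ($denied.Count -gt 0) { Write-Warning "$($denied.Count) access-denied events since $start" }

# 3. Script equivalent of Site Permissions > Check Permissions for one login
if ($SiteUrl -and $Login) {
    $web = Get-SPWeb $SiteUrl
    try {
        $checks = "ViewListItems", "AddListItems", "EditListItems", "DeleteListItems",
                  "ManagePermissions", "ManageWeb"
        foreach ($perm in $checks) {
            $mask = [Microsoft.SharePoint.SPBasePermissions]$perm
            New-Object PSObject -Property @{
                Permission = $perm
                Granted    = $web.DoesUserHavePermissions($Login, $mask)   # effective, group membership included
            }
        }
    } finally { $web.Dispose() }
}
```

Get-SPLogEvent reads the ULS logs of the server it runs on, so the event summary has to be run on each server (or the logs merged) to see the whole farm; the Operations Manager health rules the slide recommends are the farm-wide version of the same check. The permission test reports effective rights, which is what the Check Permissions page shows and what a spot check needs, since rights granted through a group are the ones most often overlooked.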
Resources
Resources
- Downloadable book: Security for Office SharePoint Server 2007
  http://technet.microsoft.com/en-us/library/cc262619(office.12).aspx
- Locking down Office SharePoint Server sites
  http://technet.microsoft.com/en-us/library/ee191479(office.12).aspx
- Plan for and design security
  http://technet.microsoft.com/en-us/library/cc262331(office.12).aspx
- Bert Johnson security blogs
  http://blogs.pointbridge.com/Blogs/Johnson_Bert/
Q & A
Housekeeping
- Please remember to submit your session evaluation forms after each session you attend to increase your chances at the raffle
- Follow SharePoint Saturday Chicago on Twitter @spschicago and hashtag #spschicago