Enterprise Security Options in MOSS2007

  • 8/10/2019 Enterprise Security Options in MOSS2007

    1/49

    ENTERPRISE SECURITY OPTIONS IN A MICROSOFT SHAREPOINT SERVER 2007 (MOSS 2007) ENVIRONMENT

    Dr. Umesh Varma

    SECR 5080

    September 14, 2009

    (49 Pages)

    Version 3.0: September 14, 2009

    Presented by: Mr. J. Michael Mauldwin

    TABLE OF CONTENTS

    TITLE PAGE

    DISCLAIMER

    TABLE OF CONTENTS

    LIST OF FIGURES

    RESEARCH METHODOLOGY

    INTRODUCTION

    SECURITY BASICS

    PROBLEM STATEMENT

    APPLICATIONS SECURITY OPTIONS

    Windows Server 2008

    Microsoft Office SharePoint Server 2007

    Windows Sequel Server 2008

    CONCLUSION

    Appendix A: Security Options and Definitions for Windows Server 2008

    Appendix B: Security Tools and Definitions for Windows Server 2008 (R2)

    Appendix C: Security Features in SQL Server 2005

    RESOURCES

    BIBLIOGRAPHY

    LIST OF FIGURES

    Figure 01: The Bull's-eye Model

    Figure 02: MOSS 2007 Site Collection

    Figure 03: Fine Grained Permissions

    Figure 04: Reliability-Confidentiality-Integrity

    Figure 05: SQL05 Encryption

    RESEARCH METHODOLOGY

    The methodology utilized to conduct research for this project was derived from multiple professional sources, including those produced by Microsoft Corporation and utilized in pursuit of active management security activities in an enterprise level SharePoint 2007 deployment utilizing the defined applications. Where required, credit has been given to the authors of those sources stated in the bibliography at the end of this paper and as referenced throughout this paper. No attempt at plagiarism has been made, and if any has occurred it is purely coincidental. Additionally, the writer has drawn upon personal knowledge and experience as well.

    The format of this paper coincides with the installation of the defined software and applications. While intricate definitions and in-depth discussions were not utilized in support of this writing, a broad overview of the security options available out of the box for the operating system and associated applications, and of their ability to function in a collaborative environment, has been covered, as you will see.

    All security options discussed are managed via a central administration control panel per application and for the operating system as well. Although the word enterprise, as used in the title of this paper, does not frequently populate this paper, the reader should understand that the available security options for both the operating system and the applications are available for use in both standard and enterprise architecture construction.

    INTRODUCTION

    In today's world, IT professionals require more tools to fight security threats and protect organizational assets used for critical applications than at any time in the past. Because organizational websites and portals are increasingly exposed to unauthorized access, administrators must properly secure them from both external and internal threats. The first step in securing an organization's confidential data is the establishment of a strong information security program and the supporting policies which provide adequate security measures to safeguard the data.

    The author's purpose in writing this paper is to provide a broad yet definitive example of the enterprise level security options available in support of a Microsoft Office SharePoint Server 2007 (MOSS 2007), multi-classified and multi-access level environment. The author does not intend, nor imply, that these are the only security measures which can be implemented, but merely those options which are available as out of the box (OOTB) options to any organization, from which a foundation of a solid information security program can be developed.

    The security options for the following system and application software will be discussed: Microsoft Server 2008 (SVR08), Microsoft SharePoint Server 2007 (MOSS 2007), and SQL Server 2005 (SQL05). Although a virtual environment could be utilized to further enhance the security of the network, a virtual environment will not be part of this paper's discussion, as there is more than sufficient information to populate not only this paper, but many more as well. MOSS 2007 requires a server operating system in order to operate. Therefore, SVR08 will be utilized to provide the system foundation, acting as the operating system or OS.[1] The SQL05 application provides the database functionality required by MOSS 2007 since database replication is not inherent within the SharePoint application.

    Each of the applications and the OS identified has OOTB security capabilities that are selectable during installation and/or during or after setup. These security protocols provide sufficient security capabilities for the majority of the organizations employing MOSS 2007 in both INTRANET and EXTRANET facing portals.[2] It should be recognized, and anticipated, that all security measures are vulnerable to attack by a dedicated individual wishing to penetrate an established security barrier in order to enter a secured network. Research should be conducted by the project team, with final approval being issued by the CSO and possibly the CIO, regarding the security protocols to be implemented and whether additional measures will be taken that are not part of the MOSS 2007 installation configuration. An example would be the installation of Internet Security Acceleration (ISA) Server, which provides an additional security layer for any server which has internet facing connectivity (EXTRANET). Hence, a Secure Internet Router Protocol (SIPR) network would not require ISA SVR, specifically on a government C4IS network, whereas a Non-secure Internet Router Protocol (NIPR) network could utilize ISA since it does have connectivity to the internet.[3]

    Prior to implementing any security measure(s) or policy(ies), it is paramount that a complete and in-depth survey of the existing portal network be conducted in order to perform a thorough requirements analysis. This analysis will support the identification and development of the client's List of Requirements, which in turn will assist in defining the majority of the security requirements for upgrading the existing, or establishing new, security protocols and/or policies. The terms Protocol, Policy and Measure, which have already been utilized above, deserve a short explanation.

    [1] Microsoft Server 2003 or 2005 could also be utilized as the OS.

    [2] An EXTRANET has access to the internet. An INTRANET has no access to the internet and is therefore more secure.

    [3] Command, Control, Communications, and Computers Information Systems (C4IS).

    Security protocols are also known as Information Security Protocols, or ISPs (not to be confused with Internet Service Providers). ISPs generally support the actual content and infrastructure of the security policies themselves. These protocols must be up to date and of course meet the needs of the organization. Although ISPs can be purchased as Commercial Off The Shelf (COTS) products, an organization will most likely customize its ISPs, COTS ISPs, or both to meet its unique requirements rather than merely utilize COTS ISPs, since they are generic and highly subject to exploitation by hackers. Customization is nothing more than the process of procuring a set of existing policies and tailoring these policies to meet the specific needs of the organization. There is little sense in re-inventing the wheel, so this is considered to be a Best Practice (Whitman & Mattord, 2004).

    Security policies are the foundations of the security program. A quality information security program begins and ends with its policies. When properly developed and implemented, policies enable the information security program to function almost seamlessly within a workplace. While policies are the least expensive means of control to execute, they are most often the most difficult to implement. The role of policy and its relationship to the security program is best depicted using the Bull's-eye Model (See Figure 01 below). Finally, a security policy sets the strategic direction, scope, and tone for all of the organization's security efforts (Whitman & Mattord, 2004).

    Figure 01: The Bull's-eye Model

    Security Measures are those actions taken to implement security policies or a security program, regardless of whether that action is active or passive in nature. Active security measures include activities such as annual and semi-annual training, denial of portable electronic items in the workplace (i.e., thumb drives, portable HDs, etc.), scanning of documents and files upon upload, authenticating user IDs, etc. Passive measures include all background applications designed to identify malware, spyware, unauthorized scripting, auto updates, virus scans executed through central administration, etc. When combined, these measures all support the security policies, which in turn provide the basis for an organization's security program.

    Based on the information already discussed, the next item of importance is that of system configuration. Configuration is of critical concern when establishing a single server or a server farm. For the purpose of this paper the server array is immaterial. What we will concern ourselves with is the OS and two applications that, when combined, provide us with a MOSS 2007 environment. Since there is a requirement to load the applications in a specific order if they are to function correctly, the security capabilities will be discussed in the same order.

    MICROSOFT SERVER 2008 (SVR08)

    - Includes Internet Information Security 7.0 (IIS 7)

    MICROSOFT ACTIVE DIRECTORY (AD)

    .NET FRAMEWORK 3.5 (.NET)

    MICROSOFT SHAREPOINT SERVER 2007 (MOSS 2007)

    MICROSOFT SQL SERVER 2005 (SQL05)

    During the installation it should be noted that certain OOTB default security protocols can create conflicts with other applications. If the Requirements Analysis was done correctly, the Security Requirements List will identify the desired, if not the actual, protocols that should be implemented during the installation process. It is often better to implement one specific protocol rather than a multitude for the same issue. However, the determination should always be based on the client's situation-specific requirements.

    SECURITY BASICS

    Before we discuss the development of a Problem Statement whose purpose is to define a Security Policy, we must first understand the basics of Information Security. In addition to the security requirements, a security policy should include, if applicable, e-mail communication, the transfer of information and corporate website access along with web facing servers (EXTRANET) between customers, affiliates and users. An organization must also pay particular attention to the following areas: data protection, compliance, threats, analysis of cost and benefits, confidentiality, integrity, availability, accountability, recovery, responsibilities, enforcement, education and configuration (Whitman & Mattord, 2004).

    An Information Security Policy should also define the methods for protecting data within the organization as well as confidentiality, data integrity and availability, accountability and responsibility, and security issues that each and every employee must be aware of. Additionally, compliance must be addressed and guidelines must be established for anyone with access to organizational data or sites.

    Threats can be defined as, but are not limited to, viruses, Denial of Service attacks, unauthorized log-ins and access, loss of data assurance and/or integrity, theft, tampering, and/or loss of power due to sabotage or natural events, to name just a few.

    Cost and Benefit Analysis is defined by several risk situations due to loss: the calculated cost per minute of the e-commerce server being down, the calculated cost per minute of the network being down, the calculated cost of removing a virus from a single PC, the cost for removing a virus from all organizational machines, the calculated cost per user per day of e-mail capabilities being down, and the calculated cost of confidential corporate information getting into the hands of a competitor.

    In order to adhere to the principles of confidentiality, an organization must ensure that its physical location is secure and access is restricted to authorized personnel using physical security devices such as combination locks, cipher locks, access cards, or a combination of all three. The use of firewalls, which separate the organization's computer environment from the internet, is a widely accepted best practice, and separate accounts and passwords for each authorized user in the network must be established and should remain confidential. These passwords must be enforced by the server account policies, which specify requirements such as that passwords must contain two special characters (i.e., @$^), two lower case and two upper case letters, and two numbers. The policy should also dictate how long the password string shall be and how often it should be changed, and a historical password archive per user should be maintained so that the same password is not repeatedly used. The policy should also identify server permissions that restrict users to accessing not only their own files but also their group files, based on access permissions. 128-bit encryption should be utilized prior to transferring data over any public conveyance, or perhaps even within an EXTRANET. It is a best practice to use a password-protected screen saver as well.
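    An added example, not from the paper, that checks a candidate password against the composition rule in the paragraph above (two special characters, two lower case, two upper case, two numbers) and keeps a per-user archive of salted hashes so that an old password cannot be reused. MIN_LENGTH, MAX_AGE, HISTORY_DEPTH, the PBKDF2 settings and the Account class are assumptions: the paper says the policy must set a length, a change interval and a history, but gives no values.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Composition rule stated in the paper: two characters of each class.
REQUIRED_PER_CLASS = 2
# Assumed values (not given in the paper).
MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000
REUSE_ERROR = f"matches one of the last {HISTORY_DEPTH} passwords"


def composition_errors(password: str) -> list[str]:
    """Return every rule the candidate breaks; an empty list means it passes."""
    counts = {
        "special": sum(c in string.punctuation for c in password),
        "lower case": sum(c.islower() for c in password),
        "upper case": sum(c.isupper() for c in password),
        "numeric": sum(c.isdigit() for c in password),
    }
    errors = [
        f"needs at least {REQUIRED_PER_CLASS} {name} characters"
        for name, found in counts.items()
        if found < REQUIRED_PER_CLASS
    ]
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    return errors


def _digest(password: str, salt: bytes) -> bytes:
    # The archive stores salted PBKDF2 digests, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    history: list = field(default_factory=list)  # newest first: (salt, digest)
    changed_on: Optional[date] = None

    def reused(self, password: str) -> bool:
        """True if the candidate matches an entry in the password archive."""
        return any(
            hmac.compare_digest(_digest(password, salt), digest)
            for salt, digest in self.history[:HISTORY_DEPTH]
        )

    def change_password(self, password: str, today: date) -> list[str]:
        """Apply the policy; store the new password only if nothing is violated."""
        errors = composition_errors(password)
        if self.reused(password):
            errors.append(REUSE_ERROR)
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(password, salt)))
        del self.history[HISTORY_DEPTH:]  # keep only the configured depth
        self.changed_on = today
        return []

    def expired(self, today: date) -> bool:
        """True when no password is set or the change interval has passed."""
        return self.changed_on is None or today - self.changed_on > MAX_AGE


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    acct = Account("jdoe")
    day = date(2009, 9, 14)
    for candidate in ("Summer2009", "Tr@il$Head42ab", "Tr@il$Head42ab"):
        print(candidate, "->", acct.change_password(candidate, day) or "accepted")
    print("expired after 91 days:", acct.expired(day + timedelta(days=91)))
```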

    Along with 128-bit encryption an organization may impose additional encryption services concerning its proprietary information, such as PGP encryption. Policies should also cover the location and protection of databases for proprietary and financial records of an organization and may even require the network to be located not only on a separate server but a separate network not accessible to the internet. Policies may even go so far as to deny the use of e-mail on financial servers or highly classified proprietary servers. Finally, the computer systems and servers located behind an organization's firewall should not use modem connections but should be tied into the network via LAN or an authorized dial-in server in order to provide a more secure environment.

    The integrity of a system becomes paramount if it is to survive the onslaught of daily attacks to which it most surely will be subjected, in one manner or another. Access to data files and administrative applications should be limited to primary and alternate administrators. Integrity also applies to the transference of data and ensuring it has not been tampered with. Additionally, without exception, users should only have read access to system files, if they are permitted to view them at all. All data uploads should be logged by the server and an anti-virus application should scan not only all uploaded data files, but all disks, drives, incoming IP traffic, and any document containing macros. The policy should not fail to address unapproved software installation on any system without authorization from the Chief Information Officer (CIO) or his/her designee.

    The security policy must also define the availability of the network to the organization, such as user authentication and uninterruptible power supplies (UPS). Servers, e-mail, FTP, and HTTP capabilities must be available 24 x 7 x 365. Because of this access availability, the network should also have proxy services which permit authorized users to access the network from outside of the firewall. Gateway authentication at the firewall may be required in order to access databases via specific IP addresses. Finally, maintenance personnel must be identified so as to bolster the repair and limit downtime should the server experience any issues (Microsoft Corporation, 2009).

    The security policy must identify as well as provide a definitive explanation of the responsibilities pertaining to accountability. Items which should be addressed include the logging of all events relating to security, and the logging of all confidential accesses. Confidential data transfers must be authenticated between the server and the user. The policy may require digital signatures when transferring certain types of data. A software log should also be maintained for all software which is installed on servers and workstations as well as a list of approved software for each. The architecture, design, and internal/external connections should also be logged to provide accountability.

    In the unfortunate event that a server goes down, the security policy must establish a recovery plan. This plan should include the frequency of backups, both incremental and full, as well as how often data will be archived and where it will be stored. It should also designate the type of file services workstations will utilize to store organizational data that the server would otherwise back up. In order to facilitate a responsive recovery plan, workstations must have a standardized configuration throughout each department which includes authorized software applications and configurations. Ghost images of system installation formats should be maintained by the information security office and should be the standardized image utilized on all workstations, should an operating system require reinstallation. Reconfiguration of hardware should not be available to employees.

    Responsibilities for individual employees should also be defined by the security policy. For example, employees must comply with the information security policy, even as technology changes, and everyone must put forth their best effort to protect organizational data. Each employee should back up any data they feel is important which is not stored on the server, such as the information stored on the employee's hard drive. All software must be used in accordance with legitimate software licenses and organizational computers should not be used for personal purposes, just as organizational e-mail should not be used for communications other than work related. Employees are typically restricted from transmitting fraudulent, obscene, or harassing materials. Finally, it should be identified that employees are prohibited from transmitting anything to anyone who may have the intent of not only disrupting work, but of compromising the organization's information security.

    The best security policy is as useless as the paper it is printed on unless it defines how it will be enforced. As an example, if organizational abuse is reported then it must be investigated immediately. Employees should be aware that their electronic files may be accessed at any time and if policies have been violated, the employee's privileges may be restricted or revoked. Additionally, in order to better enforce security policies, resources should be periodically audited to ensure that only approved software and computer configurations are in use and comply with policies.

    A security policy cannot be expected to be enforced if the employees of the organization are not aware of its existence. Therefore, education becomes the key to the dissemination of the written policy. Education should include employee training conducted on a semi-annual and annual basis along with publishing and distribution of a hard copy of the security policies.

    Earlier, computer configuration was mentioned along with enforcement. Networks generally consist of workstations which require access to the internet, servers providing front-end and back-end as well as storage, shared printers, and numerous other pieces of hardware, software, and other assorted peripherals. Firewalls are normally utilized by organizations between the internet and their EXTRANET. A generally accepted best practice is for e-mail applications to support optional PGP encryption, and anti-virus software should be installed throughout the computer environment. Data the organization has deemed as confidential or proprietary and which is being transferred between computers should be encrypted using 128-bit encryption in order to protect the data. Any peripherals attached to the network should have their default passwords changed. Likewise, if an organization desires to transmit attachments, such as pictures, then all network peripherals must be SNMP compliant. The security policy should address how print cartridges are destroyed rather than thrown away. Likewise, should a classified network printer require servicing, policies should define who can work on it, as all printers and copiers have a resident and residual memory from which data can be removed.

    Whitman and Mattord provide a very useful guide relating to the components that an Enterprise Information Security Policy, or EISP, should contain.[4]

    Statement of Purpose

    Information Technology Security Elements

    Need for Information Technology Security

    Information Technology Security Responsibilities and Roles

    Reference to Other Information Technology Standards and Guidelines

    [4] For a complete definition of these components see page 111 of their book, MANAGEMENT OF INFORMATION SECURITY, 2004.

    Now that we have discussed what a security policy consists of, we will look at the various security options associated with SVR08, MOSS 2007, and SQL05. These three pieces of software, when installed and utilized jointly, comprise a Microsoft Office SharePoint Portal environment. Again, this paper will focus on each application based on where it falls within the installation process.

    PROBLEM STATEMENT

    In a MOSS 2007 environment, supported by SVR08 and SQL05, there are many security options which may be enabled in order to provide a secure operating environment.[5] Both applications, as well as the OS, provide their own independent protocols and internal OOTB policies which can be implemented during installation, as well as after installation. Regardless of Microsoft's best intentions and highly capable software developers, security conflicts exist between the applications even though they have been developed to interact in a collaborative environment together (Varma, 2009).

    Issues were identified and discussed following an in-depth survey and Requirements Analysis of an existing SIPRNET portal. Subsequently, the following security problems were identified:

    1. The constant turn-over of individuals has led to the establishment of permissions groups and permissions are granted by group affiliation. Section webmasters have created new groups based upon inherent permissions. It is not known which individuals in the groups actually still require access or which groups should be deleted.

    2. Groups are used to grant permissions and no individual user permissions can be granted as Active Directory was not utilized to create the groups.

    3. The current system did not take global access into consideration when it was constructed. Therefore, only local EndUsers can access any of the information contained on the portal or the site IMOs utilize Anonymous access.

    4. Aggressive actions undertaken to clean up the current portal and its access permissions have been met with fierce feedback, since most staff sections are accustomed to working in the current environment and do not want anything to change. The current portal layout displays no uniformity and document/user access is not considered secure.

    5. There have been no established or published administrative policies that assist in the administration of the current portal.

    6. The existing portal does not facilitate information recovery or search. Repositories are not being utilized and information is randomly uploaded with no specific naming conventions or metadata requirements.

    7. The CEO is concerned that his organization's collaborative and informational sharing between EndUsers and headquarters is not being fully exploited in order to assist the warfighter on an acceptable level.

    8. Information is stored in libraries, pers. HD, off site.

    9. Multiple copies of the same document located at multiple locations; all accessible by clientele. (Which is most current?)

    10. Documents are incorrectly classified and current locations violate IS policies.

    11. Information is stored in libraries, pers. HD, off site.

    12. Multiple copies of the same document located at multiple locations; all accessible by clientele. (Which is most current?)

    13. Documents are incorrectly classified and current locations violate IS policies.

    14. SharePoint Administrator will have administrator privileges over the entire site collection.

    15. Policies and regulations will be updated and incorporated into the Portal.

    16. No written SharePoint Policy (SPP).

    [5] No system or application can be considered completely secure as there is always an entrance waiting to be exploited when found.

    APPLICATIONS SECURITY OPTIONS

    Windows Server 2008. This application is the foundation of a MOSS 2007 environment since it assumes the role of the operating system or OS.[6] All of the OOTB SVR08 security options can be utilized with MOSS 2007 with little more than mouse click confirmation during installation. Microsoft has an add-on for SVR08 known as the Installation Security Compliance Management Toolkit (SCMT), which is designed to greatly enhance the ease of ensuring information security compliance by recommending hundreds of Group Policy settings which can be used in support of an organization's security program. SCMT can be deployed as either Enterprise or Specialized Security-Limited Functionality (SSLF). The SSLF settings are not intended for the majority of organizations, as their security options are designed more for security than for functionality. Therefore, the organization's scope of operations and security analysis should determine whether or not a SCMT deployment is desired based on the organization's emphasis on either security or functionality, but not both. Additionally, for the purpose of this paper, SCMT will not be utilized as it has nine known issues that have not been corrected to date, including 29 sub-issues with MS Office 2007, 58 sub-issues dealing with non-synchronization of data collected by the Windows Management Instrumentation Repository, incorrect domain signatures and updates, incorrect monitoring results as defined by certain OS versions, etc. (Microsoft Corporation, 2009).

    SVR08 is a fairly stable OS and has many security options that make it a viable advisory in the security world, with both Active and Passive security operations available. The majority of its options may be activated during the installation or they may be activated by utilizing the Administrator's account at the central administration console following installation.

    [6] Windows Server 2003 can also be utilized but the operational performance gained from technological advancements over the past five years will be lost to some degree.

    Passive security options run in the background and are not apparent to the user, or the administrator(s), once activated. Active monitoring of these passive options, however, should be the responsibility of the Administrator(s) and should also be defined within the security policy. Resource and data file protection is critical if a system is to perform correctly and the organization's assets are to be protected. SVR08 provides several forms of protection OOTB, such as the Authorization Manager, which assists in controlling the system's resources and the available access to them. Since system applications require resources to execute, SVR08 utilizes the Applications Locker, or AppLocker, to control all server applications. The AppLocker is also a new feature in the Windows 7 OS recently released. Denying random access to data requires that an organization's confidential data be encrypted. To facilitate this SVR08 incorporates BitLocker Drive Encryption, which permits the encryption of all data stored on the system, although it does not function with NTFS formatted storage volumes. If you are using an NTFS volume there is no need to fret. SVR08 can utilize its built-in Encrypting File System, or EFS, as a means to encrypt NTFS volumes. All of these passive measures can be activated within a MOSS 2007 environment without any conflict arising between the OS or the MOSS 2007 application (Microsoft Corporation, 2009).

    SVR08 also provides more User Interface (UI) through its use of Security Auditing,

    SA. SA is one of the most effective and powerful tools in the SVR08 inventory to assist

    in the maintenance of a portal environment. When properly configured, SA should

    identify both failed and successful attacks that pose a threat to the network, its

    resources, or any other data or peripheral identified as valuable during the organization's

    risk assessment. Additionally, SVR08 utilizes the Security Configuration Wizard, SCW,

    which reduces the attack surface by guiding policy development based upon the

    functionality of the server role(s) specified by various security policies.

    User access is controlled by the User Account Control (UAC). This is a security

    component controlled by the administrator and allows the administrator to enter a

    specific set of credentials during a non-administrator's user session in order to perform

    required administrative tasks. 7

    Security policies must be flexible in order to adjust for the fluidity of change, not only

    in employees, but in relation to technological advancements as well. Administrators can

    configure security policies using SVR08's Server Security Policy Management which

    allows the configuration of rules that the OS must follow when determining what

    permissions to grant following a request for access of resources.

    Authentication is an area of widespread scrutiny. SVR08 has two options

    concerning authentication: Windows Authentication and Kerberos. By default, SVR08

    uses a set of authentication protocols including Negotiate, Kerberos, NTLM, Transport

    Layer Security/Secure Socket Layer (TLS/SSL), and Digest. All of these are part of an

    extensive security framework. There are several instances where several of these

    protocols are combined to form authentication packages that provide a more

    collaborative and detailed security architecture. Together, the packages and various

    protocols permit authentication of users, computers, and services known as the

    7 Also known as Remote Administrative Log-in or RAL.

    Authentication Process. This process, when executed and confirmed, permits

    authorized users and services to utilize the system resources in a more secure

    environment (Microsoft Corporation, 2009).

    In April of 2008, Microsoft released an update to the security tools supporting

    SVR08. This update included tools such as the Extended Security Update Inventory

    Tool, Malicious Software Removal Tool, Baseline Security Analyzer Tool, Security

    Assessment Tool, and an update to the Microsoft Threat Analysis & Modeling Tool to

    v2.1.2. 8 It is highly recommended that this security tool update be utilized.

    Additionally, there have been many White Papers released on SVR08, but Microsoft

    published an Info Paper on March 19, 2009 which is very informative and covers a wide

    variety of security topics. Threats and Vulnerabilities Mitigation highlights new features

    and technologies that provide layered defenses against malicious software threats and

    intrusions through a strategy of prevention, isolation, and recovery. Secure

    Configuration Assessment and Management provide additional tools to administer

    security throughout a layered defense as well as manage potential and known threats.

    Identity Management, Access Control, and Information Protection provide a central

    management capability for credentialing which allow only authorized users access to

    system resources and devices (Microsoft Corporation, 2009).

    Microsoft Office SharePoint Server 2007 (MOSS 2007). MOSS 2007 has many

    security protocols and abilities which can be utilized as stand-alone or as an interactive

    component of a sophisticated security network. The author will not attempt to cover

    every aspect of this application's security abilities. Rather, we will graze over those

    8 A complete listing and description of the updated Tool release for SVR08 can be found at Appendix 2

    believed to be most important which provide depth regarding what options are available

    for securing both sites and content as well as how structural security at the Web

    Application level is accomplished.

    First, however, MOSS 2007's hierarchy must be defined. A Web Application is

    a single instance of MOSS 2007 such as an organization's Portal or Website. An

    organization maintains its own set of information security policies and compliance

    requirements for each Web Application. A Web Application is comprised of one or more

    Sites. When there is more than one Site, it is referred to as a Site Collection - multiple

    web pages within one website (Cardarelli & Bisciotti, 2006). Sites located beneath each

    primary site are called sub-sites. (See figure 02).

    Figure 02: MOSS 2007 Site Collection.

    There are several factors which must be considered when planning for the security

    of a SharePoint Web Application. These factors include, but are by no means

    limited to: Site Security Planning, permission levels and groups to use, defining any

    custom permission levels and/or groups, Security Groups vice Anonymous Access, and

    administration hierarchy (Cardarelli & Bisciotti, 2006). While a term paper could be

    written for each of these topics individually, comments will be restricted to the basic

    information as specific selections are not within the scope of this paper.

    Site security is most readily controlled by assigning permissions to users and

    groups for specific objects such as lists, libraries, sites, or items. Planning for site

    security involves decisions such as how tightly to control permissions to certain objects,

    how users will be assigned and managed, and which objects need to be securable and at

    what level. Although many organizations use a

    combination of Active Directory and MOSS 2007 to manage their user accounts, we will

    specifically focus on MOSS 2007 assignments for the moment.

    MOSS 2007, unlike SharePoint Server 2003 (SPS 2003), has the built-in capability

    to create and manage its own user and group accounts internally. Groups at the site

    collection level contain users. Permission Levels contain permissions. Until a Group is

    assigned a Permission Level for a specific site or object, the group has no permissions

    and therefore cannot access any object.

    Regardless of whether or not MOSS 2007 or Active Directory (AD) 9 account

    management is used, there are five elements regarding site security which must be

    considered (Office IT and Servers User Assistance, Microsoft Corporation, 2008): 10

    1) Individual user permissions. These permissions allow an individual to

    perform specific actions.

    9 Active Directory is a separate application which facilitates the establishment and management of users and groups within a network. This application enhances MOSS 2007 User/Group Accounts and provides an additional layer of security that should be incorporated in the overall architecture of the portal development, in the writer's opinion. It must be installed following SVR08 and prior to MOSS 2007 and SQL05.

    10 These five elements are copied from the White Paper (Office IT and Servers User Assistance, Microsoft Corporation, 2008).

    2) Permission levels. These are pre-defined sets of permissions which allow a

    user or group to perform a specific related action.

    3) User. A person with a user account which can be authenticated by the

    server using a pre-defined authentication method.

    4) Group. A group of users. A group can be a Windows Security Group or it

    can be a SharePoint group such as Site Owners, Site Members, or Site Visitors.

    5) Securable Object. Site, list, library, folder, document, or items are all

    securable objects. By default, permissions for a securable object (list, library, folder,

    document, or item) are inherited from the parent site or parent list or library.

    However, anyone assigned a permission level which includes management rights

    can change the permissions for that securable object.

    Individual users or groups can have different permission levels for different

    securable objects on the same or different sites and/or sub-sites. 11 Access

    permissions, whenever possible, should be assigned to groups and then the groups

    should be given access permissions based on Least Privilege Administration

    requirements. 12 If at all possible, granting individual user permissions should be avoided

    as it is very difficult to maintain user accounts in larger organizations. Individuals should

    be added to a user group which provides adequate permissions to complete any action

    required. The three default permission groups within MOSS 2007 are Visitors,

    Members, and Owners (Pyles, et al., 2007). It is a best practice to add an

    ADMINISTRATORS group to the default groups in order to provide individual site

    11 A sub-site is a child site created from a parent site.

    12 Least Privilege Administration is a recommended security practice in which only the minimum privileges needed to accomplish a specific task are granted.

    administrators the ability to leverage additional administrative actions in support of the

    site and its sub-sites that are not included in the permission levels of the default

    groups. 13

    The VISITORS group has Read Only permissions while the MEMBERS group

    permissions permit its users to view, add, update, and delete information on a site or

    within an object. The OWNERS group retains nearly full control of the site with Design

    privileges which permit members of this group to view, add, update, delete, approve,

    and customize a site including all of its contents, but permissions do not include the

    ability to delete the site. Site Deletion and advanced administrative permissions are only

    permitted to those with Administrative permissions, such as the ADMINISTRATORS

    group. Only ADMINISTRATORS and OWNERS have the ability to assign users to

    groups and update permissions. By default, each sub-site inherits the permissions of its

    parent site. These groups are assigned access permissions to objects on each site and

    granted permissions based upon the parent (top) site (Pyles, et al., 2007).

    It is possible to isolate certain objects due to their criticality to an organization within

    an object. However, there are times when individual object permissions are required

    and parent inheritance is not desired for security reasons. Therefore, under these

    circumstances Fine Grained permissions are available. Fine Grained permissions refer

    to permission levels that are granted only to specific individuals and which are based

    upon an item being identified by the organization as a confidential object. In other

    words, the object's security requires more precise control which will further limit not only

    13 This is a common practice and provides administrative rights only to the site it is granted. For example: A sales department would have an administrative group created named Sales-Admin, while the Toy department would be Toy-Admin. This maintains access limitations based upon the Least Privilege Administration.

    access to the object but what actions users can execute. If Fine Grained permissions

    are used, permissions will no longer be inherited from the parent site. While this has the

    ability to further secure an object, it also creates issues of maintaining updated access

    permissions because the permissions assigned to a group within MOSS 2007 cannot be

    updated at a central location any longer, but must be maintained at the object's location

    (Office IT and Servers User Assistance, Microsoft Corporation, 2008).

    Figure 03: Fine Grained Permissions

    If Fine Grained permissions are not sufficient, MOSS 2007 has the ability to further

    secure items such as individual files through the use of Individual Permission Levels, or

    IPLs. For example, within a document library which has already been assigned Fine

    Grained access permissions, individual files may be assigned IPLs which further restrict

    who can access the file apart from those who have restricted access to the library

    through Fine Grained permissions. Like Fine Grained permissions, once IPLs have

    been utilized for a file within an object, the entire object no longer inherits parent

    permissions, nor do any files located within it. Fine Grained or IPLs should be minimized

    because their assignment breaks the ability to maintain permissions from a single

    location (English, 2007).
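
    The inheritance behaviour described above can be modelled directly. The following Python sketch is an added example, not code from this paper or from Microsoft; the permission level names, the user names and every group except Sales-Admin are assumptions built from the paper's description of the default groups.

```python
# Toy model of MOSS 2007 site security: groups, permission levels, inheritance.
# Permission level names are assumptions based on the paper's group descriptions.
BASE = {"view", "add", "update", "delete"}
PERMISSION_LEVELS = {
    "Read": {"view"},
    "Contribute": set(BASE),
    "Design": BASE | {"approve", "customize"},
    "Full Control": BASE | {"approve", "customize", "manage_permissions", "delete_site"},
}


class SecurableObject:
    """A site, list, library, folder, document or item."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = []
        # None = inherit from the parent; a dict = unique (fine-grained) permissions.
        self._assignments = {} if parent is None else None
        if parent is not None:
            parent.children.append(self)

    @property
    def has_unique_permissions(self):
        return self._assignments is not None

    def scope(self):
        """Nearest object (self or an ancestor) that holds its own assignments."""
        node = self
        while not node.has_unique_permissions:
            node = node.parent
        return node

    def break_inheritance(self):
        """Copy the inherited assignments; from here on this object diverges."""
        if not self.has_unique_permissions:
            self._assignments = dict(self.scope()._assignments)

    def assign(self, group, level):
        if level not in PERMISSION_LEVELS:
            raise ValueError(f"unknown permission level: {level}")
        self._require_unique()
        self._assignments[group] = level

    def revoke(self, group):
        self._require_unique()
        self._assignments.pop(group, None)

    def _require_unique(self):
        if not self.has_unique_permissions:
            raise PermissionError(f"{self.name} inherits; break inheritance first")


def permissions_for(user, obj, groups):
    """Union of the permissions granted through every group the user is in."""
    granted = set()
    for group, level in obj.scope()._assignments.items():
        if user in groups.get(group, set()):
            granted |= PERMISSION_LEVELS[level]
    return granted


def unique_scopes(root):
    """Names of all objects with their own assignments (places to maintain)."""
    found = [root.name] if root.has_unique_permissions else []
    for child in root.children:
        found.extend(unique_scopes(child))
    return found


def build_demo():
    """Constructed sample: one site, a sub-site, and a confidential library."""
    groups = {
        "Sales Visitors": {"vera"}, "Sales Members": {"mo"},
        "Sales Owners": {"olga"}, "Sales-Admin": {"adam"},
        "Contractors": {"carl"},  # a group with no permission level assigned
    }
    site = SecurableObject("Sales")
    for group, level in [("Sales Visitors", "Read"), ("Sales Members", "Contribute"),
                         ("Sales Owners", "Design"), ("Sales-Admin", "Full Control")]:
        site.assign(group, level)
    subsite = SecurableObject("Sales/EMEA", site)
    library = SecurableObject("Sales/Contracts", site)
    doc = SecurableObject("Sales/Contracts/master.docx", library)
    # Fine Grained permissions on the library: Visitors out, Members read-only.
    library.break_inheritance()
    library.revoke("Sales Visitors")
    library.assign("Sales Members", "Read")
    return groups, site, subsite, library, doc


def stale_access_after_central_revoke():
    """Revoke Members at the site; report what 'mo' can still do afterwards."""
    groups, site, subsite, library, doc = build_demo()
    site.revoke("Sales Members")
    return {
        "subsite": permissions_for("mo", subsite, groups),
        "document": permissions_for("mo", doc, groups),
    }
```

    The last function shows the maintenance cost of breaking inheritance: a revocation made once at the site reaches the sub-site but leaves the library's copied assignment in place.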

    One additional security option available in MOSS 2007 that can be used to

    completely isolate and protect confidential data is known as Rights Management

    Services, RMS. RMS does not control who can access the data but what can be done

    with the data once accessed. For example, it can be viewed but not printed, saved,

    copied, e-mailed, or shared in any way. This severely limits the actions that can be

    performed. Because RMS has the ability to deny actions that are normally associated

    with data that can be viewed, it privatizes the data based upon user selections (English,

    2007).

    The assignment of specific permissions to SharePoint groups provides a much

    more secure environment by administering single group permissions for multiple users

    from one location rather than attempting to maintain multiple user permissions at

    multiple object locations. When MOSS 2007 User/Group accounts are used in

    conjunction with AD Users and Group accounts, the time spent managing authorized

    users and system resources is greatly reduced. This is due to the majority of the MOSS

    2007 accounts being maintained at Site level by the site administrator, which permits

    the SharePoint Portal administrator additional time to focus on the overall administration

    of the entire Portal through Central Administration (English, 2007).

    Although the number of permission levels is limited, administrators still have the

    capability to define custom permission levels. This should be avoided if possible as it

    will create an administrative nightmare if it gets out of hand. The fewer groups and

    permission levels that must be managed the better. Administrators should always

    attempt to utilize existing groups and permission levels when possible.

    Of serious concern and requiring serious attention is the decision as to whether or

    not to permit access to Anonymous users or restrict access to authenticated users only.

    If the Portal is an INTRANET, meaning that it does not access the internet, then

    Anonymous user access should not be utilized since every authorized user will have an

    established account in AD or within MOSS 2007. If, however, the Portal is an

    EXTRANET, meaning it has internet connectivity, Anonymous access should be

    considered.

    The desired architecture, if Anonymous access is required, is to employ multiple

    front-end servers. A single server should be emplaced as a web facing server running a

    streamlined organizational Portal structure, which contains only informative

    organizational data (non-confidential), to handle internet traffic and one which is

    completely accessible to anonymous users. An internet facing server should run the ISA

    Server application and should always utilize SSL for encryption. With internet facing

    servers, it is also highly recommended to block all public access to your back-end SQL

    SVR server. This can be accomplished by blocking TCP 1433 on any firewall and router

    and using IPSec to encrypt all data moving from or to the front-end server. Blocking

    TCP 1433 also denies access to vulnerability exploits such as the Slammer worm (English,

    2007).

    Regardless of the type of authentication used, Single Sign On (SSO) authentication

    is recommended because it enables users to access multiple system resources without

    having to provide authentication credentials more than once, thus saving system

    resource utilization and facilitating functionality. SSO maintains a set of credentials for

    the application identities (AppIDs) of all resources stored in the MOSS 2007 SSO

    database. A security layer checks user credentials against multiple individual listings for

    an AppID which is stored in the SSO database. These Individual user mappings are

    useful if you need Log-in information about an individual user's access to shared system

    resources (Office IT and Servers User Assistance, Microsoft Corporation, 2008).

    Organizational data and the actual enterprise level Portal should be installed on a

    separate front-end server which is not accessible to the internet. 14 If the security policy

    dictates that employees are authorized to access the internet, then the policy should

    address specific instances, workstations, activities, times, etc. At no time should an

    INTRANET workstation be accessible to the internet as this opens the doorway for

    attack.

    SVR08 and MOSS 2007 are designed to function hand in hand along with MS

    Office 2007. Because so much information and data can be compiled and tracked using

    Excel workbooks, MOSS 2007 includes an optional security protocol entitled Excel

    Services which is an enterprise-class application which allows users to share and

    collaborate with shared Excel Workbooks securely. This is one of the highlights of

    MOSS 2007's Business Intelligence. This option provides the primary method to control,

    secure, and manage access to Excel workbooks in a MOSS 2007 enterprise

    14 Best Practice.

    environment. Therefore, if an organization relies on sharing Excel items such as pivot

    tables, charts, and graphs then Excel Services facilitates the interactive rendering of

    shared Excel components within business intelligence dashboards. For example, all

    shared workbooks can be accessed from a central location and from within a secure

    environment while providing owners the ability to lock workbooks in order to protect data

    integrity. At the same time Excel Services provides owner level control of how the

    workbook can be accessed and what actions can be taken with it (Office IT and Servers

    User Assistance, Microsoft Corporation, 2008). 15 When using Excel Services, data can

    also be protected by using Internet Protocol Security (IPsec) or Secure Sockets Layer

    (SSL).

    It is recommended that Integrated Windows authentication be utilized with Excel

    Services which is an integrated authentication method using traditional Windows

    authentication and the newer Kerberos authentication. However, for authentication

    from front-end Web servers to application servers running Excel Calculation Services,

    and from Excel Calculation Services to external data sources it is recommended to enable

    constrained Kerberos delegation (Office IT and Servers User Assistance, Microsoft

    Corporation, 2008).

    MOSS 2007 also utilizes .NET 3.5, another form of authentication, at the application

    level rather than at the OS level. Applications authentication reduces processing power

    and allows for more scalability of the network. Additionally, MOSS 2007 supports

    the ASP.NET provider model which allows authentication to any database which utilizes

    15 The Office SharePoint Server Security White Paper contains very detailed directions for implementing Excel Services (Office IT and Servers User Assistance, Microsoft Corporation, 2008)

    pluggable authentication by means of stand-alone databases. This permits the storage of

    EXTRANET accounts in locations other than within the internal Active Directory. It is not

    the purpose of this paper to expand the discussion into .NET 3.5 as it easily can be

    discussed in another paper.

    Internet Information Services v.7 (IIS 7) is another security enhancement that

    Microsoft has incorporated as part of the SVR08 foundation (English, 2007). IIS 7 has

    simplified its security management in an effort to make it easier for the administrator not

    only to conduct task and delegation activities but there are also significant changes to

    the authentication and authorization capabilities. Several security enhancements have

    been included in this version of IIS not previously available and administrators should

    familiarize themselves with these new security options and incorporate them into the

    organization's information security policies (Microsoft IIS7 Team, 2009).

    Although a more thorough discussion of IIS 7 capabilities is warranted, there is an

    insufficient allocation of time to delve into each of IIS 7's enhancements over previous

    versions, or to address its utilization in a MOSS 2007 environment. The reader should

    be aware of its inclusion with SVR08 default installation and also that there are more

    security options available to further enhance a secure network environment.

    Although there are many more security options available in MOSS 2007 such as

    location, design considerations, hosting, Partner webs, Content databases, inclusions

    for URL paths, etc., it is not feasible to attempt to cover them within the confines of this

    paper. Therefore, we will move on to the next topic of discussion, SQL SVR 2005.

    Sequel Server 2005 (SQL05). SQL05 provides a security enabled back-end support

    platform for standard and enterprise class databases wherein all of the Portal

    information is stored and accessed. SQL05 security capabilities focus on three key areas:

    Reliability, Confidentiality, and Integrity (See figure 04). In order to maintain this focus

    there are eleven key security features which SQL05 employs.

    Figure 04: Reliability-Confidentiality-Integrity

    In order to keep up with a rapidly changing environment SQL05 features Automated

    Software Updates. This feature is built into Windows Updates which detects any

    instance of SQL05 and based upon its scan analysis and permissions, can

    automatically install particular patches (Microsoft Corporation, 2007).

    Administrators can reduce data vulnerabilities by reducing the surface area of each

    database through use of the Surface Area Configuration tool which manages

    connections and various other services including analysis services, remote connections,

    full-text search services, SQL Server browser services, anonymous connection, linked

    objects, user-defined functions, CLR integration, SQL Mail, and native XML Web

    services. All of these services are accessible through a centralized graphical interface

    (GI) (Microsoft Corporation, 2007).

    SQL05, like SQL08, utilizes a strong Password enforcement policy which

    significantly reduces the likelihood of security breaches. SQL05 policies support

    complex passwords, dictate minimum password length, specify character

    combinations, as well as support password expiration. Windows Secure Password

    policies can also be applied to SQL05 to provide enhanced password security for all of

    its accounts.

    Role-based access provides administrators the ability to manage Server Agent

    services. The execution of certain administrative tasks is simplified, such as Server

    Integration Services (SSIS), through the use of multiple proxy accounts. SQL05 limits

    creation of a multitude of administrative activities which in turn provide a more robust

    security environment.

    Metadata accessibility is more secure than in previous SQL versions through the

    use of Catalog Security. Several different views are available which restrict a user's

    ability to view only those items s/he has permission to access. Additionally, SQL05 has

    the ability to identify certain tasks for execution. By identifying these execution tasks,

    SQL05 authenticates a user requested action against the owner's created execution

    module (task) in order to proceed with the action. An alternative to the

    execution module is the Signing Feature which operates in the same fashion but is

    associated with a signature which is added by the owner (Microsoft Corporation, 2007).

    Much like MOSS 2007 access permissions, SQL05 uses User Schema (Scheme)

    Separation which simplifies the management of large databases by providing the

    flexibility in assigning permissions. 16 By using this option, administrators can grant

    permissions to each individual object contained in the schema and / or any object added

    to it in the future. Also, like MOSS 2007, SQL05 employs Least Privileges Access which

    greatly enhances the security of all stored data.

    As with SVR08, SQL05 provides data encryption for information contained within

    each database. SQL05 can use a third party encryption certificate authority or the server

    can generate one itself. Much like Kerberos Key Distribution Center (KDC) and SSO,

    SQL05 maintains certificate stores which manage both symmetric and asymmetric keys

    by using algorithms such as 2-key Triple Data Encryption System (3DES), Advanced

    Encryption Standard (AES), Data Encryption System (DES), RC2, and Rivest Shamir

    Adleman (RSA). This management process is based on the key hierarchy rooted in

    SQL05's Service Master Key (SMK), which is encrypted with a combination of machine

    and service keys. All asymmetric keys have both a private and public key pair. Data is

    encrypted via the public key and can only be decrypted with the private key. Symmetric

    keys utilize a single key that both encrypts and decrypts (Microsoft Corporation, 2007).

    16 A Schema is a collection of database objects that form a namespace (i.e., Server.Database.Schema.Object).

    FIGURE 05: SQL05 Encryption

    Finally, SQL05 has the ability to capture event occurrences and log them for future

    analysis, specifically through the Capture to Data Definition Language (DDL) Activities function.

    Certain events at the server and database level trigger certain reactive responses by

    SQL05. As SQL05 responds to these events, the events are logged. This becomes

    important for auditing and enhancing security.

    CONCLUSION

    Although there is no actual secure network, there are steps that can be taken

    to make it less vulnerable (Varma, 2009). These security options can be employed not

    only to protect enterprise level resources, but also to protect small business assets as

    well. By employing, monitoring, and maintaining the many security features available in

    SVR08, MOSS 2007, and SQL05 an organization can orchestrate a "defense-in-depth"

    approach to safeguard and align the three core elements of its security program:

    fundamentals, threat and vulnerability mitigation, and identity and access control.

    Microsoft has attempted to meet the IT professional's needs to fight security threats

    and to protect organizational resources by producing a security enhanced package

    which works jointly to provide an OOTB capability protecting confidential data in

    response to the ever increasing information security threat. This capability provides the

    foundation with which an organization may establish and enforce its information security

    program.

    APPENDIX A: Security Options and Definitions for Windows Server 2008 (R2)

    The following security options are available in Windows Server 2008 (R2):

    AppLocker. Authorization Manager is a Microsoft Management Console (MMC)

    snap-in that can help provide effective control of access to resources.

    Authorization Manager. The AM is a Microsoft Management Console (MMC) snap-

    in which helps provide control and access to system resources.

    BitLocker Drive Encryption. BitLocker allows you to encrypt all data stored on the

    Windows operating system volume and configured data volumes, and by using a

    Trusted Platform Module (TPM), it can also help ensure the integrity of early startup

    components.

    Encrypting File System. Encrypting File System (EFS) is a core encryption

    technology that enables you to encrypt files stored on NTFS volumes.

    Kerberos. Kerberos is an authentication mechanism used to verify the identity of a

    user or host.

    Security Auditing. Security auditing is one of the most powerful tools to help

    maintain the security of your system. Auditing should identify attacks, either successful

    or not, that pose a threat to your network, or attacks against resources that you have

    determined to be valuable in your risk assessment.

    Security Configuration Wizard. Security Configuration Wizard (SCW) is an attack-

    surface reduction tool that guides administrators in creating security policies based on

    the minimum functionality required for a server's role or roles.

    Server Security Policy Management. Security policy is the configurable set of rules

    that the operating system follows when determining the permissions to grant in

    response to a request for access to resources.

    User Account Control. User Account Control (UAC) is a security component that

    allows an administrator to enter credentials during a non-administrator's user session to

    perform occasional administrative tasks. UAC can also require administrators to

    specifically approve administrative actions or applications before they are allowed to

    run.

    Windows Authentication. The Windows operating system implements a default set

    of authentication protocols, including Negotiate, Kerberos, NTLM, Transport Layer

    Security/Secure Sockets Layer (TLS/SSL), and Digest, as part of an extensible

    architecture. In addition, some protocols are combined into authentication packages.

    These protocols and packages enable authentication of users, computers, and services;

    the authentication process, in turn, enables authorized users and services to access

    resources in a secure manner.

    APPENDIX B: Security Tools and Definitions for Windows Server 2008 (R2)

    Tool name | Type | Description

    AccessChk | Identity and Access Control | AccessChk is a command-line tool that identifies what permissions or access levels a user or group has. AccessChk returns permissions to files, directories, registry keys, global objects, and Windows services.

    AccessEnum | Identity and Access Control | AccessEnum is a command-line tool that identifies which users and groups have access to a specific file or folder.

    Auditpol | Secure Configuration Assessment and Management | Auditpol is a command-line tool that displays information about and performs functions to manipulate audit policies.

    Extended Security Update Inventory Tool | Threats and Vulnerabilities Mitigation | The Extended Security Update Inventory tool determines if any SMS client computers need security updates that are not detectable by using Microsoft Baseline Security Analyzer (MBSA). This tool is available from the Microsoft Download Center.

    Icacls | Secure Configuration Assessment and Management | Icacls is a command-line tool that displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories. Icacls.exe replaces the Cacls.exe tool for viewing and editing DACLs.

    Malicious Software Removal Tool | Threats and Vulnerabilities Mitigation | The Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, or Windows Server 2003 for infections by specific, prevalent malicious software and helps remove any infection found.

    Microsoft Baseline Security Analyzer Tool | Threats and Vulnerabilities Mitigation | Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small-sized and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance.

    Microsoft Security Assessment Tool | Threats and Vulnerabilities Mitigation | The Microsoft Security Assessment Tool provides information and recommendations about best practices to help enhance security within your IT infrastructure.

    Microsoft Threat Analysis & Modeling v2.1.2 | Threats and Vulnerabilities Mitigation | The Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture, which is then used to produce a feature-rich threat model.

    Security Configuration Wizard | Secure Configuration Assessment and Management | The Security Configuration Wizard (SCW) determines the minimum functionality required for a server's role or roles and disables functionality that is not required. SCW is included with Windows Server 2008 and can be accessed from Administrative Tools and Server Manager.

    ShareEnum | Identity and Access Control | ShareEnum is a command-line tool that identifies the security settings of print and file shares. It shows administrators potential security problems arising from security that is too low.

    Windows Sysinternals | Identity and Access Control | The Windows Sysinternals Web site includes advanced system utilities and technical information to help you manage, troubleshoot, and diagnose your Windows systems and applications.

    APPENDIX C: Security Features in SQL Server 2005

    Key Features

    The table below provides an overview of the security features in SQL Server 2005.

    Feature | Description

    Off by Default | To reduce the SQL Server 2005 surface area to unauthorized access after initial installation, a number of services have been turned off or set for manual start-up so no inadvertent access is granted. Services that are off by default include the Microsoft .NET Framework, Service Broker network connectivity, and HTTP connectivity for Analysis Services. Services that require manual intervention to start include SQL Server Agent, Full Text Search, and Integration Services, which can all be reset for automatic start-up.

    Surface Area Reduction and Advanced Security | SQL Server 2005 provides rich security features to protect data and network resources. It is much easier to achieve a secure installation of the software, because all but the most essential features are either not installed by default or disabled if they are installed. SQL Server provides plenty of tools to configure the server. Its authentication features make it harder to get access to a server running SQL Server by integrating more closely with Windows authentication and protecting against weak or old passwords. Granting and controlling what a user can do when authenticated is far more flexible with granular permissions.

    Surface Area Configuration | SQL Server 2005 includes the SQL Server Surface Area Configuration Tool, which provides an intuitive graphical user interface (GUI) for configuring the server. Running this tool should be your first task after installing SQL Server. The tool opens with a brief explanation of its purpose, and a link to documentation. It includes a link to configure services and protocols and another to configure other features.

    Granular permission control | Permissions to perform a variety of database tasks have been made more granular to narrow the scope of rights that must be granted. This principle of least privileges helps ensure that database users have sufficient rights to do their tasks but only their tasks. The need to grant broad administrative rights to perform routine maintenance tasks has also been significantly decreased.

    Separation of users and schema | SQL Server 2005 simplifies security administration by separating the implicit link between users and the database objects that they own. For example, in earlier versions of SQL Server, if you wanted to remove a user, you had to first drop or reassign ownership of all database objects that the user owned, which significantly complicated the process and potentially impacted a large number of applications. With the new model, dropping users does not require an application change.

    Enforced password policy for standard logins | Administrators are able to specify Microsoft Windows style policies on standard logins so that a consistent policy is applied across all accounts in the domain.

    Execution context on modules | SQL Server 2005 allows you to specify a context under which statements in a module execute. This feature also acts as an excellent mechanism for granular permission management.

    Data Definition Language (DDL) triggers | With SQL Server 2005 you are able to specify triggers on DDL operations, providing a supplemental mechanism for auditing DDL actions.

    Native Encryption | SQL Server 2005 supports encryption capabilities within the database itself, fully integrated with a key management infrastructure. By default, client/server communications are encrypted. To centralize security assurance, server policy can be defined to reject unencrypted communications.

    Clustering authentication | SQL Server 2005 clustering supports Kerberos authentication on a virtual server. Administrators are able to specify Microsoft Windows style policies on standard logins so that a consistent policy is applied across all accounts in the domain.

    Multiple proxy accounts | SQL Server Agent supports multiple proxy accounts (one per job subsystem).

    No dependency on the Local Security Authority (LSA) database | SQL Server Agent no longer requires access to the LSA to use proxy accounts. Therefore, SQL Server Agent no longer requires the service to run as a local administrator for it to be enabled.

    SQL Profiler no longer requires system administrator rights | A new permission is available in SQL Server 2005 that allows users who do not have system administrator rights to run SQL Profiler.

    Analysis server communication encryption with server-defined policies | By default, client/server communications are encrypted. To centralize security assurance, server policy can be defined to reject unencrypted communications.

    Granular administrative roles for Analysis server | More administrative permissions are available in SQL Server 2005. In addition to online analytical processing (OLAP) administrators, database administrators are able to possess administrative permissions within the context of an individual database. New permissions on objects enable users to see the object definition (without being able to access the object itself) and to process an object.

    SQL Server Agent job roles | SQL Server Agent has been enhanced to support assigning rights over jobs in a granular fashion.

    New tools and Help files | A set of new deployment tools and documentation helps ensure that SQL Server 2005 can be securely deployed into an existing SQL Server topology or a new installation. These tools provide a step-by-step approach by giving detailed information, analyzing the existing topology, checking for prerequisites, recommending a configuration setting, and validating each step.

    Improved auditing capability for Analysis Services | SQL Server 2005 Analysis Services includes new auditing capabilities integrated with SQL Profiler.

    Security bulletins | Microsoft will publish security bulletins and patches as appropriate for SQL Server 2005. These bulletins help you understand and assess potential threats to your existing environments, and how to neutralize those threats.

    Microsoft Internet Information Services (IIS) Lockdown Wizard | If you plan to deploy SQL Server 2005 on a Windows 2000 Server platform, the IIS Lockdown Wizard is a powerful tool for securing your Web server environment. IIS Lockdown Wizard works by turning off features that are unnecessary in your environment, thereby reducing the exposed potential surface available to attack. To provide defense in multiple layers of protection against attackers, a tool called URLScan, with customized templates for each supported server role, is integrated into the IIS Lockdown Wizard. If you are deploying SQL Server 2005 on a Windows Server 2003 platform, the IIS Lockdown Wizard is integrated into IIS 6.0.

    Resources

    The following resources are provided to assist in developing solutions in a Microsoft Office SharePoint 2007 environment:

    Attend a free webcast or chat (http://www.microsoft.com/sql/community/webcasts.aspx)

    Building Custom Search WebParts with Integrated SAP NetWeaver Portal Search for Microsoft Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=100413&clcid=0x409)

    Business Data Catalog Authentication (http://go.microsoft.com/fwlink/?LinkID=100498&clcid=0x409)

    Configure single sign-on (http://go.microsoft.com/fwlink/?LinkId=95570&clcid=0x409)

    Enterprise Search Architecture in Microsoft Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=100497&clcid=0x409)

    Integrating Microsoft Office SharePoint Server 2007 and SAP (http://go.microsoft.com/fwlink/?LinkId=91026)

    Integration of SAP Business Server Pages (SAP BSP) in SharePoint 2007 (http://go.microsoft.com/fwlink/?LinkId=95579&clcid=0x409)

    Microsoft Office SharePoint Server 2007 SDK (http://go.microsoft.com/fwlink/?LinkID=82788&clcid=0x409)

    Microsoft/SAP Alliance (http://go.microsoft.com/fwlink/?LinkId=95574&clcid=0x409)

    Plan for single-sign on (http://go.microsoft.com/fwlink/?LinkId=95569&clcid=0x409)

    Product Overview Whitepaper (http://www.microsoft.com/sql/2005/productinfo/overview.mspx)

    Resources for Interoperability with Microsoft Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=95865&clcid=0x409)

    SQL Server Homepage (http://www.microsoft.com/sql)

    Bibliography

    Cardarelli, M., & Bisciotti, N. (2006, April 7). Microsoft Office SharePoint Server 2007 Security Model. Retrieved September 2, 2009, from msdn.com/sharepoint: http://blogs.msdn.com/sharepoint/archive/2006/04/07/570939.aspx

    English, B. (2007). Microsoft Office SharePoint Server 2007: Administrator's Companion. Redmond: Microsoft Press.

    Microsoft Corporation. (2007, February 16). Microsoft SQL Server 2005: Security Enhanced Database Platform. White Paper. Redmond, Virginia: Microsoft Corporation.

    Microsoft Corporation. (2009, March 19). Secure Windows Server 2008. Retrieved September 4, 2009, from technet.microsoft.com: http://technet.microsoft.com/en-us/library/cc725998%28WS.10%29.aspx

    Microsoft Corporation. (2009, April 16). Security and Protection. Retrieved September 07, 2009, from technet.microsoft.com: http://technet.microsoft.com/en-us/library/dd723678%28WS.10%29.aspx

    Microsoft Corporation. (2009, February). Security Compliance Management Toolkit Release Notes. Retrieved September 05, 2009, from Microsoft.com: http://go.microsoft.com/fwlink/?LinkId=103573

    Microsoft IIS7 Team. (2009, May 27). IIS7 Security. Retrieved September 9, 2009, from learn.iis.net: http://learn.iis.net/page.aspx/139/iis7-security-improvements/

    Office IT and Servers User Assistance, Microsoft Corporation. (2008, July). Office SharePoint Server Security. White Paper. Redmond, Virginia: Microsoft Corporation.

    Pyles, J., Buechler, C. M., Fox, B., Gordon, M., Lotter, M., Medero, J., et al. (2007). SharePoint 2007: The Definitive Guide. Sebastopol: O'Reilly Media, Inc.

    Varma, Dr. Umesh. (2009, April 23). Classroom lecture. (ITM 5600, Lecture)

    Whitman, M. E., & Mattord, H. J. (2004). Management of Information Security. Boston: Thomson Course Technology.