Best practices for security and governance in share point 2013 published
Microsoft SharePoint provides features and capabilities enabling you to secure access, control authentication and authorize access to information. Choosing the capabilities to make use of, configuring them and understanding their impact can be a complex tax. In this session you will learn about the key security features available in Microsoft SharePoint 2013 and the best practices for using them. The sessions begin by talking about the business reasons that organizations need to consider when security their SharePoint content, and it will then review specific capabilities and options in detail with recommendations. Well also review various governance best practices and how they relate to SharePoint security capabilities. Throughout the session, youll hear examples from large commercial enterprise, government and military and about the best practices they use to secure their content within SharePoint.
1. Best Practices for Security and Governance in SharePoint 2013 Antonio Maio Protiviti, Senior SharePoint Architect & Senior Manager Microsoft SharePoint Server MVP Email: Antonio.email@example.com Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: 0 @AntonioMaio2 2. Welcome to Houston TechFest Thank you for being a part of the 8th Annual Houston TechFest! Please turn off all electronic devices or set them to vibrate. If you must take a phone call, please do so in the lobby so as not to disturb others. Thanks to our Diamond Sponsors: 1 3. 2 4. What Drives our Information Security Needs? Information Security comes down to 2 or 3 drivers 4 Protecting Your Investments (intellectual property, digital assets, competitive advantage) Reducing Your Liability (avoid compliance violations, fines/sanctions, reputation issues) Public Safety or Mission Success (protect classified information, mission plans, reputation issues) Public Health (health records, health insurance, insurance fraud/theft) 5. What Drives our Information Security Needs? How does this affect us as SharePoint people? How We Deploy SharePoint Control Access Assign Roles and Permissions Establish Repeatable/Predictable Process Regulatory Compliance Standards Auditing & Reporting Obligations 5 6. SharePoint Deployment Plan your Deployments and Necessary User Accounts Use Least Privileged Accounts Review SharePoint deployment guide before you install SharePoint is a web application built on top of SQL Server Best practice: to use specific user accounts for specific purposes with least 6 privileges Benefits: Separation of Concerns Targeted auditing of account usage Multiple points of redundancy Minimize the risk of compromised accounts 7. Deployment User Accounts Use 3 Different Deployment Accounts (at minimum) SQL Server Service Account Setup User Account SharePoint Farm Account 7 Assign to MSSQLSERVER and SQLSERVERAGENT services when installing SQL Server (ex. domainSQL_service) Used to install SharePoint, run Product Config Wizard, install patches/update Used to run the SharePoint farm; not just for database access (ex. domainsp_farm_user) No special domain permissions - given required rights in SQL Server during SQL setup Login with this when running setup (ex. domainsp_setup_user) After Product Config Wizard run, prompted to provide the Database Access Account this is the all powerful farm account Must be local admin on each server in SharePoint farm (except SQL Server if its different box) Given ownership of Config database - also configures several SharePoint services (ex. timer service) to use this as its identity Before starting SharePoint setup, assign the securityadmin and dbcreator roles in SQL 8. Deployment User Accounts At least 3 Different Deployment Accounts SQL Server Service Account Setup User Account SharePoint Farm Account Should all be AD domain accounts Do not use personal admin account, especially for Setup User Account Test and Production environments should have different accounts Configure central email account for all managed accounts 8 9. Authentication Determine that users are who they say they are typically via login 9 SharePoint 2010 Options Classic Mode Authentication (Integrated Auth, NTLM, Kerberos) Claims Based Authentication Forms Based Authentication - through Claims Based Auth. UI configuration options only available in UI upon web app creation To convert non-claims based web app to claims will require PowerShell SharePoint 2013 Options Claims Based Authentication - default Classic Mode Deprecated - Configuration UI has been removed (Only configurable through PowerShell) 10. Authorization Determine if users have access to specific information objects and which level of access are they granted Accomplished through Permissions in SharePoint Allow you to secure any information object or container Apply to items, documents, folders, lists, libraries, sites Do not apply to individual column field values, social fields Assigning Permissions Includes The information object or container in question The user, group or claim that is granted access The permission level we are granting as part of that access 10 11. Permission Examples 11 Users, Groups or Claims Finance AD Group has Full Control on Library A ProjectContractors SP Group has Read access on site B John.Smith AD user has Contribute access on Document C SecurityClearance=Secret has Full Control access on Document X EmploymentStatus=FTE has Contribute access on Site Z User, Group, or Claim (also called a Principle) Permission Level (collection of permissions) Information Object (item or container) 12. Users Interacting with Permissions 12 13. Users Interacting with Permissions 13 14. Users Interacting with Permissions 14 15. Users Interacting with Permissions 15 16. Inherited Permission Model 16 Hierarchical permission model Permissions are inherited from level above Can break inheritance and apply unique permissions Manual process Permissive Model SharePoint Farm Web Application Site Collection Site Collection Site Site Site Library List Document Web Application Item Document Document Item Demo Members SharePoint Group Edit Demo Owners SharePoint Group Full Control Demo Visitors SharePoint Group Read Finance Team Domain Group Edit Senior Mgmt Domain Group Full Control Research Team Domain Group Full Control Senior Mgmt Domain Group Full Control Research Team Domain Group Full Control Senior Mgmt Domain Group Full Control Antonio.Maio Domain User Full Control 17. Permissions and Security Scopes 17 Every time permission inheritance is broken a new security scope is created Security Scope is made of up principles: Domain users/groups SharePoint users/groups Claims Be aware of Limited Access Limitations Security Scopes (50K per list) Size of Scope (5K per scope) Microsoft SharePoint Boundaries and Limits: http://technet.microsoft.com/en-us/library/cc262787.aspx 18. Information Architecture and Metadata Information Architecture The structural design of your information sharing environment Organization and Storage Identification Retention Business sensitivity and confidentiality Metadata can provide important insight into what type of information you have in SharePoint Recommended: Use Metadata to Classify information and Identify its Sensitivity 18 19. Standardized Metadata 19 20. Standardized Metadata Implement Standardized Metadata Fields across sites, libraries, lists Library or List Level Site Column Level Managed Metadata Service (across Site Collection or Farm) Ensure users are adding metadata when adding/editing information 20 (mandatory fields) Be aware of situations where SharePoint doesnt request metadata (multi-file upload, explorer view) Keep it Simple: Limit sensitivity classification to 3 or 4 labels Public, Confidential, Restricted, Highly Restricted Low Business Impact, Moderate Business Impact, High Business Impact Unclassified, Confidential, Secret, Top Secret Educate, Educate, Educate: What does each label mean/impact? 21. Information Governance Governance means setting out the structures, people, policies, procedures and controls to manage information and support an organization's immediate and future requirements for that information: 21 Regulatory Compliance Legal Risk Administrative Environmental Operational 22. Information Governance Ignorance is not always bliss its problematic! 22 23. Governance and SharePoint SharePoint as a platform which offers services to your 23 organizations users Governance for the SharePoint platform means: Managing existing services in a predictable way Understanding how to deploy new services in a predictable way Providing a clear set of guidelines for usage and administration Achieve Strong Governance for SharePoint: 1. Establish a Governance Team Include stakeholders from across the organization 2. Develop a Governance Plan Cross functional - Identifies ownership for business and technical teams Regulatory, risk, legal, admin, environmental, organizational Needs 24. Developing a SharePoint Governance Plan Key Areas to Focus Define Information Architecture/Structures (Includes Metadata Taxonomy) 24 Confidential Define Security Controls/Groups, Permissions and Roles for Assigning Permissions Define Roles, Responsibilities, Who has authority? Determine Training Needs; Plan to Educate User Community Define Rules for Site Creation, Management, Decommissioning 25. Conclusion Develop a SharePoint Governance Plan with Key Stakeholders Ignorance is not bliss its problematic! Understand the type of information you have Develop an information architecture Understand the risks to that information: accidental, insider and external threats Use Metadata to identify sensitivity Educate end users on significance of sensitivities make them part of the solution Deploying SharePoint with Appropriate Least Privileged Accounts Determine your Authentication and Authorization Needs Understand how permissions work Plan for how permissions are given and managed Understand SharePoint Security Features Others: Web App Policies, Anonymous Users, Information Rights Management, Privileged 25 Users , Event Auditing 26. Please Leave Feedback During Q&A 26 If you leave session feedback and provide contact information in the survey, you will be qualified for a prize Scan the QR Code to the right or go to http://bit.ly/1p13f3n 27. Thanks to all our Sponsors! 27