Sec 311 Securing SharePoint Infrastructure and Technologies Fred Baumhardt Sandeep Modhvadia Microsoft UK – Technology Services.
Presentation transcript:

Sec 311 Securing SharePoint Infrastructure and Technologies Fred Baumhardt Sandeep Modhvadia Microsoft UK – Technology Services

Agenda
- About SharePoint Services: why secure them
- Securing SharePoint infrastructure
- Authentication and authorization
- Security for the IIS tier
- Security for the SQL 2000 tier
- SharePoint and firewalls
- SharePoint concepts: box and site administrators, site groups and lists
- Anonymous access and SharePoint security validation

About SharePoint Services
- WSPS provides centralised, easy-to-manage document management/storage, indexing and search services
- It also contains lists: contacts, tasks and discussion forums. It is a repository of useful information
- Evil hackers like central repositories of information, especially those secured by Microsoft products, which we assume aren't secure

SharePoint Security Dependencies
- The first step in securing any complex system is to secure the infrastructure
- SharePoint uses many Windows subsystems (IIS, AD, networking, etc.), all of which have to be locked down
- Most attacks against SharePoint we see at Microsoft Consulting are against common Windows subsystems, not SharePoint itself

Connecting to SharePoint
- Client-server connectivity needs to be secured: how will you do this?
- Plan an authentication strategy
- Plan an encryption strategy; remember that it invalidates all network-based IDS (they cannot inspect encrypted traffic)
- Where will clients connect from? Secure it:
  - VPN must be secured (5000 clients = 5000 security perimeters)
  - Internal network: will sensitive documents pass unencrypted?

Architecture Defences (diagram; labels recovered from the slide)
- Zones: Internet, border, perimeter, internal
- Border: redundant routers, redundant firewalls, intrusion detection
- Perimeter: reverse proxy (talks to WSPS), inbound VPN, RADIUS network, perimeter Active Directory on its own VLAN
- Redundant internal firewalls between the perimeter and the internal network
- Internal VLANs: intranet network (web servers), messaging network (WSPS), SharePoint VLAN, management network (MOM, deployment), client network, infrastructure network (internal Active Directory), data network (SQL Server clusters)
- NIC teams across two switches; remote data centre

SharePoint RPC in the DMZ (diagram)
Ports a SharePoint server in the DMZ needs back to the internal network:
- TCP/UDP 389: LDAP to the Directory Service
- TCP 3268: LDAP to the Global Catalog server
- TCP/UDP 88: Kerberos authentication
- TCP/UDP 53: DNS
- TCP: RPC endpoint mapper
- TCP: RPC service ports (unless all DCs are restricted)
- SQL (default TCP 1433, unless mapped to another port)
Diagram flow: Internet -> TCP 443 HTTPS -> stateful packet filtering firewall -> SharePoint (WSPS) -> "Swiss-cheesed" or bypassed firewall -> back-end servers (RPC for Outlook, SMTP, POP3, IMAP4, back-end server RPC, SQL and a bunch more)

Extranet tips
- Use a separate domain account for the app pool of each virtual server
- Use integrated Windows authentication for connecting to SQL
- Use SSL!!!!
- Make sure SQL is not directly accessible on the extranet
- Terminate SSL at an application-inspecting device

SQL Security and WSPS
- Two modes: Windows authentication or SQL Server authentication ("SA auth")
- By default, WSPS uses Windows authentication
- Mixed mode is not as secure; SPS can be set up to use mixed authentication
- This is an install-time choice and cannot be changed later
- Each content database can have unique credentials
- But the database server can be brute-forced by tools

Attacking SQL to get SharePoint (demo)

Protecting SharePoint (diagram)
Traditional firewall:
- The client connects over SSL to the WSPS server; the WSPS server prompts for authentication, and any Internet user can reach this prompt
- SSL tunnels through traditional firewalls because it is encrypted...
- ...which allows viruses and worms to pass through undetected...
- ...and infect internal servers!
ISA Server with Feature Pack 1:
- Basic authentication delegation: ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through
- ISA Server can decrypt and inspect SSL traffic; inspected traffic can be sent to the internal server re-encrypted (SSL) or in the clear (HTTP)
- URLScan for ISA Server can stop Web attacks at the network edge, even over encrypted SSL

General SharePoint Server Hardening
- Role-based hardening
- OU structure to hold SharePoint servers
- Security templates from Microsoft Systems Architecture
- AD is a great security tool for SharePoint

Authentication vs. Authorization
- Authentication: the verification of the identity of a person or process; handled by IIS
- Authorization: determines which functions you can perform; handled by SharePoint
- IIS' authentication mechanism requires an NT account (either local or AD)
- IIS uses RPC to authenticate; this has serious ramifications in DMZ scenarios

IIS Security and WSPS
- Two virtual servers, content and admin; each can have its own application pool
- Each application pool can have a unique user identity
- Result: one-click setup = two virtual servers (admin and content) + two app pools, each owned by the local machine account "Network Service"

IIS Security: Web Farms
- The domain account for the admin virtual server should be decided before install, and should have create-database and security administrator rights in SQL
- The domain accounts for the admin and content virtual servers should be different
- Each web front-end box should use the same accounts across the farm; different accounts can be used, but this requires manual setup

The SharePoint Security Model
- Box and SharePoint admins
- Site collections
- Permissions in SharePoint

Box & SharePoint Administrators
- Two sets of admins: box admins and SharePoint Administrative Group members
- The SharePoint Administrative Group is defined in WSPS Central Administration
- WSPS checks whether the user is a box admin or in the domain group; if so, full access is granted
- Four differences between the abilities of box admins and SharePoint admins:
  - Change the configuration database
  - Change the SharePoint admin domain group
  - Manage content paths
  - Extend/unextend IIS virtual servers

Site Collections
- A set of logically related sites that can be collectively managed
- Each collection has a single top-level site
- Individual users can be marked as Site Collection Administrators; this grants them full access to all content
- Permissions can be inherited (based on Windows ACLs)

Security & Site Collections
Site collection administrators have three main responsibilities:
- Users on the site collection: users are rolled up at the site collection level, and can be managed there
- Cross-site groups on the site collection: cross-site groups are scoped to the site collection level
- Quota issues for the site collection

SharePoint Security Configuration (demo)

Permissions in WSPS
- WSPS uses "rights": a right is a privilege that allows a user to perform an action on the server. Examples: View Pages, Insert List Items, Change List Permissions
- There are currently roughly 20 rights
- Some are dependent on others. Example: Insert List Items has View List Items as a dependency
- At the IIS virtual server level there is a "rights mask":
  - It enables/disables rights for use on web site collections within that virtual server
  - It is settable by box administrators and SharePoint administrators

SharePoint Authorization
- The implementation is similar to the NT system
- WSPS-specific ACLs dictate access
- An ACL maps a security principal (user, group, etc.) to a set of rights
- Windows is called for domain group resolution
- Two main securable resources within WSPS support ACLs: lists and webs

The Permission Model
- Functions just like the Windows AD model
- Set permissions on the site collection; they are inherited by sub-sites
- Delegation and site creation follow similar rules: take the parent's permissions or set new ones

Web Site Security
- A web site is a set of web pages that are managed as a whole
- A web site can have a parent web and child webs
- A web site's security can be either inherited from its parent web, or unique

Web Site Security (continued)
- The only principal which can have permissions directly on a web site is a Site Group
- This is to encourage A-G-DL-P: set permissions on groups
- Site Groups are scoped to an individual web site
- There are six Site Groups by default; they can be customized
- Which Site Groups a user is a member of determines their default permissions to objects in that site (and any web sites that inherit from it)
- Membership in multiple Site Groups is possible

List Security
- A list is the smallest securable object in WSPS
- Principals can be site groups, cross-site groups, domain groups, or individual users
- Rights specific to lists include view/insert/edit/delete
- By default, a list inherits its permissions
- If specific permissions are placed on a list, it is implicitly made unique
- ACLs on a unique list trump site-wide ACLs
- Example: a user has read access to the site in general, but on the "Announcements" list has been given no permissions
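The rights dependencies and rights mask from the "Permissions in WSPS" slide and the inherited-versus-unique list rule from this slide, worked as a small model. This is an added example, not WSPS code; the right names, the Web/SPList classes and the dependency table are constructed approximations of what the slides describe.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed model of the WSPS rights/ACL rules on the slides; right names
# are illustrative, not WSPS's exact identifiers. Granting a right implies the
# rights it depends on (the slide's example: Insert List Items needs View List Items).
RIGHT_DEPENDENCIES = {
    "InsertListItems": {"ViewListItems"},
    "EditListItems": {"ViewListItems"},
    "DeleteListItems": {"ViewListItems"},
    "ChangeListPermissions": {"ViewListItems"},  # assumption for this model
}
ALL_RIGHTS = frozenset({"ViewPages", "ViewListItems"} | set(RIGHT_DEPENDENCIES))

def expand_rights(rights: Set[str]) -> Set[str]:
    """Close a set of rights over its dependencies."""
    out, todo = set(rights), list(rights)
    while todo:
        for dep in RIGHT_DEPENDENCIES.get(todo.pop(), ()):
            if dep not in out:
                out.add(dep)
                todo.append(dep)
    return out

@dataclass
class Web:
    name: str
    parent: Optional["Web"] = None
    unique: bool = False                       # False = inherit security from parent
    site_groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> rights
    members: Dict[str, Set[str]] = field(default_factory=dict)      # user -> groups

@dataclass
class SPList:
    name: str
    web: Web
    acl: Optional[Dict[str, Set[str]]] = None  # principal -> rights; None = inherit

def security_web(web: Web) -> Web:
    """Walk up until a web with unique permissions (or the top-level site)."""
    while not web.unique and web.parent is not None:
        web = web.parent
    return web

def effective_rights(user: str, lst: SPList, rights_mask: frozenset = ALL_RIGHTS) -> Set[str]:
    """Rights a user has on a list after inheritance, unique ACLs and the rights mask."""
    w = security_web(lst.web)
    principals = {user} | w.members.get(user, set())   # the user plus their site groups
    if lst.acl is None:                        # inherited: site group membership decides
        granted = {r for g in w.members.get(user, ()) for r in w.site_groups.get(g, ())}
    else:                                      # unique list ACL trumps site-wide ACLs
        granted = {r for p in principals for r in lst.acl.get(p, ())}
    return expand_rights(granted) & rights_mask
```

Giving a Reader-group user nothing on a unique "Announcements" list yields an empty rights set even though the site grants read access, and removing a right from the virtual-server rights mask removes it everywhere regardless of ACLs.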

Groups and WSPS
Three types of groups are supported:
- NT domain groups
  - Can be nested inside each other
  - WSPS calls NT for user resolution
  - Can be a member of both of the group types below
- Cross-site groups
  - Scoped to the site collection
  - Can't be nested within each other
  - Can be a member of site groups, but not of NT domain groups
- Site groups
  - Scoped to an individual web site
  - Can't be nested within each other

Anonymous Access
- Anonymous access is limited: the most anonymous users can do is insert list items
- By default it is turned off, both at the web site level and at the IIS level
- The WSPS UI is sensitive to the IIS setting
- Anonymous access is set at myriad different points:
  - IIS setting for the virtual server
  - On/off switch at the web site level
  - Rights mask at the individual list level

SharePoint Security Validation
- The one-click attack uses a FORM POST from script to submit data without the user's knowledge
- The attacker must get the target to browse to a page that has the script
- The target never knows what script just executed
- Really a web-wide problem, inherent in the design of scripting and cross-domain browser security
- WSPS addresses this with a request digest for security validation:
  - Part of every page served to the client
  - The digest contains a site secret, the time, and the username
  - The digest must be returned with each POST to the server for security validation to pass
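A model of the request-digest check described above, added here as an example and not WSPS's own code or format: the digest binds a site secret, the issue time and the username with an HMAC, and a POST that does not carry a fresh digest for the logged-on user is rejected before any action runs. The secret, lifetime and form field name are constructed placeholders.

```python
import hashlib
import hmac

# Constructed model of the request digest the slide describes (site secret,
# time and username); not WSPS's real digest format or field name.
SITE_SECRET = b"constructed-site-secret-do-not-reuse"   # per-site secret (sample value)
DIGEST_TTL = 30 * 60                                    # lifetime in seconds (assumption)
FIELD_NAME = "RequestDigest"                            # form field name (placeholder)

def make_digest(username: str, now: int, secret: bytes = SITE_SECRET) -> str:
    """Digest embedded in every page served to the client."""
    mac = hmac.new(secret, f"{username}|{now}".encode(), hashlib.sha256).hexdigest()
    return f"{now}:{mac}"

def validate_digest(digest: str, username: str, now: int,
                    secret: bytes = SITE_SECRET, ttl: int = DIGEST_TTL) -> bool:
    """True only if the digest was issued by this site, for this user, and is still fresh."""
    try:
        issued_str, mac = digest.split(":", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False
    if issued > now or now - issued > ttl:          # clock skew or expired
        return False
    expected = hmac.new(secret, f"{username}|{issued}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)        # constant-time comparison

def handle_post(form: dict, session_user: str, now: int) -> str:
    """Server-side gate run before any state-changing action on a POST."""
    digest = form.get(FIELD_NAME)
    if not digest or not validate_digest(digest, session_user, now):
        return "403 security validation failed"
    return "200 list item inserted"

def demo() -> tuple:
    """The user's own form carries the digest; a cross-site form cannot read it."""
    now = 1_000_000
    page_digest = make_digest("alice", now)          # issued with the page alice loaded
    own_form = {FIELD_NAME: page_digest, "Title": "status update"}
    foreign_form = {"Title": "cross-site post"}      # another origin cannot read the digest
    return handle_post(own_form, "alice", now + 60), handle_post(foreign_form, "alice", now + 60)
```

Because the digest is bound to the username and the site secret, a digest issued to one user is also rejected when replayed in another user's session.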

Blocked File Types
- A list of file types, based on file extension
- The list is per virtual server
- This is more of a convenience feature or policy "helper" than a true security feature: users can rename the file extension
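To show why an extension list is only a policy helper, this added example (not WSPS code) applies a constructed blocked-extension list and then a content check on the first bytes, which catches a renamed executable that the extension check passes. The extension list and magic-byte table are samples chosen for the example.

```python
# Constructed example, not WSPS's blocked-file-types implementation. The
# extension list is a sample; the magic-byte table covers only well-known formats.
BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "bat", "cmd", "vbs", "hta"}

# Signature -> (description, treat as executable?). Checked on content, not on name.
MAGIC = {
    b"MZ": ("Windows PE executable (exe/dll/scr)", True),
    b"\x7fELF": ("ELF executable", True),
    b"PK\x03\x04": ("ZIP container (also Office 2007+ documents)", False),
}

def extension_of(filename: str) -> str:
    """Lower-cased final extension, '' if none (what the per-virtual-server list sees)."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""

def sniff(data: bytes):
    """Return (description, is_executable) for a known signature, else None."""
    for sig, info in MAGIC.items():
        if data.startswith(sig):
            return info
    return None

def check_upload(filename: str, data: bytes):
    """Extension policy first (as the slide describes), then a content check the policy lacks."""
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return False, f"extension .{ext} is on the blocked list"
    sniffed = sniff(data)
    if sniffed and sniffed[1]:
        return False, f"content is a {sniffed[0]} despite the .{ext or '?'} name"
    return True, "allowed"

# Constructed sample uploads (first bytes only).
SAMPLES = {
    "tool.exe":   b"MZ\x90\x00\x03\x00",      # blocked by extension alone
    "report.txt": b"MZ\x90\x00\x03\x00",      # renamed executable: extension check passes
    "notes.txt":  b"Meeting notes\n",         # harmless text
    "deck.pptx":  b"PK\x03\x04\x14\x00",      # ZIP container, allowed
}

def run_samples() -> dict:
    """Evaluate every constructed sample; returns name -> (allowed, reason)."""
    return {name: check_upload(name, data) for name, data in SAMPLES.items()}
```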

Safe Mode Rendering
- Provides a safe execution environment for SharePoint pages and Web Part Pages
- Eliminates the following risks:
  - A user inserting code with an infinite loop or that consumes a huge amount of memory
  - A user inserting references to Web Form Controls or other classes that the administrator did not approve (or has not tested for scalability or robustness)

Limits
- Safe mode and the Web Part framework provide limits on the rendering of Web Parts
- These limits are set either at the virtual server level or at the assembly level
- Virtual server level limits can be set in two ways: Web.config, or SharePoint Central Administration
- Assembly limits are set by assigning permissions to assemblies using Code Access Security policies

SharePoint Resources
- Evaluate the Windows SharePoint Services and SharePoint Portal Server 2003 betas
- Download technical documentation and Software Development Kits from our Developer Center
- Find and contribute Web Parts and templates to the Web Component Directory
- Visit our community websites

Community Resources
- Most Valuable Professional (MVP)
- Newsgroups: converse online with Microsoft newsgroups, including worldwide user groups
- Meet and learn with your peers


© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.