Module 8 Configuring and Securing SharePoint Services and Service Applications.


Module Overview
- Securing the Enterprise SharePoint Service
- Securing and Isolating Web Applications
- Services and Service Applications

Lesson 1: Securing the Enterprise SharePoint Service
- Track SharePoint Installation
- Block SharePoint Installation
- Approve SharePoint Installation
- Approve SharePoint Installation on Clients
- Manage Services on the Server
- Overview of SharePoint Services
- Administrative Accounts
- Managed Accounts

Track SharePoint Installation
Service connection points are data points in AD DS that represent the presence of a SharePoint server and farm.
The service connection points:
- Are automatically added during initial configuration
- Can be manually set using Windows PowerShell

Block SharePoint Installation
You can block unwanted SharePoint installations in your domain by using GPOs:
1. Open Group Policy Management
2. Open the appropriate GPO for editing
3. Navigate to HKLM\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint
4. Set the value DisableInstall to 1
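The registry setting from the steps above can also be written into a GPO from PowerShell and then checked on a target machine. This is an added example, not part of the original slides; the GPO name is a placeholder, and the DWORD value type is an assumption the slide does not state.

```powershell
# Added example: not from the original course material.
# Requires the GroupPolicy module (Group Policy Management tools).
Import-Module GroupPolicy

$gpoName = 'Block SharePoint Installation'   # placeholder GPO name
$key     = 'HKLM\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint'

# Create the GPO if it does not exist yet. It still has to be linked
# and scoped (security filtering) before it applies to any computer.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Write the registry-based policy setting: DisableInstall = 1 (DWORD assumed).
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'DisableInstall' `
    -Type DWord -Value 1 | Out-Null

# Read the setting back from the GPO to confirm what was stored.
Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'DisableInstall'

# Run on a target computer after a policy refresh to see whether the
# block actually arrived in the local registry.
function Test-SharePointInstallBlocked {
    $path = 'HKLM:\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint'
    $item = Get-ItemProperty -Path $path -Name DisableInstall -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        PolicyPresent = [bool]$item
        Blocked       = ([bool]$item) -and ($item.DisableInstall -eq 1)
    }
}

Test-SharePointInstallBlocked
```

A computer that reports `PolicyPresent = False` is outside the GPO's scope or has not refreshed policy yet.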

Approve SharePoint Installation
Use the following steps to approve a SharePoint installation:
1. Create Group Policy security filter
2. Create a new group
3. Give the new group permissions
4. Add approved servers to the group

Approve SharePoint Installation on Clients
There are three options for controlling client installation in SharePoint:
- Add clients to the approved server group
- Scope the GPO only to servers
- Create a separate GPO scoped to clients

Manage Services on the Server
Windows Services
- SharePoint Administration
- SharePoint Timer service
  Manually start the service if it is stopped
  Other services should not be started manually
- SharePoint Tracing
- SharePoint User Code Host
- SharePoint VSS Writer
- SharePoint Foundation/Server Search
SharePoint Services
- Central Administration > System Settings > Servers: Manage services on server

Overview of SharePoint Services
SharePoint Foundation
- Business Data Connectivity
- Usage and Health Data Collection
SharePoint Server: Standard
- Search Service
- Profile Service
SharePoint Server: Enterprise
- Performance Point Service
- Excel Services
Office Web Apps
- Excel Calculation, PowerPoint Service, Word Viewing
Microsoft Project Server: Microsoft Project Web Access

Administrative Accounts
Administrative accounts
- Domain-level accounts used for SharePoint
- Most are created during SharePoint setup
Accounts
- Setup User Administration
- Farm Service
- SharePoint Foundation 2010 Search Service
- SharePoint Foundation 2010 Search Content Access

Managed Accounts
A managed account is an AD DS user account whose credentials are managed by and contained within SharePoint.
By using Central Administration, you can:
- Manage these accounts
- Assign them to a service application
- Manage their passwords
You can also reset all managed passwords in SharePoint simultaneously using a Windows PowerShell script.
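A sketch of the PowerShell route mentioned above: report which managed accounts SharePoint rotates automatically, then preview a reset of all of them. This is an added example, not the course's own script; the 14-day warning threshold is a hypothetical value.

```powershell
# Added example: not from the original course material.
# Run in the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# One row per managed account: is automatic password change enabled,
# and is a manually managed password close to expiry?
function Get-ManagedAccountReport {
    param([int]$WarnDays = 14)   # hypothetical threshold
    $now = Get-Date
    foreach ($acct in Get-SPManagedAccount) {
        $daysLeft = [int]($acct.PasswordExpiration - $now).TotalDays
        New-Object PSObject -Property @{
            UserName           = $acct.Username
            AutomaticChange    = $acct.AutomaticChange
            PasswordExpiration = $acct.PasswordExpiration
            NeedsAttention     = (-not $acct.AutomaticChange) -and ($daysLeft -le $WarnDays)
        }
    }
}

Get-ManagedAccountReport |
    Sort-Object PasswordExpiration |
    Format-Table UserName, AutomaticChange, PasswordExpiration, NeedsAttention -AutoSize

# Reset every managed account to a new generated password.
# -WhatIf only previews the change; remove it to apply the reset.
Get-SPManagedAccount | ForEach-Object {
    Set-SPManagedAccount -Identity $_ -AutoGeneratePassword -WhatIf
}
```

A generated password is known only to SharePoint, so anything outside SharePoint that runs under the same AD DS account has to be accounted for before the reset is applied.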

Lesson 2: Securing and Isolating Web Applications
- Isolation Using Application Pools
- Application Pool Isolation
- Secure Communication Using Secure Sockets Layer

Isolation Using Application Pools
Why use separate application pools?
- Different identities
- Isolation of processes
- Recycle/restart without affecting others
- Throttling of resource usage
Why not use separate application pools?
- Administration overhead
- Idle worker processes
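To see how much identity separation a farm actually has, the following lists every Web application and service application with its application pool and process account, then flags accounts that run more than one pool. This is an added example, not part of the original slides; the function names are hypothetical.

```powershell
# Added example: not from the original course material.
# Run in the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Map each Web application and service application to its pool and identity.
function Get-AppPoolIdentityMap {
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        New-Object PSObject -Property @{
            Kind     = 'WebApplication'
            Consumer = $wa.DisplayName
            AppPool  = $wa.ApplicationPool.Name
            Identity = $wa.ApplicationPool.Username
        }
    }
    foreach ($sa in Get-SPServiceApplication) {
        # Not every service application is hosted in an IIS application pool.
        if ($sa.ApplicationPool) {
            New-Object PSObject -Property @{
                Kind     = 'ServiceApplication'
                Consumer = $sa.DisplayName
                AppPool  = $sa.ApplicationPool.Name
                Identity = $sa.ApplicationPool.ProcessAccountName
            }
        }
    }
}

# An identity that runs several pools gives process isolation
# but no separation of credentials between those pools.
function Find-SharedPoolIdentity {
    param($Map)
    $Map | Group-Object Identity | Where-Object {
        @($_.Group | Select-Object -ExpandProperty AppPool -Unique).Count -gt 1
    } | ForEach-Object {
        New-Object PSObject -Property @{
            Identity = $_.Name
            AppPools = (@($_.Group | Select-Object -ExpandProperty AppPool -Unique) -join ', ')
        }
    }
}

$map = Get-AppPoolIdentityMap
$map | Sort-Object AppPool | Format-Table Kind, Consumer, AppPool, Identity -AutoSize
Find-SharedPoolIdentity -Map $map | Format-Table Identity, AppPools -AutoSize
```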

Application Pool Isolation
[Diagram: Web App 1 and Web App 2 (each with a site collection) and Service Applications 1, 2 and 3, distributed across App Pools 1 to 5.]

Secure Communication Using Secure Sockets Layer
Before you can enable SSL, you must install AD CS.
Then:
- Create and install a certificate on each server
- Configure sites to use SSL

Lesson 3: Services and Service Applications
- SharePoint 2010: Service Application Framework Service Model
- Service Application Components
- Service Applications
- Service Application Connection
- Application Connection Groups
- Overview of Planning Service Applications
- Service Applications Types
- Service Applications Across Farms

SharePoint 2010: Service Application Framework Service Model
- Fundamental
- Flexible
- Scalable
- Extensible
- Managed within Central Administration

Service Application Components
Several components make up the Service Application Framework architecture. These are:
- Service
- Service application
- Service application connection
- Service application connection group
- Web application

Service Applications
The logical instance of a shared service.
Each service has its own management unit: service application.
Service applications have:
- Virtual directory in IIS
- Application pool
- Database(s)
- Physical instance (actual process\Web service on computer)
- Administrative interface (admin page)
Create a service application
Service application provisioning

Service Application Connection
Also known as application proxy or proxy.
Object that a consumer uses to connect to a service app:
- Web Part
- Object model
- Internal code
Used by Web app to communicate with a service app.
Created automatically when you create the service app.
Example:
- Search query performed by the user using Search Web Part
- WCF is used to connect to the application server running the Search service
- Application server gets data from the database and displays it for the user

Application Connection Groups
[Diagram: the IIS Web site "SharePoint Web Services" with an application pool hosting the service applications Access Services, Excel Services Application, Managed Metadata, User Profile, Business Data Connectivity, Secure Store Service and Search; a second application pool hosting the Web applications Published Intranet Content, My Site Web sites and team Sites; site labels HR, Facilities, Team 1, Team 2, Team 3.]

Overview of Planning Service Applications
Performance versus separation
Isolation
- App pool: process isolation
- Service data
- Isolation for performance of a targeted service
Typical services deployed for dedicated use
- Excel Services
- Managed Metadata
- Business Data Connectivity
Build logical topology, and then determine physical topology

Service Application Types
Cross-farm service applications (these service applications can be shared across multiple farms):
- Web Analytics
- Managed Metadata
- User Profile
- Business Data Connectivity
- Secure Store Service
- Search
Single-farm service applications (these service applications can be used only within a single farm):
- Access Services
- State Service
- Usage and Health Data Collection
- Project Server
- Excel Services
- Performance Point Services
- Visio Graphics Service
- Word Viewing Service
- Word Automation Services
- PowerPoint Service
[The slide diagram also marks the most commonly shared services.]

Service Applications Across Farms
Makes a service application available outside the farm.
Certificates between two farms
- Consuming farm provides to publishing farm: Root, Secure Token Service (STS) certificates
- Publishing farm provides to consuming farm: Root
Permissions
- Application Discovery and Load Balancer Service App
- Shared Service Application
Publish the service application
Connect to cross-farm service applications
- Creates connection on consumer farm that can be added to application connection groups
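The certificate exchange listed above, written out as the PowerShell run on each farm. This is an added example, not part of the original slides; the `C:\certs` folder (which must already exist), the file names and the trust names `ConsumingFarm` and `PublishingFarm` are placeholders.

```powershell
# Added example: not from the original course material.
# Run each section in the SharePoint 2010 Management Shell of the farm named.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- On the CONSUMING farm: export the root and STS certificates ---
$root = (Get-SPCertificateAuthority).RootCertificate
$root.Export('Cert') | Set-Content 'C:\certs\ConsumingFarmRoot.cer' -Encoding Byte

$sts = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$sts.Export('Cert') | Set-Content 'C:\certs\ConsumingFarmSTS.cer' -Encoding Byte

# Record the thumbprints so the other farm's administrator can compare
# them against the files received before trusting them.
$root.Thumbprint
$sts.Thumbprint

# --- On the PUBLISHING farm: export the root certificate ---
$pubRoot = (Get-SPCertificateAuthority).RootCertificate
$pubRoot.Export('Cert') | Set-Content 'C:\certs\PublishingFarmRoot.cer' -Encoding Byte
$pubRoot.Thumbprint

# --- On the PUBLISHING farm: trust the consuming farm's root and STS ---
$cRoot = Get-PfxCertificate 'C:\certs\ConsumingFarmRoot.cer'
$cSts  = Get-PfxCertificate 'C:\certs\ConsumingFarmSTS.cer'
$cRoot.Thumbprint   # compare with the value recorded on the consuming farm
$cSts.Thumbprint
New-SPTrustedRootAuthority -Name 'ConsumingFarm' -Certificate $cRoot
New-SPTrustedServiceTokenIssuer -Name 'ConsumingFarm' -Certificate $cSts

# --- On the CONSUMING farm: trust the publishing farm's root ---
$pRoot = Get-PfxCertificate 'C:\certs\PublishingFarmRoot.cer'
$pRoot.Thumbprint   # compare with the value recorded on the publishing farm
New-SPTrustedRootAuthority -Name 'PublishingFarm' -Certificate $pRoot

# Review the resulting trust relationships on either farm.
Get-SPTrustedRootAuthority | Format-Table Name -AutoSize
Get-SPTrustedServiceTokenIssuer | Format-Table Name -AutoSize
```

The exported `.cer` files contain only public certificates, but the thumbprint comparison is what confirms that the file imported is the one the other farm exported.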

Lab A: Administering SharePoint Services
- Exercise 1: Administering SharePoint Services
- Exercise 2: Administering SharePoint Windows Services
Logon information
Estimated time: 20 minutes

Scenario
You have recently installed a new SharePoint 2010 farm. Some of the developers are complaining that they are experiencing errors because services are not running on the SharePoint server. They have asked you to ensure that all Windows and SharePoint Services have been installed and are started.

Lab B: Configuring Application Security
- Exercise 1: Configuring Web Application and Application Pool Security
- Exercise 2: Configuring Secure Sockets Layer Security
Logon information
Estimated time: 30 minutes

Scenario
Your manager has recently installed a new SharePoint 2010 farm. When he performed the configuration of the farm, he did not use the Farm Configuration Wizard. Because he didn't use the configuration wizard, some of the service applications required by your developers were not installed. Your manager has tasked you with reviewing the installed service applications and creating the missing service applications.

Lab C: Configuring Service Applications
- Exercise 1: Creating a Service Application
Logon information
Estimated time: 30 minutes

Scenario
Your company, Contoso, has adopted SharePoint 2010 for many reasons. One is its new, more optimized service application environment and another is its ability to manage metadata. You want to allow sites in the client-facing Web application to use managed metadata and keywords, but you do not want managed metadata and keyword columns in the client Web application to have visibility into terms used internally. Therefore, you must configure a separate managed metadata service for the client Web application.

Module Review and Takeaways
- Review Questions