Designing Secure SharePoint External Access Ondrej Sevecek | MCM: Directory | MVP: Security |

Presentation transcript:

Designing Secure SharePoint External Access Ondrej Sevecek | MCM: Directory | MVP: Security |

MOTIVATION Designing Secure SharePoint External Access

Why
- Enable internal users to access from outside
- Share portal access with business partners

How
- Forefront Threat Management Gateway
- Forefront Unified Access Gateway

Challenges
- Secure authenticated access
- Smooth document access from Office applications
- Repeated password prompts
- Endpoint compliance
- Intrusion prevention

AUTHENTICATION OVERVIEW Designing Secure SharePoint External Access

SharePoint Authentication
- Classic Mode Authentication: NTLM or Kerberos
- Claims Based Authentication: NTLM or Kerberos, Basic, ASP.NET Forms, Active Directory Federation Services

SharePoint Authentication

Extending Web Applications (diagram; labels: WFE, LAN, Internet, Intranet Web Site, Extranet Web Site, Web Application, Content DB, Kerberos, Forms, .PDF/.DOC, Visitors READ, LDAP, AD)

WINDOWS AUTHENTICATION Designing Secure SharePoint External Access

SharePoint Authentication
External access for internal users:
- Basic
- NTLM (no SSO)
- Kerberos (only on intranet)
- SSL client certificates
Not suitable for external users (accounts in AD, possibly other access)

SharePoint Authentication for Internal Users
- Basic: plaintext password; works from internet; no SSO
- NTLM: less secure, MD5; performance problems at 200 +/- users per WFE; no SSO
- Kerberos: secure, mutual authentication, AES, smart cards; faster, smoother; intranet only
- SSL Client Certificates: the most secure, mutual authentication; SSO from outside

Internal Users Authentication

Method           | SSO | Mutual Authentication | Used from internet | Security      | Notes
-----------------+-----+-----------------------+--------------------+---------------+---------------------
Basic            | no  | no                    | yes                | little        |
NTLM             | no  | no                    | yes                | password hash | performance problems
Kerberos         | yes | yes                   | no                 | password hash |
SSL Certificate  | yes | yes                   | yes                | private key   |

Basic Authentication with Port Forwarding

- Simplest to deploy
- Less secure: direct access to the farm
- Must use public certificates on the farm
- NTLM would require custom IE configuration and has performance problems
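With port forwarding the farm's own authentication methods are what the internet sees, so the first check in this design is what the published URL actually advertises. The following PowerShell is an added example, not from the presentation: it sends one anonymous request and reports the WWW-Authenticate schemes returned, flagging Basic without TLS and NTLM/Negotiate offered externally. The URL is a placeholder; it assumes Windows PowerShell 5.1, where a 401 surfaces as a WebException.

```powershell
# Added example (not from the presentation): report which HTTP authentication
# schemes a published SharePoint zone or gateway offers to an anonymous client.
# Assumption: the URL below is a placeholder; run from outside the LAN to see
# what the internet-facing side advertises.
function Get-AdvertisedAuthSchemes {
    param([Parameter(Mandatory)][string]$Url)
    try {
        # A protected site normally answers an anonymous request with 401;
        # a 200 here means anonymous access is allowed.
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return [pscustomobject]@{
            Url     = $Url
            Status  = [int]$response.StatusCode
            Https   = ($response.BaseResponse.ResponseUri.Scheme -eq 'https')
            Schemes = @('(none - anonymous access allowed)')
        }
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }          # no HTTP response at all (DNS, TLS, timeout)
        # WWW-Authenticate may be repeated once per scheme; GetValues returns all of them
        $schemes = $resp.Headers.GetValues('WWW-Authenticate')
        if ($null -eq $schemes) { $schemes = @() }
        return [pscustomobject]@{
            Url     = $Url
            Status  = [int]$resp.StatusCode
            Https   = ($resp.ResponseUri.Scheme -eq 'https')
            Schemes = $schemes
        }
    }
}

$result = Get-AdvertisedAuthSchemes -Url 'https://portal.contoso.example/'   # placeholder URL
$result | Format-List

# Basic carries the password in clear inside TLS, so it must never be offered
# without TLS; NTLM/Negotiate on an internet-facing zone has the SSO and
# performance problems listed above and is normally terminated at the gateway.
foreach ($s in $result.Schemes) {
    switch -Wildcard ($s) {
        'Basic*'     { if (-not $result.Https) { Write-Warning "Basic offered without TLS at $($result.Url)" } }
        'NTLM*'      { Write-Warning "NTLM offered externally at $($result.Url)" }
        'Negotiate*' { Write-Warning "Negotiate (Kerberos/NTLM) offered externally at $($result.Url)" }
    }
}
```

Run it once against the external name and once against the internal name: in the TMG/UAG designs that follow, the external answer should come from the gateway (forms or Basic over TLS) while only the internal name offers Negotiate.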

Basic Authentication with TMG Inspection

- Authenticates users at the gateway level: Forms authentication (cookies) or Basic authentication
- Inspects clear HTTP: URL filters etc., intrusion prevention signatures
- Automatically forwards the basic credentials
- Offloads SSL encryption or hides the internal certificates on the farm

TMG and Forms Authentication

TMG Inspection with Kerberos Delegation

- SSO or smart cards and tokens
- No Basic authentication on the internal part: SharePoint “developers” do not receive your full password
- Mutual authentication with client certificate
- No password guessing

UAG Inspection with Kerberos Delegation

TMG features plus:
- Predefined URL and application inspections
- User portal access
- Endpoint policies and compliance

UAG Portal and Forms Authentication

Windows Authentication Recap
- Deploy UAG with certificate logon and Kerberos Constrained Delegation; enforce endpoint compliance
- TMG can also authenticate certificates and/or use Kerberos
- Basic authentication is the simplest, but gives too much freedom to users and SharePoint “administrators”
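The TMG and UAG delegation designs above depend on one Active Directory setting: the gateway's computer account may request Kerberos tickets to the SharePoint SPN on behalf of users it authenticated itself (constrained delegation with protocol transition). The PowerShell below is an added example, not part of the presentation or of any Microsoft guidance: it registers the SPN, grants the delegation, and then audits the directory for every account that holds delegation rights, because such an account can obtain tickets for arbitrary users to its target services and should be known to the defenders. Gateway name UAG01, application pool account CONTOSO\svc-spweb and portal name portal.contoso.example are placeholders; the ActiveDirectory module is assumed.

```powershell
# Added example (not from the presentation): set up and audit Kerberos
# Constrained Delegation (KCD) for a gateway that authenticates users with
# certificates or forms and then impersonates them to SharePoint.
# Placeholders: UAG01 (gateway computer), svc-spweb (web application pool
# account), portal.contoso.example (site name shared by both zones).
Import-Module ActiveDirectory

$gateway   = 'UAG01'
$poolUser  = 'svc-spweb'
$portalSpn = 'HTTP/portal.contoso.example'

# 1. The HTTP SPN belongs to the account that runs the web application pool;
#    service tickets for the site are encrypted to that account's key.
setspn -S $portalSpn "CONTOSO\$poolUser"

# 2. Allow the gateway to obtain tickets for that SPN only
#    (msDS-AllowedToDelegateTo limits the targets) ...
Set-ADComputer -Identity $gateway -Add @{ 'msDS-AllowedToDelegateTo' = $portalSpn }

# 3. ... and enable protocol transition ("use any authentication protocol"),
#    needed because the user never presented a Kerberos ticket to the gateway.
#    This sets TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) in userAccountControl.
Set-ADAccountControl -Identity "$gateway$" -TrustedToAuthForDelegation $true

# Audit: every account that may delegate, with its targets and whether it can
# transition protocols; plus accounts with unconstrained delegation
# (TRUSTED_FOR_DELEGATION, 0x80000), which can impersonate users to any service.
function Get-DelegationAudit {
    $constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties msDS-AllowedToDelegateTo, userAccountControl |
      ForEach-Object {
        [pscustomobject]@{
            Account            = $_.Name
            Class              = $_.ObjectClass
            Delegation         = 'constrained'
            Targets            = ($_.'msDS-AllowedToDelegateTo' -join '; ')
            ProtocolTransition = [bool]($_.userAccountControl -band 0x1000000)
        }
      }
    $unconstrained = Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
        -Properties userAccountControl |
      Where-Object { $_.Name -notmatch '^(DC|KRBTGT)' } |     # domain controllers are expected
      ForEach-Object {
        [pscustomobject]@{
            Account            = $_.Name
            Class              = $_.ObjectClass
            Delegation         = 'UNCONSTRAINED'
            Targets            = '*'
            ProtocolTransition = $false
        }
      }
    $constrained + $unconstrained
}

Get-DelegationAudit | Format-Table -AutoSize
```

Keep the target list to the SharePoint SPNs the gateway really publishes; every additional SPN in msDS-AllowedToDelegateTo is one more service the gateway host could impersonate any user to if it were compromised, and any result marked UNCONSTRAINED outside the domain controllers deserves a follow-up.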

SHAREPOINT 2010 FORMS AUTHENTICATION Designing Secure SharePoint External Access

SharePoint Forms Authentication
- No SSO
- Separate accounts for external users: AD LDS, SQL DB, XML text file, ...
- You manage the account database: create accounts, reset passwords

AD LDS
- Active Directory Lightweight Directory Services
- Standalone LDAP/S server
- Part of Windows Server 2008 and newer (previously a free download, ADAM)
- Installs on Windows 7 as well
- Managed manually using ADSI Edit
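Because the organisation owns the partner account database in this design (create accounts, reset passwords), the ADSI Edit routine above is worth scripting. The PowerShell below is an added example, not from the presentation: it creates a partner user in an AD LDS application partition over LDAPS and resets its password, using the same ADSI interfaces ADSI Edit uses. Host ldshost.contoso.example, LDAPS port 50001, partition DC=extranet,DC=local and the OU=Partners container are placeholders; LDAPS is assumed because AD LDS rejects SetPassword over a non-SSL connection by default.

```powershell
# Added example (not from the presentation): manage external-partner accounts
# in AD LDS from a script instead of ADSI Edit.
# Placeholders: ldshost.contoso.example:50001 (AD LDS instance, LDAPS port),
# OU=Partners,DC=extranet,DC=local (application partition container).
Add-Type -AssemblyName System.DirectoryServices

$ldsHost  = 'ldshost.contoso.example:50001'
$partners = "LDAP://$ldsHost/OU=Partners,DC=extranet,DC=local"
# SSL so the password never crosses the wire in clear; Secure = Windows auth for the binding admin
$bindType = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer -bor
            [System.DirectoryServices.AuthenticationTypes]::Secure

function ConvertTo-PlainText([securestring]$Secure) {
    (New-Object System.Net.NetworkCredential('', $Secure)).Password
}

function New-LdsPartnerUser {
    param(
        [Parameter(Mandatory)][string]$Name,         # becomes the CN
        [Parameter(Mandatory)][string]$Upn,          # login name used by the forms provider
        [Parameter(Mandatory)][securestring]$Password
    )
    $ou   = New-Object System.DirectoryServices.DirectoryEntry($partners, $null, $null, $bindType)
    $user = $ou.Children.Add("CN=$Name", 'user')
    $user.Properties['userPrincipalName'].Value = $Upn
    $user.CommitChanges()                            # object must exist before the password is set
    $user.Invoke('SetPassword', (ConvertTo-PlainText $Password))   # IADsUser::SetPassword, needs SSL
    # AD LDS creates users disabled; enable only after a password is in place
    $user.Properties['msDS-UserAccountDisabled'].Value = $false
    $user.CommitChanges()
    return $user.Path
}

function Reset-LdsPartnerPassword {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )
    $path = "LDAP://$ldsHost/CN=$Name,OU=Partners,DC=extranet,DC=local"
    $user = New-Object System.DirectoryServices.DirectoryEntry($path, $null, $null, $bindType)
    $user.Invoke('SetPassword', (ConvertTo-PlainText $Password))
    $user.CommitChanges()
}

function Disable-LdsPartnerUser {
    param([Parameter(Mandatory)][string]$Name)
    $path = "LDAP://$ldsHost/CN=$Name,OU=Partners,DC=extranet,DC=local"
    $user = New-Object System.DirectoryServices.DirectoryEntry($path, $null, $null, $bindType)
    $user.Properties['msDS-UserAccountDisabled'].Value = $true   # offboarding: keep the object, block logon
    $user.CommitChanges()
}

# Usage (interactive prompt so the initial password is not left in history):
New-LdsPartnerUser -Name 'partner.jdoe' -Upn 'jdoe@partner.example' `
                   -Password (Read-Host -AsSecureString 'Initial password')
```

The three functions map onto the lifecycle the slide assigns to you: create, reset, and (for offboarding) disable rather than delete, so the partner's SharePoint permissions and audit trail remain attributable.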

AD LDS Authentication with Port Forwarding

AD LDS Authentication with UAG Inspection

AD LDS with UAG and Certificates

AD LDS Authentication with UAG Inspection
- Pre-authenticates users at the gateway level: double login prompt, or certificates
- Predefined set of URL and application inspections
- User portal access
- Endpoint policies and compliance

ACTIVE DIRECTORY FEDERATION SERVICES Designing Secure SharePoint External Access

AD FS
- HTTPS/XML authentication protocol
- Replacement for AD trusts
- Free download (RTW – released to web)
- Accounts managed by the Account Partner
- Resource Partner just accepts identity claims
- Requires a level of management on the Account Partner's part

AD FS Principles

TAKEAWAY Designing Secure SharePoint External Access

Takeaway
- Use certificates and/or Kerberos for internal users
- Use AD LDS for external partners without AD FS
- Use AD FS for larger external partners who do want to manage their own accounts
Ondrej Sevecek | MCM: Directory | MVP: Security

Don’t forget to submit your feedback and win a great Nokia smartphone and Kindle e-reader!