Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Published byOscar Lyons Modified over 8 years ago

Similar presentations

Presentation on theme: "Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |"— Presentation transcript:

1 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |

2 Designing Secure SharePoint External Access

3 Why Enable internal users to access from outside Share portal access with business partners

4 How Forefront Threat Management Gateway Forefront Unified Access Gateway

5 Challenges Secure authenticated access Smooth document access from Office applications Repeated password prompts Endpoint compliance Intrusion prevention

6 Designing Secure SharePoint External Access

7 SharePoint Authentication Classic Mode Authentication NTLM or Kerberos Claims Based Authentication NTLM or Kerberos Basic ASP.NET Forms Active Directory Federation Services

8 SharePoint Authentication

9 Extending Web Applications WFE LAN Internet Intranet Web Site http://intranet Extranet Web Site https://extranet.idtt.com Web Application Content DB Kerberos Forms.PDF/.DOC Visitors READ LDAP AD

10 Extending Web Applications

11 Designing Secure SharePoint External Access

12 SharePoint Authentication External access for internal users Basic NTLM (no SSO) Kerberos (only on intranet) SSL client certificates Not suitable for external users accounts in AD possibly other access

13 SharePoint Authentication for Internal Users Basic plaintext password works from internet no SSO NTLM less secure, MD5 performance problems at 200 +/- users per WFE no SSO Kerberos secure, mutual authentication, AES, smart cards faster, smoother intranet only SSL Client Certificates the most secure, mutual authentication SSO from outside

14 Internal Users Authentication MethodSSOMutual Authentication Used from internet SecurityNotes Basicno yeslittle NTLMno yespassword hashperformance problems Kerberosyes nopassword hash SSL Certificate yes private key

15 Basic Authentication with Port Forwarding

16 Simplest to deploy Less secure direct access to the farm Must use public certificates on the farm NTLM would require custom IE configuration and has performance problems

17 Basic Authentication with TMG Inspection

18 Authenticates users at the gateway level Forms authentication (cookies) Basic authentication Inspects clear HTTP plus URL filters etc. intrusion prevention signatures Automatically forwards the basic credentials Offloads SSL encryption or hides the internal certficates on the farm

19 TMG and Forms Authentication

20 TMG Inspection with Kerberos Delegation

21 SSO or smart cards and tokens No Basic authentication on the internal part SharePoint “developers” do not receive your full password Mutual authentication with client certificate No password guessing

22 UAG Inspection with Kerberos Delegation

23 TMG features plus Predefined URL and application inspections User portal access Endpoint policies and compliance

24 UAG Portal and Forms Authentication

25 Windows Authentication Recap Deploy UAG with certificate logon and Kerberos Constrained Delegation, enforce endpoint compliance TMG can also authenticate certificates and/or use Kerberos Basic authentication is the most simple, but gives too much freedom to users and SharePoint “administrators”

26 Designing Secure SharePoint External Access

27 SharePoint Forms Authentication No SSO Separate accounts for external users AD LDS, SQL DB, XML text file,... You manage the account database create accounts reset passwords

28 AD LDS Active Directory Lightweight Directory Services Standalone LDAP/S server Part of Windows Server 2008 and newer previously free download ADAM Installs on Windows 7 as well Managed manually using ADSI Edit

29 AD LDS User Accounts

30 AD LDS Authentication with Port Forwarding

31 AD LDS Authentication with UAG Inspection

32 AD LDS with UAG and Certificates

33 AD LDS Authentication with UAG Inspection Pre-authenticates users at the gateway level double login prompt or certificates Predefined set of URL and application inspections User portal access Endpoint policies and compliance

34 Designing Secure SharePoint External Access

35 AD FS HTTPS/XML authentication protocol Replacement for AD trusts Free download RTW – released to web Accounts managed by Account Partner Resource Partner just accepts identity claims Requires level of management on the Account Partner part

36 AD FS Principles

37

38

39 Designing Secure SharePoint External Access

40 Takeaway Use certificates and/or Kerberos for internal users Use AD LDS for external partners without AD FS Use AD FS for larger external partners who do want to manage their own accounts

41 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |

Download ppt "Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |"

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Ljubomir Ivaniš CPU d.o.o.

Ljubomir Ivaniš CPU d.o.o.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |
Dan Usher Joel Ward. Who we are… What we’ve seen… Security Concerns in today’s world Why SmartCards? Authentication & Authorization of SharePoint IIS.

Dan Usher Joel Ward. Who we are… What we’ve seen… Security Concerns in today’s world Why SmartCards? Authentication & Authorization of SharePoint IIS.
Implementing and Administering AD FS

Implementing and Administering AD FS
Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.

Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
Welcome to the Minnesota SharePoint User Group November 11 th, 2009 SharePoint 2010 Administration Wes Preston, Brian Caauwe.

Welcome to the Minnesota SharePoint User Group November 11 th, 2009 SharePoint 2010 Administration Wes Preston, Brian Caauwe.
Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |

Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Virtual techdays INDIA │ 18-20 august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)

Virtual techdays INDIA │ august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | |
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.
Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.

Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
Chapter 12: Additional Active Directory Server Roles

Chapter 12: Additional Active Directory Server Roles

Similar presentations

Ads by Google