Designing Secure SharePoint External Access Ondrej Sevecek | MCM: Directory | MVP: Security |

Presentation transcript:

1 Designing Secure SharePoint External Access Ondrej Sevecek | MCM: Directory | MVP: Security ondrej@sevecek.com | www.sevecek.com

2 MOTIVATION Designing Secure SharePoint External Access

3 Why
  - Enable internal users to access from outside
  - Share portal access with business partners

4 How
  - Forefront Threat Management Gateway
  - Forefront Unified Access Gateway

5 Challenges
  - Secure authenticated access
  - Smooth document access from Office applications
  - Repeated password prompts
  - Endpoint compliance
  - Intrusion prevention

6 AUTHENTICATION OVERVIEW Designing Secure SharePoint External Access

7 SharePoint Authentication
  - Classic Mode Authentication
      - NTLM or Kerberos
  - Claims Based Authentication
      - NTLM or Kerberos
      - Basic
      - ASP.NET Forms
      - Active Directory Federation Services

8 SharePoint Authentication

9 Extending Web Applications
  [Diagram: one Web Application and Content DB on the WFE, exposed as the Intranet Web Site http://intranet (LAN, Kerberos, AD) and as the Extranet Web Site https://extranet.idtt.com (Internet, Forms, LDAP); Visitors have READ access; .PDF/.DOC documents]

10 WINDOWS AUTHENTICATION Designing Secure SharePoint External Access

11 SharePoint Authentication
  - External access for internal users
      - Basic
      - NTLM (no SSO)
      - Kerberos (only on intranet)
      - SSL client certificates
  - Not suitable for external users
      - accounts in AD
      - possibly other access

12 SharePoint Authentication for Internal Users
  - Basic
      - plaintext password
      - works from internet
      - no SSO
  - NTLM
      - less secure, MD5
      - performance problems at 200 +/- users per WFE
      - no SSO
  - Kerberos
      - secure, mutual authentication, AES, smart cards
      - faster, smoother
      - intranet only
  - SSL Client Certificates
      - the most secure, mutual authentication
      - SSO from outside

13 Internal Users Authentication

  Method           SSO   Mutual authentication   Used from internet   Security        Notes
  Basic            no    no                      yes                  little
  NTLM             no    no                      yes                  password hash   performance problems
  Kerberos         yes   yes                     no                   password hash
  SSL Certificate  yes   yes                     yes                  private key

  (Mutual-authentication and "used from internet" values for SSL certificates follow slide 12: mutual authentication, SSO from outside.)

14 Basic Authentication with Port Forwarding

15 Basic Authentication with Port Forwarding
  - Simplest to deploy
  - Less secure: direct access to the farm
  - Must use public certificates on the farm
  - NTLM would require custom IE configuration and has performance problems

16 Basic Authentication with TMG Inspection

17 Basic Authentication with TMG Inspection
  - Authenticates users at the gateway level
      - Forms authentication (cookies)
      - Basic authentication
  - Inspects clear HTTP plus URL filters etc.
      - intrusion prevention signatures
  - Automatically forwards the basic credentials
  - Offloads SSL encryption or hides the internal certificates on the farm

18 TMG and Forms Authentication

19 TMG Inspection with Kerberos Delegation

20 TMG Inspection with Kerberos Delegation
  - SSO or smart cards and tokens
  - No Basic authentication on the internal part
      - SharePoint “developers” do not receive your full password
  - Mutual authentication with client certificate
  - No password guessing

21 UAG Inspection with Kerberos Delegation

22 UAG Inspection with Kerberos Delegation
  - TMG features plus
      - Predefined URL and application inspections
      - User portal access
      - Endpoint policies and compliance

23 UAG Portal and Forms Authentication

24 Windows Authentication Recap
  - Deploy UAG with certificate logon and Kerberos Constrained Delegation, enforce endpoint compliance
  - TMG can also authenticate certificates and/or use Kerberos
  - Basic authentication is the most simple, but gives too much freedom to users and SharePoint “administrators”
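As an added example (not code from the presentation), the Active Directory side of the "gateway inspection with Kerberos delegation" design from slides 19 to 24, written in PowerShell with the ActiveDirectory module. The domain idtt.com, the gateway computer account UAG01, the SharePoint application pool account IDTT\sp_app and the SPN HTTP/intranet are assumptions.

```powershell
# Added example, not from the deck. Assumed names: domain idtt.com, TMG/UAG
# computer account UAG01, SharePoint app pool account IDTT\sp_app, site http://intranet.
Import-Module ActiveDirectory

$gateway = 'UAG01'                                    # computer account of the gateway
$appPool = 'IDTT\sp_app'                              # web application pool account
$spns    = @('HTTP/intranet', 'HTTP/intranet.idtt.com')

# 1. The app pool account must own the HTTP SPNs of the site; without them the KDC
#    cannot issue a service ticket for SharePoint and IIS silently falls back to NTLM.
#    setspn -S refuses to create a duplicate SPN, which is the failure mode to avoid.
foreach ($spn in $spns) {
    setspn -S $spn $appPool | Out-Null
}

# 2. Constrained delegation: the gateway may request tickets on behalf of the user
#    for the SharePoint SPNs only, never for other services in the forest.
Set-ADComputer -Identity $gateway -Add @{ 'msDS-AllowedToDelegateTo' = $spns }

# 3. Protocol transition ("use any authentication protocol"): needed because the user
#    proves identity at the gateway with a certificate or a form, not with a Kerberos
#    ticket that could be forwarded. -TrustedForDelegation (unconstrained) is NOT set.
Set-ADAccountControl -Identity ($gateway + '$') -TrustedToAuthForDelegation $true

# Verification: the constrained list is present and the unconstrained flag is absent.
Get-ADComputer -Identity $gateway `
    -Properties 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation' |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
```

The gateway's published rule must then use the same SPN (HTTP/intranet) as the delegation target; a mismatch shows up as the gateway receiving a 401 from the farm rather than as an AD error.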

25 SHAREPOINT 2010 FORMS AUTHENTICATION Designing Secure SharePoint External Access

26 SharePoint Forms Authentication
  - No SSO
  - Separate accounts for external users
      - AD LDS, SQL DB, XML text file, ...
  - You manage the account database
      - create accounts
      - reset passwords

27 AD LDS
  - Active Directory Lightweight Directory Services
  - Standalone LDAP/S server
  - Part of Windows Server 2008 and newer
      - previously free download ADAM
  - Installs on Windows 7 as well
  - Managed manually using ADSI Edit

28 AD LDS Authentication with Port Forwarding

29 AD LDS Authentication with UAG Inspection

30 AD LDS with UAG and Certificates

31 AD LDS Authentication with UAG Inspection
  - Pre-authenticates users at the gateway level
      - double login prompt or certificates
  - Predefined set of URL and application inspections
  - User portal access
  - Endpoint policies and compliance
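Added example (not the presentation's code): extending the web application from the slide 9 diagram to an Extranet zone that authenticates external partners with forms against AD LDS (slides 26 to 31), in SharePoint 2010 PowerShell. The URLs, the provider names LdapMember/LdapRole and the AD LDS role "partners" are assumptions; it also assumes the web application is claims-based and that those providers are already declared in web.config.

```powershell
# Added example, not from the deck. Assumes a claims-based SharePoint 2010 web
# application at http://intranet and AD LDS membership/role providers named
# LdapMember and LdapRole already registered in web.config of the web application,
# Central Administration and the SecurityTokenServiceApplication on every WFE.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication -Identity 'http://intranet'

# Forms provider for the extranet zone, backed by AD LDS. No Windows provider is
# added to this zone, so internal AD accounts are not offered on the public side.
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider 'LdapMember' `
                                    -ASPNETRoleProviderName 'LdapRole'

# Second zone on the same web application and content database: HTTPS only, and
# anonymous access stays off because -AllowAnonymousAccess is not used.
New-SPWebApplicationExtension -Identity $webApp -Name 'Extranet' -Zone 'Extranet' `
    -Url 'https://extranet.idtt.com' -HostHeader 'extranet.idtt.com' -Port 443 `
    -SecureSocketsLayer -AuthenticationProvider $fba

# Partners get read-only access ("Visitors READ" in the diagram): the AD LDS role
# "partners" joins the site's Visitors group. The encoded role claim format
# c:0-.f|<roleprovider>|<role> is an assumption; compare with ToEncodedString()
# on a claims principal from your own farm if in doubt.
$web      = Get-SPWeb -Identity 'http://intranet'
$roleUser = $web.EnsureUser('c:0-.f|ldaprole|partners')
$web.AssociatedVisitorGroup.AddUser($roleUser)
$web.Dispose()

# Check: the new zone exists, carries only the forms provider and is not anonymous.
$webApp = Get-SPWebApplication -Identity 'http://intranet'
$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet
$iis    = $webApp.IisSettings[$zone]
$iis.ClaimsAuthenticationProviders | Select-Object DisplayName, ClaimProviderName
"Anonymous access on Extranet zone: $($iis.AllowAnonymous)"
```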

32 ACTIVE DIRECTORY FEDERATION SERVICES Designing Secure SharePoint External Access

33 AD FS
  - HTTPS/XML authentication protocol
  - Replacement for AD trusts
  - Free download
      - RTW – released to web
  - Accounts managed by Account Partner
  - Resource Partner just accepts identity claims
  - Requires level of management on the Account Partner part

34 AD FS Principles


37 TAKEAWAY Designing Secure SharePoint External Access

38 Takeaway
  - Use certificates and/or Kerberos for internal users
  - Use AD LDS for external partners without AD FS
  - Use AD FS for larger external partners who do want to manage their own accounts
  Ondrej Sevecek | MCM: Directory | MVP: Security ondrej@sevecek.com | www.sevecek.com

39 Don’t forget to submit your feedback and win a great Nokia smartphone and Kindle e-reader!
