Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive.


Description
Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive. Name, 03/28/07. Agenda: MOSS 2007 Security Challenges; Pluggable Authentication/Zones; Encryption of Application Connection Strings; Targeted Content for Secure Collaboration; Information Rights Management.
Transcripts
Slide 1

Microsoft Office SharePoint Server 2007: Security Enhancements Deep Dive Name 03/28/07

Slide 2

Agenda: MOSS 2007 Security Challenges; Pluggable Authentication/Zones; Encryption of Application Connection Strings; Targeted Content for Secure Collaboration; Information Rights Management; MOSS 2007 Customer Facing Scenario.

Slide 3

Microsoft Office SharePoint Server 2007. MOSS 2007 facilitates the implementation of effective security: Simplifies implementing Internet-facing environments (extranets). Enables support for heterogeneous environments. Uses pluggable forms-based authentication (FBA) providers. Reduces management overhead and improves security. Offers granular rights management of business assets.

Slide 4

Agenda: MOSS 2007 Security Challenges; Pluggable Authentication/Zones; Encryption of Application Connection Strings; Targeted Content for Secure Collaboration; Information Rights Management; MOSS 2007 Customer Facing Scenario.

Slide 5

Challenges for MOSS 2007 Security. The challenges for MOSS 2007 are to: Support authentication for multiple identity management systems. Provide authentication that maps user accounts for third-party applications to LOB systems. Configure entry points for MOSS/control URL site mapping. Secure valuable application connection string information. Lock down site collections and restrict user access across MOSS. Provide client-level protection of sensitive information.

Slide 6

Agenda: MOSS 2007 Security Challenges; Pluggable Authentication/Zones; Encryption of Application Connection Strings; Targeted Content for Secure Collaboration; Information Rights Management; MOSS 2007 Customer Facing Scenario.

Slide 7

Pluggable Authentication Provider. MOSS incorporates ASP.NET 2.0 pluggable authentication for Windows and non-Windows identities. Supports the built-in, Windows-based authentication systems. Enables Internet-facing SharePoint authentication. Enables pluggable authentication providers based on the ASP.NET 2.0 membership architecture. ASP.NET 2.0 pluggable providers can use membership data stores including: Microsoft Access, Oracle databases, XML documents, and flat text files.

Slide 8

ASP.NET 2.0 Membership Provider. Supports configurable directories in a role data store. Stores pluggable provider credentials in the machine.config file. MOSS membership providers include: LDAP V3 directory (with MOSS), SQL Server, and Active Directory (ASP.NET 2.0). Pluggable membership providers inherit from the ASP.NET MembershipProvider interface; this interface inherits from the ProviderBase class.

Slide 9

Considerations for ASP.NET Authentication. MOSS services use Windows accounts, even with a pluggable provider. Use Windows identities to ease Microsoft Office client interoperation. Authentication types that do not resolve to a Windows identity must use a MOSS zone. An established PKI infrastructure, for example for smartcards, typically resolves to a Windows identity. PKI implementations may require a MOSS zone or another design. [Insert a diagram here: Company A (Windows Authentication), Company B (Non-Windows Authentication)]

Slide 10

Pluggable Single Sign-On (SSO). The MOSS SSO service provides an encrypted back-end store of users' credentials for mapping to connected LOB systems. Helps in retrieving critical data through MOSS mechanisms: Business Data Catalog (BDC) and SharePoint DataView Web Parts (DVWP). A pluggable SSO provider can be specified instead of SpsSsoProvider. Only one SSO provider is registered per LOB system at a time.

Slide 11

Forms-Based Authentication. Uses pluggable authentication and role providers to enable Internet-style security. Supports a customized login process tailored to users' needs. Forms authentication cookies and authentication tickets are encrypted and tamper-proof. The forms identity provider, called Web SSO, can connect to an external identity management system.

Slide 12

Web Single Sign-On. MOSS supports federated authentication between Web SSO vendors. Uses an HTTP module for external authentication. Allows external partners to authenticate to MOSS using their own user credentials. Delegates login and password reset to the partners. Web SSO authentication requires an extranet zone. [Diagram label: Partner Application]

Slide 13

Alternate Access Mapping (AAM). AAM ensures internal and public URL mappings work correctly. The /MOSS URL is mapped by default, but can be extended to additional URLs. Alternate URLs can be mapped to one physical path, for example /MOSS. MOSS entry points can use different authentication providers/Web application security policies. Adjusts for different domains, reverse proxies, and other URL redirection mechanisms. [Diagram labels: Intranet Users, http://contoso, http://MOSS, Extranet Users, http://extranet.contoso.com]

Slide 14

AAM Example Configuration. Example: The /MOSS site has two AAM URLs, one for internal corporate users and one for external partners. The Intranet URL, /contoso, is mapped to the Intranet zone, which resolves to domain-authenticated Windows identities. The Extranet URL, /extranet.contoso.com, is mapped to a different zone, the Extranet zone, where login is via Web SSO authentication. [Diagram labels: Intranet Users, http://contoso, http://MOSS, Extranet Users, http://extranet.contoso.com]

Slide 15

Zones: Alternate Access Mapping (AAM). A zone maps multiple Web applications to a single set of content databases, allowing greater control over AAM. Zones use the AAM URL to map authentication providers to the same physical path and MOSS content. Recommended: Bind the zone to an authentication mechanism. Default: An AAM URL that maps to a zone not listed on the authentication providers page uses the security context of the Default zone. Recommended: Place the most publicly accessible URL in the Default zone, for example intranet, Internet, custom, or extranet.

Slide 16

Zones: AAM Configuration. Zones affect how users are authenticated and routed through the portal from URL entry points. New Web applications can be extended by specifying the zone in the Load Balancing URL section of the settings. [Screenshot label: Extranet] Within each zone, bind a global Web application security policy that defines permission settings for users in the zone.

Slide 17

Zones: AAM Planning Scenario. Zones require planning! This example scenario shows the decisions the authentication system must make when a Web browser attempts to authenticate.

Slide 18

AAM/Global Security Policies. MOSS supports global security policies that bind policy settings to a specific user or group within the application. Examples: Full access, full read access, deny-write access, or deny-all access. Overrides the MOSS granular permission settings, which are managed from the SharePoint Central Administration interface. Binding security policies to zones gives trusted external users full-read access; no manual settings are needed.

Slide 19

Agenda: MOSS 2007 Security Challenges; Pluggable Authentication/Zones; Encryption of Application Connection Strings; Targeted Content for Secure Collaboration; Information Rights Management; MOSS 2007 Customer Facing Scenario.

Slide 20

Encryption of Application Connection Strings. Storing connection string information in plain text in the web.config file creates a security vulnerability. ASP.NET 2.0 functionality can be used to encrypt application connection string information using either: Windows Data Protection API (DPAPI): encrypts and decrypts using the MOSS server machine key. RSA encryption: uses public key algorithms, but requires appropriate containers for the encryption keys. Pluggable encryption providers can use different encryption mechanisms.

Slide 21

Connection String Encryption Best Practices. For MOSS 2007 and a pluggable SQL Server authentication provider, encode the <connectionStrings> node as cipher text: DPAPI uses local machine key encryption for either a virtual directory or a physical directory. Use the following commands: Encrypt the connection strings node, specifying the location parameter:

Slide 22

Connection String Encryption Best Practices (continued). After execution, the nodes of sensitive information are replaced by well-formed XML cipher values. This pluggable model can support custom encryption providers to manage cipher text for the relevant MOSS configuration files. Considerations: Encryption using the local machine key means the configuration node can only be used on the MOSS server on which it was created. If an intruder gained access to the server and retrieved the machine key, they could decrypt the connection string. Decryption causes a minor application performance hit.
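As an added example, not part of the deck, a small Python audit that tells the plaintext <connectionStrings> node of slide 20 apart from the protected form slide 22 describes. The protected sample uses the real DataProtectionConfigurationProvider name and element layout that ASP.NET 2.0 emits; the connection string, server name and cipher value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config whose SQL credentials sit in the clear.
PLAINTEXT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="MembershipDb"
         connectionString="Server=sql01;Database=aspnetdb;User Id=aspnet;Password=NotSecret1!"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""

# Constructed sample: the same section after DPAPI protection. The provider name and
# element layout are what ASP.NET 2.0 emits; the cipher value itself is a placeholder.
PROTECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAPLACEHOLDER==</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""


def audit_connection_strings(config_xml: str) -> dict:
    """Report whether <connectionStrings> is protected and, if not, what it exposes."""
    root = ET.fromstring(config_xml)
    section = root.find("connectionStrings")
    if section is None:
        return {"status": "missing", "provider": None, "exposed": []}
    provider = section.get("configProtectionProvider")
    if provider:
        # A protected node holds only EncryptedData/CipherData/CipherValue. The RSA
        # provider emits those in the xmlenc namespace, so compare on the local name.
        has_cipher = any(el.tag.rsplit("}", 1)[-1] == "CipherValue" for el in section.iter())
        return {"status": "protected" if has_cipher else "malformed",
                "provider": provider, "exposed": []}
    exposed = []
    for add in section.findall("add"):
        parts = add.get("connectionString", "").split(";")
        keys = {p.split("=", 1)[0].strip().lower() for p in parts if "=" in p}
        # Embedded SQL credentials are the case the slides call a vulnerability.
        exposed.append({"name": add.get("name"),
                        "has_password": bool({"password", "pwd"} & keys)})
    return {"status": "plaintext", "provider": None, "exposed": exposed}


if __name__ == "__main__":
    for label, cfg in (("before", PLAINTEXT_CONFIG), ("after", PROTECTED_CONFIG)):
        print(label, audit_connection_strings(cfg))
```

Pointing the function at each web.config on a farm is a quick way to confirm the slide 21 step was actually applied on every server, since the DPAPI form is machine-specific and cannot be copied between servers.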

Slide 23

Agenda: MOSS 2007 Security Challenges; Pluggable Authentication/Zones; Encryption of Application Connection Strings; Targeted Content for Secure Collaboration; Information Rights Management; MOSS 2007 Customer Facing Scenario.

Slide 24

Targeted Content for Secure Collaboration. MOSS ECM Common Services control access to stored information. Lockdown permits users to access only the information they are authorized for: Binds an identity to a specific object, from a site collection down to a document or list. Enforces granular access controls and explicit membership for an item. Denies access and trims the UI to show accessible items only.

Slide 25

Item Level Security (ILS)/Secured Objects (SO). Scales MOSS object permissions from site collections down to individual objects. Allows permission inheritance from parent to child objects. 33 default permissions can be assigned to a user or SharePoint group. Permissions can be specified on list items, for example in an Events list. Returned search results can map back to the security context of the user. These controls trim the UI to the specific user's context.

Slide 26

Permission Management Architecture. Sets permissions for SharePoint users, groups, and domain groups. Default groups include: Owners (get full control), Visitors (get contributor rights), Members (get read right
