This article can also be found in the Premium Editorial Download "SharePoint Insider: Managing documents by content type."
Download it now to read this article plus other related content.
When it comes to securing SharePoint Server, decisions are best made during the planning stages of SharePoint deployment because it's difficult to retroactively apply security policies. When formulating security strategies, focus on three key areas: access control, application security and content security.
Practical compromise through access control
The main way to secure SharePoint is through access control. SharePoint allows users to create and manage their own groups, but there are ways to control them. The IT department can create Active Directory roles within SharePoint groups so only those authorized to use AD management tools can grant and change access permissions.
Centralized access management leads to greater control and more efficiency, but it also slows down users when they are creating their own structures and granting access to them. A practical compromise is to control access to top-level department sites and enterprise-wide sites from Active Directory and IT but to have areas in SharePoint where users can create ad hoc sites and grant access to them themselves.
These areas would then be man- aged using policies and quotas. For example, if a SharePoint site is not accessed for 90 days, the administrator would be asked whether to keep it or delete it. Those sites can also have size limits where administrators would be notified by email if they reach 80%of capacity.With that, no more content could be added when they reach 100%.
Protect performance with application security
Application security policies protect against denial-of-service attacks and anything that might compromise the performance or stability of the SharePoint Server platform. For the first layer of protection, apply the principles of least privilege during installation to the service accounts Share- Point uses to run the application.
To complete this process, follow the steps outlined in TechNet's Plan for administrative and service accounts (Office SharePoint Server), which provides requirements and recommendations for configuring administrative and service accounts.
One thing to remember is that SharePoint Server can be added to and customized because it is, at its core, an ASP.NET application. There are many ways code or markup changes can interfere with the system. Clear policies at the start will ensure that SharePoint remains as secure as possible.
Once again, apply the principles of least privilege here. Custom code needs execute permission to run, and this is a high-level privilege. Here are three ways to provide this level:
- You could edit the virtual server's web.config file from minimal to medium or full. This is not recommended because it allows too much latitude to the code.
- You can install the assemblies in the GAC, or global assembly cache. This provides very
high privileges, but there is no way to control what the code can do and what it cannot
The solution is custom policy files, which are difficult to implement but are the most secure way to deploy assemblies. To learn more about code access security, review Microsoft Windows SharePoint Services and Code Access Security.
- You can use SharePoint Designer, which is a free productivity tool that has many benefits, but it can create security headaches because sites can become inaccessible. It can, however, be locked down at a number of levels by removing specific permissions within SharePoint.
Policies guide content security
Securing SharePoint's content requires policies that dictate how, where and who can publish and share content and for what audience. For example, some companies may restrict employees from having blogs to control how they share sensitive information with the public.
Although policy restrictions may make it clear to employees that unauthorized sharing is prohibited, you may want to be more proactive by creating channels that do allow information to be shared but in a way that means it is vetted and approved first. To create channels that restrict viewing before content is approved, use approval workflows.
It’s important to note that even though “audiences” can be defined to target what content can be viewed, they do not secure it. Anyone can still access information as long as he or she has the appropriate access rights.
Business conditions and circumstances change all the time, so security policies must be reviewed and improved regularly to keep in step with business needs. SharePoint allows users and developers to be in control. They need clear rules that allow maximum freedom and maintain security, stability and—most important—performance.
About the author:
Stephen Cummins is founder of www.spsfaq.com and a SharePoint consultant. Cummins has been a SharePoint Most Valuable Professional for the past seven years. He lives in Kildare, Ireland, with his wife, daughter, two dogs and an ever-changing number of goldfish. Cummins is a globally known expert with experience delivering Microsoft enterprise technology into complex environments. His core technologies are SharePoint Server,Windows SharePoint Services, Search Server, IIS, SQL Server,Windows Server, Office, InfoPath and Microsoft Project Server.
This was first published in June 2009