Microsoft Windows SharePoint Services includes, or relies on, the following elements that affect the security of your Web site content:
User authentication for Windows SharePoint Services is based on Internet Information Services (IIS) authentication methods. You can use Windows SharePoint Services with the following forms of user authentication:
You choose the authentication method you want to use when you set up your Web server. You cannot change the authentication method by using the Windows SharePoint Services administration tools; you must use the Internet Information Services administration tool for your server computer to change the authentication method.
Anonymous authentication
Anonymous authentication provides access to users who do not have Windows accounts on the server computer, such as Web site visitors. IIS creates the anonymous account for Web services, which is often named IUSR_computername. When IIS receives an anonymous request, it impersonates the anonymous account.
You can allow or disallow anonymous access in IIS for a particular virtual server, and allow or disallow anonymous access for a site on that virtual server by using SharePoint Central Administration. Anonymous access must be enabled in IIS before you can enable it for a Web site on that virtual server.
Basic authentication
Basic authentication is an authentication protocol supported by most Web servers and browsers. Although Basic authentication transmits user names and passwords in easily decoded clear text, it has some advantages over more secure authentication methods: it works through a proxy server firewall and ensures that a Web site is accessible by almost any Web browser. If you use Basic authentication in combination with Secure Sockets Layer (SSL) security, you can help protect user names and passwords, making your user information more secure than using only Basic authentication.
Integrated Windows authentication
Integrated Windows authentication (also known as Windows NT Challenge Response) encrypts user names and passwords in a multiple-transaction interaction between client and server, which makes this method more secure than Basic authentication. Its disadvantages are that it cannot be performed through a proxy server firewall, and that some Web browsers, such as Netscape Navigator, do not support it. You can enable both this authentication method and Basic authentication; most Web browsers then select the most secure option. For example, if both Basic authentication and Integrated Windows authentication are enabled, Microsoft Internet Explorer tries Integrated Windows authentication first.
Certificates authentication (SSL)
Certificates authentication (also known as Secure Sockets Layer (SSL) security) provides communications privacy, authentication, and message integrity for a TCP/IP connection. By using the SSL protocol, clients and servers can communicate in a way that prevents eavesdropping, tampering, or message forgery. With Windows SharePoint Services, SSL helps secure access across firewalls and allows more secure remote administration of Windows SharePoint Services. You can also specify that SSL be used when opening a Web site based on Windows SharePoint Services.
SharePoint administrators group
To install Windows SharePoint Services, you must be a member of the local administrators group on the server computer. This group also gives users the permissions needed to control settings on the SharePoint Central Administration pages, and to run the command-line tool Stsadm.exe. You can also identify a specific domain group to allow administration access to Windows SharePoint Services, in addition to the local administrators group. Help documentation for Microsoft SharePoint Products and Technologies refers to this domain group as the SharePoint administrators group. You can add users to this group rather than to the local administrators group, to separate administration access to Windows SharePoint Services from administration access to the local server computer.
Members of the SharePoint administrators group do not have access to the IIS metabase, so they cannot perform the following actions for Windows SharePoint Services:
Note Members of this group can create top-level Web sites and change virtual server settings.
Members of the SharePoint administrators group can perform any other administrative action using SharePoint Central Administration or the object model for Windows SharePoint Services.
Members of both the SharePoint administrators group and the local administrators group have rights to view and manage all sites created on their servers. This means that a server administrator can read documents or list items, change survey settings, delete a site, or perform any action on a site that the site administrator can perform.
Windows SharePoint Services includes site groups to help you assign particular rights to users and cross-site groups. With site groups, you do not have to control the file and folder permissions separately, or worry about keeping your local groups synchronized with your list of Web users. You use site groups to give users permissions on your Web site, and use Windows SharePoint Services administration tools to add users directly.
In effect, user management is delegated from server administrators to the site owners and administrators. Site administrators control site access and, by default, have rights to add, delete, or change site group membership for users. Inside an organization, this typically means that site administrators select users from the list of the organization's users, and grant them access to varying degrees. For example, if the Web site is for members of a particular workgroup to share documents and information, the site administrator adds members of that workgroup to the site and assigns them to the Contributor site group, so that they can add documents and update lists.
In an ISP or extranet environment, a site owner can add users and create accounts, perhaps using separate user lists for each site collection. The site administrator adds the users to the Web site and Windows SharePoint Services automatically adds the users to Microsoft Active Directory directory service.
Members of the Administrator site group for a top-level Web site can control more options than administrators of a subsite. Administrators of a top-level Web site can perform actions such as specifying settings for Web document discussions or alerts, viewing usage and quota data, and changing anonymous access settings.
Note The owner and secondary owner of a top-level Web site may be members of the Administrator site group for their site, but they are also identified separately in the configuration database as site collection owners. This owner flag can only be changed by using the Manage Site Collection Owners page in SharePoint Central Administration or by using the siteowner operation with Stsadm.exe. If you remove an owner from the Administrator site group for the site, the owner retains the owner flag in the database, and can still perform site collection administration tasks.
Securing the port used to access SharePoint Central Administration
If a malicious user gains access to the port used to access SharePoint Central Administration, they can potentially block other users from accessing sites, modify site content, or even disable a Web server entirely. It is therefore important to restrict access to the port used by SharePoint Central Administration. To do so, it is recommended that you do the following:
If you want to be able to manage Windows SharePoint Services across an Internet connection, use SSL to provide more secure communication between a client computer and the server, even across the Internet. To use SSL, you must first configure SSL in Internet Information Services (IIS), and then use the command line to configure Windows SharePoint Services.
Note When you use SSL, the URL for SharePoint Central Administration changes from http:// to https://.
It is recommended that if you do not need to provide access to SharePoint Central Administration from the Internet, you use the firewall settings to block access to the port used by SharePoint Central Administration, or to restrict access to the port to certain domains. Use the stsadm -o setadminport operation to set each server in a server farm to the same port number, and configure the firewall to help protect that port on all servers. Alternatively, you can use the IP and name restrictions feature in IIS to restrict access to specific domains. To do this, you must specify these restrictions for each virtual server to which you want to restrict access.
Use the SharePoint administrators group to control which users can access SharePoint Central Administration. Only the domain group you specify, and local administrators, can access the port used by SharePoint Central Administration. Limit the local administrator access to only a few computer operators.
Use Integrated Windows authentication rather than Basic authentication for SharePoint Central Administration. Basic authentication is less secure because it sends passwords in clear text; Integrated Windows authentication avoids this.
Allowing anonymous access makes a server inherently less secure. If anonymous users can get access to a server, they can change settings or content, and their actions cannot be traced to a real user account. Anonymous access is disabled by default for the port used by SharePoint Central Administration.
Securing SQL Server connections
If you are using SQL Server instead of Microsoft SQL Server Desktop Engine (Windows) 2000 (WMSDE) for your databases, you can choose between the following two security methods for interactions between Windows SharePoint Services and database servers running SQL Server:
Note If you are using SQL Server on a separate database server from the server running Windows SharePoint Services, you must use a domain account (or the Local System or Network Service account) as the IIS application pool account. If you use a local account, it cannot access the computer running SQL Server. For the administration virtual server, the IIS application pool account must also have rights to create databases in SQL Server. If you use Local System or Network Service, you must grant the database server privileges to the machine account for the Web server computer. Application pool accounts for other virtual servers do not need database creation rights; they rely on the administration virtual server to create databases.
About Windows NT Integrated authentication
With Windows NT Integrated authentication, you use the Internet Information Services (IIS) application pool credentials to connect to the SQL Server databases. The credentials are stored securely in the IIS metabase, as they are for other IIS worker processes. When Windows SharePoint Services connects to the databases, it runs under its usual process and uses the IIS process identity for the connection. In a server farm deployment, you must ensure that changes to credentials are propagated to all servers. For example, if the domain has a policy requiring frequent password resets, you must change the password in IIS on every server computer in the server farm.
You can have a single process for all of the virtual servers in a deployment, or you can isolate each virtual server with its own application pool. Using separate processes is more secure. For example, if you have a custom script running for one virtual server, it could potentially be written to access pages in another virtual server if they share an application pool. If they have separate application pools, the script cannot authenticate to the database across virtual servers.
About SQL Server authentication
SQL Server authentication uses an administrator account and password (often the default sa account) stored in the SQL Server database to connect Windows SharePoint Services to the databases. The same user name and password are used for all updates to the databases, no matter which virtual server, or which server in a server farm, requests the update.
Important When you use SQL Server authentication, the password for the administrator account is sent over the network, and can potentially be detected by malicious users. It is recommended that you use Windows NT Integrated authentication for connections between Windows SharePoint Services and the SQL Server databases. Also note that when you use SQL Server authentication, the user name and password you specify are available to all members of the STS_WPG group, which may include accounts associated with other applications on your server.
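As an added example, not code from the original page or from Windows SharePoint Services itself, the following Python script audits a constructed description of a two-server farm against the recommendations above for the SharePoint Central Administration port and for SQL Server connections. Virtual server names, account names, ports and address ranges are all made up for illustration.

```python
from dataclasses import dataclass

@dataclass
class VirtualServer:
    server: str                 # farm member hosting this IIS virtual server
    name: str
    port: int
    is_admin: bool = False      # hosts SharePoint Central Administration
    ssl: bool = False
    anonymous: bool = False
    basic_auth: bool = False
    integrated_auth: bool = True
    app_pool_account: str = "NetworkService"   # "DOMAIN\\user", "NetworkService" or ".\\local"
    allowed_sources: tuple = ("*",)            # firewall/IIS restriction; "*" means any address

def account_is_usable_remotely(account):
    """Domain accounts, Local System and Network Service can reach a remote SQL Server; local accounts cannot."""
    domain, _, user = account.rpartition("\\")
    if user.lower().replace(" ", "") in {"localsystem", "system", "networkservice"}:
        return True
    return domain not in ("", ".")  # ".\\name" or a bare name is a local account

def audit(vservers, sql_on_separate_host, sql_auth, sql_login=""):
    """Return one finding per deviation from the recommendations above; an empty list means compliant."""
    findings, admin_ports = [], set()
    for vs in vservers:
        tag = f"{vs.server}/{vs.name}"
        if vs.basic_auth and not vs.ssl:
            findings.append(f"{tag}: Basic authentication without SSL sends passwords in clear text")
        if sql_on_separate_host and not account_is_usable_remotely(vs.app_pool_account):
            findings.append(f"{tag}: local application pool account cannot reach the remote SQL Server")
        if not vs.is_admin:
            continue
        admin_ports.add(vs.port)
        if vs.anonymous:
            findings.append(f"{tag}: anonymous access enabled on the Central Administration port")
        if not vs.integrated_auth:
            findings.append(f"{tag}: Central Administration not using Integrated Windows authentication")
        if "*" in vs.allowed_sources:
            findings.append(f"{tag}: Central Administration port {vs.port} reachable from any address")
    if len(admin_ports) > 1:
        findings.append(f"Central Administration port differs across the farm: {sorted(admin_ports)}")
    if sql_auth == "sql":
        findings.append(f"SQL Server authentication (login {sql_login!r}); prefer Windows authentication")
    return findings

# Constructed two-server farm with several of the weaknesses the recommendations warn about.
SAMPLE_FARM = [
    VirtualServer("WEB1", "admin", 8080, is_admin=True, anonymous=True, basic_auth=True, integrated_auth=False),
    VirtualServer("WEB1", "portal", 80, basic_auth=True, app_pool_account=".\\wssapp"),
    VirtualServer("WEB2", "admin", 9090, is_admin=True, ssl=True, app_pool_account="CORP\\wssadmin", allowed_sources=("10.0.0.0/8",)),
]
```

Running `audit(SAMPLE_FARM, sql_on_separate_host=True, sql_auth="sql", sql_login="sa")` reports eight findings, including the mismatched Central Administration ports across the farm and the local application pool account on WEB1/portal.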
Windows SharePoint Services supports connectivity through firewalls. Depending on your configuration, you must ensure that the firewall is open for the standard HTTP and HTTPS ports, 80 and 443. When using a firewall, you must configure SharePoint sites with Basic authentication, because Integrated Windows authentication cannot pass through a firewall.