Security Improvements in SharePoint Server 2007
Joel Oleson
Secure by Default
Secure by default, with flexible information management policies for compliant solutions. That’s a good description of what administrators will find, especially server administrators who assume they have access to all the content. That is not the case anymore. The out-of-the-box deployment is secure and locked down by default. An administrator trying to access random sites will find they *can't* get in. A server administrator who wants to be the farm administrator would need to access Central Administration and use the new web application policies to explicitly allow them rights. These powerful policies can be used to temporarily allow read access to legal or rights to the support organization. These, among other configurations and changes, can easily be captured and reported by the enhanced logging, auditing, and reporting capabilities in Microsoft Office SharePoint Server 2007.
SharePoint Sites are Designed for Secure Intranets, Extranets, and Internet sites.
Intranet
Intranet deployments designed to host sensitive corporate assets often carry compliance requirements and need life cycle management. Legal holds, for example, can now be handled by the records repository site, a site template designed for records retention. Information Management Policies cover auditing, expiration, and enforcement of bar codes. Auditing captures common tasks such as deleting, viewing, moving, copying, and editing, giving the site or list owner granular reports as Excel pivot reports right from their site. No longer does the site administrator need to contact IT to get the reports on who accessed, modified, or deleted that key document. Speaking of deletion, one of the most requested features, the recycle bin, provides what you’d expect in a recycle bin by capturing files, list items, folders, and all lists, including entire document libraries. In addition, the retention of those recycle bins is configured by default at 30 days, with quotas controlled by the farm administrator. Beyond the end user recycle bin, a second stage recycle bin known as the site collection recycle bin is designed for capturing and restoring files deleted out of the end user recycle bin. Information Rights Management Policies for sensitive data can be configured to ensure that data taken out of the environment.
Site Permissions Management
Site permissions management has been simplified and streamlined. When you create your site, by default it is locked to the creator. To help the site creator quickly begin working, a screen comes up with three permission levels: visitors, the read-only group; members, the equivalent of contributors (the read/write group); and owners, the site administrators who are responsible for site permissions and have rights to create lists and sites below this site. The simplified people picker is integrated with Microsoft Active Directory and has a powerful search interface for searching across user attributes. This people picker is easily extended to include additional forests.
Extranet and Remote Employee Access
Extranet environments are designed to be a place where a company can securely work with partners, secured both from the corporate intranet and from the Internet. Web application policies again come into play in this environment to create deny policies, where one partner may have rights to one web application and be denied on another where a competitor may be collaborating with the corporation. Thus locking down an application beyond the IIS IP restrictions becomes easy. One common challenge for extranets is user management. How does one manage internal access and partner access for multiple partners in a sensitive environment? SharePoint Server 2007 ships with an LDAP provider and has support for .NET pluggable authentication and membership providers. Thus if your internal users are in Active Directory and you have your users in a database, these users can collaborate on the same content. Investments the company has made in third-party directories can now be leveraged. Security infrastructure and extranet and corporate security policies can much more easily be integrated. Something that came late in the previous version was designed as fundamental from the beginning. SSL termination, SSL bridging, and secure web publishing with hardware load balancers or security devices is a key topology. This does require that the path retain the same structure, but hostnames, for example, can be abstracted.
Extranet Integration
A number of Microsoft servers, software, and partners have secure solutions for SharePoint Products & Technologies. ISA 2006, for example, has a number of great enhancements that increase the security of the deployment or solution: constrained delegation, load balancing, and filtering. Out of the box, SharePoint offers file type and size blocking. Although these features can block common executables and scripts, the antivirus scanning interfaces are designed to be extended by an antivirus engine. Microsoft FrontBridge offers inbound and outbound antivirus scanning and content filtering. Exchange Server 2007, in addition to inbound routing from Outlook managed folders, has some incredible options for extranets and remote employee scenarios. Users sending links to each other can be frustrating when the intranet portal is inaccessible externally. Features in Exchange 2007 allow administrators to map intranet paths to be fetched by the Exchange server, honoring the permissions of the logged-on user and allowing those internal links to work externally. When combined with ISA 2006 secure web publishing, users can open lists and libraries right from the email.
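The web application policies, recycle bin retention, and file blocking settings described in the sections above can be reviewed in one pass with the SharePoint object model. The script below is an added example, not part of the original article: it is read-only, assumes it runs in PowerShell on a farm server under a farm administrator account, and the helper name Get-PolicyLines is illustrative.

```powershell
# Added example (not from the original article). Read-only: nothing is modified.
# Assumes a farm server with the Microsoft.SharePoint assembly installed.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Illustrative helper: one output line per user/role pair in a policy collection.
function Get-PolicyLines($policies, $scope) {
    foreach ($policy in $policies) {
        foreach ($role in $policy.PolicyRoleBindings) {
            # A policy overrides whatever site owners configured, so Full Control
            # grants and deny entries are the ones to review first.
            $flag = ""
            if ($role.Type -eq "FullControl") { $flag = "  <-- review: full control on every site" }
            if ($role.Type -eq "DenyAll" -or $role.Type -eq "DenyWrite") { $flag = "  <-- deny policy" }
            "  [{0}] {1} => {2}{3}" -f $scope, $policy.UserName, $role.Name, $flag
        }
    }
}

$service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
foreach ($webApp in $service.WebApplications) {
    "Web application: {0}" -f $webApp.Name

    # Policies that apply to every zone of the web application
    Get-PolicyLines $webApp.Policies "All zones"

    # Policies scoped to a single zone, such as the zone partners come in through
    foreach ($zone in $webApp.IisSettings.Keys) {
        Get-PolicyLines ($webApp.ZonePolicies($zone)) $zone
    }

    # Recycle bin: the article cites a 30-day default retention
    "  Recycle bin enabled: {0}" -f $webApp.RecycleBinEnabled
    "  Recycle bin retention (days): {0}" -f $webApp.RecycleBinRetentionPeriod
    "  Second stage quota (% of site quota): {0}" -f $webApp.SecondStageRecycleBinQuota

    # File type and size blocking
    "  Maximum upload size (MB): {0}" -f $webApp.MaximumFileSize
    "  Blocked file extensions ({0}): {1}" -f $webApp.BlockedFileExtensions.Count,
        ([string]::Join(", ", @($webApp.BlockedFileExtensions)))
}
```

Saving the output after each change window and comparing it with the previous run shows when a temporary policy grant was never removed.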
Internet Enhancements
A new and key scenario for Office SharePoint Server 2007 is Internet sites. Staged environments, where you have development, test, and staging environments, can actually be in separate forests, ensuring secure isolation between environments. Publishing between environments enables incredible solutions while keeping security top of mind. One such scenario might mandate that authoring happen on an internal AD-based environment, with publishing to a separate environment using forms-based authentication and anonymous access, or to multiple anonymous farms with geographical distribution. Disk- and memory-based cache profiles for anonymous and authenticated users, or even custom profiles, allow granular configuration on sites to cache the elements that should be cached, reducing round trips to SQL.
Whether you’re building a secure intranet library with sensitive documents, a DMZ based extranet deployment, or high scale internet environment, you’ll be pleased to find SharePoint Server is a rock solid platform with open authentication and membership providers and rich and flexible auditing and compliance capabilities.
More on Security:
Security Related Posts on Joel Oleson's SharePoint Land
Security related posts on SharePoint Team Blog
Ironically, this was originally written to be included as a viewpoint article, but they thought it didn't include enough commentary.
Personally I think it's a pretty good overview. Enjoy.
Thanks for the review. You mentioned about site permissions. There is one more way to manage them with advanced features. I've read in NetworkWorld about security explorer for sharepoint. If I understood properly this tool is mainly for simplifying operations with permissions, shares, services, scheduled tasks and some other things on SharePoint servers. Useful solution for everybody, I suppose. Looking forward to the release, they wrote it will be available in July from scriptlogic.com.