Antonio Maio
Protiviti, Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP
Email: [email protected]
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2

Best Practices for Security and Governance in SharePoint 2013

May 13, 2015


Presented at SharePoint TechFest Dallas 2014. All rights reserved.
Transcript
Page 1: Best Practices for Security and Governance in SharePoint 2013

Antonio Maio
Protiviti, Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP

Best Practices for Security and Governance in SharePoint 2013

Email: [email protected]
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2

Page 2: Best Practices for Security and Governance in SharePoint 2013

© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.

About Protiviti


Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

• 2,500+ professionals

• 1,000+ clients

• 70+ offices

• Over 20 countries in the Americas, Europe and Asia-Pacific

Protiviti is one of the fastest growing consulting firms worldwide. Our revenues have increased from US $15 million in 2002, to US $423.8 million in 2011.

Page 3: Best Practices for Security and Governance in SharePoint 2013

Goal

Inform and Educate on Key SharePoint Security Features

Illustrate the Importance of Establishing Strong Governance

Page 4: Best Practices for Security and Governance in SharePoint 2013

What do we know about Security and Governance?
• Security is critical in government and military deployments
• It’s a critical consideration in business
• Requires good planning
• Requires good awareness of SharePoint capabilities
• Requires knowledge of what SharePoint cannot do
• Yet… Security and Governance are still often an afterthought for many deployments

Page 5: Best Practices for Security and Governance in SharePoint 2013

What Drives our Information Security Needs?
• Information Security comes down to 2 or 3 drivers
  – Protecting Your Investments (intellectual property, digital assets, competitive advantage…)
  – Reducing Your Liability (avoid compliance violations, fines/sanctions, reputation issues…)
  – Public Safety or Mission Success (protect classified information, mission plans, reputation issues…)
  – Public Health (health records, health insurance, insurance fraud/theft…)

Page 6: Best Practices for Security and Governance in SharePoint 2013

What Drives our Information Security Needs?
• How does this affect us as SharePoint people?
  – How We Deploy SharePoint
  – Control Access
  – Assign Roles
  – Establish Repeatable/Predictable Process
  – Regulatory Compliance Standards
  – Auditing & Reporting Obligations

Page 7: Best Practices for Security and Governance in SharePoint 2013


Information Governance

Ignorance is not always bliss… it’s problematic!

… Why?

Page 8: Best Practices for Security and Governance in SharePoint 2013

Information Governance
• Governance means setting out the structures, people, policies, procedures and controls implemented to manage information and support an organization's immediate and future requirements:
  – Regulatory
  – Legal
  – Risk
  – Administrative
  – Environmental
  – Operational

Page 9: Best Practices for Security and Governance in SharePoint 2013

Governance and SharePoint
• SharePoint is a platform that offers services to your organization’s users
• Governance for the SharePoint platform means:
  – Managing existing services in a predictable way
  – Deploying new services in a predictable way
  – Providing a clear set of guidelines for usage and administration
• Achieve Strong Governance for SharePoint:
  1. Develop a Governance Plan
     – Cross functional - Identifies ownership for business and technical teams
     – Regulatory, risk, legal, admin, environmental, organizational needs
  2. Establish a Governance Team
     – Include stakeholders from across the organization

Page 10: Best Practices for Security and Governance in SharePoint 2013

Developing a SharePoint Governance Plan - Key Areas to Focus
• Define Information Architecture/Structures (Includes Metadata Taxonomy)
• Define Security Controls/Groups, Permissions and Roles for Assigning Permissions
• Define Roles, Responsibilities, Authority
• Determine Training Needs; Plan to Educate User Community
• Define Rules for Site Creation, Management, Decommissioning

Page 11: Best Practices for Security and Governance in SharePoint 2013

SharePoint Security

Page 12: Best Practices for Security and Governance in SharePoint 2013

SharePoint Deployment
• Plan your Deployments and Necessary User Accounts
• Use Least Privileged Accounts
• Review SharePoint deployment guide before you install
• SharePoint is a web application built on top of SQL Server
  – Best practice: use specific user accounts for specific purposes with least privileges
• Benefits: Separation of Concerns
  – Multiple points of redundancy
  – Targeted auditing of account usage
  – Minimize the risk of compromised accounts

Page 13: Best Practices for Security and Governance in SharePoint 2013

Deployment User Accounts
• Use 3 Different Deployment Accounts (at minimum)

SQL Server Service Account
– Assign to MSSQLSERVER and SQLSERVERAGENT services when installing SQL Server (ex. domain\SQL_service)
– No special domain permissions - given required rights in SQL Server during SQL setup

Setup User Account
– Used to install SharePoint, run Product Config Wizard, install patches/updates
– Login with this when running setup (ex. domain\sp_setup_user)
– Must be local admin on each server in SharePoint farm (except SQL Server if it's a different box)
– Before starting SharePoint setup, assign the securityadmin and dbcreator roles in SQL

SharePoint Farm Account
– Used to run the SharePoint farm; not just for database access (ex. domain\sp_farm_user)
– After Product Config Wizard run, prompted to provide the Database Access Account – this is the all powerful farm account
– Given ownership of Config database - also configures several SharePoint services (ex. timer service) to use this as its identity

Page 14: Best Practices for Security and Governance in SharePoint 2013

Deployment User Accounts
• Use 3 Different Deployment Accounts (at minimum)
  – SQL Server Service Account
  – Setup User Account
  – SharePoint Farm Account
• Should all be AD domain accounts (user accounts)
• Do not use personal admin account, especially for Setup User Account
• Configure central email account for all managed accounts

Page 15: Best Practices for Security and Governance in SharePoint 2013

Authentication
• Determine that users are who they say they are (via login)
• Configured on each web app
• Multiple authentication methods per web app
• SharePoint 2010 Options
  – Classic Mode Authentication (Integrated Auth, NTLM, Kerberos)
  – Claims Based Authentication
  – Forms Based Authentication available - through Claims Based Auth.
    – UI configuration options only available in UI upon web app creation
    – To convert non-claims based web app to claims will require PowerShell
• SharePoint 2013 Options
  – Claims Based Authentication - default
  – Classic Mode Deprecated - Configuration UI has been removed (Only configurable through PowerShell)

Page 16: Best Practices for Security and Governance in SharePoint 2013

Authorization
• Determine if users have access to specific information objects and which level of access they are granted
• Accomplished through Permissions in SharePoint
  – Allow you to secure any information object or container
  – Apply to items, documents, folders, lists, libraries, sites
  – Do not apply to individual column field values
• Assigning Permissions Includes
  – The information object or container in question
  – The user, group or claim that is granted access
  – The permission level we are granting as part of that access

Page 17: Best Practices for Security and Governance in SharePoint 2013

Permission Examples: Users and Groups

• Finance AD Group has Full Control on Library A

• ProjectXContractor SP Group has Read access on site B

• Antonio.Maio AD user has Contribute access on Document C

Each example combines:
– User or Group (also called a ‘Principal’)
– Permission Level (collection of permissions)
– Information Object (item or container)

Page 18: Best Practices for Security and Governance in SharePoint 2013

Permission Examples: Claims
• Remember: Claims are trusted attributes about a user
• May assign a Claim as part of a permission to an object or container (like a user or group)

• ‘SecurityClearance=Secret’ has Full Control access on Document X

• ‘ITARCleared=True’ has Read access on Library Y

• ‘EmploymentStatus=FTE’ has Contribute access on Site Z

Page 19: Best Practices for Security and Governance in SharePoint 2013


Users Interacting with Permissions

Page 20: Best Practices for Security and Governance in SharePoint 2013


Users Interacting with Permissions

Page 21: Best Practices for Security and Governance in SharePoint 2013


Users Interacting with Permissions

Page 22: Best Practices for Security and Governance in SharePoint 2013


Users Interacting with Permissions

Page 23: Best Practices for Security and Governance in SharePoint 2013

Inherited Permission Model
• Hierarchical permission model
• Permissions are inherited from level above
• Can break inheritance and apply unique permissions
• Manual process
• Permissive Model

[Diagram: SharePoint Farm → Web Application → Site Collection → Site → Library / List → Document / Item]

Example permission sets shown in the diagram:

Demo Members (SharePoint Group): Edit
Demo Owners (SharePoint Group): Full Control
Demo Visitors (SharePoint Group): Read

Finance Team (Domain Group): Edit
Senior Mgmt (Domain Group): Full Control

Research Team (Domain Group): Full Control
Senior Mgmt (Domain Group): Full Control

Research Team (Domain Group): Full Control
Senior Mgmt (Domain Group): Full Control
Antonio.Maio (Domain User): Full Control

Page 24: Best Practices for Security and Governance in SharePoint 2013

Permissions and Security Scopes
• Every time permission inheritance is broken a new security scope is created
• Security Scope is made up of principals:
  – Domain users/groups
  – SharePoint users/groups
  – Claims
• Be aware of “Limited Access”
• Limitations
  – Security Scopes (50K per list)
  – Size of Scope (5K per scope)

Microsoft SharePoint Boundaries and Limits: http://technet.microsoft.com/en-us/library/cc262787.aspx
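
An added example (not part of the presentation) of how an administrator could compare each list in a site collection against the two limits above, counting the list, folders and items that have broken inheritance and the size of the largest scope. The site URL is a placeholder and the 80% warning threshold is an assumption.

```powershell
# Added example: count unique security scopes per list in one site collection.
# Run in the SharePoint 2013 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl        = 'https://sharepoint.example.com/sites/demo'  # placeholder URL
$ScopeLimit     = 50000  # security scopes per list (limit from the slide)
$PrincipalLimit = 5000   # principals per scope (limit from the slide)
$WarnRatio      = 0.8    # assumed early-warning threshold, not from the slide

function Get-ListScopeReport {
    param($Web, $List)

    # Securable objects that can break inheritance: the list, its folders, its items.
    # Enumerating Items loads every item, so schedule this off-hours on large lists.
    $securables = @($List) + @($List.Folders) + @($List.Items)
    $unique     = @($securables | Where-Object { $_.HasUniqueRoleAssignments })

    # RoleAssignments also lists principals that hold only "Limited Access",
    # so a scope can grow without anyone granting permissions on it directly.
    $largest = [int]($unique | ForEach-Object { $_.RoleAssignments.Count } |
                     Measure-Object -Maximum).Maximum

    $status = 'OK'
    if ($unique.Count -ge $ScopeLimit * $WarnRatio -or
        $largest      -ge $PrincipalLimit * $WarnRatio) { $status = 'REVIEW' }

    [pscustomobject]@{
        Web          = $Web.Url
        List         = $List.Title
        UniqueScopes = $unique.Count
        LargestScope = $largest
        Status       = $status
    }
}

$site = Get-SPSite -Identity $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try     { foreach ($list in @($web.Lists)) { Get-ListScopeReport -Web $web -List $list } }
        finally { $web.Dispose() }
    }
    $report | Sort-Object UniqueScopes -Descending | Format-Table -AutoSize
}
finally { $site.Dispose() }
```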

Page 25: Best Practices for Security and Governance in SharePoint 2013

Information Architecture and Metadata
• Information Architecture – The structural design of your information sharing environment
  – Organization and Storage
  – Identification
  – Retention
  – Business sensitivity and confidentiality
  – …
• Metadata can provide important insight into what type of information you have in SharePoint
• Recommended: Use Metadata to Classify information and Identify its Sensitivity

Page 26: Best Practices for Security and Governance in SharePoint 2013


Standardized Metadata

Page 27: Best Practices for Security and Governance in SharePoint 2013

Standardized Metadata
• Implement Standardized Metadata Fields across libraries/lists
  – Library or List Level
  – Site Column Level
  – Managed Metadata Service (across Site Collection or Farm)
• Ensure users are adding metadata when adding/editing information (mandatory fields)
• Be aware of situations where SharePoint doesn’t request metadata (multi-file upload, explorer view)
• Keep it Simple: Limit sensitivity classification to 3 or 4 labels
  – Public, Confidential, Restricted, Highly Restricted
  – Low Business Impact, Moderate Business Impact, High Business Impact
  – Unclassified, Confidential, Secret, Top Secret
• Educate, Educate, Educate: What does each label mean/impact?

Page 28: Best Practices for Security and Governance in SharePoint 2013

Recap
• Develop a SharePoint Governance Plan with Key Stakeholders
• Ignorance is not bliss… it’s problematic!
• Understand the type of information you have
  – Develop an information architecture
  – Understand the risks to that information: accidental, insider and external threats
  – Use Metadata to identify sensitivity
  – Educate end users on significance of sensitivities – make them part of the solution
• Deploying SharePoint with Appropriate Least Privileged Accounts
• Determine your Authentication and Authorization Needs
  – Understand how permissions work
  – Plan for how permissions are given and managed
• Understand SharePoint Security Features
  – Others: Web App Policies, Anonymous Users, Information Rights Management, Privileged Users, Event Auditing

Page 29: Best Practices for Security and Governance in SharePoint 2013

Antonio Maio
Protiviti, Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP

Thank You!

Email: [email protected]
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2