Module 8 Configuring and Securing SharePoint Services and Service Applications

Dec 27, 2015

Owen West

Module 8

Configuring and Securing SharePoint Services and Service Applications

Module Overview

• Securing the Enterprise SharePoint Service

• Securing and Isolating Web Applications

• Services and Service Applications

Lesson 1: Securing the Enterprise SharePoint Service

• Track SharePoint Installation

• Block SharePoint Installation

• Approve SharePoint Installation

• Approve SharePoint Installation on Clients

• Manage Services on the Server

• Overview of SharePoint Services

• Administrative Accounts

• Managed Accounts

Track SharePoint Installation

Service connection points are data points in AD DS that represent the presence of a SharePoint server and farm

The service connection points:

• Are automatically added during initial configuration

• Can be manually set using Windows PowerShell

Block SharePoint Installation

You can block unwanted SharePoint installations in your domain by using GPOs

1. Open Group Policy Management

2. Open the appropriate GPO for editing

3. Navigate to HKLM\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint

4. Set the value of DisableInstall to 1
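
One way to verify on a server that the GPO setting from the steps above has taken effect, as an added example that is not part of the original slides. The function name, the State labels and the scratch HKCU key are assumptions made for illustration:

```powershell
# Added example, not from the slides. Function name and State labels are hypothetical.
function Get-SharePointInstallBlockState {
    [CmdletBinding()]
    param(
        # Key from step 3 above, written in PowerShell registry-provider syntax.
        [string]$PolicyPath = 'HKLM:\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint',
        [string]$ValueName  = 'DisableInstall'
    )

    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $PolicyPath
        Value    = $null
        Kind     = $null
        State    = 'KeyMissing'   # policy key absent: the GPO has not applied here
    }
    if (-not (Test-Path -LiteralPath $PolicyPath)) { return $result }

    $key = Get-Item -LiteralPath $PolicyPath
    if ($key.GetValueNames() -notcontains $ValueName) {
        $result.State = 'ValueMissing'   # key exists but DisableInstall is not set
        return $result
    }

    $result.Value = $key.GetValue($ValueName)
    $result.Kind  = $key.GetValueKind($ValueName)
    # Step 4 above sets DisableInstall to 1; this audit reports any other data as NotBlocked.
    $result.State = if ($result.Value -eq 1) { 'Blocked' } else { 'NotBlocked' }
    return $result
}

# Constructed test input: a scratch key under HKCU stands in for the policy key,
# so the function can be exercised without admin rights or a linked GPO.
$scratch = 'HKCU:\Software\ExamplePolicyAuditScratch'
New-Item -Path $scratch -Force | Out-Null
New-ItemProperty -Path $scratch -Name 'DisableInstall' -Value 1 -PropertyType DWord -Force | Out-Null
Get-SharePointInstallBlockState -PolicyPath $scratch
Remove-Item -Path $scratch -Recurse -Force

# Read-only check of the real policy key on the local machine.
Get-SharePointInstallBlockState
```

A KeyMissing or ValueMissing result on a machine that should be covered usually means the GPO is not linked or filtered to it yet.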

Approve SharePoint Installation

Use the following steps to approve a SharePoint installation:

1. Create Group Policy security filter

2. Create a new group

3. Give the new group permissions

4. Add approved servers to the group

Approve SharePoint Installation on Clients

There are three options for controlling client installation in SharePoint:

• Add clients to the approved server group

• Scope the GPO only to servers

• Create a separate GPO scoped to clients

Manage Services on the Server

• Windows Services

SharePoint Administration

SharePoint Timer service

• Manually start the service if it is stopped

• Other services should not be started manually

SharePoint Tracing

SharePoint User Code Host

SharePoint VSS Writer

SharePoint Foundation/Server Search

• SharePoint Services

Central Administration > System Settings > Servers: Manage services on server

Overview of SharePoint Services

• SharePoint Foundation Business Data Connectivity

Usage and Health Data Collection

• SharePoint Server: Standard Search Service

Profile Service

• SharePoint Server: Enterprise Performance Point Service

Excel Services

• Office Web Apps Excel Calculation, PowerPoint Service, Word Viewing

• Microsoft Project Server: Microsoft Project Web Access

Administrative Accounts

• Administrative accounts

Domain-level accounts used for SharePoint

Most are created during SharePoint setup

• Accounts

Setup User Administration

Farm Service

SharePoint Foundation 2010 Search Service

SharePoint Foundation 2010 Search Content Access

Managed Accounts

A managed account is an AD DS user account whose credentials are managed by and contained within SharePoint

By using Central Administration, you can:

• Manage these accounts

• Assign them to a service application

• Manage their passwords

You can also reset all managed passwords in SharePoint simultaneously using a Windows PowerShell script

Lesson 2: Securing and Isolating Web Applications

• Isolation Using Application Pools

• Application Pool Isolation

• Secure Communication Using Secure Sockets Layer

Isolation Using Application Pools

• Why use separate application pools?

Different identities

Isolation of processes

Recycle/restart without affecting others

Throttling of resource usage

• Why not use separate application pools?

Administration overhead

Idle worker processes

Application Pool Isolation

[Diagram: App Pool 1, App Pool 2, App Pool 3, App Pool 4, App Pool 5]

Secure Communication Using Secure Sockets Layer

Before you can enable SSL, you must install AD CS

Then:

• Create and install a certificate on each server

• Configure sites to use SSL

Lesson 3: Services and Service Applications

• SharePoint 2010: Service Application Framework Service Model

• Service Application Components

• Service Applications

• Service Application Connection

• Application Connection Groups

• Overview of Planning Service Applications

• Service Application Types

• Service Applications Across Farms

SharePoint 2010: Service Application Framework Service Model

• Fundamental

• Flexible

• Scalable

• Extensible

• Managed within Central Administration

Service Application Components

Several components make up the Service Application Framework architecture

These are:

• Service

• Service application

• Service application connection

• Service application connection group

• Web application

Service Applications

• The logical instance of a shared service

Each service has its own management unit: service application

• Service applications have:

Virtual directory in IIS

Application pool

Database(s)

Physical instance (actual process\Web service on computer)

Administrative interface (admin page)

• Create a service application

• Service application provisioning

Service Application Connection

• Also known as application proxy or proxy

• Object that a consumer uses to connect to a service app

Web Part

Object model

Internal code

• Used by Web app to communicate with a service app

• Created automatically when you create the service app

• Example:

Application Connection Groups

[Diagram: application connection groups]

• IIS Web site – “SharePoint Web Services”, with application pools hosting the service applications: Access Services, Excel Services, Managed Metadata, User Profile, Business Data Connectivity, Secure Store Service, Search

• Web application – Published Intranet Content: http://Fabrikam (HR, Facilities)

• Web application – My Site Web sites: http://my, http://my/personal

• Web application – Team Sites: http://team (Team 1, Team 2, Team 3)

Overview of Planning Service Applications

• Performance versus separation

• Isolation

App pool—process isolation

Service data

Isolation for performance of a targeted service

• Typical services deployed for dedicated use

Excel Services

Managed Metadata

Business Data Connectivity

• Build logical topology, and then determine physical topology

Service Application Types

[Diagram: service application types, grouped as cross-farm or single-farm, with the most commonly shared services marked]

• Cross-farm service applications: These service applications can be shared across multiple farms

• Single-farm service applications: These service applications can be used only within a single farm

Service applications shown: Web Analytics, Managed Metadata, User Profile, Business Data Connectivity, Secure Store Service, Search, Access Services, State Service, Usage and Health Data Collection, Project Server, Excel Services, PerformancePoint Services, Visio Graphics Service, Word Viewing Service, Word Automation Services, PowerPoint Service

Service Applications Across Farms

• Makes a service application available outside the farm

• Certificates between two farms

Consuming farm provides to publishing farm: Root, Secure Token Service (STS) certificates

Publishing farm provides to consuming farm: Root

• Permissions

Application Discovery and Load Balancer Service App

Shared Service Application

• Publish the service application

• Connect to cross-farm service applications

Creates connection on consumer farm that can be added to application connection groups

Lab A: Administering SharePoint Services

• Exercise 1: Administering SharePoint Services

• Exercise 2: Administering SharePoint Windows Services

Logon information

Estimated time: 20 minutes

Scenario

You have recently installed a new SharePoint 2010 farm. Some of the developers are complaining that they are experiencing errors because services are not running on the SharePoint server. They have asked you to ensure that all Windows and SharePoint Services have been installed and are started.

Lab B: Configuring Application Security

• Exercise 1: Configuring Web Application and Application Pool Security

• Exercise 2: Configuring Secure Sockets Layer Security

Logon information

Estimated time: 30 minutes

Scenario

Your manager has recently installed a new SharePoint 2010 farm. When he performed the configuration of the farm, he did not use the Farm Configuration Wizard. Because he didn’t use the configuration wizard some of the service applications required by your developers were not installed. Your manager has tasked you with reviewing the installed service applications and creating the missing service applications.

Lab C: Configuring Service Applications

• Exercise 1: Creating a Service Application

Logon information

Estimated time: 30 minutes

Scenario

Your company, Contoso, has adopted SharePoint 2010 for many reasons. One is its new, more optimized service application environment and another is its ability to manage metadata. You want to allow sites in the client-facing Web application to use managed metadata and keywords, but you do not want managed metadata and keyword columns in the client Web application to have visibility into terms used internally. Therefore, you must configure a separate managed metadata service for the client Web application.

Module Review and Takeaways

• Review Questions