Agenda
SharePoint Security – What's *IN* the box? What's NOT in the box? How can we solve it?

What is in SharePoint
• AV scanning API
• File filtering based on extension
• User/group based authorization
• HTTP/HTTPS protocol

SharePoint Security At A Glance
IT administrators responsible for maintaining SharePoint face similar security and access issues:
• Viruses, malware and inappropriate content
• Publishing SharePoint externally
• Remote access and policy management
• Information leakage prevention
• Identity management and provisioning

Forefront Identity and Security for SharePoint
Protection • Server-based, multiple-engine antivirus and content filtering solution
Publishing • Edge solution that secures and pre-authenticates access to specific Web applications
Policy (+ Publishing) • Secure remote access gateway to Web applications such as SharePoint and network-based resources
Prevention • Prevents leakage of sensitive information and restricts unauthorized use of confidential information within and outside the organization
Provision • Build your permissions correctly in Active Directory and use ILM to provision and keep your ongoing administration of Active Directory easy and scalable
Protection

Comprehensive Protection
• Ships with and manages multiple antivirus engines
• Filters files and keywords
• Supports Open XML and Information Rights Management (IRM) protected docs
Optimized Performance
• Deeply integrated with Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0
• Scanning innovations and performance controls
• Supports 32- and 64-bit servers
Simplified Management
• Easy to manage configuration and operation
• Updates signatures automatically
• Provides reporting, notifications, and alerts

Multiple Engine Management
• Deploy a single solution using multiple integrated technologies
• Includes all engines in base cost
• Run up to five engines simultaneously on any scan job
(Diagram: engines A through E in front of messaging and collaboration servers.)

AV-Test.org – Antimalware Leadership
Response time in hours to WildList samples (legend: less than 5 hours / 5 to 24 hours / more than 24 hours). Multiple engines give rapid response to new threats, fail-safe protection through redundancy, and diversity of antivirus engines and heuristics, compared with single-engine solutions.

WildList | Malware name           | Forefront engines | Vendor A | Vendor B | Vendor C
10/08    | agent_itw69.ex_        |    0.00 |    0.00 |  218.42 |    0.00
10/08    | autorun_itw460.ex_     |    0.00 |  559.63 |    0.00 | 1040.18
10/08    | autorun_itw476.ex_     |    0.00 |  110.42 | 1022.10 |  501.03
10/08    | autorun_itw484.ex_     |    0.00 |  450.77 |  462.85 |  460.22
10/08    | ircbot_itw469.ex_      |    0.00 |    0.00 |    0.00 |  844.13
10/08    | onlinegames_itw593.ex_ |   66.48 |    0.00 |   87.33 |  147.50
10/08    | rbot_itw2667.ex_       |    0.00 |    0.00 |    0.00 |  930.52
10/08    | zbot_itw18.ex_         |    0.00 | 1165.65 |  446.73 |  447.85
10/08    | zbot_itw20.ex_         |    0.00 |  730.77 |  311.87 |  306.98
11/08    | agent_itw77.ex_        |    0.00 |   24.55 |  270.90 |   38.80
11/08    | autorun_itw486.ex_     |    0.00 |    0.00 |    0.00 |  687.20
11/08    | autorun_itw490.ex_     |    0.00 |    0.00 |   51.73 |  396.98
11/08    | bagle_itw199.ex_       |   10.52 |   28.82 |  548.40 |  248.65
11/08    | ircbot_itw470.ex_      |    0.00 |  115.85 |  330.00 | 1031.07
11/08    | ircbot_itw473.ex_      |    0.00 |    0.00 |  664.97 |    0.00
11/08    | rbot_itw2668.ex_       |    0.00 |    0.00 |    0.00 | 1153.52
11/08    | sdbot_itw2685.ex_      |    0.00 |   26.27 |  697.70 | 1019.77
11/08    | slenfbot_itw27.ex_     |    0.00 |    0.00 |    0.00 |  891.80
11/08    | slenping_itw3.ex_      |    0.00 |   26.58 |    0.00 | 1055.53
12/08    | agent_itw82.ex_        |    0.00 |    5.87 |   50.20 |   28.73
12/08    | ircbot_itw474.ex_      |    0.00 |  128.60 |    0.00 |  134.90
12/08    | koobface_itw3.ex_      |    0.00 |    0.00 |    0.00 |  394.80
12/08    | koobface_itw5.ex_      |    0.00 |    0.00 |    0.00 |   10.02
12/08    | koobface_itw8.ex_      |    0.00 |    0.00 |    0.00 | 1000.12
12/08    | sdbot_itw2686.ex_      |    0.00 |   20.15 |  699.87 | 1222.82
12/08    | zbot_itw27.ex_         |    0.00 | 1245.05 | 1050.40 | 1210.87

Forefront Antivirus Scanning
Forefront provides two types of scan jobs.
Real-Time Scan Job
• Scans files being uploaded to or downloaded from SharePoint sites
• Works with a Web browser or any other application accessing SharePoint sites
• Provides proactive protection
Manual Scan Job
• Scans all or part of a SharePoint document library on demand
• Scans can be scheduled
• Can be used to scan with different engines from the ones used for real-time scanning

Real-Time Scan Virus Detection Actions
When Forefront detects a virus, several actions are available:
• Skip: detect only. Logs the presence of the virus but does not block or delete it. Not a secure setting! Can be used for testing/evaluation purposes.
• Clean: repair document. Attempts to clean the file; if the file cannot be cleaned, it is blocked.
• Delete: block document. GOOD CHOICE!
Forefront Manual Scan Job
• Manual Scan provides a tree view of the document library
• All or part of the library can be selected for scanning by using check boxes
• Settings will not include new sites by default unless the top box is checked
• Use Quick Scan to scan a particular part of the library

File Filtering – Setting Up File Filters
• File filtering proactively blocks a specific range of potentially dangerous file types, whether or not a signature exists
• Search for specific files by name, for example "resume.doc"
• Files can be blocked based on size, and on size/type combinations

Keyword Filtering
• Filters documents based on content criteria
• Identifies unwanted content within Microsoft Office Excel, Word, and PowerPoint Open XML files and HTML files
• Filter lists can search for words, phrases, and sentences
• Forefront Security for SharePoint with SP2 includes installable keyword lists in 11 languages

Forefront Security for SharePoint Protection Scenarios
(Diagram: Internet → Firewall → Web Front End and Extranet servers, with Indexing Server, Management server and a Microsoft SQL Server back end; external and internal SharePoint users. AV and file filtering address malware and inappropriate content at the Web Front End and the Extranet.)

Publishing
ISA Server 2006 makes it easier to provide security for corporate applications such as SharePoint Products and Technologies and Microsoft Exchange Server when they are accessed remotely, by pre-authenticating users before they gain access to any published servers, inspecting encrypted traffic at the application layer, and providing automated publishing tools.
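The File Filtering and Keyword Filtering slides above describe three controls: blocking by file type, blocking by size, and searching Open XML documents for keywords. The block below is an added example that models those controls; it is not Forefront code. It shows the caveat a practitioner cares about with extension-based filtering: a renamed executable passes an extension check but not a magic-byte check, so the filter flags the mismatch. The extension list, the 50 MB size limit, the keyword list and the sample files are all assumptions constructed for the example; the Open XML text extraction reads word/document.xml from the zip container, which is how .docx files are actually laid out.

```python
"""Content filter modelled on Forefront's file and keyword filtering.
Added example, not Forefront code. Sample inputs are constructed inline."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".js", ".bat", ".com", ".pif"}  # assumed deny-list
OPEN_XML_EXTENSIONS = {".docx", ".docm", ".dotx"}
MAX_SIZE = 50 * 1024 * 1024                        # assumed 50 MB upload limit
KEYWORDS = ["confidential", "salary data"]         # assumed keyword list
MAGIC = {                                          # leading bytes a rename cannot hide
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-container",                # Open XML documents are zip containers
    b"\xd0\xcf\x11\xe0": "ole2",                   # legacy binary Office formats
}
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def sniff(data: bytes) -> str:
    """Classify a file by its leading bytes rather than by its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""


def open_xml_text(data: bytes) -> str:
    """Extract the visible text of a .docx body (all w:t runs in word/document.xml)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "word/document.xml" not in z.namelist():
            return ""
        root = ET.fromstring(z.read("word/document.xml"))
    return " ".join(t.text or "" for t in root.iter("{%s}t" % W_NS))


def evaluate(name: str, data: bytes) -> list:
    """Return the list of filter violations for an upload; an empty list means allow."""
    reasons = []
    ext = extension_of(name)
    kind = sniff(data)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append("blocked extension %s" % ext)
    # Extension-only filtering is defeated by renaming; catch the content/extension mismatch.
    if kind == "pe-executable" and ext not in BLOCKED_EXTENSIONS:
        reasons.append("executable content disguised as %s" % (ext or "no extension"))
    if len(data) > MAX_SIZE:
        reasons.append("exceeds size limit")
    if ext in OPEN_XML_EXTENSIONS:
        if kind != "zip-container":
            reasons.append("not a valid Open XML container")
        else:
            text = open_xml_text(data).lower()
            for kw in KEYWORDS:
                if re.search(r"\b" + re.escape(kw) + r"\b", text):
                    reasons.append("keyword match: %s" % kw)
    return reasons


def make_docx(paragraphs) -> bytes:
    """Build a minimal Open XML document (constructed test input, not a real Word file)."""
    body = "".join("<w:p><w:r><w:t>%s</w:t></w:r></w:p>" % p for p in paragraphs)
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples: two documents, a real executable, and the same executable renamed.
SAMPLES = {
    "report.docx": make_docx(["Quarterly report", "Contains CONFIDENTIAL salary data"]),
    "notes.docx": make_docx(["Nothing sensitive here"]),
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "setup.pdf": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for filename, payload in SAMPLES.items():
        print(filename, "->", evaluate(filename, payload) or "allow")
```

Run as a script it prints the verdict for each sample; "setup.pdf" is flagged even though ".pdf" is not on the deny-list, which is the point of pairing magic-byte sniffing with the extension filter.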
ISA Server 2006 Publishing
Authentication
• Pre-authentication
• Multi-factor authentication
• Single sign-on (limited)
Offloading Security Tasks
• Adds encryption in front of application servers
• Enables load balancing between Microsoft Office Outlook Web Access servers
• Platform for Network Load Balancing (NLB)
Network Protection
• Creates defense-in-depth
• Stateful inspection firewall
• HTTP protocol inspection

Policy
Single Portal for ALL access
• Endpoint assessment
• Authentication: all remote access
• Logging and monitoring: compliance, risk management
• Controlled access: network access control
• Clean-up
• Customized security
• Deep application inspection

Core Benefits
Simplifies Management
• Centralizes access and monitoring
• Wizard-driven configuration
• Automated policies
Enhances Security
• Overlay granular access control
• Integrated endpoint security
• Expanded authentication options
• Information leakage prevention
• Networking security
Adds Functionality
• Enhances single sign-on
• Integrates multi-factor authentication
• Allows incorporation of SSL VPN applications into the portal
Improves Productivity
• Allows more access from more locations
• Does not require client installation
• Integrates and consolidates policies

Simplifies Management
• Wizard-driven configuration with built-in policies
• Single point of control for external access
• Create unified policies
• Manage access from internal and external locations
• Monitor and audit access in a centralized console

Enhances Security
• Overlay granular access control to specific sites and/or features within sites
• Built-in endpoint security policies
• Expanded authentication and authorization capabilities
• Information leakage prevention
• Network security

Adds Functionality
• Easily overlay authentication options (KCD, AD FS, multi-factor, smart card)
• Integrate additional Web, client-server and network applications into the portal
• Enhanced single sign-on capabilities
• Integrate file share access
• Add password management features for external users

Improves Productivity
• Allows access to more applications and features from more locations
• Does not require client installation
• Integrates and consolidates policies

Simplified Configuration
The optimizer makes publishing applications simple by:
• Minimizing the steps to configuration
• Taking the guesswork out of administration
All policies are pre-populated and entirely customizable. The updated optimizer unlocks all of the functionality in SharePoint.
Step 1: Choose the type of application you wish to publish.
Step 2: Provide the internal name of the SharePoint Server.
Step 3: Provide the external name. Configure the same external name on your SharePoint Server.
All done!

Configuration and End User Experience

Prevention
Active Directory Rights Management Services helps prevent the leakage of sensitive information and restricts unauthorized use of confidential information within and outside the organization.
• Protect data in storage
• Control data usage
• Extensible platform
Active Directory Rights Management Services augments an organization's security strategy by protecting information through persistent usage policies. These policies remain with the information, whether documents, spreadsheets, presentations or e-mail messages, no matter where it goes or how it is stored.
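The persistent-protection idea on the AD RMS slides (encryption plus an embedded usage policy, with the content key released only after the policy is checked) is easier to see in code. The block below is an added toy model, not AD RMS code: a document is encrypted under a fresh content key, that key is wrapped for a licensing server, and the policy is bound to the wrapped key so it cannot be swapped. Any consumer, whether a portal that stored the file in the clear or an archive, must obtain a use license, and the server checks the right and the expiry before releasing the key. The HMAC-SHA256 counter keystream stands in for the AES that a real deployment uses and is not for production; the server key, the user names, the policy and the sample document are constructed assumptions.

```python
"""Toy model of AD RMS persistent protection: policy travels with the file and is
enforced at access time. Added example, not AD RMS code."""
import hashlib
import hmac
import json
import os

SERVER_KEY = os.urandom(32)   # assumption: the licensing server's secret key


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream: keystream block i = HMAC-SHA256(key, nonce || i).
    Stands in for real content encryption (AES); not for production use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def _policy_bytes(policy: dict) -> bytes:
    return json.dumps(policy, sort_keys=True).encode()


def _binding_tag(server_key: bytes, nonce: bytes, wrapped: bytes, policy: dict) -> bytes:
    # Binds wrapped key and policy together so neither can be replaced independently.
    return hmac.new(server_key, nonce + wrapped + _policy_bytes(policy), hashlib.sha256).digest()


def protect(content: bytes, policy: dict, server_key: bytes = SERVER_KEY) -> dict:
    """Author side: encrypt under a fresh content key, wrap that key for the licensing
    server, and embed the usage policy. The envelope can be stored anywhere."""
    nonce = os.urandom(16)
    content_key = os.urandom(32)
    wrapped = stream_xor(server_key, nonce + b"wrap", content_key)
    return {
        "nonce": nonce,
        "ciphertext": stream_xor(content_key, nonce, content),
        "wrapped_key": wrapped,
        "policy": policy,
        "tag": _binding_tag(server_key, nonce, wrapped, policy),
    }


def request_use_license(protected: dict, user: str, right: str, now: int,
                        server_key: bytes = SERVER_KEY) -> bytes:
    """Licensing server side: verify the embedded policy is intact, check the requested
    right and the expiry, and only then release the content key."""
    expected = _binding_tag(server_key, protected["nonce"], protected["wrapped_key"], protected["policy"])
    if not hmac.compare_digest(expected, protected["tag"]):
        raise PermissionError("policy or wrapped key has been tampered with")
    policy = protected["policy"]
    if now > policy["expires"]:
        raise PermissionError("content has expired")
    if right not in policy["rights"].get(user.lower(), []):
        raise PermissionError("%s has no %s right" % (user, right))
    return stream_xor(server_key, protected["nonce"] + b"wrap", protected["wrapped_key"])


def consume(protected: dict, user: str, right: str, now: int,
            server_key: bytes = SERVER_KEY) -> bytes:
    """Client side: obtain a use license for one right, then decrypt."""
    key = request_use_license(protected, user, right, now, server_key)
    return stream_xor(key, protected["nonce"], protected["ciphertext"])


def can(protected: dict, user: str, right: str, now: int,
        server_key: bytes = SERVER_KEY) -> bool:
    try:
        request_use_license(protected, user, right, now, server_key)
        return True
    except PermissionError:
        return False


# Constructed sample: Adam may view/edit/print, Alan may only view, and the
# content expires at a fixed (fictional) time 2000.
SAMPLE_POLICY = {
    "rights": {"adam@fabrikam.com": ["view", "edit", "print"], "alan@fabrikam.com": ["view"]},
    "expires": 2000,
}
SAMPLE_TEXT = b"Trial results for compound XJ-17 (constructed sample)"
SAMPLE_DOC = protect(SAMPLE_TEXT, SAMPLE_POLICY)

if __name__ == "__main__":
    print(consume(SAMPLE_DOC, "alan@fabrikam.com", "view", now=1500))
    for user, right, when in [("alan@fabrikam.com", "print", 1500), ("adam@fabrikam.com", "view", 2500)]:
        print(user, right, "at", when, "->", can(SAMPLE_DOC, user, right, when))
```

The last two checks in the script are the ones a perimeter control cannot make: Alan is an authorized user who still cannot print, and Adam loses access once the embedded expiry passes, regardless of where the file now lives.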
AD RMS allows controlled access to sensitive information by applying a common set of rights through Usage Policy Templates that are applied to content. This removes the need to recreate the usage rights settings for every file you want to protect.
AD RMS enables any application or server (for example, SharePoint) to work with AD RMS to help safeguard sensitive information. ISVs can integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.

AD Rights Management Services – Persistent Protection
Encryption + Policy: access permissions and use right permissions
• Provides identity-based protection for sensitive data
• Controls access to information across the information lifecycle
• Allows only authorized access based on trusted identity
• Secures transmission and storage of sensitive information wherever it goes: policies are embedded into the content, and documents are encrypted with 128-bit encryption
• Embeds digital usage policies (print, view, edit, expiration, etc.) into the content to help prevent misuse after delivery

Information Leakage Prevention
Location-based solutions (a firewall perimeter, an access control list perimeter) protect initial access, separating authorized users from unauthorized users, but not usage.

AD Rights Management Services Capabilities
(Diagram callouts; in each case protection and policy stay with the file.)
1. Portal stores the file in the clear
2. Portal protects the file on access
3. Archive stores the file and policy in the clear
4–6. Protection and policy stay with the file

Document Protection using MOSS IRM
(Diagram: Information Author → Microsoft Office SharePoint Server 2007 → AD RMS Server → Recipient, steps 1–5.)

MOSS 2007 – Enabling IRM Functionality
• Information Rights Management is applied at the server farm level
• Configuration is defined in SharePoint 3.0 Central Administration
• MOSS can use the AD SCP (service connection point) to locate the AD RMS cluster, or be configured to use a specific server

MOSS 2007 IRM – Document Library Settings
(Screenshots of the document library IRM settings.)

MOSS 2007 Permissions and IRM Rights
SharePoint rights                                     | IRM permissions
Manage Permissions, Manage Web                        | Full Control
Edit List Items, Manage List, Add and Customize Pages | Edit, Copy, and Save
View List Item                                        | Read
All other rights                                      | No mapping

Account Bloat Causes Problems
IT/help desk efficiency
• External user account provisioning requests
• Password reset requests
• Lifecycle management
End user productivity
• Provisioning latency
• Forgotten passwords
• Logon frequency
Security
• Orphaned or inaccurate accounts
• Compromised passwords
• Unnecessary access
Regulatory compliance
• Privacy protection
• End-to-end auditing
• Repudiation

Scenario: Federated Collaboration
Fabrikam Research (Dr. Frank Miller) collaborates with Contoso Pharma (Daniel Weisman) through SharePoint.

Enable SharePoint to be Claims-Aware
(Diagram: End User, Claims Provider sts1.contoso.com, "Geneva" Server, "Geneva" Framework, https://docs.contoso.com. Establish trust between SharePoint and the "Geneva" Server: 1. Read policy … 5. Send claims.)
• Configured SharePoint to accept tokens from the Contoso "Geneva" Server
• Configured the Contoso "Geneva" Server to issue tokens to the SharePoint application
• Gave the appropriate users access to SharePoint based on roles

AD RMS, MOSS 2007 and ADFS/"Geneva"
(Diagram: FABRIKAM account forest with Active Directory, an Account Federation Server and users Adam and Mary on a client browser; a federation trust to the CONTOSO resource forest with Active Directory, a Resource Federation Server, a claims-aware Ordering App, an AD RMS Server and MOSS 2007 for Federated Collaboration.)
Ordering App access rights:
• Alan: no access; does not have the required group claims
• Adam: administrator-level access via a group claim: Purchasing Admin
SharePoint access rights:
• Adam: Full Control as a named user: [email protected]
• Alan: Read only via a group claim: Federated Collaboration

Provision
Forefront Identity Manager helps provision users and designate access rights, group membership and other user data in a more intelligent way. Build your SharePoint permissions correctly using Active Directory and use FIM to keep your ongoing administration of Active Directory easy and scalable.
• Auto-provision
• User self-help
• Synchronize identity data
Microsoft Forefront Identity Manager (FIM) 2010 enables auto-provisioning and de-provisioning based on policies and workflows, allowing better management of user access to corporate applications. It reduces help desk costs by providing people with self-help tools to manage routine tasks, such as creating groups, joining and leaving groups, changing passwords or resetting smart card PINs.
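The federation scenario above reduces to two steps on the SharePoint side: validate the token the STS issued (signature, issuer, audience, expiry) and then map the claims it carries to an access right, with Adam getting Full Control as a named user and Alan getting Read through the "Federated Collaboration" group claim. The block below is an added example, not ADFS/"Geneva" or SharePoint code. A real STS issues SAML or WS-Federation XML tokens signed with its X.509 certificate; here a JSON body and an HMAC under a shared key stand in for that signature. The shared key, the user e-mail addresses (the slide only shows an obfuscated address for Adam) and the fixed clock values are assumptions.

```python
"""Claims-based access check for a relying party (SharePoint) trusting one STS.
Added example, not ADFS/"Geneva" or SharePoint code."""
import base64
import hashlib
import hmac
import json
import time

# Trust established between SharePoint and the STS (assumption: a shared HMAC key
# in place of the STS signing certificate).
STS_KEY = b"shared-secret-between-sts1.contoso.com-and-sharepoint"
TRUSTED_ISSUER = "https://sts1.contoso.com"
RELYING_PARTY = "https://docs.contoso.com"

# SharePoint-side mapping of claims to permission levels, as on the slide.
NAMED_USER_RIGHTS = {"adam@fabrikam.com": "Full Control"}     # assumed address
GROUP_RIGHTS = {"Federated Collaboration": "Read"}


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, groups, audience: str,
                lifetime: int = 300, now=None) -> str:
    """STS side: build and sign a claims token scoped to one relying party."""
    now = time.time() if now is None else now
    claims = {"iss": TRUSTED_ISSUER, "aud": audience, "sub": subject,
              "groups": list(groups), "exp": int(now + lifetime)}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)


def validate_token(token: str, key: bytes, now=None) -> dict:
    """Relying-party side: reject anything not signed by the trusted STS, not
    issued for this application, or past its expiry. Raises ValueError."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = unb64(body_b64), unb64(sig_b64)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != RELYING_PARTY:
        raise ValueError("token was issued for a different application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def access_right(claims: dict):
    """Map validated claims to a SharePoint permission level; None means no access."""
    subject = claims.get("sub", "").lower()
    if subject in NAMED_USER_RIGHTS:
        return NAMED_USER_RIGHTS[subject]
    for group in claims.get("groups", []):
        if group in GROUP_RIGHTS:
            return GROUP_RIGHTS[group]
    return None


def authorize(token: str, key: bytes = STS_KEY, now=None):
    """Full path a request takes: validate the token, then resolve the right."""
    try:
        return access_right(validate_token(token, key, now))
    except ValueError:
        return None


if __name__ == "__main__":
    adam = issue_token(STS_KEY, "Adam@fabrikam.com", ["Purchasing Admin"], RELYING_PARTY)
    alan = issue_token(STS_KEY, "alan@fabrikam.com", ["Federated Collaboration"], RELYING_PARTY)
    print("Adam:", authorize(adam))
    print("Alan:", authorize(alan))
```

Note that the audience check is what keeps a token issued for the Ordering App from being replayed against SharePoint, and the named-user mapping is consulted before group claims, which is why Adam's Purchasing Admin group never matters on the SharePoint side.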
ILM 2007, and FIM after it, keeps identity information synchronized and consistent across a wide range of directories, databases, and proprietary identity systems by aggregating this information in a central repository.

Identity Management
Today: Microsoft Identity Lifecycle Manager 2007
• User management (identity synchronization, user provisioning)
• Credential management (certificate and smart card management)
• Common platform: connectors, delegation, workflow, logging, Web service API
Q1 CY 2010: Microsoft Forefront Identity Manager 2010
• Adds access management and policy management
• Integrated user experiences
• Spans user, credential, access and policy management
• Built on a common foundation

Summary: Forefront Identity and Security for SharePoint
Protection, Publishing, Policy (+ Publishing), Prevention, Provision

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.