
Agenda
SharePoint Security – What’s *IN* the box?
What’s NOT in the box?
How can we solve it?
What is in SharePoint
AV scanning API
File filtering based on extension
User/Group based authorization
HTTP/HTTPS protocol
SharePoint Security At A Glance
IT administrators responsible for maintaining SharePoint
face similar security and access issues:
Viruses, malware and inappropriate content
Publishing SharePoint Externally
Remote Access and Policy Management
Information Leakage Prevention
Identity Management and Provisioning
Forefront Identity and Security for SharePoint
Protection
• Server-based, multiple-engine antivirus and
content filtering solution
Publishing
• Edge solution that secures and pre-authenticates
access to specific Web applications
Policy
• Secure remote access gateway to Web
applications such as SharePoint and network-based resources
(+ Publishing )
Prevention
• Prevents leakage of sensitive information and restricts
unauthorized use of confidential information within and
outside the organization.
Provision
• Use Active Directory to build your permissions correctly and
use ILM to provision and keep your ongoing administration of
Active Directory easy and scalable.
Protection
Comprehensive
Protection
• Ships with and manages multiple antivirus engines
• Filters files and keywords
• Supports Open XML and Information Rights Management
(IRM) protected docs
Optimized
Performance
• Deeply integrated with Microsoft® Office SharePoint® Server
2007 and Windows SharePoint Services 3.0
• Scanning innovations and performance controls
• Supports 32- and 64-bit servers
Simplified
Management
• Easy to manage configuration and operation
• Updates signatures automatically
• Provides reporting, notifications, and alerts
Multiple Engine Management
Deploy single solution using multiple integrated technologies
Includes all engines in base cost
Run up to five engines simultaneously on any scan job
[Diagram: antivirus engines A, B, C, D and E feeding the messaging and collaboration servers]
AV-Test.org – Antimalware Leadership
• Rapid response to new threats
• Fail-safe protection through redundancy
• Diversity of antivirus engines and heuristics
Response time (in hours) per WildList sample; Vendor A, B and C are single-engine solutions.
Shading legend on the original slide: less than 5 hours / 5 to 24 hours / more than 24 hours.

WildList  Malware name             Forefront engines   Vendor A   Vendor B   Vendor C
10/08     agent_itw69.ex_                       0.00       0.00     218.42       0.00
10/08     autorun_itw460.ex_                    0.00     559.63       0.00    1040.18
10/08     autorun_itw476.ex_                    0.00     110.42    1022.10     501.03
10/08     autorun_itw484.ex_                    0.00     450.77     462.85     460.22
10/08     ircbot_itw469.ex_                     0.00       0.00       0.00     844.13
10/08     onlinegames_itw593.ex_               66.48       0.00      87.33     147.50
10/08     rbot_itw2667.ex_                      0.00       0.00       0.00     930.52
10/08     zbot_itw18.ex_                        0.00    1165.65     446.73     447.85
10/08     zbot_itw20.ex_                        0.00     730.77     311.87     306.98
11/08     agent_itw77.ex_                       0.00      24.55     270.90      38.80
11/08     autorun_itw486.ex_                    0.00       0.00       0.00     687.20
11/08     autorun_itw490.ex_                    0.00       0.00      51.73     396.98
11/08     bagle_itw199.ex_                     10.52      28.82     548.40     248.65
11/08     ircbot_itw470.ex_                     0.00     115.85     330.00    1031.07
11/08     ircbot_itw473.ex_                     0.00       0.00     664.97       0.00
11/08     rbot_itw2668.ex_                      0.00       0.00       0.00    1153.52
11/08     sdbot_itw2685.ex_                     0.00      26.27     697.70    1019.77
11/08     slenfbot_itw27.ex_                    0.00       0.00       0.00     891.80
11/08     slenping_itw3.ex_                     0.00      26.58       0.00    1055.53
12/08     agent_itw82.ex_                       0.00       5.87      50.20      28.73
12/08     ircbot_itw474.ex_                     0.00     128.60       0.00     134.90
12/08     koobface_itw3.ex_                     0.00       0.00       0.00     394.80
12/08     koobface_itw5.ex_                     0.00       0.00       0.00      10.02
12/08     koobface_itw8.ex_                     0.00       0.00       0.00    1000.12
12/08     sdbot_itw2686.ex_                     0.00      20.15     699.87    1222.82
12/08     zbot_itw27.ex_                        0.00    1245.05    1050.40    1210.87
Forefront Antivirus Scanning
Forefront provides two types of scan jobs
Real-Time Scan Job: Scans files being uploaded to or
downloaded from SharePoint sites
Works with Web browser or any other
application accessing SharePoint sites
Provides proactive protection
Manual Scan Job: Scans all or part of SharePoint
document library on demand
Scans can be scheduled
Can be used to scan with different engines from
the ones used for real-time scanning
Real-Time Scan Virus Detection Actions
When Forefront detects a virus, several actions
are available
Skip: detect only—logs presence of virus, but does
not block or delete it
Not a secure setting!
Can be used for testing/evaluation purposes
Clean: repair document—attempts to clean the file.
If file cannot be cleaned, it is blocked.
Delete: block document—GOOD CHOICE!
Forefront Manual Scan Job
Manual Scan provides tree-view
into document library
All or part of the library can be set
for scanning by using check boxes
Settings will not include new sites
by default unless the top box is
checked
Use Quick Scan to scan a particular
part of the library
File Filtering—Setting Up File Filters
File filtering proactively blocks a specific range
of potentially dangerous file types whether or
not a signature exists
Search for specific files by name, for example,
“resume.doc”
Files can be blocked based on size and size/type
combinations
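The following is an added example, not Forefront code, showing how the rule types described on this slide (blocked extensions, blocked names such as "resume.doc", a global size limit and size/type combinations) combine into one upload filter. The rule set, the sample uploads and the magic-byte check are constructed for illustration; the magic-byte check goes beyond the slide and catches an executable that has been renamed to a harmless extension.

```python
# Added example (not Forefront code): rule-based file filter for SharePoint uploads.
import fnmatch
from dataclasses import dataclass


@dataclass
class Upload:
    name: str      # file name as submitted by the client
    size: int      # size in bytes
    head: bytes    # first bytes of the content, enough for a magic-byte check


# Constructed policy; Forefront's real rule syntax differs.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".js"}
BLOCKED_NAME_PATTERNS = ["resume.doc", "*.doc.exe"]       # glob patterns, matched case-insensitively
MAX_SIZE_ANY = 100 * 1024 * 1024                            # 100 MiB for any file
MAX_SIZE_BY_TYPE = {".doc": 10 * 1024 * 1024,               # size/type combinations
                    ".zip": 50 * 1024 * 1024}
PE_MAGIC = b"MZ"                                            # Windows executable header


def extension_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def evaluate(upload: Upload) -> tuple[bool, str]:
    """Return (allowed, reason). The first matching rule decides."""
    ext = extension_of(upload.name)
    if ext in BLOCKED_EXTENSIONS:
        return False, f"blocked extension {ext}"
    for pattern in BLOCKED_NAME_PATTERNS:
        if fnmatch.fnmatch(upload.name.lower(), pattern):
            return False, f"file name matches blocked pattern {pattern}"
    if upload.size > MAX_SIZE_ANY:
        return False, f"size {upload.size} exceeds global limit"
    type_limit = MAX_SIZE_BY_TYPE.get(ext)
    if type_limit is not None and upload.size > type_limit:
        return False, f"size {upload.size} exceeds limit for {ext}"
    if upload.head.startswith(PE_MAGIC):
        # Extension says "document", content says "executable": block regardless of any AV signature.
        return False, "executable content disguised with a non-executable extension"
    return True, "allowed"


# Constructed sample uploads.
SAMPLE_UPLOADS = [
    Upload("report.docx", 24_000, b"PK\x03\x04"),               # Open XML is a ZIP container
    Upload("setup.exe", 1_200_000, b"MZ\x90\x00"),
    Upload("Resume.DOC", 40_000, b"\xd0\xcf\x11\xe0"),         # legacy OLE document
    Upload("notes.txt", 2_048, b"MZ\x90\x00"),                 # renamed executable
    Upload("archive.doc", 11 * 1024 * 1024, b"\xd0\xcf\x11\xe0"),
]


def filter_uploads(uploads=SAMPLE_UPLOADS) -> dict:
    """Evaluate every upload; returns {name: (allowed, reason)}."""
    return {u.name: evaluate(u) for u in uploads}


if __name__ == "__main__":
    for name, (allowed, reason) in filter_uploads().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {name:14} {reason}")
```

Rule order matters: the cheap name and size checks run first, and the content check is last because it needs the file bytes; in a real deployment the same evaluation would run in both the real-time scan job (on upload) and the manual scan job (over stored files).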
Keyword Filtering
Filters documents based on content criteria
Identifies unwanted content within Microsoft®
Office Excel®, Word, and PowerPoint® Open-XML
and HTML files
Filter lists can enable search for words, phrases,
and sentences
Forefront Security for SharePoint with SP2
includes installable keyword lists in 11
languages
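As an added example (not Forefront code), here is a keyword filter over the text of a Word Open XML document. An Open XML package is a ZIP whose main part is word/document.xml, and the visible text sits in w:t elements; Word splits a paragraph into several runs, so the scanner joins the runs of each paragraph before matching, otherwise a word or phrase that straddles a run boundary is missed. The sample document, built in memory with only the part the scanner reads, and the keyword list are constructed.

```python
# Added example (not Forefront code): keyword filtering over Word Open XML text.
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_sample_docx(paragraphs: list[list[str]]) -> bytes:
    """Build a minimal package containing only word/document.xml.

    `paragraphs` is a list of paragraphs, each a list of runs (text fragments).
    A real .docx carries more parts ([Content_Types].xml, relationships, styles).
    """
    body = "".join(
        "<w:p>" + "".join(f'<w:r><w:t xml:space="preserve">{escape(run)}</w:t></w:r>' for run in runs) + "</w:p>"
        for runs in paragraphs
    )
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("word/document.xml", document)
    return buf.getvalue()


def extract_paragraphs(docx_bytes: bytes) -> list[str]:
    """Return the text of each paragraph, with its runs joined in order."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        root = ET.fromstring(package.read("word/document.xml"))
    return ["".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t"))
            for p in root.iter(f"{{{W_NS}}}p")]


def scan_keywords(docx_bytes: bytes, keyword_list: list[str]) -> list[str]:
    """Return the entries of `keyword_list` (words, phrases or sentences) found in the document.

    Matching is case-insensitive, whitespace-normalised and on word boundaries,
    so 'merger' does not fire on 'mergers', while a phrase still matches across
    a line break inside a paragraph.
    """
    text = " ".join(extract_paragraphs(docx_bytes))
    normalised = re.sub(r"\s+", " ", text).lower()
    return [kw for kw in keyword_list
            if re.search(r"\b" + re.escape(kw.lower()) + r"\b", normalised)]


# Constructed sample: note the word "Confidential" split across two runs.
SAMPLE_DOCX = build_sample_docx([
    ["Quarterly results - ", "Confi", "dential"],
    ["For internal", " use only."],
    ["Mergers were not discussed."],
])
KEYWORDS = ["confidential", "internal use only", "merger"]

if __name__ == "__main__":
    print(scan_keywords(SAMPLE_DOCX, KEYWORDS))   # ['confidential', 'internal use only']
```

Excel and PowerPoint packages follow the same pattern with different part names and element names (shared strings and sheet XML for Excel, slide XML for PowerPoint), so the same join-then-match approach applies to them.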
Forefront Security For SharePoint Protection
Scenarios
[Diagram: internal SharePoint users, and external SharePoint users coming in from the Internet through the firewall, reach the Web front end; AV and file filtering on the Web front end and the indexing server block malware and inappropriate content before they reach the Microsoft® SQL Server® back end; extranet management and Web front end management are shown alongside]
Publishing
ISA Server 2006 makes it easier to provide security for corporate applications such as SharePoint
Products and Technologies and Microsoft® Exchange Server when they are accessed remotely: it pre-authenticates users before they gain access to any published servers, inspects encrypted traffic at
the application layer, and provides automated publishing tools.
Authentication
• Pre-authentication
• Multi-factor authentication
• Single sign-on (limited)
Offloading Security Tasks
• Adds encryption in front of application servers
• Enables load balancing between Microsoft® Office Outlook® Web Access servers
• Platform for Network Load Balancing (NLB)
Network Protection
• Creates defense-in-depth
• Stateful inspection firewall
• HTTP protocol inspection
Policy
Single portal for ALL access, providing:
• Endpoint assessment
• Authentication for all remote access
• Logging and monitoring (compliance, risk management)
• Controlled access (network access control)
• Clean-up
• Customized security
• Deep application inspection
Core Benefits
Simplifies Management
• Centralizes access and monitoring
• Wizard driven configuration
• Automated policies
Enhances Security
• Overlay granular access control
• Integrated endpoint security
• Expanded authentication options
• Information leakage prevention
• Networking security
Adds Functionality
• Enhances single sign-on
• Integrate multi-factor auth
• Allows incorporation of SSL VPN applications into portal
Improves Productivity
• Allows more access from more locations
• Does not require client installation
• Integrates and consolidates policies
Simplifies Management
Wizard-driven configuration
with built-in policies
Single point of control for
external access
Create unified policies
Manage access from
internal and external
locations
Monitor and audit access in
a centralized console
Enhances Security
Overlay granular access control to specific sites and/or features
within sites
Built-in endpoint security policies
Expanded authentication and authorization capabilities
Information leakage prevention
Network security
Adds Functionality
Easily overlay authentication options
(KCD, AD FS, Multifactor, Smartcard)
Integrate additional Web, client-server and network applications into the portal
Enhanced single sign-on capabilities
Integrate file share access
Add password management features
for external users
Improves Productivity
Allows access to more applications and
features from more locations
Does not require client installation
Integrates and consolidates policies
Simplified Configuration
Optimizer makes publishing applications simple by:
• Minimizing steps to configuration
• Taking the guesswork out of administrations
All policies are pre-populated and entirely customizable
Updated optimizer unlocks all of the functionality in SharePoint
Step 1: Choose the type of application you wish to publish.
Step 2: Provide the internal name of the SharePoint Server.
Step 3: Provide the external name. Configure the same external name on your SharePoint Server.
All Done!
Configuration and End User Experience
Active Directory Rights Management Services helps prevent the leakage of
sensitive information and restricts unauthorized use of confidential
information within and outside the organization.
Protect Data In Storage
Active Directory Rights Management Services augments an organization's
security strategy by protecting information through persistent usage policies.
These policies remain with the information - whether documents,
spreadsheets, presentations, or e-mail messages - no matter where it goes or
how it is stored.
Control Data Usage
AD RMS allows controlled access to sensitive information by applying a
common set of rights through creation of Usage Policy Templates that are
applied to content. This alleviates the need to recreate the usage rights
settings for every file you want to protect.
Extensible Platform
AD RMS enables any application or server (for example, SharePoint) to work
with AD RMS to help safeguard sensitive information. ISVs are enabled to
integrate information protection into server-based solutions such as
document and records management, e-mail gateways and archival systems,
automated workflows, and content inspection.
AD Rights Management Services
Persistent Protection = Encryption + Policy (access permissions and use-right permissions)
Provides identity-based protection for sensitive data
Controls access to information across the information lifecycle
Allows only authorized access based on trusted identity
Secures transmission and storage of sensitive information wherever it goes –
policies embedded into the content; documents encrypted with 128-bit
encryption
Embeds digital usage policies (print, view, edit, expiration, etc.) into the
content to help prevent misuse after delivery
Information Leakage Prevention
Location-based solutions protect initial access, but not usage.
[Diagram: a firewall perimeter and an access control list perimeter, each separating authorized users from unauthorized users]
AD Rights Management Services
Capabilities
[Diagram with six numbered stages: in stages 1, 2 and 3 the protection and policy stay with the file; in stage 4 the portal stores the file in the clear; in stage 5 the portal protects the file on access; in stage 6 the archive stores the file and policy in the clear]
Document Protection using MOSS IRM
[Diagram: a five-step exchange between the information author, Microsoft Office SharePoint Server 2007, the AD RMS server and the recipient]
MOSS 2007 Enabling IRM Functionality
Information Rights Management applied at server
farm level
Configuration defined on SharePoint 3.0 Central
Administration
MOSS can use the AD SCP to locate the AD RMS cluster,
or be configured to use a specific server
MOSS 2007 IRM Document Library Settings
MOSS 2007 Permissions and IRM Rights
SharePoint rights                                        IRM permissions
Manage Permissions; Manage Web                           Full Control
Edit List Items; Manage List; Add and Customize Pages    Edit, Copy, and Save
View List Item                                           Read
All other rights                                         No mapping
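The following added example (not Microsoft code and not the AD RMS protocol) ties together the "Encryption + Policy" idea from the AD RMS slides and the permission mapping in the table above: a user's SharePoint rights are turned into a set of IRM usage rights, the content is encrypted, the policy is bound to the ciphertext with a MAC, and access is granted only after the policy is checked. The SHA-256 counter keystream is a toy stand-in for the AES encryption AD RMS uses, the single server key stands in for the AD RMS key hierarchy, the usage rights behind each IRM permission and all users, keys and timestamps are constructed, and the user identity passed in is assumed to have been authenticated already.

```python
# Added toy model of IRM-style persistent protection; not AD RMS code.
import hashlib
import hmac
import json
import os

# Mapping from the table above: SharePoint right -> IRM permission.
SHAREPOINT_TO_IRM = {
    "Manage Permissions": "Full Control", "Manage Web": "Full Control",
    "Edit List Items": "Edit, Copy, and Save", "Manage List": "Edit, Copy, and Save",
    "Add and Customize Pages": "Edit, Copy, and Save", "View List Item": "Read",
}
# Constructed usage rights behind each IRM permission.
IRM_RIGHTS = {
    "Full Control": frozenset({"view", "edit", "copy", "save", "print"}),
    "Edit, Copy, and Save": frozenset({"view", "edit", "copy", "save"}),
    "Read": frozenset({"view"}),
}


def irm_rights_for(sharepoint_rights) -> frozenset:
    """Union of usage rights granted by a user's SharePoint rights; 'All Other Rights' grant nothing."""
    granted = set()
    for right in sharepoint_rights:
        permission = SHAREPOINT_TO_IRM.get(right)
        if permission is not None:
            granted |= IRM_RIGHTS[permission]
    return frozenset(granted)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256: a stand-in for AES, not for production use."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def _tag(key: bytes, nonce: bytes, policy: dict, ciphertext: bytes) -> str:
    """MAC over policy and ciphertext together, so the policy cannot be altered or stripped unnoticed."""
    policy_json = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(key, nonce + policy_json + ciphertext, hashlib.sha256).hexdigest()


def protect(plaintext: bytes, policy: dict, server_key: bytes) -> dict:
    """Encrypt the content and bind the usage policy to it; the envelope travels with the file."""
    nonce = os.urandom(16)
    ciphertext = _xor(plaintext, _keystream(server_key, nonce, len(plaintext)))
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "policy": policy,
            "tag": _tag(server_key, nonce, policy, ciphertext)}


def consume(envelope: dict, user: str, right: str, now: int, server_key: bytes) -> bytes:
    """License check on access: plaintext only for a user holding `right`, while the policy is intact and unexpired."""
    nonce, ciphertext = bytes.fromhex(envelope["nonce"]), bytes.fromhex(envelope["ciphertext"])
    policy = envelope["policy"]
    if not hmac.compare_digest(_tag(server_key, nonce, policy, ciphertext), envelope["tag"]):
        raise PermissionError("policy or content has been tampered with")
    if now > policy["expires"]:
        raise PermissionError("usage license has expired")
    if right not in policy["rights"].get(user, []):
        raise PermissionError(f"{user} does not hold the '{right}' right")
    return _xor(ciphertext, _keystream(server_key, nonce, len(ciphertext)))


# Constructed scenario: two users whose SharePoint rights are mapped into the policy.
SERVER_KEY = b"constructed-ad-rms-server-key"
POLICY = {
    "rights": {"editor@contoso.example": sorted(irm_rights_for(["Edit List Items"])),
               "reader@contoso.example": sorted(irm_rights_for(["View List Item", "Open"]))},
    "expires": 2_000_000,  # constructed epoch timestamp
}


def demo() -> dict:
    """Run the scenario; each outcome is the plaintext, 'granted', or the refusal reason."""
    envelope = protect(b"Q3 merger memo", POLICY, SERVER_KEY)
    tampered = dict(envelope, policy={"rights": {"reader@contoso.example": ["view", "print"]}, "expires": 2_000_000})
    results = {"reader_view": consume(envelope, "reader@contoso.example", "view", 1_000_000, SERVER_KEY)}
    attempts = {"reader_print": (envelope, "reader@contoso.example", "print", 1_000_000),
                "editor_expired": (envelope, "editor@contoso.example", "edit", 3_000_000),
                "tampered_policy": (tampered, "reader@contoso.example", "print", 1_000_000)}
    for label, args in attempts.items():
        try:
            consume(*args, SERVER_KEY)
            results[label] = "granted"
        except PermissionError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:16} {outcome}")
```

The point of the model is the one the "location-based solutions protect initial access, but not usage" slide makes: once the policy is bound to the ciphertext, copying the envelope to another location or stripping the policy from it gains the holder nothing, because every use still goes back through the server's license check.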
Account Bloat Causes Problems
IT/Help desk efficiency
• External user account provisioning requests
• Password reset requests
• Lifecycle management
End user productivity
• Provisioning latency
• Forgotten passwords
• Logon frequency
Security
• Orphaned or inaccurate accounts
• Compromised passwords
• Unnecessary access
Regulatory compliance
• Privacy protection
• End-to-end auditing
• Repudiation
Scenario: Federated Collaboration
[Diagram: Dr. Frank Miller at Fabrikam Research collaborates with Daniel Weisman at Contoso Pharma through SharePoint]
Enable SharePoint to be Claims-Aware
[Diagram: trust is established between the SharePoint site https://docs.contoso.com, built on the "Geneva" Framework, and the claims provider sts1.contoso.com ("Geneva" Server); of the numbered steps involving the end user only "1. Read policy" and "5. Send claims" are shown]
Enable SharePoint to be Claims-Aware
Configured SharePoint to accept tokens from
Contoso “Geneva” Server
Configured Contoso “Geneva” Server to issue
tokens to SharePoint App
Gave appropriate user access to SharePoint based
on roles
AD RMS, MOSS 2007 and ADFS/”Geneva”
[Diagram: the FABRIKAM account forest (Active Directory, account federation server, users Adam and Mary) is joined by a federation trust to the CONTOSO resource forest (Active Directory, resource federation server with a claims-aware ordering app, AD RMS server, MOSS 2007 for federated collaboration); the client browser reaches the Contoso applications]
Ordering App access rights:
• Alan: no access, does not have the required group claims.
• Adam: administrator level access via a group claim: Purchasing Admin
SharePoint access rights:
• Adam: Full Control as a named user: [email protected]
• Alan: Read only via a group claim: Federated Collaboration
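As an added example (not Microsoft code), the two-hop federation in the diagram above in working form: the Fabrikam account federation server issues a signed claims token for the Contoso resource federation server, which validates it, passes the claims on, and issues its own token for each claims-aware Contoso app; each app accepts tokens only from its configured issuer, which is what "configured SharePoint to accept tokens from Contoso 'Geneva' Server" amounts to. HMAC with a shared trust key stands in for the X.509 signatures AD FS and "Geneva" use, the base64-encoded JSON token stands in for a SAML token, and the e-mail addresses, keys and app URL for the ordering app are constructed; the group claim name for Alan's Read access is taken from the slide.

```python
# Added toy of claims-based federation; not AD FS / "Geneva" code.
import base64
import hashlib
import hmac
import json


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityTokenService:
    """Issues signed claim tokens addressed to one relying party (the audience)."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer, self.key = issuer, signing_key

    def issue(self, subject: str, claims: dict, audience: str, now: float, lifetime: int = 300) -> str:
        payload = {"iss": self.issuer, "aud": audience, "sub": subject, "exp": now + lifetime, "claims": claims}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        return body + "." + _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())


class RelyingParty:
    """A claims-aware application: accepts tokens from exactly one issuer and key."""

    def __init__(self, name: str, trusted_issuer: str, trusted_key: bytes):
        self.name, self.issuer, self.key = name, trusted_issuer, trusted_key

    def validate(self, token: str, now: float) -> dict:
        body, _, signature = token.partition(".")
        expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("signature does not verify under the trusted key")
        payload = json.loads(_unb64(body))
        if payload["iss"] != self.issuer:
            raise PermissionError("untrusted issuer " + payload["iss"])
        if payload["aud"] != self.name:
            raise PermissionError("token was issued for a different audience")
        if now >= payload["exp"]:
            raise PermissionError("token has expired")
        return payload


class ResourceFederationServer(SecurityTokenService):
    """Contoso's resource federation server: validates the partner's token, then issues its own."""

    def __init__(self, issuer, signing_key, partner_issuer, partner_key):
        super().__init__(issuer, signing_key)
        self.inbound = RelyingParty(issuer, partner_issuer, partner_key)

    def federate(self, partner_token: str, audience: str, now: float) -> str:
        payload = self.inbound.validate(partner_token, now)
        claims = dict(payload["claims"], idp=payload["iss"])  # pass claims through, record their origin
        return self.issue(payload["sub"], claims, audience, now)


def sharepoint_access(claims: dict):
    """Rule from the slide: Adam as a named user, Alan via a group claim."""
    if claims.get("email") == "adam@fabrikam.example":          # constructed address
        return "Full Control"
    if "Federated Collaboration" in claims.get("groups", []):
        return "Read"
    return None


def ordering_app_access(claims: dict):
    """Rule from the slide: administrator access needs the Purchasing Admin group claim."""
    return "Administrator" if "Purchasing Admin" in claims.get("groups", []) else None


# Constructed trust configuration: Fabrikam -> Contoso, Contoso -> its two apps.
FABRIKAM_KEY, CONTOSO_KEY = b"fabrikam-to-contoso-trust", b"contoso-app-signing"
fabrikam_fs = SecurityTokenService("fs.fabrikam.example", FABRIKAM_KEY)
contoso_fs = ResourceFederationServer("sts1.contoso.com", CONTOSO_KEY, "fs.fabrikam.example", FABRIKAM_KEY)
sharepoint = RelyingParty("https://docs.contoso.com", "sts1.contoso.com", CONTOSO_KEY)
ordering_app = RelyingParty("https://orders.contoso.example", "sts1.contoso.com", CONTOSO_KEY)


def access_for(subject: str, claims: dict, now: float = 1_000_000) -> dict:
    """Walk one Fabrikam user through both hops and both Contoso apps."""
    partner_token = fabrikam_fs.issue(subject, claims, "sts1.contoso.com", now)
    result = {}
    for app, rule in ((sharepoint, sharepoint_access), (ordering_app, ordering_app_access)):
        app_token = contoso_fs.federate(partner_token, app.name, now)
        result[app.name] = rule(app.validate(app_token, now)["claims"])
    return result


def partner_token_rejected_directly(now: float = 1_000_000) -> bool:
    """SharePoint trusts only sts1.contoso.com, so a Fabrikam token presented directly fails."""
    token = fabrikam_fs.issue("adam", {"email": "adam@fabrikam.example"}, "sts1.contoso.com", now)
    try:
        sharepoint.validate(token, now)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(access_for("adam", {"email": "adam@fabrikam.example", "groups": ["Purchasing Admin"]}))
    print(access_for("alan", {"email": "alan@fabrikam.example", "groups": ["Federated Collaboration"]}))
    print(partner_token_rejected_directly())
```

The audience check is the part most often skipped in home-grown relying parties: without it, a token issued for the ordering app could be replayed against SharePoint, since both trust the same issuer key.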
Provision
Forefront Identity Manager helps provision users and designate access rights,
group membership and other user data in a more intelligent way. Build your
SharePoint perms correctly using Active Directory and use FIM to keep your
ongoing administration of Active Directory easy and scalable.
Auto Provision
Microsoft Forefront Identity Manager (FIM) 2010 enables auto-provisioning and de-provisioning based on policies and workflows
that allow better management of user access to corporate
applications.
User Self-Help
Reduce help desk costs by providing people with self-help tools to
manage routine tasks, such as creating groups, joining/leaving
groups as well as changing passwords or resetting smart card PINs.
Synchronize Identity Data
ILM 2007 as well as FIM keeps identity information synchronized
and consistent across a wide range of directories, databases, and
proprietary identity systems by aggregating this information in a
central repository.
Identity Management
Today: Microsoft Identity Lifecycle Manager 2007
• Identity Synchronization
• User Provisioning
• Certificate & Smartcard Management
Q1 CY 2010: Microsoft Forefront Identity Manager 2010
• User Management
• Credential Management
• Access Management
• Policy Management
• Common Platform: Connectors, Delegation, Workflow, Logging, Web Service API
• Integrated user experiences
• Spans user, credential, access and policy management
• Built on a common foundation
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.