When it comes to security in SharePoint 2010 infrastructure, there are many forms that I consider.

 

The first thing we need to get out of the way is that nothing is ever completely or truly secure. People might give clever definitions of something that could be completely secure but it is a utopia, something that can be imagined but never achieved. There is always a way around or through any security precaution that we construct. Now that it’s understood that there is no perfect scenario, we can move on to some security basics that can help to build a solid foundation upon which proper mitigating of security risks can begin.

To defend against the worst, IT people attempt to adhere to three core principles of information security: confidentiality, integrity, and availability. You can learn about CIA (Confidentiality, Integrity, Availability) inside Security+. I won’t talk about CIA as I want to concentrate on SharePoint infrastructure.

cia.png

Depending on your SharePoint topology, you must consider to following components to protect your SharePoint environment.

Windows Server 2008 Domain Controller

Active Directory is the heart of Windows Server system. Why did you choose Active Directory without choosing workgroup? Perhaps I don’t need to answer because you know Active Directory. Generally, we use Active Directory group to implement user profile although we can use SharePoint group. In Active Directory, you can implement NTLM or Kerberos authentication protocol. I learned about Kerberos mechanism about a week ago and I’m very interested in it. Kerberos has a number of advantages over NTML. With NTLM, authentication is only one-way that the server authenticates the client. With Kerberos, the client can also authenticate the server ensuring that the server, that is responding to the client request, is the correct server. That’s one of advantages that Kerberos allows you to improve security.

When you consider Kerberos, you can also implement Claim-Based authentication. I read Claim-Based Identity for Windows white paper from author David Chappell. It’s easy to understand Claim-Based authentication basics. However, when I configured Claim-Based authentication in Web application then I can’t log on to the SharePoint site. I am always prompted with logon dialog even though my account is valid.  I think because I didn’t configure Kerberos in Active Directory I can’t get token.

claim.PNG
Staying inside Windows Server 2008, you might consider Windows Firewall with Advance Security. Although we need third-party firewall product, Windows Firewall with Advance Security offers you some options. For example, you want to prevent 1433 port SQL because of virus SQL Slammer. In other word, 1433 port is the target. Another example; you want to prevent Firefox browser because you expect end user uses Internet Explorer. With these examples, Windows Firewall with Advance Security can help you.

In short, you need to secure the domain controller. Active Directory must be secured when you implement security SharePoint environment.

Web Server IIS 7

When you implement n-tier, Web server is at the core  of important to security. You can consider some of the following features:

  • IP and Domain restrictions: used to restrict access to requests clients make from specific IP address ranges or domain name. This feature allows you prevent attacks from the Internet, such as Ddos, some exploit technique.
  • Request filtering: used to restrict access to requests that meet established limits and do not contain known malicious patterns. In addition, Request filtering is used to restrict access to known application content that is not meant to be served to remote clients.
  • Authentication features: IIS 7 offers multiple authentication features that you can use to determine the identity of the client making the request. These include Windows Authentication (NTLM and Kerberos), Basic Authentication, Digest Authentication….

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are cryptographic protocols that provide secure Internet communications such as web browsing, instant messaging, e-mail, and VoIP.

According to CIA (Confidentiality, Integrity, Availability) inside Security+, I should consider Availability and then consider application pool. Isolating application pool allows you to prevent some errors in SharePoint services. One common error is 503 error service available.

SQL Server

SQL Server hosts content database, configuration database and service database. Because I’m not a SQL Server expert I just think about some key items such as permission database, encrypting data, auditing SQL Server instances and so on….

DMZ

When talking about computer security, a Demilitarized Zone (DMZ) is a special area of the network (sometimes referred to as a subnetwork) that houses servers which host information accessed by clients or other networks on the Internet. Some of these servers might include web, FTP, mail, and database computers. These servers might also be accessible to clients on the LAN. There are several ways to set up a DMZ; a common way is the 3-leg perimeter DMZ.

dmz.PNG

I have just found a useful article from
Phil Wicklund’s blog about DMZ architect for SharePoint extranet environment. 

My brother is taking an Analyzing Security course and he said that DMZ is a weak point. In other words, DMZ can be attacked via DNS, exploit technique or another. I haven’t learned about this yet.

Hardware Device

Let me say again about Availability, you should consider it and choose the right device, such as a switch or router. In addition, considering IPS/IDS is key when you deploy SharePoint outside the Internet.

ids-diagram.png

Firewall

I mentioned Windows Firewall with Advance Security but it only allows you some scenarios. You can learn Microsoft Forefront TMG because I think that these Microsoft products will work together effectively. However, if you implement high-level security, you must learn about some Firewall hardware such as Astaro, Sourcefire, Fortigate, …etc.

Antivirus program

In a SharePoint environment, you can’t avoid malicious entities such as viruses, worms, spyware from document, attached file …etc..Thus you should find third-party antivirus software such as Forefront Protection 2010 for SharePoint, Sysmantec, Norton, Kasperky …However, I appreciate Forefront Protection 2010 for SharePoint because of its features. Alternatively, the Microsoft family will work better than non-Microsoft products. At one time, I encountered a problem when I used Symantec. Symantec prevented w3wp.exe in my system which stopped my mail server from sending email to workflow participants. Therefore, let’s consider antivirus software because you can’t avoid some ambiguous problem…

fpsp10.png

Because I’m not a security expert. I've only shown some security fundamental to a SharePoint environment. I hope we can discuss the subject of security for SharePoint IT Pros so that our SharePoint environment is secured.