Chapter 15. Implementing and Validating SharePoint Security

Microsoft SharePoint Server 2013 was built to be a robust, capable, and scalable environment. Along with SharePoint’s capabilities comes the responsibility to secure its vital components, protecting them from attacks and data loss. Fortunately, SharePoint allows for a wide range of security functionality, features, and tools to properly secure a SharePoint farm. Knowledge of these capabilities is a must for a SharePoint administrator.

This chapter focuses on the aspects of information security that an organization can implement to protect information stored in a SharePoint environment. This includes server-level security from a network operating system (OS) and web services perspective, Active Directory integration, firewall and access to intranet and extranet information, file-level security for information stored and indexed on non-SharePoint-managed data stores, file-level security for information stored within a SharePoint-managed data store, user-level security for access to SharePoint data, and administrative controls to monitor and manage user and access security.

In addition, tools and services useful for securing SharePoint such as Internet Protocol Security (IPsec), Active Directory Rights Management Services (AD RMS), and others are covered to provide for enhanced security.

Enabling Kerberos is not a complex task, but there is a great deal of confusion about how to set it up. In simple terms, the most critical step is in the creation of a service principal name (SPN) that is associated with the account that runs as the application pool identity account for the web application. That SPN should match the exact name that users use to connect to the site. For example, if your web application is home.companyabc.com and the application pool identity service account that is used for that web application is COMPANYABCSVC_SPWA_Home, the following syntax is used to log in as a domain admin and on a domain controller, as shown in Figure 15.1:

Click here to view code image

Setspn.exe -A HTTP/home.companyabc.com COMPANYABCSVC_SPWA_Home

Create additional SPNs for any other names that will be used for SharePoint. In Figure 15.1, the additional flat name of home is added as an SPN as well. This is by far the most critical step when enabling Kerberos.

The second, and often forgotten step when enabling Kerberos, is to ensure that Kerberos is also enabled between the SharePoint web role servers and the SQL instance that runs SharePoint. To do this, create an SPN associated with the SQL Service account. For example, if your SQL instance is MSSQLSvc/spsql:1433 (the default instance running on the default port on SQL Server SPSQL) and your SQL Service account is SVC_SQL, you run the following command on a domain controller while logged in as a domain admin:

Click here to view code image

Setspn.exe  -A MSSQLSvc/spsql:1433 COMPANYABCSVC_SQL

These first two steps (along with the final step of actually enabling the web application for Kerberos) are all that you need to do to get base Kerberos functionality up and running. For scenarios that require delegation of Kerberos to other applications like Excel Services, however, you must complete an additional step. The application pool identity account must be set to allow delegation. You can do this from within the Active Directory Users and Computers tool by right-clicking the account, choosing Properties, selecting the Delegation tab, and choosing Trust This User/Computer for Delegation to Any Service (Kerberos only), as shown in Figure 15.2.

If the web application is not already configured for Kerberos, you must now turn Kerberos on from within SharePoint Central Administration. To do so, go to Application Management, Manage Web Application, choose the web application, and then click Authentication Providers. Click the Default link under Zone, and then change to Integrated Windows Authentication—Negotiate / (Kerberos), as shown in Figure 15.3.

The advantage to RBAC security is that if a user changes roles, he just needs to be removed from one group and added to another. This also makes it easier to audit if someone has gone outside the boundaries of his or her role.

For security and compliance reasons, it may become necessary to enforce data encryption of the SQL databases. Within SQL Server 2008 R2 and SQL Server 2012 Enterprise Edition, Microsoft includes a new feature known as Transparent Data Encryption (TDE) that allows for this type of functionality.

Encryption of SharePoint databases using SQL TDE is covered in detail in Chapter 17, “Safeguarding Confidential Data in SharePoint 2013.”

You can purchase SSL certificates from a third-party service or autogenerate them using Active Directory Certificate Services (AD CS), a concept discussed in more detail in later sections of this chapter.

Configuring IPsec is covered in step-by-step detail later in this chapter.

Use of edge security solutions for SharePoint is covered in Chapter 14, “Protecting SharePoint with Advanced Edge Security Solutions.”

Use of AD RMS in a SharePoint farm is covered in detail in Chapter 17.

Arising from these ideas is the concept of security through isolation. SharePoint servers running on an isolated network segment, for example, are highly secure compared to those directly located on the Internet. The following section deals with approaches to isolate users via security boundaries in SharePoint. Each option further isolates users and increases the security offered. With the increased security comes decreased functionality, however. The functional needs of an organization must be weighed against the security needs.

This model, although the most functional, is also the weakest in security. Administrators in parent sites can seize access, and users are subject to potential cross-site script attacks in this design, which limits its security.

Deploying users into separate site collections goes even further down the path of security and scalability. Separate site collections can be more easily scaled out than separate sites because each host can theoretically host millions of sites, if required. Both of these models are still vulnerable to cross-site scripting attacks, however. If a site is vulnerable to this type of activity, a more secure model may be needed.

If you do this, each site collection can be associated with a separate application pool. Each application pool is logically separate from the others and is theoretically not subject to failure if another one goes down or becomes corrupt. This setup also helps to further secure the SharePoint data because users are on separate physical processes from each other.

The ultimate security boundary for interconnected networks is to simply disconnect them from each other. It goes without saying that the most secure SharePoint farm is the one connected to an isolated network. Some major disadvantages apply to this, however, because access from any other location becomes impossible.

Physical security is a must for any organization because it is the most common cause of security breaches. Despite this fact, many organizations have loose levels, or no levels, of physical security for their mission-critical servers. An understanding of what is required to secure the physical and login access to a server is a must.

Most hardware manufacturers also include mechanisms for locking out some or all the components of a server. Depending on the other layers of security deployed, it may be wise to use these mechanisms to secure a server environment.

1. Choose Start, All Programs, Administrative Tools, Local Security Policy.

2. In the left pane, navigate to Security Settings, Local Policies, User Rights Assignment.

3. Double-click Allow Log On Locally.

4. Remove any users or groups that do not need access to the server, as shown in Figure 15.4. Click OK when finished.

The enforcement of SQL Server security should be one of the most important tasks SQL Server database administrators commit themselves to. Furthermore, to properly ensure that vulnerabilities are minimized, SQL Server security should be a part of both the test and production SQL Server systems.

Equally important, as a result of continuous advancements made by Microsoft, SQL Server 2008 R2/2012 have significant enhancements to the security model of the database platform, which now provides more precise and flexible control resulting in tighter security. Some of the features that have been enhanced include the advanced security of surface area reduction, data encryption, native encryption, authentication, granular permissions, and user and schema separations. These advancements contribute to Microsoft’s Trustworthy Computing initiative that defines the steps necessary to help support secure computing.

At present, numerous SQL Server security best practices are applicable when deploying SharePoint. The following sections discuss some of these best practices.

SQL Server continues to support two modes for validating connections and authenticating access to database resources: Windows authentication and SQL Server authentication. Both authentication methods provide the SharePoint application access to SQL Server and its resources, such as the SharePoint farm and content databases.

Even though SQL Server can now enforce policies such as SQL Server account password complexity, password expiration, and account lockouts, Windows authentication mode is still the recommended alternative for controlling access to SQL Server. The added advantage of Windows authentication is that AD provides an additional level of protection with the Kerberos protocol, and administration is reduced by leveraging AD groups when providing access to SQL Server.

None: Disables auditing so no events are logged

Successful Logins Only: Audits all successful login attempts

Failed Logins Only: Audits all failed login attempts

Both Failed and Successful Logins: Audits all login attempts

Security auditing is set to Failed Logins Only by default. It is a best practice to configure security auditing to capture both failed and successful logins. At the very least, security auditing should be set to Failed Logins Only. As a result, failed logins can be saved, viewed, and acted upon.

Application of a security template is straightforward and can be accomplished by applying a template directly to an OU, site, or domain via a Group Policy Object (GPO). Security templates can prove enormously useful in making sure that all servers have the proper security applied, but they come with a large caveat. Often, the settings defined in a template can be made too strict, and security templates that are too strong for a server can break application or network functionality. Therefore, you must test all security template settings before deploying them to production.

The need to make information unusable if intercepted is the basis for all transport-level encryption. Considerable effort goes into both sides of this equation: Security specialists develop schemes to encrypt and disguise data, and hackers and other security specialists develop ways to forcefully decrypt and intercept data. The good news is that encryption technology has developed to the point that properly configured environments can secure their data with a great deal of success, as long as the proper tools are used. SharePoint’s operating system, Windows Server, offers much in the realm of transport-level security, and deploying some or many of the technologies available is highly recommended to properly secure important data. This is particularly true for SharePoint content, because without transport-level security, the data sent between critical SharePoint systems, such as the communications between SharePoint web role servers and SQL database role servers, is unencrypted and can be intercepted.

Transport-level security in Windows Server uses multiple levels of authentication, encryption, and authorization to provide an enhanced degree of security on a network. The configuration capabilities supplied with Windows Server allow for the establishment of several layers of transport-level security.

PKI is a useful and often critical component of a SharePoint design. The PKI concepts can be used to create certificates to encrypt traffic to and from SharePoint virtual servers to the Internet. Using SSL, encryption is a vital method of securing access to a SharePoint site and should be considered as part of any SharePoint farm that enables access from the Internet.

Public key, or asymmetrical, encryption uses a combination of two keys mathematically related to each other. The first key, the public key, is widely available and can be used to encrypt the information. The second key, the private key, is kept closely guarded and is used to decrypt the information. The integrity of the public key is ensured through certificates. The asymmetric approach to encryption ensures that the private key does not fall into the wrong hands and only the intended recipient is able to decrypt the data.

Certificates are used for multiple functions, such as the following:

Secured SharePoint site access

Secured email

Web-based authentication

IPsec

Code signing

Certification hierarchies

Certificates are signed using information from the subject’s public key, along with identifier information such as name, email address, and so on, and a digital signature of the certificate issuer, known as the certificate authority (CA).

You can install certificate services for Windows Server as one of the following CA types:

Enterprise root CA: The root of a certificate chain that is also incorporated into an AD domain and can be used to automatically enroll clients and systems with certificates.

Enterprise subordinate CA: Must get a CA certificate from an enterprise root CA but can then issue certificates to all users and computers in the enterprise.

Standalone root CA: The root of a hierarchy that is not related to the enterprise domain information. Multiple standalone CAs can be established for particular purposes. An enterprise subordinate CA can be created from a standalone root CA, which is often the case in security situations where the root needs to be on a workgroup system, not a domain member.

Standalone subordinate CA: A standalone subordinate CA receives its certificate from a standalone root CA and can then be used to distribute certificates to users and computers associated with that standalone CA.

Smartcards have obvious advantages over standard forms of authentication. It is no longer possible to simply steal or guess someone’s username and password in this scenario because the username that allows access to SharePoint can be entered only via the unique smartcard. If stolen or lost, the smartcard can be immediately deactivated and the certificate revoked. Even if a functioning smartcard were to fall into the wrong hands, the PIN would still need to be used to properly access the system. Layering security in this fashion is one reason why smartcards are fast becoming a more accepted way to integrate the security of certificates and PKI into organizations.

IPsec is often considered to be one of the best ways to secure the traffic generated in an environment and is useful for securing all SharePoint farm servers in high-risk Internet access scenarios and also in private network configurations for an enhanced layer of security. Without a technology such as IPsec, communications between farm members can be intercepted and their contents easily defined.

Several functional IPsec deployments are available, and some of the more promising ones are actually built in to the network interface cards (NICs) of each computer, performing encryption and decryption without the operating system knowing what is going on. Aside from these alternatives, Windows Server includes a robust IPsec implementation by default, which can be configured to use a PKI certificate network or the built-in Kerberos authentication provided by AD on Windows Server.

Data privacy: All information sent from one SharePoint machine to another is thoroughly encrypted by such algorithms as 3DES, which effectively prevent the unauthorized viewing of sensitive data.

Data integrity: The integrity of IPsec packets is enforced through Encapsulating Security Payload (ESP) headers, which verify that the information contained within an IPsec packet has not been tampered with.

Anti-replay capability: IPsec prevents streams of captured packets from being re-sent, known as a replay attack, blocking such methods of obtaining unauthorized access to a system by mimicking a valid user’s response to server requests.

Per-packet authenticity: IPsec uses certificates or Kerberos authentication to ensure that the sender of an IPsec packet is actually an authorized user.

NAT transversal: The Windows Server implementation of IPsec now allows for IPsec to be routed through current Network Address Translation (NAT) implementations, a concept defined more thoroughly in the following sections.

Diffie-Hellman 2048-bit key support: Nearly unbreakable, Diffie-Hellman 2048-bit key lengths are supported in the Windows Server IPsec implementation, essentially ensuring that the IPsec key cannot be cracked.

The procedure outlined in the following sections illustrates the setup of a simple IPsec policy between two SQL servers that hold SharePoint farm databases (SQL01 and SQL02.) The OS on both servers is Windows Server 2012, but the following steps are very similar for Windows Server 2008 R2.

To view the current status of any IPsec policies, including the ones that are created in this procedure, the IPsec Security Monitor Microsoft Management Console (MMC) snap-in on SQL01 needs to be opened. The MMC snap-in can be installed and configured as follows:

1. Open PowerShell and type mmc into the PowerShell dialog box. Click OK when complete.

2. In MMC, choose File, Add/Remove Snap-In.

3. Scroll down and select IP Security Policy Management and click Add.

4. Select Local Computer and click Finish.

5. Scroll down and select IP Security Monitor; then click the Add button, followed by the OK button.

6. Both the IP Security Policies and the IP Security Monitor MMC snap-in should now be visible, as shown in Figure 15.5. Click OK.

7. In MMC, expand to Console RootIP Security MonitorSQL01.

8. Right-click SQL01 and choose Properties.

9. Change the Auto Refresh setting from 45 seconds to 5 seconds or less. Click OK when finished. You can then use the MMC IP Security Monitor console to view IPsec data.

1. From the MMC console set up in the previous section, as shown in Figure 15.6, right-click IP Security Policies on Local Computer, and then click Create IP Security Policy.

2. Click Next at the Welcome Wizard.

3. Give a name to the IP security policy, such as SharePoint IP Security Policy, and click Next to continue.

4. Do not check the box to activate the default response rule, but do click Next to continue. The default response rule is only used for down-level systems.

5. Leave the Edit Properties check box marked and click the Finish button.

6. In the Security Rules dialog box, click Add.

7. Click Next to continue.

8. At the Tunnel Endpoint dialog box, choose that the rule does not specify a tunnel, and click Next to continue.

9. In the Network Type dialog box, choose All Network Connections and click Next to continue.

10. In the IP Filter List dialog box, click Add to add an IP filter.

11. Give a name to the IP filter, and then click Add.

12. Click Next at the Welcome Wizard.

13. Leave the Mirrored check box checked and click Next to continue.

14. For Source Address, leave the default at Any IP Address and click Next.

15. For Destination Address, leave the default at Any IP Address and click Next.

16. For Protocol, leave the default at Any, shown in Figure 15.7, and click Next.

17. Click Finish at the Completion Wizard for the IP filter.

18. Tick the circle for the filter list just created, and then click Next to continue.

19. Under Filter Action, click Add to create a filter action.

20. At the Welcome Wizard, click Next to continue.

21. Enter a name and description for the filter action and click Next.

22. Choose Negotiate Security, shown in Figure 15.8, and click Next to continue.

23. Select Do Not Allow Unsecured Communication and click Next to continue. Note that if you have servers that do not support IPsec, you may have to choose the less-secure option to allow unsecured communications in some cases.

24. In the IP Traffic Security dialog box, choose the security method of Integrity and Encryption and click Next to continue.

25. Click Finish.

26. Tick the circle for the filter action just created, as shown in Figure 15.9, and click Next to continue.

27. Select Kerberos v5 authentication and click Next to continue.

28. Click Finish to complete the wizard.

29. The Security Policy Settings should look similar to what is shown in Figure 15.10. Click OK to close the dialog box.

30. From within the IP Security Policies MMC snap-in, choose the SharePoint security policy just created, right-click it, and choose Assign.

31. Repeat on additional SharePoint servers in the farm.

A quick look at the IP security monitor that was established in MMC on SQL01 shows that IPsec traffic has been initialized and is logging itself. Traffic statistics, such as those shown in Figure 15.11, should therefore be shown. All communications between the two servers are now highly encrypted and secured.

These default IPsec policies are useful in establishing ad hoc IPsec between SharePoint clients on a network but are limited in their scope. Enterprise-wide IPsec policies can be accomplished through the use of group policies, but proper planning of an enterprise IPsec implementation is necessary to effectively secure an entire environment using custom IPsec policies.

Using a layered approach to security with SharePoint, it becomes possible to deploy multiple lines of defense against hackers, scripts, or snoops. SharePoint combines its integrated security with the security capabilities of the Windows Server operating system and the lockdown capabilities of the Baseline Security Analyzer, allowing for robust file security and physical security. All these options make SharePoint a formidable product, ready-for-enterprise deployment.

In addition, transport-level security in the form of IPsec can greatly secure interserver communications between SharePoint farm members, reducing the risk of data being intercepted and exposed.

Use a layered approach to security, with more than one mechanism in place to deter attackers.

After validating in a prototype environment, use the latest patches and updates on SharePoint servers to further protect the server against attack.

Use SSL certificates on any SharePoint traffic that traverses a public network such as the Internet.

Use an internal PKI deployment with AD CS to generate SSL certificates for SharePoint if third-party certificates are not being used.

Physically secure SharePoint servers behind locked doors and in secure locations.

Highly consider the use of IPsec to encrypt traffic between SharePoint servers.

Design SharePoint with isolation approaches to security in mind.

Use Server Security templates to secure the Windows Server operating system that SharePoint runs on, but ensure that the security settings are tested in advance.

Restrict login access to SharePoint servers.

Consider the use of PKI smartcards for user authentication to SharePoint.

Limit anonymous access to SharePoint farms that do not contain any proprietary information.

Limit console logins on SharePoint servers to select administrators.

Enable password and account lockout policies on SharePoint servers.