Securing Content

Grouping sites so that subsites inherit the site groups of their parent sites reduces the time spent on security administration by taking advantage of security inheritance, a feature that is native to SharePoint. If you manage the membership of a site group on one site and then use that group on multiple sites, the membership is more likely to be maintained accurately and consistently than if you maintain separate groups in multiple sites.

You can use site security groups across a site collection to ease administration. These are the Visitors, Members, and Owners groups that SharePoint creates, or any custom groups that you define for the site collection. If a portion of your site has unique security requirements, it is a good candidate for breaking inheritance and then changing the permissions given to your SharePoint groups, removing one or more groups entirely from the site, or creating and managing new, separate groups.

The following scenarios are examples of how an organization’s business needs will translate into security settings and how they are applied to SharePoint sites and features.

Team collaboration

Many organizations deploy SharePoint based on its collaboration merits alone. In a collaborative environment, it is important to determine the correct level of access for users to ensure safe collaboration without breaking some of the valuable features that support the synergistic nature of team collaboration.

SharePoint collaboration sites, or Team Sites, are generally effective for teams of 50 people or fewer. Managing security for a small set of users on an individual basis should not be too daunting; however, you may still need to allow different levels of access and manage users in groups. For example, you may have a team of engineers who require the ability to create, edit, and delete content. You may want to add the engineers individually to the site members group. For executives, you may want to add an NT security group that already contains the executive team in Active Directory to the site visitors group. You are then managing individual users in a SharePoint group and using an Active Directory security group to manage visitor access to the site.

Securing anonymous content

If your organization publishes content to anonymous users on the Internet, you may want to have areas on the site that are available only to logged-in (authenticated) users. While anonymous users will see content published for external viewing, managing and assigning tasks and publishing content can and should be limited to authenticated users.

Note

If a content manager accidentally links to secured content, anonymous users will be prompted to log in. As a best practice, test your Internet-facing site with an anonymous test user.


Companies often use a simple ASP.NET or HTML page as the first page accessed by anonymous users on a public Internet site. SharePoint pages have to load quite a bit of code when first accessed, and they make requests to the database for dynamic content, which can also take longer to render. Using a simple page as the first page allows for a fast initial load, and that page can point users to areas that require a login or that take advantage of SharePoint lists and other functionality.

Enterprise portal/intranet security

Most organizations' portal taxonomies are based on their departmental structure. Users accessing the portal to perform tasks will require rights that are mapped to the department they work in or to the task they are performing. For example, in Human Resources, most content will be read-only content; however, SharePoint lists and workflow can be used to manage vacation requests, benefit change requests, and other HR-related tasks.

Turning site features on and off

One way to limit and control activities on a site is to turn on only the site features that are relevant to your application. In the same way that limiting ports reduces the threat area on your server, reducing the number of available features can have a similar effect from a security perspective.

Based on the site template that you choose, SharePoint turns on the site features needed to support the template. You can change the site features after the site is created if you need additional features. The available site features for both MOSS and WSS are:

  • Team Collaboration Lists: Provides team collaboration capabilities for a site by making standard lists, such as document libraries and issues, available.

  • Mobility Shortcut URL: Provides a shortcut URL (/m) to a mobile device-accessible version of the list.

The site features available for MOSS sites only are:

  • Office SharePoint Server Enterprise: Features such as the Business Data Catalog, forms services, and Excel services included in the Office SharePoint Server Enterprise License.

  • Slide Library: Create a slide library when you want to share slides from Microsoft Office PowerPoint, or a compatible application. Slide libraries also provide special features for finding, managing, and reusing slides.

  • Translation Management Library: Create a translation management library when you want to create documents in multiple languages and manage translation tasks. Translation management libraries include a workflow to manage the translation process and provide subfolders, file versioning, and check-in/check-out.

  • Document Center Enhancements: Provides tree-view navigation for a site.

  • Office SharePoint Server Publishing: Office SharePoint Server Publishing

  • Office SharePoint Server Standard: Features such as user profiles and search, included in the Office SharePoint Server Standard License.

To activate or deactivate site features, perform the following steps:

1. From the Site Actions menu in the top-left corner, choose Site Settings.

2. Click Site features in the Site Administration section.

3. Click Activate for any feature that you want to enable, or Deactivate for any feature that you want to disable.
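
To check the result of this procedure across a whole site collection, the following added example (not from the book) lists the visible site features that are active on each site but absent from an approved baseline. It uses the SharePoint object model from PowerShell; the URL is a placeholder and the two baseline feature names are assumptions to confirm against your own farm.

```powershell
# Added example, not from the book. Run on a SharePoint 2007 server with
# PowerShell 2.0 or later (assumed) under an account that can open the site collection.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

$siteUrl  = 'http://sharepoint.example.local'    # placeholder URL
# Assumed internal feature names for the approved baseline; confirm them
# against this script's own output before relying on the comparison.
$approved = @('TeamCollab', 'MobilityRedirect')

function Get-UnapprovedFeature {
    param([string]$Url, [string[]]$Baseline)
    $site = New-Object Microsoft.SharePoint.SPSite($Url)
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($feature in $web.Features) {
                    $def = $feature.Definition
                    if ($def -eq $null) {
                        # Active feature whose definition is missing from the farm.
                        $name = "(no definition) $($feature.DefinitionId)"
                    } elseif ($def.Hidden -or ($Baseline -contains $def.DisplayName)) {
                        continue    # hidden plumbing feature, or approved
                    } else {
                        $name = $def.DisplayName
                    }
                    New-Object PSObject -Property @{ Web = $web.Url; Feature = $name }
                }
            } finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
        }
    } finally { $site.Dispose() }
}

Get-UnapprovedFeature -Url $siteUrl -Baseline $approved |
    Sort-Object Web, Feature | Format-Table Web, Feature -AutoSize
```

Only features scoped to individual sites are examined; features activated at the site collection level are held in a separate collection and are not reported here.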

Security groups

During site creation the groups in Table 10.3 are created by default. During subsite creation, your sites inherit the same groups and their associated permissions.

Table 10.3. Default Security Groups
Group Name | Group Description
--- | ---
Approvers | Members of this group can edit and approve pages, list items, and documents.
Designers | Members of this group can edit lists, document libraries, and pages in the site. Designers can create master pages and page layouts in the Master Page Gallery and can change the behavior and appearance of each site in the site collection by using master pages and CSS files.
Site Members | Use this group to give people contribute permissions to the SharePoint site: Test Site.
Hierarchy Managers | Members of this group can create sites, lists, list items, and documents.
NT AUTHORITY\authenticated users | All users in the Active Directory are members of the authenticated users group by default.
Quick Deploy Users | Members of this group can schedule Quick Deploy jobs.
Restricted Readers | Members of this group can view pages and documents, but cannot view historical versions or review user rights information.
Style Resource Readers | Members of this group are given read permission to the Master Page Gallery and the restricted read permission to the Style Library. By default, all authenticated users are a member of this group. To further secure this site, you can remove all authenticated users from this group or add users to this group.
Site Owners | Use this group to give people full control permissions to the SharePoint site: Test Site.
Site Visitors | Use this group to give people read permissions to the SharePoint site: Test Site.
Viewers | Members of this group can view pages, list items, and documents. If the document has a server rendering available, they can view the document using only the server rendering.

You may want to create a new group, manage it separately, and assign it permissions. To do this, you would break inheritance when you create the subsite. You can break inheritance during site creation or after the site has been created. If you break it during site creation, the groups from the parent site will not be added to your subsite.

Note

New groups are created during subsite creation with unique permissions. Those new groups will be added to the list of site collection SharePoint groups.


Creating a site with unique permissions

1. From the home page of your site where the subsite will reside, click Site Actions.

2. Click Create Site, give your site a unique title, and fill in the description.

3. Assign your site a unique URL in the Web Site Address section.

4. In the Template Selection section, select a template for your new subsite.

Figure 10.19 shows that a Team Site has been selected.

Figure 10.19. New SharePoint site

5. Scroll down to the Permissions section and select Use unique permissions.

6. Click Create.

7. On the Set Up Groups for this Site page, you can choose an existing group to manage existing permissions or create new ones; in this example you will create new ones. In the Visitors to this Site section, click the Create a new group radio button.

8. SharePoint automatically suggests group names.

Tip

By clicking the Add All Authenticated Users button in the Visitors to this Site section, you can give all users in your organization read access to the content stored in this site.

9. Your screen should be similar to Figure 10.20. Click OK.

Figure 10.20. Set Up Groups for this Site screen


You have now created a site that has unique permissions, and security can be managed separately from your site collection.

Breaking inheritance for an existing site

If you already have a site created that requires permissions managed separately from its parent site, the following steps will break inheritance:

1. From the home page of your site, click Site Actions.

2. Click Site Settings, and in the Users and Permissions section, select Advanced permissions.

3. In the list heading for permissions, choose Edit Permissions from the Actions menu, as shown in Figure 10.21.

Figure 10.21. Site Permissions dialog

4. A dialog box appears, warning you that you are about to create unique permissions for this site. Changes made to the parent Web site permissions will no longer affect this Web site. Click OK.

Warning

Although inheritance has been broken, the security groups from the parent site still exist on this site, so users who are added to or removed from those groups still gain or lose the corresponding access that the groups had previously been granted here.


Creating a new permission level

To create a new permission level, follow these steps:

1. From the home page of your site, click Site Actions, and then click Site Settings.

2. In the Users and Permissions group, select People and groups.

3. In the left navigation, click Site Permissions.

4. In the Permissions toolbar, choose Permission Levels from the Settings menu.

5. From the Permission Levels page, click Add a Permission Level.

6. In the Name and Description section, type View Usage Reports as shown in Figure 10.22.

Figure 10.22. Add a Permission Level

7. In the Permissions section under the Site Permissions heading, check the View Usage Data box.

Note

When you select View Usage Data, the other permissions that it requires are selected automatically so that the user has proper access to the feature. In this example, View Pages and Open have automatically been checked.

8. Click Create. This completes the creation of the new permission level.

Creating a new SharePoint group

If you find you need different rights than those available by default, creating a new permission is a way to customize and fine-tune the security access.

1. From the home page of your site, click Site Actions, and then click Site Settings.

2. Click Advanced permissions in the Users and Permissions section.

3. In the Permissions list toolbar, click New.

4. Select New Group to create the new group.

5. In the Name and About Me Description section, type Usage Reporters in the Name text box.

6. In the Owner section, add the appropriate user; by default, this is the user who created the site.

Note

The owner can modify anything about the group. Only one user can be the owner.

7. In the Group Settings section, select who can view and edit the membership of the group.

8. In the Membership Requests section, select whether to allow requests to join or leave this group.

Warning

If you select Yes for the auto-accept option, all users requesting access to this group will automatically be added.

9. In the Give Group Permissions to this Site section, check the View Usage Reports permission level created earlier. Click Create.

10. To edit the group settings for this group, in the People and Groups list toolbar, click Settings and click Group Settings.

Configuring list and library item security

With SharePoint 2007, you can set security for an entire list, or you can configure item-level security on the contents of your lists and libraries. This allows you to combine items in libraries that make sense for navigation and views while still preserving the security of your items.

To configure security for a list or library item, follow these steps:

1. Left-click the item for which you want to manage permissions and choose Manage Permissions from the edit menu, as shown in Figure 10.23.

Figure 10.23. Managing Permissions for a list item

2. Choose Edit Permissions from the Actions menu to copy permissions from the parent list or library and to discontinue inheritance of permissions. Items inherit permissions from the parent list until this action has been taken.

3. Choose Add Users from the New menu to add users with permissions to the item.

If you want to remove users, select the users in the permissions list that you want to remove and choose Remove User Permissions from the Actions menu, as shown in Figure 10.24.

Figure 10.24. Removing permissions for users on a document


If you want to edit permissions for existing users, select the users in the permissions list that you want to modify and choose Edit User Permissions from the Actions menu.
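
Once inheritance has been broken on sites, lists, and items as described in this section and in "Breaking inheritance for an existing site," it helps to see every place where permissions are managed separately and who holds them. The following added example (not from the book) walks a site collection with the SharePoint object model and reports each grant on objects with unique permissions, distinguishing SharePoint groups, directory groups, and individually added users; the URL is a placeholder and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the book. Run on a SharePoint 2007 server.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')
$siteUrl = 'http://sharepoint.example.local'   # placeholder site collection URL

# Emit one row per grant on a securable object (site, list, or item).
function Get-Grant {
    param($Securable, [string]$Scope, [string]$Location)
    foreach ($ra in $Securable.RoleAssignments) {
        # Skip Limited Access (SPRoleType.Guest), which SharePoint adds automatically.
        $levels = @($ra.RoleDefinitionBindings |
            Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest } |
            ForEach-Object { $_.Name })
        if ($levels.Count -eq 0) { continue }
        $m = $ra.Member
        if ($m -is [Microsoft.SharePoint.SPGroup]) { $kind = 'SharePoint group'; $who = $m.Name }
        elseif ($m.IsDomainGroup)                  { $kind = 'Directory group';  $who = $m.LoginName }
        else                                       { $kind = 'Individual user';  $who = $m.LoginName }
        New-Object PSObject -Property @{
            Scope = $Scope; Location = $Location; Kind = $kind
            Principal = $who; Levels = ($levels -join ', ')
        }
    }
}

function Get-UniquePermissionReport {
    param([string]$Url)
    $site = New-Object Microsoft.SharePoint.SPSite($Url)
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) { Get-Grant $web 'Site' $web.Url }
                foreach ($list in $web.Lists) {
                    $where = "$($web.Url) / $($list.Title)"
                    if ($list.HasUniqueRoleAssignments) { Get-Grant $list 'List' $where }
                    # Items only; folders live in $list.Folders. Slow on very large lists.
                    foreach ($item in $list.Items) {
                        if ($item.HasUniqueRoleAssignments) { Get-Grant $item 'Item' "$where / $($item.Url)" }
                    }
                }
            } finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
        }
    } finally { $site.Dispose() }
}

Get-UniquePermissionReport -Url $siteUrl | Sort-Object Location, Kind |
    Format-Table Scope, Location, Kind, Principal, Levels -AutoSize
```

Rows of kind "SharePoint group" on a site with unique permissions are the case the earlier Warning describes: membership changes made to that group anywhere in the site collection still change access on that site.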
