Best Practices

• Secure your extranet with SSL encryption and always use port 443 inbound only. Using nonstandard ports does not improve security and only complicates the farm configuration. Some services will not work on nonstandard ports.

• Choose your authentication mode based on your requirements. Multi-authentication offers a seamless collaboration experience with a single URL, but users always have to choose the authentication method when entering the site. Mixed-mode authentication requires extending the web application; therefore, users may experience confusion due to multiple URLs.

• When using additional zones and extending web applications, name the web applications and URLs intelligently and intuitively.

• Don’t store confidential and secure data in an extranet.

• Use web applications for isolation, security, and confidentiality.

• Use SharePoint-specific antivirus products such as Microsoft’s Forefront Protection for SharePoint (FPSP), as opposed to traditional file-based antivirus products. Traditional antivirus products can cause problems while scanning content and don’t work properly with the SharePoint antivirus API.

• WFE servers should always be in a secured network. Seek opportunities to reduce the vulnerability surface area.

• Consider placing application servers on a private, nonroutable subnet for secure SharePoint inter-farm communication. Also, consider securing communication between SharePoint servers (interserver communication) through IPsec.

• Create one or more service application connection groups for the extranet web applications. This will ensure that only specific service applications are enabled for use by the extranet web applications.

• Use unique application pools with unique application pool accounts for all extranet web applications to ensure proper isolation.
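The following SharePoint Management Shell sketch is an added example, not taken from the book. It provisions an extranet web application that follows the port 443, connection group, and unique application pool items above. The URL, account name, pool and group names, and the list of allowed service connection type names are assumed placeholder values.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed placeholder values; replace with your own.
$hostHeader  = 'partners.example.com'
$appPoolName = 'ExtranetPartnersAppPool'
$poolAccount = 'EXAMPLE\svc-extranet-pool'
$groupName   = 'ExtranetPartners'
# Only these service application connections are exposed to the extranet (assumed type names).
$allowedTypes = @('Managed Metadata Service Connection',
                  'Search Service Application Proxy')

# Refuse to continue if the pool name or account is already used by another web application,
# since sharing either one defeats the isolation the dedicated pool is meant to give.
$clash = Get-SPWebApplication | Where-Object {
    $_.ApplicationPool.Name -eq $appPoolName -or
    $_.ApplicationPool.Username -eq $poolAccount
}
if ($clash) {
    throw "Pool name or account already in use by: $($clash | ForEach-Object { $_.Url })"
}

# Register the dedicated service account as a managed account (prompts for its password).
$account = New-SPManagedAccount -Credential (Get-Credential $poolAccount)

# Create a dedicated connection group and add only the allowed connections to it.
$group = New-SPServiceApplicationProxyGroup -Name $groupName
Get-SPServiceApplicationProxy |
    Where-Object { $allowedTypes -contains $_.TypeName } |
    ForEach-Object { Add-SPServiceApplicationProxyGroupMember -Identity $group -Member $_ }

# Claims-based Windows authentication provider for the default zone.
$authProvider = New-SPAuthenticationProvider

# SSL on the standard port 443, own application pool, own account, own connection group.
New-SPWebApplication -Name 'Extranet - Partners' `
    -URL "https://$hostHeader" -HostHeader $hostHeader -Port 443 -SecureSocketsLayer `
    -ApplicationPool $appPoolName -ApplicationPoolAccount $account `
    -AuthenticationProvider $authProvider `
    -ServiceApplicationProxyGroup $group
```

The IIS site created for the web application still needs a server certificate bound to its 443 binding before it will serve HTTPS requests.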
