SharePoint Security - Part 1: Introduction

    I think everyone is aware of the high role of security in enterpise systems. Such systems are the central repositories of the organization’s information. This allows you to present the organization’s documents in a structured form, to simplify their search. Depending on the type of system (CRM, ERP, ECM), information can mean:
    - information about employees;
    - customer contact information;
    - contracts and other important documents;
    - reports and statistics;
    - financial information.

    Access to this information by third parties can lead to serious consequences. Therefore, the main task of any security system is to protect against unauthorized access, as well as ensuring the integrity and accessibility of information.

    Things would seem obvious and understandable, everyone understands the importance of security in industrial-grade software products, but in reality the security of implemented solutions is far from always at the proper level . It seems to me that there are several reasons for this.

    The first and obvious reason is the complexity of the systems, due to their scale. There is no getting away from this. Systems of this kind usually consist of many components that interact with each other. This certainly leaves its mark on the security system - usually for each such connection it is necessary to consider the security issue: create and configure accounts, grant rights, configure encryption, etc.

    Systems of this size are often closely integrated with components of the operating system and third-party programs. This requires that the administrators who implement and maintain such systems have serious knowledge backed up by experience. Dry theory is not enough in the case of any systems and technologies, in the case of enterprise systems - even more so. And finding administrators with experience implementing and supporting such systems is not easy.

    The second reason that is usually thought of little is the lack of security planning before the implementation of the system. And this step is very important. Many security problems are related to the fact that they begin to deal with it after the system is installed. Often during installation, the default settings are applied, while not taking into account the fact that they rarely satisfy the requirements of a particular organization. And each case requires individual consideration.

    The reasons for the lack of security planning are often the tight deadlines for the delivery of the project (with more emphasis on the business component). However, there are cases when the reason is the “holy faith” in the universality of the default settings and their applicability for a particular case.

    SharePoint is an enterprise system, so the topics discussed above also apply to it. The goal of this series of articles is to bring together the basic security information for this Microsoft product.

    The information in the articles is relevant for the following versions of SharePoint: Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0

    Security in SharePoint is implemented at several logical levels (the term defense-in-depth is often used in Microsoft articles). To create fully-fledged and secure portals and applications, a clear understanding of the security system at each level is necessary.

    SharePoint includes many components and supports easy integration with third-party products, but is primarily a platform for web applications. By a web application platform, I mean a system for easily creating and configuring intranet portals and their components: pages, input forms, workflows, search engine, forums, blogs, wiki, etc. ...

    In addition to intranet applications, SharePoint also allows you to create regular Internet sites with anonymous access and free registration, as well as extranet solutions. This is also reflected in the SharePoint security system, in particular in the choice of authentication and encryption methods.

    A distinctive feature of SharePoint is its maximum flexibility in the distribution of rights to create, delete, view objects and other operations. Rights can be granted both to a group of users and to a specific user and for a specific document. Illiterate distribution of rights to objects can lead to “security holes”, which can lead to hacking of the system and loss of information in the future. Therefore, it is necessary to clearly know and understand how the system of distribution of rights and roles is arranged, and also to know the purpose and rights of the built-in user groups.

    SharePoint is also known for its ability to integrate with third-party applications, systems, databases, which certainly affects the security system. For convenience, the information in the article is divided into several parts.

    As noted above, an important point is the advance planning of security, proper selection of accounts for services. These issues, as well as a general description of the security architecture will be discussed in the second part of the article.

    Often, when configuring the security of SharePoint and other systems of this level, the main focus is on protecting the system from unauthorized access from the outside. However, in addition to this, it is worth paying attention to the delimitation of access rights for already authorized users. This topic is discussed in the third part of the article. It explains the basics of securing SharePoint sites: roles, groups, rights, rights levels, and describes standard user groups.

    The fourth part of this article will cover the SharePoint Security API. The article will contain code examples on creating, deleting users, their rights, groups, and assigning access rights to objects. The issues of role inheritance and impersonation using code will also be considered.

    SharePoint is known for its ability to expand functionality by developing custom descriptions of lists, content types, workflows, forms, and the final web parts. The Internet is full of articles on this issue, but unfortunately only a small part of them touch upon security issues when developing your own components. The fifth part of the article will try to cover this issue in more detail. A detailed description of CAS (Code Access Security), trust levels and Safe Controls will be given. It will also provide information on which accounts run SharePoint services (workflows, event listeners, timer jobs).

    However, I would like to note that the article will not provide all the information on the issue of SharePoint security. Therefore, the text and at the end of each article will provide links to resources where a detailed description of a particular issue can be found.

    PS Despite the “watery nature” of this introduction, the following articles will be technical in nature and will be primarily intended for administrators of SharePoint servers and programmers who develop applications for SharePoint and use its API.

    Comments, comments and healthy criticism are welcome. Thanks for attention.

    Also popular now: