SharePoint security - Part 1: Introduction
I think everyone is aware of the high role of the security system in enterpise systems. Such systems are central repositories of organization information. This allows you to submit documents of the organization in a structured way, simplify their search. Depending on the type of system (CRM, ERP, ECM), information may be implied:
- information about employees;
- customer contact details;
- contracts and other important documents;
- reports and statistics;
- financial information.
Having access to this information by third parties can lead to serious consequences. Therefore, the main task of any security system is to protect against unauthorized access, as well as ensuring the integrity and availability of information.
Things would seem obvious and understandable, everyone understands the importance of security in industrial-level software products, but in fact the security of the implemented solutions does not always turn out to be at the proper level. . There are several reasons for this, I think.
')
The first and obvious reason is a certain complexity of the systems, due to their scale. From this you can not get anywhere. Systems of this kind usually consist of many components that interact with each other. It certainly leaves its mark on the security system - usually for each such connection it is necessary to consider the security issue: create and configure accounts, distribute rights, configure encryption, etc.
Systems of this size are often closely integrated with components of the operating system and third-party programs. This requires that administrators who implement and maintain such systems have serious knowledge backed up by experience. The dry theory is not enough in the case of any systems and technologies, in the case of enterprise systems - all the more. And finding administrators with experience in implementing and maintaining such systems is not easy.
The second reason, which is usually little thought about - is the lack of security planning prior to the implementation of the system. And this step is very important. Many security problems are related to the fact that they begin to deal with it after the system is installed. Often, the default settings are applied during installation, and they do not take into account the fact that they rarely meet the requirements of any particular organization. And each case requires individual consideration.
The reasons for the lack of security planning are often pushing deadlines for the delivery of the project (with more attention focused on the business component). However, there are cases when the cause is “holy faith” in the universality of the default settings and their applicability for a particular case.
SharePoint is an enterprise system, so the topics covered above also apply to it. The purpose of this article series is to gather together basic information about the security system of this Microsoft product.
The information contained in the articles is relevant for the following versions of SharePoint: Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0
Security in SharePoint is implemented at several logical levels (the term defense-in-depth is often used in Microsoft articles). To create fully-fledged and secure portals and applications, a clear understanding of the security system at each level is essential.
SharePoint includes many components and supports easy integration with third-party products, but primarily represents a platform for web applications. By web application platform, I mean a system for simply creating and configuring intranet portals and their components: pages, input forms, workflows, a search engine, forums, blogs, wiki, etc…
In addition to the intranet, SharePoint applications also allow you to create regular web sites with anonymous access and free registration, as well as extranet solutions. This is also reflected in the SharePoint security system, in particular in the choice of authentication and encryption method.
A distinctive feature of SharePoint is its maximum flexibility in the distribution of rights to create, delete, view objects and other operations. Rights can be granted as a group of users, as well as a specific user and for a particular document. The illiterate distribution of rights to objects can lead to “security holes”, which can lead to system hacking and information loss in the future. Therefore, it is necessary to clearly know and understand how the system of distribution of rights, roles, as well as the purpose and rights of the built-in user groups are organized.
SharePoint is also known for its ability to integrate with third-party applications, systems, databases, which certainly affects the security system. For readability, the article is divided into several parts.
As noted above, an important point is the advance planning of security, competent selection of accounts for services. These issues, as well as a general description of the security architecture will be discussed in the second part of the article.
Often, when setting up security for SharePoint and other systems of a similar level, the focus is on protecting the system from unauthorized access from outside. However, in addition to this, it is worth paying attention to the differentiation of access rights for already authorized users. This topic is discussed in the third part of the article. It explains the basics of SharePoint site security: roles, groups, rights, levels of rights, and describes the standard user groups.
The fourth part of the article will look at the SharePoint Security API. The article will contain examples of code for creating, deleting users, their rights, groups, assigning access rights to objects. The issues of role inheritance and impersonation using code will also be considered.
SharePoint is known for its ability to expand functionality by developing custom descriptions of lists, content types, workflows, forms, and the final web parts. The Internet is full of articles on this issue, but unfortunately only a small part of them covers security issues when developing your own components. The fifth part of the article will try to consecrate this question as precisely as possible. A detailed description of CAS (Code Access Security), levels of trust and Safe Controls will be given. There will also be information about what accounts SharePoint services are launched under (workflows, event listeners, timer jobs).
It would be desirable, however, to note that the article will provide far from all the information on the issue of SharePoint security. Therefore, the text and at the end of each article will provide links to resources where a detailed description of a particular issue can be found.
PS In spite of the “wateriness” of this introduction, subsequent articles will be technical in nature and will be mainly intended for SharePoint administrators of servers and programmers who develop applications for SharePoint and use its API.
Comments, comments and healthy criticism are welcome. Thanks for attention.
- information about employees;
- customer contact details;
- contracts and other important documents;
- reports and statistics;
- financial information.
Having access to this information by third parties can lead to serious consequences. Therefore, the main task of any security system is to protect against unauthorized access, as well as ensuring the integrity and availability of information.
Things would seem obvious and understandable, everyone understands the importance of security in industrial-level software products, but in fact the security of the implemented solutions does not always turn out to be at the proper level. . There are several reasons for this, I think.
')
The first and obvious reason is a certain complexity of the systems, due to their scale. From this you can not get anywhere. Systems of this kind usually consist of many components that interact with each other. It certainly leaves its mark on the security system - usually for each such connection it is necessary to consider the security issue: create and configure accounts, distribute rights, configure encryption, etc.
Systems of this size are often closely integrated with components of the operating system and third-party programs. This requires that administrators who implement and maintain such systems have serious knowledge backed up by experience. The dry theory is not enough in the case of any systems and technologies, in the case of enterprise systems - all the more. And finding administrators with experience in implementing and maintaining such systems is not easy.
The second reason, which is usually little thought about - is the lack of security planning prior to the implementation of the system. And this step is very important. Many security problems are related to the fact that they begin to deal with it after the system is installed. Often, the default settings are applied during installation, and they do not take into account the fact that they rarely meet the requirements of any particular organization. And each case requires individual consideration.
The reasons for the lack of security planning are often pushing deadlines for the delivery of the project (with more attention focused on the business component). However, there are cases when the cause is “holy faith” in the universality of the default settings and their applicability for a particular case.
SharePoint is an enterprise system, so the topics covered above also apply to it. The purpose of this article series is to gather together basic information about the security system of this Microsoft product.
The information contained in the articles is relevant for the following versions of SharePoint: Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0
Security in SharePoint is implemented at several logical levels (the term defense-in-depth is often used in Microsoft articles). To create fully-fledged and secure portals and applications, a clear understanding of the security system at each level is essential.
SharePoint includes many components and supports easy integration with third-party products, but primarily represents a platform for web applications. By web application platform, I mean a system for simply creating and configuring intranet portals and their components: pages, input forms, workflows, a search engine, forums, blogs, wiki, etc…
In addition to the intranet, SharePoint applications also allow you to create regular web sites with anonymous access and free registration, as well as extranet solutions. This is also reflected in the SharePoint security system, in particular in the choice of authentication and encryption method.
A distinctive feature of SharePoint is its maximum flexibility in the distribution of rights to create, delete, view objects and other operations. Rights can be granted as a group of users, as well as a specific user and for a particular document. The illiterate distribution of rights to objects can lead to “security holes”, which can lead to system hacking and information loss in the future. Therefore, it is necessary to clearly know and understand how the system of distribution of rights, roles, as well as the purpose and rights of the built-in user groups are organized.
SharePoint is also known for its ability to integrate with third-party applications, systems, databases, which certainly affects the security system. For readability, the article is divided into several parts.
As noted above, an important point is the advance planning of security, competent selection of accounts for services. These issues, as well as a general description of the security architecture will be discussed in the second part of the article.
Often, when setting up security for SharePoint and other systems of a similar level, the focus is on protecting the system from unauthorized access from outside. However, in addition to this, it is worth paying attention to the differentiation of access rights for already authorized users. This topic is discussed in the third part of the article. It explains the basics of SharePoint site security: roles, groups, rights, levels of rights, and describes the standard user groups.
The fourth part of the article will look at the SharePoint Security API. The article will contain examples of code for creating, deleting users, their rights, groups, assigning access rights to objects. The issues of role inheritance and impersonation using code will also be considered.
SharePoint is known for its ability to expand functionality by developing custom descriptions of lists, content types, workflows, forms, and the final web parts. The Internet is full of articles on this issue, but unfortunately only a small part of them covers security issues when developing your own components. The fifth part of the article will try to consecrate this question as precisely as possible. A detailed description of CAS (Code Access Security), levels of trust and Safe Controls will be given. There will also be information about what accounts SharePoint services are launched under (workflows, event listeners, timer jobs).
It would be desirable, however, to note that the article will provide far from all the information on the issue of SharePoint security. Therefore, the text and at the end of each article will provide links to resources where a detailed description of a particular issue can be found.
PS In spite of the “wateriness” of this introduction, subsequent articles will be technical in nature and will be mainly intended for SharePoint administrators of servers and programmers who develop applications for SharePoint and use its API.
Comments, comments and healthy criticism are welcome. Thanks for attention.
Source: https://habr.com/ru/post/78012/
All Articles