Live from SharePoint Conference 2012.
Authentication & Authorization
SharePoint supports the following authentication types:
- Windows
  - NTLM
  - Kerberos
  - Basic
  - Anonymous
  - Digest
- FBA
  - LDAP
  - SQL
  - ASP.NET membership provider
- SAML token based authentication
  - ADFS
  - 3rd party identity provider
  - LDSP
  - Windows Azure Access Control Services
- OAuth
Authentication means verification of a claim; SharePoint does not do authentication.
Authorization means verification of permission; SharePoint does.
So authentication precedes authorization.
Authentication can be broken, but not authorization, or at least it's more complicated.
Claims
Fundamentals:
- Identity
- Claim: attribute of the identity
- Token: binary representation of identity
- Relying Party (aka RP): uses the token
- Secure Token Service (STS): issuer of the token
Claims augmentation is the ability to intercept the incoming claims and transform them into outgoing claims and/or add additional attributes before output.
OAuth
OAuth enables a user to approve an application to act on their behalf without sharing their user name and password.
It is used only for access tokens; it is not used for authentication, nor for sign-in tokens.
This can be scoped to a specific site, a specific resource, or a defined duration.
Permissions are based on trust; the application requests trust levels as part of its definition.
Application types:
- Cloud hosted (such as Azure)
- SharePoint hosted
- Provider hosted (IIS)
OAuth for server to server:
- Compliant services such as Lync or Exchange 2013
- SharePoint 2013 contains a local 'server to server' STS
- Online services use an instance of Windows Azure ACS for the authentication token
Protecting Content
- Location based
  - URL path classification
  - Taxonomy classification
    - Only show data based on tagged taxonomy
- Permission based
  - Security group
  - Role
- Claims attribute based
  - User has "x" associated to them
  - Custom code solution, this means claims augmentation
- Request Management Service (new to SharePoint 2013)
  - Specific blocking based on parameter
- Encryption
  - RMS
    - Claims based
  - Baseline security
    - Files and drives
      - BitLocker & EFS
      - Protects the storage location only
  - SQL encryption
    - Content database specific
    - No restoring of the database without the private key
Protecting Infrastructure
There are still prescribed approaches:
- Really based around server roles rather than actual server members
At the edge/perimeter level
- Stop publishing the Windows logon prompt to the Internet
- Utilize firewall technology, such as Forefront TMG/UAG
- Use multi-factor authentication
- Load balance the traffic
Protecting the web application
- Block the standard SQL Server ports
- Configure the SQL database instance to listen on a non-standard port
- Configure SQL aliases
  - Bypass the actual server name
- Implement Windows Firewall policies
- Implement a firewall layer between server tiers
- Run the 'Best Practice Security Analyzer'
- Utilize GPO
- Utilize claims attributes
Compliance
- Regulation Requirements
- Content Compliance
- Retention Policies
- Information Audit Policies
- Site Policies
Protection
Who are we protecting against?
- Staff
- Vendors
- Partners
- Anonymous
Protection is only as good as what you implement.
Misconfiguration is your number one enemy.