SharePoint – Security Data and Compliance

Live from SharePoint Conference 2012.


Authentication & Authorization

SharePoint supports the following authentication types:

  • Windows
    • NTLM
    • Kerberos
    • Basic
    • Anonymous
    • Digest
  • FBA
    • LDAP
    • SQL
    • ASP.Net membership provider
  • SAML Token based authentication
    • ADFS
    • 3rd party identity provider
    • LDSP
    • Windows Azure Access Control Services
  • OAuth

Authentication means verification of claim; SharePoint do not do authentication.

Authorization means verification of permission; SharePoint do.

So authentication precedes authorization.

Authentication can be broken but not authorization, or at least it’s more complicated.





  • Identity
  • Claim: attribute of the identity
  • Token: binary representation of identity
  • Relying Party (aka RD): users token
  • Secure Token Service (STS): issuer of token


Claims augmentation is the ability to intercept the incoming claims and transform to outgoing claims and/or add additional attribute before output.



OAuth enables user to approve an application to act on their behalf without sharing their user name and password.

It is used only for access token; this is not use for authentication neither used for sign in tokens.

This can be used in a specific site, specific resource or for a defined duration.

Permissions are based on trust and request trust levels as part of the application.

Application types:

  • Cloud hosted (such as Azure)
  • SharePoint hosted
  • Provider hosted (IIS)


OAuth for server to server:

  • compliant service such as Lync or Exchange 2013
  • SharePoint 2013 contains local ‘server to server’ STS
  • Online Services use an instance of Windows Azure ACS for Authentication token


Protecting Content

  • Location based
    • URL Path classification
  • Taxonomy Classification
    • Only show data based on tagged taxonomy
  • Permission based
    • Security Group
    • Role
  • Claims Attribute based
    • user has “x” associated to them
    • custom code solution, this means Claims Augmentation
  • Request Management Service (new to SharePoint 2013)
    • specific blocking based on parameter
  • Encryption
    • RMS
      • Claims based
      • Baseline Security
    • File and drives
      • BitLocker & EFS
      • Protection storage Location Only
    • SQL Encryption
      • Content Database Specific
      • No restoring of database without Private Key


Protecting Infrastructure

Still have prescribed approaches

  • Really based around server roles more than actual server members


At the Edge/Perimeter level

  • Stop to publish Windows loging prompt to the Internet
  • Utilize Firewall technology, such ForeFront TMG/UAG
  • Use multi factor authentication
  • Load balanced the traffic

Protecting the web application

  • Block the standard SQL server ports
  • Configure SQL database instance to listen on a non standard port
  • Configure SQL aliases
    • By pass the actual server name
  • Implement windows firewall policies
  • Implement firewall layer between server layers
  • Run ‘Best Practice Security Analyzer’
  • Utilize GPO
  • Utilize Claims attributes



  • Regulation Requirements
  • Content Compliance
    • Retention Policies
    • Information Audit Policies
    • Site Policies



Who are we protecting against?

  • Staff
  • Vendors
  • Partners
  • Anonymous

Protection is only is goof as what you implement.

Misconfiguration is your number one enemy.

Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.