Microsoft Corporation Published: April 2009 Author: Microsoft Office System and Servers Team (o12ITdx@microsoft.com)
Abstract
This guide provides planning recommendations for deploying Windows SharePoint Services 3.0 in an extranet environment. It discusses the extranet topologies that are supported and details the hardening requirements for servers within an extranet environment. The audiences for this guide include information architects, IT generalists, and program managers who are planning to make Windows SharePoint Services 3.0 sites accessible from the Internet. The content in this book is a copy of selected content in the Windows SharePoint Services technical library (http://go.microsoft.com/fwlink/?LinkId=81199) as of the publication date. For the most current content, see the technical library on the Web.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. 2009 Microsoft Corporation. All rights reserved. Microsoft, Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer, OneNote, Outlook, PowerPoint, SharePoint, SQL Server, Visio, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
iii
Contents
Planning an Extranet Environment for Windows SharePoint Services.....................................1 Abstract.............................................................................................................................. 1 Contents................................................................................................................................... v Getting Help............................................................................................................................ vii Plan for redundancy................................................................................................................. 1 About redundancy.................................................................................................................... 1 Define server redundancy requirements...................................................................................1 Plan for a limited server deployment........................................................................................ 2 Plan for a minimum level of server redundancy........................................................................3 Four-server farm................................................................................................................ 3 Five-server farm................................................................................................................. 3 Three-server farm.............................................................................................................. 4 Choosing a baseline server farm topology...............................................................................5 Plan front-end Web server redundancy....................................................................................5 Plan search server redundancy................................................................................................ 6 Plan database server redundancy............................................................................................ 6 Select a baseline topology........................................................................................................ 7 Design extranet farm topology.................................................................................................. 8 About extranet environments.................................................................................................... 8 Planning for extranet environments.......................................................................................... 9 Edge firewall topology............................................................................................................ 13 Back-to-back perimeter topology............................................................................................ 14 Split back-to-back topology..................................................................................................... 15 Plan authentication methods.................................................................................................. 17 About authentication............................................................................................................... 17 Supported authentication methods.........................................................................................17 Configure authentication......................................................................................................... 19 Plan authentication for crawling content.................................................................................28 Planning zones for your authentication design.................................................................31 Choose methods of authentication allowed in your environment............................................32 Worksheet.............................................................................................................................. 38 Plan authentication settings for Web applications..................................................................40 Plan authentication settings.................................................................................................... 40 Authentication type........................................................................................................... 40 Anonymous access.......................................................................................................... 41 Client integration.............................................................................................................. 42 v
Settings for ASP.NET forms authentication and Web SSO..............................................46 Plan authentication exclusions............................................................................................... 46 Worksheet.............................................................................................................................. 47 Plan security hardening for extranet environments.................................................................48 Network topology.................................................................................................................... 48 Domain trust relationships...................................................................................................... 49 Communication with server-farm roles...................................................................................52 Communication with infrastructure server roles......................................................................54 Active Directory communication between network domains...................................................55 Plan security hardening for server roles within a server farm.................................................57 About security hardening........................................................................................................ 57 Application server recommendations......................................................................................59 Secure communication with the Microsoft SQL Server database...........................................59 Blocking the standard SQL Server ports..........................................................................60 Configuring SQL Server database instances to listen on a nonstandard port..................60 Configuring SQL client aliases.........................................................................................60 Hardening steps............................................................................................................... 61 File and Printer Sharing service requirements........................................................................65 Service requirements for e-mail integration............................................................................66 Windows SharePoint Services services.................................................................................66 Accounts and groups.............................................................................................................. 67 Web.config file........................................................................................................................ 67 Secure snapshot additions..................................................................................................... 68 Plan security for an external secure collaboration environment..............................................73 Protect back-end servers........................................................................................................ 73 Secure client-server communication.......................................................................................73 Secure the Central Administration site....................................................................................74 Secure design checklist.......................................................................................................... 74 Plan security hardening for server roles.................................................................................75 Plan secure configurations for Windows SharePoint Services features.................................75 Plan security for an external anonymous access environment...............................................76 Protect back-end servers........................................................................................................ 76 Configure anonymous access................................................................................................ 77 Secure the Central Administration site....................................................................................77 Disable incoming e-mail......................................................................................................... 77 Secure design checklist.......................................................................................................... 77 Plan security hardening for server roles.................................................................................78 Plan secure configurations for Windows SharePoint Services features.................................78
vi
Getting Help
Every effort has been made to ensure the accuracy of this book. This content is also available online in the Office System TechNet Library, so if you run into problems you can check for updates at: http://technet.microsoft.com/office If you do not find your answer in our online content, you can send an e-mail message to the Microsoft Office System and Servers content team at: o12ITdx@microsoft.com If your question is about Microsoft Office products, and not about the content of this book, please search the Microsoft Help and Support Center or the Microsoft Knowledge Base at: http://support.microsoft.com
vii
This article describes the options for scaling out redundant server roles included in a Windows SharePoint Services 3.0 farm. After reading this article, you will be able to identify and record the redundancy options that are appropriate for the environment. For more information about availability, see Plan for availability (http://technet.microsoft.com/enus/library/cc748832.aspx).
About redundancy
The term redundancy is often misinterpreted to be synonymous with availability. While these concepts are related, they are not the same. Redundancy refers to the use of multiple servers in a load-balanced environment for any of several purposes, such as to improve farm performance, to scale out to accommodate additional users, and to improve availability. Availability is a more specialized concept that refers to a multiple-server environment that is designed to accept connections and operate normally even when one or more of the servers in the farm are not operational. Therefore, availability implies redundancy, and additionally implies a failover mechanism and several other possible characteristics. A redundant system, however, might not be highly available. This article describes how to implement redundant servers in an Windows SharePoint Services 3.0 farm.
By the end of this section, you will be able to decide if you need to build expandable capacity into the server deployment topology by deploying redundant servers (three or more servers), or if it makes sense for the organization to plan for a limited server deployment that has no redundant servers.
Limited-use purposes include the following: Installing Windows SharePoint Services 3.0 for evaluation purposes. Deploying Windows SharePoint Services 3.0 for a limited purpose (such as for a single department) or for a limited number of users. The recommended starting point for most Windows SharePoint Services 3.0 deployments is at least two server computers: Server 1: Front-end Web server and search server computer Server 2: Dedicated SQL Server computer
If you have determined that you do not require server redundancy in the environment, you can now go to the following article to complete the next planning step: Plan for performance and capacity (http://technet.microsoft.com/en-us/library/cc288124.aspx ). The completion of this 2
planning step will determine the total number of servers recommended for the server deployment plan. You do not need to read the rest of this article.
Four-server farm
The smallest server farm that builds in redundancy consists of four servers: Servers one and two: Web servers. Search is installed on one of the Web servers. Servers three and four: Clustered or mirrored database server.
Five-server farm
The most common redundant server farm topology introduces a middle tier and consists of five server computers. Servers one and two: Web servers. Server three: Search. Servers four and five: Clustered or mirrored database server.
This topology optimizes the performance of the front-end Web server computers by offloading search to a dedicated server computer.
Three-server farm
There is another alternative for deploying fewer servers. With a three server farm, you must choose which of the server roles to make redundant: either the Web server role or the database server role. By adding the third server to the Web tier, you achieve redundancy of the Web server role. The search role can either be installed on either Web server. While availability is limited, this topology increases the overall performance of the small farm. Use this topology when performance is more important than data redundancy.
By adding a third server to the database tier, you can help ensure availability of critical data. Plan to use this small-farm topology when availability of your data is critical but temporary loss of user access is acceptable.
Most organizations require redundancy at the Web tier. There are a small number of scenarios in which a three-server farm with one server running the Web server role makes sense. The next step is to plan which load balancing technology to implement. Windows SharePoint Services 3.0 supports two methods of load balancing: Software, such as Network Load Balancing (NLB) services in the Microsoft Windows Server 2003 operating system. NLB runs on the front-end Web servers, and uses TCP/IP to route requests. Because NLB (and other software load balancing solutions) runs on the frontend Web servers, it uses the front-end Web system resources, and thereby reduces the resources you can use for serving Web pages. However, the impact on system resources is not great, and a software solution can handle up to 32 front-end Web servers. For more 5
information about NLB services in Windows Server 2003, see Network Load Balancing Clusters (http://technet.microsoft.com/en-us/library/cc759510.aspx ). For more information about NLB services in Windows Server 2008, see Network Load Balancing (http://technet.microsoft.com/en-us/library/cc732855.aspx). Hardware, such as a router or a switch box. Load balancing hardware uses the network to direct Web site traffic between the front-end Web servers. Load balancing hardware is more expensive to set up than software, but it does not affect resources on the front-end Web server resources. Windows SharePoint Services 3.0 can be used with any load balancing hardware. We recommend that you set the load balancing affinity to None to improve availability. If you have a custom topology requirement, you may want to configure the affinity differently. Although not recommended, there is a third method of load balancing, round-robin load balancing with Domain Name System (DNS). Round-robin DNS load balancing can use significant resources on the front-end Web servers, is slower than either load balancing software or hardware, and is not recommended for use with Windows SharePoint Services 3.0. Also, roundrobin DNS load balancing does not take session load into account when routing a user to a server, which can lead to a server being overloaded.
The database server role affects the availability of your solution more than any other role. If a Web server or an application server fails, these roles can quickly be restored or redeployed. However, if a database server fails, your solution depends on restoring the database server. This can potentially include rebuilding the database server and then restoring data from the backup media. In this case, you can potentially lose any new or changed data dating back to the last backup job, depending on how SQL Server 2005 is configured. Additionally, the solution will be completely unavailable for the time it takes to restore the database server role.
This article can be used with the following model: Extranet Topologies for SharePoint Products and Technologies (http://go.microsoft.com/fwlink/?LinkID=73153&clcid=0x409 ).
External partners
External partners can participate in business processes and collaborate with employees of your organization. You can use an extranet to help enhance the security of data in the following ways: Apply appropriate security and userinterface components to isolate partners and to segregate internal data. Authorize partners to use only sites and data that are necessary for their contributions. Restrict partners from viewing other partners data. You can optimize processes and sites for partner collaboration in the following ways: Enable employees of your organization and partner employees to view, change, add, and delete content to promote successful results for both companies. Configure alerts to notify users when content changes or to start a workflow.
Customers
Makes sites available to customers: Provide anonymous access to information about your business. Allow clients to log on and participate in a workflow.
Windows SharePoint Services 3.0 provides flexible options for configuring extranet access to sites. You can provide Internet-facing access to a subset of sites on a server farm or make all content on a server farm accessible from the Internet. You can host extranet content inside your corporate network and make it available through an edge firewall, or you can isolate the server farm inside a perimeter network.
Plan network edge technology In each topology, the network edge technology illustrated is one or both of the following products from the Microsoft Forefront Edge suite of products: Microsoft Internet Security and Acceleration (ISA) Server and Intelligent Application Gateway (IAG) 2007. For more information about these Microsoft Forefront Edge products, see the following resources: ISA Server home page (http://go.microsoft.com/fwlink/?LinkId=86495&clcid=0x409 ) Network Concepts in ISA Server 2006 (http://go.microsoft.com/fwlink/? LinkId=86497&clcid=0x409) Intelligent Application Gateway home page (http://technet.microsoft.com/enus/library/cc287908.aspx) Intelligent Application Gateway 2007 technical library (http://technet.microsoft.com/enus/library/cc303240.aspx) Note: You can substitute a different network edge technology. IAG Server provides these additional features: Information leakage prevention: No residues are left on the client computer, and all cache, temporary files, and cookies are deleted. Endpoint, health-based authorization: Administrators can define an access policy that is based not only on the identity of the user and the information that is exposed but also on the condition of the client computer. Access SharePoint sites from Outlook Web Access: Users can access SharePoint sites from links sent in e-mail through Outlook Web Access. IAG provides the link translation for links that refer to internal URLs. Unified portal: Upon logon, IAG presents to each user the list of SharePoint sites and other applications that are available and authorized for that user. The following table summarizes the difference between the servers.
Capability
ISA 2006
IAG 2007
Publish Web applications using HTTPS Publish internal mobile applications to roaming mobile devices Layer 3 firewall Outbound scenarios support Array support Globalization and administration 10
X X
X X
X X X X
X* X*
Capability
ISA 2006
IAG 2007
console localization Wizards and predefined settings to publish SharePoint sites and Exchange Wizards and predefined settings to publish various applications Active Directory Federation Services (ADFS) support Rich authentication (for example, one-time password, forms-based, smart card) Application protection (Web application firewall) Endpoint health detection Information leakage prevention Granular access policy Unified Portal * Supported by ISA, which is included with IAG 2007. Plan for authentication and logical architecture In addition to choosing or designing an extranet topology, you will need to design an authentication strategy and logical architecture to enable access to the intended users outside the internal network and to secure sites and content on the server farm. For more information, see the following articles: Plan for authentication (http://technet.microsoft.com/en-us/library/cc288627.aspx) Logical architecture sample design: collaboration sites (http://technet.microsoft.com/enus/library/cc835621.aspx) Plan domain trust relationships When the server farm is located inside a perimeter network, this network requires its own Active Directory directory service infrastructure and domain. Typically, a perimeter domain and a corporate domain are not configured to trust each other. However, if you configure a one-way trust, in which the perimeter domain trusts the corporate domain, you can use Windows authentication to authenticate both internal and remote employees by using corporate domain credentials. Another option is to authenticate employees using forms authentication or Web single sign-on (SSO). You can also use these methods to authenticate against an internal domain directory service. 11 X X X
X X X
Basic
Full X X X X
The following table summarizes these authentication options and indicates whether a trust relationship is required.
Scenario Description
Windows authentication
If the perimeter domain trusts the corporate network domain, you can authenticate both internal and remote employees by using their corporate domain credentials. You can use forms authentication and Web SSO to authenticate both internal employees and remote employees against an internal Active Directory environment. For example you can use Web SSO to connect to Active Directory Federation Services (ADFS). Using forms authentication or Web SSO does not require a trust relationship between domains. However, several features of Windows SharePoint Services 3.0 might not available, depending on the authentication provider. For more information about features that might be affected when forms authentication or Web SSO is used, see Plan authentication settings for Web applications.
For more information about configuring a one-way trust relationship in an extranet environment, see Plan security hardening for extranet environments. Plan for availability The extranet topologies described in this article are intended to illustrate: Where a server farm is located within an overall network. Where each of the server roles is located within an extranet environment.
This article is not intended to help you plan which server roles you need to deploy or how many servers for each role you need to deploy to achieve redundancy. After you determine how many server farms are required for your environment, use the following article to plan the topology for each server farm: Plan for redundancy.
12
Plan for security hardening After you have designed your extranet topology, use the following resources to plan for security hardening: Plan security hardening for server roles within a server farm Plan security hardening for extranet environments
Advantages Simplest solution that requires the least amount of hardware and configuration. Entire server farm is located within the corporate network. Single point of data: Data is located within the trusted network. Data maintenance occurs in one place.
Single farm used for both internal and external requests ensures that all authorized users view the same content. Internal user requests are not passed through a proxy server.
Disadvantages Results in a single firewall that separates the corporate internal network from the Internet.
13
This topology has the following characteristics: All hardware and data reside in the perimeter network. The server farm roles and network infrastructure servers can be separated across multiple layers. Combining the network layers can reduce the complexity and cost. Each layer can be separated by additional routers or firewalls to ensure that only requests from specific layers are allowed. Requests from the internal network can be directed through the internal-facing ISA server or routed through the public interface of the perimeter network. Advantages Content is isolated to a single farm on the extranet, simplifying sharing and maintenance of content across the intranet and the extranet. External user access is isolated to the perimeter network. If the extranet is compromised, damage is potentially limited to the affected layer or to the perimeter network. By using a separate Active Directory infrastructure, external user accounts can be created without affecting the internal corporate directory. Disadvantages Requires additional network infrastructure and configuration.
14
In the preceding illustration: The search server is hosted inside the perimeter network. This option is illustrated by the blue server inside the dashed line. Search servers can optionally be deployed inside the corporate network, with the database servers. This option is illustrated by the gray server inside the dashed line. If you deploy search servers inside the corporate network with the database servers, you must also have an Active Directory environment to support these servers (illustrated as gray servers inside the corporate network). If the server farm is split between the perimeter network and the corporate network with the database servers located inside the corporate network, a domain trust relationship is required if Windows accounts are used to access SQL Server. In this scenario, the perimeter domain must trust the corporate domain. If SQL authentication is used, a domain trust relationship is not required. For more information about configuring accounts for this topology, see "Domain trust relationships" in the following article: Plan security hardening for extranet environments. To optimize search performance and crawling, place the search server role inside the corporate network with the database servers. You can also add the Web server role to a search server 15
inside the corporate network and configure this Web server for dedicated use by the search role for content crawling. If you place Web servers in the perimeter network and the search role inside the corporate network, you must configure a one-way trust relationship in which the perimeter network domain trusts the corporate network domain. This one-way trust relationship is required in this scenario to support inter-server communication within the farm, regardless of whether you are using Windows authentication or SQL authentication to access SQL Server. Advantages Advantages of the split back-to-back topology include the following: Computers running SQL Server are not hosted inside the perimeter network. Farm components both within the corporate network and the perimeter network can share the same databases. With a separate Active Directory infrastructure, external user accounts can be created without affecting the internal corporate directory. Disadvantages Complexity of the solution is greatly increased. Intruders who compromise perimeter network resources might gain access to farm content stored in the corporate network by using the server farm accounts. Inter-farm communication is typically split across two domains.
16
This article describes the authentication methods that are supported by Windows SharePoint Services 3.0. After reading this article, you will be able to: Understand how authentication is implemented in Windows SharePoint Services 3.0. Identify the authentication methods that are appropriate for your environment.
About authentication
Authentication is the process of validating a user's identity. After a user's identity is validated, the authorization process determines which sites, content, and other features the user can access. In Windows SharePoint Services 3.0, the authentication process is managed by Internet Information Services (IIS). After IIS performs authentication of users, the security features in Windows SharePoint Services 3.0 perform the authorization process. For more information about implementing Windows SharePoint Services 3.0 authorization, see Plan site and content security (http://technet.microsoft.com/en-us/library/cc288189.aspx ). Planning for authentication is important not only to protect your solution by validating users' identities, but also to secure user credentials over the network.
Using two or more methods of authentication for accessing partner applications (for example, connecting to your partner company's identity management system for authenticating partner employees while using Windows authentication methods to authenticate your internal employees). Participating in federated identity management systems. The following table lists the supported authentication methods:
Authentication method Description Examples
Windows
Kerberos (Integrated Windows) NTLM (Integrated Windows) ASP.NET forms Windows SharePoint Services 3.0 adds support for identity management systems that are not based on Windows by integrating with the ASP.NET forms authentication system. ASP.NET authentication enables Windows SharePoint Services 3.0 to work with identity management systems that implement the MembershipProvider interface. You do not need to rewrite the security administration pages or manage shadow Active Directory directory service accounts. Windows SharePoint Services 3.0 supports federated authentication through Web SSO vendors. Web SSO enables SSO in environments that include services running on disparate platforms. You do not need to manage separate Active Directory accounts. Lightweight Directory Access Protocol (LDAP) SQL database or other database Other ASP.NET-based forms authentication solutions
Active Directory Federation Services (AD FS) Other identity management systems
18
Authentication of system accounts ASP.NET forms authentication and Web SSO can be used to authenticate only user accounts. The process accounts used to connect to Microsoft SQL Server database software and run the Web farm must be Windows accounts, even when using alternative methods of authentication to authenticate users. Windows SharePoint Services 3.0 supports SQL Server authentication and local computer process accounts for farms that are not running Active Directory. For example, you can implement local accounts by using identical user names and passwords across all servers within a farm.
Configure authentication
Although configuring Windows authentication is a straightforward process, configuring authentication to use ASP.NET forms or Web SSO requires more planning. This section provides a summary of how authentication is configured in Windows SharePoint Services 3.0. This information will help you understand how to put together an authentication strategy for your solution and determine who in your organization needs to be involved in planning for authentication.
19
Configure authentication for SharePoint Web applications Authentication in Windows SharePoint Services 3.0 is configured at the SharePoint Web application level. The following diagram illustrates a Windows SharePoint Services server farm that is configured to host sites for multiple companies. Authentication is configured separately for each company.
When you initially create or extend a Web application, you are presented with a limited number of authentication options (Kerberos, NTLM, and anonymous). If you are using one of these methods, you can configure authentication when you create or extend the Web application.
20
The following illustration shows the limited authentication choices that are available when you initially create or extend a Web application:
However, if you are using different authentication settings, select the default authentication options, and then configure authentication after the Web application is created or extended. (To do so, in Central Administration, on the Application Management page, in the Application Security section, select Authentication providers, and then click the zone to open the Edit Authentication page.) The settings that are configured on this page depend on the type of authentication that is selected: Windows, forms, or Web SSO.
21
Depending on the authentication choices that you select in Central Administration, additional configuration might be necessary. The following table summarizes the configuration steps based on the authentication method. This table also indicates if specialized roles in addition to SharePoint Administrator are needed.
Authentication method Additional configuration Specialized roles
22
Authentication method
Additional configuration
Specialized roles
Certificates
1. Select Windows authentication in Central Administration. 2. Configure IIS for certificate authentication. 3. Enable Secure Sockets Layer (SSL). 4. Obtain and configure certificates from a certification authority (CA).
None 1. Configure the Web application to use Kerberos authentication. 2. Configure a Service Principal Name (SPN) for the domain user account that is used for the application pool identity (application pool process account). 3. Register the SPN for the domain user account in Active Directory.
Forms
1. Register the membership provider in the Web.config file for the SharePoint Web application. 2. Register the role manager in the Web.config file for the SharePoint Web application (optional). 3. Register the membership provider in the Web.config file for the Central Administration site.
ASP.NET developer
23
Authentication method
Additional configuration
Specialized roles
Web SSO
In addition to configuration steps required for ASP.NET forms authentication, register an HTTP module for the Web SSO provider.
ASP.NET developer
Connect to identity management systems that are external or not based on Windows To use ASP.NET forms or Web SSO to authenticate users against an identity management system that is not based on Windows or that is external, you must register the membership provider in the Web.config file. In addition to registering a membership provider, you can register a role manager as well. Windows SharePoint Services 3.0 uses the standard ASP.NET role manager interface to gather group information about the current user. Each ASP.NET role is treated like a domain group by the authorization process in Windows SharePoint Services 3.0. You register role managers in the Web.config file the same way you register membership providers for authentication. If you want to manage membership user or roles from the Central Administration site, you can optionally register the membership provider and the role manager in the Web.config file for the Central Administration site (in addition to registering these in the Web.config file for the Web application that hosts the content). Ensure that the membership provider name and role manager name that you registered in the Web.config file is the same as the name that you entered in the Central Administration Authentication.aspx page. If you do not enter the role manager in the Web.config file, the default provider specified in the machine.config file might be used instead. For example, the following string in a Web.config file specifies a SQL membership provider: <membership defaultProvider="AspNetSqlMembershipProvider"> For additional information about using ASP.NET forms authentication to connect to a SQL Server authentication provider, see Authentication samples (http://technet.microsoft.com/enus/library/cc288259.aspx). Finally, if you are using Web SSO to connect to an external identity management system, you must also register an HTTP module for the Web SSO. An HTTP module is an assembly that is called on every request made to your application. HTTP modules are called as part of the ASP.NET request pipeline. For more information, see Introduction to HTTP Modules (http://go.microsoft.com/fwlink/?LinkId=77954&clcid=0x409 ).
24
Integrating with ASP.NET forms authentication places additional requirements on the authentication provider. In addition to registering the various elements in the Web.config file, the membership provider, role manager, and HTTP module must be programmed to interact with Windows SharePoint Services 3.0 and ASP.NET methods, as indicated in the following table:
Category Description
Membership provider
To work with Windows SharePoint Services 3.0, the membership provider must implement the following methods: GetUser (String) Windows SharePoint Services 3.0 calls this method to resolve user names during invitations and to get the user's display name. GetUserNameByEmail Windows SharePoint Services 3.0 calls this method to resolve user names in invitations. FindUsersByName, FindUsersByEmail Windows SharePoint Services 3.0 calls these methods to populate the user picker control on the Add Users page. If the membership provider does not return any users, the picker will not function and administrators will need to type the user name or e-mail address in the Add User text box.
Role manager
The role manager must implement the following methods: RoleExists Windows SharePoint Services 3.0 calls this method during invitations to verify that a role name exists. GetRolesForUser Windows SharePoint Services 3.0 calls this method at access check to gather the roles for the current user. GetAllRoles Windows SharePoint Services 3.0 calls this method to populate the group and role picker. If the role provider does not return any groups or roles, the Windows SharePoint Services 3.0 picker will not function and the administrator will need to type the name of the role in the Add User text box.
25
Category
Description
HTTP module
The HTTP module must handle the following events: AuthenticateRequest This event is called when ASP.NET is ready to authenticate the user. The Web SSO module must unpack the user's authentication cookie and set the HttpContext.User object with the identity of the current user. EndRequest This is the last event in the ASP.NET pipeline. This event is called just before returning the code to the client. The Web SSO module must capture 401 responses coming from Windows SharePoint Services 3.0 and turn these into an appropriate 302 redirect for authentication to the Web SSO logon server.
Enabling Anonymous Access You can enable anonymous access for a Web application in addition to configuring a more secure authentication method. With this configuration, administrators of sites within the Web application can choose to allow anonymous access. If anonymous users want to gain access to secured resources and capabilities, they can click a logon button to submit their credentials.
26
Using different authentication methods to access a site You can configure Web applications in Windows SharePoint Services 3.0 to be accessed by up to five different authentication methods or identity management systems. The following figure illustrates a partner application that is configured to be accessed by users from two different identity management systems. Internal employees are authenticated by using one of the standard Windows authentication methods. Employees of the partner company are authenticated against their own company's identity management system.
To configure a Web application to be accessed by two or more different authentication systems, you must configure additional zones for the Web application. Zones represent different logical paths of gaining access to the same physical application. With a typical partner application, employees of a partner company access the application through the Internet, while internal employees access the application directly through the intranet. To create a new zone, extend the Web application. On the Extend Web Application to Another IIS Web Site page, in the Load Balanced URL section, specify the URL and zone type. The zone type is simply a category name applied to the zone and does not affect the configuration of the zone.
27
After extending the Web application, you can configure a separate authentication method for the new zone. The following figure shows the Authentication Providers page for a Web application that is configured by using two different zones. The default zone is the zone used by internal employees. The Internet zone is configured for partner access and uses ASP.NET forms to authenticate partner employees against the partner identity management system.
28
The crawler polls the zones in the following order: Default zone Intranet zone Internet zone Custom zone Extranet zone
The following figure shows the decisions that are made by the authentication system when the crawler attempts to authenticate:
29
The following table describes the actions associated with each callout in the figure:
Callout Action
Crawler attempts to authenticate by using the default zone. Note: The crawler always attempts to use the default zone first when attempting to authenticate for a particular Web application.
If the zone is configured for NTLM, the crawler is authenticated and proceeds to the authorization phase. If the zone is configured for basic, digest, or Kerberos authentication, authentication fails and the crawler does not attempt to authenticate by using another zone. This means the content is not crawled. If there are no more zones in the polling order, authentication fails and the content is not crawled. Crawler attempts to authenticate by using the next zone in the polling order.
If you configure the default zone to use an authentication method that the crawler does not support for example, forms authentication or Web SSO you must create at least one additional zone and configure this zone to use NTLM authentication. Consider the following scenario. Authentication scenario The farm administrator creates a Web application and configures it to use forms authentication. Because the farm administrator wants the content in the Web application to be crawled and indexed, and because she knows that the crawler requires a zone configured with NTLM, the farm administrator extends the Web application and configures the intranet zone to use NTLM. When the crawler attempts to authenticate by using the default zone, the authentication system determines that the crawler and the zone are not configured to use the same authentication method. Because the zone is not configured for basic, digest, or Kerberos authentication and there is at least one additional zone in the polling order, the crawler attempts to authenticate by using the intranet zone. Because the intranet zone is configured to use NTLM and the crawler also uses NTLM, authentication succeeds. 30
In addition to properly configuring the authentication method, you must ensure that the crawler is authorized to crawl content within the Web application. To do this, you must ensure that the credentials used for the content access account have the Full Read permission level or higher on the Web application that you want to crawl. Farm administrators can use the Policy for Web Application page in Central Administration to create a policy that gives the content access account the Full Read permission level on a particular Web application. Crawling host-named site collections The process and rules illustrated in the previous figure do not apply to host-named site collections. This is because host-named site collections are available only through the default zone. If you do not configure the default zone to use NTLM when deploying host-named site collections, you must configure an alternate method for the index component to access content. For more information about crawling host-named site collections that are not configured for NTLM authentication, see the following articles: Prepare to crawl host-named sites that use forms authentication Prepare to crawl host-named sites that use basic authentication
31
Use the Authentication methods worksheet (http://go.microsoft.com/fwlink/?LinkId=77970&clcid=0x409) to identify which authentication methods you are willing to support in your environment and to record your decisions and recommendations for each. This worksheet will be used when planning authentication methods for individual Web applications in Windows SharePoint Services 3.0.
Recommendations for specific security environments Your choice of authentication methods will primarily be driven by the security context of your application. The following table provides recommendations based on the most common security environments:
Environment Considerations
Internal intranet
At a minimum, protect user credentials from plain view. Integrate with the user management system that is implemented in your environment. If Active Directory is implemented, use the Windows authentication methods built into IIS.
32
Environment
Considerations
Configure a separate zone for each partner company that connects to the site. Use Web SSO to authenticate against each partners own identity management system. This eliminates the need to create accounts in your own identity management system and also ensures that contributor identities continue to be maintained and validated by partner employers. If a contributor is no longer employed by a partner company, the contributor cannot continue to gain access to your partner application. Enable anonymous access (no authentication) and allow ReadOnly permissions for users who connect from the Internet. If you want to provide targeted or role-based content, you can use ASP.NET forms authentication to register users by using a simple database of user names and roles. Use the registration process to identify users by role (such as doctor, patient, or pharmacist). When users log on, your site can present content that is specific to the user role. In this scenario, authentication is not used to validate credentials or to limit who can access the content; the authentication process simply provides a method of targeting content.
External anonymous
Recommendations and tradeoffs for authentication methods Understanding the advantages, recommendations, and tradeoffs for each specific authentication method can help you to determine which methods to use in your environment. The following table highlights the recommendations and tradeoffs for each authentication method. For more information about each of the Windows authentication methods supported by IIS, see IIS Authentication (http://go.microsoft.com/fwlink/?LinkId=78066&clcid=0x409 ).
Authentication method Advantages and recommendations Tradeoffs
Windows
Authenticate by using your existing Active Directory accounts. Simplify user management. Take advantage of Active Directory groups when configuring Windows SharePoint Services 3.0 authorization. Avoid writing custom code.
Each of the methods has its own associated pros and cons. Some IIS authentication protocols are not supported by all Web browsers.
33
Authentication method
Tradeoffs
ASP.NET forms
Set up Windows SharePoint Services 3.0 in an environment that does not use Active Directory (does not require Windows accounts). Authenticate against two or more different identity management systems when creating partner applications. Implement a custom authentication scheme using arbitrary criteria. Authenticate users coming from the Internet.
Requires customization of the Web.config file. Subject to replay attacks for the lifetime of the cookie, unless using SSL Transport Layer Security (TLS).
Web SSO
Implement Windows SharePoint Services 3.0 in an environment that uses federated authentication to secure digital identities across organizations and security environments. Implement Windows SharePoint Services 3.0 in an environment that provides SSO to services running on disparate platforms, including environments that do not use Active Directory. Take advantage of AD FS. Authenticate against two or more different identity management systems when creating partner applications.
Requires an existing federated authentication system. Requires customization of the Web.config file. AD FS requires SSL. Other SSO systems might have other requirements.
34
Management of user identity information How user credentials and other identity information is processed and used by Windows SharePoint Services 3.0 can influence your decision about which of the authentication options is best for your intended purpose. This section details how user identity information is processed in the following categories: Binary IDs How user binary identifiers (IDs) are created or used by Windows SharePoint Services 3.0. Caching The process of retaining a user's identity for a period of time to avoid repeating the authentication process for each request. Role and group membership In addition to determining who users are, the authentication process also determines which groups or roles a user belongs to. This information is used during the authorization process to determine which actions a user has permissions to perform. For the purpose of authorization, Windows SharePoint Services 3.0 treats Active Directory groups and ASP.NET roles as the same type of entity. The following table details how Windows SharePoint Services 3.0 manages user binary IDs, cached user data, and role and group membership data depending on which authentication method is used:
Item Windows authentication ASP.NET forms and Web SSO
Binary IDs
Windows SharePoint Services 3.0 uses the Windows security identifier (SID). User credentials are cached and managed by IIS, Internet Explorer, and Windows. Windows maintains the list of Active Directory domain groups the user belongs to in the access token. Windows SharePoint Services 3.0 uses information stored in the access token.
Windows SharePoint Services 3.0 creates a unique binary ID by combining the provider name with the user name. ASP.NET uses an encrypted cookie to keep the user's credentials for the duration of a session. When a role manager is registered, Windows SharePoint Services uses the standard role manager interface to gather group information about the current user. Each ASP.NET role is treated like a domain group by the authorization process. ASP.NET can cache the roles the user belongs to in a cookie, depending on the settings that are configured in the Web.config file.
Caching
35
Management of user accounts Understanding how Windows SharePoint Services 3.0 handles typical user account management tasks can also influence which authentication method you choose. Generally, users who are members of an authentication provider in one zone can manage accounts across all zones as long as they are granted permissions. The information in the following list applies regardless of which authentication method is implemented: Adding and inviting new users You can add or invite a new user from any zone and all authentication methods that are configured if the membership provider and role manager are registered in the current Web.config file. When you add a new user, Windows SharePoint Services 3.0 resolves the user name against the following sources in the following order: The UserInfoList table stored by Windows SharePoint Services 3.0. User information will be in this list if users have already been added to another site. The authentication provider that is configured for the current zone. For example, if a user is a member of the authentication provider that is configured for the default zone, Windows SharePoint Services 3.0 first checks this associated membership provider. All other authentication providers. Deleting users User accounts are marked as deleted in the Windows SharePoint Services 3.0 database. However, the user record is not removed. Some user account management behaviors within Windows SharePoint Services 3.0 differ, depending on the authentication provider. The following table highlights several common user account tasks that differ depending on the authentication method that is implemented:
Task Windows authenticated accounts ASP.NET formsauthenticated and Web SSO-authenticated accounts
Windows SharePoint Services 3.0 validates user identities by using Active Directory.
Windows SharePoint Services 3.0 calls the membership provider and the role manager to verify that the user and roles exists. You must delete the old account name and then add the new account name. Permissions cannot be migrated.
Updated user names are automatically recognized by Windows SharePoint Services 3.0. New entries are not added to the UserInfoList table.
36
Task
Logging on
If Integrated Windows authentication (Kerberos or NTLM) is used and the browser is configured to automatically log on, users do not need to manually log on to SharePoint sites. By default, Internet Explorer is configured to automatically log on to intranet sites. If a logon is required (for example, sites that require a different set of credentials), users are prompted only for a user name and password. However, if basic authentication is used, or the user is using a browser that is not configured to automatically log on, users might be prompted for logon credentials when they access a SharePoint site.
Windows SharePoint Services 3.0 provides a standard logon page for use with forms authentication. This page includes the following fields: user name, password, sign in automatically (to persist the cookie). You can create your own logon page to add additional logon controls (for example, create a new account, or reset password).
Browser support Not all browsers work with each of the authentication methods that are supported. Before selecting authentication methods to allow in your environment, determine which browsers you need to support. Then, determine which authentication methods are supported by the browsers. Internet Explorer works with each of the supported authentication methods. Additional browsers that are supported by Windows SharePoint Services 3.0 include: Netscape 8.0 Netscape 7.2 Mozilla 1.7.12 Firefox 1.5 Safari 2.02
37
Worksheet
Use the following worksheet to record which authentication methods are appropriate for your environment: Authentication methods worksheet (http://go.microsoft.com/fwlink/? LinkId=77970&clcid=0x409) The following table represents an example of a completed worksheet:
Authentication method Allow Don't allow Notes and recommendations
Anonymous Basic Digest Certificates NTLM (Integrated Windows) Kerberos (Integrated Windows) x
x x x x "Use NTLM for all department sites except finance." "Use Kerberos authentication for sites with a high security service level agreement." "Use forms authentication to allow partner company access to sites hosted in the partner extranet. We currently allow authentication against the following identity management systems: Active Directory, LDAP. Work with Sidney Higa to develop authentication settings for use with forms authentication."
ASP.NET forms
38
Authentication method
Allow
Don't allow
Web SSO
"Use this method for partner applications only if a partner company is participating in federated identity management systems. See David Jones for more information."
Additional Notes:"Work with Denise Smith to sign off on all authentication settings for SharePoint Web applications prior to implementing."
39
This article discusses the authentication configuration settings that need to be planned for individual Web applications in Windows SharePoint Services 3.0. Use this article with the Web application authentication settings worksheet (http://go.microsoft.com/fwlink/? LinkID=73334&clcid=0x409.) Complete a separate worksheet for each of the following elements that are a part of your solution design in Windows SharePoint Services 3.0: New or extended Web applications in Windows SharePoint Services 3.0. Additional zones within a Web application (other than the default zone). Include zones that are created for the search account. Use completed worksheets with Deploy and configure SharePoint sites [Windows SharePoint Services].
Authentication type
Select the method that you want to use. If you are planning to allow anonymous access instead of implementing an authentication method listed in this section, select Windows authentication. If you select Windows, specify the Windows authentication method in the IIS Authentication Settings section of the Edit Authentication page. If you select Forms or Web single sign on, the options on the Edit Authentication page change to allow you to enter the membership provider name and the role manager name. 40
If you want to use Certificate authentication or Kerberos authentication, review the following table to identify the additional configuration steps required to configure these methods.
Authentication method Additional configuration Specialized roles
Certificates
1. Select Windows authentication in Central Administration. 2. Configure Internet Information Services (IIS) for certificates. 3. Enable Secure Sockets Layer (SSL). 4. Obtain and configure certificates from a certification authority (CA).
1. Select Kerberos authentication in Central Administration. 2. Configure a Service Principal Name (SPN) for the domain user account that is used for the application pool identity (application pool process account). 3. Register the SPN for the domain user account in Active Directory.
IIS administrator
Worksheet action
Record the additional configuration necessary in the Additional Configuration section of the Web application authentication settings worksheet (http://go.microsoft.com/fwlink/?LinkID=73334&clcid=0x409 ).
Anonymous access
Indicate whether anonymous access is allowed. If you selected Forms or Web single sign-on in the Authentication Type section, select the Enable anonymous access check box. 41
Client integration
You can disable client integration, which removes features that start client applications. This is the optimal configuration for some scenarios, such as publishing read-only content to the Web for anonymous access. Additionally, if you select ASP.NET forms authentication or Web Single SignOn (SSO) authentication, client integration is set to No by default. Notes Client integration is disabled by default when you use forms-based authentication. This is because client integration does not natively support forms-based authentication. You might be able to use many client integration features with forms-based authentication, and there are workarounds available to implement varying levels of client integration functionality with forms-based authentication. However, if published workarounds are inadequate, or if you find unexpected issues using workarounds, we do not provide support and there are no product changes to address these issues. If you plan to use client integration with forms-based authentication, you must fully test any available solutions or workarounds to determine if the performance and functionality are acceptable in your environment. Product Support can provide commercially reasonable support to help you troubleshoot published workarounds. Expected behaviors when client integration is disabled When client integration is disabled, sites behave in the following ways: Links that start client applications are not visible. Documents are opened in the browser. Documents cannot be opened by client applications. Users cannot edit documents on the site directly from the client applications. However, users can download the document, edit the document locally, and then upload the document. The following table lists specific menu commands and features that are not available when client integration is disabled.
Category Command or feature that is unavailable
Toolbars
New document Work in Microsoft Office Outlook Open in Windows Explorer Export to spreadsheet Open with Database Program
Edit in Microsoft Office applications such as Word and Excel. Explorer view Create an Access view
42
Category
Picture libraries
Slide libraries
Other
Behaviors of specific authentication methods In addition to the deployment scenario (such as publishing read-only content), the choice of authentication method might determine how to configure client integration. Some authentication methods behave differently with client applications. In some cases, the behavior depends on whether client browsers are configured to use persistent cookies or session cookies.
43
The following table summarizes the potential behaviors of client integration when used with specific authentication methods.
Authentication method Behavior
Basic
Users are prompted to enter their credentials each time they access a document. Other features might also require that they enter their credentials again. If the following conditions are true, a persistent cookie is created: The authentication provider supports persistent cookies. The user clicks Sign me in automatically when they log in. The persistent cookie is shared by all applications that use the same cookie store and the user can open documents in the client applications. The persistent cookie is created with a default time-out value of 30 minutes. This value can be changed by adding or updating the time-out parameter in the forms node in the Web.config file. For example: <forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" timeout="100" /> When the cookie expires, client integration stops working. If users are in a browser, they will be prompted to re-enter credentials. If the authentication provider does not support persistent cookies or the user did not click Sign me in automatically when they logged in, a session cookie is used. A session cookie is only accessible by the browser. The user will not be able to open document directly in the client applications. If the authentication provider does not provide support for persistent cookies or if persistent cookies are not allowed in your environment, turn off client integration. For example, Active Directory Federation Services (AD FS) does not provide support for persistent cookies.
Anonymous
When opening a document, users are repeatedly prompted for their credentials. If they click Cancel in the authentication dialog box 10 times, the site might open the document by using the client application. Because of this poor experience, it is recommended that client integration be turned off for anonymous access scenarios.
44
Using the Windows Vista operating system with Internet Explorer 7 In Windows Vista, Internet Explorer 7 includes an additional security feature called protected mode. By default, protected mode is enabled for the Internet, Intranet, and Restricted Sites zones. Because this feature places persistent cookies in a location that prevents sharing across applications, client integration does not work as intended. To configure Internet Explorer 7 to work with client integration, do one of the following: Disable protected mode. If protected mode is enabled, add SharePoint sites to the Trusted sites zone in Internet Explorer. For information about disabling protected mode, see "Configuring Protected Mode" in Understanding and Working in Protected Mode Internet Explorer (http://go.microsoft.com/fwlink/? LinkId=78098&clcid=0x409). Testing client integrations settings If you are uncertain about how to configure the client integration setting, test the results in a test environment before deploying sites into production. If this setting is changed after it is applied, sites and client applications might behave unusually.
Worksheet action
On the Web application authentication settings worksheet (http://go.microsoft.com/fwlink/?LinkID=73334&clcid=0x409), in the Enable Client Integration section, select Yes or No.
45
On the Web application authentication settings worksheet (http://go.microsoft.com/fwlink/?LinkID=73334&clcid=0x409 ), enter the following two types of information: Name The name of the membership provider, role manager, and HTTP module (if applicable). These names appear in the Central Administration site. Web.config configuration Paste the appropriate configuration strings into the worksheet. These strings can be copied from the worksheet into the Web.config files when the Web application is deployed. Ensure that the MembershipProvider name and RoleManager name you registered in the Web.config file is the same as the name that you entered in the Central Administration authentication.aspx page. If you do not enter the role manager in the Web.config file, the default provider specified in the machine.config file might be used instead. For example, the following string in a Web.config file specifies a SQL membership provider: <membership defaultProvider="AspNetSqlMembershipProvider"> For more information about requirements for membership providers and role managers, see "Connect to identity management systems that are not based on Windows or that are external" in Plan authentication methods.
46
If you are implementing ASP.NET forms authentication or Web SSO and you plan to add virtual directories below these Web sites, you need to decide whether you want these excluded virtual directories to inherit the ASP.NET forms authentication or Web SSO settings.
Worksheet action
On the Web application authentication settings worksheet (http://go.microsoft.com/fwlink/?LinkID=73334&clcid=0x409), indicate whether excluded virtual directories will be added in IIS beneath the Web site that corresponds to this Web application in Windows SharePoint Services 3.0. If excluded virtual directories will be added, indicate whether authentication settings should be inherited. Use the following procedure to configure IIS so authentication settings are not inherited. Configure IIS so authentication settings are not inherited 1. Add a new IIS virtual directory beneath the IIS Web site that corresponds to the applicable Web application or zone in Windows SharePoint Services 3.0. 2. In IIS Manager, right-click the new virtual directory, and then click Properties. 3. Click the Virtual Directory tab. 4. Click Create (this makes the virtual directory an application). 5. Click Configuration. 6. Select the wildcard application maps, and then click Remove. 7. Click Yes, and then click OK. 8. Create a new Web.config file at the root of the new virtual directory file system path, and add the following entries: <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <configuration> <system.web> <httpModules> <clear /> </httpModules> <httpHandlers> <clear /> </httpHandlers> </system.web> </configuration>
Worksheet
Use the following worksheet to plan and record configuration settings for each of your Web applications in Windows SharePoint Services 3.0. Web application authentication settings worksheet (http://go.microsoft.com/fwlink/? LinkID=73334&clcid=0x409)
47
This article details the hardening requirements for an extranet environment in which a Windows SharePoint Services 3.0 server farm is placed inside a perimeter network and sites are available from the Internet or from the corporate network.
Network topology
The hardening guidance in this article can be applied to many different extranet configurations. The following figure shows an example implementation of a back-to-back perimeter network topology that illustrates the server and client roles across an extranet environment.
The purpose of the figure is to articulate each of the possible roles and their relationship to the overall environment. The Central Administration site can be installed to either a Web server or to the Search server (pictured). The routers illustrated can be exchanged for firewalls.
48
Description
Corporate domain accounts are used for all Windows SharePoint Services 3.0 service and administration accounts, including application pool accounts. A one-way trust relationship, in which the perimeter network trusts the corporate network, is required.
Windows SharePoint Services 3.0 accounts are configured in the following ways: SQL authentication is used for every database that is created. All other administration and service accounts are created as domain accounts in the perimeter network. Web servers and search servers are joined to the perimeter network. A trust relationship is not required but can be configured to support client authentication against an internal domain controller. Note: If search servers reside in the corporate domain, a one-way trust relationship, in which the perimeter network trusts the corporate network, is required.
Setup
Windows authentication
SQL authentication
Services 3.0 administration and service accounts are created in the corporate domain. Web servers and application servers are joined to the perimeter network. A trust relationship is established in which the perimeter domain trusts the corporate domain.
created as SQL login accounts in SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio. These accounts must be created before the creation of any Windows SharePoint Services 3.0 databases, including the configuration database and the SharePoint_AdminContent database. You must use the Psconfig command-line tool to create the configuration database and the AdminContent database. You cannot use the SharePoint Products and Technologies Configuration Wizard to create these databases. In addition to using the -user and -password parameters to specify the server farm account, you must use the -dbuser and -dbpassword parameters to specify SQL authentication accounts. You can create additional content databases in Central Administration by selecting the SQL authentication option. However, you must first create the SQL login accounts in SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio. Secure all communication with the database servers using SSL. Ensure that ports used for communication with SQL Server remain open between the perimeter network and the corporate network
50
Windows authentication
SQL authentication
Additional information
The one-way trust relationship allows the Web servers and application servers that are joined to the extranet domain to resolve accounts that are in the corporate domain.
SQL login accounts are encrypted in the registry of the Web servers and application servers. The server farm account is not used to access the configuration database and the SharePoint_AdminContent database. The corresponding SQL login accounts are used instead.
The information in the preceding table assumes the following: Both the Web servers and the application servers reside in the perimeter network. All accounts are created with the least privileges necessary, including the following recommendations: Separate accounts are created for all administrative and service accounts. No account is a member of the Administrators group on any computer, including the server computer that hosts SQL Server. For more information about Windows SharePoint Services 3.0 accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc288210.aspx). For more information about creating databases by using the Psconfig command-line tool, see Command-line reference for the SharePoint Products and Technologies Configuration Wizard (http://technet.microsoft.com/en-us/library/cc288944.aspx).
51
Callout
Client access (including Information Rights Management (IRM) and search queries), one or more of the following: TCP port 80 TCP/SSL port 443 Custom ports
File and printer sharing service Either of the following: Direct-hosted server message block (SMB) (TCP/UDP 445) Recommended NetBIOS over TCP/IP (TCP/UDP ports 137, 138, 139) Disable if not used
52
Callout
Search crawling Depending on how authentication is configured, SharePoint sites might be extended with an additional zone or Internet Information Services (IIS) site to ensure that the index component can access content. This configuration can result in custom ports. TCP port 80 TCP/Secure Sockets Layer (SSL) port 443 Custom ports
Database communication: TCP/SSL port 1433 (default) for default instance (customizable) TCP/SSL random port for named instances (customizable)
Communication between administrator workstations and Central Administration The Central Administration site can be installed on any Web server or the search server. Configuration changes that are made through the Central Administration site are communicated to the configuration database. Other server roles in the farm pick up configuration changes that are registered in the configuration database during their polling cycles. Consequently, the Central Administration site does not introduce any new communication requirements to other server roles in the server farm. However, depending on which server you deploy the Central Administration site to, be sure to enable access from administrator workstations. The following figure includes the communication from an administrator workstation to the Central Administration site and the configuration database.
53
The following table describes the ports and protocols that are required for communication to and from the Central Administration site.
Callout Ports and protocols
Central Administration site One or more of the following: TCP port 80 TCP/SSL port 443 Custom ports
Database communication: TCP/SSL port 1433 (default) for default instance (customizable) TCP/SSL random port for named instances (customizable)
TCP/UDP 445 (directory services) TCP/UDP 88 (Kerberos authentication) Lightweight Directory Access Protocol (LDAP)/LDAPS ports 389/636 by default, customizable
X X X
X X
X X
The Web servers require the use of LDAP/LDAPS ports only if LDAP authentication is configured.
54
DNS server The following table lists the port requirements for inbound connections from each server role to a Domain Name System (DNS) server. In many extranet environments, one server computer hosts both the Active Directory domain controller and the DNS server.
Item Web Server Search Server Database Server
DNS, TCP/UDP 53
SMTP service E-mail integration requires the use of the Simple Mail Transport Protocol (SMTP) service using TCP port 25 on at least one of the front-end Web servers in the server farm. The SMTP service is required for incoming e-mail (inbound connections). For outgoing e-mail, you can either use the SMTP service or route outgoing e-mail through a dedicated e-mail server in your organization, such as a computer running Microsoft Exchange Server.
Item Web Server Search Server Database Server
TCP port 25
55
When configuring ISA Server B (or an alternate device between the perimeter network and the corporate network), the network relationship must be defined as routed. Do not define the network relationship as Network Address Translation (NAT). For more information about security hardening requirements related to trust relationships, see the following resources: How to configure a firewall for domains and trusts (http://go.microsoft.com/fwlink/? LinkId=83470&clcid=0x409). Active Directory in Networks Segmented by Firewalls (http://go.microsoft.com/fwlink/? LinkID=76147&clcid=0x409)
56
Use this article to plan server farm security. The tasks in the article are appropriate for the following security environments: Internal IT hosted External secure collaboration External anonymous access
The categories of security settings that are methodically prescribed in Securing Your Web Server (http://go.microsoft.com/fwlink/?LinkId=73705&clcid=0x409 ) are detailed in the following figure.
Additionally, each of the three guides includes a secure snapshot and a list of recommended security settings for either the specific server role or for the network. The snapshot lists are organized by categories that correspond to security settings illustrated in the preceding figure. The security design and hardening guidance provided in this article is based on the guidance published in these three guides. This guidance assumes that you will use these guides as a baseline for securing and hardening your server farm. This article describes the exceptions or additions to the snapshots that are recommended for your environment. These are detailed in table format by using the same categories and order as the three security guides. This format is intended to make it easy to identify and apply specific recommendations as you use the guides. The guide Deployment for Windows SharePoint Services 3.0 Technology (http://go.microsoft.com/fwlink/?LinkId=76140&clcid=0x409 ) includes instructions for applying specific security guidance that is not covered in the patterns & practices security guides. The nature of server-to-server communication within a server farm and the specific features provided by Windows SharePoint Services 3.0 are the primary reasons for specific hardening recommendations. This article also describes how key communication channels and Windows SharePoint Services 3.0 features affect security requirements.
58
59
60
To connect to an instance of SQL Server 2000, you install the SQL Server client tools on the target computer and then configure the SQL client alias. You install these by running Setup for SQL Server and selecting SQL Server Client Tools. To connect to an instance of SQL Server 2005, you install SQL Server client components on the target computer and then configure the SQL client alias by using SQL Server Configuration Manager. To install SQL Server client components, run Setup and select only the following client components to install: Connectivity Components Management Tools (includes SQL Server Configuration Manager)
SQL Server client components work with SQL Server 2000 and can be used instead of the SQL Server client tools.
Hardening steps
Configure SQL Server
Configure a SQL Server 2000 instance to listen on a nondefault port Use SQL Server Network Utility to change the TCP port that is used by an instance of SQL Server 2000. 1. On the SQL Server computer, run SQL Server Network Utility. 2. On the Instance(s) on this server menu, select the instance. Ensure that you have selected the intended instance. By default, the default instance listens on port 1433. Named instances of SQL Server 2000 are assigned a random port number, so you might not know the current port number assigned to a named instance when you run SQL Server Network Utility. 3. In the Enabled Protocols pane on the right side of the SQL Server Network Utility interface, click TCP/IP, and then click Properties. 4. In the Network Protocol Default Value Setup dialog box, change the TCP port number. Avoid using any of the well-known TCP ports. For example, select a higher-range port number, such as 40000. Do not select the Hide Server check box. 5. Click OK. 6. In the SQL Server Network Utility dialog box, click OK. You will receive a message indicating that the change will not take effect until the SQL Server service is restarted. Click OK. 7. Restart the SQL Server service and confirm that your SQL Server computer is listening on the port you selected. You can confirm this by looking in the event viewer log after restarting the SQL Server service. Look for an information event similar to the following event: Event Type:Information Event Source:MSSQLSERVER Event Category:(2) 61
Event ID:17055 Date:3/6/2008 Time:11:20:28 AM User:N/A Computer:computer_name Description: 19013: SQL Server listening on 10.1.2.3: 40000 Configure a SQL Server 2005 instance to listen on a nondefault port Use SQL Server Configuration Manager to change the TCP port that is used by an instance of SQL Server 2005. 1. Use SQL Server Configuration Manager to change the TCP port that is used by an instance of SQL Server 2005. 2. On the SQL Server computer, open SQL Server Configuration Manager. 3. In the left pane, expand SQL Server 2005 Network Configuration. 4. Under SQL Server 2005 Network Configuration, click the corresponding entry for the instance that you are configuring. The default instance is listed as Protocols for MSSQLSERVER. Named instances will appear as Protocols for named_instance. 5. In the right pane, right-click TCP/IP and click Properties. 6. Click the IP Addresses tab. For every IP address assigned to the SQL Server computer, there is a corresponding entry on this tab. By default, SQL Server is listening on all IP addresses assigned to the computer. 7. To globally change the port that the default instance is listening on, perform the following: a. For each IP except IPAll, clear all values for both TCP dynamic ports and TCP Port. b. For IPAll, clear the value for TCP dynamic ports. In the TCP Port field, enter the port that you want the instance of SQL Server to listen on. For example, enter 40000. 8. To globally change the port that a named instance is listening on, perform the following: a. For each IP including IPAll, clear all values for TCP dynamic ports. A value of 0 for this field indicates that SQL Server uses a dynamic TCP port for the IP address. A blank entry for this value means that SQL Server 2005 will not use a dynamic TCP port for the IP address. b. For each IP except IPAll, clear all values for TCP Port. c. For IPAll, clear the value for TCP dynamic ports. In the TCP Port field, enter the port that you want the instance of SQL Server to listen on. For example, enter 40000. 9. Click OK. You will receive a message indicating that the change will not take effect until the SQL Server service is restarted. Click OK. 10. Close SQL Server Configuration Manager.
62
11. Restart the SQL Server service and confirm that the SQL Server computer is listening on the port you selected. You can confirm this by looking in the event viewer log after restarting the SQL Server service. Look for an information event similar to the following event: Event Type:Information Event Source:MSSQL$MSSQLSERVER Event Category:(2) Event ID:26022 Date:3/6/2008 Time:1:46:11 PM User:N/A Computer:computer_name Description: Server is listening on [ 'any' <ipv4>50000]
63
Note: For more information about using Internet Protocol security (IPsec) to secure communication to and from your SQL Server computer, see the Microsoft Knowledge Base article 233256: How to Enable IPSec Traffic Through a Firewall (http://go.microsoft.com/fwlink/?LinkId=76142&clcid=0x409 ).
64
Services Protocols
File and Printer Sharing Named pipes that use directhosted SMB Disable NBT
Requires use of named pipes. Named pipes can use NBT instead of direct-hosted SMB. However, NBT is not considered as secure as directhosted SMB. Used by direct-hosted SMB.
Ports
For more information about disabling NBT, see the Microsoft Knowledge Base article 204279: Direct hosting of SMB over TCP/IP (http://go.microsoft.com/fwlink/?LinkId=76143&clcid=0x409 ).
65
SMTP service E-mail integration requires the use of the SMTP service on at least one of the front-end Web servers in the server farm. The SMTP service is required for incoming email. For outgoing e-mail, you can either use the SMTP service or route outgoing email through a dedicated e-mail server in your organization, such as a Microsoft Exchange Server computer. Microsoft SharePoint Directory Management Service Windows SharePoint Services 3.0 includes an internal service, the Microsoft SharePoint Directory Management Service, for creating e-mail distribution groups. When you configure e-mail integration, you have the option to enable the Directory Management Service feature, allowing users to create distributions lists. When users create a SharePoint group and they select the option to create a distribution list, the Microsoft SharePoint Directory Management Service creates the corresponding Active Directory directory service distribution list in the Active Directory environment. In security-hardened environments, the recommendation is to restrict access to the Microsoft SharePoint Directory Management Service by securing the file associated with this service, which is SharePointEmailws.asmx. For example, allow access to this file by the server farm account only. Additionally, this service requires permissions in the Active Directory environment to create Active Directory distribution list objects. The recommendation is to setup a separate organizational unit in Active Directory for SharePoint objects. Only this organizational unit should allow write access to the account used by the Microsoft SharePoint Directory Management Service.
66
If your environment disallows services that run as a local system, you can consider disabling the Windows SharePoint Services Administration service only if you are aware of the consequences and can work around these. This service is a Win32 service that runs as a local system. This service is used by the Windows SharePoint Services Timer service to perform actions that require administrative privileges on the server, such as create IIS Web sites, deploy code, and stop and start services. If you disable this service, you cannot run deployment-related tasks from the Central Administration site. You will need to use the Stsadm.exe command-line tool and run the execadminsvcjobs command to complete multi-server deployments for Windows SharePoint Services 3.0 and to run other deployment-related tasks.
Web.config file
The .NET Framework, and ASP.NET in particular, uses XML-formatted configuration files to configure applications. The .NET Framework relies on configuration files to define configuration options. The configuration files are text-based XML files. Multiple configuration files can, and typically do, exist on a single system. System-wide configuration settings for the .NET Framework are defined in the Machine.config file. The Machine.config file is located in the %SystemRoot%\Microsoft.NET\Framework\ %VersionNumber%\CONFIG\ folder. The default settings that are contained in the Machine.config file can be modified to affect the behavior of applications that use the .NET Framework on the whole system. For recommendations about configuring Machine.config files, see Securing Your Web Server (http://go.microsoft.com/fwlink/?LinkId=73705&clcid=0x409 ). You can change the ASP.NET configuration settings for a single application if you create a Web.config file in the root folder of the application. When you do this, the settings in the Web.config file override the settings in the Machine.config file. When you extend a Web application by using Central Administration, Windows SharePoint Services 3.0 automatically creates a Web.config file for the Web application. The Secure snapshot additions section later in this article lists recommendations for configuring Web.config files. These recommendations are intended to be applied to each Web.config file that is created, including the Web.config file for the Central Administration site. For more information about ASP.NET configuration files and editing a Web.config file, see ASP.NET Configuration (http://go.microsoft.com/fwlink/?LinkID=73257&clcid=0x409 ).
67
All
No additional recommendations
Securing your Web server snapshot additions The following table describes recommendations for securing your Web server additions.
Component Characteristic
Services
Enable: File and Printer Sharing World Wide Web Publishing Service Windows SharePoint Services Administration Windows SharePoint Services Search Windows SharePoint Services Timer Windows SharePoint Services Tracing Windows SharePoint Services VSS Writer
Protocols
Disable:
68
Component
Characteristic
Accounts
If the Microsoft Directory Management Service is enabled as part of e-mail integration, configure your Active Directory environment to allow write access to the account used by the Microsoft Directory Management Service (the server farm account). For additional guidance on configuring accounts, see Plan for administrative and service accounts (Windows SharePoint Services) for Windows SharePoint Services 3.0 account requirements and recommendations.
If e-mail integration is enabled and the Directory Management Service feature is turned on, restrict access to the Microsoft SharePoint Directory Management service by securing the file associated with this service: SharePointEmailws.asmx. For example, allow access to this file only to the server farm account. No additional recommendations Open TCP/UDP port 445.
Shares Ports
If UDP port 1434 is blocked on the SQL Server computer and databases are installed on a named instance, configure a SQL client alias for connecting to the named instance. If TCP port 1433 is blocked on the SQL Server computer and databases are installed on the default instance, configure a SQL client alias for connecting to the named instance. Ensure that ports remain open for Web applications that are accessible to users. Block external access to the port used for the Central Administration site. Registry Auditing and logging IIS Sites and virtual directories Script mappings ISAPI filters If using SSO, edit the registry to configure static RPC. If log files are relocated, ensure that the log file locations are updated to match. See guidance for IIS below. No additional recommendations No additional recommendations No additional recommendations
69
Component
Characteristic
IIS metabase .NET Framework Machine.config: HttpForbiddenHandler Machine.config: Remoting Machine.config: Trace Machine.config: compilation Machine.config: customErrors Machine.config: sessionState Code access security
No additional recommendations See guidance for .NET Framework below. No additional recommendations No additional recommendations No additional recommendations No additional recommendations No additional recommendations No additional recommendations Ensure that you have a minimal set of code access security permissions enabled for your Web application. (The <trust> element in Web.config for each Web application should be set to WSS_Minimal (where WSS_Minimal has its low defaults as defined in 12\config\wss_minimaltrust.config) or your own custom policy file, which is minimally set.) No additional recommendations No additional recommendations
LocalIntranet_Zone Internet_Zone
70
Component
Characteristic
Web.config
Apply the following recommendations to each Web.config file that is created after running Setup: Do not allow compilation or scripting of database pages via the PageParserPaths elements. Ensure <SafeMode> CallStack=""false"" and AllowPageLevelTrace=""false"". Ensure that the Web Part limits around maximum controls per zone is set low. Ensure that the SafeControls list is set to the minimum set of controls needed for your sites. Ensure that your Workflow SafeTypes list is set to the minimum level of SafeTypes needed. Ensure that customErrors is turned on (<customErrors mode=""On""/>). Consider your Web proxy settings as needed (<system.net>/<defaultProxy>). Set the upload.aspx limit to the highest size you reasonably expect users to upload (default is 2 GB). Performance of can be affected by uploads greater than 100 MB.
Securing your database server snapshot additions The following table describes recommendations for securing your database server additions.
Component Characteristic exception
No additional recommendations No additional recommendations Manually remove unused accounts regularly. No additional recommendations No additional recommendations Block UDP port 1434. Consider blocking TCP port 1433.
No additional recommendations No additional recommendations See guidance for SQL Server settings below. 71
Component
Characteristic exception
SQL Server security SQL Server logins, users, and roles SQL Server database objects
72
Security guidance for an external secure environment is targeted to hosting content in an extranet for the purpose of collaborating on content with contributors who do not have general access to your corporate network. This environment allows external partners to participate in a workflow or to collaborate on content together with employees of your organization. There are several unique recommendations for an external secure collaboration environment. Some of these recommendations might not be practical for all solutions.
Require certificates on client computers. SSL can be implemented without requiring client certificates. You can increase the security of external collaboration by requiring certificates on all client computers. Use IPsec. If client computers support IPsec, you can configure IPsec rules to achieve a greater level or granularity of security compared with SSL.
[]
Logical architecture [] [] Block access to the Central Administration site and configure SSL for this site. Secure SSP administration sites by configuring these sites with SSL, by hosting these sites in a dedicated Web application, and by configuring a policy to deny external access to these sites.
74
Ports IIS
Block external access to the port for the Central Administration site. Restrict SiteData.asmx (the crawler SOAP service) to allow only the index server (or other crawlers) to access it.
Authentication
Use SSL for authenticated users. This does not apply to the anonymous user who is browsing the site. Use security policy to cap external users permission (create deny policies to limit what external users can do).
Authorization
75
Security guidance for an external anonymous access environment is targeted to allow anonymous access to content while protecting back-end servers in the farm from direct user access or malicious actions targeted through front-end Web servers. In an environment where multiple farms might be deployed to support authoring, staging, and publishing, the guidance for this environment is intended for the published farm (the farm that is anonymously accessed by users). There are several unique recommendations for an external anonymous access environment. Some of these recommendations might not be practical for all solutions.
76
Enable anonymous access only for Web applications that require unauthenticated access. If you want to use authentication for personalization, implement forms authentication by using a simple database authentication provider.
[]
77
Logical architecture [] Enable anonymous access only for Web application zones that host sites or site collections that are configured to allow anonymous access. For more information, see Plan authentication methods. [] [] Use SSL to secure content deployment. Block access to the Central Administration site and configure SSL for the site.
Block external access to the port for the Central Administration site. Disable SMTP. If you are configuring a dedicated front-end Web server for indexing, configure IIS to restrict SiteData.asmx (the crawler SOAP service) to allow only the index server (or other crawlers) to access it.
78