Major security breaches expose an organizations sensitive data so make sure you take time to ensure your own SharePoint environment is secure. Storing documents and all the content in SQL Server helps protect it from being stolen, but also keep these things in mind:
- When your site has been configured to use SSL, don’t forget to turn off HTTP (port 80). Make sure this is done in both IIS at the web app site level bindings and also in Alternate Access Mappings in Central Admin.
- For external sites, extend the web app so it uses forms based authentication (FBA) for external users and not Active Directory (AD). On the original web application, continue to use AD authentication. The key element that you want to be sure to setup is within Alternate Access Mappings in Central Admin, configure 2 different DNS entries targeting the respective environment.
- For external users consider and for internal users consider – This will prevent someone from obtaining the domain admin password and getting all the information on your site because the external address does not use AD integrated security.
- Consider using IP restrictions when in IIS. If you know that web traffic is going to be coming from specific IP addresses (a vendor for example), restrict the site to only accept traffic from that IP range.
- Any external access should be done through a DMZ configuration with minimal ports opened on the firewall. TechNet outlines several different topologies that can be configured to support a DMZ environment.
- If your external facing site is configured for anonymous access but allows users to create their own logins consider the following approach:
- Create a page that requests the users e-mail address and other demographic information
- When submitting the information, send an e-mail to the address provided with a link in the body of the e-mail back to a,”create password,” page. You can embed a GUID in the URL so that the receiving page knows the user who is trying to be created.
- The user can then create their password. Upon submission, you now have enough information to create the user in the FBA database.
- Implement a formal governance plan to continually monitor and audit security settings. There are PowerShell scripts and 3rd party tools that can help you.
- Follow Microsoft guidance on the service accounts used to setup a farm. Don’t use the spadmin account for everything. Not only does it open up a lot of potential security breaches if in the wrong hands, it’s not that much extra work to do it right from the start.
- Security by obscurity is not security. When using item level security, don’t think the [Me] filter operator in a view will work, users familiar with WebDav or the REST API can get to the library and see everything. There is a free SharePoint Designer activity on CodePlex that you can use to easily apply the correct security on an item. You can consider using both the [Me] view filter and item level permissions together. At times the SharePoint workflow engine is not as quick as we want it to be. The [Me] view filter gives the appearance that item level security has been applied, but really it’s just a disguise until the workflow actually completes.
To find out more about this or other ways that RSM can assist you with your SharePoint needs, contact our professionals at 800.274.3978 or email us.