
Microsoft Official Course

Module 10

Securing a SharePoint 2013 Deployment

Module Overview

• Securing the Platform
• Configuring Farm-Level Security

Lesson 1: Securing the Platform

• Planning a Secure Deployment
• Hardening a SharePoint Server
• Configuring Ports and Protocols
• Configuring SharePoint and SQL Server to Communicate over Non-Standard Ports
• Configuring Antivirus Settings

Planning a Secure Deployment

• To secure your SharePoint 2013 environment, you need to consider the types of scenarios you need to support:
  • Intranet – internal user access
  • Extranet – external and internal user access
  • Internet – anonymous external user access
• Use the defense in depth principle
  • Multilayered security measures

Hardening a SharePoint Server

• Server security hardening depends on server role
  • Web server
  • Application server
  • Database server
• Primary server hardening measures
  • Shut down non-essential Windows and SharePoint services
  • Configure ports and protocols

Configuring Ports and Protocols

• Securing communications
  • Service application
  • Web server
  • Database server
  • Search server
  • Active Directory and Forefront Identity Manager
• Configuring ports and protocols
  • Windows Firewall with Advanced Security
  • Windows PowerShell
    • Get-SPServiceHostConfig
    • Set-SPServiceHostConfig

Configuring SharePoint and SQL Server to Communicate over Non-Standard Ports

• Configure a SQL Server instance to listen on a non-standard port
  • SQL Server Configuration Manager > SQL Server Network Configuration > Protocols for MSSQLSERVER > TCP/IP > IP Addresses
• Block the standard SQL Server ports
  • Windows Firewall with Advanced Security
  • Secured by default
• Configure a SQL Server client alias
  • SQL Server Configuration Manager > SQL Native Client Configuration > Aliases > New Alias
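The firewall and client-alias steps of this procedure, scripted as an added example that is not part of the course material. It assumes a constructed layout: the SQL Server host is NYC-DB, it has already been set (via Configuration Manager) to listen on TCP 40000, and the alias the farm will use is SPSQL; the firewall rules go on the database server and the alias on the SharePoint server.

```powershell
# Added example (not from the course). Run in an elevated PowerShell session.
# Assumptions (constructed for illustration): SQL Server already listens on
# TCP 40000, the database host is NYC-DB, and the alias name is SPSQL.
$SqlHost = 'NYC-DB'
$SqlPort = 40000        # the non-standard listening port chosen in step 1

# --- On the database server: allow only the new port, block the defaults ---
# Windows Firewall with Advanced Security rules (Windows Server 2012+ cmdlets).
New-NetFirewallRule -DisplayName "SQL Server (TCP $SqlPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $SqlPort -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'Block SQL Server default TCP 1433' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -Action Block
New-NetFirewallRule -DisplayName 'Block SQL Browser UDP 1434' -Direction Inbound `
    -Protocol UDP -LocalPort 1434 -Action Block

# --- On the SharePoint server: create the client alias the same way the
# Configuration Manager GUI does, by writing the ConnectTo registry values.
# Both the 64-bit and the 32-bit (Wow6432Node) keys are written so that every
# client library on the box resolves the alias.
$AliasName  = 'SPSQL'
$AliasValue = "DBMSSOCN,$SqlHost,$SqlPort"   # DBMSSOCN = TCP/IP network library
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo') {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $AliasName -Value $AliasValue `
        -PropertyType String -Force | Out-Null
}

# --- Verify from the SharePoint server (Windows Server 2012 R2 or later):
# the new port should answer and the default port should be refused.
Test-NetConnection -ComputerName $SqlHost -Port $SqlPort
Test-NetConnection -ComputerName $SqlHost -Port 1433
```

The farm then references the alias instead of the host name, for example as the -DatabaseServer value of New-SPConfigurationDatabase, so the port never appears in SharePoint's own configuration.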

Configuring Antivirus Settings

• Only take effect when a compatible antivirus scanner is installed
• Security > General Security > Manage antivirus settings
  • Antivirus settings – control scanning of uploaded and downloaded documents
  • Antivirus time out/antivirus threads – help improve server response times while scanning

Lab A: Hardening a SharePoint 2013 Server Farm

• Exercise 1: Configuring SharePoint and SQL Server to Communicate Over Non-Standard Ports
• Exercise 2: Configuring Firewalls for SharePoint Server Farms

Logon Information
• Virtual machines: 20331B-NYC-DC-10, 20331B-NYC-DB-10, 20331B-NYC-SP-10
• User name: administrator@contoso.com
• Password: Pa$$w0rd

Estimated Time: 35 minutes

Lab Scenario

The IT team at Contoso has created a server farm for an initial deployment of SharePoint Server 2013. The server farm consists of three servers: a domain controller, a SQL Server 2012 server, and a SharePoint 2013 server. Your team has installed SQL Server 2012 and SharePoint Server 2013. You have been assigned to take various steps to improve the security of the server farm. As part of this process, you must configure SharePoint and SQL Server to communicate on non-standard ports. You must also enable and configure firewalls on both the database server and the SharePoint server.

Lesson 2: Configuring Farm-Level Security

• Applying Least Privilege Principles
• Understanding the Delegated Administration Model
• Configuring Blocked File Types
• Configuring Web Part Security
• Configuring Information Rights Management
• Configuring Activity and Security Auditing

Applying Least Privilege Principles

• Provide users with the appropriate level of access, while still preventing inappropriate access
• Grant users the permissions that they require to perform their job task(s) and no more
  • Installation privileges
  • Administration privileges
  • Services
  • Application pools

Understanding the Delegated Administration Model

• Levels of administration
  • Farm, server, service application, web application, site
• Delegating service application–level administration
  • Application Management > Manage service applications > User Profile Service Application > Administrators > Full Control
• Delegating service application feature–level administration
  • Application Management > Manage service applications > User Profile Service Application > Administrators > Feature Permission Level

Configuring Blocked File Types

• Executable files can contain malicious code
• It’s important to control which files can be run or accessed
• Adding blocked file types
  • Central Administration > Security > General Security > Define blocked file types
  • Add new file name extensions to the end of the list

Configuring Web Part Security

• Managing Web Part security
  • Security > General Security > Manage web part security
    • Web Part connections
    • Online Web Part gallery
    • Scriptable Web Parts
• Managing available Web Parts
  • Settings > Site Settings > Web Designer Galleries > Web Parts
  • View, add, delete, edit properties, edit permissions

Configuring Information Rights Management

• IRM overview
• SharePoint permissions and IRM permissions
• Active Directory Rights Management Services (AD RMS)
• Associate AD RMS with farm
• Configure IRM in SharePoint 2013
  • Library Settings > Permissions and Management > Information Rights Management > Information Rights Management Settings > Restrict permissions on this library on download

Configuring Activity and Security Auditing

• Configuring SharePoint auditing
  • Settings > Site settings > Site Collection Administration > Site collection audit settings
  • Configure audit settings:
    • Audit Log Trimming; Documents and Items; Lists, Libraries, and Sites
• Viewing audit reports
  • Settings > Site settings > Site Collection Administration > Audit log reports
  • View auditing reports
    • Content activity, information management policy, security and site settings, custom

Lab B: Configuring Farm-Level Security

• Exercise 1: Configuring Blocked File Types
• Exercise 2: Configuring Web Part Security
• Exercise 3: Implementing Security Auditing

Logon Information
• Virtual machines: 20331B-NYC-DC-10, 20331B-NYC-DB-10, 20331B-NYC-SP-10
• User name: administrator@contoso.com
• Password: Pa$$w0rd

Estimated Time: 30 minutes

Lab Scenario

The IT team at Contoso has now completed the server hardening process for the new SharePoint 2013 deployment. Your next task is to configure various farm-level security settings. To reduce the number of large files on the SharePoint intranet, you must prevent users from uploading images in bitmap (.bmp) or device independent bitmap (.dib) formats. This will force users to upload images in formats with smaller file sizes. To reduce security risks and prevent excessive resource consumption, you must configure Web Part security settings to prevent users from making connections between Web Parts or accessing the Online Web Part Gallery. Finally, to meet the requirements of the audit and compliance team, you must configure site collections to audit certain events, such as file deletions and permission changes.
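The three Lab B exercises (blocked file types, Web Part security, and security auditing from the lesson slides above) expressed as SharePoint Management Shell commands, as an added example that is not part of the course's lab steps. It assumes a constructed web application URL of http://intranet.contoso.com whose root site collection is the one to audit; the property names used are those of the SPWebApplication and SPSite objects rather than the Central Administration labels.

```powershell
# Added example (not from the course). Run in the SharePoint 2013 Management
# Shell as a farm administrator. Assumption (constructed): the web application
# is http://intranet.contoso.com and its root site collection is audited.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url = 'http://intranet.contoso.com'
$wa  = Get-SPWebApplication $url

# Exercise 1: blocked file types. BlockedFileExtensions is the same list that
# Central Administration > Security > Define blocked file types edits.
foreach ($ext in 'bmp', 'dib') {
    if (-not $wa.BlockedFileExtensions.Contains($ext)) {
        $wa.BlockedFileExtensions.Add($ext)
    }
}

# Exercise 2: Web Part security. These properties sit behind
# Security > General Security > Manage web part security.
$wa.AllowPartToPartCommunication           = $false   # no Web Part connections
$wa.AllowAccessToWebPartCatalog            = $false   # no Online Web Part Gallery
$wa.AllowContributorsToEditScriptableParts = $false   # scriptable parts stay locked down
$wa.Update()

# Exercise 3: auditing on the site collection. AuditFlags is a bitmask:
# Delete covers file deletions, SecurityChange covers permission changes.
$site = Get-SPSite $url
$site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::Delete -bor
                         [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
$site.Audit.Update()
# Audit log trimming keeps the audit table from growing without bound
# (retention is in days; 90 is a constructed value, pick what compliance requires).
$site.TrimAuditLog = $true
$site.AuditLogTrimmingRetention = 90

# Review what was applied before signing off the lab.
$wa.BlockedFileExtensions | Where-Object { $_ -in 'bmp', 'dib' }
$site.Audit.AuditFlags
$site.Dispose()
```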

Module Review and Takeaways

• Review Question(s)
