The main way to secure SharePoint is through access control. SharePoint allows users to create and manage their own groups, but there are ways to control them. The IT department can create Active Directory roles within SharePoint groups so only those authorized to use AD management tools can grant and change access permissions.
Centralized access management leads to greater control and more efficiency, but it also slows users down when they want to create their own structures and grant access to them. A practical compromise is to control access to top-level department sites and enterprise-wide sites from Active Directory and IT, but to have areas in SharePoint where users can create ad hoc sites and grant access to them themselves.
These areas would then be managed using policies and quotas. For example, if a SharePoint site is not accessed for 90 days, the administrator would be asked to keep or delete it. Those sites can also have size quotas: administrators would be notified by email when a site reaches 80% of capacity, and no more content can be added once it reaches 100%.
Application security policies protect against denial of service attacks and anything that might compromise the performance or stability of the SharePoint Server platform. For the first layer of protection, during installation, apply the principle of least privilege to the service accounts SharePoint uses to run the application. To complete this process, follow the steps outlined in TechNet's Plan for administrative and service accounts (Office SharePoint Server).
- You could change the trust level in the virtual server's web.config file from minimal to medium or full. This is not recommended, as it allows too much latitude to the code.
- You can install the assemblies in the GAC. This gives the code very high privileges, and there is no way to control what it can and cannot do. The solution is custom policy files, which are difficult to implement but are the most secure way to deploy assemblies. To learn more about code access security, review Microsoft Windows SharePoint Services and Code Access Security.
- You can use SharePoint Designer, which is a free productivity tool that has many benefits, but it can create security headaches because sites can become inaccessible. It can, however, be locked down at a number of levels by removing specific permissions within SharePoint.
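The trust-level options in the list above can be checked mechanically. The following is an added example, not code from the article or from Microsoft: a small Python audit that reads a web application's web.config and reports whether the trust level is still minimal, has been raised, or points to a custom policy file. The sample XML, the `WSS_Custom` name and the policy file names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment; file names are placeholders.
SAMPLE_RAISED = """<configuration><system.web>
  <securityPolicy>
    <trustLevel name="WSS_Medium" policyFile="wss_mediumtrust.config" />
    <trustLevel name="WSS_Minimal" policyFile="wss_minimaltrust.config" />
  </securityPolicy>
  <trust level="Full" originUrl="" />
</system.web></configuration>"""

# Same file switched to a custom policy (WSS_Custom is a hypothetical name).
SAMPLE_CUSTOM = SAMPLE_RAISED.replace(
    '<trust level="Full"', '<trust level="WSS_Custom"'
).replace(
    "</securityPolicy>",
    '<trustLevel name="WSS_Custom" policyFile="wss_custom.config" />'
    "</securityPolicy>",
)

RAISED = {"wss_medium", "full"}  # the levels the article advises against


def audit_trust(web_config_xml):
    """Classify the code access security trust setting of one web.config."""
    root = ET.fromstring(web_config_xml)
    trust = root.find("./system.web/trust")
    level = trust.get("level") if trust is not None else None
    if not level:
        # With no <trust> level set, ASP.NET runs the application at Full.
        return ("raised", "no trust level set, ASP.NET default is Full")
    if level.lower() == "wss_minimal":
        return ("ok", "WSS_Minimal")
    if level.lower() in RAISED:
        return ("raised", f"{level} grants more than custom code should need")
    # Any other name must map to a policy file declared in <securityPolicy>.
    declared = {
        t.get("name", "").lower(): t.get("policyFile")
        for t in root.findall("./system.web/securityPolicy/trustLevel")
    }
    policy_file = declared.get(level.lower())
    if policy_file:
        return ("custom", f"{level} -> {policy_file}: review its permission sets")
    return ("invalid", f"{level} has no matching <trustLevel> entry")


if __name__ == "__main__":
    for name, xml in (("raised", SAMPLE_RAISED), ("custom", SAMPLE_CUSTOM)):
        print(name, audit_trust(xml))
```

Assemblies installed in the GAC run with full trust regardless of this setting, so they have to be inventoried separately.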
Securing SharePoint's content requires having policies that dictate how, where and who can publish and share content and for what audience. For example, some companies may restrict employees from having blogs as a way of controlling how they share sensitive information with the public.
While policy restrictions may make it clear to employees that unauthorized sharing is prohibited, you may want to be more proactive by creating channels that do allow information to be shared, but in a way that means it is vetted and approved first. To create channels that restrict viewing before content is approved, use approval workflows. Note: While "audiences" can be defined to target what content can be viewed, they do not secure it. Anyone can still access information as long as he or she has the appropriate access rights.
Remember, business conditions and circumstances change all the time, so security policies must be reviewed and improved regularly to keep in step with business needs. SharePoint allows users and developers to be in control. They need clear rules that allow maximum freedom and that maintain security, stability and, most important, performance.
Stephen Cummins, founder of www.spsfaq.com, is a SharePoint consultant and has been a SharePoint MVP (Most Valuable Professional) for the past seven years. He lives in Kildare, Ireland with his wife, daughter, two dogs and an ever-changing number of goldfish.
This was first published in May 2009