Strategies for securing SharePoint in the Windows enterprise

Stephen Cummins

Requires Free Membership to View

When it comes to securing SharePoint Server, decisions are best made during the planning stages of SharePoint deployment because it's difficult to retroactively apply security policies. SharePoint security strategies should focus on three key areas: access control, application security and content security.

Access control
The main way to secure SharePoint is through access control. SharePoint allows users to create and manage their own groups, but there are ways to control them. The IT department can create Active Directory roles within SharePoint groups so only those authorized to use AD management tools can grant and change access permissions.

Centralized access management leads to greater control and more efficiency, but it also slows users from creating their own structures and granting access to them. A practical compromise is to control access to top-level department sites and enterprise-wide sites from Active Directory and IT, but to have areas in SharePoint where users can create ad hoc sites and grant access to them themselves.

More on SharePoint

Integrating document management systems into Microsoft SharePoint 2007

Using SharePoint search in the enterprise

These areas would then be managed using policies and quotas. For example, if a SharePoint site is not accessed for 90 days, the administrator would be asked to keep or delete it. Those sites can also have size quotas where administrators would be notified by email if they reach 80% of capacity; and no more content can be added when they reach 100%.

Application security
Application security policies protect against denial of service attacks and anything that might compromise the performance or stability of the SharePoint Server platform. For the first layer of protection, during installation, apply the principles of least privilege to the service accounts SharePoint uses to run the application. . To complete this process follow the steps outlined in TechNet's Plan for administrative and service accounts (Office SharePoint Server).

Note: SharePoint Server can be added to and customized since it is, at its core, an ASP.NET application. There are many ways code or markup changes can interfere with the system. Clear policies at the start will ensure that SharePoint remains as secure as possible. Once again, apply the principles of least privilege here. Custom code needs execute permission to run and this is a high level of privilege. There are three ways to provide this level of privilege.

  1. You could edit the virtual server's web.config file from minimal to medium or full. This is not recommended, as it allows too much latitude to the code.
  2. You can install the assemblies in the GAC. This provides very high privileges, but there is no way to control what the code can and cannot do. The solution is custom policy files, which are difficult to implement but are the most secure way to deploy assemblies. To learn more about code access security, review Microsoft Windows SharePoint services and code access security.
  3. You can use SharePoint Designer, which is a free productivity tool that has many benefits, but it can create security headaches because sites can become inaccessible. It can, however, be locked down at a number of levels by removing specific permissions within SharePoint.

Content security
Securing SharePoint's content requires having policies that dictate how, where and who can publish and share content and for what audience. For example, some companies may restrict employees from having blogs as a way of controlling how they share sensitive information with the public.

While policy restrictions may make it clear to employees that unauthorized sharing is prohibited, you may want to be more proactive by creating channels that do allow information to be shared, but in a way that means it is vetted and approved first. To create channels that restrict viewing before content is approved, use approval workflows. Note: While "audiences" can be defined to target what content can be viewed, they do not secure it. Anyone can still access information as long as he or she has the appropriate access rights.

Remember, business conditions and circumstances change all the time, so security policies must be reviewed and improved regularly to keep in step with business needs. SharePoint allows users and developers to be in control. They need clear rules that allow maximum freedom and that maintain security, stability and, most important, performance.

Stephen Cummins, founder of www.spsfaq.com, is a SharePoint consultant and has been a SharePoint MVP (Most Valuable Professional) for the past seven years. He lives in Kildare, Ireland with his wife, daughter, two dogs and an ever-changing number of goldfish.

This was first published in May 2009

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.