Monday, December 14, 2009

SharePoint Security. Part 1. Introduction

When our company involved into SharePoint development as Security consultants or when we asked to improve legacy system we very often shocked by the level of security of that systems and by the implementation efforts applied to it. Sometimes it seems that all we are working in trust environment where everyone is a saint and there is no thefts, corruptions and other sins.
We prepared the series of articles which should help in security implementation and design in SharePoint portals. This is only the first one from this series.

A little bit about problems

Anyone who develops enterprise level system at least once knows how high is the security requirements and importance of the security in such a systems. These applications usually works as central storage for documents, information, materials etc. And it doesn’t matter what the system type is (CRM, ERP, ECM) . Depending on it we just can understand different  means of one term “information”
  • — Information about employees ;
  • — Clients contact information;
  • — Agreements and other important documents;
  • — Reports and statistics;
  • — Financial information;
  • - add your type of information here…
But anyway access to this information by unauthorized parties could lead to very serious consequences. We  won’t consider all aspects of the security and won’t consider security from theoretical point of view. We jus stop on the following tasks of the security: unauthorized access prevention, integrity and accessibility, - and consider their practical applications in SharePoint.
These seems to be evident and clear things, everyone understand the importance of security in enterprise-level systems, but as practice shown security of developed systems leaves much to be desired.  And we can see several reasons for this.
First and the most evident cause is a complexity of these systems determined by there scale. And the weakest point of such systems are links and interoperations between its parts. It’s a first place where we should look at, because we need to create and configure accounts, distribute permissions, setup ciphering etc. And in the most of cases we miss something.
Moreover, systems of such a scale are tightly integrated with components of OS and third-party programs. This requires even more knowledge supported by experience from administrators who install and maintain the system, and from, developers who implement it. 
Second cause from our point of view is a lack of security planning. And unfortunately just a few people think under this problem. But it is very important. Huge amount of problems in security are caused by that circumstances that people start looking at the problem after the system development. The one of the most often scenarios we saw was when  after installation integrator left security settings by default, despite on the fact they satisfy requirements of any particular organization very rarely. Every case needs separate detailed consideration not only from functional but also from security point of view. That’s why security analysis is also a vital and important part of any enterprise-level system development.
SharePoint is an enterprise platform, thus themes we have touched upon earlier are related to it.

…and more about solutions and plans for the future

Information in these articles cold be applied to the following versions of Share Point: Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0.
Security in SharePoint is implemented on several logical levels (in Microsoft’s articles we can often meet the term ‘defense-in-depth’). For creation of sterling and safe portals and applications it’s strongly necessary to understand security system on every level.
That’s why we decided to split security information into several parts:
First, this, article is a long introduction into the problem.
As we discussed earlier it’s very important to plan security as early as possible, to choose services accounts right, to understand and know security architecture. These questions will be discussed in the second article.
Very often when enterprise systems are developed much time is spared to secure a system from external unauthorized access. At the same time it’s necessary to pay attention to right permissions distribution. This will be discussed in the third article. Also we will explain some security basics as: roles, groups, permissions, permission levels, detailed description of built-in groups.
In the forth article we will consider SharePoint Security API. Article will contain examples of how to create, remove permissions, users etc. Also we will consider questions of rights inheritance and impersonation.
SharePoint is well known by its extensibility through custom lists descriptions, custom types, workflows, forms and web parts. There is a huge amount of articles about all these possibilities. But, unfortunately only a few of them consider implementation of security during custom components development. Fifth article will elucidate this question: CAS (Code Access Security), trust levels and Safe Controls. Also we will consider Service accounts information and under what accounts SharePoint services (such as workflows, event listeners, timer jobs) are running.
We are open to your questions and will try to consider them in future articles and share our experience in SharePoint security development.
P.S. Despite on “wateriness” if this article all the rest parts will have technical character and will be intended to SharePoint administrators and developers.
P.P.S. This and coming articles are mostly written by Alexander Grishanov – our main Security Specialist. Many thanks to him!

kick it on
Vote on DZone:

No comments: