The document outlines best practices for securing a SharePoint environment across five layers: infrastructure, data, transport, edge, and rights management security. It provides details on configuring services accounts, enabling encryption of SQL databases, implementing Kerberos authentication, and using Active Directory rights management to restrict access to content.

1. Michael Noel, CCO

2. Thank you to our sponsors

3. Great to be back in Beautiful Australia!

4. • 1: Infrastructure Security
• Physical Security
• Best Practice Service Account Setup
• Kerberos Authentication
• 2: Data Security
• Role Based Access Control (RBAC)
• Transparent Data Encryption (TDE) of SQL Databases
• 3: Transport Security
• Secure Sockets Layer (SSL) from Client to Server
• IPSec from Server to Server
• 4: Edge Security
• Inbound Internet Security (Forefront UAG)
• 5: Rights Management

5. Layer

6. Service Account Name Role of Service Account Special Permissions
COMPANYABCSRV-SP-Setup SharePoint Installation Account Local Admin on all SP Servers (for installs)
COMPANYABCSRV-SP-SQL SQL Service Account(s) – Should be separate
admin accounts from SP accounts.
Local Admin on Database Server(s)
(Generally, some exceptions apply)
COMPANYABCSRV-SP-Farm SharePoint Farm Account(s) – Can also be
standard admin accounts. RBAC principles apply
ideally.
N/A
COMPANYABCSRV-SP-Search Search Account N/A
COMPANYABCSRV-SP-Content Default Content Access Account Read rights to any external data sources to
be crawled
COMPANYABCSRV-SP-Prof Default Profiles Access Account Member of Domain Users (to be able to read
attributes from users in domain) and
‘Replicate Directory Changes’ rights in AD.
COMPANYABCSRV-SP-AP-SPCA Application Pool Identity account for SharePoint
Central Admin.
DBCreator and Security Admin on SQL. Create
and Modify contacts rights in OU used for mail.
COMPANYABCSRV-SP-AP-Data Application Pool Identity account for the
Content related App Pool (Portal, MySites, etc.)
Additional as needed for security.
N/A

7. • When creating any Web Applications, USE KERBEROS. It is
much more secure and also faster with heavy loads as the SP
server doesn’t have to keep asking for auth requests from
AD.
• Kerberos auth does require extra steps, which makes people
shy away from it, but once configured, it improves security
considerably and can improve performance on high-load
sites.
• Should also be configured on SPCA Site! (Best Practice =
Configure SPCA for NLB, SSL, and Kerberos (i.e.
https://spca.companyabc.com)

8. • Use the setspn utility to create Service Principle
Names in AD, the following syntax for example:
• Setspn.exe -A HTTP/mysite.companyabc.com
DOMAINNAMEMYSiteAppAccount
• Setspn.exe -A HTTP/mysite DOMAINNAMEMYSITEAppAccount
• Setspn.exe -A HTTP/home.companyabc.com
DOMAINNAMEHOMEAppAccount
• Setspn.exe -A HTTP/sp DOMAINNAMEHOMEAppAccount

9. • Use setspn to create SPNs for SQL Service Account
• SPNs need to match the name that SharePoint uses
to connect to SQL
• Syntax similar to following:
• Setspn.exe -A MSSQLSvc/spsql:1433 COMPANYABCSRV-SQL-DB
• Setspn.exe –A MSSQLSvc/spsql.companyabc.com:1433
COMPANYABCSRV-SQL-DB
• MSSQLSvc = Default instance, if named instance, specify the
name instead
• In this example, SRV-SQL-DB is the SQL Admin account

10. • Required only for Excel
Services and other
impersonation applications.
• On all SP Computer
accounts and on the
Application Identity
accounts, check the box in
ADUC to allow for
delegation.
• In ADUC, navigate to the
computer or user account,
right-click and choose
Properties.
• Go to the Delegation tab
• Choose Trust this
user/computer for delegation
to any service (Kerberos)

11. • Go to Application Management
• Choose the appropriate Web
Application – click Authentication
Providers
• Click on the link for ‘Default’
under Zone
• Change to Integrated Windows
Authentication – Negotiate /
Kerberos)
• Run iisreset /noforce from the
command prompt
• If creating Web App from scratch,
this step may be unnecessary if
you choose Negotiate from the
beginning

12. Layer

13. • Role Groups defined within Active Directory
(Universal Groups) – i.e. ‘Marketing,’ ‘Sales,’ ‘IT,’ etc.
• Role Groups added directly into SharePoint ‘Access
Groups’ such as ‘Contributors,’ ‘Authors,’ etc.
• Simply by adding a user account into the associated
Role Group, they gain access to whatever rights their
role requires.
User1
User2
Role
Group
SharePoint
Group

14. • SQL Server Enterprise Edition
Feature
• Encrypts SQL Databases
Transparently, SharePoint is unaware
of the encryption and does not need
a key
• Encrypts the backups of the
database as well

15. • Does not encrypt the Communication Channel (IPSec
can be added)
• Does not protect data in memory (DBAs could
access)
• Cannot take advantage of SQL 2008 Backup
Compression
• TempDB is encrypted for the entire instance, even if
only one DB is enabled for TDE, which can have a
performance effect for other DBs
• Replication or FILESTREAM data is not encrypted
when TDE is enabled (i.e. RBS BLOBs not encrypted)

16. Key and Cert Hierarchy
SMK encrypts the DMK for master DB
Service Master KeySQL Instance Level
DPAPI Encrypts SMK
Data Protection API (DPAPI)Windows OS Level
DMK creates Cert in master DB
Database Master Keymaster DB Level
Certificate Encrypts DEK in Content DB
Certificatemaster DB Level
DEK used to encrypt Content DB
Database Encryption KeyContent DB Level

17. • Symmetric key used to protect private keys
and asymmetric keys
• Protected itself by Service Master Key
(SMK), which is created by SQL Server
setup
• Use syntax as follows:
• USE master;
• GO
• CREATE MASTER KEY ENCRYPTION BY PASSWORD =
'CrypticTDEpw4CompanyABC';
• GO

18. • Protected by the DMK
• Used to protect the database encryption
key
• Use syntax as follows:
USE master;
GO
CREATE CERTIFICATE CompanyABCtdeCert
WITH SUBJECT = 'CompanyABC TDE
Certificate' ;
GO

19. • Without a backup, data can be lost
• Backup creates two files, the Cert backup and the Private
Key File
• Use following syntax:
USE master;
GO
BACKUP CERTIFICATE CompanyABCtdeCert TO FILE =
'c:BackupCompanyABCtdeCERT.cer'
WITH PRIVATE KEY (
FILE = 'c:BackupCompanyABCtdeDECert.pvk',
ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!' );
GO

20. • DEK is used to encrypt specific database
• One created for each database
• Encryption method can be chosen for
each DEK
• Use following syntax:
USE SharePointContentDB;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert
GO

21. • Data encryption will begin after running
command
• Size of DB will determine time it will take,
can be lengthy and could cause user
blocking
• Use following syntax:
USE SharePointContentDB
GO
ALTER DATABASE SharePointContentDB
SET ENCRYPTION ON
GO

22. • State is Returned
• State of 2 = Encryption Begun
• State of 3 = Encryption Complete
• Use following syntax:
USE SharePointContentDB
GO
SELECT *
FROM sys.dm_database_encryption_keys
WHERE encryption_state = 3;
GO

23. • Step 1: Create new Master Key on Target Server (Does not need to
match source master key)
• Step 2: Backup Cert and Private Key from Source
• Step 3: Restore Cert and Private Key onto Target (No need to
export the DEK as it is part of the backup)
USE master;
GO
CREATE CERTIFICATE CompanyABCtdeCert
FROM FILE = 'C:RestoreCompanyABCtdeCert.cer'
WITH PRIVATE KEY (
FILE = 'C:RestoreCompanyABCtdeCert.pvk'
, DECRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!'
)
• Step 4: Restore DB

24. Layer

25. • External or Internal Certs highly
recommended
• Protects Transport of content
• 20% overhead on Web Servers
• Can be offloaded via SSL
offloaders if needed
• Don’t forget for SPCA as well!

26. • By default, traffic between
SharePoint Servers (i.e. Web and
SQL) is unencrypted
• IPSec encrypts all packets sent
between servers in a farm
• For very high security scenarios
when all possible data breaches
must be addressed

27. Layer

30. Layer

31. • AD RMS is a form of Digital Rights Management
(DRM) technology, used in various forms to
protect content
• Used to restrict activities on files AFTER they
have been accessed:
• Cut/Paste
• Print
• Save As…
• Directly integrates with SharePoint DocLibs

32. • Select Cluster Key Storage
• CSP used for advanced scenarios

35. • By default, RMS server is configured
to only allow the local system
account of the RMS server or the
Web Application Identity accounts
to access the certificate pipeline
directly
• SharePoint web servers and/or Web
Application Service Accounts need
to be added to this security list
• Add the RMS Service Group, the
machine account(s) of the
SharePoint Server and the Web App
Identity accountswith Read and
Excecute permissions to the
ServerCertification.asmx file in the
%systemroot%inetpubwwwroot_w
mcsCertification folder on the RMS
server

36. • RMS-enabled client, when accessing
document in doclib, will access RMS
server to validate credentials

37. • Effective
permissions can
be viewed from
the document
• The RMS client
will enforce the
restrictions

38. • Determine Security Risk for your SharePoint
Environment
• Identify any Regulatory Compliance
Requirements for SharePoint
• Determine which aspects of SharePoint need
to be secured, touching on all five layers of
SharePoint Security

39. Michael Noel
Company Site: http://www.cco.com
Twitter: http://twitter.com/michaeltnoel
LinkedIn: http://linkedin.com/in/michaeltnoel
Facebook: http://facebook.com/michaelnoel
Slides: http://slideshare.net/michaeltnoel
Travel blog: http://sharingtheglobe.com

40. Thank you to our sponsors