SharePoint Security – Five Golden Rules
SharePoint Security is an often ignored issue , many users and admins focus on optimizing SharePoint for performance and convenience to the detriment of security. To kick off our SharePoint security series we present the four golden rules for ensuring the security of your SharePoint site/farm, we will dive into greater depth on security in future article but these are the high level rules to get started with.
Rule 1 : Never open anonymous connections from the Internet to your local network unless necessary.
Opening your SharePoint site for anonymous access is an open invitation to script kiddies and hostile bots/worms that are designed to track you down and load your site with spam and trojans. In the title I said “unless necessary” – which really means NEVER EVER. Of course, there are still SharePoint sites and services available from the internet for regular, anonymous users – but they just need to be opened to the world using a more complex setup (see Rule 2).
Rule 2 : For Internet-enabled SharePoint sites, use a dedicated Web-Front SharePoint server that will be placed in Demilitarized Zone (DMZ).
A DMZ Zone is a network segment that is directly connected to the firewall. This is a more secure way of sharing a SharePoint application with the world. It’s still not a perfect solution, but at least you are not opening up your entire local network. For more on the using SharePoint in a DMZ please refer to this article.
This solution is still vulnerable to Denial of Service (DoS) attacks but placing SharePoint in a DMZ Zone limits the surface area of any attack.
Rule 3 : If you are opening a SharePoint site to the public internet – use Microsoft TMG Firewall as a proxy.
This should be considered a golden rule for all deployments of corporate sites. Microsoft Forefront TMG’s primary security feature is a firewall which inspects network traffic and filters out malware, attempts to exploit security vulnerabilities and content which does not match a predefined security policy.
TMG can also boost performance through compression and caching.
Rule 4 : Use SSL for all Extranet Sites, consider SSL for Intranet Sites.
In the past using SSL with IIS was a tricky and involved a large performance penalty. These issues have largely been addressed in IIS7 (see Install an SSL Certificate on IIS 7 for details on how to get started).
SSL ensures that your data is encrypted when it is sent from the end-user to SharePoint Front-End. Although it can be overkill in some circumstances (since 100% of the data is encrypted when all you may want is to prevent a packet sniffer hijacking a user’s account) SSL is still the primary protection against nefarious users accessing user data which is transmitted over the internet.
Rule 5 : Ensure all Updates and Patches are Applied the OS.
The recent ASP.NET security vulnerability may have highlighted this issue, but it has always been a security best practice to ensure that the OS and any parts of the stack that SharePoint runs are fully patched with the latest updates. For more on security of ASP.NET check out ASP.NET Security Best Practices.