SharePoint 2010 : Securing a SharePoint Farm

• Farm administrators group

• Service account configurations

• Approve/reject distribution groups

• Configure information rights management

• Configure information management policies

1. Farm Administrators Group

Members of the farm administrators group have pervasive, complete access to all settings and content in the farm. Nearly all network operating systems and platforms have at least one account or group that has full and complete access to configuration settings and content. SharePoint is no different. Be careful about who you allow into this group, because they will have full access to all content hosted in the farm.

Note:

SECURITY ALERT Be sure that anyone who is placed in this group has undergone a security background check and has proven (as much as is reasonably possible) that he or she is a trustworthy individual. Remember, there are two elements from which developers can never protect their code: untrustworthy administrators and unwise administrators. Those who can’t (or shouldn’t) be trusted and those who make unwise decisions in their administration of an operating system or platform should not be entrusted with full administrative rights to SharePoint farms.

By default, the account under which SharePoint was installed, the BUILTIN\Administrators, and the application pool account for the Central Administration website are automatically members of the farm administrators group. You’ll need to log in with one of these three accounts to add additional accounts to the farm administrators group.

Service accounts are used to proxy user requests to the service and receive back the output from the service. For example, when a user makes a call for a document in a library, the call between the user and the Web front-end server (WFE) is made within the security context of the user. But when the WFE connects to the SQL database to retrieve the content, that call is made within the security context of the application pool account. By using this architecture, the user is unable to connect directly to the information stored in the SQL server, because those databases will not talk directly with the user’s account—they will only talk with the application pool account.

Service accounts can be configured to secure transmissions between the WFE and service applications. Best practice would be to create a separate account for each service, thereby isolating the calls between the service applications and the WFE servers in unique security contexts.

3. Approving or Rejecting Distribution Groups

When a group in SharePoint is configured to receive e-mail messages, that configuration must be approved by a farm administrator before the group’s e-mail functionality is enabled. This can be thought of as a security feature, because the farm administrator can decide which SharePoint groups should and should not receive e-mail messages. Because there is a chance that a group’s e-mail alias will match another distribution group in your e-mail system, the SharePoint farm administrator should have a method available to check that the requested e-mail alias for a group does not conflict with existing aliases. You might see this happen, for example, when users from different sites use the default security groups for e-mail distribution lists. In addition, because e-mail messages can contain viruses, it is good for someone on the IT team to be involved in the approval of a distribution group.

Information rights management (IRM) is really about privacy, not security. But most people think of this feature as a security feature, so it is included in this section. The reason you should think of IRM as more about privacy than security is because IRM concerns itself with what a user can do with the information (or document) after the information has been accessed. For example, Joe might have full-control permissions to a document library, but after accessing the library and opening a document, Joe might not be able to print that document due to the IRM settings on the document.

SharePoint is agnostic about IRM settings. It preserves whatever settings are set on the document but doesn’t really care if IRM settings exist or not. If you want to introduce IRM across a plethora of documents and other content items in your SharePoint farm, however, you’ll need to configure IRM at the farm level.

Information management policies are designed to help you apply configurations to information uniformly. These policies are created first at the farm level, but they are applied at the content type or list level. If the policy contains configuration choices, those choices are selected and applied at the content type or list level as well. The four policies that ship with SharePoint 2010 include Labels, Barcodes, Auditing, and Retention.

5.1. Labels

Labels give you the ability to add metadata labels in a document. At the farm level, you can either enable or disable (decommission) this policy. Decommissioning the policy will remove it from availability throughout your farm; it is enabled by default. If you don’t disable the Label policy at the outset of your deployment and users utilize this policy in some of their documents, when you decommission the policy, it will still be available in those documents that are currently utilizing it. However, it will not be available for new documents.

As a security measure, labels are indexed and can potentially cause sensitive information to appear in the results set if a document isn’t properly secured. Although this is a potential problem for any document, labels might make this problem more sensitive if your information design is built around finding documents through keyword metadata.

5.2. Barcodes

For some reason, barcodes seem to be a point of confusion for a number of SharePoint administrators and users. The only thing barcodes do is allow you to track a physical document based on the barcode that is in it. This can be a security enhancement if you scan the document’s barcode and associate that with a biometric identifier of the person who has control of the document. Barcodes can also allow you to track the location of the physical document in the workflow at any time.

5.3. Retention

Retention policies allow you to enforce end-of-use phases for documents and list items that are hosted in your SharePoint farm. At the farm level, you simply ensure that that policy is either enabled or disabled. But the policy itself is rich in configuration values and can make sure that you limit your exposure to liability if your organization is involved in a legal matter by ensuring that only up-to-date and official documents are available during the discovery process.

A thorough use of retention policies allows you to ensure that no old data exists in your SharePoint farm. One of the most common complaints about file servers is that they are hosting duplicative, outdated, and irrelevant content. Many administrators feel that well over 50 percent of the documents on their file servers could be classified in one or more of these three categories. Merely moving this content to SharePoint doesn’t resolve this issue unless you do the following.

• Create disposition and end-of-life policies for the various types of documents and list items you will host in your SharePoint 2010 farm.

• Create content types for each of the various types of documents and list items and use the Microsoft Metadata Services Content Type Syndication feature to push out these content types to the site collections in your farm.

• As part of creating the content types, enforce retention policies for your content at the content type layer and ensure that the proper workflows are associated and in place in each site collection that will host each content type with a retention policy.

To be sure, it takes a lot of effort up front to comply with these suggestions by creating the proper content types, retention policies, and end-of-life policies for your documents. But the payoff later will be tremendous, both in terms of disposition compliance and in your ability to limit your organization’s exposure to liability through the eDiscovery processes.

Real World: eDiscovery, SharePoint, and Security

A topic that is closely related to security is eDiscovery, which is any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. This includes, but is not limited to, computer forensics, e-mail archiving, online review, and proactive management. The emergent eDiscovery field augments legal, constitutional, political, security, and personal privacy issues.

eDiscovery was part of a formal amendment to the Federal Rules on Civil Procedure and was released on December 1, 2006. These rules complicate data storage and exposure to liability for every organization in the United States. The main point is that if you have a reasonable expectation that you will ever be involved in a legal dispute, even as a third party, you have a duty to preserve evidence that might be germane to that proceeding. This means that your IT and legal departments will need to work together more often and more closely.

The plain truth is that most companies are not ready for an eDiscovery process. For example, 57 percent of law firms surveyed said that their clients are not ready to find and produce information relevant to litigation, and 39 percent of in-house counsel reported that their companies are not prepared for eDiscovery.^[20]

As part of your litigation readiness review, you should have your legal team specify which documents and records would be needed in an eDiscovery process and what the retention times should be for those records. Detailing this information is time consuming and can create an upfront cost, but the cost of not finding the right information or not finding all of the right information can cost your organization much more in a legal battle, both in terms of fines and in terms of a judgment. Utilizing the retention policies in SharePoint can lessen the administrative burden for ensuring that documents are both preserved for the right amount of time and purged after that time has expired.