Follow me on Twitter @AntonioMaio2

Tuesday, March 25, 2014

Webinar: SharePoint Security Risks and Compliance - Best Practices for Governance

Thanks to everyone that attended the webinar I co-presented with Chris Taylor (@ctaylor123) of Trend Micro last week. We had a great audience with some really engaging questions.  For anyone looking for more information on the presentation or to view it again, I've reprinted the webinar abstract, included links to the live recording of the presentation and a link to the slide deck.

Webinar Abstract

Organizations are generating vast amounts of content and, with mobile access, enterprise social collaboration and cloud solutions, employees are sharing information in new ways, continually expanding how we collaborate.  Microsoft SharePoint has become the corporate information hub for most organizations, and SharePoint content is often coming from for both internal employees as well as external partners and clients. 

This presents new risks to organizations like the inadvertent exposure of sensitive information, malware entering the enterprise and regulatory compliance issues.
It’s important to consider if you are protecting yourself against these types of security risks and compliance issues? Is your corporate SharePoint Strategy using the best practices available for information security and governance?

In this live webinar, Antonio Maio, Microsoft SharePoint MVP, and Chris Taylor, Trend Micro Director of Global Product Marketing, will discuss how current shifts in SharePoint utilization can create risks and compliance concerns for even the most veteran users and IT organizations. 

Helpful Links

There were several Microsoft case studies mentioned in the presentation which describe successful Intranet and Extranet deployments of SharePoint.  Here are the links to those case studies:

You can view a live recording of the webinar by visiting: Live Recording.

In a portion of the webinar Chris spoke about Trend Micro's product: Portal Protect for SharePoint.  If you are interested in more information about this product, here are a few links that may be useful:

You can view the slide deck on SlideShare as well, either by visiting the following link SlideShare Presentation or by clicking through the embedded presentation below:

In the spirit of full disclosure, its important to note that the author was not paid to participate in this webinar, nor to review the vendor's product.  The purpose of this webinar and the supplementary information provided is to educate the SharePoint community on real issues and concerns with governance and security in SharePoint and present real-world solutions.

Please let me know if you have any questions, and enjoy!

Saturday, March 8, 2014

Notes from SPC14: Tackling the Challenges of Information Management and Governance

Insights from AIIM president, John Mancini 

Tuesday March 5, 2014, 1:45-3:00pm
Speakers: John Mancini
ITPro Session 
I attended a great session by John Mancini on the research that AIIM (Association of Information and Image Management) has done into how enterprises are tackling the challenges of information and governance given the amount of information, the velocity with which it is growing and the multitude of new ways that information is being accessed.  It was a fantastic session.  Here are my notes. 
At the end of this post, there is a link to the research report that AIIM produced that can be downloaded for free.
  • Why dealing with information chaos is the most significant challenge facing business in the next decade
  • The causes and effects of this disruption
  • What is the current state of SharePoint deployments?
  • What are the business questions you need to ask about content management? 
Information is the World's New Currency!
  • It was the best of times.  It was the worst of times.
  • Gartner: Every budget is an IT budget…
But amidst this opportunity, these are the kinds of things we hear…
  • Our file servers are out of control
  • Nobody can find anything
  • Information is leaking
  • The volume of stuff is in the process of drowning us
  • Maximizing this SharePoint investment is a little different than we though
  • Every time I turn around the business has implemented some new application that we didn't even know about in IT
  • As the CEO I can't believe we are not getting more value out of the money we spend on technology
Welcome to the era of Information Chaos! 
How did we end up here?
  • Consumerization is transforming what users expect from applications and how we deliver them
    • The 4 drivers of consumerization (Forrester)
    • A computer
    • An internet connection
    • Programing language and SDK
    • Friction free platform for distributing and making money 
  • IT always assumed that we control all of this stuff… and for 10 to 15 years we did 
  • We are seeing the extrapolation of consumer services (ex. file sharing services) into the enterprise… 
  • Changing nature of work is forcing organizations to think flat and agile, not hierarchical and slow
    • Approx 100 million people in Americal hold full time jobs
    • 30 millino are engaged and inspired at work
    • 20 million are actively disengaged - these employees who have bosses from hell that make them miserable roam the halls spreading discontent
    • Other 50 million are not engaged - they are just kind of present, but not inspired by their work or their managers
    • Engaged organizations = 147 higher earnings per share compared with their competition
    • Disengaged organizations… 
Managing information chaos - managing the volume, variety and velocity of information and content created by these 3 disruptors… is the business challenge for the decade 
What is the current state of SharePoint deployments?
  • Moving forward the buying decisions are going to be made more and more by the business - by the business leaders
  • Survey done

  • Question…
    • 57% of orgs have half or more as active users
    • 26% less than 1 in 5 are active
    • Larger orgs are still piling on users - 26% increasing rapidly; 11% plateau'ed or reducing 
  • Widespread and rapid adoption at scale means governance must be automated! 
  • Project success - thinking about the scope and depvelopment of your SharePoint ECM project, how would you describe progress?
    • 40% moving forward
    • 6% great success
    • 28% stalled
    • 33% struggling 
  • Driving force
    • 49% driven by IT dept
    • 34% business driven (higher than last year… will increase moving forward)
    • 14% multi-dept steering committee

The governance improvements in SP 2013 and O365 have not yet been properly communicated.
  • this is an opportunity for the channel

Content management is evolving.  We are at a cross roads.  People are starting to ask: What is my process within my ECM platform, within SharePoint, to achieve as many of these boxes as I can?

You can download the full report for free from here:


Friday, March 7, 2014

Notes from SPC14: Authentication and Authorization Infrastructure in Microsoft SharePoint 2013

Wednesday March 5, 2014 10:45-12:00pm
Speaker: Paolo Pialorsi (, MCM, Consultant
ITPro Session

  • Authentication
    • Users authentication
    • Federation
    • Apps authentication
    • Custom claim provider
  • Authorization
    • User's authorization
    • App authorization
    • Server to server (high trust) 

Classic Mode
  • Deprecated!
  • For backwards compatibility only
  • Available only throguh PowerShell - no longer in Central Admin
  • Must Convert-SPWebApplication to migrate to claims


Claims Based
  • Default mode - only mode available in Central Admin
  • The future of authentication in SharePoint… and across the Microsoft stack 

Claims Modes Available/Supported
  • Anonymous
  • Windows - Basic, NTLM, Kerberos
  • Forms based Auth (FBA) - membership API, LDAP Provider, Claims Provider
  • Claims based authentication


Breakdown of claims notation for identity claim - the notation has a specific meaning 

Trusting an external identity provider
  • Windows Azure ACS 2.0
    • Identity provider and security token service
    • Leverages external Identity Providers - MS account, facebook, google, yahoo, ADFS 2.0 or 3.0, Windows Azure AD, customer WS-Federation
    • Free!
    • Protocols: Oauth 3.0, WS-trust, WS-Federation
    • Tokens: SAML 1.1, 2.0, JSON Web Tokens (JWT)


  • In Azure Management Portal > AD  - select Access Control Namespaces
  • Define the identity providers we want to use - will have a Windows Live ID Account provider by default (cannot remove)
    • Select the kind of identity provider: ex. For facebook need application ID, application secret
      • For facebook will need to login to and create an app to get this info
      • Provide the Windows Azure ACS URL to facebook form in order to get app ID and secret
  • Define Relying Party
    • Provide name, realm, return URL
    • Select token format - SP supports SAML 1.1
    • Define token lifetime (seconds to keep token alive)
  • Define Rule Groups
    • Very similar to ADFS claims rules
    • Can use a Generate button to automatically generate rules
  • Can open the Federation XML file that is generated
    • open it, copy the <x509Certificate> section and save it in a text file - save it as .cer file
    • Keep track of the PassiveRequestorEndpoint as well
    • Will need to use these in PowerShell to trust the ACS identity provider you just created 

Federating with Windows Azure ACS
  • When you trust an external IP you get claims
  • Sometimes you need to augment them
  • Sometimes you need to search for them in the peoplepicker
  • Often you need to authorize based on them 

Claims Providers
  • What you need is a claim provider
  • Claims augmentation - custom claims to extend issued security tokens
  • Names resolution (search, resolve, friendly values for claims, people, roles)
  • Available out of the box
    • SPActiveDirectoryClaimProvider
    • SPFormsClaimProvider
    • SPTrustedClaimProvider 

Developing Custom Claim Provider - Quick Overview
  • Inherit from SPClaimProvider: Microsoft.SharePoint.Administration.Claims
  • Implement methods for
    • Name resolution
    • Claims augmentation
    • Support hierarchies
    • Resolve claims
    • Search claims
  • Requires farm level solution (.WSP)
    • Not appropriate for Office 365
  • Leverages a dedicated feature with a receiver: SPClaimProviderFeatureReceiver
  • Must be activated via PowerShell  

DEMO - how a custom claim provider is built
  • Reviewed code sample of creating a custom claim provider - kept the example simple
  • Constructor
  • Setting default properties
  • Override FillClaimsForEntity

App Authentication
  • App Authentication is supported only for CSOM or REST API requests originated by an App! 

  • Internal App Authentication - when an app invokes CSOM/REST API from within an app web and with SAML token for user SharePoint hosted apps use this kind of app authentication
  • Cross domain calls in Cloud hosted apps use this kind of app authentication

External app authentication via Oauth
  • The app invokes CSO/REST API providing an access token signed by Windows Azure ACS
  • The access token can include app and user identity
  • Access token can be an app only identity
  • Is the only model supported by Office 365 

External App Authentication via server to server
  • App involves CSOM/REST API providing an access token signed with a trusted cert 

Oauth Flow

Server to Server (High Trust) Scenario
  • High Trust Not Equal to Full Trust
    • Extension of Oauth
    • Leveraged by apps and infrastructural services (workflow manager, exchange, etc)
    • Can use any user identity
  • Direct Trust Relationship
    • Between SharePoint and the external app/service
    • Based on x509 certs
    • One cert for each app (avoid sharing certs across apps)
    • Can leverage shared certs for trust brokers
  • Available for Provider Hosted Apps
    • Supported by wizard of VS 2012/2013 and Office Developer Tools for VS
    • Configurable using PowerShell

  • Provided example of PowerShell Script 

  • High Trust is NOT SAME as Full Trust!

  • SPUser and SPGroup
    • Almost the same as SP2010
    • Define user or group principals - inherit SPPrincipal
    • You can give explicit permissions (authorization) - target site, lists, libraries, items/folders
    • Authorization leverages permission levels
    • Permission levels are made of permissions
      • Manage lists, add items, edit items, delete items, etc.
  • App Permissions
    • Apps are not users
    • Apps granted permissions on all or nothing basis
    • Performed through the app manifest
    • User installing an app grants/denies permissions during installation
    • If permission request is denied the app will not be installed at all
    • User can only grant permissions they have - must at least be a site owner to install an app
    • Cannot change permissions after assigned - can only remove the app

  • Every app by default has full control over its app web - but no other default permissions
  • Permissions are made of scope and right
  • Permission scopes
    • Site collection, web site, list, tenant, services
    • Permissions applied to a target scope, apply also to all the children of that scope
  • Permission Rights
    • Read-only, write, manage, full control
    • Other specific rights for services 

DEMO - SharePoint 2013 Authorization
  • Define permission levels on site collections
  • Define anonymous access
  • Trusting an App upon installation of that App 

Future of Claims Identity in SharePoint
Sesha Mani - Principal Program Manager SharePoint & Office 365 Cloud Services 

  • Started it in SP2010
  • Improved in SP2013 and made it the default
  • Claims infrastructure is at the core of future investments in SharePoint 

Claims, Oauth, S2S in SharePoint - Roadmap


S2S scenarios Available Out of Box
  • SharePoint to Exchange - eDiscovery, site mailboxes, mysite project tasks sync
  • High resolution photos
  • SharePoint to SharePoint - translation service, hybrid Duet/SAP, Hybrid Search
  • SharePoint to MTW - multi-tenant workflows (MTW)
  • SharePoint to Apps - App Model extensibility
  • SharePoint to Azure media service - SharePoint Video Portal (coming soon)

Microsoft is fully committed to evolving claims within SharePoint and the rest of the platform 

Wrap Up
  • User authentication claims based
  • External Identity Providers
    • ACS, ADFS
    • Custom claim providers for better user experience
  • App Authentication
    • Internal auth
    • External Auth via Oauth
    • External Auth via S2S
  • Authorization
    • SPPrincipal
    • App Principal

Wednesday, March 5, 2014

Notes from SPC14: SharePoint Data Security and Compliance

Wednesday March 5, 2014 9:00-10:15am
Speaker: Liam Cleary
ITPro Session 

Authentication vs Authorization
  • Authentication = verification of claim
  • Authorization = verification of permission
  • Authentication precedes authorization
  • Exception to the rule
    • Anonymous access can leave comments on blog site
    • Anonymous users are already authorized but not authenticated 

  • SharePoint does not perform authentication (domain authenticates you), but it does authorization 

  • SharePoint does this after Authentication
    • Is user member of group?
    • Is user account added to ACL of object?
    • Does user have required attribute?
  • SharePoint only understands what it is told
    • Ex. Just because user logged in at? Does not authorize 

  • SharePoint out of the box is secure!
    • By default it will deny you access 

  • Best approach to authorization
    • Active directory groups
    • Roles from membership and role provider
    • Claims associated to user… can move away from groups

  • First web page request is always anonymous 

  • Classic authorization approach
    • Active directory users and groups
    • Users added to AD groups, AD groups added to SharePoint site groups
  • Single Sign On
    • Web applications set to the same authentication
    • Sites added to intranet zone with auto login enabled
  • People Picker = full name resolution control
  • Specific configuration: none
  • Custom component: none 


Custom Role Provider
  • Classic .NET approach
    • Support local & remote authentication store
    • Web services, remote database calls
  • Single sign on  = custom solution
  • People picker - name resolution control
  • Specific configuration = yes, web.config 

SAML Approach
  • Single Sign On, sites set to require authentication
  • People picker = claim provider needed, otherwise use the default provider with its issues
  • Specific configuration = no (need to use powershell to configure trusted provider and SSL certs)
  • Custom components = yes, welcome control, login control, etc. 

Windows Azure Authentication Process
  • Request web page (anonymous)
  • Send to Azure ACS provider picker
  • Redirect to provider login page
  • Send credentials to provider
  • User authenticated, redirect to Azure ACS
  • Request SAML security token wrapped from provider
  • Validate credentials with STS
  • Send a SAML security token
  • Create SharePoint security token and send page 

Claims Fundamentals
  • Identity - info about a person or object (ad, google, windows live, facebook, etc.)
  • Claim - attributes of the identity(user ID, email, age, etc.)
  • Token - binary of identity, claims and signature
  • Relying Party - users token, SharePoint 

  • Ex. Driver's license has an Identity, Issuer, Claims 

Claims Augmentation
  • Ability to intercept the incoming claims and transform to different outgoing claims
  • Add additional attributes before output is generated
  • Why?
    • Retrieve user attributes from line of business apps
  • Types of augmentation
    • Federation gateway: claim mapping transformation
    • SharePoint: claim mapping transformation
    • Custom claim provider: append claim attributes
  • Definition - enabled users to approve an application without sharing credentials
    • Used only for access token that are then used to retrieve date from SharePoint
    • Not used for sign-in tokens
  • Use of tokens
    • Specific site, resource or for a defined duration
  • User does not reveal credentials or their data 

App Model

  • App Model
    • Used to authorize app requests - facebook type
    • SharePoint Store based using Windows Azure ACS
    • Windows Azure ACS or User defined permission
  • App Permissions
    • Based on "trust" - user must select that they trust it
    • Request trust levels as part of the app
  • App Types
    • Cloud, SharePoint or Provider Hosted 

  • Permissions
    • User permissions
    • App and user permissions
    • App permission
  • Types
    • Server 2 Server - 2 legged approach
    • High trust - SSL certificate (inherent trust for anything using that certificate)
    • Azure ACS - 3 legged approach
  • Man in Middle Attack
    • Fiddler is great for this 

Protecting Content
  • Location based - URL path classification
  • Taxonomy Classification - only show data based on tagged taxonomy
  • Permission based - security groups, roles
  • Claim attribute based - user has "X" associated with them
  • Request Management Service - specific blocking based on parameter 

  • Rights Management - client based, compliments baseline security
  • File and Drive - bit locker and EFS, protection storage location only
  • SQL encryption - content database specific, no restoring of databases without private key 

Protecting Infrastructure - Edge/Perimeter
  • Stop just publishing "Windows Login"
  • Utilize firewall technology
    • UAG
    • Similar firewall technology
  • Multi-factor authentication
    • Certificate services
    • Azure multi-factor services

Protecting Infrastructure: Database
  • Block the standard SQL server ports - makes it a little more difficult for someone to realize they're talking to a SQL box
  • Listen on a nonstandard port
  • Implement Windows Firewall Policies
  • Utilize group policies - implement least privileges 

Protecting Infrastructure: General
  • Implement firewall layers between server layers
  • Run 'best practice security analyzer"
  • Close unused ports (80, 443, UDP 1434, TCP 1433, 25
  • File and printer sharing services
  • Lots more ports to protect, depending on where communication is needed between servers 

Who are you protecting against?
  • Staff, vendors, partners, anonymous users or the kid next door
  • Insider threats
  • Protection is only as good as what you implement
  • Log traffic - review firewall and server logs, authentication traffic is logged extensively
  • Implement alerting mechanism for breaches