Wednesday, May 15, 2013

SharePoint Summit 2013 - Best Practices for Security in Microsoft SharePoint 2013

Thanks to everyone that attended my session yesterday afternoon in Toronto at the SharePoint Summit 2013.  I had a packed room for the last session of the day, so a big thank you to everyone for sticking around. You can find the presentation I gave here:

Best Practices for Security in Microsoft SharePoint 2013

There were some great questions at the end of the session, in particular around anonymous access to SharePoint sites, and one that I could not answer well on permissions related to SharePoint Apps (related to the new App Model in SharePoint 2013).

Permissions for SharePoint 2013 Apps

I did a bit of reading and research today into how permissions work for SharePoint Apps in the new App Model.  A few quick points to know are:
  • An app for SharePoint requests the permissions that it needs during installation from the user who is installing it.
  • A developer must request, through the app manifest file, the permissions that the particular app needs to be able to run.
  • An app must be granted permissions by the user who is executing the app.
  • Users can grant only the permissions that they have.
  • The user who installs the app must grant all the permissions that an app requests or not grant any permission. The user can grant an app all or nothing in terms of the permissions requested.
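Since the installing user must grant everything the manifest asks for or nothing, it is worth reading the AppPermissionRequests before trusting an app. This is an added example, not code from the post or from Microsoft: a small C# review tool over a constructed sample AppManifest.xml (the manifest element, attribute names and scope URIs are as I know the SharePoint 2013 app manifest schema, and the parser matches on local names so it does not depend on the namespace).

```csharp
// Added example: list and flag what an app for SharePoint requests in its manifest.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public class AppPermissionRequest
{
    public string Scope { get; set; }
    public string Right { get; set; }
}

public static class AppManifestReview
{
    // Constructed sample manifest (not a real app): one list-level read request,
    // one FullControl request on the whole site collection, and app-only policy.
    public const string SampleManifest =
@"<App xmlns=""http://schemas.microsoft.com/sharepoint/2012/app/manifest""
     Name=""ContosoReports"" ProductID=""{11111111-1111-1111-1111-111111111111}"" Version=""1.0.0.0"">
  <AppPermissionRequests AllowAppOnlyPolicy=""true"">
    <AppPermissionRequest Scope=""http://sharepoint/content/sitecollection/web/list"" Right=""Read"" />
    <AppPermissionRequest Scope=""http://sharepoint/content/sitecollection"" Right=""FullControl"" />
  </AppPermissionRequests>
</App>";

    // Every AppPermissionRequest element, regardless of namespace.
    public static List<AppPermissionRequest> Parse(string manifestXml)
    {
        XDocument doc = XDocument.Parse(manifestXml);
        return doc.Descendants()
            .Where(e => e.Name.LocalName == "AppPermissionRequest")
            .Select(e => new AppPermissionRequest
            {
                Scope = (string)e.Attribute("Scope") ?? "",
                Right = (string)e.Attribute("Right") ?? ""
            })
            .ToList();
    }

    // True when the app asks to run without a user context (AllowAppOnlyPolicy="true").
    public static bool RequestsAppOnlyPolicy(string manifestXml)
    {
        XDocument doc = XDocument.Parse(manifestXml);
        XElement requests = doc.Descendants()
            .FirstOrDefault(e => e.Name.LocalName == "AppPermissionRequests");
        return requests != null &&
               string.Equals((string)requests.Attribute("AllowAppOnlyPolicy"), "true",
                             StringComparison.OrdinalIgnoreCase);
    }

    // Points a reviewer should question before granting the all-or-nothing request:
    // FullControl anywhere, any right beyond a single list, and app-only policy.
    public static List<string> Findings(string manifestXml)
    {
        var findings = new List<string>();
        foreach (AppPermissionRequest r in Parse(manifestXml))
        {
            if (r.Right == "FullControl")
                findings.Add("FullControl requested at scope " + r.Scope);
            else if (!r.Scope.EndsWith("/list", StringComparison.OrdinalIgnoreCase))
                findings.Add(r.Right + " requested beyond a single list: " + r.Scope);
        }
        if (RequestsAppOnlyPolicy(manifestXml))
            findings.Add("App-only policy requested: the app can act without a signed-in user");
        return findings;
    }

    public static void Main()
    {
        foreach (string finding in Findings(SampleManifest))
            Console.WriteLine(finding);
    }
}
```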
In my readings I found some great MSDN articles related to Authentication, Authorization and Permissions related to SharePoint 2013 Apps here:
Please do reach out if you have any questions at all.

Enjoy.
   -Antonio

Monday, May 6, 2013

Ottawa IT Camp - Introduction to Developing/Deploying Apps for Office and SharePoint 2013

A big thank you to everyone that attended my session at the Ottawa IT Camp on Saturday May 4th.  There were some great questions and I'm really glad everyone found the session helpful.  Thanks for the feedback.  As well, big thanks to the organizers for putting on a great day!

In addition to the Ottawa IT Camp web site, you can also find the presentation deck that I showed here:  Introduction to Developing and Deploying Apps for Microsoft SharePoint Office 2013.

Please let me know if you have any follow-up questions.

There was one remaining question about development environments for creating SharePoint 2013 Apps that I'm working on answering now, and I'll post the answer here as another blog entry.

Enjoy,
 -Antonio

Thursday, April 11, 2013

How do I know which Claims were retrieved?

Many people know that I do a lot of work with Claims in SharePoint.  Claims based authentication was introduced in SharePoint 2010 for the purpose of both authentication and authorization.  SharePoint 2013 has only strengthened its use of claims by making Claims Based Authentication the default authentication mechanism, and relegating Classic Mode Authentication to being configurable only through PowerShell.

For a while, I've been a big proponent of using claims based authentication/authorization in general, and I tend to specialize in using claims for various security related purposes within SharePoint.  When working on enforcing security policies in SharePoint, you often get into a situation where you need to figure out why a particular policy is not doing what you expected it to do.  Sometimes it's simply because the correct claim types or claim values were not retrieved.  As well, sometimes you need to figure out why your claims based authentication is not working the way you expected - again, this can simply be because the claim values returned were not configured correctly for the user that is logging in.



The question is - when you're logged into SharePoint, how do you know which claims were retrieved? 

To answer this, there is a free tool available from Microsoft that has been indispensable in helping with this kind of analysis.  The tool was created by Steve Peschka of Microsoft, so big shout out to him for writing it and making it freely available.  It's called the "SharePoint Claims Web Part".  A few people have been asking me about it recently - it's a pretty simple process, but I thought a blog post that goes into detail about where you get it and how you configure it would be useful.

Download

First of all, the web part must be downloaded from here

Install to the GAC

Next step is to install the included DLL to the GAC:

1. Copy “SharePointClaims.dll” to each SharePoint web front end server in the farm (e.g. c:\SharePointClaims\).

2. Open a command window (make sure you do this as an administrator) and navigate to the location where the file has been copied.

3. Run the command:   gacutil -if SharePointClaims.dll



Configure the Web Part

Next we must configure the web part to appear where we want it to appear.  I typically display it on the home page of the site collection I'm logging into so that it's the first thing I see.  Here are the steps to do that:

1. On each SharePoint web front end server, navigate to the physical directory where the web application is located (e.g. “C:\inetpub\wwwroot\wss\VirtualDirectories\443”) and open the web.config file.

2. Add the following SafeControl entry to the web application's web.config file on all web front ends you are using:
<SafeControl Assembly="SharePointClaims, Version=1.0.0.0, Culture=neutral, PublicKeyToken=d01fae4d46160aca" Namespace="SharePointClaims" TypeName="ClaimWP" Safe="True" AllowRemoteDesigner="True" SafeAgainstScript="False" />

3. Issue an IISRESET using the command window.

4. Log in to the SharePoint site using a Site Collection Administrator account and go to Site Settings.

5. Select Web Parts under Galleries.

6. In “Library Tools” select “Upload a Document”.

7. Browse for the location of the file “SharePointClaims.webpart”.

8. Accept the default settings.

9. Navigate to the SharePoint page in which you want to view the claims retrieved.  Again, I usually add the web part to the home page of the site collection, so it's the first thing I see after logging in.  However, if you are deploying this to a production farm, you may want to add it to a site page that end users typically do not see.

10. Click Site Settings, then Edit Page, then the Insert tab, and then the Web Part button in the ribbon.  Now click Add a Web Part.

11. Select “Miscellaneous” on the left panel, select “SharePoint Claims Web Part” in the middle panel and click “Add”.

12. The web part will appear. On the Page tab, click “Stop Editing” to return to the normal view.

The web part will now appear as follows and you can see all of the claims that were returned from any claims provider (trusted identity provider or custom claim provider) that SharePoint is configured with.
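For anyone who wants to see what a web part like this does underneath, here is an added example of my own (it is not Steve Peschka's code, whose source is not on this page): a minimal farm-solution web part that lists the claims in the current user's identity. It assumes SharePoint exposes the identity as a Microsoft.IdentityModel (WIF) IClaimsIdentity, and the namespace and class names are mine.

```csharp
// Added example: enumerate the claims SharePoint retrieved for the current user.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;
using Microsoft.IdentityModel.Claims;   // WIF, referenced by SharePoint 2010/2013 for claims

namespace ClaimsDemo
{
    public class ClaimInfo
    {
        public string Type;
        public string Value;
        public string Issuer;
    }

    public class ClaimsListWebPart : WebPart
    {
        // Returns an empty list when the request is not claims based (classic mode),
        // so the caller can tell "no claims" from "claims authentication failed".
        public static List<ClaimInfo> GetClaims(IPrincipal principal)
        {
            var result = new List<ClaimInfo>();
            IClaimsIdentity identity = principal == null ? null : principal.Identity as IClaimsIdentity;
            if (identity == null)
                return result;
            foreach (Claim c in identity.Claims)
                result.Add(new ClaimInfo { Type = c.ClaimType, Value = c.Value, Issuer = c.OriginalIssuer });
            return result;
        }

        // Claim values come from an external identity provider, so treat them as untrusted
        // input and HTML-encode them. The SafeControl entry above sets SafeAgainstScript="False",
        // so nothing else is protecting the page from script in a claim value.
        public static string RenderTable(List<ClaimInfo> claims)
        {
            var sb = new StringBuilder();
            sb.Append("<table><tr><th>Claim type</th><th>Value</th><th>Original issuer</th></tr>");
            foreach (ClaimInfo c in claims)
            {
                sb.Append("<tr><td>").Append(HttpUtility.HtmlEncode(c.Type))
                  .Append("</td><td>").Append(HttpUtility.HtmlEncode(c.Value))
                  .Append("</td><td>").Append(HttpUtility.HtmlEncode(c.Issuer))
                  .Append("</td></tr>");
            }
            sb.Append("</table>");
            return sb.ToString();
        }

        protected override void CreateChildControls()
        {
            List<ClaimInfo> claims = GetClaims(HttpContext.Current.User);
            string html = claims.Count == 0
                ? "<p>No claims found: this user was not authenticated with claims-based authentication.</p>"
                : RenderTable(claims);
            Controls.Add(new LiteralControl(html));
        }
    }
}
```

Deploy it the same way as above: install the assembly to the GAC and add a SafeControl entry for the ClaimsDemo namespace and ClaimsListWebPart type.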
 
Hopefully this is helpful.
      -Antonio

Friday, March 29, 2013

SharePoint Governance: The Impacts of Moving to the Cloud

Thanks to everyone that attended this webcast on March 28th.  We had a great turnout.  Christian Buckley and I were very happy to speak to everyone on this important topic.  Look for more detailed information coming soon to this blog related to things you need to consider when looking at moving business workloads like SharePoint to the cloud.

You can find a link to the presentation deck here.

You can find a link to the on-demand version of the webcast here.

If you had any questions that were not answered during the call, please feel free to reach out to me.

  -Antonio

Wednesday, March 27, 2013

March 28th Webinar - SharePoint Governance: The Impacts of Moving to the Cloud

Webinar: Thursday, March 28, 2013 11:00 AM - 12:00 PM EDT

Register today for this webcast to learn the pros and cons of moving to the Cloud:  https://www2.gotomeeting.com/register/714036874.

Is your enterprise considering a move to the Cloud? Are you aware of the benefits and risks of moving SharePoint and key workloads to a Cloud environment?  

Join Microsoft SharePoint MVPs Christian Buckley (Director of Evangelism, Axceler) and myself for a discussion of the functional trade-offs of the platform, and the potential impacts and risks that need to be considered when moving SharePoint to the Cloud.  This webinar will cover topics such as:

•    SharePoint capabilities in Office365
•    Existing investments that organizations have made in customizing SharePoint
•    Data sovereignty
•    Regulatory compliance

Is SharePoint Online the right decision for you?

Understand the impacts to your business of moving to the cloud, in order to determine whether your enterprise is ready.

Hoping you can join us.  We're looking forward to the discussion and taking people's questions.
     - Antonio

Tuesday, March 19, 2013

Help Microsoft Focus on Customers and Partners!


As part of the Microsoft community, we often work with Anthony, Pierre and Mitch, the evangelists from the IT Pro team at Microsoft Canada.  They asked us to share this important message with you.

The team at Microsoft Canada is focused on ensuring that they help set you up for success by providing the information and tools you need in order to be get the most out of Microsoft based solutions, at home and at work.

Twice a year, Microsoft sends out the Global Relationship Study (GRS for short); it’s a survey that Microsoft uses to collect your feedback and help inform their planning.  If you receive emails from Microsoft, subscribe to their newsletters‚ or you’ve attended any of their events, you may receive the survey.

The important details:
  • Timing – March 4th to April 12th 2013
  • Sent From – “Microsoft Feedback”
  • Email Alias – “feedback@e–mail.microsoft.com”
  • Subject Line – “Help Microsoft Focus on Customers and Partners”


Many of you already read the Microsoft Canada IT Pro team’s blogs‚ connect with them on LinkedIn and have attended their events in the last year or so.  So you may already know that you’re their top priority, and they want to hear from you.

Pierre, Anthony and Mitch use the GRS results to shape what they do, how they do it and whether it’s resonating with you.  Tell them what you need to be the “go-to” guy or gal.  Tell them what you need to grow your career.  They want you to be completely satisfied with Microsoft Canada.

This year, Pierre, Anthony and Mitch have delivered 30 IT Camps and counting across the country, giving you the opportunity to get hands on and learn how to get the most value for your organization.  They have a few more events planned this year, so keep an eye on their plancast feed for events near you.  Based on your feedback, topics they’re planning to cover will include:
  • Windows 8
  • Windows Server 2012
  • System Center 2012
  • Private Cloud
  • BYOD – Management and Security
That’s not all.  They’ve heard you loud and clear, so in addition to hands on events, they’re also delivering more technical content online via the IT Pro Connection Blog.  Windows 8 continues to be a big area of focus for them.  They covered a lot of great content at launch and they’ve complemented that with new content like:
  • Security Concepts
  • Enterprise Focused Content

In addition to this, there are some valuable online resources you can use like Microsoft Virtual Academy, Microsoft’s no-cost online training portal.  Or software evaluations (free trials) on TechNet that allow you to build your own labs to try out what you’ve learned.

Regardless of how you engage with the team at Microsoft Canada‚ you’d probably agree that they hear you. They’d also encourage you to continue to provide that great feedback. They thrive on it‚ they relish it‚ they wallow in it and most importantly of all‚ they action it. So please keep connecting with them and keep it coming! Pierre, Anthony and Mitch are listening. 

Resources, Tools and Training


  • Tim Horton’s Gift Card Contest – We’re giving away 350 Tim Horton’s gift cards, all you have to do to qualify is download a free qualifying software evaluation (trial).  Download all three for more chances to win, but hurry, the contest closes soon.*
  • Windows 8 Resource Guide – Download a printable, one-page guide to the top resources that will help you explore, plan for, deploy, manage, and support Windows 8 as part of your IT infrastructure.
  • Windows Server 2012 Evaluation – Get hands on with Windows Server 2012 and explore the scale and performance possibilities for your server virtualization.
  • Microsoft Support – Get help with products‚ specific errors‚ virus detection and removal and more.
  • Microsoft Licensing – Visit the Volume Licensing Portal today to ask questions about volume licensing‚ get a quote‚ activate a product or find the right program for your organization.

*No purchase necessary. Contest open to residents of Canada, excluding Quebec.  Contest closes April 11, 2013 at 11:59:59 p.m. ET. Three-Hundred-and-Fifty (350) prizes are available to be won: (i) $10 CDN Tim Horton’s gift card.  Skill-testing question required. Odds of winning depend on the number of eligible entries. For full rules, including entry, eligibility requirements and complete prize description, review the full terms and Conditions.
  

Updated SharePoint 2013 Software Boundaries and Limits: Unique Permissions

I am really happy to report a recent update to the SharePoint 2013 Boundaries and Limits web page.  Large enterprises in particular can have extremely large requirements for their SharePoint environments and this site has proven to be invaluable in determining what SharePoint can do, what it can't do and which boundaries can be pushed to the brink.

The update I want to highlight is related to SharePoint security scopes.  Security scopes in SharePoint are also referred to as "unique permissions" or "fine grained permissions".  People often think of fine grained permissions when they refer to a document or library that requires some unique permission for a user or group (for example, a spreadsheet containing senior executive salaries might require unique permission to prevent other individuals from being permitted to view or access it).  In fact, whenever permission inheritance is broken on a document, item, folder, library or subsite, a new security scope is created.

For years, advisors in the SharePoint community have been telling SharePoint administrators and consultants that they should avoid fine grained permissions because this would cause performance issues for end users when navigating through SharePoint or retrieving content that needs to be security trimmed.  As well, there was a lot of confusion in the community about whether the threshold at which performance issues started was 1000 or 5000 security scopes.  There were several Microsoft publications on this topic with differing numbers.  In fact, this limitation was previously true in older versions of SharePoint and in early releases of SharePoint 2010. 

However, this limitation has been seen for some time as a real problem for many organizations that deal with very sensitive information.  Examples of these are the military, governments, defense organizations and large regulated enterprises.  They deal with large amounts of very sensitive information and very strict regulatory compliance requirements, so creating new sites or libraries with specific permissions and having all content within inherit those permissions is simply not practical in these environments.

I'm very happy to say that Microsoft has finally updated this threshold! 

Microsoft actually released an update to SharePoint 2010 in the summer of 2011 to address this issue.  With SharePoint 2010 Service Pack 1, with the August 2011 cumulative update or higher, this threshold on security scopes was actually raised to 50,000.  As well, the point at which multiple round trips to the SQL database occur was clarified - it's actually when the number of unique security scopes (unique permissions) in a list or library exceeds the List View Threshold setting.  It's not a hard setting of 5000 items that triggers multiple SQL roundtrips to occur.

Despite this very significant update, the documentation related to this threshold was not updated at that time.  SharePoint 2013 was released with the same security scope threshold of 50,000.  The goal for that release was to hold this line, which is great.  However, again the documentation was not updated.

At last, as of March 5, 2013, the documentation related to this threshold has now been updated to reflect this change! 

Security Scopes Section in SharePoint 2013 Boundaries and Limits Documentation

The full site on SharePoint 2013 Boundaries and Limits can be found here: http://technet.microsoft.com/en-us/library/cc262787.aspx.  A big thank you to the Microsoft folks I've been speaking with about this issue for making the update!

At TITUS we have been working in the realm of unique permissions and security scopes for years.  We work with military, government organizations and large enterprises around the world helping them to secure access to sensitive information in SharePoint.  So this is a welcome change.  We have had customers in the field with several libraries and lists containing between 50,000 and 60,000 unique security scopes, and after significant testing after the update to SharePoint 2010 Service Pack 1 (with appropriate CUs) they've found that their end users are not experiencing performance issues when navigating these lists and libraries or searching for content.

It's important to note that the Security Scope value is a threshold and not a hard limit, so you can surpass 50,000 if you really want to or if you can throw enough hardware at the problem.  Remember, the number which can be used without experiencing performance issues is not unlimited, so unique permissions must still be applied appropriately where needed.  That said, they are a useful tool in cases where sensitive information or regulatory compliance requirements require that permissions be applied at a fine grained level in order to ensure the right users are accessing the right information... and I would suggest that we in the community can stop recommending against their usage.

This is a significant and welcome change for Microsoft SharePoint, especially in environments that deal with sensitive information, or compliance obligations.
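Because the round trips start when the unique scopes in one list exceed the List View Threshold rather than at a fixed 5000, the useful check is per list. This is an added example, not from the post or from Microsoft: a console tool using the SharePoint server object model (Microsoft.SharePoint.dll, run on a farm server) that counts the unique security scopes in a list and compares the total with the web application's threshold; the site URL and list title are placeholders.

```csharp
// Added example: count unique security scopes in a list against the List View Threshold.
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

public static class SecurityScopeCheck
{
    public class ScopeReport
    {
        public int UniqueScopes;       // items and folders with broken inheritance (+1 if the list itself is unique)
        public int ListViewThreshold;  // MaxItemsPerThrottledOperation of the web application
        public bool ExceedsThreshold { get { return UniqueScopes > ListViewThreshold; } }
    }

    // Pages through the list in chunks below the threshold so the audit itself is not throttled.
    public static ScopeReport Inspect(SPList list, int pageSize = 2000)
    {
        var report = new ScopeReport
        {
            ListViewThreshold = list.ParentWeb.Site.WebApplication.MaxItemsPerThrottledOperation,
            UniqueScopes = list.HasUniqueRoleAssignments ? 1 : 0
        };

        var query = new SPQuery
        {
            RowLimit = (uint)pageSize,
            ViewAttributes = "Scope=\"RecursiveAll\"",   // folders and items inside folders count too
            ViewFields = "<FieldRef Name='ID'/>"
        };
        do
        {
            SPListItemCollection items = list.GetItems(query);
            foreach (SPListItem item in items)
            {
                // HasUniqueRoleAssignments is a per-item database call; fine for an admin audit,
                // not something to run inside a page request.
                if (item.HasUniqueRoleAssignments)
                    report.UniqueScopes++;
            }
            query.ListItemCollectionPosition = items.ListItemCollectionPosition;
        } while (query.ListItemCollectionPosition != null);

        return report;
    }

    public static void Main(string[] args)
    {
        // Placeholders: pass your own site URL and list title on the command line.
        string siteUrl = args.Length > 0 ? args[0] : "http://sharepoint.example.local/sites/finance";
        string listTitle = args.Length > 1 ? args[1] : "Executive Documents";

        using (var site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            ScopeReport r = Inspect(web.Lists[listTitle]);
            Console.WriteLine("Unique security scopes: {0} (List View Threshold: {1}){2}",
                r.UniqueScopes, r.ListViewThreshold,
                r.ExceedsThreshold ? " - expect multiple SQL round trips on this list" : "");
        }
    }
}
```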

     - Antonio

Thursday, February 21, 2013

Microsoft Office Arrives in the Cloud on Feb. 27th

I'm very excited that next week Microsoft is hosting two Office 365 Virtual Launch Events on Feb 27th at 8am and 5pm PDT.

Virtual Launch Event for the new Office 365 for business
Date: Wednesday, February 27th, 8 am PDT and 5 pm PDT

Why Attend?
  • Learn how the new Office 365 can help people do their best work in a world of devices and services
  • Hear customers talk about how Office 365 is transforming the way they deliver productivity tools across their organization
  • See how Office 365 delivers new experiences combining the power of social with collaboration, email and unified communications
  • Join in a live Q&A with Microsoft executives and product experts

Make sure you sign up and attend to learn all about this awesome offering for business.
     - Antonio

Tuesday, January 8, 2013

Locking Out Farm Admins from Sensitive Content in SharePoint 2010


It’s amazing - I get asked all the time about whether there is a way to lock out farm administrators from accessing sensitive content in SharePoint.  Last December, I was asked 3 times within an hour of completing a conference session on SharePoint Security and, in all 3 cases, the question was related to SharePoint sites that contained sensitive information and documents related to Mergers and Acquisitions.

This is a common problem that we in the community often hear about.  Often the answer given is “there is no way to do that” or “you have to move that content to Office365”.

Just to restate the problem:  Farm administrators in SharePoint are in effect “super users” and they have access to everything within the SharePoint farm.  The farm administrator role is an IT role, which involves solution deployment, back end configuration and infrastructure management.  By definition the farm administrator is an IT function.  However, in many commercial organizations with sensitive information the IT staff is not permitted to view or access sensitive business data, especially if that information is subject to regulatory compliance or audit requirements.  In the government, military or intelligence community the IT staff is typically not Top Secret cleared, meaning they do not have Top Secret security clearance and therefore are not permitted to access classified or confidential government information.  But remember, farm administrators can access everything.  Yes, you can configure farm administrators to not be able to view or access content; however, they have sufficient privileges to give themselves back rights to access content.

I’ve thought about this problem over the last few months and tried to come up with some possible solutions to suggest.  Here is one suggestion I made to some people that asked me this question late last year.

The first thing you need to consider is which individual(s) is the content owner for the sensitive content that you are protecting.  You need to ensure that they have ultimate rights to manage permissions to this content.  This person must also be able to serve as a backup to edit or restore permissions should they get truly out of hand in the library holding this content – so an individual with a technical aptitude or some training for the content owners may be required.  Remember you are intentionally locking out the farm administrator (and possibly the entire IT staff) from viewing or accessing content, and this includes managing or restoring permissions as well.  So, the farm administrators can no longer serve as a backup to restore or manage permissions.

Next you should consider using Microsoft's Information Rights Management (IRM) feature within SharePoint to protect and encrypt content as it leaves SharePoint.

So, there is some configuration that needs to be done at the farm level to turn on IRM - this needs to be done by that farm administrator we mentioned above (so this solution is not fool proof).  Once IRM is turned on, it can be pointed to a Microsoft AD-RMS server within the same network.  Microsoft AD-RMS (or Active Directory Rights Management Server) is the server that will generate keys, actually encrypt content and manage the rights that are assigned to individual documents that are protected.  So, this is a server that needs to be setup and managed like any other server. You should ensure that the SharePoint farm administrator is not the same person that administers Microsoft AD-RMS - in fact, in this case ensure that the SharePoint farm admin doesn't have any access to the Microsoft RMS server.  You can find a good overview on Microsoft AD-RMS here.  Once SharePoint IRM is turned on, then site owners can configure on a library by library basis which libraries have IRM applied and what rights will be enforced (this part is not a farm administrator function).

Essentially, when using the IRM feature within SharePoint, when a user downloads a document from SharePoint it will be encrypted on the way out.  As well, it will have certain rights associated with it (like 'do not print' for example).  This protection is built in such a way that decrypting the document after it is downloaded from SharePoint, and accessing the content within, is simply a matter of opening the document in the appropriate application (e.g. Microsoft Word, Excel or PowerPoint).  An IRM protected .docx file still looks like a .docx file.  It is the payload (or content) within the .docx file that is encrypted.  The encryption and decryption of that content happens completely seamlessly for the end user trying to access the content.  And of course, only users for which the content has been encrypted will be able to decrypt it.  Keep in mind, SharePoint IRM encrypts the documents only when they are downloaded or opened from SharePoint.  Documents actually sit in the clear while they are within SharePoint - this is done so that the contents of the documents are still index-able and searchable.

So, the idea behind using SharePoint IRM being a suggested solution in cases where SharePoint farm admins are not permitted to access sensitive content is:
  • You can certainly turn off their access to see it through out of box SharePoint configuration. 
  • As an additional measure you can use the IRM feature within SharePoint to encrypt sensitive documents on download, so that even if the SharePoint farm admin gives themselves back access to view documents in SharePoint, if they download those documents they will be encrypted for other users and they will not be permitted to access the content within.

There is still a hole in this as mentioned above:  the SharePoint farm admin can completely turn off the IRM feature.  Resolving this at this point, either in SharePoint 2010 or SharePoint 2013, would involve looking for (or developing) an auditing and alerting solution that would monitor this type of configuration change in SharePoint Central Admin and issue alerts if the feature was disabled or modified.
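One shape such a monitor can take, as an added example of my own (not from the post and not a Microsoft tool): a scheduled check, run on a farm server under an account that is not the farm administrator being watched, that reads the farm-level IRM settings and the IRM flag on the protected libraries and compares them with a known-good baseline. It uses the SharePoint server object model; the SPIrmSettings property names (IrmRMSEnabled, IrmRMSUseAD, IrmRMSCertServer) and SPList.IrmEnabled are as I know them, and the site URL, library title and RMS URL are placeholders.

```csharp
// Added example: detect IRM being disabled at the farm level or on a protected library.
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

public static class IrmWatch
{
    public class IrmState
    {
        public bool FarmIrmEnabled;                                   // SPIrmSettings.IrmRMSEnabled
        public string RmsServer;                                      // configured AD RMS server ("" when using AD discovery)
        public Dictionary<string, bool> LibraryIrm = new Dictionary<string, bool>();  // library title -> IrmEnabled
    }

    // Snapshot of the settings a farm administrator would have to change to switch IRM off.
    public static IrmState ReadState(SPWeb web, IEnumerable<string> protectedLibraries)
    {
        SPIrmSettings settings = SPWebService.ContentService.IrmSettings;
        var state = new IrmState
        {
            FarmIrmEnabled = settings.IrmRMSEnabled,
            RmsServer = settings.IrmRMSUseAD ? "" : (settings.IrmRMSCertServer ?? "")
        };
        foreach (string title in protectedLibraries)
            state.LibraryIrm[title] = web.Lists[title].IrmEnabled;
        return state;
    }

    // Compare the snapshot with the expected baseline; every string returned is an alert.
    public static List<string> Compare(IrmState current, bool expectFarmEnabled, string expectedRmsServer)
    {
        var alerts = new List<string>();
        if (current.FarmIrmEnabled != expectFarmEnabled)
            alerts.Add("Farm-level IRM is " + (current.FarmIrmEnabled ? "enabled" : "DISABLED") + " (unexpected)");
        if (!string.Equals(current.RmsServer, expectedRmsServer, StringComparison.OrdinalIgnoreCase))
            alerts.Add("IRM points at an unexpected RMS server: '" + current.RmsServer + "'");
        foreach (KeyValuePair<string, bool> kv in current.LibraryIrm)
            if (!kv.Value)
                alerts.Add("IRM is DISABLED on library '" + kv.Key + "'");
        return alerts;
    }

    public static void Main()
    {
        // Placeholders: the site holding the sensitive content, its protected libraries,
        // and the AD RMS certification URL SharePoint is expected to be pointed at.
        using (var site = new SPSite("http://sharepoint.example.local/sites/ma"))
        using (SPWeb web = site.OpenWeb())
        {
            IrmState state = ReadState(web, new[] { "M&A Documents" });
            List<string> alerts = Compare(state, true, "https://rms.example.local/_wmcs/certification");
            foreach (string alert in alerts)
                Console.WriteLine("ALERT: " + alert);   // hand these to your monitoring or ticketing system
            if (alerts.Count == 0)
                Console.WriteLine("IRM configuration matches the baseline.");
        }
    }
}
```

The check only covers the configuration itself; pair it with SharePoint audit logging so that who made a change, and when, is also on record.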

If this is a possible solution for you, then I recommend you take a look at an article I wrote a little while ago on Understanding and Configuring Information Rights Management in SharePoint 2013.

-Antonio