Access Control and Windows Security

SharePoint Portal Server security is modeled on Windows security technology, which involves granting users and groups access to objects and principals. Security features in SharePoint Portal Server are designed to control and manage access to portal site and area content. In addition, SharePoint Portal Server security enables rights to be assigned to groups of users and specific areas. This makes it easier to manage a large number of users and projects and greatly reduces the number of times an administrator needs to update rights.

SharePoint Portal Server 2003 takes advantage of the following components to safeguard Web site content:

  • Standard Windows authentication and security methods. You manage security using Microsoft Windows NT® users and security groups (DOMAIN\user and DOMAIN\security group).

 Note: You cannot use distribution lists to control access to content with Windows SharePoint Services, because distribution lists are not used for authentication in Windows. For SharePoint Portal Server 2003, you can only connect to the database using Windows authentication. However, Windows SharePoint Services supports both Windows authentication and SQL authentication.
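One way to check a planned set of groups against the distribution-list restriction above before assigning rights. This is an added example, not Microsoft's code; it assumes the groups live in Active Directory, where the `groupType` attribute marks security groups with the `0x80000000` flag, and the group names and values are constructed.

```python
# Added example: flags groups that cannot carry access rights because they
# are distribution groups. Sample data below is constructed, not real output.
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # set on security groups only
SCOPES = {0x2: "global", 0x4: "domain local", 0x8: "universal"}


def decode_group_type(raw):
    """Decode an Active Directory groupType value.

    LDAP returns the attribute as a signed 32-bit integer (often as a
    string), so a global security group arrives as -2147483646 rather
    than 0x80000002. Mask to 32 bits before testing flags.
    """
    value = int(raw) & 0xFFFFFFFF
    scope = next((name for bit, name in SCOPES.items() if value & bit), "unknown")
    return {
        "security_enabled": bool(value & GROUP_TYPE_SECURITY_ENABLED),
        "scope": scope,
    }


def unusable_for_access_control(groups):
    """Return the names of groups that are distribution groups.

    groups: mapping of group name -> raw groupType value.
    """
    return sorted(
        name for name, raw in groups.items()
        if not decode_group_type(raw)["security_enabled"]
    )


# Constructed sample; the DOMAIN\group names are hypothetical.
SAMPLE_GROUPS = {
    r"CONTOSO\Portal Readers": "-2147483646",   # global security group
    r"CONTOSO\HR Contributors": "-2147483644",  # domain local security group
    r"CONTOSO\All Staff DL": "8",               # universal distribution group
    r"CONTOSO\Newsletter": "2",                 # global distribution group
}

if __name__ == "__main__":
    for name in unusable_for_access_control(SAMPLE_GROUPS):
        print(f"{name}: distribution group, cannot be granted rights")
```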

SharePoint Portal Server 2003 security relies on the following aspects of the Windows security model:

  • Security objects are items that can have actions carried out on them or contain data. In SharePoint Portal Server, this includes areas that consist of collections of content and views.
  • Security principals are roles with defined access to security objects. In SharePoint Portal Server, users and groups that have rights over security objects are referred to as security principals. Collections of users that have similar information and functionality needs can be aligned with the type of roles played within an organization using SharePoint site groups. Such group membership allows those users to access or manipulate SharePoint Portal Server objects appropriate to their job functions and to receive content targeted to their needs. Users can belong to multiple groups depending on the type of work they perform in your organization.
  • Domain group support. You can use domain groups to control access to your site.
  • SharePoint administrators group. You can use the SharePoint administrators group to permit members of a domain group to perform central administration tasks without granting them administrator rights to the local server computer.
  • SharePoint Central Administration. You can use the SharePoint Central Administration pages to change settings for SharePoint Portal Server and Windows SharePoint Services including the server farm, specific servers, and default settings for all sites. Additionally, you can add or delete users on all sites and assign site owners.

  • Secure Sockets Layer and firewall protection. You can use Secure Sockets Layer (SSL) security and a firewall to help prevent external access to the port used for SharePoint Central Administration. A properly configured firewall helps protect your data from unauthorized people and organizations. SharePoint Portal Server can work inside or through a firewall. For more information about configuring and enabling SSL, see Enabling Secure Sockets Layer for SharePoint Portal Server 2003.

  • Authenticated SQL Server database connections. Use Integrated Windows authentication to connect to the configuration database and content database. Windows SharePoint Services can be used with SQL Server authentication, but SharePoint Portal Server requires Integrated Windows authentication.
  • Secure communication with external partners by using an extranet. If you work with external partners, or if you have users who need to access data from outside of your organization's firewall, you can use SharePoint Portal Server in an extranet environment. Depending upon your extranet configuration, you can enable internal and external users to view and interact with the same content and data. You can also employ antivirus protection and blocked file extension features to help protect your server integrity. For more information about configuring an extranet, see "Deploying SharePoint Portal Server 2003 on an Extranet by Using ISA Server 2000 and ISA Server 2004" available for download at <link>.
  • Secure access with single sign-on. Single sign-on makes it possible for users to access SharePoint Portal Server and third-party resources over the network without having to repeatedly supply their credentials.
Applies to:
Deployment Center 2003, SPS Admin 2003