Windows SharePoint Services Security Model

Microsoft Windows SharePoint Services includes or takes advantage of the following elements that interact with and affect your security for Web site content:

  • User authentication    The process used to validate the user account that is attempting to gain access to a Web site or network resource. You manage security using Microsoft Windows NT users and security groups (DOMAIN\user and DOMAIN\security group). You cannot use distribution lists to control access to content in Windows SharePoint Services: a distribution list is not a security-enabled group, so it never appears in a user's access token and Windows cannot authorize against it.
  • SharePoint administrators group    A Microsoft Windows user group authorized to perform administrative tasks for Windows SharePoint Services.
  • Site groups    A means of controlling the rights (rights: File-level and folder-level permissions that allow access to a Web site.) assigned to particular users or groups in a Web site based on Windows SharePoint Services. There is a pre-defined list of site groups for each Web site (Administrators, Web Designers, and so on). To grant a user access to a Web site, you assign that user to a site group.

Windows SharePoint Services also uses cross-site groups. A cross-site group is a set of users that can be assigned, as if it were a single user, to a site group on any Web site in a site collection. No cross-site groups are defined by default in Windows SharePoint Services.

User Authentication

User authentication for Windows SharePoint Services is based on Internet Information Services (IIS) (Internet Information Services (IIS): Software services from Microsoft that support Web site creation, configuration, and management, along with other Internet functions.) authentication methods. Windows SharePoint Services can be used with the following forms of user authentication:

  • Anonymous authentication
  • Basic authentication
  • Integrated Windows authentication
  • Certificates authentication (SSL)

You choose the authentication method you want to use when you set up your Web server (Web server: A computer that hosts Web pages and responds to requests from browsers. Also known as an HTTP server, a Web server stores files whose URLs begin with http://.). You cannot change the authentication method by using the Windows SharePoint Services administration tools; you must use the Internet Information Services administration tool for your server computer to change the authentication method. For more information about setting an authentication method, see Configuring Authentication.

 Note   For more information about IIS authentication methods, see the topic About authentication in IIS 6.0 Help.

Anonymous Authentication

Anonymous authentication (Anonymous authentication: An authentication method that provides access to users who do not have user accounts on the server computer.) provides access to users who do not have Windows NT server accounts on the server computer (for example, Web site visitors). IIS creates the anonymous account for Web services, which is usually named IUSR_computername. When IIS receives an anonymous request, it impersonates that account, so any resource the anonymous account can reach is reachable without presenting any credentials at all.

You can enable or disable anonymous access in IIS for a particular virtual server (virtual server: A virtual computer that resides on an HTTP server but appears to the user as a separate HTTP server. Several virtual servers can reside on one computer. Each virtual server can have its own domain name and IP address.), and enable or disable anonymous access for a site on that virtual server by using HTML Administration pages. Anonymous access must be enabled in IIS before you can enable it for a Web site on that virtual server. For more information about configuring anonymous access for a site, see Managing Site Groups and Permissions.

Basic Authentication

Basic authentication is an authentication protocol supported by most Web servers and browsers. It transmits the user name and password in clear text (clear text: Unencrypted, non-machine dependent, ASCII text in readable form.); the credentials are only Base64-encoded, which anyone who can observe the connection can decode. Its advantages over the more secure methods are that it works through a proxy server firewall and that almost any Web browser supports it. If you use Basic authentication only over Secure Sockets Layer (SSL), the user names and passwords are protected in transit. Require SSL for the site rather than merely enabling it: if plain HTTP remains available, a browser can still send the Basic credentials unencrypted.

Integrated Windows Authentication

Integrated Windows authentication (also known as Windows NT Challenge/Response) never sends the password itself: in its NTLM form the client proves knowledge of the password in a challenge/response exchange spread over several requests, and in its Kerberos form the client presents a ticket. Either way the method is more secure than Basic authentication. Its disadvantages are that NTLM cannot be performed through a proxy server firewall that does not keep the client connection open across requests, and that some Web browsers (most notably Netscape Navigator) do not support it. You can, however, enable both this method and Basic authentication at the same time, and most Web browsers will select the most secure option they support (for example, if both Basic and Integrated Windows authentication are enabled, Microsoft Internet Explorer tries Integrated Windows authentication first). Be aware that a browser that does not support Integrated Windows authentication will fall back to Basic, so this combination still needs SSL.

Certificates Authentication (SSL)

Certificate authentication is built on Secure Sockets Layer (SSL) security, which provides communications privacy, server authentication, and message integrity for a TCP/IP connection. By using the SSL protocol, clients and servers can communicate in a way that prevents eavesdropping, tampering, or message forgery. SSL by itself authenticates the server to the client; to authenticate users with certificates, IIS must additionally require a client certificate and map it to a Windows account. With Windows SharePoint Services, SSL helps secure authoring across firewalls and allows more secure remote administration of Windows SharePoint Services. You can also specify that SSL be used when opening any Web site based on Windows SharePoint Services.
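Because Windows SharePoint Services inherits its authentication settings from IIS, the quickest way to check which of the four methods above is actually in force on each virtual server is to read the IIS 6 metabase. The script below is an added example, not part of the original page or of the product: it walks every Web site through the IIS metabase ADSI provider (IIS://), decodes the AuthFlags and AccessFlags bit masks, and flags the weak combinations discussed above (Basic without SSL required, anonymous access on the administration port, a provider list that forces NTLM, as described later under "About Integrated Windows Authentication"). It assumes PowerShell on the IIS 6 host, run as a local administrator, and that $AdminPort is the Central Administration port (0 skips that check).

```powershell
# Added example (not from the original page): audit the IIS 6 authentication
# settings that Windows SharePoint Services inherits, for every Web site on
# the local server, through the IIS metabase ADSI provider.
# Assumptions: run as a local administrator on the IIS 6 host;
# $AdminPort is the Central Administration port (0 = unknown, skip that check).
param([int] $AdminPort = 0)

# Bit values of the metabase AuthFlags property (one bit per enabled method)
# and of the AccessFlags bit that makes SSL mandatory for a site.
$AUTH_ANONYMOUS  = 1
$AUTH_BASIC      = 2
$AUTH_INTEGRATED = 4
$ACCESS_SSL      = 8

function Get-WebSiteAuthReport {
    $w3svc = [ADSI] "IIS://localhost/W3SVC"
    foreach ($site in $w3svc.psbase.Children) {
        if ($site.psbase.SchemaClassName -ne "IIsWebServer") { continue }
        $id   = $site.psbase.Name
        $root = [ADSI] "IIS://localhost/W3SVC/$id/Root"

        # Effective (possibly inherited) values at the site root.
        $auth      = [int]    $root.psbase.Properties["AuthFlags"].Value
        $access    = [int]    $root.psbase.Properties["AccessFlags"].Value
        $providers = [string] $root.psbase.Properties["NTAuthenticationProviders"].Value
        # First ServerBindings entry is "IP:port:hostheader"; take the port.
        $binding   = [string] @($site.psbase.Properties["ServerBindings"].Value)[0]
        $port      = $binding.Split(":")[1]

        $findings = @()
        if (($auth -band $AUTH_BASIC) -and -not ($access -band $ACCESS_SSL)) {
            $findings += "Basic enabled but SSL not required: credentials cross the wire Base64-encoded"
        }
        if (($auth -band $AUTH_ANONYMOUS) -and ($AdminPort -ne 0) -and ($port -eq "$AdminPort")) {
            $findings += "Anonymous access enabled on the Central Administration port"
        }
        if (($auth -band $AUTH_BASIC) -and -not ($auth -band $AUTH_INTEGRATED)) {
            $findings += "Only Basic is enabled; browsers cannot choose Integrated Windows authentication"
        }
        # Per the page: a null value or 'Negotiate,NTLM' allows Kerberos; anything else forces NTLM.
        if ($providers -ne "" -and $providers -ne "Negotiate,NTLM") {
            $findings += "NTAuthenticationProviders='$providers' restricts Integrated auth to NTLM"
        }

        New-Object PSObject -Property @{
            SiteId      = $id
            Port        = $port
            Anonymous   = [bool] ($auth -band $AUTH_ANONYMOUS)
            Basic       = [bool] ($auth -band $AUTH_BASIC)
            Integrated  = [bool] ($auth -band $AUTH_INTEGRATED)
            SSLRequired = [bool] ($access -band $ACCESS_SSL)
            Providers   = $providers
            Findings    = ($findings -join "; ")
        }
    }
}

# Usage: one row per virtual server, with the weak settings spelled out.
Get-WebSiteAuthReport | Format-Table SiteId, Port, Anonymous, Basic, Integrated, SSLRequired, Findings -AutoSize
```

Run it before and after any change made in the IIS administration tool; a site that shows Basic = True with SSLRequired = False is the case the preceding section warns about, and the page's note that anonymous access must be enabled in IIS before it can be enabled for a site means a site with Anonymous = False here cannot be opened to anonymous users from the HTML Administration pages alone.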

The SharePoint Administrators Group

To install Windows SharePoint Services, you must be a member of the local administrators group (local administrators group: The group of users who have permission to perform administration tasks on the local server computer. The permissions for this group are set by using the administration tools for the operating system.) on the server computer. Membership in that group also confers the permissions needed to change settings on the Central Administration pages and to run the command-line tool Stsadm.exe. In addition, you can designate a specific domain group as the SharePoint administrators group; its members get administrative access to Windows SharePoint Services without being local administrators. Add Windows SharePoint Services administrators to that group rather than to the local administrators group, so that administrative access to Windows SharePoint Services stays separate from administrative access to the server computer itself.

Members of the SharePoint administrators group do not have access to the IIS metabase, so they cannot perform the actions for Windows SharePoint Services that require changing it (for example, changing the authentication method, which as noted above is set only in IIS).

Members of the SharePoint administrators group can perform any other administrative action using the HTML Administration pages or object model for Windows SharePoint Services.

Members of the SharePoint administrators group, like members of the local administrators group, have rights to view and manage all sites created on their servers. This means that a server administrator can read documents or list items, change survey (survey: A Web site component that presents users with a set of questions specified by the creator of the survey and collects user responses. Results are tallied in a graphical summary. Requires a Web server that is running Windows SharePoint Services.) settings, delete a site, or perform any other action on any site that the site administrator can perform. Keep both groups small and review their membership regularly, because nothing in the site groups limits what these accounts can do.

Windows SharePoint Services Site Groups

Windows SharePoint Services includes site groups (site group: A custom security group that applies to a specific Web site. Users are assigned to site groups to grant them rights on a SharePoint site.) to help you assign particular rights to users and to cross-site groups (cross-site group: A custom security group that applies to more than one Web site. A cross-site group can be assigned to a site group as if it was a single user.). With site groups, you do not have to control the file and folder permissions separately, or worry about keeping your local groups synchronized with your list of Web users. You use site groups to give users permissions on your Web site, and use the Windows SharePoint Services administration tools to add new users directly.

In effect, user management is delegated from server administrators to the site owners and administrators. Site administrators control site access and, by default, have rights to add, delete, or change site group membership for users. Inside an organization, this typically means that site administrators can select users from the list of the organization's users, and grant them access to varying degrees. For example, if the Web site is for members of a particular workgroup to share documents and information, the site administrator adds members of that workgroup to the site and assigns them to the Contributor site group, so that they can add documents and update lists.

In an ISP or extranet (extranet: An external Web site for an organization; usually secured so that only authorized users can gain access to it.) environment, Windows SharePoint Services can instead run in Active Directory account creation mode, in which a site owner adds new users and their accounts are created in Active Directory, with a separate user list for each site collection (site collection: A set of Web sites on a virtual server that have the same owner and share administration settings. Each site collection contains a top-level Web site and can contain one or more subsites.). The site administrator adds the users to the Web site and Windows SharePoint Services automatically creates their accounts in the Active Directory directory service.

Members of the Administrator site group for a top-level Web site can control more options than administrators of a subsite (subsite: A complete Web site stored in a named subdirectory of the top-level Web site. Each subsite can have administration, authoring, and browsing permissions that are independent from the top-level Web site and other subsites.). Administrators of a top-level Web site can perform actions such as enabling or disabling Web document discussions or alerts (alert: A feature that notifies a user by e-mail when there is a change to an item, document, list, or document library on the Web site.), viewing usage and quota (quota: A value that limits the amount of storage or number of users for a Web site.) data, and changing anonymous access settings.

 Note   The owner and secondary owner of a top-level Web site may be members of the Administrator site group for their site, but they are also identified separately in the configuration database as site collection owners. This owner flag can only be changed by using the Manage Site Collection Owners page in Central Administration or by using the siteowner operation with Stsadm.exe. If you remove an owner from the Administrator site group for the site, the owner retains the owner flag in the database, and can still perform site collection administration tasks.

For more information about user accounts and Active Directory account creation mode, see Managing Users and Cross-Site Groups. For more information about site groups, see Managing Site Groups and Permissions.
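The note above has a practical consequence when a site owner leaves: removing the account from the Administrator site group does not revoke the owner flag, so the owner must be reassigned first and the site group membership removed second. The script below is an added example, not part of the original page or of the product, that does both steps in that order with Stsadm.exe and then lists the site's users to confirm the result. It assumes Stsadm.exe at its default install path and uses hypothetical URL, login, e-mail and display-name values; the Stsadm operations it calls (adduser, userrole, siteowner, enumusers) and the site group name Contributor are the ones the page refers to.

```powershell
# Added example (not from the original page): delegate a site group to a new user,
# then transfer site collection ownership away from a departing owner and remove
# that owner from the Administrator site group, in that order.
# Assumptions: stsadm.exe at its default path; every URL, login, e-mail address
# and display name below is a hypothetical placeholder.
$stsadm = "${env:CommonProgramFiles}\Microsoft Shared\web server extensions\60\BIN\stsadm.exe"

function Invoke-Stsadm {
    param([string[]] $Arguments)
    # stsadm reports failure through its exit code; surface it instead of silently continuing.
    $output = & $stsadm $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "stsadm $($Arguments -join ' ') failed: $output" }
    $output
}

function Grant-SiteGroup {
    param([string] $Url, [string] $Login, [string] $Email, [string] $DisplayName, [string] $SiteGroup)
    # adduser adds the user to the site and places the account in a site group
    # (stsadm calls the site group a "role").
    Invoke-Stsadm @("-o", "adduser", "-url", $Url, "-userlogin", $Login,
                    "-useremail", $Email, "-role", $SiteGroup, "-username", $DisplayName)
}

function Move-SiteCollectionOwner {
    param([string] $Url, [string] $OldOwner, [string] $NewOwner, [string] $NewSecondary)
    # Step 1: change the owner flag in the configuration database. Doing only step 2
    # would leave the old owner able to perform site collection administration tasks.
    Invoke-Stsadm @("-o", "siteowner", "-url", $Url,
                    "-ownerlogin", $NewOwner, "-secondarylogin", $NewSecondary)
    # Step 2: now remove the old owner from the Administrator site group.
    Invoke-Stsadm @("-o", "userrole", "-url", $Url,
                    "-userlogin", $OldOwner, "-role", "Administrator", "-delete")
}

# Usage with placeholder values.
$site = "http://server/sites/team"
Grant-SiteGroup -Url $site -Login "CONTOSO\alice" -Email "alice@contoso.example" `
                -DisplayName "Alice" -SiteGroup "Contributor"
Move-SiteCollectionOwner -Url $site -OldOwner "CONTOSO\bob" `
                         -NewOwner "CONTOSO\carol" -NewSecondary "CONTOSO\dave"
# Verify: enumusers lists each user with its site group; CONTOSO\bob must no longer
# appear as Administrator, and the Manage Site Collection Owners page must show carol.
Invoke-Stsadm @("-o", "enumusers", "-url", $site)
```

Running the two Stsadm operations in the opposite order is the mistake the note warns about: the site group change succeeds, but the configuration database still records the old account as owner.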

Securing the Administrative Port

If a malicious user can gain access to your administrative port, he or she can potentially block other users from accessing their sites, change or delete content from the sites, or even completely disable your Web server. When you install Windows SharePoint Services, the administration port is assigned to a random port number; a random port hides the interface only from casual inspection, so it is important to restrict access to the Windows SharePoint Services administration port, which you can do by using the following methods:

  • Use SSL for administration across the Internet.

If you want to be able to manage Windows SharePoint Services across an Internet (Internet: The worldwide collection of networks and gateways that use the TCP/IP suite of protocols to communicate with one another. If you have access to the Internet, you can retrieve information from millions of sources.) connection, use SSL to provide more secure communication between a client machine and the server, even across the Internet. To use SSL, you must first configure SSL in IIS, and then use the command line to configure Windows SharePoint Services. Note that when you use SSL, the Uniform Resource Locator (URL) (Uniform Resource Locator (URL): An address that specifies a protocol (such as HTTP or FTP) and a location of an object, document, World Wide Web page, or other destination on the Internet or an intranet. Example: http://www.microsoft.com/.) for SharePoint Central Administration changes from http:// to https://. For more information about configuring SSL, see Configuring Authentication.

  • Use a firewall or IIS to restrict external access to certain domains.

You can use the settings for your firewall to block access to the administrative port altogether (if you don't need to allow administration over the Internet), or to restrict access to the administrative port to certain domains. Use the stsadm -o setadminport operation to set each server in your server farm (server farm: A centralized grouping of network servers maintained by an enterprise or, often, an Internet service provider (ISP). A server farm provides a network with load balancing, scalability, and fault tolerance.) to the same port number, and configure the firewall to help protect that port on all servers. Alternatively, you can use the IP and name restrictions feature in IIS to restrict access to specific domains (you must set this for each virtual server that you want to restrict access to). For more information about helping to protect a port in IIS, see the Securing Your Site with IP Address Restrictions topic in the IIS Help system.

  • Use the SharePoint administrators group to restrict internal access.

Use the SharePoint administrators group to control which users can access SharePoint Central Administration. Only the domain group you specify, and local administrators, can then access the administrative port. Limit the local administrator access to only a few computer operators.

  • Use Integrated Windows authentication instead of Basic authentication.

When you use Integrated Windows authentication, no password is sent in clear text, as happens when Basic authentication is used. If you must leave Basic authentication enabled on the administration port for browsers that cannot use Integrated Windows authentication, require SSL for that virtual server so that the clear-text credentials are at least protected in transit.

  • Disable anonymous access.

Allowing anonymous access makes your server inherently less secure. If anonymous users can reach the administration port, they can change settings or content, and their actions cannot be traced to a real user account. Anonymous access is disabled by default for the administration port; verify that it stays disabled after any change to that virtual server's settings in IIS.
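The four measures above can be applied to one server with the script below. It is an added example, not part of the original page or of the product: it moves Central Administration to a fixed port with stsadm -o setadminport, locates the administration virtual server by that port in the IIS 6 metabase, switches it to Integrated Windows authentication only (clearing the Anonymous and Basic bits of AuthFlags), and applies an IIS IP address restriction so that only one administrative subnet can reach the port. It assumes Stsadm.exe at its default path, PowerShell on the IIS 6 host run as a local administrator, SSL already configured on the administration virtual server in IIS, a hypothetical port 9443 and a hypothetical subnet 10.20.30.0/24; the -ssl switch of setadminport is assumed from the page's statement that SSL is turned on from the command line, so confirm it with stsadm -help setadminport on your build. Run it on every server in the farm so that they share the same port, then block or restrict that port on the firewall as described above.

```powershell
# Added example (not from the original page): harden the SharePoint Central
# Administration virtual server on one WSS 2.0 / IIS 6 server.
# Assumptions (all hypothetical): stsadm.exe at its default install path, 9443 as
# the new administration port, SSL already configured on the administration
# virtual server in IIS, and 10.20.30.0/24 as the only subnet allowed to reach it.
$stsadm   = "${env:CommonProgramFiles}\Microsoft Shared\web server extensions\60\BIN\stsadm.exe"
$port     = 9443
$adminNet = "10.20.30.0, 255.255.255.0"   # IIS IPSecurity format: "address, mask"

# 1. Move Central Administration off its random install-time port and onto HTTPS.
#    (-ssl assumed from the page; verify with: stsadm -help setadminport)
& $stsadm -o setadminport -port $port -ssl
if ($LASTEXITCODE -ne 0) { throw "setadminport failed with exit code $LASTEXITCODE" }

# 2. Find the administration virtual server by the port in its bindings.
$adminSite = $null
$w3svc = [ADSI] "IIS://localhost/W3SVC"
foreach ($site in $w3svc.psbase.Children) {
    if ($site.psbase.SchemaClassName -ne "IIsWebServer") { continue }
    $bindings = @($site.psbase.Properties["SecureBindings"].Value) +
                @($site.psbase.Properties["ServerBindings"].Value)
    foreach ($binding in $bindings) {
        # Binding format is "IP:port:hostheader".
        if (([string] $binding).Split(":")[1] -eq "$port") { $adminSite = $site }
    }
}
if ($adminSite -eq $null) { throw "No virtual server is bound to port $port" }
$adminId = $adminSite.psbase.Name

# 3. Allow Integrated Windows authentication only. AuthFlags 4 clears the
#    Anonymous (1) and Basic (2) bits; 'Negotiate,NTLM' leaves Kerberos available.
$root = [ADSI] "IIS://localhost/W3SVC/$adminId/Root"
$root.psbase.Properties["AuthFlags"].Value = 4
$root.psbase.Properties["NTAuthenticationProviders"].Value = "Negotiate,NTLM"
$root.psbase.CommitChanges()

# 4. Deny every address except the administrative subnet (the IIS "IP address
#    and domain name restrictions" feature, stored in the IPSecurity metabase object).
$ipsec = $adminSite.psbase.Properties["IPSecurity"].Value
$ipsec.GrantByDefault = $false
$ipsec.IPGrant = @($adminNet)
$adminSite.psbase.Properties["IPSecurity"].Value = $ipsec
$adminSite.psbase.CommitChanges()

Write-Host "Central Administration is now on https port $port (site $adminId), Integrated auth only, reachable from $adminNet only."
```

Step 4 is deliberately applied at the virtual server rather than at a single page, so that every administration page under it inherits the restriction; the page above notes that the restriction has to be set separately for each virtual server you want to protect.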

Securing SQL Server Connections

If you are using SQL Server instead of Microsoft SQL Server 2000 Desktop Engine (Windows) (WMSDE) (Microsoft SQL Server 2000 Desktop Engine (Windows) (WMSDE): A version of MSDE 2000 designed specifically for Windows SharePoint Services.) for your databases, you can choose between the following two security methods for the interactions between Windows SharePoint Services and SQL Server:

  • Integrated Windows authentication    Connect to SQL Server as the Windows identity of the IIS application pool that runs Windows SharePoint Services. This is the default and the recommended method.
  • SQL Server authentication    Connect to SQL Server using a SQL Server login name and password that you type in the Windows SharePoint Services administrative controls.

Note that if you are using SQL Server on a separate server from the server running Windows SharePoint Services, you must use a domain account (or the Local System or Network Service account) as the IIS application pool account. A local account cannot authenticate to the SQL Server computer. For the administration virtual server, the IIS application pool account must also have rights to create new databases in SQL Server; in other words, this account must be a member of the securityadmin and dbcreator fixed server roles in SQL Server. If you use Local System or Network Service, you must grant those SQL Server privileges to the machine account for the Web server computer (DOMAIN\computername$). Application pool accounts for other virtual servers do not need database creation rights; they rely on the administration virtual server to create databases, so do not grant them more than they need.

About Integrated Windows Authentication

Windows SharePoint Services uses the authentication method specified in the IIS metabase, which is Integrated Windows Authentication by default. Integrated Windows Authentication covers both Kerberos v5 authentication and NTLM authentication. New in SP2, the authentication method that is used when Windows SharePoint Services connects to the database is determined by the value of the NTAuthenticationProviders metabase property in IIS. If this property is not set (is null) or is set to Negotiate,NTLM, Kerberos authentication can be used; otherwise NTLM is used. Note that Negotiate yields Kerberos only when the client can obtain a ticket for the service, which for a domain application pool account requires an HTTP service principal name registered for that account; if it cannot, Negotiate falls back to NTLM without any error. For more information about Integrated Windows Authentication, see the Integrated Windows Authentication topic in the IIS 6.0 Administrator Guide.

 Notes 

With Integrated Windows authentication, the connection to the database is made under the identity of the IIS worker process (the application pool) that runs Windows SharePoint Services. The application pool identity's credentials are stored in the IIS metabase together with the other worker process settings, so Windows SharePoint Services itself holds no database password. This configuration can require a few more steps in a server farm environment. For example, if your domain has a policy requiring frequent password resets, you must remember to change the application pool password in IIS on every server computer in your server farm, or the worker processes on the servers you missed will fail to start.

You can have a single process for all of your virtual servers, or you can isolate each virtual server with its own application pool. Using separate processes is more secure. For example, if you have a custom script running for one virtual server, it could potentially be written to access pages in another virtual server if they share an application pool, because both run under the same identity. If they have separate application pools with different identities, the script cannot authenticate to the other virtual server's database.

About SQL Server Authentication

SQL Server authentication uses a SQL Server login and password (often the default sa account, which should not be used for this purpose) stored in the SQL Server database to connect between Windows SharePoint Services and the databases. This same user name and password are used for all updates to the databases, no matter which server (in a server farm) or virtual server (server farm or single server) requests the update. Also, when you use SQL Server authentication, the password for the account is sent over the network, where SQL Server 2000 only lightly obfuscates it unless the connection itself is encrypted, so it can potentially be captured by malicious users. It is recommended that you use Integrated Windows authentication for connections between Windows SharePoint Services and the SQL Server databases.

When you use SQL Server authentication, the user name and password you specify are available to all members of the STS_WPG group, which may include accounts associated with other applications on your server; any of those accounts can then connect to the databases with the same rights as Windows SharePoint Services.

About Firewalls

Windows SharePoint Services supports connectivity through firewalls. Depending on your configuration, you must make sure your firewall is open for the standard HTTP port 80 and HTTPS port 443, and, only if administration from outside is required, for the port you assigned to SharePoint Central Administration. If clients reach the server through a proxy server firewall that does not keep a client connection open across requests, Integrated Windows authentication (NTLM) cannot complete, and you must configure those Web sites with Basic authentication; because Basic authentication sends credentials in clear text, require SSL on those sites.

Related Topics

For more information about site groups in Windows SharePoint Services, see Managing Site Groups and Permissions and Managing Users and Cross-Site Groups.

Applies to:
Deployment Center 2003