5. Security
SharePoint 2010 includes several security
options that enable global configuration for better control of
security. These options are accessed using the Security functional
category in Central Administration. When you make changes to many of the
options in this management section, they will have a global effect on
all SharePoint 2010 servers in your farm, so it is important that you
understand the available options. There are three general sections of
security management in this category.
Users
General Security
Information Policy
5.1. Users
This section provides
configuration and management options for managing the farm
administrators, Active Directory distribution groups, and user policies
for Web applications.
5.1.1. Manage the Farm Administrators Group
This setting allows you to add
and remove users or groups as administrators in the SharePoint 2010
farm. You should always use an Active Directory security group so that you can easily swap out users in the group without affecting security in SharePoint.
By default, the
BUILTIN\Administrators group has farm administration permissions. It is
recommended that you add the Active Directory security group immediately
after a successful installation of SharePoint and then remove the
BUILTIN\Administrators group to prevent the members of this group from
having full SharePoint administrator permissions. You want to be
extremely selective about who becomes part of the Farm Administrators
group, because they have the capability to perform any task at any level
in the farm. There should only be a few select individuals who have
these permissions.
Note:
Being an administrator in
SharePoint 2010 does not give the user the right to create Web
applications in IIS; that still requires local administrator rights on
the server. Additionally, it does not give the user the right to manage
databases in SQL Server. Additional permissions are required to perform
SQL Server tasks such as backups, restores, and changes to database
properties.
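The swap described above (add an Active Directory security group, then remove BUILTIN\Administrators) as a Windows PowerShell script, added here as an example and not taken from the book; CONTOSO\SP-FarmAdmins is an assumed group name, and the script only removes the built-in group after confirming the new group is present so the farm is never left without an administrator.

```powershell
# Added example: replace BUILTIN\Administrators with an AD security group
# in the SharePoint 2010 Farm Administrators group. Run from the SharePoint
# 2010 Management Shell as a current farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$adGroup = "CONTOSO\SP-FarmAdmins"      # assumed group name
$builtin = "BUILTIN\Administrators"

# The Farm Administrators group lives in the Central Administration site.
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caWeb = Get-SPWeb $caWebApp.Url
$farmAdmins = $caWeb.SiteGroups["Farm Administrators"]

# 1. Add the AD security group if it is not already a member
#    (arguments: login name, e-mail, display name, notes).
if (-not ($farmAdmins.Users | Where-Object { $_.LoginName -eq $adGroup })) {
    $farmAdmins.AddUser($adGroup, "", "SharePoint Farm Administrators", "")
}

# 2. Remove BUILTIN\Administrators only once the AD group is confirmed
#    present, so there is always at least one administrator entry.
$present = $farmAdmins.Users | Where-Object { $_.LoginName -eq $adGroup }
if ($present) {
    # @() materialises the list before we modify the collection.
    @($farmAdmins.Users | Where-Object { $_.LoginName -eq $builtin }) |
        ForEach-Object { $farmAdmins.RemoveUser($_) }
}

# 3. Review the remaining members; this list should be short.
$farmAdmins.Users | Select-Object LoginName, IsDomainGroup
$caWeb.Dispose()
```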
5.1.2. Approve or Reject Distribution Groups
If you have chosen to enable
incoming e-mail through the System Settings functional category, one of
the options you have is to allow SharePoint groups to have e-mail
addresses so that new distribution
groups can be created in Active Directory. By default, when new
distribution groups are created or deleted, these operations require
farm administrator approval before the actual create or delete operation
is performed in Active Directory.
5.2. General Security
There are several
general security settings that are managed in the General Security
section of Central Administration. Some of these security settings are
farm level settings, and others are Web application settings. The
following sections distinguish between these when discussing each of the
General Security options.
5.2.1. Configure Managed Accounts
SharePoint 2010 introduces the concept of managed
accounts: an Active Directory account is registered with SharePoint,
which then changes its password automatically. This lets SharePoint
administrators comply with strict Active Directory account policies that
require service account passwords to be changed regularly. For this
setting to work correctly, the Active Directory administrator must
configure a Group Policy to enforce the password change policy.
This account management
option allows SharePoint to update all the components that are using
this service account with the new password change, which avoids
disruption to any of the services using the Active Directory account,
such as application pools.
You would use the interface shown in Figure 52
to specify the user name of the Active Directory account that will be
registered as a managed account. You also use this page to specify when
you want the password to be changed and if you want e-mail notifications
sent before the password is changed.
5.2.2. Configure Service Accounts
This option allows you to
manage service accounts that are being used by a SharePoint service,
such as an application pool or service application. From the drop-down
list on the Configure Service Accounts page, select the service you want
to manage and then select the new account that you want it to use from
the list of registered accounts. If your account is a new service
account, then you can register it first from this page as a new
SharePoint registered account.
5.2.3. Configure Password Change Settings
The Configure Password
Change Settings option works in conjunction with the Configure Managed
Accounts settings to automatically change passwords. To send
notifications of the impending password changes, as well as to send
error messages regarding the actual password change event, you must
complete the fields in the Configure Password Change Settings interface.
Specify the e-mail address where you want these notifications sent.
Note:
Best Practices
Use a farm administrators group e-mail address as the address to send
these notifications so that all farm administrators know about the
impending password change as well as any problems that might occur
during the change event.
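The Configure Managed Accounts and Configure Password Change Settings steps above, carried out with the SharePoint 2010 cmdlets, as an added example that is not from the book; the account name CONTOSO\svc-sp-app, the schedule string, the day counts and the notification address are assumed values.

```powershell
# Added example: register a service account as a managed account, hand its
# password rotation to SharePoint, and point change notifications at the
# farm administrators group mailbox. Run from the SharePoint 2010
# Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Register the AD account (Configure Managed Accounts page).
#    Get-Credential prompts for the account's current password.
$cred = Get-Credential "CONTOSO\svc-sp-app"          # assumed account
$acct = New-SPManagedAccount -Credential $cred

# 2. Let SharePoint generate a new password on a monthly schedule inside a
#    maintenance window, change it 10 days before AD would expire it, and
#    e-mail a warning 5 days before the change. SharePoint pushes the new
#    password to every component using the account (e.g. application pools).
Set-SPManagedAccount -Identity $acct `
    -AutoGeneratePassword `
    -Schedule "monthly between 1 02:00:00 and 1 03:00:00" `
    -PreExpireDays 10 `
    -EmailNotification 5 `
    -Confirm:$false

# 3. Farm-wide notification target and retry behaviour
#    (Configure Password Change Settings page). A group address means every
#    farm administrator sees the warning and any change-event errors.
Set-SPPasswordChangeSettings `
    -MailAddress "sp-farm-admins@contoso.example" `
    -DaysBeforeExpiry 10 `
    -PasswordChangeWaitTimeSeconds 60 `
    -NumberOfRetries 3

# 4. Confirm the account is registered and set to change automatically.
Get-SPManagedAccount -Identity $cred.UserName | Format-List
```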
5.2.4. Manage Trusts
Trusts are created when two
farms are communicating with each other by allowing one of the farms to
consume services from the other farm. This inter-farm configuration
makes it easy for service applications to be shared between farms. When
establishing the trust relationship between farms, the consuming farm
must trust the root Certificate Authority (CA) for SSL on the farm that
is hosting the shared service applications.
5.2.5. Manage Antivirus Settings
Before you can manage antivirus
settings, you must first install a SharePoint 2010–compatible antivirus
product such as Microsoft Forefront. After you install the antivirus
product, it will either update the page shown in Figure 6-64
for you, or you can open the page and modify the settings to determine
how the antivirus software will manage SharePoint documents.
After the software is
installed, you can use the Antivirus settings page to configure the
level of scanning that you want to set. You can choose from the
following four scanning options.
Scan Documents On Upload
Scan Documents On Download
Allow Users To Download Infected Documents
Attempt To Clean Infected Documents
You can also configure how
long the virus scanner should run before it times out; the default is 5
minutes. Lastly, you can configure the number of threads that are used
by the scanner. Both of these settings can impact the performance of
both the scanner and the server hosting the antivirus software, so be
sure to analyze the impact of any changes you make.
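The same six antivirus settings written through the farm object model instead of the Antivirus settings page, as an added example that is not from the book; it assumes a SharePoint 2010-compatible antivirus product is already installed, and the thread count is an assumed value.

```powershell
# Added example: configure the four scanning options, the scanner time-out
# and the thread count on the farm's antivirus settings object, which is
# the object the Antivirus settings page in Central Administration edits.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$av = $service.AntivirusSettings
$props = "UploadScanEnabled", "DownloadScanEnabled", "AllowDownload",
         "CleaningEnabled", "Timeout", "NumberOfThreads"

# Record the current values before changing anything.
$av | Format-List -Property $props

# Scan Documents On Upload / Scan Documents On Download
$av.UploadScanEnabled   = $true
$av.DownloadScanEnabled = $true
# Allow Users To Download Infected Documents: leave off so a file the
# scanner flagged cannot be served to users.
$av.AllowDownload       = $false
# Attempt To Clean Infected Documents
$av.CleaningEnabled     = $true
# Scanner time-out (the book's default is 5 minutes) and worker threads.
# Both change scanner and server load, so measure before altering them.
$av.Timeout             = [TimeSpan]::FromMinutes(5)
$av.NumberOfThreads     = 5                     # assumed value

# Persist the change farm-wide and show the result.
$service.Update()
$av | Format-List -Property $props
```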
5.3. Information Policy
There are two options
available for defining general settings at the document level for
utilization, access, and control in SharePoint 2010.
5.3.1. Configure Information Rights Management
Security
is always an important consideration for system administrators and
management alike. Even though SharePoint 2010 has file security built into the document libraries, you still might require an additional layer of security.
Information rights management (IRM) is built on top of a
certificate-based infrastructure that allows users to restrict access to
a document not just by name but also by their certificates. Information
rights management requires both client- and server-based add-on
software to work; there are also additional Client Access License (CAL)
costs involved.
The difference between IRM and
security is important to understand. Security focuses on regulating who
can see what content. IRM targets what can be done with the content
after it is accessed by the user. Some people have used the terms
security and privacy to differentiate between the two concepts, with
privacy describing the feature offered by IRM. Those who work
extensively in the security field don’t like the privacy term, but
nevertheless, they are good terms to help you remember the difference
between security and IRM.
5.3.2. Configure Information Management Policy
Policies were introduced
in SharePoint Server 2007, and except for a name change for one of the
options (Expiration changed to Retention), they provide the same options
at this level in SharePoint 2010. You can configure four farm level
policies that are available for lists, libraries, and content types for
use throughout the entire farm. Table 5
describes these default policies. By default, all policies are enabled
and available throughout the farm, but all of them have the option of
being decommissioned if you want to disable the functionality they
provide.
Table 5. Information Management Policies

| POLICY NAME | POLICY DESCRIPTION |
|---|---|
| Labels | Gives users the ability to view and add metadata labels in a document itself. These labels can be printed with the document and also can be searchable attributes. |
| Auditing | Allows lists and libraries to audit the actions of users in the library, such as modify or delete, download, and back up. |
| Retention | Provides a method for processing content that has been assigned an expiration setting, possibly through a workflow for archiving. |
| Barcodes | Allows unique barcodes to be inserted in documents that can then be printed with the document or searched. |