Performing Administrative Tasks Using Central Administration (part 24) - General Security

5. Security

SharePoint 2010 includes several security options that enable global configuration for better control of security. These options are accessed using the Security functional category in Central Administration. When you make changes to many of the options in this management section, they will have a global effect on all SharePoint 2010 servers in your farm, so it is important that you understand the available options. There are three general sections of security management in this category.

• Users

• General Security

• Information Policy

5.1. Users

This section provides configuration and management options for managing the farm administrators, Active Directory distribution groups, and user policies for Web applications.

5.1.1. Manage the Farm Administrators Group

This setting allows you to add and remove users or groups as administrators in the SharePoint 2010 farm. You should always use an Active Directory security group so that you can easily swap out users in the group without affecting security in SharePoint.

Being an administrator in SharePoint 2010 does not give the user the right to create Web applications in IIS; that still requires local administrator rights on the server. Additionally, it does not give the user the right to manage databases in SQL Server. Additional permissions are required to perform SQL Server tasks such as backups, restores, and changes to database properties.

5.1.2. Approve or Reject Distribution Groups

If you have chosen to enable incoming e-mail through the System Settings functional category, one of the options you have is to allow SharePoint groups to have e-mail addresses so that new distribution groups can be created in Active Directory. By default, when new distribution groups are created or deleted, these operations require farm administrator approval before the actual create or delete operation is performed in Active Directory.

5.2. General Security

There are several general security settings that are managed in the General Security section of Central Administration. Some of these security settings are farm level settings, and others are Web application settings. The following sections distinguish between these when discussing each of the General Security options.

5.2.1. Configure Managed Accounts

SharePoint 2010 introduces the concept of managed accounts, which are used to define an account in Active Directory and then configure it to automatically change the password. This enables SharePoint administrators to comply with strict Active Directory account policies in which service accounts need to have their passwords changed regularly to adhere to Active Directory policies. For this setting to work correctly, the Active Directory administrator must configure a Group Policy to enforce the password change policy.

This account management option allows SharePoint to update all the components that are using this service account with the new password change, which avoids disruption to any of the services using the Active Directory account, such as application pools.

You would use the interface shown in Figure 52 to specify the user name of the Active Directory account that will be registered as a managed account. You also use this page to specify when you want the password to be changed and if you want e-mail notifications sent before the password is changed.

5.2.2. Configure Service Accounts

This option allows you to manage service accounts that are being used by a SharePoint service, such as an application pool or service application. From the drop-down list on the Configure Service Accounts page, select the service you want to manage and then select the new account that you want it to use from the list of registered accounts. If your account is a new service account, then you can register it first from this page as a new SharePoint registered account.

5.2.3. Configure Password Change Settings

The Configure Password Change Settings option works in conjunction with the Configure Managed Accounts settings to automatically change passwords. To send notifications of the impending password changes, as well as to send error messages regarding the actual password change event, you must complete the fields in the Configure Password Change Settings interface. Specify the e-mail address where you want these notifications sent.

Note:

Best Practices Use a farm administrators group e-mail address as the address to send these notifications so that all farm administrators know about the impending password change as well as any problems that might occur during the change event.

5.2.4. Manage Trusts

Trusts are created when two farms are communicating with each other by allowing one of the farms to consume services from the other farm. This inter-farm configuration makes it easy for service applications to be shared between farms. When establishing the trust relationship between farms, the consuming farm must trust the root Certificate Authority (CA) for SSL on the farm that is hosting the shared service applications.

5.2.5. Manage Antivirus Settings

Before you can manage antivirus settings, you must first install a SharePoint 2010–compatible antivirus product such as Microsoft Forefront. After you install the antivirus product, it will either update the page shown in Figure 6-64 for you, or you can open the page and modify the settings to determine how the antivirus software will manage SharePoint documents.

After the software is installed, you can use the Antivirus settings page to configure the level of scanning that you want to set. You can choose from the following four scanning options.

• Scan Documents On Upload

• Scan Documents On Download

• Allow Users To Download Infected Documents

• Attempt To Clean Infected Documents

You can also configure how long the virus scanner should run before it times out; the default is 5 minutes. Lastly, you can configure the number of threads that are used by the scanner. Both of these settings can impact the performance of both the scanner and the server hosting the antivirus software, so be sure to analyze the impact of any changes you make.

5.3. Information Policy

There are two options available for defining general settings at the document level for utilization, access, and control in SharePoint 2010.

5.3.1. Configure Information Rights Management

Security is always an important consideration for system administrators and management alike. Even though SharePoint 2010 has file security built into the document libraries, you still might require an additional layer of security. Information rights management (IRM) is built on top of a certificate-based infrastructure that allows users to restrict access to a document not just by name but also by their certificates. Information rights management requires both client- and server-based add-on software to work; there are also additional Client Access License (CAL) costs involved.

The difference between IRM and security is important to understand. Security focuses on regulating who can see what content. IRM targets what can be done with the content after it is accessed by the user. Some people have used the terms security and privacy to differentiate between the two concepts, with privacy describing the feature offered by IRM. Those who work extensively in the security field don’t like the privacy term, but nevertheless, they are good terms to help you remember the difference between security and IRM.

5.3.2. Configure Information Management Policy

Policies were introduced in SharePoint Server 2007, and except for a name change for one of the options (Expiration changed to Retention), they provide the same options at this level in SharePoint 2010. You can configure four farm level policies that are available for lists, libraries, and content types for use throughout the entire farm. Table 5 describes these default policies. By default, all policies are enabled and available throughout the farm, but all of them have the option of being decommissioned if you want to disable the functionality they provide.