Export (0) Print
Expand All

Plan security for an internal team or department environment (Office SharePoint Server)

SharePoint 2007

Updated: April 23, 2009

Applies To: Office SharePoint Server 2007

 

Topic Last Modified: 2009-04-17

In this article:

Security guidance for an internal team or department focuses on recommending practical security configurations and settings for a team or department within a larger organization. This guidance assumes that the servers are not hosted by the primary IT team within the organization.

While the guidance for this environment requires some IT knowledge, it is not necessary for farm administrators to be dedicated IT specialists. If more specialized roles are required to implement a setting, these roles are noted.

This guidance is intended to be used together with the guidance provided in Plan secure configurations for Office SharePoint Server features.

Review the following checklist to ensure that your plans meet the criteria for a secure server topology design.

Topology

[ ]

For a team or department deployment that has internal access only, Microsoft Office SharePoint Server 2007 can be installed on a single server or on two servers.

[ ]

In a two-server or more deployment, the Central Administration site should be hosted on a different server than the front-end Web server, where possible. This can only be accomplished if application server roles are hosted on a different server than the front-end Web server role.

For example, if Server A hosts the front-end Web server role and Server B hosts the database and application server roles, the most secure location for the Central Administration site is on Server B. However, if Server A hosts the front-end Web server and application server roles and Server B hosts only the database role, the only option is to host the Central Administration site on Server A.

Logical architecture

[ ]

At least one zone in each Web application uses NTLM authentication. This is required for the search account to crawl content within the Web application. The search account cannot use Kerberos authentication to crawl content.

For more information, see Plan authentication methods (Office SharePoint Server).

[ ]

When deploying custom Web Parts, ensure that only trustworthy Web Parts are deployed within Web applications that host sensitive or secure content. This protects the sensitive content against intradomain scripting attacks.

Guidance for an internal team or department environment assumes that only internal access is allowed for the servers, sites, and content and that the overall network environment is secured by policies developed by an IT department. Consequently, hardening servers for specific roles is not necessary to the same extent as for other environments. However, there are several features that require specific services or other settings that otherwise might not be configured.

The following table describes recommended hardening settings for an internal team or department.

 

Feature Setting

E-mail integration

If e-mail integration is enabled, the SMTP service is required on one front-end Web server.

Microsoft Office Project Server 2007 and Microsoft Office Forms Server 2007

Both Office Project Server 2007 and Office Forms Server 2007 maintain session state. If you are deploying these features or products within your server farm, do not disable the ASP.NET State Service. Additionally, if you are deploying InfoPath Forms Services, do not disable the View State service.

Single sign-on (SSO)

SSO relies on the Microsoft Single Sign-On service. For more information about configuring this feature, see Plan for single sign-on.

The following table describes additional recommendations for securing Office SharePoint Server 2007 features. These recommendations are appropriate for an internal team or department environment.

 

Feature or area Recommendation

Authentication

Authenticate against the existing identity management system. If this is not the Active Directory directory service, use ASP.NET forms authentication to connect to your identity management system. Using forms authentication might require assistance from the following roles:

  • ASP.NET developer to develop the authentication provider.

  • Administrator of the identity management system to which you are connecting.

Central Administration site

  • Restrict access to the Central Administration site to appropriate users only.

  • If you are enabling the Central Administration site for remote administration, secure the Central Administration site by using Secure Sockets Layer (SSL).

  • Administrators who run deployment operations must be members of the local administrators group on the server that hosts the Central Administration site.

Windows SharePoint Services Administration service

In a single-server deployment, the Windows SharePoint Services Administration service is disabled by default for the following reasons:

  • This service, which is used to run deployment tasks that are initiated from the Central Administration site, is generally not required for a single-server deployment. However, deployment tasks can be run by using the Stsadm.exe command-line tool, which does not require the use of this service.

  • The account that is used for the Central Administration site is shared with all other processes. Consequently, disabling this service results in a more secure configuration.

For a secure single-server deployment, it is recommended to:

  • Change the server farm account after running Setup.

  • Start the Windows SharePoint Services Administration service.

Performing these actions will enable you to perform deployment-related tasks directly from the Central Administration site.

This topic is included in the following downloadable book for easier reading and printing:

See the full list of available books at Downloadable content for Office SharePoint Server 2007.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft