Export (0) Print
Expand All

Plan security for an external anonymous access environment (Windows SharePoint Services)

SharePoint 2007

Updated: April 16, 2009

Applies To: Windows SharePoint Services 3.0

 

Topic Last Modified: 2009-04-15

In this article:

Security guidance for an external anonymous access environment is targeted to allow anonymous access to content while protecting back-end servers in the farm from direct user access or malicious actions targeted through front-end Web servers. In an environment where multiple farms might be deployed to support authoring, staging, and publishing, the guidance for this environment is intended for the published farm (the farm that is anonymously accessed by users).

There are several unique recommendations for an external anonymous access environment. Some of these recommendations might not be practical for all solutions.

Hosting sites for anonymous use requires Internet-facing servers. You can limit the exposure to traffic from the Internet by protecting back-end servers, including application servers (search) and servers that host databases:

  • Protecting database servers   At a minimum, place a firewall between front-end Web servers and servers that host databases. Some environments dictate that database servers be hosted in an internal network instead of directly in an extranet environment.

  • Protect the index role   The index component communicates through a front-end Web server to crawl content in sites. To protect this communication channel, consider configuring a dedicated front-end Web server for use by one or more index servers. This isolates crawling communication to a front-end Web server that is not accessible to users. Additionally, configure Internet Information Services (IIS) to restrict SiteData.asmx (the crawler SOAP service) to allow only the index server (or other crawlers) to access it. Providing a front-end Web server dedicated to content crawling also improves performance by reducing the load on the main front-end Web servers, thereby improving the user experience.

For content to be available for anonymous access, the following must be configured:

  • The site or site collection must be configured to allow anonymous access.

  • At least one zone in the Web application must be configured to allow anonymous access.

Enable anonymous access only for Web applications that require unauthenticated access. If you want to use authentication for personalization, implement forms authentication by using a simple database authentication provider.

Because external users have access to the network zone, it is important to secure the Central Administration site to block external access and secure internal access:

  • Ensure that the Central Administration site is not hosted on a front-end Web server.

  • Block external access to the Central Administration site. This can be achieved by placing a firewall between front-end Web servers and the server that hosts the Central Administration site.

  • Configure the Central Administration site by using Secure Sockets Layer (SSL). This ensures that communication from the internal network to the Central Administration site is secured.

Do not use e-mail integration for incoming e-mail. This protects your environment from risks associated with e-mail sent from anonymous sources on the Internet. If you do allow incoming e-mail, configure the Central Administration site to enable anonymous e-mail. While this option is available, it is not very secure.

Use this design checklist together with the checklists in Review the secure topology design checklists (Windows SharePoint Services).

Topology

[ ]

Protect back-end servers by placing at least one firewall between front-end Web servers and the application and database servers.

[ ]

Plan a dedicated front-end Web server for crawling content. Do not include this front-end Web server in the end-user front-end Web rotation.

Logical architecture

[ ]

Enable anonymous access only for Web application zones that host sites or site collections that are configured to allow anonymous access.

For more information, see Plan authentication methods (Windows SharePoint Services).

[ ]

Use SSL to secure content deployment.

[ ]

Block access to the Central Administration site and configure SSL for the site.

The following table describes additional hardening recommendations for an external anonymous access environment.

 

Component Recommendation

Ports

Block external access to the port for the Central Administration site.

Protocols

Disable SMTP.

IIS

If you are configuring a dedicated front-end Web server for indexing, configure IIS to restrict SiteData.asmx (the crawler SOAP service) to allow only the index server (or other crawlers) to access it.

No additional guidance is recommended for this environment.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft