Export (0) Print
Expand All
Expand Minimize

Windows Security Model

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

SharePoint Team Services, a new technology from Microsoft, and Microsoft FrontPage 2002 Server Extensions rely on the security features of Microsoft Windows NT (FrontPage 2002 Server Extensions only), Microsoft Windows 2000, and Microsoft Windows Server 2003 family (FrontPage 2002 Server Extensions only) to provide security for Web site content. There are two elements in Windows security:

  • User authentication — the process used to validate the user account that is attempting to gain access to a Web site or network resource.

  • File system security — the ability to control which users gain access to which files or folders in the file system.

In addition to these elements, SharePoint Team Services and FrontPage 2002 Server Extensions include a new security feature: user roles. With user roles, you do not have to control the file and folder permissions separately, or worry about keeping your local groups synchronized with your list of Web users. You use roles to give users permissions on your Web site, and use SharePoint Team Services and FrontPage 2002 Server Extensions administration tools to add new users directly. For more information about user roles, see Managing Roles.

User Authentication

 Cc767976.spacer(en-us,TechNet.10).gif Cc767976.spacer(en-us,TechNet.10).gif

When you use SharePoint Team Services or FrontPage 2002 Server Extensions on the Windows platform, user authentication is based on Internet Information Services (IIS) authentication methods. IIS provides five forms of user authentication:

  • Anonymous authentication

  • Basic authentication

  • Integrated Windows authentication

  • Digest Access authentication

  • Certificate authentication

Anonymous Authentication

 Cc767976.spacer(en-us,TechNet.10).gif Cc767976.spacer(en-us,TechNet.10).gif

Anonymous authentication provides access to users who do not have Windows NT server accounts on the server computer (for example, Web site visitors). IIS creates the anonymous account for Web services, IUSR_computername. When IIS receives an anonymous request, it impersonates the anonymous account.

Basic Authentication

 Cc767976.spacer(en-us,TechNet.10).gif Cc767976.spacer(en-us,TechNet.10).gif

Basic authentication is an authentication protocol supported by most Web servers and browsers. Although Basic authentication transmits user names and passwords in easily decoded clear text, it has some advantages over more secure authentication methods, in that it works through a proxy server firewall and ensures that a Web site is accessible by almost any Web browser. If you use Basic authentication in combination with Secure Sockets Layer (SSL) security, you can add a layer of protection to the user names and passwords, making your user information more secure.

Integrated Windows Authentication

 Cc767976.spacer(en-us,TechNet.10).gif Cc767976.spacer(en-us,TechNet.10).gif

Integrated Windows authentication (also known as Windows NT Challenge Response) encrypts user names and passwords in a multiple transaction interaction between client and server, thus making this method more secure than Basic authentication. Disadvantages are that this method cannot be performed through a proxy server firewall, and some Web browsers (most notably, Netscape Navigator) do not support it. You can, however, enable both this method and Basic authentication at the same time.

Digest Access Authentication

 Cc767976.spacer(en-us,TechNet.10).gif Cc767976.spacer(en-us,TechNet.10).gif

Digest Access authentication is similar to Basic authentication, except that a user's name and password are transmitted in a more secure format. This method requires IIS 5.0 or later on the server computer and Microsoft Internet Explorer 5 or later on the client computer. Digest Access authentication works with domain accounts only; you cannot use Digest Access authentication with local user accounts.

Certificate Authentication

 Cc767976.spacer(en-us,TechNet.10).gif Cc767976.spacer(en-us,TechNet.10).gif

Certificate authentication (also known as Secure Sockets Layer security) provides communications privacy, authentication, and message integrity for a TCP/IP connection. By using the SSL protocol, clients and servers can communicate in a way that prevents eavesdropping, tampering, or message forgery. With SharePoint Team Services or FrontPage 2002 Server Extensions, SSL ensures secure authoring across firewalls and ensures security during remote administration of SharePoint Team Services or FrontPage 2002 Server Extensions. You can also specify that SSL be used when opening a SharePoint team Web site or opening or publishing FrontPage-based Web sites.

You choose the authentication method you want to use when you set up your Web server. You cannot change the authentication method by using the SharePoint Team Services or FrontPage 2002 Server Extensions administration tools; you must use the Internet Information Services administration tool for your server computer to change the authentication method.

Note   For more information about IIS authentication methods, see the topic About authentication in IIS 5.0 or IIS 4.0 online Help.

About Firewalls

 Cc767976.spacer(en-us,TechNet.10).gif Cc767976.spacer(en-us,TechNet.10).gif

SharePoint Team Services and FrontPage 2002 Server Extensions support connectivity through firewalls. Depending on your configuration, you must make sure your firewall is open for the standard HTTP ports 80 and 443. When using a firewall, you must configure your Web sites with Basic Authentication because Integrated Windows Authentication cannot pass through a firewall.

File System Security

 Cc767976.spacer(en-us,TechNet.10).gif Cc767976.spacer(en-us,TechNet.10).gif

SharePoint Team Services and FrontPage 2002 Server Extensions rely on the Windows operating system to secure the file system for your Web sites. Microsoft Windows NT (FrontPage 2002 Server Extensions only), Microsoft Windows 2000, and Microsoft Windows Server 2003 family support access control lists (ACLs) to secure files and folders.

Note   ACLs are supported only by the Windows NT File System (NTFS). Because SharePoint Team Services and FrontPage 2002 Server Extensions security is in part based on ACLs, you must use NTFS on the server computer that hosts IIS and SharePoint Team Services or FrontPage 2002 Server Extensions.

The following ACLs can be given to accounts to control access to a file.

File ACL

Description

None

User has no access to a file.

Read (Read & Execute in Windows Server 2003 or Read Data in Windows 2000)

User can view data in a file.

Write (Create Files /Write Data in Windows Server 2003 or Write Data in Windows 2000)

User can change data in a file.

Execute (Traverse Folder/Execute File in Windows Server 2003 or Execute Data in Windows 2000)

User can run a program file.

Delete

User can delete a file.

Change Permissions

User can change permissions on a file.

Take Ownership

User can take ownership of a file (note that the owner of a file also has all other permissions for that file).

The following ACLs can be given to accounts to control access to a folder.

Folder ACL

Description

None

User has no access to a folder.

Read (List Folder/Read Data in Windows Server 2003 or List Folder in Windows 2000)

User can view file names and subfolder names in a folder.

Write (Create Files/Write Data in Windows Server 2003 or Create Files in Windows 2000)

User can add files and subfolders to a folder.

Execute (Traverse Folder/Execute Files in Windows Server 2003 or Traverse Folder in Windows 2000)

User can change to subfolders.

Delete (Delete subfolders and files in Windows 2000 and Windows Server 2003)

User can delete subfolders.

Change Permissions

User can change permissions on a folder.

Take Ownership

User can take ownership of a folder (note that the owner of a folder also has all other permissions for that folder).

Note   For more information about ACLs, see the topics File permissions and Folder permissions in the Windows NT 4.0 or Windows 2000 online Help, or the Access control topic in the Windows Server 2003 online Help.

Managing Permissions Manually

 Cc767976.spacer(en-us,TechNet.10).gif Cc767976.spacer(en-us,TechNet.10).gif

With FrontPage 2000 Server Extensions, you could bypass the built-in security management and set permissions manually on the content of a FrontPage-based Web site. With SharePoint Team Services and FrontPage 2002 Server Extensions, the roles and permissions have been improved, and this functionality is no longer available.

Best practices for protecting your administrative credentials

Along with controlling access to the content hosted on your servers, you should also do your best to protect your administrative credentials. To help protect your server administrative credentials:

  • Do not browse untrusted sites while logged in as an administrator of your server.

  • Do not enter your administrator credentials on an untrusted or unknown site.

  • Be aware when the intranet zone changes (for example, when you go from an intranet to an Internet site). Usually, this zone change prompts for your credentials – do not enter them if the site is unknown or untrusted.

  • Set your Internet Explorer security settings to Prompt for user name and password. This gives you a warning if your credentials are sent to a site that should not require them. To specify this security setting, in Internet Explorer, on the Tools menu, click Internet Options, and then click the Security tab. Select the zone you want to change (it is recommended that you change this setting for the Internet zone and Restricted zone), and then click Custom Level. Under User Authentication, under Logon, select Prompt for user name and password.

Related Links

For more information about users and roles in SharePoint Team Services and FrontPage 2002 Server Extensions, see Managing Roles and Managing Users.

The Microsoft Technet Web site includes white papers that describe IIS security in more detail. For an overview of IIS security, see The Basics of Security. For information about IIS and security issues, see Untangling Web Security: Getting the Most from IIS Security.

Cc767976.spacer(en-us,TechNet.10).gif

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft