Server hardening in an EPM/Office SharePoint Server 2007 extranet environment

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2016-11-14

This article describes the hardening requirements for an extranet environment in which a Microsoft Office SharePoint Server 2007 server farm is positioned inside a perimeter network and content is available from the Internet or from the corporate network.

Extranet hardening planning tool

The following planning tool applies to this article: Extranet hardening planning tool: back-to-back perimeter (https://go.microsoft.com/fwlink/?LinkId=85533&clcid=0x409)

Based on the back-to-back perimeter topology, this tool articulates the port requirements for each computer that is running Microsoft Internet Security and Acceleration (ISA) Server and each router or firewall. This tool is an editable Microsoft Office Visio file that you can revise for your environment. For example, you can:

  • Add your custom port numbers, where applicable.

  • Where a choice of protocols or ports is provided, indicate which ports you will use.

  • Indicate the specific ports that are used for database communication in your environment.

  • Add or remove requirements for ports based on:

    • Whether you are configuring e-mail integration.

    • Which layer you deploy the query role to.

    • Whether you are configuring a domain trust relationship between the perimeter domain and the corporate domain.

If you want to see additional planning tools for other supported extranet topologies, submit a comment on this article.

Network topology

The hardening guidance in this article can be applied to many extranet configurations. The following back-to-back perimeter network topology diagram shows an example implementation and shows the server and client roles across an extranet environment. The purpose of the diagram is to explain each possible role and its relationship to the overall environment. Consequently, the query role appears twice. In a real implementation, the query role is deployed either on Web servers or as an application server, but not both. And, if the query role is deployed to the Web servers, it is deployed to all Web servers in a farm. For the purpose of communicating security hardening requirements, the diagram shows all options. The routers illustrated can be exchanged for firewalls.

Extranet security hardening diagram

Domain trust relationships

The requirement for a domain trust relationship depends on how the server farm is configured. This section discusses two possible configurations.

Server farm resides in the perimeter network

The perimeter network requires its own Active Directory directory service infrastructure and domain. Typically, the perimeter domain and the corporate domain are not configured to trust one another. However, to authenticate intranet users and remote employees who are using their domain credentials (Windows authentication), you must configure a one-way trust relationship in which the perimeter domain trusts the corporate domain. Forms authentication and Web SSO do not require a domain trust relationship.

Server farm is split between the perimeter network and the corporate network

If the server farm is split between the perimeter network and the corporate network with the database servers residing inside the corporate network, a domain trust relationship is required if Windows accounts are used. In this scenario, the perimeter network must trust the corporate network. If SQL authentication is used, a domain trust relationship is not required. The following table summarizes the differences between these two approaches.

Table 15. Differences between approaches

Description

  Windows authentication:

    Corporate domain accounts are used for all Office SharePoint Server 2007 service and administration accounts, including application pool accounts.

    A one-way trust relationship, in which the perimeter network trusts the corporate network, is required.

  SQL authentication:

    Office SharePoint Server 2007 accounts are configured in the following ways:

    • SQL authentication is used for every database that is created.

    • All other administration and service accounts are created as domain accounts in the perimeter network.

    • Web servers and application servers are joined to the perimeter network.

    A trust relationship is not required but can be configured to support client authentication against an internal domain controller.

    Note: If the application servers reside in the corporate domain, a one-way trust relationship, in which the perimeter network trusts the corporate network, is required.

Setup

  Windows authentication:

    Setup includes the following:

    • Office SharePoint Server 2007 administration and service accounts are created in the corporate domain.

    • Web servers and application servers are joined to the perimeter network.

    • A trust relationship is established in which the perimeter domain trusts the corporate domain.

  SQL authentication:

    Setup includes the following:

    • All database accounts must be created as SQL login accounts in SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio. These accounts must be created before the creation of any Office SharePoint Server 2007 databases, including the configuration database and the AdminContent database.

    • You must use the Psconfig command-line tool to create the configuration database and the SharePoint_AdminContent database. You cannot use the SharePoint Products and Technologies Configuration Wizard to create these databases. In addition to using the -user and -password parameters to specify the server farm account, you must use the -dbuser and -dbpassword parameters to specify SQL authentication accounts.

    • You can create additional content databases in Central Administration by selecting the SQL authentication option. However, you must first create the SQL login accounts in SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio.

    • Secure all communication with the database servers by using SSL.

    • Ensure that the ports that are used to communicate with SQL Server remain open between the perimeter network and the corporate network.

More information

  Windows authentication:

    The one-way trust relationship allows the Web servers and application servers that are joined to the extranet domain to resolve accounts that are in the corporate domain.

  SQL authentication:

    • SQL login accounts are encrypted in the registry of the Web servers and application servers.

    • The server farm account is not used to access the configuration database and the SharePoint_AdminContent database. The corresponding SQL login accounts are used instead.

The information in the previous table assumes the following:

  • Both the Web servers and the application servers reside in the perimeter network.

  • All accounts that are created have the least privileges necessary, including the following recommendations:

    • Separate accounts are created for all administrative and service accounts.

    • No account is a member of the Administrators group on any computer, including the server computer that hosts SQL Server.

If you are using SQL authentication, the following SQL logins must be created having the following permissions:

  • SQL login for the account that is used to run the Psconfig command-line tool: The account must be a member of the following SQL roles: dbcreator and securityadmin. The account must be a member of the Administrators group on each server on which Setup is run (not the database server).

  • SQL login for the server farm account: This login is used to create the configuration database and the SharePoint_AdminContent database. The login must include the dbcreator role. The login does not have to be a member of the securityadmin role. The login must be created by using SQL authentication. Configure the server farm account to use SQL authentication with the password that is specified when you create the SQL login.

  • SQL login for all other databases: The login must be created by using SQL authentication. The login must be a member of the following SQL roles: dbcreator and securityadmin.

For more information about Office SharePoint Server 2007 accounts, see Plan for administrative and service accounts (Office SharePoint Server).

For more information about how to create databases by using the Psconfig command-line tool, see Command-line reference for the SharePoint Products and Technologies Configuration Wizard (Office SharePoint Server).

Communication with server-farm roles

When configuring an extranet environment, you must understand how the various server roles communicate within the server farm.

Communication between server roles

The following figure shows the communication channels in a server farm. The table directly after the figure indicates the ports and protocols that are represented in the figure. The black solid arrows indicate which server role starts communication. For example, the Excel Calculation Services role starts communication with the database server. The database server does not start communication with the Excel Calculation Services role. A red dotted arrow indicates that either server starts communication. This is important to know when you configure incoming and outgoing communication on a firewall.

Interfarm server communication

Table 16. Ports and protocols for communication between server roles

Callout 1: Client access (including Information Rights Management (IRM) and search queries), one or more of the following:

  • TCP port 80

  • TCP port 443 (SSL)

  • Custom ports

Callout 2: File and printer sharing service — Either of the following:

  • Direct-hosted server message block (SMB) (TCP/UDP 445) — Recommended

  • NetBIOS over TCP/IP (TCP/UDP ports 137, 138, 139) — Disable if not used

Callout 3: Office Server Web Services — Both:

  • TCP port 56737

  • TCP port 56738 (SSL)

Callout 4: Database communication:

  • TCP/SSL port 1433 (default) for default instance (customizable)

  • TCP/SSL random port for named instances (customizable)

Callout 5: Search crawling — Depending on how authentication is configured, SharePoint sites might be extended with an additional zone or Internet Information Services (IIS) site to ensure that the index component can access content. This configuration can result in custom ports.

  • TCP 80

  • TCP 443 (SSL)

  • Custom ports

Callout 6: Single Sign-on Service — Any server role that has the SSO service running must be able to communicate with the encryption key server by using remote procedure call (RPC). This includes all Web servers, the Excel Calculation Services role, and the Index role. Additionally, if a custom security trimmer is installed on the query server and this security trimmer requires access to SSO data, the SSO service also runs on this server role.

RPC requires TCP port 135 and either:

  • Static RPC — Restricted high ports (recommended)

  • Dynamic RPC — Random high ports in the range of 1024–65535/TCP

For more information about the encryption key server and which server roles require the SSO service, see Plan for single sign-on.

Web servers automatically load-balance query requests to the available query servers. Consequently, if the query role is deployed across Web server computers, these servers communicate with one another using the File and Printer Sharing service and the Office Server Web services. The following figure shows the communication channels between these servers.

Web server to query server

Communication between administrative sites and server roles

Administrative sites include the following:

  • Central Administration site: This site can be installed on an application server or a Web server.

  • Shared Services Administration sites: These sites are mirrored across Web servers.

This section details the port and protocol requirements for communication between an administrator workstation and server roles within the farm. The Central Administration site can be installed on any Web server or application server. Configuration changes that are made through the Central Administration site are communicated to the configuration database. Other server roles in the farm receive configuration changes that are registered in the configuration database during their polling cycles. Consequently, the Central Administration site does not introduce any new communication requirements to other server roles in the server farm.

The following figure shows the communication channels from an administrator workstation to the administrative sites and the configuration database.

Administrator Site Administration topology

The following table describes the ports and protocols that are illustrated in the previous figure.

Table 17. The ports and protocols

Callout A: Shared Services Administration site — one or more of the following:

  • TCP 80

  • TCP 443 (SSL)

  • Custom ports

Callout B: Central Administration site — one or more of the following:

  • TCP 80

  • TCP 443 (SSL)

  • Custom ports

Callout C: Database communication:

  • TCP/SSL port 1433 (default) for default instance (customizable)

  • TCP/SSL random port for named instances (customizable)

Communication with infrastructure server roles

When configuring an extranet environment, you must understand how the various server roles communicate with infrastructure server computers.

Active Directory domain controller

The following table lists the port requirements for incoming connections from each server role to an Active Directory domain controller.

Table 18. Port requirements (X = required for that server role)

  Item                                        Web Server  Query Server  Index Server  Excel Calculation Services  Database Server
  TCP/UDP 445 (Directory Services)            X           X             X             X                           X
  TCP/UDP 88 (Kerberos authentication)        X           X             X             X                           X
  LDAP/LDAPS 389/636 (default, customizable)  X                         X             X

LDAP/LDAPS ports are required for server roles based on the following conditions:

  • Web servers: Use LDAP/LDAPS ports if LDAP authentication is configured.

  • Index server: The index role requires LDAP/LDAPS ports for importing profiles from the domain controllers that are configured as profile import sources, wherever these reside.

  • Excel Calculation Services: Uses LDAP/LDAPS ports only if data source connections are configured to authenticate by using LDAP.

DNS server

The following table lists the port requirements for incoming connections from each server role to a Domain Name System (DNS) server. In many extranet environments, one server computer hosts both the Active Directory domain controller and the DNS server.

Table 19. The port requirements for incoming connections (X = required for that server role)

  Item             Web Server  Query Server  Index Server  Excel Calculation Services  Database Server
  DNS, TCP/UDP 53  X           X             X             X                           X

SMTP service

E-mail integration requires the Simple Mail Transfer Protocol (SMTP) service, which uses TCP port 25, on at least one of the front-end Web servers in the server farm. The SMTP service is required for incoming e-mail (incoming connections). For outgoing e-mail, you can either use the SMTP service or route outgoing e-mail through a dedicated e-mail server in your organization, such as a computer that is running Microsoft Exchange Server.

Table 20. Use of SMTP service (X = required for that server role)

  Item         Web Server  Query Server  Index Server  Excel Calculation Services  Database Server
  TCP port 25  X

       
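As an added example (not from this article or from Microsoft), the following Python script encodes the requirements of Tables 16 and 18 through 20 as data and audits a constructed per-role firewall allow-list against them: it reports required channels that have no allow rule, and open ports the article says to restrict (the full dynamic RPC range) or disable (NetBIOS next to direct-hosted SMB). The rule syntax, the role names and the condition flags are assumptions made for the example.

```python
"""Constructed example (not from the article): audit a per-role firewall allow-list
against the port requirements in Tables 16 and 18-20 (rule syntax and role names assumed)."""
import re
RULE = re.compile(r"^allow\s+(tcp/udp|tcp|udp)\s+(\d+)(?:-(\d+))?$")

def tcp_udp(port):
    return {("tcp", port), ("udp", port)}

# Met when every (proto, port) of ANY one alternative is allowed; article defaults.
DC_AND_DNS = [("Directory Services TCP/UDP 445", [tcp_udp(445)]),
              ("Kerberos TCP/UDP 88", [tcp_udp(88)]),
              ("DNS TCP/UDP 53", [tcp_udp(53)])]
LDAP = ("LDAP/LDAPS 389/636", [tcp_udp(389) | {("tcp", 636)}])

def requirements(role, ldap_auth=False, email=False, sso=False):
    """Required channels for one role: web, query, index, ecs or db."""
    reqs = list(DC_AND_DNS)                      # Tables 18 and 19: every role
    # Table 18 conditions: index always; web and ECS only with LDAP authentication.
    if role == "index" or (role in ("web", "ecs") and ldap_auth):
        reqs.append(LDAP)
    if role == "web" and email:                  # Table 20: SMTP on a Web server
        reqs.append(("SMTP TCP 25", [{("tcp", 25)}]))
    if sso:                                      # Table 16, callout 6: RPC
        reqs.append(("SSO RPC TCP 135", [{("tcp", 135)}]))
    return reqs

def parse_rules(text):
    """Parse 'allow tcp/udp 445' or 'allow tcp 1024-65535' lines to (proto, lo, hi)."""
    allowed = []
    lines = [l.split("#", 1)[0].strip().lower() for l in text.splitlines()]
    for line in filter(None, lines):
        if not (m := RULE.match(line)):
            raise ValueError(f"unparseable rule: {line!r}")
        protos, lo, hi = m.groups()
        allowed += [(p, int(lo), int(hi or lo)) for p in protos.split("/")]
    return allowed

def is_allowed(allowed, proto, port):
    return any(p == proto and lo <= port <= hi for p, lo, hi in allowed)

def audit(role, rules_text, **conditions):
    """Return (missing, warnings): channels with no allow rule, and open ports to tighten."""
    allowed = parse_rules(rules_text)
    missing = [name for name, alts in requirements(role, **conditions)
               if not any(all(is_allowed(allowed, *pp) for pp in alt)
                          for alt in alts)]
    warnings = []
    if is_allowed(allowed, "tcp", 445) and any(is_allowed(allowed, pr, p)
                                               for p in (137, 138, 139) for pr in ("tcp", "udp")):
        warnings.append("NetBIOS 137-139 open alongside SMB 445: disable if unused")
    for proto, lo, hi in allowed:
        if lo <= 1024 and hi >= 65535:           # whole dynamic RPC range open
            warnings.append(f"{proto} {lo}-{hi}: dynamic RPC, prefer static RPC")
    return missing, warnings

# Constructed allow-list for a Web server with LDAP auth, e-mail and SSO enabled.
SAMPLE_WEB_RULES = """
allow tcp/udp 445
allow tcp/udp 88
allow tcp/udp 53
allow tcp 139
allow tcp 135
allow tcp 1024-65535
"""
```

Running `audit("web", SAMPLE_WEB_RULES, ldap_auth=True, email=True, sso=True)` flags the forgotten LDAP/LDAPS and SMTP channels and warns about NetBIOS and the open high-port range.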

Requirements to support document conversions

If you are using document converters on the server, the following services must be installed and started on an application server:

  • Document Conversions Launcher Service

  • Document Conversions Load Balancer Service

Typically, these services are installed on the same application server or on separate application servers, depending on the topology that best suits your needs. These services can also be installed on one or more Web servers, if they are needed. If these services are installed on separate servers, the network path between those servers must allow the two services to communicate with one another.

The following table lists the port and protocol requirements for these services. These requirements do not apply to server roles in the farm that do not have these services installed.

Table 21. Port and protocol requirements for the services

  Service                                     Requirement
  Document Conversions Launcher Service       TCP port 8082, customizable for either TCP or SSL
  Document Conversions Load Balancer Service  TCP port 8093, customizable for either TCP or SSL

For information about how to configure these services in a server farm, see Design document conversions topology.

Communication between network domains

Active Directory communication

Active Directory communication between domains to support authentication with a domain controller inside the corporate network requires at least a one-way trust relationship in which the perimeter network trusts the corporate network.

In the example illustrated in the first figure in this article, the following ports are required as incoming connections to ISA Server B to support a one-way trust relationship:

  • TCP/UDP 135 (RPC)

  • TCP/UDP 389 by default, customizable (LDAP)

  • TCP 636 by default, customizable (LDAP SSL)

  • TCP 3268 (LDAP GC)

  • TCP 3269 (LDAP GC SSL)

  • TCP/UDP 53 (DNS)

  • TCP/UDP 88 (Kerberos)

  • TCP/UDP 445 (Directory Services)

  • TCP/UDP 749 (Kerberos-Adm)

  • TCP port 750 (Kerberos-IV)

When configuring ISA Server B (or an alternative device between the perimeter network and the corporate network), the network relationship must be defined as routed. Do not define the network relationship as Network Address Translation (NAT).

For more information about security hardening requirements related to trust relationships, see the following resources:

Hardening for content publishing

Content publishing requires one-way communication between the Central Administration site on the source server farm and the Central Administration site on the destination server farm. Hardening requirements are as follows:

  • The port that is used for the Central Administration site on the destination server farm must accept incoming connections from the source farm.

  • TCP 80 or 443 outgoing from the source farm (for Simple Object Access Protocol (SOAP) and HTTP Post).

When you configure content deployment on the source farm, you specify the account to use to authenticate with the destination farm. A trust relationship between domains is not required to publish content from one domain to the other. However, there are the following two account options to deploy content — one of which does require a domain trust relationship:

  • If the application pool account of the source farm has permissions to Central Administration on the destination farm, select the Use application pool account option. This requires a one-way trust relationship in which the domain of the destination farm trusts the domain of the source farm.

  • You can specify an account manually instead of by using the source application pool account. In this case, the account does not have to exist in the network domain of the source farm. Typically, the account is unique to the destination farm. The account can authenticate using Integrated Windows authentication or basic authentication.

Connections to external servers

Several features of Office SharePoint Server 2007 can be configured to access data that resides on server computers outside the server farm. If you configure access to data on external server computers, ensure that you enable communication between the appropriate computers. In most cases, the ports, protocols, and services that are used depend on the external resource. For example:

  • Connections to file shares use the File and Printer Sharing service.

  • Connections to external SQL Server databases use the default or customized ports for SQL Server communication.

  • Connections to Oracle typically use OLE DB.

  • Connections to Web services use both HTTP and HTTPS.

The following table lists features that can be configured to access data that resides on server computers outside the server farm.

Table 22. Features that can be configured to access external data

Feature Description

Content crawling

You can configure crawl rules to crawl data that resides on external resources. This includes Web sites, file shares, Exchange public folders, and business data applications. When crawling external data sources, the index role communicates directly with these external resources.

For more information, see Plan to crawl content (Office SharePoint Server).

Business Data Catalog connections

Web servers and application servers communicate directly with computers that are configured for Business Data Catalog connections.

For more information, see Plan for business data connections with the Business Data Catalog.

Receiving Microsoft Office Excel workbooks

If workbooks opened on Excel Services connect to any external data sources (for example, Analysis Services and SQL Server), appropriate TCP/IP ports have to be opened for connecting to these external data sources. For more information, see Plan external data connections for Excel Services.

If Universal Naming Convention (UNC) paths are configured as trusted locations in Excel Services, the Excel Calculation Services application role uses the protocols and ports that are used by the File and Printer Sharing service to receive Office Excel workbooks over a UNC path.

Workbooks that are stored in content databases or that are uploaded or downloaded from sites by users are not affected by this communication.