Overview of security features in SharePoint Server 2010
Published: July 29, 2011
This article contains a brief overview of the security features and improvements that are included in Microsoft SharePoint Server 2010. These include the following:
SharePoint Server 2010 supports two modes of authentication: claims-based authentication and classic mode authentication.
Claims-based authentication is built on Windows Identity Foundation (WIF), a set of .NET Framework classes that are used to implement claims-based identity.
For additional information about claims-based authentication, see Plan authentication methods (SharePoint Server 2010).
Classic mode authentication
This mode of authentication uses Windows authentication and SharePoint Server 2010 treats all user accounts as Active Directory Domain Services (AD DS) accounts. Internet Information Services (IIS) provides three built-in forms of authentication: Integrated Windows authentication, Digest authentication, and Basic authentication.
For additional information about classic mode authentication, see Plan authentication methods (SharePoint Server 2010).
Automatic password change and managed accounts
The automatic password change feature enables you to update and deploy passwords without having to perform manual password update tasks across multiple accounts, services, and Web applications. In earlier SharePoint versions, to change a farm password, you had to locate each server in the farm and manually change the password. In SharePoint Server 2010, however, a service account is mapped to a managed account from which all password updates are controlled.
Benefits of using a managed account are as follows:
Passwords of managed accounts can be updated from a single location and changes can be distributed to all servers in the farm that use that managed account.
Password changes can be scheduled to occur automatically, either according to a schedule or based on the password expiry policy set in AD DS.
Managed accounts generate very long, cryptographically random passwords for all accounts.
The generated password is at least 32 characters in length, contains a mix of uppercase and lowercase alphanumeric characters and special characters, and is created by using built-in core .NET Framework password generation routines.
For additional information about automatic password change, see Plan automatic password change (SharePoint Server 2010) and Configure automatic password change (SharePoint Server 2010).
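The following script is an added example (not from the article) of how the managed account workflow described above is driven from the SharePoint 2010 Management Shell: it registers a service account as a managed account, enables automatic password change on a schedule, and then audits every managed account in the farm for ones still on manual password change. The account name CONTOSO\sp_services, the schedule and the notification lead times are assumed values.

```powershell
# Added example: register a managed account, enable automatic password
# change, then audit all managed accounts in the farm.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
# CONTOSO\sp_services, the schedule and the day counts are assumed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = "CONTOSO\sp_services"   # assumed service account

# Register the account if it is not already managed. This prompt is the
# only time the current password has to be typed by hand; afterwards
# SharePoint generates and distributes new passwords itself.
$managed = Get-SPManagedAccount -Identity $accountName -ErrorAction SilentlyContinue
if (-not $managed) {
    $cred    = Get-Credential $accountName
    $managed = New-SPManagedAccount -Credential $cred
}

# Turn on automatic password generation. The schedule uses the SPSchedule
# string format; this one changes the password monthly at 02:00 on the 1st.
# -PreExpireDays changes the password before the AD DS policy expires it;
# -EmailNotification warns administrators a number of days ahead.
Set-SPManagedAccount -Identity $accountName `
    -AutoGeneratePassword `
    -Schedule "monthly at 1 02:00:00" `
    -PreExpireDays 5 `
    -EmailNotification 7 `
    -Confirm:$false

# Audit: list every managed account with its change mode, schedule and
# the expiry date of the current password.
Get-SPManagedAccount |
    Select-Object Username, AutomaticChange, ChangeSchedule, PasswordExpiration |
    Format-Table -AutoSize

# Flag accounts that still rely on someone changing the password by hand.
$manual = Get-SPManagedAccount | Where-Object { -not $_.AutomaticChange }
if ($manual) {
    Write-Warning "Managed accounts still on manual password change:"
    $manual | ForEach-Object { Write-Warning ("  " + $_.Username) }
}
```

The audit at the end is the part worth scheduling: an account that was registered as managed but never switched to automatic change still has a password that somebody knows and that nothing rotates.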
In previous SharePoint versions, administrators used the Permission Reporting tool in the SharePoint Administration Toolkit version 4.0 to determine the effective permissions of a specific user and how the user obtained those permissions on a particular object. In SharePoint Server 2010, administrators can instead use the Check Permissions functionality to check effective permissions. It determines a user's or group's permissions on all site collection resources. An administrator can also find a user's directly assigned permissions and the permissions assigned to any groups to which the user belongs. You can check permissions for a user or group on the Site Permissions page.
For additional information about site permissions, see Plan site permissions (SharePoint Server 2010).
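Check Permissions answers the question for one securable object at a time in the browser. As an added example (not from the article), the script below asks the same question from the SharePoint 2010 Management Shell for a site and every list in it, using the object model's GetUserEffectivePermissions method, and flags lists that have stopped inheriting permissions from the site, which is where surprises usually hide. The site URL and login name are assumed values.

```powershell
# Added example: report one user's effective permissions on a site and on
# each of its lists and libraries, marking lists with unique permissions.
# The site URL and login name are assumed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-EffectivePermissionReport {
    param(
        [string]$SiteUrl,   # site (SPWeb) to inspect
        [string]$Login      # Windows login, e.g. DOMAIN\user
    )
    $web = Get-SPWeb $SiteUrl
    try {
        # Effective rights on the site itself; the result is an
        # SPBasePermissions flags value such as "ViewListItems, Open".
        "{0,-40} {1}" -f ("[site] " + $web.Title), $web.GetUserEffectivePermissions($Login)

        foreach ($list in $web.Lists) {
            $perms  = $list.GetUserEffectivePermissions($Login)
            # HasUniqueRoleAssignments is true when inheritance was broken,
            # so this list's rights may differ from what the site grants.
            $marker = if ($list.HasUniqueRoleAssignments) { "(unique permissions)" } else { "" }
            "{0,-40} {1} {2}" -f $list.Title, $perms, $marker
        }
    }
    finally {
        # SPWeb holds unmanaged resources; always dispose it.
        $web.Dispose()
    }
}

Get-EffectivePermissionReport -SiteUrl "http://intranet.contoso.com/sites/finance" -Login "CONTOSO\jdoe"
```

Where the user holds only the Limited Access level on the site but fuller rights on a single list, the site row shows just the Limited Access rights and the list row shows the real grant; that combination is the fine-grained permission pattern the rest of this article refers to.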
Secure Store service
The Secure Store Service replaces the Microsoft Office SharePoint Server 2007 Single Sign On feature. The Secure Store Service provides storage and mapping of credentials such as account names and passwords. It enables you to securely store the credentials that are required to connect to external systems and to associate those credentials with a specific identity or group of identities.
For organizations that are migrating from Microsoft Office SharePoint Server 2007 to Microsoft SharePoint Server 2010, see How other services are affected by upgrade (SharePoint Server 2010).
For additional information about the Secure Store Service, see Plan the Secure Store Service (SharePoint Server 2010) and Configure the Secure Store Service (SharePoint Server 2010).
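The mapping the paragraph above describes (a stored credential set tied to a group of identities) is a group target application. The script below is an added example, not part of the article or of Microsoft's documentation, showing how one is created and populated from the SharePoint 2010 Management Shell. The Web application URL, the target application name, the administrator and owner accounts and the external-system account are all assumed values.

```powershell
# Added example: create a Secure Store group target application and store
# one set of external-system credentials shared by a mapped group of users.
# URL, names and accounts are assumed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The service context selects the Secure Store Service proxy associated
# with this Web application (assumed URL).
$ctx = Get-SPServiceContext -Site "http://intranet.contoso.com"

# Fields stored for each credential set. Masking the password field keeps
# its value hidden in Central Administration.
$fields = @(
    (New-SPSecureStoreApplicationField -Name "UserName" -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "Password" -Type WindowsPassword -Masked:$true)
)

# Group type: a single credential set mapped to a group of SharePoint users,
# as opposed to Individual, where each user stores their own.
$targetApp = New-SPSecureStoreTargetApplication -Name "ErpReadOnly" `
    -FriendlyName "ERP read-only connection" -ApplicationType Group

# Who administers the target application, and which identities may use
# the stored credentials (assumed accounts and group).
$admin   = New-SPClaimsPrincipal -Identity "CONTOSO\spadmin"       -IdentityType WindowsSamAccountName
$members = New-SPClaimsPrincipal -Identity "CONTOSO\Finance Users" -IdentityType WindowsSamAccountName

$app = New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $targetApp `
    -Fields $fields -Administrator $admin -CredentialsOwnerGroup $members

# Store the external-system credentials. Values are SecureStrings and must
# be given in the same order as $fields. The account name is a placeholder;
# the password is read interactively so it never appears in the script.
$user = ConvertTo-SecureString "ERPDOMAIN\erp_reader" -AsPlainText -Force
$pass = Read-Host "Password for ERPDOMAIN\erp_reader" -AsSecureString
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values @($user, $pass)
```

Keeping the owner group narrow matters more than it looks: everyone mapped to the group effectively holds the external account's rights, so the group should contain only the identities that need that connection.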
Migrating security settings
For organizations that have migrated from Office SharePoint Server 2007 to SharePoint Server 2010, the following articles are available to help in the migration process:
Browser file handling setting
In SharePoint Products 2010, the method used to send security header information to a client's Web browser is restrictive. The default setting is Strict, which does not allow certain file types to be opened directly in the browser (for example, Adobe Flash or Adobe Portable Document Format (PDF) files).
For additional information about browser file handling, see Configure settings for a Web application (SharePoint Server 2010) or Microsoft.SharePoint.Administration.SPWebApplication.BrowserFileHandling.
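Because the Strict default is what blocks inline PDF and Flash, the usual pressure is to switch a Web application to Permissive, which lifts the restriction for every file type at once. The script below is an added example (not from the article) that first reports the BrowserFileHandling setting of every Web application in the farm and then shows the narrower alternative: stay on Strict and allow one MIME type through the per-Web-application AllowedInlineDownloadedMimeTypes list. The URL and the MIME type are assumed values.

```powershell
# Added example: audit browser file handling across the farm, then permit
# a single MIME type inline on one Web application while keeping Strict.
# The Web application URL and MIME type are assumed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Audit: Strict is the secure default; any Permissive Web application
# should be justified, because it applies to every file type.
Get-SPWebApplication | ForEach-Object {
    $mode = $_.BrowserFileHandling
    if ($mode -ne "Strict") {
        Write-Warning ("{0} uses {1} browser file handling" -f $_.Url, $mode)
    }
    else {
        Write-Host ("{0}: Strict, {1} MIME type(s) allowed inline" -f `
            $_.Url, $_.AllowedInlineDownloadedMimeTypes.Count)
    }
}

# Narrow exception: keep Strict but let PDFs open in the browser on one
# Web application only. Other blocked types stay blocked.
$webApp = Get-SPWebApplication "http://intranet.contoso.com"   # assumed URL
$mime   = "application/pdf"
if (-not $webApp.AllowedInlineDownloadedMimeTypes.Contains($mime)) {
    $webApp.AllowedInlineDownloadedMimeTypes.Add($mime)
    $webApp.Update()
    Write-Host ("Allowed {0} inline on {1}" -f $mime, $webApp.Url)
}
```

Re-running the audit afterwards should still report the Web application as Strict, with the allowed-inline count raised by one; a Permissive result anywhere in the farm is the finding to follow up.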
Sandboxed solutions in SharePoint Products 2010 let code run in a restricted execution environment. For additional information about sandboxed solutions, see Sandboxed solutions overview (SharePoint Server 2010).
Limited access permission level
This permission level is used to give groups access to a specific list, library, folder, document, or item without giving them access to the whole site. For additional information about the limited access permission level, see Determine permission levels and groups (SharePoint Server 2010). For a graphical representation of the limited access permission level, download Best practices for using fine-grained permissions (white paper) (SharePoint Server 2010).
Access control in SharePoint Designer
Built-in support controls who in an organization can use SharePoint Designer 2010 and how they can use it. For information about how to delegate access control in SharePoint Designer 2010, see Control where and how people use SharePoint Designer 2010 (http://go.microsoft.com/fwlink/p/?LinkId=224715) and Changes in SharePoint Designer 2010 (for IT pros).