Plan security hardening for extranet environments

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Topic Last Modified: 2016-11-14

In this article:

  • Extranet hardening planning tool

  • Network topology

  • Domain trust relationships

  • Communication with server-farm roles

  • Communication with infrastructure server roles

  • Requirements to support document conversions

  • Communication between network domains

  • Connections to external servers

This article details the hardening requirements for an extranet environment in which a Microsoft Office SharePoint Server 2007 server farm is placed inside a perimeter network and content is available from the Internet or from the corporate network.

For more information on supported extranet topologies, see Design extranet farm topology (Office SharePoint Server).

Extranet hardening planning tool

The following planning tool is available for use with this article: Extranet hardening planning tool: back-to-back perimeter (https://go.microsoft.com/fwlink/?LinkId=85533&clcid=0x409). Based on the back-to-back perimeter topology, this tool articulates the port requirements for each of the computers running Microsoft Internet Security and Acceleration (ISA) Server and each of the routers or firewalls. This tool is an editable Microsoft Office Visio file that you can revise for your environment. For example, you can:

  • Add your custom port numbers, where applicable.

  • Where a choice of protocols or ports is provided, indicate which ports you will use.

  • Indicate the specific ports that are used for database communication in your environment.

  • Add or remove requirements for ports based on:

    • Whether you are configuring e-mail integration.

    • Which layer you deploy the query role to.

    • If you are configuring a domain trust relationship between the perimeter domain and the corporate domain.

If you would like to see additional planning tools for other supported extranet topologies, submit a comment on this article to let us know.

Network topology

The hardening guidance in this article can be applied to many different extranet configurations. The following back-to-back perimeter network topology diagram shows an example implementation and illustrates the server and client roles across an extranet environment. The purpose of the diagram is to articulate each of the possible roles and their relationship to the overall environment. Consequently, the query role appears twice. In a real implementation, the query role is deployed either on Web servers or as an application server, but not both. If the query role is deployed to the Web servers, it is deployed to all Web servers in a farm. For the purpose of communicating security hardening requirements, the diagram illustrates all options. The routers illustrated can be exchanged for firewalls.

Extranet security hardening diagram

Domain trust relationships

The requirement for a domain trust relationship depends on how the server farm is configured. This section discusses two possible configurations.

Server farm resides in the perimeter network

The perimeter network requires its own Active Directory directory service infrastructure and domain. Typically, the perimeter domain and the corporate domain are not configured to trust each other. However, to authenticate intranet users and remote employees who are using their domain credentials (Windows authentication), you must configure a one-way trust relationship in which the perimeter domain trusts the corporate domain. Forms authentication and Web SSO do not require a domain trust relationship.

Server farm is split between the perimeter network and the corporate network

If the server farm is split between the perimeter network and the corporate network with the database servers residing inside the corporate network, a domain trust relationship is required if Windows accounts are used. In this scenario, the perimeter network must trust the corporate network. If SQL authentication is used, a domain trust relationship is not required. The following table summarizes the differences between these two approaches.

Windows authentication versus SQL authentication

Description

  • Windows authentication: Corporate domain accounts are used for all Office SharePoint Server 2007 service and administration accounts, including application pool accounts. A one-way trust relationship, in which the perimeter network trusts the corporate network, is required.

  • SQL authentication: Office SharePoint Server 2007 accounts are configured in the following ways:

    • SQL authentication is used for every database that is created.

    • All other administration and service accounts are created as domain accounts in the perimeter network.

    • Web servers and application servers are joined to the perimeter network.

    A trust relationship is not required but can be configured to support client authentication against an internal domain controller.

    Note: If the application servers reside in the corporate domain, a one-way trust relationship, in which the perimeter network trusts the corporate network, is required.

Setup

  • Windows authentication: Setup includes the following:

    • Office SharePoint Server 2007 administration and service accounts are created in the corporate domain.

    • Web servers and application servers are joined to the perimeter network.

    • A trust relationship is established in which the perimeter domain trusts the corporate domain.

  • SQL authentication: Setup includes the following:

    • All database accounts must be created as SQL login accounts in SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio. These accounts must be created before the creation of any Office SharePoint Server 2007 databases, including the configuration database and the AdminContent database.

    • You must use the Psconfig command-line tool to create the configuration database and the SharePoint_AdminContent database. You cannot use the SharePoint Products and Technologies Configuration Wizard to create these databases. In addition to using the -user and -password parameters to specify the server farm account, you must use the -dbuser and -dbpassword parameters to specify SQL authentication accounts.

    • You can create additional content databases in Central Administration by selecting the SQL authentication option. However, you must first create the SQL login accounts in SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio.

    • Secure all communication with the database servers using SSL.

    • Ensure that ports used for communication with SQL Server remain open between the perimeter network and the corporate network.

Additional information

  • Windows authentication: The one-way trust relationship allows the Web servers and application servers that are joined to the extranet domain to resolve accounts that are in the corporate domain.

  • SQL authentication:

    • SQL login accounts are encrypted in the registry of the Web servers and application servers.

    • The server farm account is not used to access the configuration database and the SharePoint_AdminContent database. The corresponding SQL login accounts are used instead.

The information in the preceding table assumes the following:

  • Both the Web servers and the application servers reside in the perimeter network.

  • All accounts are created with the least privileges necessary, including the following recommendations:

    • Separate accounts are created for all administrative and service accounts.

    • No account is a member of the Administrators group on any computer, including the server computer that hosts SQL Server.

If you are using SQL authentication, the following SQL logins must be created with the following permissions:

  • SQL login for the account used to run the Psconfig command-line tool   The account must be a member of the following SQL roles: dbcreator and securityadmin. The account must be a member of the Administrators group on each server on which Setup is run (not the database server).

  • SQL login for the server farm account   This login is used to create the configuration database and the SharePoint_AdminContent database. The login must include the dbcreator role. The login does not need to be a member of the securityadmin role. The login must be created using SQL authentication. Configure the server farm account to use SQL authentication with the password that is specified when you create the SQL login.

  • SQL login for all other databases   The login must be created using SQL authentication. The login must be a member of the following SQL roles: dbcreator and securityadmin.
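The following PowerShell script is an added example, not part of the TechNet article and not Microsoft's own tooling. It carries out the SQL authentication setup described above in the order the article requires: the SQL logins are created first with exactly the roles listed (the farm login gets dbcreator only, the login for all other databases gets dbcreator and securityadmin), and only then does Psconfig create the configuration and SharePoint_AdminContent databases using -dbuser and -dbpassword in addition to -user and -password. Server, account, login and database names are placeholders, the T-SQL uses SQL Server 2005 syntax (CREATE LOGIN), and it assumes that a DBA has already created the SQL login for the account that runs Psconfig with dbcreator and securityadmin, as the article requires.

```powershell
# Added example (not from the TechNet article): SQL-authentication farm setup.
# Run on the server where Setup was run, as the setup account (a member of the
# local Administrators group on that server, not on the database server).
param(
    [string] $SqlServer     = 'sql01.corp.example',   # placeholder: database server in the corporate network
    [string] $SetupSqlLogin = 'sp_setup_sql',         # placeholder: SQL login for the account that runs Psconfig
    [string] $FarmAccount   = 'PERIMETER\spfarm',     # placeholder: server farm account (perimeter domain account)
    [string] $FarmSqlLogin  = 'sp_farm_sql',          # placeholder: SQL login for the config + AdminContent databases
    [string] $OtherDbLogin  = 'sp_dbs_sql'            # placeholder: SQL login for all other databases
)

function ConvertTo-PlainText([System.Security.SecureString] $Secure) {
    # sqlcmd and psconfig need the plain string; keep it in memory only.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function ConvertTo-SqlLiteral([string] $s) {
    # Double every single quote so a password cannot break out of the T-SQL literal.
    return "N'" + $s.Replace("'", "''") + "'"
}

$setupSqlPw = ConvertTo-PlainText (Read-Host "Password for SQL login $SetupSqlLogin" -AsSecureString)
$farmWinPw  = ConvertTo-PlainText (Read-Host "Password for $FarmAccount" -AsSecureString)
$farmSqlPw  = ConvertTo-PlainText (Read-Host "Password for SQL login $FarmSqlLogin" -AsSecureString)
$otherSqlPw = ConvertTo-PlainText (Read-Host "Password for SQL login $OtherDbLogin" -AsSecureString)

# Step 1: create the SQL logins before any SharePoint database exists.
# The farm login is deliberately NOT added to securityadmin (least privilege,
# as the article states); the login for all other databases needs both roles.
$tsql = @"
CREATE LOGIN [$FarmSqlLogin] WITH PASSWORD = $(ConvertTo-SqlLiteral $farmSqlPw), CHECK_POLICY = ON;
EXEC sp_addsrvrolemember @loginame = N'$FarmSqlLogin', @rolename = N'dbcreator';

CREATE LOGIN [$OtherDbLogin] WITH PASSWORD = $(ConvertTo-SqlLiteral $otherSqlPw), CHECK_POLICY = ON;
EXEC sp_addsrvrolemember @loginame = N'$OtherDbLogin', @rolename = N'dbcreator';
EXEC sp_addsrvrolemember @loginame = N'$OtherDbLogin', @rolename = N'securityadmin';
"@

$tmp = [IO.Path]::GetTempFileName()
try {
    Set-Content -Path $tmp -Value $tsql -Encoding ASCII
    # -U/-P: connect with the setup account's SQL login (no domain trust is needed);
    # -b: stop at the first T-SQL error instead of silently continuing.
    & sqlcmd.exe -S $SqlServer -U $SetupSqlLogin -P $setupSqlPw -b -i $tmp
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
} finally {
    Remove-Item $tmp -ErrorAction SilentlyContinue   # do not leave passwords on disk
}

# Step 2: Psconfig (not the Configuration Wizard) creates the two databases.
# -user/-password identify the farm (Windows) account; -dbuser/-dbpassword is the
# SQL login that actually opens the connection to SQL Server.
$psconfig = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\psconfig.exe'
& $psconfig -cmd configdb -create -server $SqlServer `
    -database 'SharePoint_Config' -admincontentdatabase 'SharePoint_AdminContent' `
    -user $FarmAccount -password $farmWinPw `
    -dbuser $FarmSqlLogin -dbpassword $farmSqlPw
if ($LASTEXITCODE -ne 0) { throw "psconfig failed with exit code $LASTEXITCODE" }
```

Passwords are read as secure strings and only converted at the moment they are handed to sqlcmd and psconfig; the temporary T-SQL file is deleted in a finally block so the login passwords never stay on disk. Because the database traffic crosses the perimeter boundary, the SQL Server connection should be SSL-protected and the SQL port opened between the networks as the table above requires.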

For more information about Office SharePoint Server 2007 accounts, see Plan for administrative and service accounts (Office SharePoint Server).

For more information about creating databases by using the Psconfig command-line tool, see Command-line reference for the SharePoint Products and Technologies Configuration Wizard (Office SharePoint Server).

Communication with server-farm roles

When configuring an extranet environment, it is important to understand how the various server roles communicate within the server farm.

Communication between server roles

The following figure illustrates the communication channels within a server farm. The table directly after the figure indicates the ports and protocols that are represented in the figure. The black solid arrows indicate which server role initiates communication. For example, the Excel Calculation Services role initiates communication with the database server. The database server does not initiate communication with the Excel Calculation Services role. A red dotted arrow indicates that either server initiates communication. This is important to know when configuring inbound and outbound communication on a firewall.

Interfarm server communication

Callout 1: Client access (including Information Rights Management (IRM) and search queries), one or more of the following:

  • TCP port 80

  • TCP port 443 (SSL)

  • Custom ports

Callout 2: File and printer sharing service — Either of the following:

  • Direct-hosted server message block (SMB) (TCP/UDP 445) — Recommended

  • NetBIOS over TCP/IP (TCP/UDP ports 137, 138, 139) — Disable if not used

Callout 3: Office Server Web Services — Both:

  • TCP port 56737

  • TCP port 56738 (SSL)

Callout 4: Database communication:

  • TCP/SSL port 1433 (default) for default instance (customizable)

  • TCP/SSL random port for named instances (customizable)

Callout 5: Search crawling — Depending on how authentication is configured, SharePoint sites might be extended with an additional zone or Internet Information Services (IIS) site to ensure that the index component can access content. This configuration can result in custom ports.

  • TCP 80

  • TCP 443 (SSL)

  • Custom ports

Callout 6: Single Sign-on Service — Any server role that has the SSO service running must be able to communicate with the encryption key server using remote procedure call (RPC). This includes all Web servers, the Excel Calculation Services role, and the Index role. Additionally, if a custom security trimmer is installed on the query server and this security trimmer requires access to SSO data, the SSO service is running on this server role as well.

RPC requires TCP port 135 and either:

  • Static RPC — Restricted high ports (recommended)

  • Dynamic RPC — Random high ports in the range of 1024–65535/TCP

For more information about the encryption key server and which server roles require the SSO service, see Plan for single sign-on.

Web servers automatically load-balance query requests to the available query servers. Consequently, if the query role is deployed across Web server computers, these servers communicate with each other using the File and Printer Sharing service and the Office Server Web services. The following figure illustrates the communication channels between these servers.

Web server to query server

Communication between administrative sites and server roles

Administrative sites include:

  • Central Administration site   This site can be installed on an application server or a Web server.

  • Shared Services Administration sites   These sites are mirrored across Web servers.

This section details the port and protocol requirements for communication between an administrator workstation and server roles within the farm. The Central Administration site can be installed on any Web server or application server. Configuration changes that are made through the Central Administration site are communicated to the configuration database. Other server roles in the farm pick up configuration changes that are registered in the configuration database during their polling cycles. Consequently, the Central Administration site does not introduce any new communication requirements to other server roles in the server farm.

The following figure illustrates the communication channels from an administrator workstation to the administrative sites and the configuration database.

Administrator Site Administration topology

The following table describes the ports and protocols that are illustrated in the preceding figure.

Callout A: Shared Services Administration site — One or more of the following:

  • TCP 80

  • TCP 443 (SSL)

  • Custom ports

Callout B: Central Administration site — One or more of the following:

  • TCP 80

  • TCP 443 (SSL)

  • Custom ports

Callout C: Database communication:

  • TCP/SSL port 1433 (default) for default instance (customizable)

  • TCP/SSL random port for named instances (customizable)

Communication with infrastructure server roles

When configuring an extranet environment, it is important to understand how the various server roles communicate with the infrastructure server computers (domain controllers, DNS servers, and SMTP servers).

Active Directory domain controller

The following table lists the port requirements for inbound connections from each server role to an Active Directory domain controller.

The server roles listed for each item are the ones that require the port.

  • TCP/UDP 445 (Directory Services): Web Server, Query Server, Index Server, Excel Calculation Services, Database Server

  • TCP/UDP 88 (Kerberos authentication): Web Server, Query Server, Index Server, Excel Calculation Services, Database Server

  • Lightweight Directory Access Protocol (LDAP)/LDAPS ports 389/636 by default, customizable: Web Server, Index Server, Excel Calculation Services

LDAP/LDAPS ports are required for server roles based on the following conditions:

  • Web servers   Use LDAP/LDAPS ports if LDAP authentication is configured.

  • Index server   Role requires LDAP/LDAPS ports for importing profiles from the domain controllers that are configured as profile import sources, wherever these reside.

  • Excel Calculation Services   Uses LDAP/LDAPS ports only if data source connections are configured to authenticate using LDAP.

DNS server

The following table lists the port requirements for inbound connections from each server role to a Domain Name System (DNS) server. In many extranet environments, one server computer hosts both the Active Directory domain controller and the DNS server.

  • DNS, TCP/UDP 53: Web Server, Query Server, Index Server, Excel Calculation Services, Database Server (all roles)

SMTP service

E-mail integration requires the use of the Simple Mail Transfer Protocol (SMTP) service using TCP port 25 on at least one of the front-end Web servers in the server farm. The SMTP service is required for incoming e-mail (inbound connections). For outgoing e-mail, you can either use the SMTP service or route outgoing e-mail through a dedicated e-mail server in your organization, such as a computer running Microsoft Exchange Server.

  • TCP port 25: Web Server only (no other server role requires this port)

Requirements to support document conversions

If you are using document converters on the server, the following services must be installed and started on an application server:

  • Document Conversions Launcher Service

  • Document Conversions Load Balancer Service

Typically, these services are installed on the same application server or on separate application servers, depending on the topology that best suits your needs. These services can also be installed on one or more Web servers, if needed. If the two services are installed on separate servers, the network path between those servers must allow them to reach each other on the ports listed in the following table.

The following table lists the port and protocol requirements for these services. These requirements do not apply to server roles in the farm that do not have these services installed.

  • Document Conversions Launcher Service: TCP port 8082, customizable for either TCP or SSL

  • Document Conversions Load Balancer Service: TCP port 8093, customizable for either TCP or SSL

For information about how to configure these services in a server farm, see Design document conversions topology.

Communication between network domains

Active Directory communication

Active Directory communication between domains to support authentication with a domain controller inside the corporate network requires at least a one-way trust relationship in which the perimeter network trusts the corporate network.

In the example illustrated in the first figure in this article, the following ports are required as inbound connections to ISA Server B to support a one-way trust relationship:

  • TCP/UDP 135 (RPC)

  • TCP/UDP 389 by default, customizable (LDAP)

  • TCP 636 by default, customizable (LDAP SSL)

  • TCP 3268 (LDAP GC)

  • TCP 3269 (LDAP GC SSL)

  • TCP/UDP 53 (DNS)

  • TCP/UDP 88 (Kerberos)

  • TCP/UDP 445 (Directory Services)

  • TCP/UDP 749 (Kerberos-Adm)

  • TCP port 750 (Kerberos-IV)

When configuring ISA Server B (or an alternate device between the perimeter network and the corporate network), the network relationship must be defined as routed. Do not define the network relationship as Network Address Translation (NAT).
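The following PowerShell script is an added example, not part of the TechNet article and not a Microsoft tool. It turns the port tables in this article into a reachability check a defender can run after configuring the routers, firewalls or ISA Server computers: from the server whose role you name, it attempts a TCP connection to every required destination port and reports which ones are blocked. Two roles are filled in, the Web server (intra-farm callouts plus domain controller and DNS requirements) and the perimeter domain controller (the one-way trust ports that must pass through ISA Server B); the remaining roles are added in the same shape from the tables. Host names and the timeout are placeholders (assumptions). UDP ports, dynamic RPC high ports and inbound-only requirements such as SMTP port 25 cannot be probed with a TCP connect and are only noted.

```powershell
# Added example (not from the TechNet article): outbound TCP reachability check
# for the port requirements in this article. Save as Test-ExtranetPorts.ps1 and
# run on the server whose role you pass in, e.g.:
#   .\Test-ExtranetPorts.ps1 -Role WebServer
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('WebServer', 'PerimeterDomainController')]
    [string] $Role,
    [int] $TimeoutMs = 3000
)

# Placeholder host names for the environment; replace with your own.
$Targets = @{
    DatabaseServer = 'sql01.corp.example'          # database server in the corporate network
    QueryServer    = 'query01.perimeter.example'
    PerimeterDC    = 'dc01.perimeter.example'
    DnsServer      = 'dc01.perimeter.example'      # often the same computer as the perimeter DC
    CorporateDC    = 'dc01.corp.example'           # reached through ISA Server B (routed, not NAT)
}

# Required outbound TCP ports per role, taken from the article's tables.
# Each entry: target key, TCP port, and the article's callout or condition.
$Requirements = @{
    WebServer = @(
        @{ Target = 'DatabaseServer'; Port = 1433;  Note = 'Callout 4: default instance (customizable)' },
        @{ Target = 'QueryServer';    Port = 445;   Note = 'Callout 2: direct-hosted SMB (recommended)' },
        @{ Target = 'QueryServer';    Port = 56737; Note = 'Callout 3: Office Server Web Services' },
        @{ Target = 'QueryServer';    Port = 56738; Note = 'Callout 3: Office Server Web Services (SSL)' },
        @{ Target = 'PerimeterDC';    Port = 445;   Note = 'Directory Services (UDP 445 not probed)' },
        @{ Target = 'PerimeterDC';    Port = 88;    Note = 'Kerberos (UDP 88 not probed)' },
        @{ Target = 'PerimeterDC';    Port = 389;   Note = 'LDAP, only if LDAP authentication is configured' },
        @{ Target = 'DnsServer';      Port = 53;    Note = 'DNS (UDP 53 not probed)' }
    )
    PerimeterDomainController = @(
        @{ Target = 'CorporateDC'; Port = 135;  Note = 'RPC endpoint mapper (RPC high ports not probed)' },
        @{ Target = 'CorporateDC'; Port = 389;  Note = 'LDAP (default, customizable)' },
        @{ Target = 'CorporateDC'; Port = 636;  Note = 'LDAP SSL (default, customizable)' },
        @{ Target = 'CorporateDC'; Port = 3268; Note = 'LDAP GC' },
        @{ Target = 'CorporateDC'; Port = 3269; Note = 'LDAP GC SSL' },
        @{ Target = 'CorporateDC'; Port = 53;   Note = 'DNS (UDP 53 not probed)' },
        @{ Target = 'CorporateDC'; Port = 88;   Note = 'Kerberos (UDP 88 not probed)' },
        @{ Target = 'CorporateDC'; Port = 445;  Note = 'Directory Services (UDP 445 not probed)' }
    )
}

function Test-TcpPort {
    # Returns $true when a TCP connection to $HostName:$Port completes within the
    # timeout, $false when it is refused, times out, or the name does not resolve.
    param([string] $HostName, [int] $Port, [int] $TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws SocketException if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($req in $Requirements[$Role]) {
    $hostName = $Targets[$req.Target]
    $open = Test-TcpPort -HostName $hostName -Port $req.Port -TimeoutMs $TimeoutMs
    if ($open) { $status = 'open' } else { $status = 'BLOCKED' }
    New-Object PSObject -Property @{
        Target = "$($req.Target) ($hostName)"
        Port   = $req.Port
        Status = $status
        Note   = $req.Note
    }
}

$results | Sort-Object Status, Port | Format-Table Target, Port, Status, Note -AutoSize
```

A BLOCKED line for a port the article marks as required points at a missing firewall or router rule; an open line for a port you did not intend to allow (for example, the NetBIOS ports 137 to 139 that the article says to disable if unused) is the finding to act on first. The script only tests the direction in which the article says communication is initiated, which is also the direction the firewall rule must be written in.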

For more information about security hardening requirements related to trust relationships, see the following resources:

Hardening for content publishing

Content publishing requires one-way communication between the Central Administration site on the source server farm and the Central Administration site on the destination server farm. Hardening requirements are:

  • Port number that is used for the Central Administration site on the destination server farm.

  • TCP 80 or 443 outbound from the source farm (for Simple Object Access Protocol (SOAP) and HTTP Post).

When you configure content deployment on the source farm, you specify the account to use to authenticate with the destination farm. A trust relationship between domains is not required to publish content from one domain to the other. However, there are the following two account options for deploying content — one of which does require a domain trust relationship:

  • If the application pool account of the source farm has permissions to Central Administration on the destination farm, select the Use application pool account option. This requires a one-way trust relationship in which the domain of the destination farm trusts the domain of the source farm.

  • You can specify an account manually rather than using the source application pool account. In this case, the account does not have to exist in the network domain of the source farm. Typically, the account is unique to the destination farm. The account can authenticate using Integrated Windows authentication or basic authentication.

Connections to external servers

Several features of Office SharePoint Server 2007 can be configured to access data that resides on server computers outside of the server farm. If you configure access to data on external server computers, ensure that you enable communication between the appropriate computers. In most cases, the ports, protocols, and services that are used depend on the external resource. For example:

  • Connections to file shares use the File and Printer Sharing service.

  • Connections to external SQL Server databases use the default or customized ports for SQL Server communication.

  • Connections to Oracle typically use OLE DB.

  • Connections to Web services use both HTTP and HTTPS.

The following table lists features that can be configured to access data that resides on server computers outside the server farm.

Feature Description

Content crawling

You can configure crawl rules to crawl data that resides on external resources, including Web sites, file shares, Exchange public folders, and business data applications. When crawling external data sources, the index role communicates directly with these external resources.

For more information, see Plan to crawl content (Office SharePoint Server).

Business Data Catalog connections

Web servers and application servers communicate directly with computers that are configured for Business Data Catalog connections.

For more information, see Plan for business data connections with the Business Data Catalog.

Receiving Microsoft Office Excel workbooks

If workbooks opened on Excel Services connect to any external data sources (for example, Analysis Services and SQL Server), appropriate TCP/IP ports need to be opened for connecting to these external data sources. For more information, see Plan external data connections for Excel Services.

If Universal Naming Convention (UNC) paths are configured as trusted locations in Excel Services, the Excel Calculation Services application role uses the protocols and ports used by the File and Printer Sharing service to receive Office Excel workbooks over a UNC path.

Workbooks that are stored in content databases or that are uploaded or downloaded from sites by users are not affected by this communication.
