Plan security for an internal team or department environment (Windows SharePoint Services)

Windows SharePoint Services 3.0

Updated: April 16, 2009

Applies To: Windows SharePoint Services 3.0


Topic Last Modified: 2009-04-15

In this article:

Security guidance for an internal team or department focuses on recommending practical security configurations and settings for a team or department within a larger organization. This guidance assumes that the servers are not hosted by the primary IT team within the organization.

While the guidance for this environment requires some IT knowledge, it is not necessary for farm administrators to be dedicated IT specialists. If more specialized roles are required to implement a setting, these roles are noted.

This guidance is intended to be used together with the guidance provided in Plan secure configurations for Windows SharePoint Services features.

Review the following checklist to ensure that your plans meet the criteria for a secure server topology design.


[ ]

For a team or department deployment that has internal access only, Windows SharePoint Services 3.0 can be installed on a single server or on two servers.

[ ]

In a two-server or more deployment, the Central Administration site should be hosted on a different server than the front-end Web server, where possible. This can only be accomplished if application server roles are hosted on a different server than the front-end Web server role.

For example, if Server A hosts the front-end Web server role and Server B hosts the database and application server roles, the most secure location for the Central Administration site is on Server B. However, if Server A hosts the front-end Web server and application server roles and Server B hosts only the database role, the only option is to host the Central Administration site on Server A.

Logical architecture

[ ]

At least one zone in each Web application uses NTLM authentication. This is required for the search account to crawl content within the Web application. The search account cannot use Kerberos authentication to crawl content.

For more information, see Plan authentication methods (Windows SharePoint Services).

[ ]

When deploying custom Web Parts, ensure that only trustworthy Web Parts are deployed within Web applications that host sensitive or secure content. This protects the sensitive content against intradomain scripting attacks.

Guidance for an internal team or department environment assumes that only internal access is allowed for the servers, sites, and content and that the overall network environment is secured by policies developed by an IT department. Consequently, hardening servers for specific roles is not necessary to the same extent as for other environments. However, there are several features that require specific services or other settings that otherwise might not be configured.

The following table describes recommended hardening settings for an internal team or department.


Feature Setting

E-mail integration

If e-mail integration is enabled, the SMTP service is required on one front-end Web server.

The following table describes additional recommendations for securing Windows SharePoint Services 3.0 features. These recommendations are appropriate for an internal team or department environment.


Feature or area Recommendation


Authenticate against the existing identity management system. If this is not the Active Directory directory service, use ASP.NET forms authentication to connect to your identity management system. Using forms authentication might require assistance from the following roles:

  • ASP.NET developer to develop the authentication provider.

  • Administrator of the identity management system to which you are connecting.

Central Administration site

  • Restrict access to the Central Administration site to appropriate users only.

  • If you are enabling the Central Administration site for remote administration, secure the Central Administration site by using Secure Sockets Layer (SSL).

  • Administrators who run deployment operations must be members of the local administrators group on the server that hosts the Central Administration site.

Windows SharePoint Services Administration service

In a single-server deployment, the Windows SharePoint Services Administration service is disabled by default for the following reasons:

  • This service, which is used to run deployment tasks that are initiated from the Central Administration site, is generally not required for a single-server deployment. However, deployment tasks can be run by using the Stsadm.exe command-line tool, which does not require the use of this service.

  • The account that is used for the Central Administration site is shared with all other processes. Consequently, disabling this service results in a more secure configuration.

For a secure single-server deployment, it is recommended to:

  • Change the server farm account after running Setup.

  • Start the Windows SharePoint Services Administration service.

Performing these actions will enable you to perform deployment-related tasks directly from the Central Administration site.

This topic is included in the following downloadable book for easier reading and printing:

See the full list of available books at Downloadable books for Windows SharePoint Services.