Windows Security Model
| Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
SharePoint Team Services, a new technology from Microsoft, and Microsoft FrontPage 2002 Server Extensions rely on the security features of Microsoft Windows NT (FrontPage 2002 Server Extensions only), Microsoft Windows 2000, and Microsoft Windows Server 2003 family (FrontPage 2002 Server Extensions only) to provide security for Web site content. There are two elements in Windows security:
User authentication — the process used to validate the user account that is attempting to gain access to a Web site or network resource.
File system security — the ability to control which users gain access to which files or folders in the file system.
In addition to these elements, SharePoint Team Services and FrontPage 2002 Server Extensions include a new security feature: user roles. With user roles, you do not have to control the file and folder permissions separately, or worry about keeping your local groups synchronized with your list of Web users. You use roles to give users permissions on your Web site, and use SharePoint Team Services and FrontPage 2002 Server Extensions administration tools to add new users directly. For more information about user roles, see Managing Roles.
User Authentication
.gif "Cc767976.spacer(en-us,TechNet.10).gif")
When you use SharePoint Team Services or FrontPage 2002 Server Extensions on the Windows platform, user authentication is based on Internet Information Services (IIS) authentication methods. IIS provides five forms of user authentication:
Anonymous authentication
Basic authentication
Integrated Windows authentication
Digest Access authentication
Certificate authentication
Anonymous Authentication
Anonymous authentication provides access to users who do not have Windows NT server accounts on the server computer (for example, Web site visitors). IIS creates the anonymous account for Web services, IUSR_computername. When IIS receives an anonymous request, it impersonates the anonymous account.
Basic Authentication
Basic authentication is an authentication protocol supported by most Web servers and browsers. Although Basic authentication transmits user names and passwords in easily decoded clear text, it has some advantages over more secure authentication methods, in that it works through a proxy server firewall and ensures that a Web site is accessible by almost any Web browser. If you use Basic authentication in combination with Secure Sockets Layer (SSL) security, you can add a layer of protection to the user names and passwords, making your user information more secure.
Integrated Windows Authentication
Integrated Windows authentication (also known as Windows NT Challenge Response) encrypts user names and passwords in a multiple transaction interaction between client and server, thus making this method more secure than Basic authentication. Disadvantages are that this method cannot be performed through a proxy server firewall, and some Web browsers (most notably, Netscape Navigator) do not support it. You can, however, enable both this method and Basic authentication at the same time.
Digest Access Authentication
Digest Access authentication is similar to Basic authentication, except that a user's name and password are transmitted in a more secure format. This method requires IIS 5.0 or later on the server computer and Microsoft Internet Explorer 5 or later on the client computer. Digest Access authentication works with domain accounts only; you cannot use Digest Access authentication with local user accounts.
Certificate Authentication
Certificate authentication (also known as Secure Sockets Layer security) provides communications privacy, authentication, and message integrity for a TCP/IP connection. By using the SSL protocol, clients and servers can communicate in a way that prevents eavesdropping, tampering, or message forgery. With SharePoint Team Services or FrontPage 2002 Server Extensions, SSL ensures secure authoring across firewalls and ensures security during remote administration of SharePoint Team Services or FrontPage 2002 Server Extensions. You can also specify that SSL be used when opening a SharePoint team Web site or opening or publishing FrontPage-based Web sites.
You choose the authentication method you want to use when you set up your Web server. You cannot change the authentication method by using the SharePoint Team Services or FrontPage 2002 Server Extensions administration tools; you must use the Internet Information Services administration tool for your server computer to change the authentication method.
Note For more information about IIS authentication methods, see the topic About authentication in IIS 5.0 or IIS 4.0 online Help.
About Firewalls
SharePoint Team Services and FrontPage 2002 Server Extensions support connectivity through firewalls. Depending on your configuration, you must make sure your firewall is open for the standard HTTP ports 80 and 443. When using a firewall, you must configure your Web sites with Basic Authentication because Integrated Windows Authentication cannot pass through a firewall.
File System Security
SharePoint Team Services and FrontPage 2002 Server Extensions rely on the Windows operating system to secure the file system for your Web sites. Microsoft Windows NT (FrontPage 2002 Server Extensions only), Microsoft Windows 2000, and Microsoft Windows Server 2003 family support access control lists (ACLs) to secure files and folders.
Note ACLs are supported only by the Windows NT File System (NTFS). Because SharePoint Team Services and FrontPage 2002 Server Extensions security is in part based on ACLs, you must use NTFS on the server computer that hosts IIS and SharePoint Team Services or FrontPage 2002 Server Extensions.
The following ACLs can be given to accounts to control access to a file.
File ACL |
Description |
|---|---|
None |
User has no access to a file. |
Read (Read & Execute in Windows Server 2003 or Read Data in Windows 2000) |
User can view data in a file. |
Write (Create Files /Write Data in Windows Server 2003 or Write Data in Windows 2000) |
User can change data in a file. |
Execute (Traverse Folder/Execute File in Windows Server 2003 or Execute Data in Windows 2000) |
User can run a program file. |
Delete |
User can delete a file. |
Change Permissions |
User can change permissions on a file. |
Take Ownership |
User can take ownership of a file (note that the owner of a file also has all other permissions for that file). |
The following ACLs can be given to accounts to control access to a folder.
Folder ACL |
Description |
|---|---|
None |
User has no access to a folder. |
Read (List Folder/Read Data in Windows Server 2003 or List Folder in Windows 2000) |
User can view file names and subfolder names in a folder. |
Write (Create Files/Write Data in Windows Server 2003 or Create Files in Windows 2000) |
User can add files and subfolders to a folder. |
Execute (Traverse Folder/Execute Files in Windows Server 2003 or Traverse Folder in Windows 2000) |
User can change to subfolders. |
Delete (Delete subfolders and files in Windows 2000 and Windows Server 2003) |
User can delete subfolders. |
Change Permissions |
User can change permissions on a folder. |
Take Ownership |
User can take ownership of a folder (note that the owner of a folder also has all other permissions for that folder). |
Note For more information about ACLs, see the topics File permissions and Folder permissions in the Windows NT 4.0 or Windows 2000 online Help, or the Access control topic in the Windows Server 2003 online Help.
Managing Permissions Manually
With FrontPage 2000 Server Extensions, you could bypass the built-in security management and set permissions manually on the content of a FrontPage-based Web site. With SharePoint Team Services and FrontPage 2002 Server Extensions, the roles and permissions have been improved, and this functionality is no longer available.
Best practices for protecting your administrative credentials
Along with controlling access to the content hosted on your servers, you should also do your best to protect your administrative credentials. To help protect your server administrative credentials:
Do not browse untrusted sites while logged in as an administrator of your server.
Do not enter your administrator credentials on an untrusted or unknown site.
Be aware when the intranet zone changes (for example, when you go from an intranet to an Internet site). Usually, this zone change prompts for your credentials – do not enter them if the site is unknown or untrusted.
Set your Internet Explorer security settings to Prompt for user name and password. This gives you a warning if your credentials are sent to a site that should not require them. To specify this security setting, in Internet Explorer, on the Tools menu, click Internet Options, and then click the Security tab. Select the zone you want to change (it is recommended that you change this setting for the Internet zone and Restricted zone), and then click Custom Level. Under User Authentication, under Logon, select Prompt for user name and password.
Related Links
For more information about users and roles in SharePoint Team Services and FrontPage 2002 Server Extensions, see Managing Roles and Managing Users.
The Microsoft Technet Web site includes white papers that describe IIS security in more detail. For an overview of IIS security, see The Basics of Security. For information about IIS and security issues, see Untangling Web Security: Getting the Most from IIS Security.