SharePoint security is a term comprising multiple concepts and features. There are many layers to SharePoint security that extend beyond the application itself. In addition to SharePoint user and group security, there are considerations such as server-level security, transport-level security, patch management, and the like, that must be taken into account. Security within SharePoint itself is somewhat similar to standard NTFS file-level security, which uses distinct user and group accounts to control access to files and folders. SharePoint's security model is a variation on this theme and is familiar to administrators used to the NTFS model. That said, some distinctive traits of internal SharePoint security must be addressed before a full understanding of how to secure SharePoint can be achieved.

Reviewing SharePoint Site Groups

SharePoint Portal Server 2003 and Windows SharePoint Services utilize a series of built-in site groups to control default access to SharePoint lists, sites, areas, and workspaces. When users are added as members of one of these groups, they are granted the specific permissions defined for that group at the site level. The following site groups are available in a SharePoint Portal Server 2003 implementation:
Access to specific portions of SharePoint sites, areas, and workspaces can be granted to members of these groups, as shown in Figure 15.1. The permissions set in SharePoint use existing Active Directory accounts for authentication, but they are technically separate accounts added into SharePoint itself.

Figure 15.1. Members of site groups in a SharePoint site.

Limiting and Controlling Access to SharePoint Lists

In addition to controlling access to SharePoint sites through the site group functionality, Windows SharePoint Services offers the capability to set granular permissions at the list level. This allows administrators to restrict a specific document library within a site to specific users or groups of users, giving a higher degree of granularity than permissions established at the site level. To grant a user access to a specific list, follow these steps:
Applying security to individual lists gives administrators a greater degree of freedom than site-level permissions alone allow for.

Managing Anonymous Access to SharePoint Sites

SharePoint was designed to fit many roles. In one role, it serves as a central document-management platform for an organization, in which access to the platform is limited to employees only. Another common role for SharePoint, however, is as a portal for an organization, where access is allowed for all users on the Internet. Several large security caveats must be taken into account before deploying SharePoint in the latter scenario. Because the server is exposed to the Internet, a greater degree of care must be taken to secure its contents. In addition, support for anonymous users must be enabled to allow access from the Internet into the SharePoint site. Anonymous access can be delegated to an individual virtual server that is created for the purpose, or it can be added to the default virtual server, opening up anonymous access to an entire SharePoint site. Anonymous access is enabled in two steps. The first step involves allowing anonymous access through the IIS virtual server. The second step involves opening up access from within SharePoint itself. To perform these activities, follow these steps:
Allowing anonymous access to a SharePoint site is risky; it is a best practice to enable it only on portals that do not contain any sensitive information. In many cases, organizations deploy a separate SharePoint farm for external, anonymous access and use a different set of servers for internal employee access to ensure the security of the environment.
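Because the first step of enabling anonymous access is made at the IIS virtual server, an administrator can verify that it was switched on only where intended by reading the IIS 6 metabase. The following audit script is an added example, not code from the book or from Microsoft; it assumes it is run on a SharePoint front-end server with administrative rights and that the IIS ADSI provider (IIS://) is available, and the function and parameter names are my own.

```powershell
# Added example: report which IIS 6 web sites (SharePoint virtual servers) on this
# server have anonymous authentication enabled on their root, so that anonymous
# access can be confirmed to exist only on the virtual server meant for the Internet.
# Assumes the IIS 6 metabase ADSI provider and local administrative rights.
function Get-AnonymousAccessReport {
    param([string]$Computer = "localhost")   # assumed parameter name

    $w3svc = [ADSI]"IIS://$Computer/W3SVC"
    foreach ($site in $w3svc.psbase.Children) {
        # Only IIsWebServer nodes are web sites; skip filters, pools, and so on
        if ($site.psbase.SchemaClassName -ne "IIsWebServer") { continue }

        $siteId = $site.psbase.Name
        # AuthAnonymous on the Root virtual directory is the per-site anonymous switch
        $root = [ADSI]"IIS://$Computer/W3SVC/$siteId/Root"
        $anon = [bool]$root.psbase.Properties["AuthAnonymous"].Value

        # ServerBindings shows which IP/port/host header the site answers on
        $bindings = @($site.psbase.Properties["ServerBindings"].Value) -join ", "

        New-Object PSObject -Property @{
            SiteId           = $siteId
            Name             = [string]$site.psbase.Properties["ServerComment"].Value
            Bindings         = $bindings
            AnonymousEnabled = $anon
        }
    }
}

# List every virtual server where IIS-level anonymous access is on; each entry should
# correspond to a deliberate decision, and none should host a library with sensitive data.
Get-AnonymousAccessReport | Where-Object { $_.AnonymousEnabled } |
    Format-Table SiteId, Name, Bindings -AutoSize
```

Sites that appear in this list but were not intended for anonymous use should have the IIS setting reverted before the SharePoint-side step is ever taken.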