Understanding Internal SharePoint Security Components


SharePoint security is a term that encompasses multiple concepts and features. There are many layers to SharePoint security that extend beyond the application itself. In addition to SharePoint user and group security, there are considerations such as server-level security, transport-level security, patch management, and the like, that must be taken into account.

Security within SharePoint itself is somewhat similar to standard NTFS file-level security, which uses distinct user and group accounts to control access to files and folders. SharePoint's security model is a variation on this theme and is familiar to administrators used to this model. That said, some distinctive traits of internal SharePoint security must be addressed before a full understanding of how to secure SharePoint can be achieved.

Reviewing SharePoint Site Groups

SharePoint Portal Server 2003 and Windows SharePoint Services utilize a series of built-in site groups to control default access to SharePoint lists, sites, areas, and workspaces. When users are added as members of these particular groups, they are granted specific defined permissions at the site level. The following site groups are available in a SharePoint Portal Server 2003 implementation:

  • Reader: Membership in this site group grants access to search, list, and browse content in read-only mode.

  • Member: Members of this site group have all the access of readers, plus the capability to create personal sites and submit listings to SharePoint lists. This site group is only available by default in SharePoint Portal Server 2003, not in Windows SharePoint Services.

  • Contributor: Contributors are allowed to add content to the areas of the site in which they are granted access.

  • Web Designer: These users can modify and create web-based content in a site, such as page layout and settings.

  • Content Manager: Content managers can manage settings and content in the area in which they are granted access. This is another site group only available in SPS.

  • Administrator: As the name suggests, Administrators have full, unfettered access to a site. Membership in this group does not automatically grant membership in the local Administrators group on the physical server, however.

Access to specific portions of SharePoint sites, areas, and workspaces can be granted to members of these groups, as shown in Figure 15.1. The permissions set in SharePoint use existing Active Directory accounts for authentication but are technically separate accounts added into SharePoint itself.

Figure 15.1. Members of site groups in a SharePoint site.


Limiting and Controlling Access to SharePoint Lists

In addition to controlling access to SharePoint sites through the site group functionality, Windows SharePoint Services offers the capability to set granular permissions at a list level. This allows administrators to effectively secure a specific document library within a site to specific users or groups of users. This flexibility allows for a higher degree of granularity than permissions established at the site level. To grant a user access to a specific list, follow these steps:

1. Choose the specific list where the permissions will be applied and then click Modify Settings and Columns.

2. Click on Change Permissions for This List under General Settings on the customize page, as shown in Figure 15.2.

Figure 15.2. Applying security to individual lists.


3. Click on Add Users on the list toolbar.

4. Add the specific user in the Users text box by entering domainname\username and then choose the type of permissions required in the Permissions section, as shown in Figure 15.3. Click Next to continue.

Figure 15.3. Selecting permissions for individual lists.


5. Verify that all user settings are correct, indicate whether an email notification should be sent, and then click Finish to apply the specific permissions.

Applying security to individual lists allows administrators to have a greater degree of freedom than the site-level permissions allow for.

Managing Anonymous Access to SharePoint Sites

SharePoint was designed to be able to fit many roles. In one role, it serves as a central document-management platform for an organization, in which access to the platform is limited to employees only. Another common role for SharePoint, however, is as a portal to an organization, where access is allowed for all users on the Internet. Several large security caveats must be taken into account before deploying SharePoint in the latter scenario. Because the server is exposed to the Internet, a greater degree of care must be taken to secure its contents. In addition, support for anonymous users must be enabled to allow access from the Internet into the SharePoint site.

Anonymous access can be enabled on an individual virtual server created for that purpose, or it can be added to the default virtual server, opening up anonymous access to an entire SharePoint site. Anonymous access is enabled in two steps. The first step involves allowing anonymous access through the IIS virtual server. The second step involves opening up access from within SharePoint itself. To perform these activities, follow these steps:

1. Open Internet Information Services by clicking on Start, All Programs, Administrative Tools, Internet Information Services (IIS) Manager.

2. Expand the server, expand Web Sites, and then select the Default Web Site.

3. Right-click the Default Web Site and select Properties.

4. Select the Directory Security tab.

5. Click Edit in the Authentication and Access Control section.

6. Select Enable Anonymous Access; then click OK and click OK again.

7. In the SharePoint portal site, click on Site Settings.

8. Click Manage Security and Additional Settings.

9. Under the Users and Permissions section, select Change Anonymous Access Settings.

10. Select the level of anonymous access required. For example, selecting Areas, Content and Search allows anonymous users to access all content and search the site. Other options provide more or less access. Click OK to finish.

Allowing anonymous access to a SharePoint site is risky; it is a best practice to allow access only to portals that do not include any sensitive information. In many cases, organizations deploy a separate SharePoint farm for external, anonymous access and use a different set of servers for internal employee access to ensure security of the environment.
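The IIS half of the procedure above (steps 1 through 6) is recorded in the IIS 6 metabase as an AuthAnonymous flag on the web site's root, so an administrator can verify that only the intended external virtual server has it enabled. The following Python script is an added example, not part of the book: it audits an exported MetaBase.xml for sites that accept anonymous authentication, using a constructed sample metabase fragment; the SharePoint-side setting from steps 7 through 10 is stored by SharePoint itself and is not covered by this check.

```python
# Audit an exported IIS 6 MetaBase.xml (%windir%\system32\inetsrv\MetaBase.xml) for
# web sites that accept anonymous authentication, the setting behind Enable Anonymous Access.
import xml.etree.ElementTree as ET

# Constructed sample in the MetaBase.xml layout (not from a real server): site 1 has anonymous
# enabled on its root, site 2 sets NTLM only, site 3 sets nothing and inherits from /LM/W3SVC.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" AuthFlags="AuthNTLM"/>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" ServerBindings=":80:"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AuthFlags="AuthAnonymous | AuthNTLM"/>
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet Portal" ServerBindings=":8080:"/>
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" AuthFlags="AuthNTLM"/>
<IIsWebServer Location="/LM/W3SVC/3" ServerComment="Team Sites" ServerBindings=":81:"/>
<IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT"/>
</MBProperty>
</configuration>"""

def parse_auth_flags(value):
    """'AuthAnonymous | AuthNTLM' -> {'AuthAnonymous', 'AuthNTLM'}."""
    return {f.strip() for f in value.split("|") if f.strip()}

def effective_auth_flags(location, explicit):
    """Walk up the metabase path to the nearest node that sets AuthFlags (settings inherit)."""
    while location:
        if location in explicit:
            return explicit[location]
        location = location.rsplit("/", 1)[0]
    return set()

def anonymous_sites(xml_text):
    """One finding per virtual directory whose effective AuthFlags include AuthAnonymous."""
    nodes = {el.get("Location"): el for el in ET.fromstring(xml_text).iter() if el.get("Location")}
    explicit = {loc: parse_auth_flags(el.get("AuthFlags"))
                for loc, el in nodes.items() if el.get("AuthFlags") is not None}
    findings = []
    for loc, el in nodes.items():
        flags = effective_auth_flags(loc, explicit) if el.tag.endswith("IIsWebVirtualDir") else set()
        if "AuthAnonymous" not in flags:
            continue
        site = nodes.get("/".join(loc.split("/")[:4]))  # /LM/W3SVC/<n> is the owning web site
        attrs = site.attrib if site is not None else {}
        findings.append({"site": attrs.get("ServerComment", ""), "bindings": attrs.get("ServerBindings", ""),
                         "location": loc, "other_auth": sorted(flags - {"AuthAnonymous"})})
    return findings

if __name__ == "__main__":
    print(*anonymous_sites(SAMPLE_METABASE), sep="\n")
```

Run against a real export, any site listed that is not the dedicated external portal is a candidate for review.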




Microsoft SharePoint 2003 Unleashed (2nd Edition) (Unleashed)
ISBN: 0672328038
Year: 2005
Pages: 288