A number of factors must be considered to ensure that the user community has a positive experience with the new SharePoint 2003 environment and that it offers the appropriate level of security. There is no "one size fits all" solution for Windows SharePoint Services and SharePoint Portal Server 2003 implementations. One of the main goals of the design process is to determine what mechanisms and strategies will be used to ensure that data is secure, while being available to the internal and external users who require access to it. Performance must be kept in mind as well; excessive security features may result in unacceptably difficult access to site collections and the data contained in them.
Securing the SharePoint 2003 Environment
Chapter 15, "Implementing and Validating SharePoint Security," offers a more in-depth look at the many options available for configuring the SharePoint 2003 environment to meet the organization's security needs. These options should be discussed in more detail during the design process. A summary of the options available is as follows:
Securing the server or servers used in the SharePoint 2003 implementation is also critical to ensure the protection of the data. A number of areas need to be discussed and considered to ensure that the configuration is protected:
By reviewing the different options available during the design process, the organization can arrive at a Windows SharePoint Services or SharePoint Portal Server 2003 configuration that meets its needs and provides the right combination of protection, manageability, and availability.
SharePoint 2003 Authentication Overview
Authentication for websites based on Windows SharePoint Services is configured in Internet Information Services (IIS). The authentication method specified for a virtual server in IIS controls authentication for all top-level websites and subsites of that virtual server. The different methods of authentication should be reviewed, and the organization should decide which method or methods best meet its requirements. Windows SharePoint Services works with the following authentication methods in IIS:
Determining Which Types of Files to Block
Windows SharePoint Services allows the administrator to define which types of files should be blocked from being uploaded to a SharePoint 2003 server. For example, if all files with the .exe file extension are blocked, users can neither upload nor download a file with the .exe extension. By default, a number of standard file extensions are blocked, including any file extensions treated as executable files by Windows Explorer. The design process should discuss what additional file types should be blocked. The list of blocked file types can be changed in the future as needed, but it is helpful to have a well-thought-out plan in advance.
Deciding Whether to Permit Anonymous Access
In some Windows SharePoint Services and SharePoint Portal Server 2003 implementations, the only users who have access to the various sites are authenticated network users who have been specifically granted access to the portal, top-level site, or subsite. In other implementations, it makes sense to allow anonymous access to a virtual server and the sites it manages. For example, a nonprofit organization may want to allow visitors to one of its SharePoint 2003 sites to view the information provided without having to log in, and even to contribute to a discussion group or answer a survey. Anonymous access needs to be granted in IIS for a particular virtual server and can then be enabled or disabled for a site on that virtual server by using HTML Administration pages. IIS creates the anonymous account for web services, typically named IUSR_computername, and when IIS receives an anonymous request, it uses this account.
Use of Microsoft Single Sign-On Service
A feature that may be of interest to the organization and that is available with SharePoint Portal Server 2003 is the Microsoft Single Sign-On (MSSO) service. This service stores and maps user credentials, which eliminates the need for users to sign on again to retrieve information when portal-based applications request data from business applications. The single sign-on must be enabled on each front-end web server, on the job server, and on any server running the single sign-on service. A testing phase is recommended to ensure that the MSSO service is compatible with the other business applications in use.
Backing Up the SharePoint 2003 Environment
A key component of the design is to consider the possibilities of hardware failure or database corruption and the need to recover the data. This needs to be approached from a holistic standpoint (what if the entire SQL database needs to be restored) as well as from a site or subsite level (what if a user accidentally deletes a file from a library and wants it back). Chapter 19, "Backing up and Restoring SharePoint," provides more information on the different alternatives, which are
Site collections can also be backed up and restored by using FrontPage 2003, but this is not considered to be an enterprise backup solution. Questions that should be discussed pertaining to backing up and restoring as well as disaster recovery include
Virus Protection
A critical component in any technology environment is virus protection because any penetration of a virus can severely impact the network's performance. SharePoint 2003 requires the installation of compatible virus protection products and can then be configured to check files for viruses when a user adds a document to a document library or list, or when a user views a document in a document library or list. If a virus is found, the scanner attempts to clean the file, or if the file cannot be cleaned, blocks the file from being added or viewed. Third-party antivirus software is available from a number of companies including Trend Micro and Sybari. Enhanced features are available such as content filtering, available with Sybari's Antigen for SharePoint. Content filtering detects inappropriate content on SharePoint sites and provides options to quarantine or block accordingly. Antigen for SharePoint includes prepopulated dictionaries for content filtering. In addition, administrators can create their own dictionaries containing confidential or inappropriate keywords.