Section 2.11. Maintaining Server Security | Essential SharePoint 2007: A Practical Guide for Users, Administrators and Developers

2.11. Maintaining Server Security

Access to SharePoint sites is controlled through the authentication settings in IIS. The default setting is to use Windows integrated authentication, but sites can also use digest or basic authentication.

Digest authentication is used when SharePoint is installed in Active Directory mode (as when configured for use by an ISP). Basic authentication sends user name and password information as text, which provides less protection for that information but allows it to pass though a network firewall.

In addition, the security settings in the site's web.config file can control which users are allowed or denied permission to access the site. For example, the following settings only allow access to users with Administrative privileges on the server:

 <authentication mode="Windows" />    <authorization>          <allow roles="Administrators" />          <deny users="*" />    </authorization>    <identity impersonate="true" />

The roles attribute above refers to the Windows account group, not the SharePoint group . You can use allow and deny element to add or remove specific roles or users. For example the following element blocks the BeigeBond from access the site:

 <deny users="WOMBAT1\BeigeBond" />

The impersonate attribute determines the identity used to run applications within the SharePoint site. In this case, SharePoint . aspx pages and web parts execute using the permissions granted to the user's account.

Once a user is authenticated, SharePoint uses the members list stored in the site's content database to determine what the user can see and do. This two- tier system allows a lot of flexibility. For example, it is very easy to grant all network users access to the SharePoint site (see "Adding Members Quickly" earlier in the chapter), and then add a few specific members to a particular workspace.

SharePoint automatically blocks executable file types from being uploaded and includes a virus scanner for uploaded files. To configure these settings from SharePoint Central Administration, choose Manage blocked file types or Configure antivirus settings.

The default settings do not enable virus-checking, so it's a good idea to change that setting if your site allows access through the Internet.