Getting to Know the New and Improved Features for Administrators


SharePoint 2003 products enable administrators to perform many more administrative tasks directly from the portal interface. There is also greater integration with other software components such as Active Directory, facilitating tasks such as managing user access.

In SharePoint 2003, end users can be selectively provided with the ability to easily perform certain tasks that formerly only administrators could do.

This section highlights some of the major new features of interest to administrators.

Improvements in User and Group Management

Improvements in the area of user and group management provide for more efficient management of these entities. A tight integration with Active Directory provides dynamic and flexible user management. Users can be added to the site using one of two modes: Domain Account or Active Directory Account Creation. The mode is determined when SharePoint Services is installed. When configured in Domain Account mode, SharePoint can access the domain Active Directory to obtain user profile information. This mode can save many hours of data entry and provide consistency between SharePoint and the domain.

The alternative to obtaining user information from the domain Active Directory is to have SharePoint Portal create new user accounts when users are added to SharePoint. This mode of adding users is called Active Directory Account Creation and is used when outside users will be accessing the site, or when Internet service providers are hosting the site.

After the information has been copied to SharePoint, the SharePoint profiles can be modified by portal administrators through the browser interface. Properties can also be added to the user profile, and portal users are now an entity that can be searched.

As in SharePoint Portal 2001, site groups are used to grant and control access to SharePoint sites, and the data contained within them. A SharePoint site group can contain a Windows security group, which is a great way to minimize the management needed to control access to sites. When a new user is hired, she is added to a certain group in Active Directory, perhaps Research, and she then automatically gains access to SharePoint sites that allow this group access.

The Administration pages can be used to create cross-site groups for use across all sites in a site collection. When users are members of a cross-site group, their rights are consistent across all sites in the collection, and the administrator only has to set them up once, at the group level, as opposed to setting up rights for each individual for each site.

Improvements in Site Management

With SharePoint Portal Server 2003, site administrators can grant permission to users for creating their own sites, without having to give the users full administrative rights for the SharePoint site or site collection.

SharePoint Portal Server 2003 has a new Sites Directory page for managing sites. Through the Sites Directory, links to sites can be added and managed. Users with the appropriate permissions can create SharePoint sites from the Sites Directory, indicate whether they want the new site listed in the directory, and decide whether the new site should be indexed. The Sites Directory can be viewed based on metadata, and Web Parts are available for viewing Sites I Added, Best Bets, and Newest Sites. Another improvement in site management is the ability of administrators to set a quota for the size of a site, thereby protecting the server from "runaway" sites that use up all the server storage. If the site exceeds the size specified, an automatic notification is sent to the site owner.

Enhancements in SharePoint 2003 Security

SharePoint 2003 provides a higher level of security than was possible with SharePoint Portal 2001. To begin with, SharePoint Portal Server 2001 required IIS 5.0 and Windows 2000 Server, both of which are less secure than the current Windows Server 2003 and IIS 6.0 products, which are required by Windows SharePoint Services and SharePoint Portal Server 2003.

Many documents are available that provide extensive details of the security improvements available in Windows Server 2003 and IIS 6.0, but a quick summary of some key enhancements follows.

Windows Server 2003 security enhancements include:

  • New authentication features and enhancements: Forest Trust, Credential Manager, Constrained Delegation, Protocol Transition, .NET Passport integration with Active Directory

  • Access control: Role-based access control, URL-based access control, Software Restriction Policy (SRP)

  • Auditing: Operation-based auditing, per-user selective auditing, enhanced Logon/Logoff and Account Management auditing, Microsoft Audit Collection System (MACS)

  • Public key infrastructure: Cross-certification support, Delta Certificate Revocation Lists (CRL), key archival, auto-enrollment

  • Network security: 802.1x, Protected EAP (PEAP) authentication, improvements in IPSec

In addition, Windows Server 2003 SP1 provides additional tools for securing the Windows Server 2003 server environment.

IIS 6.0 security enhancements include:

  • Locked-down server: IIS 6.0 provides significantly improved security. IIS 6.0 ships in a locked-down state, serving only static content. Using the web service extension node, website administrators can enable or disable IIS functionality based on the individual needs of the organization.

  • Web service extensions list: The default installation of IIS will not compile, execute, or serve files with dynamic extensions. To have them served, each acceptable file extension must be added to the web service extensions list.

  • Default low-privileged account: All IIS 6.0 worker processes, by default, run as Network Service user accounts, a new built-in account type with limited operating system privileges, on Windows Server 2003. All ASP built-in functions always run as low-privileged accounts (anonymous user).

  • Authorization: IIS 6.0 extends the use of a new authorization framework that comes with Windows Server 2003. In addition, web applications can use URL authorization, in tandem with Authorization Manager, to control access.

Security features added to SharePoint 2003 include the following:

  • User authentication: Security is managed using Microsoft Windows NT users and security groups (DOMAIN\user and DOMAIN\security group).

  • SharePoint administrators group: SharePoint 2003 uses a Microsoft Windows user group that is authorized to perform administration tasks for Windows SharePoint Services but does not necessarily have administrative rights to the server itself.

  • Site groups: Provide a means of assigning rights to specific users or groups in a SharePoint site. The predefined list of site groups for each website includes Administrators, Web Designers, Contributors, and Readers.

  • Secure Sockets Layer: SharePoint 2003 supports Secure Sockets Layer (SSL) access, which uses encryption to secure data transmissions to and from the SharePoint environment.

  • Microsoft SQL Server connection security: SharePoint 2003 supports Windows NT Integrated authentication or SQL Server authentication to connect to the configuration and content databases.

  • Granular file type blocking: Specific file types can be blocked from being uploaded, thereby protecting the server from potentially damaging files, or files that don't belong in the site.

New Installation and Administration Features

There are many more new features of interest to administrators. These include features missing from the first version of SharePoint that were on wish lists, features that make it easier to migrate from SharePoint Portal 2001 to SharePoint 2003, and features to meet the expanding use of portal environments, including the following:

  • Regional settings such as time zone, language, and currency that can be specified for each site. This makes it possible to develop a site and deploy it to users in any part of the world, as opposed to maintaining separate versions of the site based on the user access point.

  • A command-line site migration tool for migrating SharePoint Team Services 1.0 sites to Windows SharePoint Services. The site migration tool can also be used to move Windows SharePoint Services sites from one server to another. For organizations that already have SharePoint Portal 2001 sites, this tool makes it easy to migrate those sites to the new version of SharePoint so that the advantages and features of SharePoint 2003 can be realized. When the environment of an organization warrants changing the configuration of existing SharePoint servers after the initial implementation, this tool provides the means for reconfiguring the servers, a task that was not easily done in SharePoint Portal 2001.

  • Support for multiple sites on a server where the sites are using different languages. For international deployments, hosting multilanguage sites on a single server can save thousands of dollars in hardware and software costs.

Introduction of Single Sign-On Capabilities

SharePoint Portal Server supports Microsoft Single Sign-On Service (SSOSrv) for storing and mapping user credentials. This prevents users from having to sign on again to retrieve information when portal-based applications request data from business applications. An enterprise application definition is used for passing credentials securely through the portal to access applications. Two types of application definitions can be used:

  • Individual Enterprise Application Definition: User manages his own credentials.

  • Group Enterprise Application Definition: User is associated with a managed account and does not know the account credentials.

Regardless of the method used, single sign-on can be a great benefit for users who will be accessing a number of applications through the portal.

Additional New Administrative and Management Features

A number of other features have been added to facilitate administration and the processes involved in managing sites.

One area of advancement is in backing up data. Administrators can use the following methods to back up SharePoint data:

  • Microsoft SQL Server 2000 tools to back up the databases

  • The Stsadm.exe command-line tool to back up individual site collections

  • The Microsoft SharePoint Migration Tool (smigrate.exe) to back up individual sites and subsites

  • FrontPage 2003 tools for site backups

  • Third-party backup products

Additional improvements include:

  • Control over inactive sites: Notifications are sent to site owners if their site has been inactive for a specified amount of time (set by the administrator). The site can be automatically deleted if it is still inactive after a specified number of notices has been sent to the site owner. This feature provides a means for easily cleaning up sites inadvertently created or no longer in use. In the prior version of SharePoint, this would have been a manual process that might have left many inactive sites using up valuable resources.

  • Administrator control of the Web Part library: The Web Part library, accessed by users for creating and personalizing sites, is maintained and controlled by a central administrator. This means that IT can test Web Parts before placing them in the library to ensure that they work properly in the organization's environment. (SharePoint Portal feature)

  • Ability to lock down web pages or Web Parts: The portal administrator can lock down specific pages, or Web Parts on a page, to prevent changes to them, thus providing a consistent interface and ensuring that important pages/Web Parts remain in the portal. (SharePoint Portal feature)

  • Virus protection: SharePoint Portal Server 2003 can work with SharePoint-compatible virus protection software to force scans of documents being uploaded or saved to the server.




Microsoft SharePoint 2003 Unleashed
Microsoft SharePoint 2003 Unleashed (2nd Edition) (Unleashed)
ISBN: 0672328038
EAN: 2147483647
Year: 2005
Pages: 288
