4.2. User Management

Windows SharePoint Services simplifies user management by relying on IIS and Microsoft Windows Server 2003 to manage user accounts and authentication. Either Windows Server 2003 or Active Directory can be used to manage the user accounts; however, IIS is always used to manage user authentication.

4.2.1. User Account Modes

Windows SharePoint Services provides two user administration modes:

  • Domain account mode

  • Active Directory account creation mode

When you or your administrator installs and configures Windows SharePoint Services on a department or company server, you choose the account mode to use in SharePoint. This is an important decision: once you select one mode, you cannot change to the other mode without uninstalling and reinstalling Windows SharePoint Services. Further, SharePoint will not run in a mixed mode.

A default Windows SharePoint Services installation uses domain account mode. Domain account mode allows users with Windows Domain accounts access to your site. This account mode is best suited when you plan to use SharePoint internally on a Windows-based network where your systems administrator controls user creation.

If you plan to use SharePoint externally, choose Active Directory account creation mode. In Active Directory account creation mode, you can create users in the SharePoint central administration web site. SharePoint then adds the user to Active Directory after creation.

4.2.2. Authentication Modes

SharePoint limits which users can access a team site through authentication. Granting a user access to a site means the user passed authentication. Denying a user access to a site means the user failed authentication. Windows SharePoint Services uses IIS to control how a user is authenticated. IIS provides four authentication methods (in order of increasing security):


Anonymous authentication

This mode grants all users access to a SharePoint site. Anonymous access contains no advanced security features. You should restrict the use of this mode to external SharePoint sites while securing all internal documents against access from anonymous users.


Basic authentication

More secure than anonymous authentication, basic authentication requires all users to provide credentials prior to accessing the site. However, transmitting the credentials poses a security risk. Credentials are passed along the network in clear text, with no encryption provided. Like anonymous access, use of this authentication mode should be restricted.


Integrated Windows authentication

This is the default authentication mode. A user provides her Windows domain account to access a SharePoint site. If a user does not have a Windows domain account, IIS prompts the user to enter a username and password.


Certificates authentication

Certificates authentication uses SSL certificates to authenticate a user. To implement this mode, you need to configure both IIS and Windows SharePoint Services to accept certificates, which must be generated by a certificate authority such as VeriSign or Thawte.

You can choose any of the four authentication methods, depending on the security needs for your site.
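
The following is an added example, not from the book: it classifies HTTP request heads by the authentication mode visible on the wire and flags Basic credentials sent without SSL, since Base64 is an encoding rather than encryption. The host name, account, password and the `classify` and `make_request` helpers are constructed for illustration.

```python
import base64

def classify(transport, raw_request):
    """Map one HTTP request head to the authentication mode it shows on the wire."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:      # skip the request line
        if not line:                                # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"mode": "anonymous", "user": None, "cleartext_credentials": False}
    auth = headers.get("authorization")
    if auth is None:
        # No credentials offered. Certificate authentication also looks like
        # this here, because it happens in the SSL handshake, not in a header.
        return result
    scheme, _, token = auth.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        result["mode"] = "basic"
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:
            result["mode"] = "basic (malformed)"
            return result
        # Base64 is an encoding, not encryption: user and password are both
        # recoverable. Only the user name is reported; the password is dropped.
        user, _, _password = decoded.decode("utf-8", "replace").partition(":")
        result["user"] = user
        result["cleartext_credentials"] = transport != "https"
    elif scheme in ("ntlm", "negotiate"):
        result["mode"] = "integrated windows"   # challenge/response, no password sent
    else:
        result["mode"] = "other: " + scheme
    return result

def make_request(auth_header=None):
    head = "GET /default.aspx HTTP/1.1\r\nHost: team.example.test\r\n"
    if auth_header:
        head += "Authorization: " + auth_header + "\r\n"
    return head + "\r\n"
# Constructed sample traffic: host, account and password are made up.
BASIC = "Basic " + base64.b64encode(b"EXAMPLE\\alice:Winter2005").decode()
NTLM = "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLES = [("http", make_request()), ("http", make_request(BASIC)),
           ("https", make_request(BASIC)), ("http", make_request(NTLM))]
if __name__ == "__main__":
    for transport, raw in SAMPLES:
        print(transport, classify(transport, raw))
```
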

4.2.3. Default User Permissions

After authenticating a user, SharePoint assigns a default set of permissions to the user. By default, new users are placed in the Reader site group (see Section 4.3). You can change this setting and grant increased access rights or even grant administrative rights. You can also create different sets of rights for different users or user groups.



    SharePoint User's Guide
    SharePoint 2007 Users Guide: Learning Microsofts Collaboration and Productivity Platform
    ISBN: 1590598296
    EAN: 2147483647
    Year: 2005
    Pages: 62
