Designing a Microsoft SharePoint 2010 Infrastructure Vol 1 part 28 potx


MCT USE ONLY. STUDENT USE PROHIBITED Designing a Security Plan 5-15

Documenting Security for Service Accounts

Key Points

Documenting your security plan is crucial. This will help you to manage the day-to-day security of your SharePoint infrastructure, troubleshoot problems, and recover from disaster. The service account configurations should be part of this documentation. You can use a worksheet to document your service account configuration. You should include the following information:

• What is the account name?
• Which service or service application does the account support?
• Is this a managed account?

Note: Always update your documentation when you make changes to any accounts.

Best Practices for Service Accounts

Key Points

The following list describes best practices for working with service accounts:

• Use managed accounts. Active Directory now includes both fine-grained password policies and managed service accounts. The former enables you to require stronger, more complex, and more frequently changed passwords for important accounts—including service accounts. The latter enables you to change a password on a service account without reconfiguring the service itself with the new password. SharePoint 2010 can use these Active Directory features to automatically reset managed account passwords, but this configuration is optional. Prior to the implementation of the automatic password change feature, updating passwords required resetting each account password in Active Directory and then manually updating account passwords on all of the services running on all the computers in the farm. To do this, you had to run the Stsadm command-line tool or use the SharePoint Central Administration Web application.
Using the automatic password change feature, you can now register managed accounts and enable SharePoint 2010 to control account passwords, based on individually configured password reset schedules. You can configure accounts used exclusively by the SharePoint farm, such as the SharePoint Farm account, SharePoint service accounts, and the application pool accounts for SharePoint Web applications, to reset automatically. Accounts that are also used by other applications, such as the SQL Service account, should not be automatically reset.

• Create separate service accounts for specific service applications. Creating separate service accounts for service applications that host sensitive data helps to secure your SharePoint infrastructure. By using separate service accounts, you can ensure that you do not assign the rights and permissions that these service applications require to generic service accounts that do not require them.

• Create separate application pool accounts for specific Web applications. Creating separate application pool accounts for service applications that host sensitive data helps to secure your SharePoint infrastructure. By using separate service accounts, you can isolate Web applications and their content to provide a more secure environment.

Lesson 3
Planning Security for Users and Groups

Designing a permission structure for users and groups that is easy to maintain and provides users with only the permissions that they require to perform their job functions is key to the security of your data. To design effective security, you must understand the structures that provide access to content in SharePoint 2010.
You must consider how to use permission levels to apply permissions for sites and site collections, how best to group users, and how to determine the most appropriate groups to use. You must also decide whether to allow anonymous access and understand the impact of permission policies.

Objectives

After completing this lesson, you will be able to:

• List the default permission levels for team sites and publishing sites.
• Describe site collections and site permissions.
• Plan permission assignment.
• Plan access for authenticated users and anonymous users.
• Plan access policies.

Permission Levels

Key Points

A permission level is a predefined set of permissions that allows users to perform a set of related tasks. For example, the Read permission level includes the View Items, Open Items, View Pages, and View Versions permissions (among others), all of which are required to read documents, items, and pages of a SharePoint site.

SharePoint 2010 includes five permission levels by default. To simplify the administration of your security plan, you should use the default permission levels whenever possible. However, you can customize the permissions in the default permission levels, with the exception of the Limited Access and Full Control permission levels. You can also create customized permission levels that contain only the specific permissions that you require.

Although you cannot directly edit the Limited Access and Full Control permission levels, you can make individual permissions unavailable for the entire Web application. This removes these permissions from the Limited Access and Full Control permission levels.

The different SharePoint 2010 site templates have different default permission levels.
For example, the following table lists the default permission levels for Team Sites in SharePoint 2010.

| Permission level | Description | Permissions included by default |
|---|---|---|
| Limited Access | Allows access to shared resources in the Web site so that users can access an item in the site. Designed to be combined with fine-grained permissions to give users access to a specific list, document library, item, or document without giving them access to the entire site. Cannot be customized or deleted. | Browse User Information, Use Client Integration Features, Open |
| Read | Allows read-only access to the Web site. | View Items, Open Items, View Versions, Create Alerts, View Application Pages, Use Self-Service Site Creation, View Pages, Browse User Information, Use Remote Interfaces, Use Client Integration Features, Open |
| Contribute | Create and edit items in the existing lists and document libraries. | Read permissions, plus: Manage Unsafe Content |
| Design | Create lists and document libraries and edit pages in the Web site. | Approve permissions, plus: Manage Lists, Add and Customize Pages, Apply Themes and Borders, Apply Style Sheets |
| Full Control | Allows full control of the scope. | All permissions |

If you use a site template other than the Team Site template, you will see a different list of default SharePoint groups. For example, the following table shows additional permission levels that are provided with the Publishing template.

| Permission level | Description | Permissions included by default |
|---|---|---|
| Restricted Read | View pages and documents. For publishing sites only. | View Items, Open Items, View Pages, Open |
| View Only | View pages, list items, and documents. If the document has a server-side file handler available, users can only view the document by using this file handler. | Limited Access permissions, plus: View Items, View Versions, Create Alerts, Create Mobile Alerts, View Application Pages |
| Approve | Edit and approve pages, list items, and documents. For publishing sites only. | Contribute permissions, plus: Override Checkout, Approve Items |
| Manage Hierarchy | Create sites and edit pages, list items, and documents. For publishing sites only. | Design permissions (minus the Approve Items permission), plus: Manage Permissions, View Usage Data, Create Subsites, Manage Web Site, Manage Alerts |

Additional Reading

For more information about how to determine permission levels and groups for SharePoint 2010, see http://go.microsoft.com/fwlink/?LinkID=200877&clcid=0x409.

Site Collections and Site Permissions

Key Points

By using permission levels, you can apply permissions at all levels in your SharePoint hierarchy to control access to content. You can give permissions for a specific site collection, site, list or library, folder, document, or item to users and groups.

Consider how tightly you want to control permissions for the site or site content. For example, you may want to control access at the site level, or you may require more restrictive security settings for a specific list, folder, or item. Your security plan should include this information and the rationale behind it. For sites that have a definite security model and structure—such as Human Resources, Communications, Portal, or Document Center—your plan should cover the permissions structure in detail. For team and project sites, you should include general security practices and guidelines in the security plan.

If your design requires local or departmental administrators to manage site collections, you can make them site collection administrators. Site collection administrators have the Full Control permission level on all Web sites in a site collection. Site collection administrators have access to content in all sites in that site collection, even if they do not have explicit permissions on that site.

Users who create sites automatically become site owners. They can perform administration tasks for the site and for any list or library in that site. Site owners receive e-mail notifications for events, such as the pending automatic deletion of inactive sites and requests for site access. If you require users to administer sites that they did not create, you can add them to the relevant site owners group.

Default Site Permissions

When a site collection is created, default groups are also created that receive specific permission levels for sites in the site collection. You should plan to use these defaults whenever possible to simplify your security plan. The groups that SharePoint creates vary depending on the template that is used. The following table describes these groups and the permission levels that SharePoint grants for team sites.

| Group name | Default permission level | Description |
|---|---|---|
| Owners | Full Control | Administrator access. |
| Designers | Design | Create lists and document libraries, edit pages, and apply themes, borders, and style sheets. |
| Members | Contribute | Add, edit, and delete items in existing lists and document libraries. |
| Visitors | Read | Read-only access. |
| Viewers | View Only | View pages, list items, and documents. |

Additional Reading

For more information about how to plan site permissions for SharePoint 2010, see http://go.microsoft.com/fwlink/?LinkID=200878&clcid=0x409.
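The permission-level and default-group structures above, carried into working PowerShell as an added example (not part of the course material): a custom level derived from the default Contribute level with the delete permissions removed, bound to its own group, followed by a group-to-level inventory for the security plan. The site URL, group name and level name are placeholders, and the script assumes it runs in the SharePoint 2010 Management Shell against the root Web of a site collection.

```powershell
# Added example (not course material): a custom permission level that is
# Contribute minus deletion, bound to a dedicated group, plus a group/level
# inventory for the security plan. Site URL, group and level names are placeholders.
# Run in the SharePoint 2010 Management Shell against the site collection's root web.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb "http://intranet.contoso.com/sites/hr"   # placeholder root web

# Derive from the default Contribute level instead of hand-listing permissions,
# so the new level stays aligned with the default the plan already documents.
$contribute = $web.RoleDefinitions["Contribute"]
$deleteBits = [long][Microsoft.SharePoint.SPBasePermissions]::DeleteListItems -bor [long][Microsoft.SharePoint.SPBasePermissions]::DeleteVersions
$mask = [long]$contribute.BasePermissions -band (-bnot $deleteBits)

$level = New-Object Microsoft.SharePoint.SPRoleDefinition
$level.Name = "Contribute (no delete)"
$level.Description = "Add and edit items in existing lists and libraries, but never delete them."
$level.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$mask
$web.RoleDefinitions.Add($level)     # throws if a level with this name already exists

# Bind the level to its own group: later changes are to membership, not to permissions.
$web.SiteGroups.Add("HR Editors", $web.AssociatedOwnerGroup, $null, "Edit HR documents without delete rights")
$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment -ArgumentList $web.SiteGroups["HR Editors"]
$assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute (no delete)"])
$web.RoleAssignments.Add($assignment)

# Inventory for the plan: which group or user holds which permission level on this site.
foreach ($ra in $web.RoleAssignments) {
    $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
    "{0,-30} {1}" -f $ra.Member.Name, $levels
}
$web.Dispose()
```

Record the inventory output in the plan next to the rationale for each non-default level, so that a later reviewer can tell a deliberate customization from drift.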
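Returning to the service-account worksheet and the managed-account practice from the first part of this page, as an added example that is not part of the course material: the script below fills in the three worksheet columns from the farm itself and enables automatic password change only for accounts the farm uses exclusively. It assumes the SharePoint 2010 Management Shell run by a farm administrator; the account names and the schedule are placeholders.

```powershell
# Added example (not course material): builds the service-account worksheet and
# applies the managed-account practice from the page. Run in the SharePoint 2010
# Management Shell as a farm administrator; account names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Index managed accounts by user name so each worksheet row can say "managed: yes/no".
$managed = @{}
Get-SPManagedAccount | ForEach-Object { $managed[$_.Username.ToLower()] = $_ }

# Worksheet rows: account name, what it supports, managed?, automatic password change?
$rows = @()
foreach ($pool in Get-SPServiceApplicationPool) {
    $rows += New-Object PSObject -Property @{
        Account  = $pool.ProcessAccountName
        Supports = "Service application pool: " + $pool.Name
    }
}
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    $rows += New-Object PSObject -Property @{
        Account  = $webApp.ApplicationPool.Username
        Supports = "Web application pool: " + $webApp.ApplicationPool.Name
    }
}
foreach ($row in $rows) {
    $acct = $managed[$row.Account.ToLower()]
    $row | Add-Member NoteProperty Managed    ($acct -ne $null)
    $row | Add-Member NoteProperty AutoChange ($(if ($acct) { $acct.AutomaticChange } else { $false }))
}
$rows | Sort-Object Account | Select-Object Account, Supports, Managed, AutoChange |
    Export-Csv -Path .\ServiceAccountWorksheet.csv -NoTypeInformation

# Enable automatic password change only for accounts used exclusively by the farm.
# The SQL service account is left alone on purpose: SQL Server also depends on it.
# The schedule string is a placeholder in the cmdlet's "monthly at <day> <time>" form.
$farmOnly = "CONTOSO\svc-sp-farm", "CONTOSO\svc-sp-apppool"   # placeholders
foreach ($name in $farmOnly) {
    Set-SPManagedAccount -Identity $name -AutoGeneratePassword `
        -Schedule "monthly at 1 02:00:00" -PreExpireDays 2 -Confirm:$false
}
```

Any row whose Managed column is False, or whose account also appears outside the farm, is the one to review by hand before it is added to the automatic-change list.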

Posted: 04/07/2014, 13:20
