
Designing a Microsoft SharePoint 2010 Infrastructure Vol 1 part 30 pps


MCT USE ONLY. STUDENT USE PROHIBITED
Designing a Security Plan 5-35

Certificates

To set up SSL encryption, you must first obtain a digital certificate. You can either submit a request to an internal CA, or you can use Certificate Services (an optional component of Windows Server® 2008) to create your own certificates for internal use. You must then install the certificate in IIS and configure the Web site to require secure communication.

Port Mappings

You should limit Internet-facing ports on your WFE servers to port 80 for HTTP and port 443 for HTTPS. You can assign a nonstandard port for Web applications by using SSL over HTTPS, but users must specify that port number to connect to the site. This may cause extra administrative effort.

Lab: Designing a Security Plan

Exercise 1: Designing for Least-Privilege Security

Scenario

Your team must develop a security plan for the Contoso, Ltd SharePoint 2010 deployment that is based on the existing logical and physical designs. The plan must conform to the principle of least privilege. You should begin by reviewing the available documentation.

The main tasks for this exercise are as follows:
1. Read the supporting information.
2. Complete the SharePoint 2010 Security Planning worksheet.

Task 1: Read the supporting information
1. Read the lab scenario.
2. Log on to 10231A-NYC-DC1-05 as CONTOSO\Ed with the password Pa$$w0rd.
3. In the E:\Labfiles\Lab05\Starter folder, review the Contoso Business Requirements.doc file.
4. In the E:\Labfiles\Lab05\Starter folder, review the Logical Architecture Diagram - Solution.vsd file.
5. In the E:\Labfiles\Lab05\Starter folder, review the SharePoint 2010 Service Applications Planning Worksheet - Solution.xlsx file.
Task 2: Complete the SharePoint 2010 Security Planning worksheet
• In the E:\Labfiles\Lab05\Starter folder, complete the worksheet in the SharePoint 2010 Security Planning Worksheet.xlsx file.

Exercise 2: Identifying and Resolving Potential Security Issues

Scenario

Your team must review the existing lab environment and ensure that it adheres to your security plan.

The main tasks for this exercise are as follows:
1. Apply least privilege to the farm account and reset IIS.
2. Create and register a new service account as a managed service account and modify which service account is used for an application pool.
3. Remove an account from the managed accounts list and reset IIS.

Task 1: Apply least privilege to the farm account and reset IIS
1. In Active Directory Users and Computers, remove the SharePoint server farm account from the Domain Admins group.
2. In SharePoint 2010 Central Administration, configure the farm account to use CONTOSO\sp-farm.
3. From an administrator command prompt, reset IIS.

Task 2: Create and register a new service account as a managed service account and modify which service account is used for an application pool
1. In Active Directory Users and Computers, in the Managed Service Accounts container, create a new service account by using the information in the following table.

   Option                                     Value
   Full name                                  SharePoint App Pool Service Account
   User logon name                            sp-apppool
   Password                                   Pa$$w0rd
   User must change password at next logon    cleared

2. In SharePoint 2010 Central Administration, register the managed account by using the information in the following table.

   Option       Value
   User name    CONTOSO\sp-apppool
   Password     Pa$$w0rd

3. Configure the SharePoint-80 Web application pool to use the CONTOSO\sp-apppool account.

Task 3: Remove an account from the managed accounts list and reset IIS
1. In SharePoint 2010 Central Administration, remove the contoso\administrator account from the managed accounts list.
2. From an administrator command prompt, reset IIS.

Exercise 3: Granting Read Access to the Production Auditors Group

Scenario

For compliance reasons, the production audit team requires access to all information in the Contoso, Ltd intranet.

The main task for this exercise is to grant a group Full Read access to a Web application.

Task 1: Grant a group Full Read access to a Web application
• In SharePoint 2010 Central Administration, grant the CONTOSO\production auditors Full Read access to the SharePoint – 80 Web application.

Module Review and Takeaways

Review Questions
1. What are the key elements of a security plan for SharePoint 2010?
2. How should you use SharePoint groups to secure a site?
3. How does SSL help to secure site content?

Best Practices Related to Designing a Security Plan

Supplement or modify the following best practices for your own work situations:
• Use the principle of least privilege when you apply permissions to users and groups.
• Consider all elements of the SharePoint 2010 security architecture when you design your security plan.
• Apply security at the highest level possible (site or site collection) and allow permission inheritance to give users permission at lower levels of the hierarchy.
• Always keep your security documentation up to date. You may require it to help you troubleshoot an excessive access issue or rebuild the security environment in the case of a catastrophic failure.
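
One way to check the result of Exercise 2 from the SharePoint 2010 Management Shell, added here as an example and not part of the courseware: it lists every identity the farm runs as and reports any that still sit in a privileged Active Directory group. It assumes the ActiveDirectory module is installed on the server; the list of groups treated as privileged is an assumption to adjust for your domain.

```powershell
# Added audit example (not courseware code). Run in the SharePoint 2010 Management Shell
# on a farm server that also has the ActiveDirectory module installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

# Assumption: groups considered too privileged for a SharePoint service identity.
$privilegedGroups = 'Domain Admins', 'Administrators'

# Collect every identity SharePoint runs as: farm account, managed accounts, app pools.
$identities = @()
$identities += New-Object PSObject -Property @{
    Role = 'Farm account'; Account = (Get-SPFarm).DefaultServiceAccount.Name }
foreach ($ma in Get-SPManagedAccount) {
    $identities += New-Object PSObject -Property @{
        Role = 'Managed account'; Account = $ma.Username }
}
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $identities += New-Object PSObject -Property @{
        Role = "App pool: $($wa.ApplicationPool.Name)"; Account = $wa.ApplicationPool.Username }
}

# Resolve nested group membership once per group, keyed by sAMAccountName.
$members = @{}
foreach ($g in $privilegedGroups) {
    $members[$g] = @(Get-ADGroupMember -Identity $g -Recursive |
        ForEach-Object { $_.SamAccountName })
}

# Compare on the account name after the backslash; in a multi-domain forest,
# compare SIDs instead so same-named accounts in other domains do not match.
$findings = foreach ($id in $identities) {
    $sam = ($id.Account -split '\\')[-1]
    foreach ($g in $privilegedGroups) {
        if ($members[$g] -contains $sam) {
            New-Object PSObject -Property @{
                Role = $id.Role; Account = $id.Account; Group = $g }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Account, Group | Format-Table Role, Account, Group -AutoSize
} else {
    'No SharePoint service identity is a member of a privileged group.'
}
```

Before the lab tasks are completed, the farm account and the contoso\administrator managed account are the entries to expect in the output; after Task 1 and Task 3 the script should report no findings.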
Module 6
Planning Authentication

Contents:
Lesson 1: Overview of Authentication
Lesson 2: Planning a Claims-Based Authentication Topology
Lesson 3: Selecting Authentication Methods
Lab: Planning Authentication

Module Overview

To be secure and usable, Microsoft® SharePoint® 2010 must be able to identify users who are attempting to access content and resources. After it identifies the user, SharePoint 2010 must validate the user to ensure that the user is permitted to access the requested resources. The process of identifying and validating the user is known as authentication, and designing an all-encompassing authentication plan is a vital part of your SharePoint 2010 infrastructure design.

Objectives

After completing this module, you will be able to:
• Describe the different authentication and authorization methods that SharePoint 2010 uses.
• Describe claims-based authentication in SharePoint 2010.
• Select the most appropriate authentication method for a given SharePoint 2010 design.

Date posted: 04/07/2014, 13:20
