Security Basics mailing list archives
RE: secure sharepoint 2010 design
From: "Boyd, Chad" <CBoyd () madden com>
Date: Mon, 9 Aug 2010 15:20:32 +0000
I'm sorry, the list moderators for the security-basics list have failed to act on your post. Thus, I'm returning it to you. If you feel that this is in error, please repost the message or contact a list moderator directly.
---Alright, I'll do that. :) A few of them are.

Network segmentation - In the event of a compromise, it's always good forethought to segment your network to limit resources to only where they are needed. I consider this standard, regardless of the question.

Server separation - I know that on WSS3, if you had search services, database services and the WFE on the same system, you would need some good hardware to handle it all. Perhaps that's better in 2010, I don't know. I do know that I have only ever set everything up on a single system once. That was in my home lab for testing. There is also a security aspect here, but I'd worry about network segmentation first. If you can get that, then by all means put your database on another box.

If this is an internal-only (Intranet) SharePoint deployment, I would still configure SSL. You can use a local CA for this if it's not going to be exposed to the outside world, but I wouldn't communicate with any web service that relies on username/passwords over HTTP. That goes double for my domain account (if you're using NTLM auth for this).

Setting the httponly in the web.config isn't that big of a deal on an Intranet-only system, but it can't hurt, and it only takes a second to change.

Always harden your web servers. Heck, always harden all of your servers. The NSA guides I provided go over several system scenario types and the best ways to secure them. There are sections for web servers, file servers, bastion hosts, domain controllers, etc. Almost all of these configs can be done through a GPO.

...and lastly the accounts. If you go to the trouble to segment your network, wouldn't it make equal sense to segment your accounts? Give them least privilege. No domain admin "just to get it working".

In all, there's not much that I provided that I wouldn't do on an internal-only system that I would do on an externally facing one. Call me paranoid (I am the security guy for my company), but it's easier for me to trust someone out in the WWW than someone in my own network. At least I can filter out the stuff from the web.

-----Original Message-----
From: Dan Lynch [mailto:DLynch () placer ca gov]
Sent: Tuesday, August 03, 2010 5:49 PM
To: Boyd, Chad; Paul Johnston; security-basics () securityfocus com
Subject: RE: secure sharepoint 2010 design
Chad,

Good list, but only applicable if one is exposing Sharepoint to the internet. The OP can correct me, but I don't believe that was in his plan. Do you think these steps are (some or all of them) appropriate in a private enterprise network only deployment?

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
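The web.config change Chad mentions is the ASP.NET httpCookies element: httpOnlyCookies="true" keeps browser script from reading the session cookie, and requireSSL="true" adds the Secure flag so the cookie is never sent over plain HTTP, which is the same reason he wants SSL even on an intranet. The script below is an added example, not code from Chad's post and not SharePoint's or Microsoft's own tooling. It audits and sets both attributes on a web.config; the file path under $env:TEMP and the minimal sample config are constructed for illustration, and it is written against PowerShell 2.0 syntax, which is what a SharePoint 2010 WFE of that era would have.

```powershell
# Added example (not from the original post): audit and set the ASP.NET cookie
# hardening in a web.config. Sample config and path below are constructed.

function Get-CookieHardening {
    param([Parameter(Mandatory=$true)][string]$Path)
    $cfg = New-Object System.Xml.XmlDocument
    $cfg.Load($Path)
    $node = $cfg.SelectSingleNode('/configuration/system.web/httpCookies')
    New-Object PSObject -Property @{
        Path       = $Path
        # Both must be literally "true"; a missing element means the defaults (off).
        HttpOnly   = ($node -ne $null -and $node.GetAttribute('httpOnlyCookies') -eq 'true')
        RequireSSL = ($node -ne $null -and $node.GetAttribute('requireSSL') -eq 'true')
    }
}

function Set-CookieHardening {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [switch]$RequireSSL   # only set this once the site is actually served over HTTPS
    )
    # web.config edits are easy to get wrong; keep a copy to roll back to.
    Copy-Item -Path $Path -Destination "$Path.bak" -Force

    $cfg = New-Object System.Xml.XmlDocument
    $cfg.Load($Path)
    $systemWeb = $cfg.SelectSingleNode('/configuration/system.web')
    if ($systemWeb -eq $null) {
        $systemWeb = $cfg.DocumentElement.AppendChild($cfg.CreateElement('system.web'))
    }
    $node = $systemWeb.SelectSingleNode('httpCookies')
    if ($node -eq $null) {
        $node = $systemWeb.AppendChild($cfg.CreateElement('httpCookies'))
    }
    $node.SetAttribute('httpOnlyCookies', 'true')   # block document.cookie access
    if ($RequireSSL) {
        $node.SetAttribute('requireSSL', 'true')    # Secure flag: never sent over HTTP
    }
    $cfg.Save($Path)
}

# Constructed sample: a minimal web.config with no cookie hardening at all.
$sample = Join-Path $env:TEMP 'web.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
</configuration>
'@ | Set-Content -Path $sample -Encoding UTF8

Get-CookieHardening -Path $sample            # before: both flags off
Set-CookieHardening -Path $sample -RequireSSL
Get-CookieHardening -Path $sample            # after: both flags on
```

Two caveats a practitioner would want: a SharePoint farm has one web.config per web application on every WFE, so an edit made by hand on one box is not enough, and it can be overwritten when the farm reapplies configuration; SharePoint's supported route for persisting such a change is the SPWebConfigModification API, which pushes it to all WFEs. And do not set requireSSL until the web application really is bound to HTTPS, otherwise ASP.NET refuses to issue the cookie at all and logins over HTTP stop working.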
Current thread:
- Re: secure sharepoint 2010 design Paul Johnston (Aug 03)
- Re: secure sharepoint 2010 design Francois Yang (Aug 03)
- Re: secure sharepoint 2010 design Paul Johnston (Aug 09)
- Re: secure sharepoint 2010 design Francois Yang (Aug 03)
- RE: secure sharepoint 2010 design Boyd, Chad (Aug 03)
- RE: secure sharepoint 2010 design Boyd, Chad (Aug 09)
- Re: secure sharepoint 2010 design Paul Johnston (Aug 10)
- RE: secure sharepoint 2010 design Boyd, Chad (Aug 10)
- Re: secure sharepoint 2010 design Ansgar Wiechers (Aug 11)