Module 4: Securing a Web Content Management System
Date published: February 2009
Summary: This paper describes the security considerations that apply to Web Content Management (WCM) solutions in Microsoft® Office SharePoint® Server 2007.
See Web Content Management Training Modules for a complete list of the available downloads.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Excel, Forefront, InfoPath, SharePoint, SQL Server, Windows, and Windows Server are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Table of Contents
Module 4: Securing a Web Content Management System
  Module 4 Overview
  Objectives
Lesson 1: Securing Servers
  Protecting Servers with Firewalls
    Using Perimeter Networks
    Important Ports
  Server Hardening for Web Content Management
    Domain Trust Relationships
    File and Printer Sharing Service
    Database Communication
    Securing the Web.config File
  Microsoft Security Products
    ISA Server and Office SharePoint Technologies
    Microsoft Forefront Security for SharePoint and Office SharePoint Technologies
Lesson 2: Network Security
  Objectives
  Using Secure Sockets Layer
    Digital Certificates
    SSL Sessions
    Implementation Options
  Using IP Security
    IP Security Policies
    IP Filter Lists
    Filter Actions
    Typical IP Security Policy
  Service Requirements for Session State
    Session State and Office SharePoint Server 2007
    Security Measures and Session State
  Secure Authentication
    Selecting Authentication Methods
    Supporting Multiple Authentication Methods
    Supporting the Indexing Service
  Locking Down Forms Pages
    Undesirable Anonymous Access
    The Lockdown Feature
Review of Module 4
Module 4 Overview
When you publish content to an anonymous, Internet-facing environment, you must take particular care to ensure that your servers and your network are secure. This module describes the security considerations that apply to Web Content Management (WCM) solutions in Microsoft® Office SharePoint® Server 2007.
Objectives
After completing this module, you will be able to:
∙ Describe techniques to secure servers in an Office SharePoint Server 2007 WCM solution (Lesson 1)
∙ Describe techniques to secure network communications in a WCM server farm (Lesson 2)
Lesson 1: Securing Servers
When you deploy a WCM solution, you must often isolate your production server farm both from the Internet and from your internal network. This lesson describes some of the measures you can take to protect your servers while still enabling legitimate anonymous users to access your content.
Objectives
After completing this lesson, you will be able to:
∙ Plan firewall configurations for a SharePoint Server 2007 WCM deployment
∙ Describe how standard server-hardening guidelines differ for WCM solutions
∙ Describe how you can use Microsoft security products to provide edge security, virus protection, and content filtering
Protecting Servers with Firewalls
Firewalls are devices that regulate connections between different networks, such as between the Internet and a corporate network. A properly configured firewall only permits network connections that have been explicitly allowed, based on the source and destination address, protocol, port number, and target application of a request. To protect an Internet-facing WCM solution with firewalls, you must understand the port numbers and protocols that Office SharePoint Server 2007 uses to communicate with clients and servers.
∙ Using Perimeter Networks
∙ Important Ports
Using Perimeter Networks
A perimeter network (also known as a demilitarized zone, DMZ, or screened subnet) sits between an organization's internal network and the Internet. The perimeter network typically contains servers such as Web servers and Mail servers that you want to expose to external users. Conceptually, a perimeter network includes two firewalls: an outer firewall between the Internet and the perimeter network, and an inner firewall between the perimeter network and the internal network. In practice, you are likely to use Microsoft Internet Security and Acceleration Server (ISA Server) or a similar product to manage the perimeter network and provide firewall functionality.
The outer firewall is configured to allow external users to connect to specific servers in the perimeter network on specific ports. For example, your outer firewall might allow connections to your Web servers on port 80 and port 443, and connections to your Mail server on port 110. Similarly, the inner firewall is configured to allow internal users to connect to specific servers in the perimeter network on specific ports. It also regulates any necessary network traffic from the perimeter network to the internal network. Together, the outer firewall and the inner firewall prevent external users from gaining access to servers in your internal network.
If you use multiple Office SharePoint Server 2007 farms for a WCM solution, only your production environment is typically exposed to external users. As such, you usually install the entire production server farm in your perimeter network. Your staging environment, together with development and test environments if you use them, is normally not exposed to external users. For this reason, you should install staging, test, and development server farms in your internal network. To deploy content from your staging environment to your production environment, you must configure your inner firewall to permit communication from the Central Administration server in your staging environment to the Central Administration server in your production environment. If you share a Shared Services Provider (SSP) across a firewall, you must configure the firewall to permit communication on the various ports that the different services use.
Finally, you should note that the recommended server farm layouts described here for WCM solutions differ from the recommended server farm layouts for other Office SharePoint Server 2007 solutions, where you are more likely to deploy Web servers in a perimeter network with Application servers and Database servers in an internal network.
Important Ports
The servers in an Office SharePoint Server 2007 server farm communicate on several different ports. If this communication occurs across a firewall, you must configure the firewall to permit communication on that particular port. The following table lists the ports that Office SharePoint Server 2007 requires for various functions.
Function: Client access
From/To:
∙ External users to Web servers
∙ Internal users to Web servers
Ports:
∙ TCP port 80
∙ TCP port 443 (SSL)

Function: Remote administration
From/To:
∙ Terminal Services jump point to all servers
Ports:
∙ RDP (TCP 3389)

Function: Administrator access to Central Administration
From/To:
∙ Internal users to the Web server that hosts the Central Administration Web site
Ports:
∙ Configured on installation

Function: File and printer sharing service
From/To:
∙ Web servers to Query servers (search requests)
∙ Index servers to Query servers (index propagation)
Ports:
∙ TCP/UDP port 445 (SMB) (recommended)
or
∙ TCP/UDP ports 137, 138, and 139 (NetBIOS)

Function: Office Server Web services
From/To:
∙ Web servers to Query servers
∙ Web servers to Index server
∙ Web servers to Excel Calculation Services host
∙ Index server to Query servers
∙ Query servers to Index server
Ports:
∙ TCP port 56737
or
∙ TCP port 56738 (SSL)
∙ (configured per SSP)

Function: Database communication
From/To:
∙ All Office SharePoint servers (regardless of role) to Database servers
Ports:
∙ TCP port 1433
∙ UDP port 1434
∙ Note: You should reassign these ports. This is described in the next section, "Server Hardening for Web Content Management."

Function: SSO service
From/To:
∙ From any server role that hosts the single sign-on (SSO) service to the encryption key server
Ports:
∙ TCP port 135
∙ Restricted high ports (for static RPC) or random high ports (for dynamic RPC)

Function: Document conversions
From/To:
∙ Web servers to document conversions services host
Ports:
∙ TCP port 8082 (Document Conversions Launcher Service)
∙ TCP port 8093 (Document Conversions Load Balancer Service)

Function: Index crawls
From/To:
∙ Index server to Web servers (or dedicated crawl server)
∙ Index server to other content sources
Ports:
∙ TCP port 80
∙ TCP port 443 (SSL)
∙ Other content source-appropriate ports

Function: Authentication and DNS
From/To:
∙ All Office SharePoint servers to DC and DNS servers
Ports:
∙ DS (TCP 445)
∙ RPC (TCP 135)
∙ DNS (UDP 53)
∙ Kerberos (UDP 88)

Function: Outbound Email
From/To:
∙ Web servers to SMTP and
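As an added example (not part of this module and not Microsoft's code), the following Python script audits a planned set of firewall allow rules against the two-firewall perimeter layout and the port table above: Internet-facing rules are limited to client access on 80/443, cross-zone access to the database server is flagged, the default SQL ports that the table says to reassign are flagged, and the staging-to-production Central Administration flow needed for content deployment must be present. The host names, zone layout, rule tuple format and the `ca_port` value are assumptions made for illustration.

```python
# Firewall-plan audit for the perimeter layout and port table in this module.
# Added example; host names, zones and the rule format are assumptions.

# Ports from the module's table that external clients legitimately need.
CLIENT_PORTS = {80, 443}
# Default SQL Server ports from the table; the module says to reassign them.
DEFAULT_DB_PORTS = {1433, 1434}

# Constructed layout: production farm in the perimeter, staging farm internal.
ZONES = {
    "internet": {"external-user"},
    "perimeter": {"prod-web", "prod-ca", "prod-sql"},
    "internal": {"staging-ca", "corp-user"},
}
HOST_ZONE = {host: zone for zone, hosts in ZONES.items() for host in hosts}
DB_SERVERS = {"prod-sql"}


def firewall_between(src, dst):
    """Which firewall a flow crosses: 'outer', 'inner', or None within one zone."""
    a, b = HOST_ZONE[src], HOST_ZONE[dst]
    if a == b:
        return None
    return "outer" if "internet" in (a, b) else "inner"


def audit(allow_rules, ca_port):
    """allow_rules: set of (src_host, dst_host, proto, port) permitted flows.
    ca_port: the Central Administration port chosen at installation (assumed).
    Returns a list of findings; an empty list means the plan matches the module."""
    findings = []
    for src, dst, proto, port in sorted(allow_rules):
        fw = firewall_between(src, dst)
        # Only client access (TCP 80/443) belongs on the outer firewall.
        if fw == "outer" and not (proto == "tcp" and port in CLIENT_PORTS):
            findings.append(f"outer firewall: {src}->{dst} {proto}/{port} is not client access (80/443)")
        # Database servers should only be reached from inside the farm's own zone.
        if dst in DB_SERVERS and HOST_ZONE[src] != HOST_ZONE[dst]:
            findings.append(f"{fw} firewall: {src} may reach database server {dst} on {proto}/{port}")
        # The module says to move SQL off its default ports.
        if dst in DB_SERVERS and port in DEFAULT_DB_PORTS:
            findings.append(f"{dst} still listens on default SQL port {proto}/{port}; reassign it")
    # Content deployment needs staging CA -> production CA through the inner firewall.
    if ("staging-ca", "prod-ca", "tcp", ca_port) not in allow_rules:
        findings.append(f"inner firewall: missing staging-ca->prod-ca tcp/{ca_port} for content deployment")
    return findings
```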