Module 4Securing a Web Content Management System.docx

Module 4: Securing a Web Content Management System

Date published: February 2009

Summary: This paper describes the security considerations that apply to Web Content Management (WCM) solutions in Microsoft Office SharePoint Server 2007.

See Web Content Management Training Modules ( for a complete list of the available downloads.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Excel, Forefront, InfoPath, SharePoint, SQL Server, Windows, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Table of Contents

Module 4: Securing a Web Content Management System
Module 4 Overview
Objectives
Lesson 1: Securing Servers
Protecting Servers with Firewalls
Using Perimeter Networks
Important Ports
Server Hardening for Web Content Management
Domain Trust Relationships
File and Printer Sharing Service
Database Communication
Securing the Web.config File
Microsoft Security Products
ISA Server and Office SharePoint Technologies
Microsoft Forefront Security for SharePoint and Office SharePoint Technologies
Lesson 2: Network Security
Objectives
Using Secure Sockets Layer
Digital Certificates
SSL Sessions
Implementation Options
Using IP Security
IP Security Policies
IP Filter Lists
Filter Actions
Typical IP Security Policy
Service Requirements for Session State
Session State and Office SharePoint Server 2007
Security Measures and Session State
Secure Authentication
Selecting Authentication Methods
Supporting Multiple Authentication Methods
Supporting the Indexing Service
Locking Down Forms Pages
Undesirable Anonymous Access
The Lockdown Feature
Review of Module 4

Module 4 Overview

When you publish content to an anonymous, Internet-facing environment, you must take particular care to ensure that your servers and your network are secure. This module describes the security considerations that apply to Web Content Management (WCM) solutions in Microsoft Office SharePoint Server 2007.

Objectives

After completing this module, you will be able to:

- Describe techniques to secure servers in an Office SharePoint Server 2007 WCM solution (Lesson 1)
- Describe techniques to secure network communications in a WCM server farm (Lesson 2)

Lesson 1: Securing Servers

When you deploy a WCM solution, you must often isolate your production server farm both from the Internet and from your internal network. This lesson describes some of the measures you can take to protect your servers while still enabling legitimate anonymous users to access your content.

Objectives

After completing this lesson, you will be able to:

- Plan firewall configurations for a SharePoint Server 2007 WCM deployment
- Describe how standard server-hardening guidelines differ for WCM solutions
- Describe how you can use Microsoft security products to provide edge security, virus protection, and content filtering

Protecting Servers with Firewalls

Firewalls are devices that regulate connections between different networks, such as between the Internet and a corporate network. A properly configured firewall only permits network connections that have been explicitly allowed, based on the source and destination address, protocol, port number, and target application of a request. To protect an Internet-facing WCM solution with firewalls, you must understand the port numbers and protocols that Office SharePoint Server 2007 uses to communicate with clients and servers.

- Using Perimeter Networks
- Important Ports

Using Perimeter Networks

A perimeter network (also known as demilitarized zone, DMZ, and screened subnet) sits between an organization's internal network and the Internet. The perimeter network typically contains servers such as Web servers and Mail servers that you want to expose to external users. Conceptually, a perimeter network includes two firewalls: an outer firewall between the Internet and the perimeter network, and an inner firewall between the perimeter network and the internal network. In practice, you are likely to use Microsoft Internet Security and Acceleration Server (ISA Server) or a similar product to manage the perimeter network and provide firewall functionality.

The outer firewall is configured to allow external users to connect to specific servers in the perimeter network on specific ports. For example, your outer firewall might allow connections to your Web servers on port 80 and port 443, and connections to your Mail server on port 110. Similarly, the inner firewall is configured to allow internal users to connect to specific servers in the perimeter network on specific ports. It also regulates any necessary network traffic from the perimeter network to the internal network. Together, the outer firewall and the inner firewall prevent external users from gaining access to servers in your internal network.

If you use multiple Office SharePoint Server 2007 farms for a WCM solution, only your production environment is typically exposed to external users. As such, you usually install the entire production server farm in your perimeter network. Your staging environment, together with development and test environments if you use them, is normally not exposed to external users. For this reason, you should install staging, test, and development server farms in your internal network. To deploy content from your staging environment to your production environment, you must configure your inner firewall to permit communication from the Central Administration server in your staging environment to the Central Administration server in your production environment. If you share a Shared Services Provider (SSP) across a firewall, you must configure the firewall to permit communication on various ports for different services.

Finally, you should note that the recommended server farm layouts described here for WCM solutions differ from recommended server farm layouts for other Office SharePoint Server 2007 solutions, where you are more likely to deploy Web servers in a perimeter network with Application servers and Database servers in an internal network.

Important Ports

The servers in an Office SharePoint Server 2007 server farm communicate on several different ports. If this communication occurs across a firewall, you must configure the firewall to permit communication on that particular port. The following table lists the ports that Office SharePoint Server 2007 requires for various functions.

| Function | From/To | Ports |
| --- | --- | --- |
| Client access | External users to Web servers; Internal users to Web servers | TCP port 80; TCP port 443 (SSL) |
| Remote administration | Terminal Services jump point to all servers | RDP (TCP 3389) |
| Administrator access to Central Administration | Internal users to Web server that hosts the Central Administration Web site | Configured on installation |
| File and printer sharing service | Web servers to Query servers (search requests); Index servers to Query servers (index propagation) | TCP/UDP port 445 (SMB) (recommended) or TCP/UDP ports 137, 138, and 139 (NetBIOS) |
| Office Server Web services | Web servers to Query servers; Web servers to Index server; Web servers to Excel Calculation Services host; Index server to Query servers; Query servers to Index server | TCP port 56737 or TCP port 56738 (SSL) (configured per SSP) |
| Database communication | All Office SharePoint servers (regardless of role) to Database servers | TCP port 1433; UDP port 1434. Note: You should reassign these ports. This is described in the next section, “Server Hardening for Web Content Management.” |
| SSO service | From any server role that hosts the single sign-on (SSO) service to the encryption key server | TCP port 135; Restricted high ports (for static RPC) or random high ports (for dynamic RPC) |
| Document conversions | Web servers to document conversions services host | TCP port 8082 (Document Conversions Launcher Service); TCP port 8093 (Document Conversions Load Balancer Service) |
| Index crawls | Index server to web servers (or dedicated crawl server); Index server to other content sources | TCP port 80; TCP port 443 (SSL); Other content source-appropriate ports |
| Authentication and DNS | All Office SharePoint servers to DC and DNS servers | DS (TCP 445); RPC (TCP 135); DNS (UDP 53); Kerberos (UDP 88) |
| Outbound Email | Web servers to SMTP and | |
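
The following is an added example, not part of the Microsoft paper: a small Python audit that checks a firewall rule set against the explicit-allow model and the port table above for the two-firewall perimeter layout. The zone names, the rule tuple layout, the sample rules and the Central Administration port value are constructed placeholders.

```python
# Added example: audit firewall rules against an explicit allow-list.
# Zone names, rule layout and SAMPLE_RULES are constructed for illustration.
from typing import NamedTuple, Union

CENTRAL_ADMIN_PORT = 12345  # placeholder: the real port is chosen at installation

class Rule(NamedTuple):
    firewall: str            # "outer" (Internet/perimeter) or "inner" (perimeter/internal)
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "any"
    port: Union[int, str]    # port number or "any"

# Flows the page describes as expected through each firewall.
ALLOWED = {
    ("outer", "internet", "web", "tcp", 80),
    ("outer", "internet", "web", "tcp", 443),
    ("inner", "internal-users", "web", "tcp", 80),
    ("inner", "internal-users", "web", "tcp", 443),
    ("inner", "ts-jump-point", "all-servers", "tcp", 3389),
    ("inner", "staging-ca", "production-ca", "tcp", CENTRAL_ADMIN_PORT),
}
# Farm and administration ports from the table; none belongs on the outer firewall.
INTERNAL_ONLY = {135, 137, 138, 139, 445, 1433, 1434, 3389, 8082, 8093, 56737, 56738}

def audit(rules):
    """Return (rule, reason) for every rule a reviewer should question."""
    findings = []
    for r in rules:
        if "any" in (r.proto, r.port):
            findings.append((r, "wildcard"))
        elif r.firewall == "outer" and r.port in INTERNAL_ONLY:
            findings.append((r, "internal-only port on outer firewall"))
        elif tuple(r) not in ALLOWED:
            findings.append((r, "not in allow-list"))
    return findings

SAMPLE_RULES = [  # constructed
    Rule("outer", "internet", "web", "tcp", 443),
    Rule("outer", "internet", "db", "tcp", 1433),
    Rule("outer", "internet", "web", "tcp", 3389),
    Rule("inner", "internal-users", "web", "any", "any"),
    Rule("inner", "staging-ca", "production-ca", "tcp", CENTRAL_ADMIN_PORT),
    Rule("inner", "perimeter", "internal-db", "tcp", 1433),
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{reason}: {rule}")
```

Any flow that crosses a firewall for a legitimate reason, such as an SSP shared across the inner firewall, has to be added to the allow-list deliberately, which keeps the rule set tied to the documented port table.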
