SharePoint Day to Day with EROL

About security options

Microsoft Windows SharePoint Services relies on the security features of the Microsoft Windows .NET Server family to provide security for Web site content. There are two elements in Windows security:
  • User authentication — the process used to validate the user account that is attempting to gain access to a Web site or network resource.
  • File system security — the ability to control which users gain access to which files or folders in the file system.

In addition to these elements, Windows SharePoint Services includes or takes advantage of the following elements that interact with and affect your security:

  • SharePoint administrative group — a Windows user group authorized to perform administrative tasks for Windows SharePoint Services.
  • User groups — a means of controlling the rights assigned to particular users or groups in a Web site based on Windows SharePoint Services.
  • Secure administrative port — the administrative port is secured by using Secure Sockets Layer (SSL) security or by configuring the firewall to not allow external access to the administration port, or both.
  • Secure SQL Server connections — either SQL Server authentication or Windows NT Integrated authentication is used to connect you to your SQL Server databases.
  • Auditing — the operating system auditing tools used to document and view actions that occur on the server computer running Windows SharePoint Services.
  • Firewall protection — Windows SharePoint Services can work inside or through your organization's firewall.

User authentication

User authentication for Windows SharePoint Services is based on Internet Information Services (IIS) authentication methods. Windows SharePoint Services can be used with the following forms of user authentication:

  • Anonymous authentication
  • Basic authentication
  • Integrated Windows authentication
  • Digest and Advanced Digest authentication
  • Certificates authentication (SSL)

You choose the authentication method you want to use when you set up your Web server. You cannot change the authentication method by using the Windows SharePoint Services administration tools; you must use the Internet Information Services administration tool for your server computer to change the authentication method. For more information about setting an authentication method, see Configuring Authentication.

Note: For more information about IIS authentication methods, see the topic About authentication in IIS 6.0 online Help.

Anonymous authentication

Anonymous authentication provides access to users who do not have Windows NT server accounts on the server computer (for example, Web site visitors). IIS creates the anonymous account for Web services, IUSR_computername. When IIS receives an anonymous request, it impersonates the anonymous account. You can enable or disable anonymous access in IIS for a particular virtual server, and enable or disable anonymous access for a site on that virtual server by using HTML Administration pages. For more information about configuring anonymous access for a site, see Assign Permissions to Users and Groups.

Basic authentication

Basic authentication is an authentication protocol supported by most Web servers and browsers. Although Basic authentication transmits user names and passwords in easily decoded clear text, it has some advantages over more secure authentication methods, in that it works through a proxy server firewall and ensures that a Web site is accessible by almost any Web browser. If you use Basic authentication in combination with Secure Sockets Layer (SSL) security, you can add a layer of protection to the user names and passwords, making your user information more secure.

Integrated Windows authentication

Integrated Windows authentication (also known as Windows NT Challenge Response) encrypts user names and passwords in a multiple transaction interaction between client and server, thus making this method more secure than Basic authentication. Disadvantages are that this method cannot be performed through a proxy server firewall, and some Web browsers (most notably, Netscape Navigator) do not support it. You can, however, enable both this method and Basic authentication at the same time, and most Web browsers will select the most secure option (for example, if both Basic and Integrated Windows authentication are enabled, Internet Explorer will try Integrated Windows authentication first).

Digest and Advanced Digest authentication

Digest authentication and Advanced Digest authentication are similar to Basic authentication, except that a user's name and password are transmitted in a more secure format. With Advanced Digest authentication, the user name and password are stored as an MD5 hash in the domain controller. This method requires Microsoft Internet Explorer 5.0 or later on the client computer. Digest authentication works with domain accounts only; you cannot use Digest authentication with local user accounts.
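The contrast drawn above between Basic and Digest authentication, as an added worked example (not code from the original page or from Windows SharePoint Services): decoding a captured Basic header recovers the password outright, whereas the RFC 2617 Digest exchange only carries MD5 hashes, and the server can verify the client's response while storing nothing more than HA1 = MD5(user:realm:password), which is the hash Advanced Digest keeps in the domain controller. All header values, the realm "sharepoint" and the nonces are constructed sample data.

```python
import base64
import hashlib
import hmac


def decode_basic(authorization_header: str) -> tuple[str, str]:
    """Recover user name and password from a Basic Authorization header.

    Basic auth is base64 encoding, not encryption: whoever can read the
    request (no SSL) gets the credentials back with this single call."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). This is the only credential material the
    server needs to keep; the clear-text password never has to be stored."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client side of RFC 2617 with qop=auth:
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri).
    The password itself is never placed on the wire."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare
    in constant time. A replayed response fails once the nonce changes."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


# Constructed sample: "alice:s3cret" base64-encoded, as a sniffer would see it.
SAMPLE_BASIC_HEADER = "Basic YWxpY2U6czNjcmV0"
```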

Certificates authentication (SSL)

Certificates authentication (also known as Secure Sockets Layer security) provides communications privacy, authentication, and message integrity for a TCP/IP connection. By using the SSL protocol, clients and servers can communicate in a way that prevents eavesdropping, tampering, or message forgery. With Windows SharePoint Services, SSL ensures secure authoring across firewalls and ensures security during remote administration of Windows SharePoint Services. You can also specify that SSL be used when opening a Web site based on Windows SharePoint Services.

The SharePoint administrative group

To install Windows SharePoint Services, you must be a member of the local administrators group on the server computer. This group also gives users the permissions needed to control settings on the Central Administration pages, and to run the command-line tool Stsadm.exe. In addition to the local administrators group, Windows SharePoint Services allows you to identify a specific domain group to allow administrative access to Windows SharePoint Services. You can add users to this group rather than to the local administrators group, to separate administrative access to Windows SharePoint Services from administrative access to the local server computer. Members of the SharePoint administrator's group do not have access to the IIS metabase, so they cannot perform the following actions for Windows SharePoint Services:

  • Extend virtual servers (they can, however, create root Web sites or change settings for a virtual server).
  • Manage paths.
  • Change the SharePoint administrator's group.
  • Change the configuration database settings.

Members of the SharePoint administrator's group can perform any other administrative action using the command line, HTML Administration pages, or object model for Windows SharePoint Services.

Members of both the SharePoint administrators group and the local machine administrators group have rights to view and manage all sites created on their servers. This means that a server administrator can read documents or list items, change survey settings, delete a site, or perform any action on a site that the site administrator can perform.

Windows SharePoint Services user groups

Windows SharePoint Services includes user groups to help you assign particular rights to users. With user groups, you do not have to control the file and folder permissions separately, or worry about keeping your local groups synchronized with your list of Web users. You use groups to give users permissions on your Web site, and use Windows SharePoint Services administration tools to add new users directly.

In effect, user management is delegated from server administrators to the site owners or administrators. Site administrators control site access and by default, have rights to add, delete, or change group membership for users. Inside an organization, this typically means that site administrators can select users from the list of the organization's users, and grant them access to varying degrees. For example, if the Windows SharePoint Services Web site is for members of a particular workgroup to share documents and information, the site administrator would add members of that workgroup to the site and assign them to the contributor group, so that they can add documents and update lists. In an ISP or Extranet environment, a site owner can add new users and create accounts in an Active Directory group, perhaps using separate user lists for each top-level Web site. The site administrator adds the users to the Web site and Windows SharePoint Services automatically adds the users to the Active Directory.

Note that administrators of a top-level Web site can control more options than administrators of a subweb. Administrators of a top-level Web site can perform actions such as enabling or disabling Web document discussions or Alerts, viewing usage and quota data, and changing anonymous access settings.

Securing the administrative port

If a malicious user can gain access to your administrative port, he or she can potentially block other users from accessing their sites, or can change or delete content from the sites, or even completely disable your Web server. It is important to secure access to the Windows SharePoint Services administration port, and you can do so by using the following methods:

  • Use Secure Sockets Layer (SSL) encryption

    If you want to be able to administer Windows SharePoint Services across an Internet connection, use SSL to provide secure communication between a client machine and the server, even across the Internet. To use SSL, you must first configure SSL in IIS, and then use the command line to configure Windows SharePoint Services. Note that when you use SSL, the URL for SharePoint Central Administration changes from http:// to https://. For more information about configuring SSL, see Configure Authentication.

  • Use a firewall or IIS to restrict external access to certain domains

    You can use the settings for your firewall to block access to the administrative port altogether (if you don't need to allow administration over the Internet), or to restrict access to the administrative port to certain domains. Use the stsadm -o setadminport operation to set each server in your Web farm to the same port number, and configure the firewall to protect that port on all servers. Alternatively, you can use the IP and name restrictions feature in IIS to restrict access to specific domains (you must set this for each virtual server that you want to protect). For more information about protecting a port in IIS, see the Securing Your Site with IP Address Restrictions topic in the IIS Help system.

  • Use the SharePoint administrators group to restrict internal access

    Use the SharePoint administrators group to control which users can access SharePoint Central Administration. Only the domain group you specify, and local machine administrators, can then access the administrative port. Limit the local machine administrator access to only a few machine operators.

  • Use Integrated Windows authentication instead of Basic authentication

    When you use Integrated Windows authentication, only users with accounts in your domain can gain access to your server. Basic authentication is less secure.

  • Disable anonymous access

    Allowing anonymous access makes your server inherently less secure. If an anonymous user can get access to your server, they can change settings or content, and their actions cannot be traced to a real user account. Be sure to disable anonymous access for the administration port.

Securing SQL Server connections

If you are using SQL Server instead of MSDE for your databases, you can choose between the following two security methods for your interactions between Windows SharePoint Services and SQL Server:

  • Windows NT Integrated authentication — connect to SQL Server using an IIS application pool. This method is the more secure option, and is the default authentication type for Windows SharePoint Services installations with SQL Server.
  • SQL Server authentication — connect to SQL Server using credentials you type in Windows SharePoint Services administrative controls.

About Windows NT Integrated authentication

With Windows NT Integrated authentication, you use the IIS application credentials and the IIS application process (called an application pool) to connect to the database. The credentials are stored securely in the IIS metabase with other IIS worker processes. When Windows SharePoint Services connects to the SQL Server database, it runs under its usual process, and uses the IIS process for the connection. This configuration can occasionally require a few more steps in a clustered server environment. For example, if your domain has a policy requiring frequent password resets, you must remember to change the password in IIS for every server computer in your cluster.

You can have a single process for all of your virtual servers, or you can isolate each virtual server with its own application pool. Using separate processes is more secure. For example, if you have a custom script running for one virtual server, it could potentially be written to access pages in another virtual server if they are sharing an application pool. If they have separate application pools, the script would be unable to authenticate for the database across virtual servers.

About SQL Server authentication

SQL Server authentication uses the system administrator (sa) account and password stored in the SQL Server database to connect between Windows SharePoint Services and the databases. This same account name and password are used for all updates to the databases, no matter which server (in a Web farm) or virtual server (Web farm or single server) requests the update. Also, when you use SQL Server authentication, the password for the administrator account is sent over the network, and can potentially be detected by malicious users. It is recommended that you use Windows NT Integrated authentication for connections between Windows SharePoint Services and the SQL Server backend databases.

About firewalls

Windows SharePoint Services supports connectivity through firewalls. Depending on your configuration, you must make sure your firewall is open for the standard HTTP ports 80 and 443. When using a firewall, you must configure your Web sites with Basic Authentication because Integrated Windows Authentication cannot pass through a firewall.

14/06/2003


Send an e-mail to EROL GIRAUDY (note the "nospam" in the e-mail address) for any question or remark concerning this Web site, and see the Terms of Use and CNIL section. Copyright © 2005 EROL (the acronyms and logos below are the property of: Microsoft, Supinfo, Adobe, Compaq, HP, Sybari, Veritas, Moreover, K-map, Vyapin, Plumtree, Ixos, TooStore, K-Map, eRoom, DocKIT, NQL, Only4gurus, Nsius, Sharepointexperts, Iora, Erol, KCura, FrontPages, Nsi, Frontlook, IBuySpyPortal, moreover, slipstick, networknowledge, clubsps.org) MEGJIC, MEG-JIC
Last modified: Friday, 27 May 2005 19:04