Monday, 1 December 2008

SharePoint - Reporting Services Integration

I always have a problem setting up the Project Properties in Business Intelligence Development Studio when I need to deploy reports to a Reporting Services-integrated SharePoint site: whether to use a full site URL, whether to put a slash at the end or not, and so on.

The following are the settings which work for me (MOSS 2007 / SQL Server 2005):
TargetDataSourceFolder: http://servername/sites/SiteCollection/Site/subsite/DataSources
TargetReportFolder: http://servername/sites/SiteCollection/Site/subsite/Reports
TargetServerURL: http://servername/sites/SiteCollection/site/subsite

As you can see you need to specify the full URL and no ending slashes, otherwise you'll get obscure errors like:
the name of the item '' is not valid. The name must be less than 128 characters long. The name must not start with slash; other restrictions apply.

Friday, 28 November 2008

Active Directory Forms Based Authentication

Recently we needed to use Forms Based Authentication with Active Directory from an Extranet. This is how we got it to work.

1. Extend the Web Application
Instead of tweaking the internal web app, extend the web application you want to expose to the extranet, giving it the required host headers etc.

2. Configure SharePoint Central Admin to use FBA for the "new" Web Applications

Log in to SharePoint Central Admin.
Go to Application Management / Application Security / Authentication Providers and change the Web Application to the one which needs to be configured for Forms Based Authentication.
Click zone / default, change the authentication type to Forms, enter the name of the ActiveDirectoryMembershipProvider under membership provider name (for example, "ADMembershipProvider") and save this change.

3. Update the web.config of the SharePoint Central Admin site
Under the configuration node:
<connectionStrings>
  <add name="ADConnectionString" connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />
</connectionStrings>

Under the system.web node:
<membership defaultProvider="ADMembershipProvider">
  <providers>
    <add name="ADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnectionString"
         connectionUsername="xxx" connectionPassword="yyy"
         enableSearchMethods="true"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

4. Update the web.config of the SharePoint Web Application
Repeat step 3 for the web.config of the SharePoint web application to be configured for Forms Based Authentication.
Change the authentication in web.config to:
<authentication mode="Forms">
<forms loginUrl="/_layouts/login.aspx"></forms>
</authentication>

5. Grant Access on the extended Web Application
Your extranet web application is now configured to use FBA. However, until users, who will be accessing the site via FBA, are given permissions for the site, it will be inaccessible to them.

To get started, open your browser and navigate to your farm’s Central Administration site. Click on Application Management and then click on Policy for Web Application. Make sure that you are working on the extranet web application. Do the following steps:
Click on Add Users.
In the Zones drop down, select the appropriate Extranet zone. IMPORTANT: If you select the incorrect zone, you may not be able to resolve user names. Hence, the zone you select must match the zone of the web application that is configured to use FBA.
Click the Next button.
In the Users edit box, type the name of the FBA user whom you wish to have full control for the site.
Click the Resolve link next to the Users edit box. If the web application's FBA information has been configured correctly, the name will resolve and become underlined.
Check the Full Control checkbox.
Click the Finish button.

Resources:
http://blogs.msdn.com/solutions/archive/2007/08/27/forms-based-authentication-fba-in-wss-3-0-moss-2007.aspx
http://blogs.msdn.com/sharepoint/archive/2006/08/16/702010.aspx

Monday, 11 August 2008

SharePoint List Filter - Making it work

The SharePoint List Filter is a webpart which offers nice out of the box filtering benefits especially when linking lists to each other (using Lookups) or otherwise.

Strangely, it's not extremely straightforward to use, and I had been getting the following error over and over again, much to my disappointment:

"An error occurred while retrieving the filter values. One or more columns used for the filter does not exist."

The error is not very enlightening, although it does offer a hint as to why the problem might be occurring: the column used for display. The issue I was having is that I was using the Filter List View as the column for the filter, and choosing the Title. By default the Title column is linked to the Context Menu, which causes the filter to screw up. So how do you solve it?

Create a new List, based on the Title, however link to Title only, not the Title with a link to the Context Menu. Create the filter based on this view and it will all work nicely :)

Tuesday, 22 July 2008

MOSS 2007 Group By - Performance Issues

Performance issues occur when Group By is used on large filters.

http://www.dailycode.net/blog/post/MOSS-2007-list-performance-drop.aspx

Tuesday, 27 May 2008

Recover a deleted site collection from SQL Backup

Solution from Mauro Cardarelli's blog: http://blogs.officezealot.com/mauro/archive/2007/12/12/20674.aspx


In this scenario, let's assume that you have NOT been doing site collection backups but you do have SQL backups. You notice that last night's content database backup is considerably smaller than the night before (yes, you have been saving multiple days of backups). Phew! Your data is all there; we just need to reconnect it. Here's how:
1. Create a new database and restore (through SQL Server) the last good database into it
2. At the command prompt, use stsadm command to add the content database to your site
stsadm.exe -o addcontentdb -url <URL> -databasename <database name> -databaseserver <database server>
3. Run an IISRESET
4. Go to Central Administration and look at the list of content databases for your web application (under Application Management). There should be two (the old one - with zero sites - and the new one just attached). Delete the old database.
5. Done! Go to your URL... all should be good again.

Thursday, 22 May 2008

File Not Found Error

I have once again encountered the dreaded File Not Found error. The annoying thing about SharePoint is you don't get a clue where the problem is coming from.

The error was thrown just after we had performed a restore, so my guess was that something had not been restored. It turns out that in the Master Page settings there was a reference to a CSS file which was in a different Site Collection which hadn't been migrated, and this was causing the error. Luckily, even though you might think that you're screwed once you get the File Not Found error, you can still access the settings. Just paste _layouts/settings.aspx to the end of the Site Collection URL and you can play around in the settings to find what might be wrong.

Tuesday, 20 May 2008

IIS / App Pool Performance Tuning for SharePoint

Joel Oleson has a great blog about tuning IIS 6 settings for optimal SharePoint performance:

http://blogs.msdn.com/joelo/archive/2007/10/29/sharepoint-app-pool-settings.aspx

Very good read.

Wednesday, 14 May 2008

Emulating Windows Mobile 6 for SharePoint Demo

Setting up a Windows Mobile emulator has not been straightforward at all, possibly because it is the first time I am doing this. After trying over and over to install Windows Mobile 5, I went to Windows Mobile 6, because 5 refuses to live without VS2005.


The following articles explain how to connect the emulator to ActiveSync.




Friday, 25 April 2008

Extracting a DLL from the Global Assembly Cache

Sometimes you might need to access DLLs which, for various reasons, might exist only in the Windows\Assembly folder. This folder allows you to drop DLLs into it, but does not allow you to drag DLLs out.

The following workaround allows you to get access to the DLLs in the GAC.

Create a mapped drive to:

\\servername\C$\Windows\assembly

When you click on the mapped drive you will find a number of GAC folders. Browse around to find the DLL you require.

I'm not sure if this is something advisable to do, so please handle with care!

Monday, 14 April 2008

Unknown Error - Revealing the true source of the error

SharePoint has the production-friendly, but definitely developer-unfriendly, "Unknown error" page which is shown when an error is thrown. My usual way of finding the error was to look at the logs found in the 12 hive; however, it looks like there is an easier way to do this:

The SharePoint web.config is hiding this message from the user. Find the web.config for the site you normally use as your development site.

Find <SafeMode CallStack="false"> and change it to CallStack="true"
Set <customErrors mode="On"> to mode="Off"
Set <compilation batch="false" debug="false"> to <compilation batch="true" debug="true">

You will now get a hopefully less cryptic error message...
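The switches changed above and the FBA entries from the Active Directory Forms Based Authentication post (the forms login and the connectionPassword on the membership provider) live in the same web.config, so one check can confirm that a copy headed for an extranet no longer carries the development values. This is an added example, not code from the original posts; the finding names and the sample file are constructed, and requireSSL and connectionProtection are standard ASP.NET attributes that the posts do not mention.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the FBA settings and the debugging switches described
# on this page, combined into one file (not taken from a real server).
SAMPLE_WEB_CONFIG = """<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="true" />
  </SharePoint>
  <connectionStrings>
    <add name="ADConnectionString"
         connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />
  </connectionStrings>
  <system.web>
    <customErrors mode="Off" />
    <compilation batch="true" debug="true" />
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx"></forms>
    </authentication>
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="xxx" connectionPassword="yyy"
             enableSearchMethods="true" attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


def _attr(element, name, default=""):
    """Read an attribute regardless of the casing used in the file."""
    for key, value in element.attrib.items():
        if key.lower() == name.lower():
            return value.strip()
    return default


def _elements(root, tag):
    """Return every descendant element whose tag matches, ignoring case."""
    return [el for el in root.iter()
            if isinstance(el.tag, str) and el.tag.lower() == tag.lower()]


def audit_web_config(xml_text):
    """Return a sorted list of (finding_id, detail) for risky settings."""
    root = ET.fromstring(xml_text)
    findings = []

    # Debugging switches from the "Unknown Error" post left enabled.
    for el in _elements(root, "SafeMode"):
        if _attr(el, "CallStack").lower() == "true":
            findings.append(("callstack-exposed",
                             "SafeMode CallStack=true shows stack traces to users"))
    for el in _elements(root, "customErrors"):
        if _attr(el, "mode").lower() == "off":
            findings.append(("custom-errors-off",
                             "customErrors mode=Off sends raw errors to every client"))
    for el in _elements(root, "compilation"):
        if _attr(el, "debug").lower() == "true":
            findings.append(("debug-compilation",
                             "compilation debug=true is a development setting"))

    # Forms authentication: the ticket cookie should only travel over HTTPS.
    for auth in _elements(root, "authentication"):
        if _attr(auth, "mode").lower() != "forms":
            continue
        for forms in _elements(auth, "forms"):
            if _attr(forms, "requireSSL").lower() != "true":
                findings.append(("forms-cookie-without-ssl",
                                 "forms element lacks requireSSL=true"))

    # Membership providers: bind password readable by anyone who can read
    # the file, or the LDAP connection explicitly left unprotected.
    for membership in _elements(root, "membership"):
        for add in _elements(membership, "add"):
            name = _attr(add, "name", "?")
            if _attr(add, "connectionPassword"):
                findings.append(("plaintext-bind-password",
                                 "provider %s stores connectionPassword in clear; "
                                 "encrypt the section (aspnet_regiis -pe)" % name))
            if _attr(add, "connectionProtection").lower() == "none":
                findings.append(("ldap-bind-unprotected",
                                 "provider %s sets connectionProtection=None" % name))
    return sorted(findings)


if __name__ == "__main__":
    for finding_id, detail in audit_web_config(SAMPLE_WEB_CONFIG):
        print("%-26s %s" % (finding_id, detail))
```

A section already encrypted with protected configuration contains only an EncryptedData element, so its provider entries produce no findings here.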

Monday, 7 April 2008

Team-Based Development in Microsoft Office SharePoint Server 2007

Good read:
http://msdn2.microsoft.com/en-us/library/bb428899.aspx

Thursday, 3 April 2008

Migration Hassles - made easy(ier)

I stumbled across the following while struggling with some migrations, haven't had time to try it out though it looks promising!

Migrating implementations has been one of my greatest headaches since day 1, and anything which helps with this is always welcome.

Introducing the SharePoint Content Deployment Wizard. The tool provides a wizard-like approach to deploying content between SharePoint sites. The selected content is exported using the Content Migration API (PRIME), giving a .cmp file (Content Migration Package) which can be copied to other servers.
http://www.sharepointnutsandbolts.com/2007/12/introducing-sharepoint-content.html

Monday, 17 March 2008

WSS - Search Indexer

If you get the following error when trying to run a search on a WSS site:

Your search cannot be completed because this site is not assigned to an indexer. Contact your administrator for more information.

You'll need to set the indexer on the content database of the site collection. This is done by going to Central Administration > Application Management > Content Databases.

In the Search Server option, choose the Indexer which you want to index your site. Then give it time to index.

Friday, 14 March 2008

Customizing Alert Emails

You need to create a copy of AlertTemplates.xml

Create a Custom Site Definition - Link Dump

Intro: How to create your own custom site definition (Todd)
http://www.sharepointblogs.com/tbaginski/archive/2007/08/16/creating-a-custom-site-definition-in-wss-v3-moss.aspx

Creating a Site Definition from an Existing Site Definition (MSDN)
http://msdn2.microsoft.com/en-us/library/ms868598.aspx

and more generically Customizing Templates
http://msdn2.microsoft.com/en-us/library/aa151982.aspx

Creating a custom site collection that automatically creates subsites
http://suguk.org/blogs/sharepointhack/archive/2007/06/03/3595.aspx

Supported and Unsupported Scenarios:
http://support.microsoft.com/kb/898631

Basically, creating your own templates is supported, customizing the original templates is NOT supported.

File not found error when creating Site from Template

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2367212&SiteID=1

Wednesday, 5 March 2008

Filter Views based on Approval / Workflow Status

You need to create the filter based on the integer representation of the status value you are looking for, like this:

  • Not Started: 0
  • Failed on Start: 1
  • In Progress: 2
  • Error Occurred: 3
  • Canceled: 4
  • Completed: 5
  • Failed on Start (retrying): 6
  • Error Occurred (retrying): 7
  • Canceled: 15
  • Approved: 16
  • Rejected: 17

Tuesday, 4 March 2008

More Branding stuff ...

How to remove the SharePoint blue!

Joel once again to the rescue. This is quite a nice solution...

http://blogs.msdn.com/joelo/archive/2007/04/12/master-page-and-themes-on-wss-sites-in-moss.aspx

Wednesday, 27 February 2008

SharePoint 2007: Defining your own Portal Template and Customising Look and Feel

Whilst looking for a way to customize the "Custom" site template's name after creating a Site Template, I came across the following post, which looks quite interesting. It shows you how to modify the Collaboration Portal to create your own Collaboration Portal Template.

http://sharepointandstuff.blogspot.com/2007/07/customizing-out-of-box-collaboration.html

If you are looking for a way to fix the "Custom", the following post will help:

http://blogs.officezealot.com/mauro/archive/2007/06/13/20412.aspx

Apply a theme across all sites in a Site Collection
Also, if you want to apply the CSS of a particular theme across a whole site collection, or from a site and all its subsites, you'll need to do the following. You need to find the path to the theme you have chosen (e.g. /_themes/Lacquer/Lacq1011-65001.css), and then apply this to the top level site and all subsites in the Alternate CSS URL (Site Actions > Site Settings > Master Page). Once you apply the CSS to all subsites, you'll have gotten rid of the MS Blue forever ;)

Change the SharePoint Site Logo across a Site Collection
In case you want to change the Site Logo image across the whole site collection, Shane explains how to easily do this using SharePoint Designer. Basically, you need to replace the Logo placeholder in the Site Collection master page with an img tag which references your logo.

  • Browse to the top level of your site collection in the browser. Site Actions > View All Site Content. Select the Site Collection Images Library and upload your Company Logo (companylogo.gif)
  • Open SharePoint Designer 2007 and Select File, Open Site. Type the URL of the top level of your site collection. Locate the master page gallery in the left pane. _catalogs\masterpage
  • Double click the default.master (you may be prompted to check it out - if so choose yes)
  • Search For: <SharePoint:SiteLogoImage id="onetidHeadbnnr0" LogoImageUrl="/_layouts/images/titlegraphic.gif" runat="server"/>
    Replace With: <asp:Image runat="server" id="logo" ImageUrl="<%$ SPUrl:~sitecollection/sitecollectionimages/companylogo.gif %>"/>

SharePoint 2007: Show the Quick Launch in Custom Web Part Pages

Funnily, when you create a Web Part Page, the Quick Launch is not available. This has always annoyed me, because it changes the look and feel of the whole site. Looks like this can be easily fixed.

One Off Fix

  • Open the Page for editing in Sharepoint Designer
  • Remove the LeftNavBar Content Place holder from Master Page (ie. remove the content Place holder)
  • Save the Page. You can now find the Quick Launch in Web Part Page

Permanent Fix

If you have MOSS 2007, all you have to do is activate the "Office SharePoint Server Publishing" feature for your team site. Once you activate this feature, the team site will have some publishing site features: a new "pages" library will be created, and all newly created pages will be automatically stored in this library. In addition, all pages will display the same "envelope", including the missing quick launch on the left side of each page.

The only problem with this solution is that now every change you make requires publishing, and this is certainly NOT a natural part of team-site working flow.

Hack

This is the same as above fix in SharePoint Designer however the hack is on the file system and applies to all team sites created on your server. Also, if any upgrade changes these files, you'll have the "old" style again. And please backup before you change anything.

If you only have WSS installed - in this case you don't have the "Office SharePoint Server Publishing" feature installed. However, you can change the team site page templates, and have them display the quick launch.

  • Browse to the "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\1033\STS\DOCTEMP\SMARTPGS" folder on the SharePoint server. This folder contains all templates that you see in the "New Web Part Page" wizard
  • Every page inherits the same team site's master page, and all of them override this master page's placeholder tags. This is why the quick launch is not displayed in new pages created in a team site.
  • Delete the "PlaceHolderLeftNavBar" content tag in the required templates and save the file/s

References:

http://techblog.udayakumar.net/2007/08/how-to-display-quick-launch-in-web-part.html

http://kwizcom.blogspot.com/2007/05/adding-quick-launch-to-team-site-pages.html

Thursday, 7 February 2008

Google Account - Where is the My Account link?

This morning, as soon as I accessed my iGoogle page, I found the My Account link had disappeared. Instead it has been replaced by Web History and Preferences buttons, which I rarely use or need. I rarely need to edit my Preferences, whilst I access My Account at the least every few hours.

I loved the fact that My Account made all my various Google Services including, AdSense, Analytics and WebMaster tools available under a single link.

So please Google, give me back the My Account button on the iGoogle default page! Funnily, it appears after I run a search. Now why would I need to access My Account if I am searching for something?!

Update: It has re-appeared :)

Friday, 1 February 2008

SharePoint - Programming Security



Thursday, 31 January 2008

Custom SharePoint Reports using CAML

I've long wondered how the default SharePoint Site Collections reports are created, and finally I came across an article on how this is done. It seems the only thing required, is a CAML query.

The following article from the MS ECM blog explains how to create your own reports with a number of examples using CAML queries. Check it out.


A summary of how to do it:

Site Actions > Manage Content and Structure > Content and Structure Reports > New item and fill in the following information:


  • Report Title
  • Leave both Resource Ids empty, they're for internal use (?)
  • CAML List Type - You can specify a list template here if you only want your report to search through a specific type of list. For example, the out of the box "My Tasks" report specifies in this field to ensure the report only queries the My Tasks list. This SDK article has a list of these ServerTemplate values for each SharePoint list type.
  • CAML Query - The CAML query for the report
  • Target Audience - if you want the report to be targeted to a particular audience
  • Report Description


Monday, 28 January 2008

Setting up a SharePoint Development Environment

Farm (?) ish environment
http://weblogs.asp.net/erobillard/archive/2007/02/23/build-a-sharepoint-development-machine.aspx

Single Machine Environment
http://blah.winsmarts.com/2007-10-A_Single_Developers_SharePoint_2007_Development_Environment.aspx

Thursday, 24 January 2008

Integrating ASP.NET applications and SharePoint 2007

Link Dump

SharePoint 2007 - Built on ASP.NET 2.0

MOSS 2007 - Creating an ASP.NET application in the _layouts directory using Visual Studio 2005

Application Development on MOSS 2007 and WSS 3.0

ASP.NET 2.0 Web Part Infrastructure and SharePoint 2007

Write Custom WebParts for SharePoint 2007

Using ASP.NET Web Part into MOSS 2007 Web Site

Tuesday, 22 January 2008

SharePoint databases file location

Typically, for performance, backup and various other reasons, you won't want the SharePoint databases to be stored in the default locations. Unfortunately, Central Administration does not allow you to specify the actual file locations to use when it creates the databases.

So to be able to specify different locations for the mdf / ldf files, you'll need to create the databases manually beforehand and then, when creating the Configuration database or the web application (or other) databases, specify the location / name of the database you created.

If you've already created your databases, a simple way to shift them to the correct locations is to stop the SharePoint services, detach the databases, move the files to the correct locations, and then re-attach the databases. Then restart the SharePoint services. As long as the name of the database doesn't change, SharePoint won't notice that the actual file locations have changed.

The only database for which I couldn't create the database beforehand is the AdminConfig database. Please comment if you know at which point during the setup this database is created, and whether one can create this database beforehand, and point to it.

SharePoint Performance Tuning

When you are thinking in terms of large server farms, you'll need to spend some good time tuning your SharePoint setup for performance.

Joel Oleson (who else?) has a great post on performance tuning of the application pool settings.

Some people beg to differ on some of these settings, though. As always, you should test and tune and see what works best for you.

Wednesday, 16 January 2008

SharePoint Look and Feel for ASP.NET applications

Ever wondered how to get an ASP.NET application to look like SharePoint? This blog shows you how to do this.

Approach 1

Approach 2

I would recommend Approach 2 rather than approach 1

Friday, 11 January 2008

User Accounts and Rights required for a MOSS Installation

Clayton has posted a great article about accounts required for MOSS installation:

"Installing MOSS 2007 in a farm environment requires a few dedicated accounts and can be quite a confusing process. I came across a couple of great resources so I thought I would save you the heart ache and post them here. "

http://claytonj.wordpress.com/2007/04/23/moss-2007-setup-accounts/

Scroll down for table (something is screwed up with this post :\ )

Columns: Account, Purpose, Scope, Used By, Needed, Requirements

Setup User
  • Purpose: User account that is used to run setup on each server.
  • Scope: Farm
  • Used By: Person installing
  • Needed: Setup
  • Requirements: Member of the administrator group on each Web front-end (WFE) server and application server computer in the farm. Member of the following SQL Server groups with SQL Security administrator and database creator rights on SQL servers.

SQL Server Service
  • Purpose: This is the security context used By Central Administration for creating databases and other SQL configurations.
  • Scope: Farm
  • Used By: MSSQLSERVER, SQLSERVERAGENT
  • Needed: Setup
  • Requirements: Member of the administrators group on each server on which setup runs, administrators group on each SQL Server computer, database system administrator, and member of the SQL security administrator and database creator SQL Server groups.

Server Farm
  • Purpose: This account is also referred to as the database access account.
  • Scope: Farm
  • Used By: Central administration site application pool identity
  • Needed: Setup
  • Requirements: Member of administrators group on each WFE server and application server computer in the farm with SQL security administrator and database creator rights on SQL Servers. Database Owner (DBO) for all databases and additional permissions on WFE server and application server computers are automatically configured for this account when SharePoint is installed.

SSP App Pool
  • Scope: App
  • Used By: SSP App Pool Identity
  • Needed: SSP Creation
  • Requirements: No configuration is necessary. The following permissions are automatically configured for this account when SharePoint is installed: DBO for the Share Service Provider (SSP) content database, read/write permissions for the SSP content database, read/write permissions for content databases for Web applications that are associated with the SSP, read permissions for the configuration database, read permissions for the central administration content database, and additional permissions on WFE server and application server computers

SSP Service Account
  • Purpose: Used to run timer jobs and for interserver communications.
  • Scope: Farm
  • Used By: SSP Timer service; SSP Web services
  • Needed: SSP Creation
  • Requirements: Same as SSP App Pool Account

Windows SharePoint Services Search
  • Purpose: Used as the service account for the Windows SharePoint Services Search service. There is only one instance of this service, and it is used by all SSPs.
  • Scope: Farm
  • Used By: Windows SharePoint Services 3.0 Search service
  • Needed: SSP Creation
  • Requirements: Must be a domain account, but must not be a member of the farm administrators group. Permissions automatically configured for this account when SharePoint is installed include the following: read/write permissions for content databases for Web applications, read permissions for the configuration database, and read/write permissions for the Windows SharePoint Services Search database

Search Default Content Access Account
  • Purpose: The default account used by a specific SSP to crawl content. It is used when an account is not specified for a content source.
  • Scope: App
  • Used By: Windows SharePoint Services 3.0 Search service
  • Needed: SSP Creation
  • Requirements: Must be a domain account, but must not be a member of the farm administrators group. It requires read access to external or secure content sources that you want to crawl using this account. Additional permissions for this account are automatically configured when SharePoint is installed.

Search Specific Content Access Account
  • Purpose: This is an optional account that is configured to replace the default content access account to crawl a specific content source.
  • Scope: Rule
  • Used By: Windows SharePoint Services 3.0 Search service
  • Needed: Create a new crawl rule
  • Requirements: Read access to external or secure content sources that this account is configured to access.

User Profile and Properties Content Access Account
  • Purpose: Account used to connect to a directory service, such as Active Directory, a Lightweight Directory Access Protocol (LDAP) directory, Business Data Catalog (BDC) application, or other directory source and used to import profile data from a directory service. Note: If no account is specified, the Search Default Content Access account is used. If the Search Default Content Access account does not have read access to the directory or directories that you want to import data from, you will need to specify a different account. You should plan for one account per directory connection.
  • Scope: App
  • Used By: Profile Import
  • Needed: SSP Creation
  • Requirements: Read access to the directory service. For an Active Directory service connection that enables Server Side Incremental, the account must have the Replicate Changes permissions for Active Directory directory services provided by Windows 2000 Server. This permission is not required for Windows 2003 Active Directory. Manage user profiles right. View rights on entities used in Business Data Catalog import connections.

Excel Services Unattended Service Account
  • Purpose: Excel Calculation Services uses this account to connect to data sources that require user name and password strings for authentication. The SSP App Pool account is used if none is specified. For security, plan to use a low-privileged account that does not have the database privileges of the SSP App Pool Account.
  • Scope: App
  • Used By: Excel Services Service
  • Needed: SSP Creation
  • Requirements: Read/write access to the Excel data sources.

App Pool Identity
  • Purpose: Used to access content databases associated with the Web application. Plan one for each application pool.
  • Scope: App
  • Used By: Web Applications
  • Needed: App Pool Creation
  • Requirements: No configuration is necessary. SQL Server privileges that are automatically assigned to this account are member of Database Owners Group for content databases associated with the Web application, read/write access to the associated SSP database only, and read permission for the configuration database. Additional privileges for this account on WFE servers and application servers are automatically configured by SharePoint.

Thursday, 10 January 2008

Uploading documents to SharePoint 2007 via a Webservice

Web Service for uploading documents into SharePoint

http://blogs.ittoolbox.com/km/sharepoint/archives/custom-web-service-for-uploading-files-to-sharepoint-13217

Securing SharePoint 2007

Very nice post on securing your SharePoint server, especially if it is going to be exposed to the Internet. Taken from Joel Oleson's blog.

More than 25 Tips to Lockdown Your SharePoint Environment

This is not fully comprehensive, but gets you started down the right track. Some of these may not apply.

1. Configure Firewall Rules lock down to most restrictive w/ acceptable level of usability (i.e. outbound HTTP)
2. Secure client communication with trusted SSL certificates (128bit HTTPS)
3. Use IPSEC Require mode between servers (Policy) Especially for secure communication between servers and DCs * Be careful with NLB. You can do also this on your Intranet with request mode, I recommend not using client require mode for non windows and legacy clients (MAC/Unix/Win 98)
4. Enable Kerberos Authentication (Intranet) *Careful with NLB
5. SQL SSL encrypted Traffic + Non Standard Port
6. Configure Central Admin on public internet facing servers on non routable IP (Index Server) Configure 2 factor and double hop access. i.e. 2 Factor auth VPN to TS to administration server to administer farm with specific IP rules to TS box.
7. Restrict IP Traffic on Central Admin and SSP App Pools (IIS)
8. Configure Deny Policies (Not Auth Users) on Content/Admin Web Apps for Applicable Groups/Domains, configure deny policy for Server Admins on all web apps (use Special non privileged accounts for administration of SharePoint farm)
9. Configure ISA Secure Publishing (or reverse hosting) better than Router ACLs (Rejects Invalid Requests and Verbs)
10. Configure at least 1 DMZ aka 2+ Firewalls/Interfaces between corp and publicly addressable Internet
11. Test/Run Windows R2 Server SCW (Security Configuration Wizard) (Custom Template)
12. Consider Basic over SSL alternatives… SSL with FBA with Expiring Cookies
13. Configure and enforce Auditing Policies on Site Collections (Solution Deployment & Timer job), Enable WSS & MOSS Usage Reporting
14. Remove unused server side extensions (i.e. ASP, HTA, IDX, etc..) and unused .NET extensions and verbs (Debug)
15. Disable the Web Services that are not used. i.e. SSP & Central Admin
16. Ensure that Any Auth traffic is secured between DC & Servers (IPSEC)
17. Ensure inbound email services are configured for auth users, and lock down SMTP/Outbound to allow only specific IPs
18. Stop unused services (this will require testing)
19. Configure Site Collection Quotas
20. Increase blocked file types to include non approved content
21. Install Antivirus Protection (Recommended FrontBridge with Inbound scanning and regular scan of all at a minimum, filter content as well)
22. Monitor for suspicious activity & Review #Failed Login Attempts Security Logs – Use Black Ice or other intrusion Detection software on all servers in the farm with reporting and alerting
23. Lock down SSC (Self Service Creation) to few trusted Support/Service groups
24. Run service accounts with domain accounts, run SSP and Central admin with different service accounts (ensure these accounts have no special rights)
25. Lock down SQL with relevant lockdown/hardening guides, remove server admin role and rights

TechNet: Plan Security , Plan Server Hardening (Lockdown) - More detail on locking down SQL ports, securing the web services (from the file system), RPC end point for DCOM communication (excellent recommendation), list of SharePoint NT services.

  1. Configure and/or lock down Excel safe locations. This will give you more control over calc perf.
  2. Consider Extranet Mode (limited UI mode/prevents SOAP interaction and deprecates UI)
  3. Remove people picker AD lookups on extranet (stsadm -o setproperty peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode)
  4. Secure LDAPs (636) over SSL
  5. Lock down web services to the service accounts that need them (going to the files on the file system and changing file system security)
  6. Ensure outbound is restricted to only what is needed. Need to consume (outbound) XML web services or RSS feeds?
  7. Configure RPC DCOM server communication end points to static high ports
  8. Ensure Web Front Ends can talk to all Query boxes (even if they are on other web front ends)
  9. Disable Anonymous auth throughout the farm (off by default)
  10. Ensure policy against using authenticated users is well communicated and policed
    Thinking about email archiving and email enabled lists... I'd recommend not using it when internet/extranet facing. Configuration allowing anonymous email is in the site collection/list level.
  11. I'd also recommend against anonymous blog comments, there are way too many spammers out there. There isn't any approval mechanism without enabling workflows and there are a lot of potential opportunities for spammers. Overall anonymous contribution scenarios should be highly thought out.
  12. Web Based Forms and Forms Server does have some great scenarios, but if you aren't using it, lock down the anonymous posting services (disabled by default)
  13. Considering SQL auth to the SQL box in a separate locked down area? I'm a long time fan of getting the data/SQL in a separated isolated behind a firewall with no outbound holes and no service from the public DMZ accounts. I think I already mentioned it, but I'm a fan of non standard SQL ports even more than SQL traffic over SSL. If the traffic is bad who cares if it's encrypted bad traffic. Maybe I'm not the only one who spent some time with slammer.
  14. Your SharePoint farm should be on Non Routable IPs, which goes to say... not directly in DNS.

Wednesday, 9 January 2008

BI and KPIs in Analysis Services 2005

Nice introductory article to Business Intelligence and KPIs in Analysis Services 2005

http://www.databasejournal.com/features/mssql/article.php/10894_3604206_1