Thursday, 10 January 2008

Securing SharePoint 2007

Very nice post on securing your SharePoint server, especially if it is going to be exposed to the Internet. Taken from Joel Oleson's blog.

More than 25 Tips to Lockdown Your SharePoint Environment

This is not fully comprehensive, but gets you started down the right track. Some of these may not apply.

1. Configure Firewall Rules lock down to most restrictive w/ acceptable level of usability (i.e. outbound HTTP)
2. Secure client communication with trusted SSL certificates (128bit HTTPS)
3. Use IPSEC Require mode between servers (Policy), especially for secure communication between servers and DCs. *Be careful with NLB. You can also do this on your Intranet with Request mode; I recommend not using client Require mode for non-Windows and legacy clients (Mac/Unix/Win 98)
4. Enable Kerberos Authentication (Intranet) *Careful with NLB
5. SQL SSL encrypted Traffic + Non Standard Port
6. Configure Central Admin on public internet facing servers on non routable IP (Index Server) Configure 2 factor and double hop access. i.e. 2 Factor auth VPN to TS to administration server to administer farm with specific IP rules to TS box.
7. Restrict IP Traffic on Central Admin and SSP App Pools (IIS)
8. Configure Deny Policies (Not Auth Users) on Content/Admin Web Apps for Applicable Groups/Domains, configure deny policy for Server Admins on all web apps (use Special non privileged accounts for administration of SharePoint farm)
9. Configure ISA Secure Publishing (or reverse hosting) better than Router ACLs (Rejects Invalid Requests and Verbs)
10. Configure at least 1 DMZ aka 2+ Firewalls/Interfaces between corp and publicly addressable Internet
11. Test/Run Windows R2 Server SCW (Security Configuration Wizard) (Custom Template)
12. Consider Basic over SSL alternatives… SSL with FBA with Expiring Cookies
13. Configure and enforce Auditing Policies on Site Collections (Solution Deployment & Timer job), Enable WSS & MOSS Usage Reporting
14. Remove unused server side extensions (i.e. ASP, HTA, IDX, etc..) and unused .NET extensions and verbs (Debug)
15. Disable the Web Services that are not used. i.e. SSP & Central Admin
16. Ensure that Any Auth traffic is secured between DC & Servers (IPSEC)
17. Ensure inbound email services are configured for auth users, and lock down SMTP/Outbound to allow only specific IPs
18. Stop unused services (this will require testing)
19. Configure Site Collection Quotas
20. Increase blocked file types to include non approved content
21. Install Antivirus Protection (Recommended FrontBridge with Inbound scanning and regular scan of all at a minimum, filter content as well)
22. Monitor for suspicious activity & Review #Failed Login Attempts Security Logs – Use Black Ice or other intrusion Detection software on all servers in the farm with reporting and alerting
23. Lock down SSC (Self Service Creation) to few trusted Support/Service groups
24. Run service accounts with domain accounts, run SSP and Central admin with different service accounts (ensure these accounts have no special rights)
25. Lock down SQL with relevant lockdown/hardening guides, remove server admin role and rights
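Tip 22 asks you to review failed login attempts in the Security logs. The following is an added example, not code from the original post or from Joel Oleson, of the kind of check you would run over an exported Security log: it counts failed logons per source within a sliding time window and flags sources that exceed a threshold. The log lines are constructed in a simplified tab-separated export format (timestamp, event ID, account, source host); the event IDs are the real Windows ones for a failed logon (529 on Windows Server 2003, 4625 on 2008 and later), and the threshold and window values are assumptions you would tune for your farm.

```python
"""Flag sources with repeated failed logons in a Windows Security log export.

Added example (not from the original post). Input lines are a constructed,
simplified export: timestamp TAB event_id TAB account TAB source, oldest first.
"""
from collections import defaultdict, deque
from datetime import datetime

# Real Windows event IDs for a failed logon: 529 (Server 2003), 4625 (2008+).
FAILED_LOGON_EVENTS = {529, 4625}

# Constructed sample export; the hosts and accounts are not real.
SAMPLE_LOG = """\
2008-01-10 09:00:01\t540\tjdoe\tWFE01
2008-01-10 09:00:05\t529\tadministrator\t203.0.113.7
2008-01-10 09:00:06\t529\tadministrator\t203.0.113.7
2008-01-10 09:00:07\t529\tadministrator\t203.0.113.7
2008-01-10 09:00:08\t529\tadministrator\t203.0.113.7
2008-01-10 09:00:09\t529\tadministrator\t203.0.113.7
2008-01-10 09:03:00\t529\tasmith\tWKS-ASMITH
2008-01-10 09:20:00\t529\tasmith\tWKS-ASMITH
2008-01-10 09:40:00\t529\tasmith\tWKS-ASMITH
2008-01-10 09:41:00\t4625\tsvc_ssp\t198.51.100.20
"""


def parse_events(text):
    """Yield (timestamp, event_id, account, source); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            event_id = int(parts[1])
        except ValueError:
            continue
        yield ts, event_id, parts[2], parts[3]


def find_bruteforce_sources(text, threshold=5, window_minutes=10):
    """Return {source: peak_count} for sources with at least `threshold`
    failed logons inside any `window_minutes` window (events must be in
    chronological order, as a log export is)."""
    window_seconds = window_minutes * 60
    recent = defaultdict(deque)   # source -> timestamps of failures in window
    flagged = {}
    for ts, event_id, _account, source in parse_events(text):
        if event_id not in FAILED_LOGON_EVENTS:
            continue
        q = recent[source]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[source] = max(flagged.get(source, 0), len(q))
    return flagged


if __name__ == "__main__":
    for source, count in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logons from {source} within 10 minutes")
```

With the defaults, only the external address hammering the administrator account is reported; the user who mistyped a password three times over forty minutes is not, which is the distinction you want an alert on tip 22 to make. Lowering the threshold or widening the window (for example to catch slow, spaced-out attempts) is a one-argument change.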

TechNet: Plan Security, Plan Server Hardening (Lockdown): more detail on locking down SQL ports, securing the web services (from the file system), RPC end point for DCOM communication (excellent recommendation), list of SharePoint NT services.

  1. Configure and/or lock down Excel safe locations. This will give you more control over calc perf.
  2. Consider Extranet Mode (limited UI mode/prevents SOAP interaction and deprecates UI)
  3. Remove people picker AD lookups on extranet (stsadm -o setproperty peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode)
  4. Secure LDAPs (636) over SSL
  5. Lock down web services to the service accounts that need them (going to the files on the file system and changing file system security)
  6. Ensure outbound is restricted to only what is needed. Need to consume (outbound) XML web services or RSS feeds?
  7. Configure RPC DCOM server communication end points to static high ports
  8. Ensure Web Front Ends can talk to all Query boxes (even if they are on other web front ends)
  9. Disable Anonymous auth throughout the farm (off by default)
  10. Ensure policy against using authenticated users is well communicated and policed
    Thinking about email archiving and email enabled lists... I'd recommend not using it when internet/extranet facing. Configuration allowing anonymous email is in the site collection/list level.
  11. I'd also recommend against anonymous blog comments, there are way too many spammers out there. There isn't any approval mechanism without enabling workflows and there are a lot of potential opportunities for spammers. Overall anonymous contribution scenarios should be highly thought out.
  12. Web Based Forms and Forms Server does have some great scenarios, but if you aren't using it, lock down the anonymous posting services (disabled by default)
  13. Considering SQL auth to the SQL box in a separate locked down area? I'm a long time fan of getting the data/SQL in a separate, isolated area behind a firewall with no outbound holes and no service from the public DMZ accounts. I think I already mentioned it, but I'm a fan of non standard SQL ports even more than SQL traffic over SSL. If the traffic is bad who cares if it's encrypted bad traffic. Maybe I'm not the only one who spent some time with slammer.
  14. Your SharePoint farm should be on Non Routable IPs, which goes to say... not directly in DNS.
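Several of the tips above (firewall rules restricted to the minimum, outbound limited to what is needed, SMTP allowed only to specific IPs, SQL on a non-standard port) amount to an egress allowlist for the farm. The following is an added example, not code from the original post or from Joel Oleson, that audits a firewall log against such an allowlist and reports outbound connections from farm servers that were permitted but are not on the list. Farm addresses, the allowlist entries (including the non-standard SQL port 14433), and the log lines are all constructed; the log format (date, time, source, destination, port, action) is a simplified one assumed for the example.

```python
"""Audit permitted outbound connections from SharePoint farm hosts against an
egress allowlist. Added example; all addresses, ports and log lines are constructed."""
import ipaddress

# Web front ends and index server (constructed addresses).
FARM_HOSTS = {"10.0.3.11", "10.0.3.12", "10.0.3.20"}

# (destination network, TCP port) the farm is allowed to reach; None = any port.
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("10.0.1.0/24"), 88),      # Kerberos to the DCs
    (ipaddress.ip_network("10.0.1.0/24"), 636),     # LDAPS to the DCs
    (ipaddress.ip_network("10.0.2.10/32"), 14433),  # SQL on a non-standard port (constructed)
    (ipaddress.ip_network("10.0.3.0/24"), None),    # WFEs talking to query boxes
]

# Constructed firewall log: date time src dst dport action.
SAMPLE_FIREWALL_LOG = """\
2008-01-10 10:00:01 10.0.3.11 10.0.1.5 88 allow
2008-01-10 10:00:02 10.0.3.11 10.0.2.10 14433 allow
2008-01-10 10:00:03 10.0.3.12 10.0.3.20 56737 allow
2008-01-10 10:00:04 10.0.3.20 198.51.100.5 80 allow
2008-01-10 10:00:05 10.0.3.11 203.0.113.9 25 allow
2008-01-10 10:00:06 10.0.3.11 10.0.1.5 3389 deny
2008-01-10 10:00:07 10.0.9.1 198.51.100.5 80 allow
"""


def is_allowed(dst, port):
    """True if destination address/port matches an allowlist entry."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and (allowed_port is None or allowed_port == port)
               for net, allowed_port in EGRESS_ALLOWLIST)


def parse_connections(text):
    """Yield (src, dst, port, action) from log lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _date, _time, src, dst, port, action = parts
        try:
            port = int(port)
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue
        yield src, dst, port, action.lower()


def audit_egress(text):
    """Return [(src, dst, port)] for connections the firewall allowed from a
    farm host to a destination/port that is not on the egress allowlist.
    Denied connections are already blocked, so they are not reported."""
    violations = []
    for src, dst, port, action in parse_connections(text):
        if src not in FARM_HOSTS or action != "allow":
            continue
        if not is_allowed(dst, port):
            violations.append((src, dst, port))
    return violations


if __name__ == "__main__":
    for src, dst, port in audit_egress(SAMPLE_FIREWALL_LOG):
        print(f"egress outside allowlist: {src} -> {dst}:{port}")
```

On the sample log the index server reaching an Internet address on port 80 and a front end sending SMTP to an arbitrary host are the two findings; the RDP attempt to a DC is ignored because the firewall already denied it, and the 10.0.9.1 line is ignored because it is not a farm host. The same allowlist, once it is correct, is the rule set the firewall itself should enforce.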
