Network Security Focus-Microsoft

Re: SharePoint securization

Subject: Re: SharePoint securization
Date: Thu, 18 Aug 2005 11:10:34 +0200 (CEST)
Hi,

Thanks for info about Sharepoint rights.

The first link is about Sharepoint Portal Server. I cannot find it in
Administration website for Sharepoint Services. The second one is
applicable if you want to develop a Sharepoint application.

In my humble opinion, the default role groups are more than enough to have
a decent access regulation. However, there will definitely be scenarios
where tweaking and hardening at Sharepoint level are necessary.

Best regards

Tev

http://itefix.no

I'm familiar with the template... I just know folks that tighten up
Sharepoint as well and will tweak the rights shown below and adjust the
defaults.

Security Architecture for SharePoint Products and Technologies:
http://www.microsoft.com/technet/prodtechnol/sppt/reskit/c0661881x.mspx


SharePoint Security:
http://www.brienposey.com/kb/sharepoint_security.asp
15 Seconds : SharePoint Security and .NET Impersonation:
http://www.15seconds.com/issue/040511.htm
Download details: Windows SharePoint Services Administrator's Guide:
http://www.microsoft.com/downloads/details.aspx?FamilyID=a637eff6-8224-4b19-a6a4-3e33fa13d230&DisplayLang=en


        Site Groups

Windows SharePoint Services includes 21 rights, which are used in the
five default user site groups. The five default user rights groups are
Guest, Reader, Contributor, Web Designer, and Administrator. Table 6-1
shows user rights that are included in each site group by default.

The rights assigned to the Guest and Administrator site groups cannot be
changed. However, you can customize the rights available in Reader,
Contributor, and Web Designer site groups to include only the rights you
want.

You can add new site groups to combine different sets of rights, edit
the rights assigned to a site group, or delete an unused site group.

You cannot assign users directly to the Guest site group, rather users
who are given access to lists or document libraries by way of per-list
permissions are automatically added to the Guest site group. The Guest
site group cannot be customized or deleted.




*Site Group Name*    *User Rights Included*

Guest                None

Reader               Use Self-Service Site Creation
                     View Pages
                     View Items

Contributor          Use Self-Service Site Creation
                     View Pages
                     View Items
                     Add Items
                     Add/Remove Private Web Parts
                     Browse Directories
                     Create Cross-Site Groups
                     Delete Items
                     Edit Items
                     Manage Personal Views
                     Update Personal Web Parts

Web Designer         Use Self-Service Site Creation
                     View Pages
                     View Items
                     Add Items
                     Add/Remove Private Web Parts
                     Browse Directories
                     Create Cross-Site Groups
                     Delete Items
                     Edit Items
                     Manage Personal Views
                     Update Personal Web Parts
                     Add and Customize Pages
                     Apply Themes and Borders
                     Apply Style Sheets
                     Cancel Check-Out
                     Manage Lists

Administrator        Use Self-Service Site Creation
                     View Pages
                     View Items
                     Add Items
                     Add/Remove Private Web Parts
                     Browse Directories
                     Create Cross-Site Groups
                     Delete Items
                     Edit Items
                     Manage Personal Views
                     Update Personal Web Parts
                     Add and Customize Pages
                     Apply Themes and Borders
                     Apply Style Sheets
                     Cancel Check-Out
                     Manage Lists
                     Create Subsites
                     Manage List Permissions
                     Manage Site Groups
                     View Usage Data
                     Manage Lists






Right: Add and customize pages
    Permission: Can create ASP.NET, ASP, HTML Web pages for a site
    Groups Included: Web Designer, Administrator
    Dependency Rights: Browse directories, View Pages

Right: Add items
    Permission: Add documents to documents libraries or items to lists
    Groups Included: Contributor, Web Designer, Administrator
    Dependency Rights: View Items, View Pages

Right: Add and remove private Web parts (Web modules)
    Permission: Add and/or remove Web parts to pages
    Groups Included: Contributor, Web Designer, Administrator
    Dependency Rights: Update Web Parts, View Items, View Pages

Right: Apply style sheets
    Permission: Apply a style to the entire site
    Groups Included: Web Designer, Administrator
    Dependency Rights: View Pages

Right: Apply themes and borders
    Permission: Apply a theme and/or border to a site
    Groups Included: Web Designer, Administrator
    Dependency Rights: View Pages

Right: Browse directories
    Permission: Browse a Web site's directory structure
    Groups Included: Contributor, Web Designer, Administrator
    Dependency Rights: View Pages

Right: Cancel check-out
    Permission: Can cancel the check-out performed by a user
    Groups Included: Web Designer, Administrator
    Dependency Rights: View Pages

Right: Create cross-site groups
    Permission: Delete and create cross-site groups, change membership
    Groups Included: Contributor, Web Designer, Administrator
    Dependency Rights: View pages

Right: Create subsites
    Permission: Create subsite
    Groups Included: Reader, Contributor, Web Designer, Administrator
    Dependency Rights: View pages

Right: Delete items
    Permission: Delete items and documents
    Groups Included: Contributor, Web Designer, Administrator
    Dependency Rights: View items, View pages

Right: Edit items
    Permission: Edit existing list items and document in the Web site
    Groups Included: Contributor, Web Designer, Administrator
    Dependency Rights: View items, View pages

Right: Manage Lists
    Permission: Delete, create, edit lists and change settings
    Groups Included: Web Designer, Administrator
    Dependency Rights: View items, View pages, Manage personal views

Right: Manage list permissions
    Permission: Change permissions for a list
    Groups Included: Administrator
    Dependency Rights: Manage lists, View items, View pages, Manage personal views

Right: Manage personal views
    Permission: Create, delete, and edit personal views
    Groups Included: Contributor, Web Designer, Administrator
    Dependency Rights: View items, View pages

Right: Manage site groups
    Permission: Edit, create, and delete site groups, change the rights assigned to the site group
    Groups Included: Administrator
    Dependency Rights: View pages

Right: Manage Web site
    Permission: Perform tasks for the site or subsite
    Groups Included: Administrator
    Dependency Rights: View pages

Right: Update personal Web parts
    Permission: Update Web parts
    Groups Included: Contributor, Web Designer, Administrator
    Dependency Rights: View items, View pages

Right: Use self-service site creation
    Permission: Use to create top-level Web site
    Groups Included: Reader, Contributor, Web Designer, Administrator
    Dependency Rights: View pages

Right: View items
    Permission: View items in lists, documents
    Groups Included: Reader, Contributor, Web Designer, Administrator
    Dependency Rights: View pages

Right: View pages
    Permission: Browse pages
    Groups Included: Reader, Contributor, Web Designer, Administrator
    Dependency Rights: None

Right: View usage data
    Permission: View reports on Web site use
    Groups Included: Administrator
    Dependency Rights: View pages



tevfik@itefix.no wrote:

Hi,

As you say, it all depends on your requirements. Bastion Host Template is
a part of Security Guide for Windows 2003. More information can be found
at
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

After having applied that template, I run some verification tools like
BSA, Nessus and C2I Security Benchmark. In my opinion, the results were
acceptable.

When it comes to Sharepoint, I don't understand what you mean by default
user and permissions. AFAIK, there are none. You have to set up access per
site. Sub-sites can inherit permissions from the parent if you want to. In
our case, there are a couple of well-managed extranet applications.

Best regards

Tevfik



Did you also review the permissions of the Sharepoint users inside of
Sharepoint?

You secured the server...but what about reviewing Sharepoint?

If you have not changed the default users and their permissions and
roles, many Sharepoint gurus I know say there's work to be done inside
of there depending on your needs and risk.

Why did you choose that template?  What risks is it averting?


Tevfik Karagülle wrote:



Hi,

What I did for a customer was to use Microsoft's Bastion Host security
template on a Windows 2003 Server Web edition and Sharepoint Service v2
w/SP1.

Best regards

Tevfik Karagulle
ITEFIX Consulting

http://itefix.no






-----Original Message-----
From: limpiezasgomez@terra.es [mailto:limpiezasgomez@terra.es]
Sent: 17. august 2005 12:12
To: focus-ms@securityfocus.com
Subject: SharePoint securization

Is there any resource where I could find information on steps
to secure a SharePoint Services installation?

Thanks!

Pedro






--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com









