Performing Administrative Tasks Using Central Administration (part 24) - General Security

1/20/2011 7:51:08 PM

5. Security

SharePoint 2010 includes several security options that enable global configuration for better control of security. These options are accessed using the Security functional category in Central Administration. When you make changes to many of the options in this management section, they will have a global effect on all SharePoint 2010 servers in your farm, so it is important that you understand the available options. There are three general sections of security management in this category.

  • Users

  • General Security

  • Information Policy

5.1. Users

This section provides configuration and management options for managing the farm administrators, Active Directory distribution groups, and user policies for Web applications.

5.1.1. Manage the Farm Administrators Group

This setting allows you to add and remove users or groups as administrators in the SharePoint 2010 farm. You should always use an Active Directory security group so that you can easily swap out users in the group without affecting security in SharePoint.

Controlling the Number of Farm Administrators

By default, the BUILTIN\Administrators group has farm administration permissions. It is recommended that you add the Active Directory security group immediately after a successful installation of SharePoint and then remove the BUILTIN\Administrators group to prevent the members of this group from having full SharePoint administrator permissions. You want to be extremely selective about who becomes part of the Farm Administrators group, because they have the capability to perform any task at any level in the farm. There should only be a few select individuals who have these permissions.

Being an administrator in SharePoint 2010 does not give the user the right to create Web applications in IIS; that still requires local administrator rights on the server. Additionally, it does not give the user the right to manage databases in SQL Server. Additional permissions are required to perform SQL Server tasks such as backups, restores, and changes to database properties.
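The following SharePoint 2010 Management Shell script is an added example (not from the original book) that carries out the recommendation above in the order that avoids locking anyone out: it lists the current Farm Administrators membership, adds the Active Directory security group, and only then removes BUILTIN\Administrators. The group name CONTOSO\SP-FarmAdmins is an assumed placeholder; the Farm Administrators group lives in the Central Administration site collection, which is why the script locates the administration Web application first.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values (not from the page): the AD security group that will own farm administration
$newAdminGroup = "CONTOSO\SP-FarmAdmins"
$legacyGroup   = "BUILTIN\Administrators"

# Central Administration is the Web application flagged IsAdministrationWebApplication
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
            Where-Object { $_.IsAdministrationWebApplication }
$caSite = $caWebApp.Sites[0]
$caWeb  = $caSite.RootWeb
$farmAdmins = $caWeb.SiteGroups["Farm Administrators"]

# 1. Review who currently holds farm administration before changing anything
$farmAdmins.Users | Select-Object LoginName, IsDomainGroup

# 2. Add the AD security group first so an administrator always remains
$farmAdmins.AddUser($newAdminGroup, "", $newAdminGroup, "Farm administrators (AD security group)")

# 3. Only then remove BUILTIN\Administrators, as the text recommends
$legacy = $farmAdmins.Users | Where-Object { $_.LoginName -eq $legacyGroup }
if ($legacy) { $farmAdmins.RemoveUser($legacy) }

# 4. Confirm the result; membership changes are now made in AD, not in SharePoint
$farmAdmins.Users | Select-Object LoginName, IsDomainGroup

$caWeb.Dispose()
$caSite.Dispose()
```

Note that this grants SharePoint farm administration only; as the text states, local administrator rights on the servers and SQL Server permissions are separate and are not touched by this script.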

5.1.2. Approve or Reject Distribution Groups

If you have chosen to enable incoming e-mail through the System Settings functional category, one of the options you have is to allow SharePoint groups to have e-mail addresses so that new distribution groups can be created in Active Directory. By default, when new distribution groups are created or deleted, these operations require farm administrator approval before the actual create or delete operation is performed in Active Directory.

5.2. General Security

There are several general security settings that are managed in the General Security section of Central Administration. Some of these security settings are farm level settings, and others are Web application settings. The following sections distinguish between these when discussing each of the General Security options.

5.2.1. Configure Managed Accounts

SharePoint 2010 introduces the concept of managed accounts, which are used to define an account in Active Directory and then configure it to automatically change the password. This enables SharePoint administrators to comply with strict Active Directory account policies in which service accounts need to have their passwords changed regularly to adhere to Active Directory policies. For this setting to work correctly, the Active Directory administrator must configure a Group Policy to enforce the password change policy.

This account management option allows SharePoint to update all the components that are using this service account with the new password change, which avoids disruption to any of the services using the Active Directory account, such as application pools.

You would use the interface shown in Figure 52 to specify the user name of the Active Directory account that will be registered as a managed account. You also use this page to specify when you want the password to be changed and if you want e-mail notifications sent before the password is changed.

Figure 52. Registering and configuring a managed account

5.2.2. Configure Service Accounts

This option allows you to manage service accounts that are being used by a SharePoint service, such as an application pool or service application. From the drop-down list on the Configure Service Accounts page, select the service you want to manage and then select the new account that you want it to use from the list of registered accounts. If your account is a new service account, then you can register it first from this page as a new SharePoint registered account.

5.2.3. Configure Password Change Settings

The Configure Password Change Settings option works in conjunction with the Configure Managed Accounts settings to automatically change passwords. To send notifications of the impending password changes, as well as to send error messages regarding the actual password change event, you must complete the fields in the Configure Password Change Settings interface. Specify the e-mail address where you want these notifications sent.


Best Practices: Use a farm administrators group e-mail address as the address to send these notifications so that all farm administrators know about the impending password change as well as any problems that might occur during the change event.
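The three pages described in 5.2.1 through 5.2.3 (Configure Managed Accounts, Configure Service Accounts, and Configure Password Change Settings) map onto a small set of SharePoint 2010 Management Shell cmdlets and farm properties. The script below is an added example, not code from the book: it registers a service account as a managed account, enables automatic password changes with advance e-mail notification, assigns the account to a service application pool, and sets the farm-wide notification address to a farm administrators group mailbox as the best practice suggests. The account name, pool name, mailbox address and the exact schedule string are assumptions; the schedule syntax follows the SPSchedule string format, and the PasswordChangeEmailAddress farm property is assumed to be the object-model equivalent of the Configure Password Change Settings page.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values (not from the page)
$svcLogin    = "CONTOSO\svc-spapps"
$poolName    = "SharePoint Web Services Default"
$notifyEmail = "sp-farmadmins@contoso.com"

# 1. Configure Managed Accounts: register the AD account once (prompts for its current password)
$ma = Get-SPManagedAccount -Identity $svcLogin -ErrorAction SilentlyContinue
if (-not $ma) {
    $cred = Get-Credential $svcLogin
    $ma = New-SPManagedAccount -Credential $cred
}

# 2. Let SharePoint rotate the password itself: monthly change window (assumed schedule string),
#    e-mail warning 5 days ahead, and change 2 days before the AD policy would expire it
Set-SPManagedAccount -Identity $ma -AutoGeneratePassword:$true `
    -Schedule "monthly between 1 02:00:00 and 1 04:00:00" `
    -EmailNotification 5 -PreExpireDays 2

# 3. Configure Service Accounts: point an application pool at the managed account so the
#    pool is updated automatically when the password changes
Set-SPServiceApplicationPool -Identity $poolName -Account $ma

# 4. Configure Password Change Settings: farm-wide address for notifications and errors
$farm = Get-SPFarm
$farm.PasswordChangeEmailAddress = $notifyEmail   # assumed property name for this setting
$farm.Update()

# Verify the registration and schedule
Get-SPManagedAccount -Identity $svcLogin |
    Select-Object UserName, AutomaticChange, ChangeSchedule, PasswordExpiration
```

Sending the notifications to a group mailbox rather than an individual is what makes the best practice above work: every farm administrator sees both the advance warning and any failure report, even if one person is unavailable.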

5.2.4. Manage Trusts

Trusts are created when two farms are communicating with each other by allowing one of the farms to consume services from the other farm. This inter-farm configuration makes it easy for service applications to be shared between farms. When establishing the trust relationship between farms, the consuming farm must trust the root Certificate Authority (CA) for SSL on the farm that is hosting the shared service applications.
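The certificate exchange that Manage Trusts relies on can be scripted with the SharePoint 2010 Management Shell. The following is an added example, not code from the book: the publishing farm exports its root certificate, the consuming farm imports it as a trusted root authority (the requirement stated above), and, going one step beyond the text, the publishing farm also imports the consuming farm's root and security token service (STS) signing certificates so that it can validate the consumer's requests. The file paths and trust names are assumptions; each block is run on the farm named in its comment.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed paths (not from the page); copy the .cer files between farms out of band
$publishingRootPath = "C:\Certs\PublishingFarmRoot.cer"
$consumingRootPath  = "C:\Certs\ConsumingFarmRoot.cer"
$consumingStsPath   = "C:\Certs\ConsumingFarmSTS.cer"

# --- Run on the PUBLISHING farm: export its root certificate ---
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content -Path $publishingRootPath -Encoding byte

# --- Run on the CONSUMING farm: export its root and STS signing certificates ---
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content -Path $consumingRootPath -Encoding byte
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$stsCert.Export("Cert") | Set-Content -Path $consumingStsPath -Encoding byte

# --- Run on the CONSUMING farm: trust the publishing farm's root CA (Manage Trusts) ---
$trustCert = Get-PfxCertificate $publishingRootPath
New-SPTrustedRootAuthority -Name "PublishingFarm" -Certificate $trustCert

# --- Run on the PUBLISHING farm: trust the consuming farm's root CA and token issuer ---
$trustCert = Get-PfxCertificate $consumingRootPath
New-SPTrustedRootAuthority -Name "ConsumingFarm" -Certificate $trustCert
$issuerCert = Get-PfxCertificate $consumingStsPath
New-SPTrustedServiceTokenIssuer -Name "ConsumingFarm" -Certificate $issuerCert

# Verify on either farm: compare thumbprints with the exporting farm before relying on the trust
Get-SPTrustedRootAuthority |
    Select-Object Name, @{ Name = "Thumbprint"; Expression = { $_.Certificate.Thumbprint } }
```

Only the public certificates are exported here (no private keys), and the thumbprint check at the end is the control that matters: a trust entry should be accepted only after the thumbprint has been confirmed with the administrator of the other farm.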

5.2.5. Manage Antivirus Settings

Before you can manage antivirus settings, you must first install a SharePoint 2010–compatible antivirus product such as Microsoft Forefront. After you install the antivirus product, it will either update the page shown in Figure 53 for you, or you can open the page and modify the settings to determine how the antivirus software will manage SharePoint documents.

After the software is installed, you can use the Antivirus settings page to configure the level of scanning that you want to set. You can choose from the following four scanning options.

  • Scan Documents On Upload

  • Scan Documents On Download

  • Allow Users To Download Infected Documents

  • Attempt To Clean Infected Documents

Figure 53. Configuring antivirus settings

You can also configure how long the virus scanner should run before it times out; the default is 5 minutes. Lastly, you can configure the number of threads that are used by the scanner. Both of these settings can impact the performance of both the scanner and the server hosting the antivirus software, so be sure to analyze the impact of any changes you make.
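The same six settings the Antivirus page exposes (the four scanning options, the timeout, and the thread count) are held in the content service's antivirus settings object and can be set from the SharePoint 2010 Management Shell. The script below is an added example, not code from the book: it enables scanning on upload and download, refuses to let users download infected documents, keeps the default 5-minute timeout, and reviews the result. The thread count of 5 is an assumed value; the property names on SPAntivirusSettings are the ones used here and should be verified against your build if it differs.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Antivirus settings are stored on the farm-wide content service
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$av = $contentService.AntivirusSettings

# Current state, for the change record
$av | Select-Object UploadScanEnabled, DownloadScanEnabled, AllowDownload,
                    CleaningEnabled, Timeout, NumberOfThreads

# The four scanning options from the Antivirus page
$av.UploadScanEnabled   = $true    # Scan Documents On Upload
$av.DownloadScanEnabled = $true    # Scan Documents On Download
$av.AllowDownload       = $false   # Allow Users To Download Infected Documents: off
$av.CleaningEnabled     = $true    # Attempt To Clean Infected Documents

# Scanner timeout (page default is 5 minutes) and worker threads (assumed value);
# both affect scanner and server load, so change them only after measuring
$av.Timeout         = New-Object System.TimeSpan(0, 5, 0)
$av.NumberOfThreads = 5

# Persist the change farm-wide
$contentService.Update()

# Confirm
$contentService.AntivirusSettings |
    Select-Object UploadScanEnabled, DownloadScanEnabled, AllowDownload,
                  CleaningEnabled, Timeout, NumberOfThreads
```

Leaving AllowDownload disabled is the setting to watch: if it is turned on, a document the scanner has already flagged can still be served to users, which defeats the purpose of download scanning.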

5.3. Information Policy

There are two options available for defining general settings at the document level for utilization, access, and control in SharePoint 2010.

5.3.1. Configure Information Rights Management

Security is always an important consideration for system administrators and management alike. Even though SharePoint 2010 has file security built into the document libraries, you still might require an additional layer of security. Information rights management (IRM) is built on top of a certificate-based infrastructure that allows users to restrict access to a document not just by name but also by their certificates. Information rights management requires both client- and server-based add-on software to work; there are also additional Client Access License (CAL) costs involved.

The difference between IRM and security is important to understand. Security focuses on regulating who can see what content. IRM targets what can be done with the content after it is accessed by the user. Some people have used the terms security and privacy to differentiate between the two concepts, with privacy describing the feature offered by IRM. Those who work extensively in the security field don’t like the privacy term, but nevertheless, they are good terms to help you remember the difference between security and IRM.

5.3.2. Configure Information Management Policy

Policies were introduced in SharePoint Server 2007, and except for a name change for one of the options (Expiration changed to Retention), they provide the same options at this level in SharePoint 2010. You can configure four farm level policies that are available for lists, libraries, and content types for use throughout the entire farm. Table 5 describes these default policies. By default, all policies are enabled and available throughout the farm, but all of them have the option of being decommissioned if you want to disable the functionality they provide.

Table 5. Information Management Policies

Policy     Description
Labels     Gives users the ability to view and add metadata labels in a document itself. These labels can be printed with the document and also can be searchable attributes.
Auditing   Allows lists and libraries to audit the actions of users in the library, such as modify or delete, download, and back up.
Retention  Provides a method for processing content that has been assigned an expiration setting, possibly through a workflow for archiving.
Barcodes   Allows unique barcodes to be inserted in documents that can then be printed with the document or searched.
