Windows 2012 R2: Active Directory Best Practices for SharePoint Use
Default Domain Policy
I recommend changing some of its values to get a more secure Active Directory.
http://www.jabea.net/img/wiki/sharepoint_ebook/image069.png
http://www.jabea.net/img/wiki/sharepoint_ebook/image070.jpg
Enable Auditing
For security reasons, I recommend enabling auditing. The downside is that it will make your Security event log fill up fast, so plan your archiving needs for those events. (Most businesses I visited keep a year of history.)
In our Default Domain Policy, we go into Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy, and we change the options below.
http://www.jabea.net/img/wiki/sharepoint_ebook/image071.jpg
We select the desired values.
http://www.jabea.net/img/wiki/sharepoint_ebook/image072.png
Afterwards we can open Event Viewer to validate that those events will be logged.
http://www.jabea.net/img/wiki/sharepoint_ebook/image073.png
We right-click Security; there we can move the log file off the C: drive (because it can get really big) or choose to overwrite old events when the log is full.
http://www.jabea.net/img/wiki/sharepoint_ebook/image074.jpg
With this auditing, you will be able to keep track of who tried to use someone else's account or who tried to brute-force an account's password.
TIP: The above tip works for Kerberos authentication. For NTLM you have another policy to change. The path is Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. More detail there: Network Security: Restrict NTLM: Audit Incoming NTLM Traffic
Account Lockout Policy
I usually set it more restrictively (it will prevent brute-force attempts). I usually set a threshold of 5 attempts in 30 minutes before the account gets locked out, but with the duration at 0 you need an administrator to unlock it. That way a user who knows the policy will try 3-4 times in 5 minutes, wait, and try again later.
http://www.jabea.net/img/wiki/sharepoint_ebook/image075.jpg
Security Design
In this small step I will show a small tip on designing the OUs for SharePoint. Open the Active Directory Users and Computers MMC.
Under the OU where you want your SharePoint structure, create a new OU, named SharePoint in my case.
http://www.jabea.net/img/wiki/sharepoint_ebook/image076.jpg
http://www.jabea.net/img/wiki/sharepoint_ebook/image077.png
In that OU you can create an OU for each SharePoint site and subsite, like this:
http://www.jabea.net/img/wiki/sharepoint_ebook/image078.png
In those folders you can create all your security groups and manage who is a member of them. I use the prefix SSG for SharePoint Security Group.
The big value of that structure is that it's easy to manage, and even if a user wants to map a SharePoint folder as a drive, like M: to \\sharepoint_srv\siteA\SubsiteA, the security model is easy to follow.
Tip: Always use group membership to assign user rights, never the user itself. When you copy the user afterwards, all security will follow (otherwise it won't).
Tip: Always try to assign rights to folders, not to files separately.
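The OU and SSG layout above can be built the same way every time with the ActiveDirectory PowerShell module. This is an added example, not part of the eBook; the domain contoso.local, the parent OU OU=Corp, the site/subsite names and the three permission levels are placeholders I made up, so adapt them to your structure.

```powershell
# Added example: creates OU=SharePoint, one OU per site and subsite, and in each
# OU a set of SSG-* global security groups (rights are granted to groups only).
Import-Module ActiveDirectory

$ParentOU = 'OU=Corp,DC=contoso,DC=local'   # placeholder: the OU you right-clicked
$RootName = 'SharePoint'
# Constructed sample layout: site -> list of subsites
$Sites = @{
    'SiteA' = @('SubsiteA', 'SubsiteB')
    'SiteB' = @('Finance')
}
# One group per SharePoint permission level, same names in every OU
$Levels = @('Owners', 'Members', 'Visitors')

function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

function New-SsgGroups {
    # Naming convention: SSG-<Site>[-<Subsite>]-<Level>
    param([string]$Scope, [string]$Path)
    foreach ($level in $Levels) {
        $name = "SSG-$Scope-$level"
        if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$name'")) {
            New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security `
                -GroupScope Global -Path $Path `
                -Description "SharePoint $Scope $level - add users here, never grant rights to a user directly"
        }
    }
}

$rootDN = New-OUIfMissing -Name $RootName -Path $ParentOU
foreach ($site in $Sites.Keys) {
    $siteDN = New-OUIfMissing -Name $site -Path $rootDN
    New-SsgGroups -Scope $site -Path $siteDN
    foreach ($sub in $Sites[$site]) {
        $subDN = New-OUIfMissing -Name $sub -Path $siteDN
        New-SsgGroups -Scope "$site-$sub" -Path $subDN
    }
}
```

Run it again after adding a site to the $Sites table; existing OUs and groups are skipped, so the script can be re-run safely.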