Plan security for an external anonymous access environment (Office SharePoint Server)
Applies To: Office SharePoint Server 2007
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2016-11-14
In this article:
Protect back-end servers
Configure anonymous access
Secure the Central Administration site
Secure content deployment by using SSL
Disable incoming e-mail
Use lockdown mode
Secure design checklist
Plan security hardening for server roles
Plan secure configurations for Office SharePoint Server features
Security guidance for an external anonymous access environment is targeted to allow anonymous access to content while protecting back-end servers in the farm from direct user access or malicious actions targeted through front-end Web servers. In an environment where multiple farms might be deployed to support authoring, staging, and publishing, the guidance for this environment is intended for the published farm (the farm that is anonymously accessed by users).
There are several unique recommendations for an external anonymous access environment. Some of these recommendations might not be practical for all solutions.
Protect back-end servers
Hosting sites for anonymous use requires Internet-facing servers. You can limit the exposure to traffic from the Internet by protecting back-end servers, including the index server and other application server roles and servers that host databases:
Protecting database servers At a minimum, place a firewall between front-end Web servers and servers that host databases. Some environments dictate that database servers be hosted in an internal network instead of directly in an extranet environment.
Protect application servers At a minimum, protect application servers by requiring Internet Protocol security (IPsec) to secure communication between server farm computers. Additionally, you can place application servers behind the firewall used to protect database servers. Or, you can introduce an additional firewall between front-end Web servers and application servers.
Protect the index role The index component communicates through a front-end Web server to crawl content in sites. To protect this communication channel, consider configuring a dedicated front-end Web server for use by one or more index servers. This isolates crawling communication to a front-end Web server that is not accessible to users. Additionally, configure Internet Information Services (IIS) to restrict SiteData.asmx (the crawler SOAP service) to allow only the index server (or other crawlers) to access it. Providing a front-end Web server dedicated to content crawling also improves performance by reducing the load on the main front-end Web servers, thereby improving the user experience.
Configure anonymous access
For content to be available for anonymous access, the following must be configured:
The site or site collection must be configured to allow anonymous access.
At least one zone in the Web application must be configured to allow anonymous access.
Enable anonymous access only for Web applications that require unauthenticated access. If you want to use authentication for personalization, implement forms authentication by using a simple database authentication provider.
Secure the Central Administration site
Because external users have access to the network zone, it is important to secure the Central Administration site to block external access and secure internal access:
Ensure that the Central Administration site is not hosted on a front-end Web server.
Block external access to the Central Administration site. This can be achieved by placing a firewall between front-end Web servers and the server that hosts the Central Administration site.
Configure the Central Administration site by using Secure Sockets Layer (SSL). This ensures that communication from the internal network to the Central Administration site is secured.
Secure content deployment
If you are not using the content deployment feature, disable the server farm from receiving content deployments (under Content Deployment Settings, select Reject incoming content deployment jobs). This is the default setting.
If you are using content deployment features to deploy content from one server farm to another server farm, ensure that the Central Administration site for the receiving server farm is configured to use SSL. This will ensure that server communication related to content deployment between the two server farms is secured by using SSL.
Additionally, to protect the identities of your authors, disable the Deploy user names setting when you configure the content deployment path.
Disable incoming e-mail
Do not use e-mail integration for incoming e-mail. This protects your environment from risks associated with e-mail sent from anonymous sources on the Internet. If you do allow incoming e-mail, configure the Central Administration site to enable anonymous e-mail. While this option is available, it is not very secure.
Use lockdown mode
Lockdown mode is a feature that you can use to secure published sites. When lockdown mode is turned on, fine-grain permissions for the limited access permission level are reduced. The following table details the default permissions of the limited access permission level and the reduced permissions when lockdown mode is turned on.
Permission | Limited access — default | Limited access — lockdown mode |
---|---|---|
List permissions: View Application Pages |
● |
|
Site permissions: Browse User Information |
● |
● |
Site permissions: Use Remote Interfaces |
● |
|
Site permissions: Use Client Integration Features |
● |
● |
Site permissions: Open |
● |
● |
Lockdown mode is applied to sites under the following circumstances:
The Stsadm.exe command-line tool is used to turn lockdown mode on.
The Publishing Portal site template is applied to the site collection. By default, lockdown mode is turned on when this template is applied.
Consider using lockdown mode on published sites if greater security on these sites is a requirement. Additionally, if you applied the Publishing Portal site template, determine if lockdown mode is the desired configuration for these sites. If not, use the Stsadm.exe command-line tool to turn off lockdown mode.
The following table lists the Stsadm commands related to using lockdown mode.
Action | Command |
---|---|
Turn on lockdown mode for a site collection |
stsadm -o activatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml |
Turn off lockdown mode for a site collection |
stsadm -o deactivatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml |
Secure design checklist
Use this design checklist together with the checklists in Review the secure topology design checklists (Office SharePoint Server).
Topology
[ ] |
Protect back-end servers by placing at least one firewall between front-end Web servers and the application and database servers. |
[ ] |
Plan a dedicated front-end Web server for crawling content. Do not include this front-end Web server in the end-user front-end Web rotation. |
Logical architecture
[ ] |
Enable anonymous access only for Web application zones that host sites or site collections that are configured to allow anonymous access. For more information, see Plan authentication methods (Office SharePoint Server). |
[ ] |
Use SSL to secure content deployment. |
[ ] |
Block access to the Central Administration site and configure SSL for the site. |
Plan security hardening for server roles
The following table describes additional hardening recommendations for an external anonymous access environment.
Component | Recommendation |
---|---|
Ports |
Block external access to the port for the Central Administration site. |
Protocols |
|
IIS |
If you are configuring a dedicated front-end Web server for indexing, configure IIS to restrict SiteData.asmx (the crawler SOAP service) to allow only the index server (or other crawlers) to access it. |
Plan secure configurations for Office SharePoint Server features
The following table describes additional recommendations for securing Microsoft Office SharePoint Server 2007 features in an external anonymous access environment.
Feature or area | Recommendation |
---|---|
Authentication |
Specify Anonymous authentication in IIS. |
Content deployment |
If you are not using the content deployment feature, disable the server farm from receiving content deployments. This is the default setting. If you are using the content deployment feature, the following configurations are recommended:
|
E-mail integration |
Do not enable e-mail integration for incoming mail. |
Content caching of pages that have personalized content |
Output caching can be used to optimize performance for sites that display some personalized content. In this scenario, post-cache substitution is used to ensure that the personalized content is refreshed for the user. Consequently, if the entire page or most of the page includes personalized content, there is little benefit received by using output caching. If you are using output caching on pages that have personalized content, be aware of the security implications resulting from how this is configured. If the following conditions are true, ensure that sites that display personalized content support post-cache substitution:
In this scenario, anonymous users all see identical content. The content that authenticated users see depends on whether personalized content is displayed and if post-cache substitution is supported for this content:
|
InfoPath Forms Server |
In an anonymous environment, disable the InfoPath Forms Services Web service proxy. This service runs as a trusted service account and forwards requests to Web services by using the identity of the trusted service account. In environments where InfoPath forms are accessed only by authenticated users, access to a back-end data system is protected by authentication. However, if subsequent InfoPath forms are created for use by anonymous users and these forms access the same back-end data system, the back-end data system is configured to trust the Web service proxy and provide the requested data. In this case, it is possible for anonymous users to access data that is typically only available to authenticated users. By default, the Web service proxy is disabled. You manage this service in Central Administration. On the Application Management tab, look in the InfoPath Forms Services category and click Manage the Web service proxy. |
Download this book
This topic is included in the following downloadable book for easier reading and printing:
Planning and architecture for Office SharePoint Server 2007, part 2
Planning an Extranet Environment for Office SharePoint Server
See the full list of available books at Downloadable content for Office SharePoint Server 2007