IIS and SmartCards: Implementation Considerations and Pitfalls
Dan Usher and Joel Ward

Agenda
- Who we are
- What we've seen
- Security concerns in today's world
- Why SmartCards?
- Authentication & authorization of SharePoint

Who we are

Dan Usher (MCP, MCTS, Security+)
- SharePoint architect and implementation / deployment engineer
- UVA, BS Physics

Joel Ward (MCP, MCAD)
- Solutions developer and architect
- Penn State, BA Integrative Arts

What we've seen
- Large and small SharePoint implementations
- Authentication schemas using SmartCard authentication integrated with Active Directory and third-party SSO systems
- Extranet-enabled SmartCard SharePoint systems

Security concerns in today's world
- Cyber security
- Identity theft
- Phishing
- Information assurance

[Slide image: examples of "strong" passwords written in leet-speak; the text did not survive extraction]

- Strong passwords
- Web of trust
- Two-factor authentication
- Biometrics

[Slide image: further leet-speak password examples, not recoverable]

- Confidentiality
- Integrity
- Authenticity
- Availability
- Non-repudiation

- Stricter password policies
- Resetting passwords more often
- Password-enabled screensavers
The result: disruptions in your daily work, and things aren't quite as secure as they were.
Source: http://go.spdan.com/pki

Why SmartCards?
- Simplicity: simplicity to the end user
- Provides a secure, tamper-resistant physical token for storage
- Enables portability of credentials and private information, similar to other federated identity such as OpenID, Facebook Connect, Google OpenSocial, Microsoft Hailstorm
- A PIN is used

Security: similar to a physical token
- Contains the same information
- It has an expiration date
- It can be revoked
- Provides for similar IA capabilities
However:
- It can be exported
- It can be shared
- It can be purchased
- It can be stolen

Authentication
- IIS: username & password, client certificates, ISAPI filters
- Custom membership providers
- Federation (ADFS or third-party identity handler)

Authorization
- SharePoint groups and permissions
- AD / LDAP / role provider security groups

ASP.NET authentication
- Handled by IIS and ASP.NET
- Checks the user against AD or another auth provider
- Passes verification to IIS to proceed
Source: http://go.spdan.com/iisauth

Options
- Option 0: SharePoint on an intranet with integrated authentication
- Option 1: SharePoint in a DMZ with client certificates and AD integration
- Option 2a: SharePoint published through Internet Security and Acceleration (ISA) Server
- Option 2b: SharePoint published through Intelligent Application Gateway (IAG) Server
- Option 3: Custom membership provider

Option 0: SharePoint on an intranet with integrated authentication
- SharePoint is intranet based only
- The client desktop utilizes the "SmartCard enabled login required" security policy setting
- SharePoint utilizes Integrated Windows authentication (Kerberos or NTLM)
Pitfalls:
- Intranet-only situation: you need to be within the network boundary for authentication tokens to pass properly
- The user's account must be linked to their SmartCard user principal name (UPN)
- Certificate Authority (CA) availability for the CRL check may affect system availability

Option 1: SharePoint in a DMZ with client certificates and AD integration
- Web server in the DMZ
- Utilizes the authentication store (AD)
- IIS configured to require a client certificate
- Relatively easy to configure
Configuration:
- Install an SSL certificate that belongs to a managed PKI environment
- Within IIS, in the specific web application, enable: Require Secure Channel (SSL); Require 128-bit encryption (optional); Require client certificate
- Certificate Revocation List (CRL) ports open
- LDAP or LDAPS
Pitfalls:
- OCSP or CRL checking could cause authentication to fail if the CRL is not available
- Depending on the number of requests, CRL checking could cause server load
- Puts the server in the DMZ, which increases the attack surface area
- wfetch will show your SharePoint version
- The user's account must be linked to their SmartCard user principal name
- The user may select a certificate that does not contain a UPN

Option 2a: Internet Security and Acceleration 2006 (ISA) Server
- Web site publishing with constrained Kerberos delegation
- Internal Windows networking infrastructure system utilizing Kerberos
Pitfalls:
- Users authenticate to their client machine using a different account than the SmartCard linked to their AD user object
- Windows XP + Office 2007 requires a hotfix to allow documents to open through ISA
- Increases authentication requirements for external-facing or extranet systems
- The user's account must be linked to their SmartCard user principal name
- Multi-forest trusts do not always work
- Re-authentication issues
- Only leverages Active Directory

Option 2b: Intelligent Application Gateway (IAG) Server
- Publishes the web front end server
- Similar to Option 2a (ISA Server), but a better experience for the end user
- Stable session: prevents constant requests for re-authorization using the SmartCard
- Allows for NAP-like capabilities
- Allows for mapping to something other than AD
Pitfalls:
- Additional hardware to maintain
- The current IAG is a hardware appliance; IAG 2007 is available as a virtual machine for demonstration purposes
- A future IAG will potentially be available as software and hardware (IAG -> Forefront Unified Access Gateway (UAG))
- Costly
- Requires authenticating to the IAG dashboard

Option 3: Custom membership provider for SmartCard
- IIS or an SSO/ISAPI filter handshakes with the SmartCard
- Does not require Active Directory: can use LDAP, SQL Server, or another authentication provider
- A custom SharePoint login page (using Forms Based Authentication) completes the login process seamlessly without user input
- Can optionally create the user account on the fly, based on SmartCard credentials
- Can add logic for account approval, different access levels based on SmartCard credentials, etc.
Pitfalls:
- Requires additional configuration in SharePoint
- Requires custom development
- If requiring a client certificate in IIS (instead of SSO or an ISAPI filter), OCSP or CRL checking could cause authentication to fail if the CRL is not available
- Must secure the server if it is in the DMZ
- Must add appropriate security logic to the custom login page

Implementing Option 3:
1) Configure the domain name and SSL certificate for the web application
2) Implement Forms Based Authentication with SharePoint using the appropriate membership and role provider (AD, LDAP, ASPNET, etc.)
3) Configure IIS to accept client certificates (or custom SSO)
4) Create a custom login page for SharePoint in the _layouts folder:

    using System.Web;
    using System.Web.Security;

    // Get the client certificate and the user ID it carries
    HttpClientCertificate cert = Request.ClientCertificate;
    if (!cert.IsPresent)
    {
        return; // no certificate was presented: do not log the user in
    }
    // [fieldname]: the certificate field that holds the identity (e.g. the UPN)
    string userID = cert.Get("[fieldname]");
    if (string.IsNullOrEmpty(userID))
    {
        return; // the selected certificate does not contain the expected field
    }

    // Create a new user and add it to the Visitor role, unless it already exists in the membership provider
    if (Membership.GetUser(userID) == null)
    {
        // FBA requires a password; the user never sees it, so generate a random one
        string randomPassword = Membership.GeneratePassword(16, 2);
        MembershipUser user = Membership.CreateUser(userID, randomPassword, "[email]");
        Roles.AddUserToRole(userID, "Visitors");
    }

    // The user now exists in the membership provider: log in using FBA
    FormsAuthentication.RedirectFromLoginPage(userID, false);

Summary
- For SmartCard authentication to work properly, it relies heavily on the surrounding Windows networking infrastructure that it resides within
- SmartCard authentication can be done several different ways depending on the surrounding infrastructure
- SmartCards work well when the user base understands their responsibility in upholding IA

Dan Usher: http://www.sharepointdan.com, @usher
Joel Ward: http://joelsef.blogspot.com, @joelsef
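Added example, not code from the presentation: the checks a custom login page (Option 3) or any IIS client-certificate deployment (Option 1) needs before trusting the identity on a card. It handles the two pitfalls the deck lists for those options, a certificate that carries no UPN and a CRL/OCSP endpoint that is unreachable, and reports them as separate outcomes so an outage is not logged as a bad card. It assumes .NET 6 or later; the certificate is generated in memory and the UPN in it is a constructed sample, not a real user.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public enum CertCheckResult { Ok, NoCertificate, NoUpn, Revoked, RevocationUnknown, ChainInvalid }

public static class SmartCardCertCheck
{
    // Returns Ok (and the UPN) only when the certificate actually carries a UPN,
    // chains correctly and its revocation status could be determined.
    public static CertCheckResult Check(X509Certificate2? cert, bool allowUntrustedRootForDemo, out string upn)
    {
        upn = string.Empty;
        if (cert == null) return CertCheckResult.NoCertificate;

        // Pitfall from the deck: the user may pick a certificate that has no UPN
        // in its Subject Alternative Name. Reject it instead of falling through
        // to an empty user ID. GetNameInfo returns "" when the UPN is absent.
        upn = cert.GetNameInfo(X509NameType.UpnName, forIssuer: false);
        if (string.IsNullOrEmpty(upn)) return CertCheckResult.NoUpn;

        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;      // CRL / OCSP lookup
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(5);  // bound the latency a CRL fetch adds
        if (allowUntrustedRootForDemo)
        {
            // Only so the self-signed sample below chains; never set this in production.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        }

        bool built = chain.Build(cert);
        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            if (s.Status.HasFlag(X509ChainStatusFlags.Revoked))
                return CertCheckResult.Revoked;

            // The deck's "CRL not available" case: the endpoint could not be reached,
            // so the card is neither known-good nor known-revoked.
            if (s.Status.HasFlag(X509ChainStatusFlags.RevocationStatusUnknown) ||
                s.Status.HasFlag(X509ChainStatusFlags.OfflineRevocation))
                return CertCheckResult.RevocationUnknown;
        }
        return built ? CertCheckResult.Ok : CertCheckResult.ChainInvalid;
    }

    // Constructed sample: a throwaway self-signed certificate, with or without a
    // UPN in its SAN, standing in for the certificate on a SmartCard.
    public static X509Certificate2 MakeSampleCert(string? upn)
    {
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=Sample User", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        if (upn != null)
        {
            var san = new SubjectAlternativeNameBuilder();
            san.AddUserPrincipalName(upn);
            req.CertificateExtensions.Add(san.Build());
        }
        using X509Certificate2 selfSigned =
            req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddHours(1));
        // Return the public part only; the check never needs the private key.
        return new X509Certificate2(selfSigned.Export(X509ContentType.Cert));
    }

    public static void Main()
    {
        foreach (string? sample in new[] { "sample.user@contoso.example", null })
        {
            using X509Certificate2 cert = MakeSampleCert(sample);
            CertCheckResult result = Check(cert, allowUntrustedRootForDemo: true, out string upn);
            Console.WriteLine($"{sample ?? "<certificate without UPN>"} -> {result} (upn='{upn}')");
        }
    }
}
```

In a real login page the certificate comes from the request (Request.ClientCertificate.Certificate wrapped in an X509Certificate2) and allowUntrustedRootForDemo stays false. Treating RevocationUnknown as its own outcome is what lets operations tell a CRL distribution point outage apart from a revoked card, and it is the value to alert on when the deck's "CRL not available" failure starts affecting users.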
