Chapter 16 – Securing Information

MS Sharepoint 2010 Admin’s Companion eBook (P. 779) 01/23/2011, 09:33PM

Securing a Sharepoint Farm —

5 farm level security settings:
(1) Farm Administrator group
(2) Service Account configurations
(3) Approve/Reject distribution Groups
(4) Configure information rights management
(5) Configure information management policies

Farm Administrator —
Complete and pervasive access to all settings and content in the farm. By default, the (1) BUILTIN\Administrators and the (2) application pool account for the Central Admin web site are in the farm admin group.

Service Account Configurations —
Service accounts are used to proxy user requests to the service and receive back the output from the service.

Approving/Rejecting Distribution Groups —
When a group in Sharepoint is configured to receive email messages, that configuration must be approved by a farm administrator before the group’s email functionality is enabled.

Configuring Information Rights Management (IRM) – (NEED MORE STUDY IN THIS TOPIC)

Configuring Information Management Policies (IMP) —
Labels – Add metadata labels to a document. At farm level, either enable or disable.
Barcodes —
Retention —
Audit —

Securing a Web Application – 01/24/2011, 10:15PM

To extend a web application – (enter a new port number and an authentication provider to make it available on a different site)

When you extend a web application, you extend it to a different ZONE. Where can you see the extended web application? In Alternate Access Mappings (AAM), but there you can’t tell which is the ROOT and which is the EXTENSION.

To configure the security of an extended web application, click the Security Policy:

We need to create a new policy and assign it to a Contractor user group.

Once you have the new “Contractor” policy:

Next, click User Policy to add a new user group to the zone.

Click Add Users to add a user and policy to the zone.

Select the zone that has the extended web application.

Enter the contractor user group and select the user policy.

****** To force the contractors to use the extended URL, you need to create another permission policy that denies all access on the default zone and assign it to the Contractor group.
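
The same two-policy setup (read access on the extended zone, deny-all on the default zone) done from the SharePoint 2010 Management Shell, as an added example that is not from the book or these notes. The web application URL, the CONTOSO\Contractors group, the policy display names and the choice of the Extranet zone are assumptions; everything else uses the SPWebApplication policy API.

```powershell
# Added example, not from the book or the notes. Hypothetical values: web application URL,
# contractor AD group, and the assumption that the extended web application lives in the Extranet zone.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl     = "http://intranet.contoso.local"    # hypothetical root web application
$contractorGrp = "CONTOSO\Contractors"               # hypothetical AD security group
$defaultZone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$extendedZone  = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet

$wa = Get-SPWebApplication -Identity $webAppUrl

# The two built-in policy roles the notes refer to: "Full Read" and "Deny All".
$fullRead = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
$denyAll  = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)

function Set-ZonePolicy {
    param($WebApp, $Zone, $UserName, $DisplayName, $Role)
    $policies = $WebApp.ZonePolicies($Zone)
    # Drop any existing policy for this account first so the script can be re-run safely.
    if ($policies | Where-Object { $_.UserName -eq $UserName }) { $policies.Remove($UserName) }
    $policy = $policies.Add($UserName, $DisplayName)
    $policy.PolicyRoleBindings.Add($Role)
}

# Contractors get read access only through the extended zone...
Set-ZonePolicy $wa $extendedZone $contractorGrp "Contractor" $fullRead
# ...and are denied outright on the default zone, so the root URL is unusable for them.
Set-ZonePolicy $wa $defaultZone  $contractorGrp "Contractor - deny default zone" $denyAll
$wa.Update()

# Verify: list every user policy per zone together with its bound roles.
foreach ($zone in $defaultZone, $extendedZone) {
    "Zone: $zone"
    $wa.ZonePolicies($zone) | ForEach-Object {
        "  {0,-30} {1}" -f $_.UserName, (($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", ")
    }
}
```

A Deny All web application policy overrides any site or list permission granted to the same account, so after running it, check that no other account that should keep using the default zone is a member of the contractor group.
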
Change authentication providers:

Note: if using classic-mode authentication, you can’t change to forms-based authentication (FBA)!!!

Self-Service site creation – (SSSC)
To enable SSSC, you need to do it at 2 levels: (1) Central Admin and (2) Site Collection.

(1) Central Admin → Security → General Security

Once the self-service site creation is enabled, an announcement will be posted:


Securing Site Collections – Main security boundary in Sharepoint 2010 – Site Collection.
Securing sites – Page 801

Permission Level inheritance (Page 813) —
The site collection is the security boundary of Sharepoint; permissions within a site collection are inherited from the root site.

To break permission inheritance between a site and a list, go to List Settings → Permission for this List → Stop inheriting Permission

Groups – you cannot populate Sharepoint groups with other (1) Sharepoint groups or (2) AD distribution groups.

To assign a permission level to an AD group/user: Site Settings → Set Permissions

To run Windows PowerShell commands, you must have (1) the Sharepoint_Shell_Access role in the Configuration DB (SQL role) and (2) membership in the Windows group WSS_Service_Admin.

To grant someone this permission, use Add-SPShellAdmin. 01/25/2011, 11:28PM

