Securing SharePoint for Internet sites

SharePoint 2010 has provided users with the ability to take their companies where very few had gone before them: the Internet. In the release, Microsoft addressed several limitations that made it challenging to leverage SharePoint for an Internet site, including changes to the licensing model that make it a more cost-effective and competitive solution.

Many standard security principles have always applied when deploying SharePoint to the Internet. Use a defense-in-depth strategy with multiple security zones to isolate networks and your farm; harden your servers (including SQL Server); apply the latest cumulative updates with all security patches; utilize SSL; and leverage an application layer firewall like Microsoft’s Unified Access Gateway. The SharePoint 2010 platform, including enhancements made in IIS and ASP.NET, have helped greatly to resolve other challenges existing around authentication and authorization.

Publishing sites will typically be used as Internet-facing sites and are commonly configured for anonymous access for the majority of the site. Opening a SharePoint site for anonymous users adds several challenges to secure your SharePoint Internet site.

One of those challenges is that, by default, all SharePoint sites have a permission level named “Limited Access,” which is granted to all users who have access to a SharePoint site. The Limited Access permission level grants the “View Application Pages” right, which enables users to view all the SharePoint system pages for items, such as lists. This is not desirable for Internet sites because publishing sites are usually very structured and controlled. Content owners want to control what the users of a site can see.

To control this type of access, site administrators need to remove the “View Application Pages” right from the “Limited Access” permission level. Unfortunately, the “Limited Access” permission level is not editable through the browser interface. However, Microsoft has provided a feature named “Restrict Limited Access Permissions” (found in the path […]12TEMPLATEFEATURESViewFormPagesLockdown) that programmatically removes the “View Application Pages” right from the “Limited Access” permission level.

Anonymous access is the most common form of authentication for Internet sites. Sometimes, however, you may want to authenticate a user. In this case, you can use forms-based authentication.

ASP.NET forms-based authentication enables you to redirect unauthenticated users to a custom form or page where they are prompted to enter their credentials. For example, you can use forms-based authentication to authenticate users against a database, such as SQL Server. When users are authenticated, they are issued a cookie that identifies them for the remainder of their session. This can enable a site to present personalized information to registered users.

If you do want to use forms-based authentication with client integration, users must select “Sign me in automatically” when they log in to SharePoint. This creates a persistent cookie that is available to Microsoft Office applications rather than a session cookie that is constrained to the browser. However, forms-based authentication may still cause client integration to perform unpredictably, and it is recommended that you leave client integration disabled.

This article was originally published on March 13.

Russ Basiura is founder and CEO of RJB Technical Consulting, Inc.