Security
Security can be divided into two primary components: authentication and authorization.
Authentication Provider
Windows SharePoint Services authentication is configured by the Web application’s authentication provider. Windows SharePoint Services 3.0 supports Windows authentication, which enables users to authenticate with accounts stored in the server’s local security accounts manager (SAM) database or in Active Directory (AD). Additionally, you can configure a Web application to use forms-based authentication, which supports any ASP.NET 2.0 authentication provider or Active Directory Federated Services (ADFS).
In order to support more than one authentication provider, you will need to create or extend more than one Web application. For example, you might want to give Windows SharePoint Services 3.0 access to users within your organization who maintain accounts in Active Directory, as well as to partners who access Windows SharePoint Services 3.0 through an extranet site by using accounts stored in an ASP.NET 2.0 authentication provider. To give this access, you need to create a Web application (for example, http://intranet.contoso.com) that uses Windows authentication. You would then extend that application to another Web application (for example, http://extranet.contoso.com) that would utilize forms-based authentication. Both sites would be attached to the same content database. Therefore, regardless of which URL they accessed, users would see the same content.
Authentication Timeout for Forms Based Authentication
If the Web application uses forms-based authentication, the user will remain authenticated until the user closes his or her browser or until the authentication timeout occurs. You can configure this expiration time, set by default to 30 minutes, for a Web application in the application’s Web.config file. Add or modify the timeout attribute of the forms element, for example:
<forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" timeout="100" />
Authentication for a Site
To allow a user to authenticate to a specific site, you must add to the site collection (by using the People and Groups link in the site’s settings) the user’s account or a group to which the user belongs. The definition of valid users and groups is contained at the site collection level and, once added, you can give to a user or group permissions to any object (site, list, library, item, or document) within the site collection.
Anonymous Access
Users without user or group accounts in the site collection are considered anonymous users. You must set anonymous access, which is off by default, at the Web application level before such users can access any site or list. Once you have enabled anonymous access for the Web application, you can configure it for a site to support access to the entire site or to specific lists and libraries. Each list and library can then deny or allow anonymous access.
Access to Securable Objects
After authentication as either a valid user account or as an anonymous user, access to any securable object (a site, list, library, item, or document) is controlled by the permissions for that object. Permissions should be assigned to groups defined in either the SharePoint site collection or the authentication provider (such as Active Directory groups), but can also be assigned to a user defined in the authentication provider. By default, permissions are inherited from the parent object. The permissions assigned to the top-level site in a site collection are inherited by each site within the collection, each library and list within that site, and each document and item within the library or list. You can edit permissions on any securable object, but by doing so, you break the inheritance of that object’s permissions from its parent, and any changes to the parent’s permissions will no longer affect the child object.
Permission Levels
The permission levels you can configure on a securable object for a user or group are, by default, Full Control, Design, Contribute, Read, and Limited Access. You can modify these permission levels at the site collection level to enable the configuration of additional security-related roles.
Permissions
Each permission level is itself composed of granular permissions. For example, the Read permission level comprises eleven permissions such as View Pages, View Items, and Create Alerts. By default, all Windows SharePoint Services permissions are available for use in defining permission levels in a site collection. However, you can restrict which permissions are available to site collections within a Web application by configuring User permissions for Web application in SharePoint Central Administration.
Web Application Policies
Finally, Windows SharePoint Services 3.0 enables you to override object-level permissions through security policies configured for the Web application. By default, the administrators of the server hosting Windows SharePoint Services do not have access to any Windows SharePoint Services content. If business needs mandate such access, you can configure a security policy for each Web application that enables appropriate access for the administrators group. Similarly, corporate policy may require that a team of auditors or security personnel have access to content within a Web application. A Full Control or Full Read policy will provide the assigned users access to content throughout the Web application, overriding any more restrictive permissions on objects within the application. Alternatively, a particular group of users might need to be restricted from accessing content, even if permissions have been granted that would otherwise allow access. A Deny Write or Deny All policy will override any more liberal permissions on objects within the Web application.
Security Control Summary
· Authentication provider: Configured for the Web application in SharePoint Central Administration.
· Authentication timeout for forms-based authentication: By default, 30 minutes. Configured for the Web application in Web.config. Add or modify a timeout attribute to the forms element.
· Authentication for a site: Configured by adding the user or a group to which the user belongs to the site collection in People and Groups.
· Anonymous authentication: Enabled for the Web application in its authentication provider configuration. Then enabled for the site (none, entire site, or lists and libraries) and then further restricted or enabled per list or library.
· Access to securable objects: Configured for the securable object (site, list, library, item, or document). By default, inherited from parent object. Permission levels assigned to a user in the authentication provider or to a group in either the authentication provider or the site collection’s groups.
· Permission levels: Defined in the site’s Permissions settings. By default, inherited from the parent site.
· Permissions: Enabled for the Web application in SharePoint Central Administration.
· Security policies: Configured for the Web application in SharePoint Central Administration.
| Control
| Configured for Windows SharePoint Services Component
| Location for Configuration
| Notes
|
| Authentication provider
| Web application | SharePoint Central Administration: Application Management: Authentication providers: Edit Authentication | Windows, forms-based, or Web single sign-on (SSO) is available. |
| Authentication timeout for forms-based authentication
| Web application | Web application’s Web.config file: The timeout attribute of the forms element | Configure the lifetime of the authentication cookie. Authentication will time out at this interval or when the user closes the browser. |
| Authentication for a site
| Site collection | People and Groups: All People or People and Groups: All Groups | Add a user or a group to which the user belongs to the site collection. |
| Anonymous access
| Web application | SharePoint Central Administration: Application Management: Authentication Providers: Edit Authentication | Anonymous access to any object within the Web application is not possible unless enabled by the Web application. |
|
| Site | Site Settings: Permissions | At the site level, anonymous access can be: · Blocked · Enabled for the entire site · or enabled for specific lists and libraries |
|
| List or library | List Settings: Permissions for this list | A list or library can enable anonymous users to add, edit, view, and/or delete items. |
| Access to securable objects
| Object (site, list, library, item, or document) | Permissions | By default, permissions are inherited from the parent object. Permission levels are assigned to a user in the authentication provider or to a group in either the authentication provider or the site collection’s groups. |
| Permission levels
| Site | Site Settings: Permissions | By default, permission levels such as Full Control, Contribute, Read, and Limited Access are inherited from the parent site. |
| Permissions
| Web application | SharePoint Central Administration: Application Management: User permissions for Web application | Permissions supported by Windows SharePoint Services 3.0 can be enabled or disabled for a Web application. Enabled permissions are used to create permission levels for a site. |
| Security policies
| Web application | SharePoint Central Administration: Application Management: Policy for Web application | Security policies allow you to enable or deny access to users or groups. Policies override the permissions on securable objects. |
162
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
