Saturday, 8 March 2008

Building a Secure SharePoint Server

There are some rules when building your SharePoint environment. One of them is to locate your SharePoint server where it will be used: if it is for internal use only, put it behind the firewall and network protection of your company; if it is going to be public facing, put it somewhere on your DMZ, and if you don't have a DMZ you should build one. I will most likely cover how to build a DMZ in another blog posting later.

So here are the steps for a medium or large environment. The steps for SBS are not the same, and if you have everything on one box like SBS you have already broken the security rule of never having all your passwords in one place.

Step One
The first thing you need to do is create a service account. Remember that this should not be used by a person and therefore never changes, so a complex password is a good idea as you do not want this account to be hacked. This account should have only user rights to the domain and local admin rights on the SQL server itself.

Step Two
Installing SQL 2005: which components you install will always depend on your needs, but the important thing is to use Windows authentication. Another tip is to create this as a named instance, not just as the default instance. Also think about whether you are using this SQL server for other SQL applications; if so, put them on a different instance to avoid security issues. Remember it is recommended to have an instance per department or role, so, as an example, you would never put the finance database in the same instance as public web facing databases. As the install gets to the end you will be asked for an account for it to run under; this is where you enter your service account.

Step Three
Loose ends are left even when Windows authentication is used. As an example, there is still an SA user, and even if you cannot authenticate with it at the moment that might change, so I strongly recommend you create a complex password for SA and rename SA or, better yet, disable it. I like to disable it as it is more secure.

Here is some sample script to do it

Step Four
Since someone will have to act as your database administrator, and it is not a good idea for it to be all of the admin team as some don't have the skill, you should add a group that will have sysadmin rights. With 2005 a default group is created with this right if you want to use it.

This group name is made up of your domain, server and instance name, so it should be unlike any other in your domain. Make sure the Database Administrator is a member of this group before doing step six.

Step Five
Make sure you have at least one database administrator before you do this, as otherwise you risk locking yourself out of SQL.
Remove the BUILTIN\Administrators login in SQL.

Install the most current service pack and hotfixes; as with all products, it is only as secure as the latest fix.

Step Six
This is one you might not all use, but I do recommend it if you have the CPU and drive space for large event log files: enable C2 Auditing. This can only be done by query; the syntax is as follows

exec sp_configure 'c2 audit mode', 1

Depending on your version of SQL you might not be able to use this command without first enabling advanced options, which can be enabled with the following syntax

EXEC sp_configure 'show advanced options', 1

Now for the moment you've been waiting for...
The SharePoint Install
Installing SharePoint doesn't take too long now that you've got your SQL set up.

Step One
Create a service account for SharePoint to use. This only needs to be a normal domain user account, but again remember no user will be logging on with it, so make the name and the password complex.

Step Two
This is again before we start the SharePoint install: add the SharePoint service account to SQL. It will need to be able to create config databases, content databases and even index ones, so you will need to assign the dbcreator role to the account for it to function normally.
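The T-SQL behind SQL steps three, five and six and SharePoint step two, as an added example (not script from the original post). CONTOSO\SP_SVC and the password string are placeholders, and the sysadmin check before dropping BUILTIN\Administrators is my addition to enforce the warning in step five.

```sql
-- Added example, not from the original post. Tested against SQL 2005 syntax.
-- Placeholders: CONTOSO is the example domain, SP_SVC the SharePoint service account.
USE master;
GO

-- Step three: give SA a complex password, then rename and disable it.
ALTER LOGIN sa WITH PASSWORD = 'Replace-With-A-Long-Random-Passw0rd!';
ALTER LOGIN sa WITH NAME = sa_disabled;
ALTER LOGIN sa_disabled DISABLE;
GO

-- Step five: only drop BUILTIN\Administrators if another enabled sysadmin
-- login exists (your DBA group from step four), otherwise you lock yourself out.
IF (SELECT COUNT(*)
    FROM sys.server_principals p
    JOIN sys.server_role_members rm ON rm.member_principal_id = p.principal_id
    JOIN sys.server_principals r  ON r.principal_id = rm.role_principal_id
    WHERE r.name = 'sysadmin'
      AND p.name <> 'BUILTIN\Administrators'
      AND p.is_disabled = 0) = 0
BEGIN
    RAISERROR('No other sysadmin login exists; add your DBA group first.', 16, 1);
END
ELSE
BEGIN
    DROP LOGIN [BUILTIN\Administrators];
END
GO

-- Step six: C2 audit mode is an advanced option, so expose those first.
-- RECONFIGURE commits each change; C2 auditing itself starts after a
-- service restart.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'c2 audit mode', 1;
RECONFIGURE;
GO

-- SharePoint step two: add the SharePoint service account as a Windows
-- login and grant dbcreator so it can create config and content databases.
CREATE LOGIN [CONTOSO\SP_SVC] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = 'CONTOSO\SP_SVC', @rolename = 'dbcreator';
GO
```

Run it as a member of your DBA group, not as SA, so the step five check reflects the logins that will remain.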

Step Three
Install SharePoint and use our secured SQL server to host the databases. Do not install MSDE or SQL Express on your SharePoint box unless it is a stand alone server, otherwise you will have defeated the point of creating a secure server at the beginning.
