Re: SharePoint securization
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 08/18/05
- Previous message: tevfik_at_itefix.no: "Re: SharePoint securization"
- Maybe in reply to: limpiezasgomez_at_terra.es: "SharePoint securization"
- Next in thread: tevfik_at_itefix.no: "Re: SharePoint securization"
- Reply: tevfik_at_itefix.no: "Re: SharePoint securization"
Date: Thu, 18 Aug 2005 00:39:38 -0700
To: tevfik@itefix.no
I'm familiar with the template... I just know folks that tighten up
SharePoint as well and will tweak the rights shown below and adjust the
defaults.
Security Architecture for SharePoint Products and Technologies:
http://www.microsoft.com/technet/prodtechnol/sppt/reskit/c0661881x.mspx
SharePoint Security:
http://www.brienposey.com/kb/sharepoint_security.asp
15 Seconds : SharePoint Security and .NET Impersonation:
http://www.15seconds.com/issue/040511.htm
Download details: Windows SharePoint Services Administrator's Guide:
http://www.microsoft.com/downloads/details.aspx?FamilyID=a637eff6-8224-4b19-a6a4-3e33fa13d230&DisplayLang=en
Site Groups
Windows SharePoint Services includes 21 rights, which are used in the
five default user site groups. The five default user rights groups are
Guest, Reader, Contributor, Web Designer, and Administrator. Table 6-1
shows user rights that are included in each site group by default.
The rights assigned to the Guest and Administrator site groups cannot be
changed. However, you can customize the rights available in Reader,
Contributor, and Web Designer site groups to include only the rights you
want.
You can add new site groups to combine different sets of rights, edit
the rights assigned to a site group, or delete an unused site group.
You cannot assign users directly to the Guest site group; rather, users
who are given access to lists or document libraries by way of per-list
permissions are automatically added to the Guest site group. The Guest
site group cannot be customized or deleted.
| *Site Group Name* | *User Rights Included* |
|---|---|
| Guest | None |
| Reader | Use Self-Service Site Creation; View Pages; View Items |
| Contributor | Use Self-Service Site Creation; View Pages; View Items; Add Items; Add/Remove Private Web Parts; Browse Directories; Create Cross-Site Groups; Delete Items; Edit Items; Manage Personal Views; Update Personal Web Parts |
| Web Designer | Use Self-Service Site Creation; View Pages; View Items; Add Items; Add/Remove Private Web Parts; Browse Directories; Create Cross-Site Groups; Delete Items; Edit Items; Manage Personal Views; Update Personal Web Parts; Add and Customize Pages; Apply Themes and Borders; Apply Style Sheets; Cancel Check-Out; Manage Lists |
| Administrator | Use Self-Service Site Creation; View Pages; View Items; Add Items; Add/Remove Private Web Parts; Browse Directories; Create Cross-Site Groups; Delete Items; Edit Items; Manage Personal Views; Update Personal Web Parts; Add and Customize Pages; Apply Themes and Borders; Apply Style Sheets; Cancel Check-Out; Manage Lists; Create Subsites; Manage List Permissions; Manage Site Groups; View Usage Data; Manage Lists |

| *Right* | *Permission* | *Groups Included* | *Dependency Rights* |
|---|---|---|---|
| Add and customize pages | Can create ASP.NET, ASP, HTML Web pages for a site | Web Designer, Administrator | Browse directories, View Pages |
| Add items | Add documents to documents libraries or items to lists | Contributor, Web Designer, Administrator | View Items, View Pages |
| Add and remove private Web parts (Web modules) | Add and/or remove Web parts to pages | Contributor, Web Designer, Administrator | Update Web Parts, View Items, View Pages |
| Apply style sheets | Apply a style to the entire site | Web Designer, Administrator | View Pages |
| Apply themes and borders | Apply a theme and/or border to a site | Web Designer, Administrator | View Pages |
| Browse directories | Browse a Web site’s directory structure | Contributor, Web Designer, Administrator | View Pages |
| Cancel check-out | Can cancel the check-out performed by a user | Web Designer, Administrator | View Pages |
| Create cross-site groups | Delete and create cross-site groups, change membership | Contributor, Web Designer, Administrator | View pages |
| Create subsites | Create subsite | Reader, Contributor, Web Designer, Administrator | View pages |
| Delete items | Delete items and documents | Contributor, Web Designer, Administrator | View items, View pages |
| Edit items | Edit existing list items and document in the Web site | Contributor, Web Designer, Administrator | View items, View pages |
| Manage Lists | Delete, create, edit lists and change settings | Web Designer, Administrator | View items, View pages, Manage personal views |
| Manage list permissions | Change permissions for a list | Administrator | Manage lists, View items, View pages, Manage personal views |
| Manage personal views | Create, delete, and edit personal views | Contributor, Web Designer, Administrator | View items, View pages |
| Manage site groups | Edit, create, and delete site groups, change the rights assigned to the site group | Administrator | View pages |
| Manage Web site | Perform tasks for the site or subsite | Administrator | View pages |
| Update personal Web parts | Update Web parts | Contributor, Web Designer, Administrator | View items, View pages |
| Use self-service site creation | Use to create top-level Web site | Reader, Contributor, Web Designer, Administrator | View pages |
| View items | View items in lists, documents | Reader, Contributor, Web Designer, Administrator | View pages |
| View pages | Browse pages | Reader, Contributor, Web Designer, Administrator | None |
| View usage data | View reports on Web site use | Administrator | View pages |

tevfik@itefix.no wrote:
>Hi,
>
>As you say, it all depends on your requirements. Bastion Host Template is
>a part of Security Guide for Windows 2003. More information can be found
>at
>http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
>
>After having applied that template, I run some verification tools like
>BSA, Nessus and C2I Security Benchmark. In my opinion, the results were
>acceptable.
>
>When it comes to Sharepoint, I don't understand what you mean by default
>user and permissions. AFAIK, there are none. You have to set up access per
>site. Sub-sites can inherit permissions from the parent if you want to. In
>our case, there are a couple of well-managed extranet applications.
>
>Best regards
>
>Tevfik
>
>
>
>>Did you also review the permissions of the Sharepoint users inside of
>>Sharepoint?
>>
>>You secured the server...but what about reviewing Sharepoint?
>>
>>If you have not changed the default users and their permissions and
>>roles, many Sharepoint gurus I know say there's work to be done inside
>>of there depending on your needs and risk.
>>
>>Why did you choose that template? What risks is it averting?
>>
>>
>>Tevfik Karagülle wrote:
>>
>>
>>
>>>Hi,
>>>
>>>What I did for a customer was to use Microsoft's Bastion Host security
>>>template on a Windows 2003
>>>Server Web edition and Sharepoint Service v2 w/SP1.
>>>
>>>Best regards
>>>
>>>Tevfik Karagulle
>>>ITEFIX Consulting
>>>
>>>http://itefix.no
>>>
>>>
>>>
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: limpiezasgomez@terra.es [mailto:limpiezasgomez@terra.es]
>>>>Sent: 17. august 2005 12:12
>>>>To: focus-ms@securityfocus.com
>>>>Subject: SharePoint securization
>>>>
>>>>Is there any resource where I could find information on steps
>>>>to secure a SharePoint Services installation?
>>>>
>>>>Thanks!
>>>>
>>>>Pedro
>>>>
>>>>--------------------------------------------------------------
>>>>-------------
>>>>--------------------------------------------------------------
>>>>-------------
>>>>
>>>>
>>>>
>>>>
>>>>
>>--
>>Letting your vendors set your risk analysis these days?
>>http://www.threatcode.com
>>
>>
>>
>
>
>
>
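
The dependency-rights table in the message above decides what a tightened site group still has to contain. As an added example (not part of the original post or of Microsoft's guide), the sketch below transcribes that column and checks a proposed custom group for missing dependencies and for rights that would be left unsatisfied if one right were removed. The function names and the sample group are hypothetical.

```python
# Right -> dependency rights, transcribed (lower-cased) from the table in this
# message. Reading the table's "Update Web Parts" dependency as the
# "update personal web parts" right is an assumption.
V, I = "view pages", "view items"
DEPENDS = {
    "add and customize pages": {"browse directories", V},
    "add items": {I, V},
    "add and remove private web parts": {"update personal web parts", I, V},
    "apply style sheets": {V},
    "apply themes and borders": {V},
    "browse directories": {V},
    "cancel check-out": {V},
    "create cross-site groups": {V},
    "create subsites": {V},
    "delete items": {I, V},
    "edit items": {I, V},
    "manage lists": {I, V, "manage personal views"},
    "manage list permissions": {"manage lists", I, V, "manage personal views"},
    "manage personal views": {I, V},
    "manage site groups": {V},
    "manage web site": {V},
    "update personal web parts": {I, V},
    "use self-service site creation": {V},
    I: {V},
    V: set(),
    "view usage data": {V},
}

def closure(rights):
    """Every right needed once dependency rights are followed transitively."""
    needed, todo = set(), list(rights)
    while todo:
        r = todo.pop()
        if r not in needed:
            needed.add(r)
            todo.extend(DEPENDS[r])  # KeyError for a right not in the table
    return needed

def missing_dependencies(rights):
    """Dependency rights that a proposed site group does not include."""
    return closure(rights) - set(rights)

def broken_by_removing(rights, removed):
    """Rights in the group whose dependencies include `removed`."""
    return {r for r in rights if r != removed and removed in closure([r])}

# Constructed sample: a Contributor variant that can add and edit, not delete.
TIGHT_CONTRIBUTOR = {"view pages", "view items", "add items", "edit items"}
```
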