Re: SharePoint securization

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 08/18/05

    Date: Thu, 18 Aug 2005 00:39:38 -0700
    To: tevfik@itefix.no
    
    

    I'm familiar with the template... I just know folks that tighten up
    Sharepoint as well and will tweak the rights shown below and adjust the
    defaults.

    Security Architecture for SharePoint Products and Technologies:
    http://www.microsoft.com/technet/prodtechnol/sppt/reskit/c0661881x.mspx

    SharePoint Security:
    http://www.brienposey.com/kb/sharepoint_security.asp
    15 Seconds : SharePoint Security and .NET Impersonation:
    http://www.15seconds.com/issue/040511.htm
    Download details: Windows SharePoint Services Administrator's Guide:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=a637eff6-8224-4b19-a6a4-3e33fa13d230&DisplayLang=en

            Site Groups

    Windows SharePoint Services includes 21 rights, which are used in the
    five default user site groups. The five default user rights groups are
    Guest, Reader, Contributor, Web Designer, and Administrator. Table 6-1
    shows user rights that are included in each site group by default.

    The rights assigned to the Guest and Administrator site groups cannot be
    changed. However, you can customize the rights available in Reader,
    Contributor, and Web Designer site groups to include only the rights you
    want.

    You can add new site groups to combine different sets of rights, edit
    the rights assigned to a site group, or delete an unused site group.

    You cannot assign users directly to the Guest site group; rather, users
    who are given access to lists or document libraries by way of per-list
    permissions are automatically added to the Guest site group. The Guest
    site group cannot be customized or deleted.

    *Site Group Name*   *User Rights Included*

    Guest               None

    Reader              Use Self-Service Site Creation, View Pages,
                        View Items

    Contributor         Use Self-Service Site Creation, View Pages,
                        View Items, Add Items,
                        Add/Remove Private Web Parts, Browse Directories,
                        Create Cross-Site Groups, Delete Items, Edit Items,
                        Manage Personal Views, Update Personal Web Parts

    Web Designer        Use Self-Service Site Creation, View Pages,
                        View Items, Add Items,
                        Add/Remove Private Web Parts, Browse Directories,
                        Create Cross-Site Groups, Delete Items, Edit Items,
                        Manage Personal Views, Update Personal Web Parts,
                        Add and Customize Pages, Apply Themes and Borders,
                        Apply Style Sheets, Cancel Check-Out, Manage Lists

    Administrator       Use Self-Service Site Creation, View Pages,
                        View Items, Add Items,
                        Add/Remove Private Web Parts, Browse Directories,
                        Create Cross-Site Groups, Delete Items, Edit Items,
                        Manage Personal Views, Update Personal Web Parts,
                        Add and Customize Pages, Apply Themes and Borders,
                        Apply Style Sheets, Cancel Check-Out, Manage Lists,
                        Create Subsites, Manage List Permissions,
                        Manage Site Groups, View Usage Data, Manage Lists

    *Right*: Add and customize pages
    *Permission*: Can create ASP.NET, ASP, HTML Web pages for a site
    *Groups Included*: Web Designer, Administrator
    *Dependency Rights*: Browse directories, View Pages

    *Right*: Add items
    *Permission*: Add documents to documents libraries or items to lists
    *Groups Included*: Contributor, Web Designer, Administrator
    *Dependency Rights*: View Items, View Pages

    *Right*: Add and remove private Web parts (Web modules)
    *Permission*: Add and/or remove Web parts to pages
    *Groups Included*: Contributor, Web Designer, Administrator
    *Dependency Rights*: Update Web Parts, View Items, View Pages

    *Right*: Apply style sheets
    *Permission*: Apply a style to the entire site
    *Groups Included*: Web Designer, Administrator
    *Dependency Rights*: View Pages

    *Right*: Apply themes and borders
    *Permission*: Apply a theme and/or border to a site
    *Groups Included*: Web Designer, Administrator
    *Dependency Rights*: View Pages

    *Right*: Browse directories
    *Permission*: Browse a Web site’s directory structure
    *Groups Included*: Contributor, Web Designer, Administrator
    *Dependency Rights*: View Pages

    *Right*: Cancel check-out
    *Permission*: Can cancel the check-out performed by a user
    *Groups Included*: Web Designer, Administrator
    *Dependency Rights*: View Pages

    *Right*: Create cross-site groups
    *Permission*: Delete and create cross-site groups, change membership
    *Groups Included*: Contributor, Web Designer, Administrator
    *Dependency Rights*: View pages

    *Right*: Create subsites
    *Permission*: Create subsite
    *Groups Included*: Reader, Contributor, Web Designer, Administrator
    *Dependency Rights*: View pages

    *Right*: Delete items
    *Permission*: Delete items and documents
    *Groups Included*: Contributor, Web Designer, Administrator
    *Dependency Rights*: View items, View pages

    *Right*: Edit items
    *Permission*: Edit existing list items and document in the Web site
    *Groups Included*: Contributor, Web Designer, Administrator
    *Dependency Rights*: View items, View pages

    *Right*: Manage Lists
    *Permission*: Delete, create, edit lists and change settings
    *Groups Included*: Web Designer, Administrator
    *Dependency Rights*: View items, View pages, Manage personal views

    *Right*: Manage list permissions
    *Permission*: Change permissions for a list
    *Groups Included*: Administrator
    *Dependency Rights*: Manage lists, View items, View pages,
    Manage personal views

    *Right*: Manage personal views
    *Permission*: Create, delete, and edit personal views
    *Groups Included*: Contributor, Web Designer, Administrator
    *Dependency Rights*: View items, View pages

    *Right*: Manage site groups
    *Permission*: Edit, create, and delete site groups, change the rights
    assigned to the site group
    *Groups Included*: Administrator
    *Dependency Rights*: View pages

    *Right*: Manage Web site
    *Permission*: Perform tasks for the site or subsite
    *Groups Included*: Administrator
    *Dependency Rights*: View pages

    *Right*: Update personal Web parts
    *Permission*: Update Web parts
    *Groups Included*: Contributor, Web Designer, Administrator
    *Dependency Rights*: View items, View pages

    *Right*: Use self-service site creation
    *Permission*: Use to create top-level Web site
    *Groups Included*: Reader, Contributor, Web Designer, Administrator
    *Dependency Rights*: View pages

    *Right*: View items
    *Permission*: View items in lists, documents
    *Groups Included*: Reader, Contributor, Web Designer, Administrator
    *Dependency Rights*: View pages

    *Right*: View pages
    *Permission*: Browse pages
    *Groups Included*: Reader, Contributor, Web Designer, Administrator
    *Dependency Rights*: None

    *Right*: View usage data
    *Permission*: View reports on Web site use
    *Groups Included*: Administrator
    *Dependency Rights*: View pages

    tevfik@itefix.no wrote:

    >Hi,
    >
    >As you say, it all depends on your requirements. Bastion Host Template is
    >a part of Security Guide for Windows 2003. More information can be found
    >at
    >http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
    >
    >After having applied that template, I run some verification tools like
    >BSA, Nessus and C2I Security Benchmark. In my opinion, the results were
    >acceptable.
    >
    >When it comes to Sharepoint, I don't understand what you mean by default
    >user and permissions. AFAIK, there are none. You have to set up access per
    >site. Sub-sites can inherit permissions from the parent if you want to. In
    >our case, there are a couple of well-managed extranet applications.
    >
    >Best regards
    >
    >Tevfik
    >
    >
    >
    >>Did you also review the permissions of the Sharepoint users inside of
    >>Sharepoint?
    >>
    >>You secured the server...but what about reviewing Sharepoint?
    >>
    >>If you have not changed the default users and their permissions and
    >>roles, many Sharepoint gurus I know say there's work to be done inside
    >>of there depending on your needs and risk.
    >>
    >>Why did you choose that template? What risks is it averting?
    >>
    >>
    >>Tevfik Karagülle wrote:
    >>
    >>
    >>
    >>>Hi,
    >>>
    >>>What I did for a customer was to use Microsoft's Bastion Host security
    >>>template on a Windows 2003
    >>>Server Web edition and Sharepoint Service v2 w/SP1.
    >>>
    >>>Best regards
    >>>
    >>>Tevfik Karagulle
    >>>ITEFIX Consulting
    >>>
    >>>http://itefix.no
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>>-----Original Message-----
    >>>>From: limpiezasgomez@terra.es [mailto:limpiezasgomez@terra.es]
    >>>>Sent: 17. august 2005 12:12
    >>>>To: focus-ms@securityfocus.com
    >>>>Subject: SharePoint securization
    >>>>
    >>>>Is there any resource where I could find information on steps
    >>>>to secure a SharePoint Services installation?
    >>>>
    >>>>Thanks!
    >>>>
    >>>>Pedro
    >>>>
    >>>>--------------------------------------------------------------
    >>>>-------------
    >>>>--------------------------------------------------------------
    >>>>-------------
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>
    >>--
    >>Letting your vendors set your risk analysis these days?
    >>http://www.threatcode.com
    >>
    >>
    >>
    >
    >
    >
    >

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
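
The message above says the Reader, Contributor and Web Designer site groups can be customized, and its rights table lists dependency rights for each right. The following is an added example, not part of the original message or of any SharePoint tooling: it models that table to show which rights in a group hang on a right being revoked, and which dependencies a custom group lacks. The names `DEPENDS`, `cascade` and `missing_dependencies` are hypothetical, and right names use the capitalization of the first table.

```python
# Added example. Dependency rights transcribed from the table in the message;
# "Update Web Parts" there is assumed to mean "Update Personal Web Parts".
VP, VI, MPV = "View Pages", "View Items", "Manage Personal Views"
DEPENDS = {
    "Add and Customize Pages": {"Browse Directories", VP},
    "Add Items": {VI, VP},
    "Add/Remove Private Web Parts": {"Update Personal Web Parts", VI, VP},
    "Apply Style Sheets": {VP},
    "Apply Themes and Borders": {VP},
    "Browse Directories": {VP},
    "Cancel Check-Out": {VP},
    "Create Cross-Site Groups": {VP},
    "Create Subsites": {VP},
    "Delete Items": {VI, VP},
    "Edit Items": {VI, VP},
    "Manage Lists": {VI, VP, MPV},
    "Manage List Permissions": {"Manage Lists", VI, VP, MPV},
    MPV: {VI, VP},
    "Manage Site Groups": {VP},
    "Manage Web Site": {VP},
    "Update Personal Web Parts": {VI, VP},
    "Use Self-Service Site Creation": {VP},
    VI: {VP},
    VP: set(),
    "View Usage Data": {VP},
}
# Default Contributor rights as listed in the message.
CONTRIBUTOR = {"Use Self-Service Site Creation", VP, VI, "Add Items",
               "Add/Remove Private Web Parts", "Browse Directories",
               "Create Cross-Site Groups", "Delete Items", "Edit Items",
               MPV, "Update Personal Web Parts"}

def cascade(group_rights, removed):
    """Rights in the group that depend, directly or transitively, on `removed`."""
    lost, changed = {removed}, True
    while changed:  # repeat until no remaining right has a lost dependency
        changed = False
        for right in group_rights - lost:
            if DEPENDS[right] & lost:
                lost.add(right)
                changed = True
    return lost - {removed}

def missing_dependencies(group_rights):
    """For a custom site group, the dependency rights each right lacks."""
    gaps = {r: DEPENDS[r] - group_rights for r in group_rights}
    return {r: lacking for r, lacking in gaps.items() if lacking}

if __name__ == "__main__":
    print(sorted(cascade(CONTRIBUTOR, VI)))
```
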

