Talking SharePoint Security
SharePoint Metadata and Classification and more

Last week I received a huge surprise and a great honor in finding out that I had been given a Microsoft MVP award for SharePoint Server.

It’s a real honor to receive this designation from Microsoft. I have been working in the SharePoint space for a little over 8 years on and off, with a lot of focus in particular over the last 2 years. I’m passionate about the power of SharePoint. I’m also excited about how we at TITUS are working with Microsoft to enhance the security and data governance capabilities of the SharePoint platform. My focus is on solving security challenges within Microsoft SharePoint, helping organizations share the right information with the right people.
Read the rest of this entry »

I ran across an interesting little side effect of altering my claims enabled web application in SharePoint 2010 the other day I thought would be useful for others to know about. The situation has to do with accessing AD Groups from within the SharePoint people picker in a claims enabled environment.
Read the rest of this entry »

Implementing claims based authorization in SharePoint 2010 provides great alternatives to using security groups in order to control access to sensitive content in SharePoint.  Traditionally, security groups have been used to restrict access to content or to enforce a role based security mechanism.  However, organizations are quickly finding that security groups, whether they are SharePoint groups or Active Directory groups, do not scale well in large enterprise environments.  Many enterprises already have large numbers of groups deployed, so how can those organizations still make use of those groups to enforce advanced security policies without complicating group management further?  As well, how can they check membership to multiple groups in order to allow access to sensitive content? This article focuses on using claim rules in Active Directory Federation Services version 2 (ADFSv2) as an efficient mechanism to enforce security policies in SharePoint based on group membership.
Read the rest of this entry »

In a recent post I introduced the concept of claim rules within Microsoft Active Directory Federation Services 2.0 (ADFSv2) and the templates it provides.  Claim rules can be used to easily evaluate, transform or augment claims before they are returned to a relying party application like SharePoint.  In this post, the second in the series, we dive into ADFSv2’s Claim Rule Language and how it can be used to issue claims under more specific conditions, retrieve attributes from external data sources and implement some unique scenarios.

Read the rest of this entry »

Microsoft SharePoint is used in many highly secure environments around the world that deal with very sensitive information – information that is considered ’secret’ or ‘top secret’ and where security of that data is critical to not only business but also to national security. These deployments exist primarily in military and government installations, or as part of the intelligence community. In these SharePoint deployments, its extremely important that security and access control policies be configured in such a way that they “Fail Safe”.
Read the rest of this entry »

Previously, we’ve talked about how using trusted attributes of a user’s identity (or claims) along with document metadata is a very robust way of enforcing security policies within Microsoft SharePoint 2010. This article reviews another important tool that can be used to configure security policies for SharePoint:  Claim Rules.

In general, claim rules can be used to centrally evaluate, transform or augment claims before they are returned to a relying party application like SharePoint. Microsoft Active Directory Federation Services version 2.0 (ADFSv2) can act as a trusted identity provider to SharePoint and other relying party apps.  It provides a great interface with templates for creating and editing claim rules as part of its management console.  As well, it provides a ‘claim rule language’ that can be used to configure detailed policies with very specific conditions. This allows us to configure specific claims to be retrieved under very specific conditions, and thereby enforce very specific security policies for authentication and authorization.

This series of articles talks in detail about how to use this mechanism to enforce dynamic access control policies within SharePoint 2010 and, it illustrates how these policies relate to particular industries and regulations in SharePoint.
Read the rest of this entry »