As promised, here are Antonio’s answers to questions that we didn’t have time to address during our recent Take Control of SharePoint Security webcast. Please let us know if you have any additional questions from the webcast by either filling out the comments field or contacting us directly. We’d be happy to answer your questions!
Webcast Q&A
1. Is there a white paper on what you have learned on security in SharePoint?
TITUS has several white papers about SharePoint security. Please visit the SharePoint Security Resources section on our website for a complete list. You may also want to check out the recently published SharePoint Survey Results from the webcast.
2. Is there any option for setting access permissions at a content type level?
SharePoint itself does not support setting permissions on content types – more specifically, with native SharePoint capabilities you cannot configure permissions to be set on all instances of a particular content type like an “Expense Report”. Permissions can only be assigned to securable objects like items and documents (or any content type derivation of those) and to containers like folders, document sets, libraries, lists, sites and site collections. However, TITUS Metadata Security for SharePoint can set permissions on items and documents (and any derivation of those) automatically based on the content type of each item. For example, when configuring policies in TITUS Metadata Security, you can include conditions like “if ContentType = Expense Report” and have unique permissions assigned only to items of those specific content types.
3. Which versions of SharePoint offer claims-based authentication?
To use claims-based authentication and authorization, you’ll need to use either SharePoint 2010 or SharePoint 2013. For both versions, it is supported in both Foundation and Server Editions.
4. SharePoint provides many ways to access SharePoint data. Can we trust the custom solutions that set security for SharePoint?
With regards to TITUS Metadata Security, the answer is YES. Because TITUS Metadata Security is automatically setting native SharePoint permissions, and those permissions are enforced by SharePoint itself in all channels through which you can access SharePoint data, you can be assured that access control will be enforced consistently according to the TITUS policies. So, TITUS Metadata Security and SharePoint’s native permissions will enforce access control through the SharePoint web view, through any web parts, through the Windows Explorer view (WebDAV), through native search, through FAST search, through SharePoint web services, through the SharePoint client object model and through the server object model.
There is perhaps one exception to this, and that is the Windows Explorer view into SharePoint – although this view does enforce SharePoint native permissions and therefore the TITUS Metadata Security policies, there are various native security issues with Windows Explorer that cannot be addressed by third party software, so many organizations turn off access to that view.
5. What is the difference between User Policy and Site Permissions?
There are a few differences between user policies and site permissions. First of all, you define one or more user policies at the web application level. As such, when you apply a user policy to a web application the permissions defined for the user policy will be applied to all site collections and sites within the web application. When you define site permissions you are defining those on a particular site and you are impacting only that site, and potentially the libraries, lists and content within it.
Another difference is that you define user policies within SharePoint Central Admin, which typically requires you to be a SharePoint farm administrator to access it. Site permissions can be defined by site owners, site collection admins and farm admins. This means that with site permissions, there is the possibility to delegate the responsibility of creating and managing them to site owners (or sometimes business unit managers). For user policies, there is no delegation possible without giving someone much higher level privileges within SharePoint.
As well, user policies allow you to define a Deny policy, where you can explicitly deny a user or group access. This is not possible with site permissions.
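The two mechanisms contrasted in the answer above, as an added example written for this page (it is not code from the original post or from TITUS), using the SharePoint 2010/2013 Management Shell and the server object model. The web application URL, site URL, accounts and group names are assumptions; substitute your own. The first half creates web application User Policies, including an explicit Deny, which is only possible at that level; the second half grants an ordinary site permission on one site, which is the part a site owner could be delegated.

```powershell
# Added example, not from the original post or from TITUS. Run in the SharePoint
# Management Shell on a farm server as a farm administrator (Central Admin rights
# are what User Policies require). All URLs and account names are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://intranet.contoso.com"            # assumed web application
$siteUrl   = "http://intranet.contoso.com/sites/hr"   # assumed site inside it
$auditAcct = "CONTOSO\svc-audit"                       # assumed accounts / groups
$denyGroup = "CONTOSO\former-contractors"
$reader    = "CONTOSO\jdoe"

$webApp = Get-SPWebApplication $webAppUrl

function Get-PolicyUserName([string]$account) {
    # Claims-mode web applications expect the encoded claim (i:0#.w|domain\user);
    # classic-mode web applications take the plain account name.
    if ($webApp.UseClaimsAuthentication) {
        $claim = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName
        return $claim.ToEncodedString()
    }
    return $account
}

# --- User Policy: defined once on the web application (Default zone here) and applied
#     to every site collection and site in it. Only a farm admin can do this.
$zone     = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$policies = $webApp.ZonePolicies($zone)

# Read-only access everywhere, e.g. for an audit or crawl account.
$p = $policies.Add((Get-PolicyUserName $auditAcct), "Audit account - Full Read")
$p.PolicyRoleBindings.Add(
    $webApp.PolicyRoles.GetSpecialRole(
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead))

# Explicit Deny Write: overrides any site permission the group has been granted anywhere
# in the web application. Site permissions have no equivalent of this.
$p = $policies.Add((Get-PolicyUserName $denyGroup), "Offboarded contractors - Deny Write")
$p.PolicyRoleBindings.Add(
    $webApp.PolicyRoles.GetSpecialRole(
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyWrite))
$webApp.Update()

# --- Site permission: defined on one site, affects only that site and whatever inherits
#     from it. A site owner or site collection admin can do this without farm rights.
$web = Get-SPWeb $siteUrl
try {
    if (-not $web.HasUniqueRoleAssignments) {
        # Stop inheriting from the parent site first; $true copies the inherited
        # assignments so existing access is not silently dropped.
        $web.BreakRoleInheritance($true)
    }
    $user = $web.EnsureUser($reader)
    $ra   = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
    $ra.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
    $web.RoleAssignments.Add($ra)
    $web.Update()
}
finally {
    $web.Dispose()
}

# Verify: list the policies now in force on the Default zone of the web application.
$webApp.Policies | Select-Object UserName, DisplayName,
    @{ n = "Roles"; e = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", " } }
```

When checking a "why can this user still write?" report, look at both layers: a User Policy of Full Control or Full Read on the web application grants access that no site-level permission removes, and a Deny policy blocks access that site owners believe they have granted.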
6. Does TITUS have any document watermarking solution for SharePoint? If yes, can you share more info about it?
Yes, TITUS Document Policy Manager for SharePoint can automatically add watermarks (and headers and footers) to Microsoft Office and PDF documents. In addition, the product can apply watermarks to PDFs downloaded from SharePoint, which promotes end user accountability over sensitive information. By marking PDFs upon download from SharePoint with identifying information like the current user’s name and the current date/timestamp, organizations can better prevent leaks of sensitive information and have traceability over sensitive content if it’s disclosed.
7. Is Joel using a product like the TITUS products?
Joel has been looking at the product as part of a general review but also for his organization. You can read more about his review on his blog: http://www.sharepointjoel.com/Lists/Posts/Post.aspx?ID=574.
8. How does the automatic security application work when people use the Explorer view to upload information?
When documents are added to SharePoint through the Windows Explorer view (WebDAV), TITUS Metadata Security for SharePoint will intercept that event and evaluate any metadata available for it to determine what permissions should be assigned (based on the policies which you configure). However, with the Windows Explorer view there is no requirement to add metadata to uploaded files, which is a significant drawback for SharePoint. There are a few options for dealing with this scenario:
Firstly, you can turn off the Windows Explorer view for SharePoint, so that users cannot access it. We often recommend this to customers because that view has some inherent security issues that no third party application can address.
However, if you need to use the Windows Explorer view, you can make some metadata fields mandatory. What happens in this case is that the file will still be uploaded to SharePoint, but it will only be made available to the original user that added it. No other user will be able to see or access the file until the original uploader fills in the required metadata through the SharePoint web interface. This is native SharePoint functionality and not the result of any third party product. Once the mandatory metadata is filled out in this way, TITUS Metadata Security can then apply the appropriate permissions to the file.
9. Do we need to have additional hardware for watermarking security suite?
No additional hardware is needed for any of the TITUS SharePoint security products. They run on your existing SharePoint server.
10. Can DRM be applied to the PDF documents when they are downloaded from a SharePoint site?
Yes this can be configured in SharePoint, however Microsoft’s DRM solution (called RMS outside of SharePoint and called IRM within SharePoint) will only work with Microsoft Office files. There are a number of third party companies that create plug-ins (or what are called “protectors”) for Microsoft RMS so that PDF files and other file formats can also be protected.
11. So there is nothing to prevent a malicious user from emailing confidential information to third parties?
TITUS Metadata Security for SharePoint can ensure that malicious users don’t see the confidential information in the first place. However, if a user did download a document and attempt to email it, there are options for preventing it from being disclosed outside the organization. For example, you can use TITUS Classification solutions to identify the document as sensitive, and then use TITUS Message Classification to block any emails containing the document.
12. Are there any guidelines for implementing item level security without affecting performance?
Yes. TITUS has published a white paper on this exact topic, which can be found here: Effectively Managing Permissions in SharePoint.
13. Does metadata security have a negative influence on performance?
It depends on how a product that manages permissions and security is used, and how your content is organized within SharePoint. A third party solution is of course no substitute for a well-organized content structure within SharePoint. SharePoint itself can experience negative performance impacts if too much content is stored within individual libraries, or if its native permission capabilities are over-used or used in the wrong way. TITUS has published a white paper on this exact topic to provide our customers with best practices and guidance. It can be found here: Effectively Managing Permissions in SharePoint.
14. My company deployed SharePoint 2010 with 150,000 users. It is running successfully. We need to change the SharePoint Admin User ID. We are using a Service Account. But we are a bit worried that if we change the password or User ID it will impact the entire site.
This is an interesting situation, and one that I have not dealt with specifically. Here are a couple of posts that may help:
http://technet.microsoft.com/en-us/library/cc263445.aspx
15. Does TITUS Metadata Security work with metadata assigned through Managed Metadata site columns?
Yes. TITUS Metadata Security can use any column type, including Managed Metadata site columns, when creating policies.
16. So TITUS breaks and changes the permissions at the item level to enforce the security rules?
Yes, this is correct. TITUS Metadata Security will assign unique permissions to individual items and documents (or any derived content type), as well as folders and document sets.
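The mechanism described in answers 2, 15 and 16 (break inheritance on individual items and assign unique permissions driven by the item's content type or a metadata column, including a Managed Metadata column), shown as an added example written for this page. It is not TITUS code and does not reproduce how the TITUS product is implemented; it is plain SharePoint server object model calls that produce the same kind of result. Site URL, library name, content type name, column name, value and group name are all assumptions.

```powershell
# Added example, not from the original post or from TITUS: apply unique item-level
# permissions to documents in one library based on content type or a metadata column.
# Run in the SharePoint Management Shell. All names below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl        = "http://intranet.contoso.com/sites/finance"  # assumed site
$libraryName    = "Reports"                                     # assumed library
$contentTypeName = "Expense Report"                             # assumed content type
$classColumn    = "Classification"                              # assumed column (may be Managed Metadata)
$classValue     = "Confidential"                                # assumed value that triggers the policy
$readerGroup    = "Finance Approvers"                           # assumed SharePoint group

function Get-ColumnText($item, [string]$column) {
    # Managed Metadata (taxonomy) values carry their text in .Label; ordinary
    # text/choice columns come back as strings. Missing values compare as "".
    $v = $item[$column]
    if ($null -eq $v) { return "" }
    if ($v.PSObject.Properties["Label"]) { return [string]$v.Label }
    return [string]$v
}

$web = Get-SPWeb $siteUrl
try {
    $list     = $web.Lists[$libraryName]
    $group    = $web.SiteGroups[$readerGroup]
    $readRole = $web.RoleDefinitions["Read"]
    $changed  = 0

    # For very large libraries use an SPQuery with a RowLimit rather than $list.Items,
    # and remember SharePoint's per-list boundary on unique security scopes
    # (50,000 in SharePoint 2010): item-level permissions are a tool, not a default.
    foreach ($item in $list.Items) {
        $matchesType  = ($item.ContentType.Name -eq $contentTypeName)
        $matchesClass = ((Get-ColumnText $item $classColumn) -eq $classValue)
        if (-not ($matchesType -or $matchesClass)) { continue }

        if (-not $item.HasUniqueRoleAssignments) {
            # Stop inheriting from the library; $false = do not copy the library's assignments.
            $item.BreakRoleInheritance($false)
        }

        # BreakRoleInheritance($false) still leaves the calling account with Full Control,
        # so strip every principal except the intended group before granting it.
        $members = @($item.RoleAssignments | ForEach-Object { $_.Member })
        foreach ($m in $members) {
            if ($m.ID -ne $group.ID) { $item.RoleAssignments.Remove($m) }
        }

        $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
        $ra.RoleDefinitionBindings.Add($readRole)
        $item.RoleAssignments.Add($ra)
        $changed++
    }

    Write-Host ("Items given unique permissions in '{0}': {1}" -f $libraryName, $changed)

    # Verify on one item: only the intended group should appear.
    $sample = $list.Items | Where-Object { $_.HasUniqueRoleAssignments } | Select-Object -First 1
    if ($sample) {
        $sample.RoleAssignments | ForEach-Object {
            "{0}: {1}" -f $_.Member.Name, (($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", ")
        }
    }
}
finally {
    $web.Dispose()
}
```

Because these are native role assignments on the item, every access path that SharePoint itself authorizes (web UI, WebDAV, search trimming, web services and the object models) sees the same result, which is the point made in answer 4.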
17. Can TITUS trigger RMS encryption? For example, confidential documents are automatically encrypted.
Yes, several TITUS products can trigger RMS encryption to occur automatically. Those products include TITUS Message Classification, TITUS Classification for Office and TITUS Classification for Desktop. The TITUS SharePoint products however do not trigger RMS within SharePoint because they operate on individual items, and SharePoint’s native RMS capabilities (or what’s called IRM in SharePoint) can only be configured at the library level.
18. Does TITUS Metadata Security affect security trimming for search results, both SharePoint enterprise search and FAST search?
Yes, TITUS Metadata Security will security trim search results, both for native SharePoint search and for FAST search.
19. What are the possibilities to integrate some third party Identity and Access Management system with the TITUS SharePoint system?
TITUS supports any trusted identity and access management systems that SharePoint 2010 or later supports. SharePoint supports external identity and access providers that support the WS-Federation Passive tokens and SAML tokens. Microsoft has a great product in this category with Microsoft Active Directory Federation Services 2.0 (ADFS 2). As well, there are other commercial products in the same category, like Ping Federate. The TITUS Security Suite for SharePoint can work with attributes or claims retrieved from either of these products, or from other identity and access management systems that SharePoint itself supports. As well, SharePoint 2010 has the ability to work with custom claim providers to retrieve identity information, and the TITUS solutions work with any custom claim provider deployed to SharePoint as well.
