SharePoint Config

Ari Bakker's thoughts on customising and configuring SharePoint

Archive for the ‘Security’ tag

Securing the authentication cookie for mixed SSL SharePoint sites

with 5 comments

This is the fifth in a series of posts detailing how to configure a partially SSL secured SharePoint site. This post will cover what is involved in ensuring the authentication cookie is only sent via a secure channel (i.e. SSL/HTTPS). This is best practice for securing forms based authentication but has several impacts that can require some fundamental changes to the site so are worth considering early in the development process.

cookie stolen from jar

Photo by a_funk / CC BY-NC-ND 2.0

Written by Ari Bakker

April 7th, 2010 at 11:46 pm

Partial SSL SharePoint Sites – Login over HTTPS from HTTP pages

with 6 comments

This is the fourth in a series of posts detailing how to configure a partially SSL secured SharePoint site. In the previous post we covered how to secure the login page so it is always delivered via SSL. This is fine for some pages but a common requirement for many public facing SharePoint sites is to have a login form that allows users to log in from any page. By default this is not secure as HTTP pages will send these details back via HTTP (i.e. in clear text), unless we configure the page to do otherwise. This post will cover how we can cater for this scenario without having to use SSL for the entire site.

custom sharepoint login control

Written by Ari Bakker

April 6th, 2010 at 10:31 pm

Posted in Development,Security

Tagged with , , ,

Enforcing the correct protocol for partially SSL secured SharePoint sites

with 6 comments

This is the third in a series of posts detailing how to configure a partially SSL secured SharePoint site. In the previous post we covered how to enable SSL for the site. In this post we will cover how to force connections to use the correct protocol (HTTPS for sensitive data, HTTP otherwise). This is required so that if a user tries to browse to page that sends or displays sensitive data via HTTP (e.g. http://www.company.com/pages/login.aspx) they will be redirected to the HTTPS version of the page (e.g. https://www.company.com/pages/login.aspx – so they can login securely) and vice versa for pages like the homepage that should be delivered via HTTP so they do not incur the performance hit of encrypting and decrypting the page.

signpost directions

Photo by nord_modular / CC BY-NC-SA 2.0

Written by Ari Bakker

March 18th, 2010 at 8:14 am

Configuring a SharePoint website to allow SSL connections

with 10 comments

This is the second in a series of posts on securing mixed SSL sites in SharePoint. This post will cover how to configure a SharePoint forms based web application to allow SSL/HTTPS connections. The process involves setting up an SSL certificate and configuring IIS and SharePoint to allow requests over HTTPS.

The following steps assume that you have a SharePoint web application already set up using forms based authentication. If you need details on how to do this see the article on Technet titled “Forms Authentication in SharePoint Products and Technologies”. We will be using IIS 7 in this example but a similar process can be followed using IIS 6 using the SelfSSL utility.

browser-ssl-sharepoint

Written by Ari Bakker

March 16th, 2010 at 12:26 pm

Securing mixed SSL sites in SharePoint

with 5 comments

Public facing SharePoint websites often contain a combination of content that is publicly available, and sensitive content that should only be shown to authenticated users (e.g. personal details like email, address and other account information). While SSL provides a mechanism for delivering the sensitive content over a secure connection it also has a performance overhead. This often results in a requirement to partially secure the site using SSL/HTTPS, but deliver the remainder of the site via HTTP. This is the first in a series of posts that show how you can accomplish this scenario using SharePoint.

padlock

Photo by piet_musterd / CC BY-NC-ND 2.0

Written by Ari Bakker

March 4th, 2010 at 9:03 pm