Archive for the ‘Security’ tag
Securing the authentication cookie for mixed SSL SharePoint sites
This is the fifth in a series of posts detailing how to configure a partially SSL secured SharePoint site. This post will cover what is involved in ensuring the authentication cookie is only sent via a secure channel (i.e. SSL/HTTPS). This is best practice for securing forms based authentication, but it has several impacts that can require some fundamental changes to the site, so they are worth considering early in the development process.
Partial SSL SharePoint Sites – Login over HTTPS from HTTP pages
This is the fourth in a series of posts detailing how to configure a partially SSL secured SharePoint site. In the previous post we covered how to secure the login page so it is always delivered via SSL. This is fine for some pages but a common requirement for many public facing SharePoint sites is to have a login form that allows users to log in from any page. By default this is not secure as HTTP pages will send these details back via HTTP (i.e. in clear text), unless we configure the page to do otherwise. This post will cover how we can cater for this scenario without having to use SSL for the entire site.
Enforcing the correct protocol for partially SSL secured SharePoint sites
This is the third in a series of posts detailing how to configure a partially SSL secured SharePoint site. In the previous post we covered how to enable SSL for the site. In this post we will cover how to force connections to use the correct protocol (HTTPS for sensitive data, HTTP otherwise). This is required so that if a user tries to browse to a page that sends or displays sensitive data via HTTP (e.g. http://www.company.com/pages/login.aspx) they will be redirected to the HTTPS version of the page (e.g. https://www.company.com/pages/login.aspx) so they can log in securely. The reverse applies to pages like the homepage, which should be delivered via HTTP so they do not incur the performance hit of encrypting and decrypting the page.
Configuring a SharePoint website to allow SSL connections
This is the second in a series of posts on securing mixed SSL sites in SharePoint. This post will cover how to configure a SharePoint forms based web application to allow SSL/HTTPS connections. The process involves setting up an SSL certificate and configuring IIS and SharePoint to allow requests over HTTPS.
The following steps assume that you have a SharePoint web application already set up using forms based authentication. If you need details on how to do this, see the article on TechNet titled “Forms Authentication in SharePoint Products and Technologies”. We will be using IIS 7 in this example, but a similar process can be followed on IIS 6 using the SelfSSL utility.
Securing mixed SSL sites in SharePoint
Public facing SharePoint websites often contain a combination of content that is publicly available, and sensitive content that should only be shown to authenticated users (e.g. personal details like email, address and other account information). While SSL provides a mechanism for delivering the sensitive content over a secure connection it also has a performance overhead. This often results in a requirement to partially secure the site using SSL/HTTPS, but deliver the remainder of the site via HTTP. This is the first in a series of posts that show how you can accomplish this scenario using SharePoint.