
You're reading from  Microsoft SharePoint 2010 Administration Cookbook

Product type: Book
Published in: Jan 2011
Reading level: Intermediate
Publisher: Packt
ISBN-13: 9781849681087
Edition: 1st Edition
Author: Peter Serzo

Peter Serzo is an English major from Kent State who started his technical career with EDS out of college. 20 years later, all as a consultant, he is a national speaker on SharePoint, having worked at organizations of all sizes. His next challenge is to bring SharePoint to children and teach them. He has been working with SharePoint since 2003 in companies such as Microsoft, Ford, ADP, and many others throughout the United States. He is a Senior SharePoint Architect for High Monkey Consulting. The name refers to an old Jamaican proverb that means the higher up you go, the more responsible you must be; High Monkey takes pride in its accountability and excellence of work with regard to its clients' needs.

Chapter 7. Security Administration: Users and Groups

In this chapter, we will cover:

  • Adding a user via PowerShell

  • Delegating PowerShell permissions

  • Checking effective permission user interface

  • Setting Lockdown Mode for publishing sites

  • Configuring Site Collection audit settings

  • Accessing security policy reports

Introduction


Security of the SharePoint Farm is critical to the health and governance of the SharePoint implementation. It is important to understand the varied ways in which SharePoint can be secured.

The term secured in this chapter pertains to what information and permissions users need in order to be effective. As an administrator, it is critical to be able to determine who did what and when.

Successful server hardening depends on planning an appropriate server topology and logical architecture. This architecture is then implemented into the physical navigation and creation of libraries and lists. This should provide the appropriate isolation of data.

SharePoint groups can then be created that follow the physical topology of the site.

Security problems do not just affect users' ability to access content; they can also make these items visible in people's searches. In real-world terms, if employment data is saved in SharePoint, this information may be available...

Adding a user via PowerShell


When SharePoint is initially set up, many users may need to be added to SharePoint groups for a new site. The quickest and most efficient way to accomplish this is through PowerShell and scripting.

The following recipe shows how to add a user to a SharePoint group via PowerShell.

Getting ready

The user must have access to one of the servers running PowerShell 2.0 and be a member of the WSS_ADMIN_WPG on the local computer. You must also be a member of the SharePoint_Shell_Access role on the configuration database (SQL Role).

There must be an existing site, a SharePoint group called TestAddUser, and a user named jdoe set up in Active Directory.

How to do it...

  1. Click on the Start button on the web front end.

  2. Under All Programs, navigate to the Microsoft SharePoint 2010 Products folder.

  3. Right-click on the SharePoint 2010 Management Shell option and click Run as Administrator. The PowerShell console will appear.

  4. Type the following command into the console...
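A scripted version of this task, as an added example rather than the book's own command: it adds each listed account to the TestAddUser group only if it is not already a member, then prints the resulting membership for review. The site URL and the CONTOSO domain are placeholders.

```powershell
# Added example (not from the book). $webUrl and the CONTOSO domain are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl    = "http://intranet.example.local"   # assumed site URL
$groupName = "TestAddUser"                     # group named in the recipe
$logins    = @("CONTOSO\jdoe")                 # jdoe from the recipe; domain assumed

$web = Get-SPWeb $webUrl
try {
    # Look the group up by name so a typo stops the script before any change is made.
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
    if ($group -eq $null) { throw "Group '$groupName' does not exist on $webUrl" }

    foreach ($login in $logins) {
        # EnsureUser resolves the account and registers it in the site collection if needed.
        $user = $web.EnsureUser($login)

        # Compare by ID so the check works whatever form the login name is stored in.
        $already = $group.Users | Where-Object { $_.ID -eq $user.ID }
        if ($already) {
            Write-Host "SKIP  $login is already in $groupName"
        } else {
            $group.AddUser($user)
            Write-Host "ADDED $login to $groupName"
        }
    }

    # Print the final membership so the change can be reviewed and recorded.
    $web.SiteGroups[$groupName].Users | Select-Object LoginName, Name | Format-Table -AutoSize
}
finally {
    $web.Dispose()
}
```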

Delegating PowerShell permissions


One of the many promises SharePoint 2010 delivers on is the empowering of users. In other words, SharePoint 2010 allows an administrator to delegate responsibility down to other administrative users. The concern with doing this is exposing other administrative tasks. Just because someone can manage an application, such as Search, does not mean they should be able to manage other service applications. SharePoint 2010 handles this without putting the security of the other components at risk. Farm Administrators can designate users to manage their own service application, as we have seen in Chapter 2. This is done through the management UI of each service application. Taking this management one step further, a Farm Administrator can give a user the ability to run PowerShell commands against their particular service(s) from their own machines.

The least privileged account model in SharePoint has been taken to another level. Users have access to...

Checking effective permission user interface


Once SharePoint 2010 is rolled out into an environment, it takes on a life of its own. Team sites, project sites, and other collaboration sites are created to fit the pressing business needs.

Along with each of these sites, security may be manipulated by breaking inheritance. This type of granularity breeds complexity. Sites are provisioned but not decommissioned due to the sheer number of sites. It is a common request from users to know what sites they have access to and what permissions they have on those sites. There is functionality within sites that provides such information.

The following recipe shows how to use this functionality.

Getting ready

You must be a site owner or site collection administrator.

How to do it...

  1. Navigate to the desired team site.

  2. Click Site Actions and then Site Permissions.

  3. Click the Check Permissions option on the ribbon.

  4. The following screen pops up:

  5. Enter the name of a user or group.

  6. Click Check Now. The...
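The same question can be answered for every site in a site collection from the Management Shell. This added example (not from the book) lists, for one account, each role assignment that grants access on each site and whether that site has broken inheritance; the URL and account are placeholders.

```powershell
# Added example (not from the book). $siteUrl and $login are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.local"   # assumed site collection URL
$login   = "CONTOSO\jdoe"                    # assumed account to check

$site = Get-SPSite $siteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            # Object-model counterpart of the Check Permissions dialog.
            $info = $web.GetUserEffectivePermissionInfo($login)
            foreach ($ra in $info.RoleAssignments) {
                $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                New-Object PSObject -Property @{
                    Web               = $web.Url
                    UniquePermissions = $web.HasUniqueRoleAssignments  # True = inheritance broken here
                    GrantedThrough    = $ra.Member.Name                # the user or the group that grants access
                    PermissionLevels  = $levels
                }
            }
        }
        finally {
            $web.Dispose()
        }
    }

    $report |
        Sort-Object Web |
        Select-Object Web, UniquePermissions, GrantedThrough, PermissionLevels |
        Format-Table -AutoSize
}
finally {
    $site.Dispose()
}
```

Sites that do not appear in the output grant the account nothing; rows with UniquePermissions set to True are the ones where inheritance was broken and access should be reviewed individually.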

Setting Lockdown Mode for publishing sites


When implementing external facing sites, it is critical that administrators be aware of what users can do under given conditions.

A common scenario on a site is to have a blog or article page and then have a comments section below it. In SharePoint terminology, this implies that anonymous users can write back to a list. Think about this: a viewer of your site has the ability to add an item to a list (in the form of a comment).

By default, if the root site is a blog site, anonymous users can add comments. However, if a site collection is based on the publishing portal, they will not be able to add comments or articles to a blog that lives under the site collection.

In this recipe, we will see how to manipulate the feature that will enable anonymous users to add comments to a blog or article.

Getting ready

You must have access to one of the servers running PowerShell 2.0 and be a member of the WSS_ADMIN_WPG on the local computer. You must also be...
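Before changing this behaviour it helps to know the current state. This added example (not from the book) is read-only: it reports whether the ViewFormPagesLockDown feature, which implements Lockdown Mode, is active on a site collection and lists every list that grants anonymous users any rights. The URL is a placeholder.

```powershell
# Added example (not from the book). $siteUrl is a placeholder. Read-only: changes nothing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://www.example.local"   # assumed public-facing site collection

# With -Site, Get-SPFeature only returns the feature if it is enabled there.
$lockdown = Get-SPFeature -Identity ViewFormPagesLockDown -Site $siteUrl -ErrorAction SilentlyContinue
if ($lockdown) {
    Write-Host "Lockdown Mode: ENABLED on $siteUrl"
} else {
    Write-Host "Lockdown Mode: NOT enabled on $siteUrl"
}

$empty = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask
$site  = Get-SPSite $siteUrl
try {
    $rows = foreach ($web in $site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                # A non-empty mask means anonymous visitors hold at least one right on the list.
                if ($list.AnonymousPermMask64 -ne $empty) {
                    New-Object PSObject -Property @{
                        Web             = $web.Url
                        List            = $list.Title
                        AnonymousRights = $list.AnonymousPermMask64.ToString()
                    }
                }
            }
        }
        finally {
            $web.Dispose()
        }
    }
    $rows | Select-Object Web, List, AnonymousRights | Format-List
}
finally {
    $site.Dispose()
}
```

A list whose AnonymousRights value includes AddListItems accepts items, such as comments, from anonymous visitors.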

Configuring Site Collection audit settings


Often in a SharePoint site, it is important to know who is doing what and when. For instance, in a publishing site, sometimes users do things they don't mean to do and it is important to audit these events.

In many cases, it is mandatory to be able to track what happens to a document—especially in the case of sensitive company information, information related to ISO certifications, or some other type of industry standard.

In this recipe, we will show how to enable the settings at a site collection level so that all actions may be tracked. These include checking in a document, checking out documents, deletes, additions, and modifications to items.

Getting ready

You must have site collection owner privileges.

How to do it...

  1. Navigate to the desired team site, which is the root site collection.

  2. Click on Site Actions and then Site Settings.

  3. Under Site Collection Administration, click Site collection audit settings.

  4. The following form will be displayed...
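The same settings can be applied and verified from the Management Shell. This added example (not from the book) turns on the check-out, check-in, delete, and update audit events without clearing any flags that are already set; the URL is a placeholder, and the mapping of the recipe's wording onto SPAuditMaskType values is this example's assumption.

```powershell
# Added example (not from the book). $siteUrl is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.local"   # assumed site collection URL

# Assumed mapping of the recipe's events onto audit flags.
$wanted = [Microsoft.SharePoint.SPAuditMaskType]"CheckOut, CheckIn, Delete, Update"

$site = Get-SPSite $siteUrl
try {
    $audit  = $site.Audit
    $before = $audit.AuditFlags
    Write-Host "Audit flags before: $before"

    # Only write when something is missing, so repeated runs are harmless.
    if (([int]$before -band [int]$wanted) -ne [int]$wanted) {
        # -bor keeps whatever was already enabled and adds the missing events.
        $audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]([int]$before -bor [int]$wanted)
        $audit.Update()
        Write-Host "Audit flags after:  $($audit.AuditFlags)"
    } else {
        Write-Host "All required events are already audited; nothing changed."
    }
}
finally {
    $site.Dispose()
}
```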

Accessing security policy reports


In the previous recipe, we configured the auditing settings. We need to read this information and evaluate what is happening on our site.

The security policy reports show us what is going on in our sites. In this recipe, we will show how to run the reports.

Getting ready

You must have site collection owner privileges.

How to do it...

  1. Navigate to the desired team site, which is the root site collection.

  2. Click on Site Actions and then Site Settings.

  3. Under Site Collection Administration, click Audit log reports.

  4. Scroll to the bottom of the resulting screen. It should be similar to the following screenshot:

  5. Click Auditing settings.

  6. A form pops up with a text box where we must put a save location for the report. Using the Browse button, navigate to Shared Documents.

  7. Click OK.

  8. A screen will appear with a link to the generated report; click this link. The report will appear in the Excel format.

How it works...

These reports are fed by the previous recipe...
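The audit entries behind these reports can also be read directly, which is useful when the question is who did what and when. This added example (not from the book) pulls the last seven days of entries for a site collection, resolves user IDs to login names, and prints a per-user event summary; the URL and the seven-day window are assumptions.

```powershell
# Added example (not from the book). $siteUrl and the 7-day window are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.local"   # assumed site collection URL

$site = Get-SPSite $siteUrl
try {
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart((Get-Date).AddDays(-7))
    $entries = $site.Audit.GetEntries($query)

    $names = @{}   # cache: user ID -> login name
    $rows = foreach ($e in $entries) {
        if (-not $names.ContainsKey($e.UserId)) {
            $u = $site.RootWeb.SiteUsers | Where-Object { $_.ID -eq $e.UserId }
            # Accounts removed from the site collection no longer resolve; keep the raw ID.
            $names[$e.UserId] = if ($u) { $u.LoginName } else { "(user id $($e.UserId))" }
        }
        New-Object PSObject -Property @{
            Occurred = $e.Occurred
            User     = $names[$e.UserId]
            Event    = $e.Event
            Location = $e.DocLocation
        }
    }

    # Detail: most recent first.
    $rows | Sort-Object Occurred -Descending |
        Select-Object Occurred, User, Event, Location | Format-Table -AutoSize

    # Summary: how many events of each type per user.
    $rows | Group-Object User, Event | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}
finally {
    $site.Dispose()
}
```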
