European SharePoint Conference Copenhagen 2013 – 5 Layers of Security


Day three of the conference and I attended a comprehensive session on SharePoint security by Michael Noel. Now I wouldn’t normally heap praise on a session like this as security does tend to have the yawn factor and I for one struggle to keep awake on the subject of SP security so yes I did bring match sticks to keep my eyes open just in case..

Michael Noel comes from an infrastructure background so the session turned out to be quite interesting. A couple of key takeaways from the session were certainly to utilise the ‘Always On’ feature of SQL 2012 and the Transparent Data Encryption (TDE) features to encrypt your database backups. TDE is a very good feature available in both SQL 2008 and SQL 2012.

The key points from the session are detailed below in the five layers of SharePoint Security:

  • Layer 1 – Infrastructure Security: Use Kerberos instead of NTLM for numerous benefits like less hops for authentication. The search service account and content access account should be different as this will stop users seeing content they shouldn’t normally be allowed to see.
  • Later 2 – Data Security: Use Transparent Data Encryption (TDE) to encrypt the database. Note that the temp database will also be encrypted so you will need a separate SQL instance if only some of your content databases are required to be encrypted. If you use RBS then you can use bitlocker to encrypt the files on the file server. However, the data in memory is not encrypted.
  • Layer 3 – Transport Security: External or internal certificates are recommended if your SharePoint site is external facing. Be aware that there is a 20% overhead on your web servers when using certs. It is best practice to load balance Central Admin and use SSL. The traffic between your web servers and SQL is unencrypted so to encrypt this transport layer you will need to use IPSEC as it encrypts all packets between servers.
  • Layer 4 – Internet & SharePoint: SharePoint is not designed to be Internet facing without a degree of protection, so forefront unified access gateway (UAG) along with an ISO/Proxy server and your firewalls would need to be in place.
  • Layer 5 – Rights Management: AD RMS is a form of digital rights management (DRM) that is used to restrict activities on files.

I hope you found this interesting and you have some takeaways that you might use in your environment or even consider as an option in the future.


European SharePoint Conference Copenhagen 2013 – Enterprise Search

I have finally got round to blogging about the European SharePoint conference. I would have liked to have given the excuse that it has taken this long due my hands still needing time to defrost from the Scandinavian chill but work and life have been on fast forward til now. Ok, enough of me rabbiting on, here is some feedback from the conference and in particular Enterprise Search.

As you may well know, SharePoint 2013 now fully integrates FAST Search for SharePoint into the main product as a service application (so no separate install). Below are some key points about SP2013 search from the Enterprise Search workshop I attended that was run by Agnes Molnar.

  • Fast Search now fully integrated as a service application
  • Deep refiners are not switched on by default, they have to be enabled.
  • A new hover button is available in your search results (very nice feature)
  • Document previews are only available for documents held within SharePoint.
  • Document previews not available for PDFs.
  • Managed Properties are now opened from the ‘Search Schema’ in your search administration.
  • ‘Results Sources’ now replaces ‘Search Scopes’ and ‘Federated Sources’ in search administration.
  • You can now create ‘Result Sources’ from managed properties.
  • A new feature called ‘Continuous Crawling’ can enable you to crawl your content sources continually. However, this is for SharePoint content sources only.
  • The Continuous Crawler component requires resources of at least 6-8 processors.
  • You can now delegate search administration to designated users.
  • People Search is now fully integrated into the Search application using the Fast search capabilities unlike in SP2010 where it had to use SharePoint Search only to crawl people data.
  • Better query rules, one query request returns multiple result sets.
  • Document parsing is different than 2010, the crawl component crawls every file in the content source regardless of the document extension. I believe powershell can be used to exclude certain document extensions if needed. This will mean that your ndex will be larger in SharePoint 2013, worth looking out for.

I hope this sheds a little light into the SP 2013 Search Application. Some companies will be some way off migrating to SharePoint 2013 but the more information we are aware of before migrating then the more prepared we will be.

I will have another blog on troubleshooting and the performance of SharePoint Search from the conference which will follow soon.