SharePoint Security - ARB Security Solutions
General SharePoint Security Research and Articles




© Adam Buenz / ARB Security Solutions

MOSS (SharePoint 2007) Security Article Index

Introduction to MOSS Security Architecture

The Microsoft Office Server System (SharePoint 2007) has many exciting new security mechanisms built into it that allow one to build a highly guarded collaboration environment that still provides a unique, fluid user experience. In previous versions of SharePoint, implementing very granular security options sometimes had the negative side effect of degrading the rich communication and collaboration features of the product, required heavy development effort, or required additional hardware and software purchases (for such things as Windows Rights Management).....



There are three main pieces that make up the application architecture of a membership provider in ASP.NET 2.0: the membership API, the membership provider, and the provider-specific storage. The logic of the membership model is very simple because of its relatively straightforward design pattern, which provides a high layer of abstraction. Rather than restricting the developer to a fixed set of methods that tap into a data store, the provider API is flexible and can be molded by the developer, who also defines the storage mechanism for user members.

The main class within the membership API is the Membership class. The Membership class contains only static methods, so it does not require an object instance. Although the login controls handle the majority of the desired functionality, ASP.NET 2.0 exposes public methods of the Membership class to expand the developer's control. A few of these include.....



Download MOSS Oracle Membership Provider
Download MOSS MySQL Membership Provider
Download MOSS PostgreSQL Membership Provider
Download Microsoft Access Membership Provider
Download XML/Flat Text Membership Provider




The part of the Universal Provider framework that everything else depends on is the set of abstract factory classes that define a layer over the various types of data providers, giving us access to various types of membership stores while keeping a layer of abstraction. The DbProviderFactory is an abstract factory class (as shown in the above diagram) that defines all of the methods we need in order to connect to and manipulate our provider-independent member data store. The abstract factory pattern can be summarised as keeping as few ties to a specific platform as possible. This has several advantages over using concrete factories......




Arguably the most significant function that you will execute against your membership provider data store is creating the SharePoint users that will be authenticated against your custom membership database. In this section, I will detail how the Universal Membership Provider adds users; in the next article we will look at the important security-centric user methods, notably encrypting passwords and password answers, and how to use the machine key or a .NET cryptographic hash algorithm to achieve this task......



It is relatively common within a corporate environment to use Active Directory as the method of network user management and for authentication to a variety of applications, one of which is typically SharePoint. The new version of SharePoint includes the ActiveDirectoryMembershipProvider, which provides all the features that are available through custom providers as well as the standard SQL provider that ships with Microsoft Office SharePoint Server (MOSS)....



Session state is an important concept in SharePoint, as well as in ASP.NET 2.0 security as a whole. In the new version of SharePoint, session state is always present and usable in every page that you call within an ASP.NET 2.0 application. The backbone of session state is the Session object, which is the place where one can store various session information related to a specific application. There are several robust configuration options available for session state, but there are some noteworthy limitations as well. The Session object's core property is the SessionID (referred to as the session identifier, accessed as Session.SessionID)....


There are several elements in SharePoint that relate heavily to configuration; if they are properly configured, your SharePoint and ASP.NET 2.0 applications alike will be securely configured and ready to face the perimeter. Some of the elements detailed here are not specific to SharePoint but relate to ASP.NET 2.0 in general; however, understanding the overall concept will help you secure your collaboration environment.



A problem that people commonly encounter with a SharePoint site that faces externally on a perimeter is that they want to use SharePoint MySites, but also want to implement a pluggable authentication provider that gives their external users easy access to the environment. The problem that arises is that when you implement pluggable providers, the MySite control that normally appears in a default site:

<SharePoint:DelegateControl ControlId="GlobalSiteLink1" Scope="Farm" runat="server" id="DelegateControl1"/>
(why it wasn't given a friendly name, I am not exactly sure)

will disappear when you install the pluggable provider and navigate to the default instance of your site......



Other articles on this site (notably here) explain in detail how to use the ActiveDirectoryMembershipProvider in your SharePoint environment, and this provider is indeed central when implementing ADAM within your SharePoint environment for user authentication. However, it is necessary to implement a custom role provider that gives those same ADAM users the role functionality that is available to other providers, allowing one to bypass the limitation of only being able to assign roles to actual domain accounts.....



Procuring ASP.NET 2.0 Forms Authentication

The Membership class, which is detailed more exhaustively in other articles, uses the membership provider specified in WCAM and in the web.config file of the relevant web application to work with the membership data store; like the other classes relating to authentication, its methods are static. There are a variety of features available in the Membership class, but most notably its methods can be used to create and delete users (and catch membership exceptions) as well as retrieve and update the data stored in the MembershipUser class. When implementing forms-based authentication, the login form available within the Internet presence site, or a custom login form that you create, uses the ValidateUser method of this class to authenticate the user when the credentials are submitted.....



Implementing Pluggable Single Sign-On

The Microsoft SSO Service API is independent of the specific authentication mechanisms discussed in previous articles. The unique feature of the new MOSS SSO is that the Microsoft Single Sign-On service is now pluggable, so you can leverage whichever SSO provider you would like, be it a custom one that you have written or one provided by a third party. When you do so, the default SSO provider, SpsSsoProvider, will no longer be used. Because only one SSO service can be used at a time, it is a one-or-the-other choice: a MOSS administrator or architect has to decide whether to bind the default SSO provider or one of their own choosing, each of which carries its own implications.....


Implementing Information Rights Management (IRM)

Distributing local information through unwanted channels is one of the largest problems that exist within a SharePoint environment. Because SharePoint is meant to give users broad facilities to share and work with arbitrary business data, this can sometimes lead to users sharing information that should not be shared. A major way to gain added assurance against the intentional or accidental redistribution of sensitive or classified business information is to persistently protect the business data under multiple circumstances, across multiple environments.....



Within a collaboration environment, it is common to have multiple points of entry for a single web application that resolve to the same content for different types of users. For example, customers may enter through one URL to access an extranet through which you publish sales metrics, whereas end users enter through an intranet URL using local domain accounts to view those very same reports. In order to build an environment where it becomes much easier to group and sort these diverse entry points, which bind to the same content yet provide granular control that can hook into such things as security policies or authentication providers.....



Code Access Security in MOSS

Code Access Security (CAS) in relation to Microsoft Office SharePoint Server defines code access rights by means of permissions. A permission is a first-class object that represents a right to access certain resources. A FileIOPermission object for instance represents the right to perform certain operations on certain files. Permission objects actually represent sets of more primitive permissions, and it is always possible to take the union or intersection of two permission objects of the same type. A PermissionSet object groups permissions of different types.....




Trust levels are an integral part of SharePoint security and of how your application architecture will interact with users. Trust levels are tightly tied to the concept of Code Access Security (CAS) in SharePoint and to how code interacts with various security decisions. Typically, when code executes in an application environment, the application context assumes the identity of the user, regardless of what the application is. SharePoint differs here: it leverages Code Access Security to determine what code should be allowed to run within the SharePoint environment. CAS can appear very confusing at first glance, but once the concept and the architecture behind it are understood, it is a very powerful concept.....


One of the largest causes for complaint in previous versions of SharePoint was the lack of Securable Objects (SO), which only allowed end users the option of securing items at the library level. Within SharePoint 2007, the concept of Securable Objects is exposed and allows end users to bind a specific identity to a specific object. There are several different objects within MOSS that can be securable, creating an environment that allows a very granular level of permissions.....



Our request will look something like POST /_vti_bin/_vti_aut/fp30reg.dl. A chunked encoded post will result in the control of ECX and EDI, with the exception occurring at a mov dword ptr [ECX+4],EDI instruction leading to remote command execution with privileges associated with the IWAM_machinename account.

We are just going to execute a little code in order to fully trip the overflow and see if we can’t get into the server (see code at bottom of this article)......




The way that WebParts are programmed in WSS 3.0 has changed drastically; however, the benefits of programming a WebPart instead of a standalone .NET application remain the same. One of the most important things to note with the introduction of WSS 3.0 is that the legacy style of creating WebParts is still maintained (although both inherit from a WebPart class, in 3.0 this class is located in the System.Web.UI.WebControls.WebParts namespace, whereas in WSS 2.0 the base class was located in the Microsoft.SharePoint.WebPartPages namespace), so although the environment may have changed, programmatic efforts will not have been wasted.....





The new version of WSS, Windows SharePoint Services 3.0, is integrated more tightly with the ASP.NET 2.0 framework model. As in previous versions of SharePoint, the concepts of extending and de-extending websites with the SharePoint framework still exist, meaning that an administrator must still provision the WSS assets onto an IIS website to have a full-fledged WSS site; however, the extending process is slightly different, and the differences that separated SPS areas and WSS site collections are now merged into one cohesive unit under site collections.....




Before getting started on creating the most secure MOSS or WSSv3 site that we can, it is prudent to first understand how SharePoint processes the requests that it handles and serves to clients, for an Internet-facing as well as an internal site. When an initial request is made to SharePoint, it is possible that the request never actually reaches the ASP.NET handler that pushes out the relevant SharePoint page. The first layer of permission processing that SharePoint relies on is provided by the Windows kernel, with support from the HTTP driver that ultimately serves the request through the relevant pipe. This HTTP driver is known as http.sys; it is the primary handler for the SharePoint request, and it has mechanisms for information handling and serving that help to protect the overall server environment.....



The proprietary information that MOSS propagates and builds upon is the essence of a collaboration-enabled organization. Once that information has been properly enabled, protecting it should be the primary goal of the organization, safeguarding it from intruders and attacks with malicious intent. This is especially pertinent in the case of SharePoint, where the integrity of the stored business data is nothing less than operationally critical. To that end, a simple principle should be maintained.....



Storing vital user information on your site in plaintext is incredibly poor security practice, and this applies equally to the membership providers that you use with MOSS / WSS v3. In previous sections, we used a hash method in order to protect important user information before placing it into the database. Now we are going to go over how we encode (scramble) this information, how we decode it, and how to use a salt, which gives us an industry-accepted approach to this problem.....



It is inevitable that the collaboration systems within an organization will at some point become compromised. Although numerous appropriate countermeasures may be in place to prevent SharePoint and network intrusions, it is never possible to have a 100% secure collaboration system, regardless of the industry that your organization is involved in.......



The OSI Model and SharePoint

The OSI model is the standard when it comes to routing, switching, and application services, along with several other services. It spans the entire network computing infrastructure to provide a standard by which network and application engineers and architects can communicate pertinent information to one another. Although several of the layers are too abstract for a SharePoint architect to be particularly concerned about, they provide a useful insight into the network-to-application architecture that forms the backbone of how SharePoint runs.....



Introduction To IPSec

For most organizations, the C and I of the CIA model (confidentiality and integrity) are extremely important when data traverses a network medium. Therefore, it is crucial for each organization to protect frames while they are in transit. The protection schemes defined here typically operate at Layer 2 or Layer 3 of the OSI model.....




What is Port Scanning and What Types of Port Scans Are There?

One of the most popular methods for finding susceptible server hosts that may be running collaboration software is port scanning. Port scanning in general is a practice for ascertaining potential faults by sending port probes. Port scanners are often used by SharePoint administrators for general network discovery; however, port scanning can also be leveraged with malicious intent to find network vulnerabilities. Additionally, port scanning can have other detrimental effects, such as contributing to network congestion and introducing false positives in intrusion detection systems (IDS).....



Security Management and Risk Management in SharePoint

Security management, or security governance, is a practice tailored to protecting a company's assets. The practice of security management is built upon the basis of the CIA triad, which is discussed more exhaustively in other sections. One of the largest activities that occurs when defining security governance within a SharePoint environment is performing risk management......




There are a variety of access control methodologies that one can implement within a MOSS environment. The type of access control that an organization implements will depend greatly on its business structure, its industry, and the regulatory compliance considerations that must be accommodated. It is usually helpful, however, to start the access control process by creating an access control matrix......



BLP is a security model that relies on the overarching concept of state machines, and focuses mostly on the C of the CIA triad.

By leveraging the concept of state machines, where a change can only occur at discrete points in time and the state of the machine can only be altered by a state transition, this becomes a powerful security model.

This allows the environment to capture itself in its initial state, where it is considered healthy and secure, and then to repeatedly capture snapshots of the machine, which are its states......









TechNet Article

Read my article "7 New Features That Enhance Security In SharePoint", published in the January issue of TechNet Magazine.


Steps To SharePoint Security

Implement Internal SharePoint Security Model

Harden Your Environment With Tools and Policies

Monitor and Supervise With Server Utilities


SharePoint Security Articles
The Definitive Guide To MOSS Pluggable Authentication Providers
The Active Directory Membership Provider and SharePoint Introduction
Introduction to and Building an ASP.NET 2.0 Custom Session State Provider
Considerations for Security Relating To Configuration Elements
Introduction to Microsoft Office SharePoint Server and WSSv3 Trust Levels and Code Access Security
Example Attack on SharePoint With Chunked Encodes and Overflow

© 2006 ARB Security Solutions, LLC
ARB Security Solutions is not affiliated with or endorsed by Microsoft Corporation.
SharePoint is a trademark of Microsoft Corporation.