Site Quotas And Site Maintenance In SharePoint 2013

Every site and site collection in your SharePoint 2013 farm uses system resources such as storage space, processing, and network. Unused or abandoned sites consume resources without delivering any business value, so they are a waste. Out-of-control sites consume system resources beyond what your initial plan assigned to them. In both cases, access to system resources is denied to other sites: efficiency suffers, overhead increases, and manageability decreases. To help prevent these issues, you should plan how you will manage your sites and site collections.

The first step in controlling the amount of resources that your sites and site collections use is to create and apply quota templates. Quotas let you control how much data a site collection can hold and then lock the site to additional content when site storage reaches a maximum size. With quotas you can also control the amount of resources, such as processor and memory, that a site or site collection can use. Quotas let you set storage limit values and warning limit values, as well as resource usage limits that applications cannot exceed. When you set up and use quotas, you reduce the problems posed by out-of-control site collections.

When you do your database and server capacity planning, decide what size limits you want to enforce. Create different quota templates for different site types. Whenever you create a site collection from Central Administration, you can specify which quota template it is based on. Provide enough room for reasonable growth in sites. Depending on what each site is used for, storage space needs can vary significantly. Sites are designed to grow over time as they are used. A quota limit of 120 MB is unlikely to be enough storage space to start with for most sites, and is unlikely to be anywhere near enough for a site that has a long life. Allow reasonable notice between the warning email message and locking the site for exceeding its quota.

Archive obsolete content or sites. However, if you are going to archive or delete obsolete content or sites, make sure that users understand that plan and that you perform these actions only at predictable times. Regularly review site permissions and develop a plan for regular backups of site content. Determine how often backups will be made, and the process for restoring content when needed.
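The quota template steps above can also be scripted. The following is an added example, not part of the original article: it creates a template with a storage limit, a warning limit and resource-point limits for sandboxed solutions, then applies it to one site collection. The template name, sizes and URL are hypothetical.

```powershell
# Added example. Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical values: adjust the name, sizes and URL for your farm.
$templateName = "Team Site 5 GB"
$maxBytes     = 5GB    # storage limit: the site is locked to new content at this size
$warnBytes    = 4GB    # warning limit: e-mail is sent to the site collection administrators
$siteUrl      = "http://sharepoint.example.com/sites/team-a"

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService

# Create the template only if it does not exist yet, so the script can be re-run.
if ($contentService.QuotaTemplates[$templateName] -eq $null) {
    $template = New-Object Microsoft.SharePoint.Administration.SPQuotaTemplate
    $template.Name                 = $templateName
    $template.StorageMaximumLevel  = $maxBytes
    $template.StorageWarningLevel  = $warnBytes
    # Daily resource points that sandboxed solutions in the site collection may consume.
    $template.UserCodeMaximumLevel = 300
    $template.UserCodeWarningLevel = 100
    $contentService.QuotaTemplates.Add($template)
    $contentService.Update()
}

# Apply the template to an existing site collection.
Set-SPSite -Identity $siteUrl -QuotaTemplate $templateName

# Read the values back to confirm what is enforced and how much room is left.
$site = Get-SPSite -Identity $siteUrl
try {
    $usedMB = [math]::Round($site.Usage.Storage / 1MB, 1)
    $maxMB  = [math]::Round($site.Quota.StorageMaximumLevel / 1MB, 1)
    $warnMB = [math]::Round($site.Quota.StorageWarningLevel / 1MB, 1)
    "{0}: {1} MB used, warning at {2} MB, locked at {3} MB" -f $site.Url, $usedMB, $warnMB, $maxMB
}
finally {
    $site.Dispose()
}
```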

Quotas prevent site collections as a whole from overrunning the limits you set, but within a site collection, some sites and pages will be used more than others. To balance your system resources you should know which pages and sites are heavily used and which sites are underused or abandoned. The heavily used sites might need more resources, and underused or abandoned ones should be archived or deleted. One part of your site maintenance plan must be a plan for how to manage the size and number of site collections in your environment. This is most important if you are enabling Self-Service Site Management. Most organizations want to be able to predict and control how much growth they can expect from sites because of the impact that they can have on database resources. For example, if a particular content database contains 100 sites, and one of those sites is taking up more than 50 percent of the space, then that site collection might have to be moved to a different content database. This ensures that you preserve some space for additional growth, while keeping the ability to back up and restore the databases.

In SharePoint 2013, usage reports let you track activity on pages, with the number of hits and the number of unique users for a site or site collection on a daily and monthly basis. Before you can see the reports, a farm administrator must configure usage and data collection. You should plan how you will handle sites that become inactive after a project has ended, or sites that users created just to try out some ideas and then abandoned. Site use confirmation and deletion can help you keep your environment cleaner, by helping you recognize when sites are no longer needed.
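To find the site collections the two paragraphs above are concerned with, the following added example (not part of the original article) walks every content database and flags site collections that hold more than 50 percent of their database's storage, have no storage limit, or have had no content change recently. The 180-day cutoff is an assumption, not a value from the article.

```powershell
# Added example. Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$shareThreshold = 0.5   # from the text: one site collection above 50 percent of a database
$staleDays      = 180   # assumption: no content change for this long counts as inactive
$staleBefore    = (Get-Date).ToUniversalTime().AddDays(-$staleDays)

$report = foreach ($db in Get-SPContentDatabase) {
    $sites = @(Get-SPSite -ContentDatabase $db -Limit All)

    # Total storage used by all site collections in this content database.
    $dbBytes = ($sites | ForEach-Object { $_.Usage.Storage } | Measure-Object -Sum).Sum

    foreach ($site in $sites) {
        $used  = $site.Usage.Storage
        $max   = $site.Quota.StorageMaximumLevel   # 0 means no storage limit is set
        $share = if ($dbBytes -gt 0) { $used / $dbBytes } else { 0 }

        [pscustomobject]@{
            Database     = $db.Name
            Url          = $site.Url
            UsedMB       = [math]::Round($used / 1MB, 1)
            QuotaMB      = [math]::Round($max / 1MB, 1)
            ShareOfDb    = [math]::Round($share, 2)
            LastModified = $site.LastContentModifiedDate   # stored in UTC
            OverShare    = $share -gt $shareThreshold
            NoQuota      = $max -eq 0
            Stale        = $site.LastContentModifiedDate -lt $staleBefore
        }
        $site.Dispose()
    }
}

# Show only the site collections that need a decision: move, set a quota, or archive.
$report |
    Where-Object { $_.OverShare -or $_.NoQuota -or $_.Stale } |
    Sort-Object Database, ShareOfDb -Descending |
    Format-Table Database, Url, UsedMB, QuotaMB, ShareOfDb, LastModified, OverShare, NoQuota, Stale -AutoSize
```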


Excel Services Security Best Practices Authentication And Accounts

When you use Excel Calculation Services to open Excel workbooks, they should be stored in the SharePoint Server 2010 content database. This is because SharePoint Foundation 2010 maintains the access control list for the files. You can also open workbooks from UNC paths or HTTP websites with Excel Calculation Services. However, it is best to use the SharePoint Server 2010 content database when you want to store workbooks. Authentication of user access to any SharePoint portal site has to be performed by SharePoint Foundation 2010. This is the default that is used for Integrated Windows authentication too. Excel Services Application also supports generic forms-based authentication, but you will need to configure SharePoint Foundation 2010 if you want to use it.

Through claims authentication you can improve security so that you can authenticate your farms, Office Business Applications, and SharePoint services from various environments. With Excel Services Application you can use claims-based authentication for the various deployment scenarios, whether you are using a single server or a farm environment. In addition, the authorization and authentication of users for content and resources is better secured within SharePoint Server 2010 when you have claims-based authentication in place.

Workbooks can contain embedded data connections that link to other files. That connection information is stored in data connection libraries. When you refresh, the embedded direct data connection may be used as a way of sending a query for data to the data connection library. It can also be used to query the .odc file, which contains connection information as well. To configure how Excel Services Application connects to external data sources, choose a setting in the External Data section of the Excel Services Add Trusted File Location page in the SharePoint Central Administration web application.

To configure administrative settings for Excel Services Application, refer to Manage Excel Services Authentication. Farm deployments that are linked by connections use SharePoint Server 2010 claims-based authentication. Excel Calculation Services retrieves the connection information. Credentials are in place to store or integrate the data, and all of those connections have credentials that can be used with claims-based authentication. The deployments can be scaled when you have multiple servers in place.

For a standalone server deployment, you need to rely on claims-based authentication. When a data connection is associated with a workbook that is opened in Excel Calculation Services, it is best to use stored credentials. Excel Calculation Services then retrieves the credentials it needs for validation and uses them to authenticate to the data source. Only then is the data connection successfully established.

There are three types of data authentication that are supported by Excel Services Applications. They include:

  • Integrated Windows
  • Secure Store Service
  • None

It is recommended that you use Kerberos when configuring security with Integrated Windows authentication. This is because SharePoint Server 2010 relies on claims-based authentication, and all Excel Services Applications are also claims based. Integrated Windows authentication is exclusively in place for SharePoint Server 2010 and IIS Authentication Settings. With Secure Store Service authentication, a user can access multiple resources on various systems without having to provide credentials more than once. In SharePoint 2010 the Secure Store Service includes a Windows service and a database of secured credentials. Through the plug-in functions of the Secure Store Service, you can introduce the Secure Store Service provider of your choice with Excel Services Application. Note that SharePoint Server 2010 also includes a Secure Store Service provider that works with Excel Services Application.

Whichever Secure Store Service you choose to use with Excel Services Application, there will be credentials in place. The credential type should be in place with both Windows and other alternatives. That allows Excel Services Application to use the Secure Store Service database to authenticate before connecting and to retrieve credentials. Both individual mapping and group mapping are supported in SharePoint Server 2010. The Secure Store Service offers a set of credentials that is used for the application IDs of all the resources in the SharePoint Server 2010 Secure Store Service database.

In regards to individual mapping, there is a secure layer that will validate the credentials of a user against multiple listings for Application ID’s. This type of mapping can be useful if you need to have the log in information for an individual before they can gain access to any types of resources which are shared.

Group mapping is more commonly used though. This includes a secure layer that checks for group credentials compared to those of multiple domains. However, each user has a set of credentials that can be unique with the Application ID’s. You will find that group maps are easier to maintain than those that are individual. You will also find that you get better overall performance.

If you want to enable the Secure Store Service function for SharePoint Server 2010 you will need to create a new Secure Store Service. This takes place in the SharePoint Central Administration website.

You can select None as the authentication method when you deploy Excel Services Application. In that case an inbound connection is used to connect to the database that is specified in the connection string. It is important to understand that connection strings are passed to the database provider; they are not part of Excel Services Application. Connection strings can specify that Integrated Windows authentication is required. They can also contain the specific user name and password for a given user. When that is the case, Excel Services Application requires the equivalent of an unattended service account for the authentication method.

Should the provider of the database make the determination that the string for the connection has Integrated Windows Authentication, then the database can authorize access for that user. The connection will be established through the use of a security context relating to an unattended account.

The Unattended Service Account is a type of privileged account that is encrypted for security. This has been discussed in several other posts. The Secure Store Service for it holds credentials that are found in Excel Calculation Services. This makes it possible to replicate what has been established so that a secure data connection can be completed. This is the process when the environment is not Windows based. If the Unattended Service Account is not configured, the data connection will fail, because the Secure Store Service cannot be authenticated from such an environment and through this authentication method. The process of replicating the Unattended Service Account protects what is found in the SharePoint Server 2010 database.

It can’t be accessed from unauthorized connections that use Excel Calculation Services to open external data connections. An Unattended Service Account results in external data queries running under a low-permissions account for security, as opposed to running in the security context of Excel Calculation Services. You can configure the Unattended Service Account as a domain account or a local computer account. Make sure the configuration is the same on all of the application servers that run Excel Calculation Services. These credentials are always cached for each workbook session. When a workbook is loaded through a data connection that uses an Unattended Service Account, the account is obtained from the Secure Store that was used. The credentials are not cached globally. You can restrict the permissions of the Unattended Service Account so that it can only log on to a given network.


Secure Store Service Best Practices In SharePoint 2010

With Microsoft SharePoint Server 2010 the legacy single sign on feature has been replaced. The Secure Store Service (SSS) has been introduced to offer a claims authorization service. This includes a database that is secure for the use of storing credentials associated with any given application identification.

The application identification can be used to authorize access to external data sources. As you learn about the Secure Store Service, how to prepare it, application IDs, mapping, and claims authentication, you will quickly realize how valuable it is.

The Secure Store Service is an authorization service that runs on the application server in the SharePoint server farm. It provides a database in which credentials are securely stored through the use of password and identity verification of the user. SharePoint Server 2010 uses the Secure Store database to store and retrieve credentials for accessing external data sources. The Secure Store Service also supports storing credentials for multiple back-end systems, which can have multiple application IDs too.

There are some very important issues to take into consideration when you are preparing to implement the Secure Store Service. You need to run the Secure Store Service in an application that isn’t being used for any other services; this is both a logical and a technical constraint. You need to create the Secure Store Service database on an application that is running SQL Server, but not the same SQL Server application that is being used for your content database. Before generating a new encryption key, back up the Secure Store Service database. It is recommended that you also back it up right after it is created. Each time you create a new key, the credentials should be encrypted again with it. You never want the key refresh to fail, as this can result in the credentials no longer giving you access. Never store the backup media for the encryption key in the same location as the backup of the Secure Store Service database. This is an additional layer of protection that can prevent your database information from being compromised by an unauthorized user.

There is an application ID for each Secure Store Service entry. Application IDs are used to retrieve a given set of credentials from the Secure Store database. Each application ID can be set up with permissions that restrict which users or groups are able to access the credentials stored under that application ID. The application can be used to retrieve a given data source. Application IDs are also used to map users to given sets of credentials. Mapping can be set up both for individuals and for groups. With individual mapping, each user has their own set of credentials that is different from those of other users. With group mapping, each user who belongs to the group is mapped to the same credentials.

There are individual mappings and group mappings to consider. The Secure Store Service supports both and maintains credentials for the application IDs of the resources that are stored in the Secure Store database. Individual credentials for an application are retrieved through the application ID. Individual mapping is beneficial when a user logs in using information that personally identifies them. With group mapping there is a layer of security in place that checks the credentials of the group. It looks for multiple domain users and compares them to a given set of credentials that identifies an application ID stored in the Secure Store database. Group mappings are easier to maintain than individual mappings, so keep that in mind if you are after optimal performance.
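The following added example, which is not part of the original article, creates a group-mapped application ID of the kind described above and sets the single credential set that every member of the mapped group will use. The site URL, application ID, account and group names are hypothetical; the credentials are prompted for rather than written into the script.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator,
# with a Secure Store Service application already created and its key generated.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical values: replace with names from your own farm and domain.
$serviceContext = "http://sharepoint.example.com"
$appId          = "ExcelReportingGroup"
$adminAccount   = "EXAMPLE\sp_secstore_admin"    # may manage this application ID
$memberGroup    = "EXAMPLE\Finance Report Users" # members share the stored credentials

# Group application type: one credential set for all members of the mapped group.
$targetApp = New-SPSecureStoreTargetApplication -Name $appId `
    -FriendlyName "Excel reporting (group mapping)" -ApplicationType Group

# The fields stored for this application ID; the password field is masked in the UI.
$userField = New-SPSecureStoreApplicationField -Name "Windows User Name" `
    -Type WindowsUserName -Masked:$false
$passField = New-SPSecureStoreApplicationField -Name "Windows Password" `
    -Type WindowsPassword -Masked:$true

# Permissions on the application ID: who administers it and who may use its credentials.
$adminClaim = New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName
$groupClaim = New-SPClaimsPrincipal -Identity $memberGroup -IdentityType WindowsSecurityGroupName

$ssApp = New-SPSecureStoreApplication -ServiceContext $serviceContext `
    -TargetApplication $targetApp -Fields $userField, $passField `
    -Administrator $adminClaim -CredentialsOwnerGroup $groupClaim

# Prompt for the low-privilege account whose credentials the group will share.
$cred      = Get-Credential
$userValue = ConvertTo-SecureString $cred.UserName -AsPlainText -Force

# Values are given in the same order as the fields defined above.
Update-SPSecureStoreGroupCredentialMapping -Identity $ssApp -Values $userValue, $cred.Password
```

Only members of the group passed as CredentialsOwnerGroup can have these credentials retrieved on their behalf, so keep that group as small as the data source requires.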

Claims authentication can occur within Secure Store Service. It is able to accept security tokens and to decipher the encrypted application ID. From there it is able to look up the information for verification of authentication. With SharePoint Server Security Token Service, a token is created in response to a request for authentication. The Secure Store Service deciphers the token so that it can successfully read the value of the application ID. The Secure Store Service uses that application ID in order to successfully retrieve the credentials that are in the Secure Store database. These credentials will be used to authorize access to the various resources offered.
