Introduction to MOSS Security Architecture


The Microsoft Office Server System (MOSS, SharePoint 2007) has many exciting new security mechanisms built into it that allow one to build a highly guarded collaboration environment while still providing a unique, fluid user experience for all of the stored content. In previous versions of SharePoint, implementing very granular security options sometimes had the negative side effect of degrading the rich communication and collaboration features of the product, required heavy development effort, or required additional hardware and software purchases.
 
Changes To The MOSS Security Architecture

 

There are, however, unique security features built into MOSS that allow one of the most robust, yet secure, information-worker-centric environments for virtual teams within an organization. Building on technologies such as Windows Rights Management, Information Rights Management, and powerful permissions management, many afflictions that typically affect collaboration platforms can be solved through intuitive, built-in security mechanisms.

Some of the MOSS security architectural possibilities are very exciting for the industry, specifically for organizations that have to conform to business and legal regulations that stipulate privacy and security requirements; MOSS provides built-in mechanisms for such popular regulations as HIPAA and SOX.

Examples of Enhanced Security Provided by ASP.NET 2.0

Some of the greatest security enhancements in MOSS stem from its new architecture and web application structure.

  • SharePoint relies on ViewState by default. In the new version of SharePoint, ViewState is protected by a hashing mechanism (a MAC) out of the box and, with minor effort, can also be encrypted by setting attributes, most notably the viewStateEncryptionMode attribute in the machine.config of your SharePoint server.
  • One of the greatest enhancements is the introduction of forms-based authentication into a SharePoint environment; forms authentication cookies and related authentication tickets are encrypted instead of being stored in plaintext, protecting authentication assets.
  • There are several options for enabling session state (regardless of where the session information is stored), and out-of-process session state assets are protected by the ASP.NET 2.0 framework, the backbone of MOSS.
  • For the pluggable authentication options of MOSS, if you implement a membership and role provider outside the realm of the default Windows authentication routines (which are enabled by default), the related role manager cookies are encrypted. Along the same lines, if you have anonymous MOSS zones or a perimeter-facing site with anonymous authentication enabled, those cookies can be encrypted as well. Because membership providers store credentials in a variety of different systems, the passwords are stored hashed; if a heightened security option is more desirable, these passwords can be encrypted as well.
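The settings listed above all live in web.config or machine.config, and the weak and hardened values are easy to confuse because most of them have safe defaults that a copied-in provider section can silently override. The following C# audit is an added example, not code from the original post or from Microsoft: it parses two constructed config fragments (one with every setting weak, one hardened) and reports each setting that is not at the protective value. The attribute names and defaults (viewStateEncryptionMode, enableViewStateMac, forms protection/requireSSL, roleManager and anonymousIdentification cookieProtection, membership passwordFormat) are the real ASP.NET 2.0 ones; the provider name FbaMembers and connection string FbaDb are invented sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

// Added example (not from the original post): audit the ASP.NET 2.0 protection
// settings listed above in a web.config / machine.config fragment and report
// the weak ones. Both config fragments below are constructed samples.
public static class AspNetSecurityAudit
{
    // Constructed sample in which every setting is at a weak value.
    public const string WeakConfig = @"<configuration>
  <system.web>
    <pages viewStateEncryptionMode=""Auto"" enableViewStateMac=""false"" />
    <authentication mode=""Forms"">
      <forms protection=""Validation"" requireSSL=""false"" />
    </authentication>
    <roleManager enabled=""true"" cookieProtection=""None"" />
    <anonymousIdentification enabled=""true"" cookieProtection=""Validation"" />
    <membership defaultProvider=""FbaMembers"">
      <providers>
        <add name=""FbaMembers"" type=""System.Web.Security.SqlMembershipProvider""
             connectionStringName=""FbaDb"" passwordFormat=""Clear"" />
      </providers>
    </membership>
  </system.web>
</configuration>";

    // The same fragment with each setting at its hardened value.
    public const string HardenedConfig = @"<configuration>
  <system.web>
    <pages viewStateEncryptionMode=""Always"" enableViewStateMac=""true"" />
    <authentication mode=""Forms"">
      <forms protection=""All"" requireSSL=""true"" />
    </authentication>
    <roleManager enabled=""true"" cookieProtection=""All"" />
    <anonymousIdentification enabled=""true"" cookieProtection=""All"" />
    <membership defaultProvider=""FbaMembers"">
      <providers>
        <add name=""FbaMembers"" type=""System.Web.Security.SqlMembershipProvider""
             connectionStringName=""FbaDb"" passwordFormat=""Hashed"" />
      </providers>
    </membership>
  </system.web>
</configuration>";

    // Reads an attribute, falling back to the ASP.NET 2.0 default when it is absent.
    private static string Attr(XmlNode node, string name, string defaultValue)
    {
        if (node == null || node.Attributes[name] == null) return defaultValue;
        return node.Attributes[name].Value;
    }

    private static bool Is(string actual, string expected)
    {
        return string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase);
    }

    // Returns one finding per weak setting; an empty list means the fragment passes.
    public static List<string> Audit(string configXml)
    {
        List<string> findings = new List<string>();
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(configXml);
        XmlNode web = doc.SelectSingleNode("/configuration/system.web");
        if (web == null) { findings.Add("no <system.web> section"); return findings; }

        // ViewState: the MAC only proves integrity; encryption hides the contents.
        XmlNode pages = web.SelectSingleNode("pages");
        if (!Is(Attr(pages, "viewStateEncryptionMode", "Auto"), "Always"))
            findings.Add("pages: set viewStateEncryptionMode=\"Always\" so ViewState is encrypted, not only hashed");
        if (Is(Attr(pages, "enableViewStateMac", "true"), "false"))
            findings.Add("pages: enableViewStateMac=\"false\" disables the ViewState integrity check");

        // Forms authentication ticket: protection=All means encrypt and validate.
        XmlNode forms = web.SelectSingleNode("authentication[@mode='Forms']/forms");
        if (forms != null)
        {
            if (!Is(Attr(forms, "protection", "All"), "All"))
                findings.Add("forms: set protection=\"All\" so the authentication ticket is encrypted and validated");
            if (!Is(Attr(forms, "requireSSL", "false"), "true"))
                findings.Add("forms: requireSSL=\"false\" lets the authentication cookie travel over plain HTTP");
        }

        // Role manager and anonymous identification cookies share the cookieProtection values.
        foreach (string element in new string[] { "roleManager", "anonymousIdentification" })
        {
            XmlNode node = web.SelectSingleNode(element);
            if (node != null && Is(Attr(node, "enabled", "false"), "true")
                && !Is(Attr(node, "cookieProtection", "All"), "All"))
                findings.Add(element + ": set cookieProtection=\"All\"");
        }

        // Membership providers: Clear stores the password itself; Hashed is the default.
        foreach (XmlNode provider in web.SelectNodes("membership/providers/add"))
        {
            if (Is(Attr(provider, "passwordFormat", "Hashed"), "Clear"))
                findings.Add("membership provider " + Attr(provider, "name", "?") + ": passwordFormat=\"Clear\" stores passwords in plaintext");
        }
        return findings;
    }

    public static void Main()
    {
        foreach (string finding in Audit(WeakConfig)) Console.WriteLine("WEAK  " + finding);
        Console.WriteLine("hardened fragment findings: " + Audit(HardenedConfig).Count);
    }
}
```

Run against the real web.config of a web application (rather than the embedded samples) by loading the file text into Audit. The check reads the defaults the same way the framework does, so an element that is simply absent is reported correctly rather than as missing; the one setting with no safe default is requireSSL, which is why it is flagged unless explicitly set to true.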

Why Was The Security Architecture Of SharePoint Changed?

There are several stages to implementing sheltered knowledge management systems and secure collaboration environments, regardless of network architecture and operational access goals. SharePoint attacks are becoming increasingly relevant to business operations and strategic business data warehousing as the product becomes commonplace throughout a variety of industries for an assortment of reasons.
 
Steps In Securing a SharePoint Environment
The first step in securing a SharePoint environment is to implement standards and policies within the environment; just having these policies in place is not enough, they have to be enforced and adhered to by both portal users and administrators. These policies can vary in purpose and intent, as shown in this index of SharePoint policies.
The second step is to investigate, implement, and maintain companion security and disaster-recovery server systems that integrate with and enhance your environment on a variety of levels.
 
Most Popular Security Shifts in SharePoint
Being built upon the new ASP.NET 2.0 platform gives SharePoint some unique security features that make several very lucrative environments possible. The two that are immediately evident are:
  • Forms-Based Authentication (FBA)
  • Pluggable Provider Model (Membership, Role, Session, and Profiles)

These two new options are incredibly popular since they were the most requested features in previous versions of SharePoint, and coupling the two allows an extranet / perimeter-facing deployment that is unique and tailored to each specific instance.

Reasons SharePoint is Subject For Attack
The two most commonplace reasons SharePoint is a subject for attack are:

Data Theft

Since SharePoint acts as an aggregator and warehouse for several layers of business information, a third party may try to capture vital enterprise data for any number of purposes, ranging from sale of this information to competitors to simply trying to pry into day-to-day operations.

Corporate Espionage

Taking down a portal from an operational standpoint, for businesses that are heavily dependent on it for operations, can prove disastrous, and beneficial to a competitor that can take advantage of a weakened business state. This type of intended disruption has been well documented throughout history on other systems (mostly through the battles between smaller communications companies in California; see here for more information regarding those DDoS attacks), and has translated over to SharePoint environments.
 
There are three main levels (tiers) of SharePoint security, each of which has to be tackled individually and methodically maintained (loosely based on the OSI model):
  • Network Level
  • Web Application Level
  • Database Level
However, with certain procedures in place the threats to a portal can be largely mitigated and an organization can collaborate in confidence.

Redirector WebPart SP Solution File Download

So, I am making available to the public the Redirector SharePoint WebPart that I wrote for a buddy who works at a fairly large financial firm (read this post for the complete story on that mess). It’s not very fancy, and the functionality that it introduces into SharePoint is relatively simple in purpose. I had talked about it before in this post, but only had released the WebPart assembly and not the actual SharePoint solution file, which is pretty significant for getting the thing off the ground in your environment. The code itself I will most likely look at optimizing / refactoring at a later date, but for the time being the functionality is there and you can put it to use (as always, I would recommend that you test the WebPart in a staging or development environment before you push it to production). Anyways, it’s free and you can use it at your own discretion; there is no license limit placed on it etc. (as with everything distributed on this site), and it is distributed via a SharePoint solution file (.wsp).

Installing the WebPart is relatively straightforward, and requires working with the SharePoint solution and SharePoint Feature functionality. If desired, a majority of this could just be put into a .bat file. Let’s first look at how to deploy the WebPart, and then we can go about examining the business requirement it targets and why one would use the Redirector WebPart. I think it’s easier to talk about once you see it actually deployed.

The first thing that you must do is navigate to the directory where STSADM is located. Generally this is in the C: directory.

[code]

C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN

[/code]

Once you can access STSADM, you can start running the relevant operations. The first thing you should do is add the solution file to the SharePoint solution store using the addsolution command.

[code]

stsadm -o addsolution -filename RedirectorWebPart.wsp

[/code]

Next, execute the timer jobs. This is necessary if the administration service is not enabled, as the timer job will be created but will not be run.

[code]

stsadm -o execadmsvcjobs

[/code]

Now that the solution file is installed, you must deploy the solution to the relevant web applications. You will notice some interesting switches during this process: we are deploying it immediately as opposed to scheduling a time (as you see through the SharePoint UI fairly frequently), we are allowing Code Access Security policies (so that the WebPart can run from the bin directory as opposed to the GAC, which would otherwise pose a security risk), and the deployment target (all content URLs) is fairly vast.

[code]

stsadm -o deploysolution -name RedirectorWebPart.wsp -immediate -allowCasPolicies -allcontenturls

[/code]

As before, we force the timer jobs to execute so that our changes take effect immediately.

[code]

stsadm -o execadmsvcjobs

[/code]

Lastly, we must activate the feature that the Redirector WebPart depends on. This is accomplished using the activatefeature command, where the -url switch takes the URL of the site on which the feature is activated. Once the feature has been activated, you will be able to use the WebPart in the relevant site.

[code]

stsadm -o activatefeature -name RedirectorWebPart -url

[/code]

Now that you have the WebPart deployed, I guess I should explain what the hell the WebPart does. The business problem that the Redirector WebPart looks to solve is very, very simple in purpose. Oftentimes information workers find traversing a large SharePoint instance difficult, an issue that gets even more complex and convoluted when your MOSS instance becomes an enterprise EIM (Enterprise Information Management) system that is an intrinsic part of your and your users’ arbitrary business operations. Generally, one of the most difficult tasks you encounter when you roll out SharePoint is gathering appropriate end-user adoption of the collaborative technology, since finding the information that information workers want tends to be rather difficult when they are not used to the built-in SharePoint facilities. End-user adoption therefore means getting your users to the information they want faster and more efficiently. This is a fairly basic principle of all knowledge-management-centric systems (for more information regarding formal knowledge management theory, you can view some of the research that I have done on the subject for my course Applicable Knowledge Management in The Workspace at FSU):

  • Introduction to Knowledge Management Systems
  • Developing Knowledge Management Structure
  • Formation and Elicitation of Knowledge Management
  • Building Effective Communications Using Fitting Skills
  • Knowledge Management Schemes

Some of it consists of brief explanations of past research (and researchers) into the subject; however, I think you will find that in concept it demonstrates the overall architecture of a beneficial KM system and the intrinsic pieces that go into one.

The enterprise search features integrated into SharePoint are certainly one method that will get users where they need to go and closer to the information they desire in a large environment. However, in environments with multiple site collections, the search scopes in use usually vary heavily since search is configured site collection by site collection (which is a PITA). This by no means implies that the search features SharePoint provides are not a powerful concept that should be exploited in your environment; rather, the WebPart is solely a supplement to those concepts, albeit one that fills a large technology gap.

If there are multiple site collections in the SharePoint architecture / instance, it is common that each site collection holds a specific purpose. Meaning, some architects choose to divide site collections based on organizational structure and role, such as specifying a site collection for each department, or something similar. This can be any arbitrary purpose; however, it tends to follow some sort of naming convention. Although most architects will argue this is not a beneficial architecture for an overall SharePoint strategy, it is relatively common in environments that don’t have the time / resources that need to be dedicated to studying pre-existing business processes and tailoring the SharePoint instance around those parameters accordingly. Since SharePoint has become an intranet platform for SMEs (Small to Medium Enterprises) in the Microsoft market, such environments must be taken into consideration.

This is what the Redirector WebPart assumes you are doing, but this by no means implies that it requires site collections. You could use it just as effectively with sites. What it does is provide you a limited number of automatic redirections (10 at the most; if you need more, email me) that are based on a SharePoint profile property. For example, you could set the Master Profile Operator to Department (this is actually set as the default in the WebPart class constructor). Then, you could define several profile operators, such as Sales. When a user’s SharePoint profile has the Department value set to Sales, you can redirect them (if the redirection condition is activated) to http://yoursharepointsite/sites/sales/default.aspx without them seeing the core site collection (you will see this in more detail later).

There are two modes of operations for the WebPart, one for administrators, and another for normal users. Administrators should not be immediately redirected, as they are responsible for maintenance of the root site as well as the configuration and management of the Redirector WebPart. Therefore, administrators are presented with a dashboard of all the current active redirections. Normal users that are not administrators however are instead redirected to whatever conditions are set in the WebPart properties. This is accomplished with a simple method that will trigger the check.

But what if the user doesn’t have anything set for the property in their profile? This is where the default redirection property comes into play. If the profile property returns as NOTFOUND, then the user is redirected to whatever you place into the WebPart properties as the default redirection site. It is just a catch-all for problems as they may occur.
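The decision the WebPart makes on every page load (administrators see the dashboard, everyone else is matched against the redirection conditions, and a missing profile value falls through to the default site) is small enough to write out in full. The following is an added example and not the Redirector WebPart’s own source: it separates that decision from SharePoint so it runs as plain C#, and adds one check a reviewer would want, namely that redirect targets are site-relative paths, so a mistyped WebPart property cannot send users to an external host. The rule and fallback URLs are constructed samples; in a real WebPart the isAdmin flag would come from something like SPContext.Current.Web.CurrentUser.IsSiteAdmin, the profile value from the MOSS UserProfileManager, and the redirect from SPUtility.Redirect, all of which are assumptions about the glue rather than code shown here.

```csharp
using System;
using System.Collections.Generic;

// Added example, not the Redirector WebPart's own code: the redirect decision
// the post describes, kept free of SharePoint references so it runs stand-alone.
public sealed class RedirectionRule
{
    public string ProfileValue;   // compared against the master profile operator, e.g. "Sales"
    public string TargetUrl;      // site-relative target, e.g. "/sites/sales/default.aspx"
}

public static class RedirectorLogic
{
    public const string NotFound = "NOTFOUND";   // sentinel the post uses for a missing property
    public const int MaxRules = 10;              // the WebPart's stated limit

    // Accepts only site-relative paths. Absolute ("http://...") and protocol-relative
    // ("//host") targets are rejected so a misconfigured property is not an open redirect.
    public static bool IsSafeTarget(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url.StartsWith("/")
            && !url.StartsWith("//")
            && !url.StartsWith("/\\");
    }

    // Returns the URL to redirect to, or null when the admin dashboard should be rendered.
    public static string Decide(bool isAdmin, string profileValue,
                                IList<RedirectionRule> rules, string defaultUrl)
    {
        if (isAdmin) return null;                       // administrators manage the root site
        if (rules.Count > MaxRules)
            throw new InvalidOperationException("at most " + MaxRules + " redirections are supported");

        // An empty profile property behaves exactly like the NOTFOUND sentinel.
        string value = string.IsNullOrEmpty(profileValue) ? NotFound : profileValue;

        foreach (RedirectionRule rule in rules)
        {
            if (string.Equals(rule.ProfileValue, value, StringComparison.OrdinalIgnoreCase)
                && IsSafeTarget(rule.TargetUrl))
                return rule.TargetUrl;
        }
        // No condition matched (or the property was NOTFOUND): use the default redirection.
        return IsSafeTarget(defaultUrl) ? defaultUrl : null;
    }

    public static void Main()
    {
        // Constructed sample configuration: one good rule and one with an unsafe target.
        List<RedirectionRule> rules = new List<RedirectionRule>
        {
            new RedirectionRule { ProfileValue = "Sales",   TargetUrl = "/sites/sales/default.aspx" },
            new RedirectionRule { ProfileValue = "Finance", TargetUrl = "http://external.example/" }
        };
        string fallback = "/sites/welcome/default.aspx";

        Console.WriteLine(Decide(true,  "Sales",   rules, fallback) ?? "dashboard");  // administrator
        Console.WriteLine(Decide(false, "Sales",   rules, fallback));                 // matched rule
        Console.WriteLine(Decide(false, "Finance", rules, fallback));                 // unsafe target, fallback
        Console.WriteLine(Decide(false, null,      rules, fallback));                 // NOTFOUND, fallback
    }
}
```

Keeping the decision in a method that takes plain values rather than an SPContext is what makes it testable outside a farm; the WebPart’s render path only has to gather the inputs and act on the returned URL.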

You can also enable debugging within the WebPart properties. Simple debugging will display miscellaneous information under the WebPart, and if you want to email me for help with the WebPart, I am going to ask you to send me this information, so enable it first.

You can also manage the appearance of the administrative dashboard directly from the WebPart properties. The label properties (i.e. the string text) that appears throughout the WebPart can be customized to whatever you want, you aren’t limited to those that I have chosen (because I hate when WebParts have hard-coded strings personally, I think the complete appearance should always be manageable by the administrator at the very least, with just immutable methods).

So here is an example use case. I have one account, whose parameters are:

Username: Administrator

Role: SharePoint Farm / Core Site Collection Administrator

Then I have another John Doe account that works in the Sales department at my organization. Because the sales department generally will only use their specified site collection as opposed to having an interest in the other various business units site collections, it makes sense to just dump the users there.

Username: John Doe

Role : Reader Finance Site Collection

I am making these as just local accounts, as you can see:

I also have two site collections, one is the core site collection, and the other is the sales site collection. Ideally, when the John Doe user first enters the core site collection (since it is the URL that is distributed through all the internal marketing material), they should just be redirected to the sales site collection (or site, whatever your choice is).

As you can see, John Doe is in the Members group of the sales site collection:

As I am logged in as the administrator, I am not redirected to any site collection, but instead presented with a dashboard view of all the configurations I have made previously. The first thing that I should look into doing is setting up the Global WebPart parameters which will contain things like the root site name (makes it easier to setup the redirections), and if I should have a default redirection instance setup in case none of my redirections are true for users (i.e. returns NOTFOUND).

All my global information is setup, and now I can configure the first redirection condition the WebPart will capture. Since John Doe is in the sales department, I am going to configure my first redirection so that it will look at the SharePoint Profile operator Department for the string Sales. If Department equals Sales then I want the user redirected to the sales site collection located at: /sites/sales/ as you can see in the following site collection creation screen (John Doe is a member of this site collection).

So my Redirection property should look like:

After this property is committed, you will see the Redirection Dashboard adjust so that you see that there is redirection condition that has been enabled. Within the dashboard, you are able to see the profile operator that is being looked up, the property that is being used for comparison, and what site the resulting match will end up with.

With this condition activated, whenever John Doe comes into the friendly core site collection URL, he will be automatically dumped into the sales site collection.

Anyways, once you get to play with it, you will understand how it works. Feel free to email me if you have problems, or if you have suggestions for improvements. I am going to be focusing on my next WebPart project, so I might not be super responsive, but I am always up for improving past freeware WebParts. I look forward to developing more user interaction WebParts that help user adoption, so check back to sharepointsecurity.com and sharepointsecurity.com/blog frequently for updates (or subscribe to my RSS feeds if that is your cup of tea).

Download the SharePoint Solution (.wsp) file

Please read this if you want to know the legal policy of ARB Security Solutions Provided Freeware.


SharePoint Knowledge Management Accelerator for Healthcare

The Knowledge Management Accelerator for Healthcare is an attempt to implement a framework that uses KP cubed architecture in order to break down business data into identifiable organizational assets.

KM (Knowledge Management) in healthcare systems consists of human elements and processing. At one time, particular accomplishment issues restricted healthcare variables, including cost and care to patients. As advances took place, however, the administrative as well as clinical aspects of healthcare evolved with differentiating changes, redefining competing doctrines and changing the outlook of treatment in healthcare and administration. Today, healthcare environments treat patients by predicting illnesses before they arrive and preventing them from progressing. Thus, the system works to manage the patient’s health by instigating healthier tactics and enforcing the action throughout the lifespan. The approach requires substantial investment and intelligence assets. The key focus of a Knowledge Management (KM) system is keeping the hospital’s knowledge from deteriorating.

Many hospitals lack knowledge of the usage of their accumulated information base. The information is often left behind since employee attrition causes deterioration, and high rates of turnover and cost-cutting measures, including wrongfully submitted documentation, have brought down the insight into and need for KM.

Certain tools in KM, such as metrics, center on the hospital’s gaining, storing, and retrieving of intellectual assets. The focus is tangibly constructed with other tools to make the system work, including enhancing strategies for learning, planning and decision making.

The concept lengthens the skills of logic, and productively designing plans in growth and development.

KM views knowledge assets as a management tool for gain. The improvement of healthcare and patient care is directed toward the hospital’s intellectual assets. A skillful KM tool promotes expertise, while encouraging employees to stay focused, capturing the reflections of its strategy, practices and policy scheme, and capturing information at each level of patient care and healthcare activity.

The intangible benefit of KM to employees lies in fundamental novelty: it goes forward in planning, interchange in management and hospital culture, while giving a balanced approach.

KM is vital for developing sharing of knowledge attitudes and competence in patient care.

Sharing is essential in managing KM assets since it reduces or increases cost and ‘cycle time’, improves the hospital’s investments, satisfaction and indexing, and leaves room for healthier paramedical intellect and medical treatment.

At one time, KM was only available to a handful of practitioners. Over the past few years, however, research exploded and brought forth new light and applications. A measure of concern in KM strategy is that it remains pending for few practitioners, which poses a threat, since it may affect the reproduction of intelligence, total quality management, and business re-engineering. Discipline becomes an interest, since it must be sustained at a particular level to remove any flaws from the concept while simultaneously delivering a measure of value to the business.

Ironically, however, as the discipline begins to work, interest in the concept is lost and additional failures become apparent; thus, the true benefit is lost.

This leads to a breaking point, since the ambition and interest of KM starting points in healthcare evolve at various levels and may work technically, but will not continue working in an economic sense. With this in mind, we can see that healthcare systems continue to be an enormous gear for repayments in healthcare expenses. Social workers and healthcare networks, including medical experts, will remain aware of the power and tools available to them over the Internet.

The outlook is not completely unenthusiastic, even if it changes gradually from the first pattern.

Though substantial development has been reached, it will take extensive work to deliver KM’s promised value. In the end, in order to understand the true value of KM, healthcare experts must find motivation while including organization, sharing, and creating. The majority of forecasting models in healthcare were developed in the previous era.

Those models paid attention to how the exploitation of arrangement designs, including pay, deductibles, et cetera, would manipulate the deployment of behaviors, and to regulating for case-mix and risk for the purpose of forecasting global expenses and setting capitation repayment rates.

Until recently, little interest was applied to predictive tools for individuals for the purpose of reducing cost and improving the care of individuals. The lack of interest was primarily due to the absence of tools that could precisely predict the future individual utilization of patients, particularly for patients with no current utilization.

In terms of general understanding, the current use of particular types of health services is the best predictor of future usage. Methods that predict future usage of particular services where there is no current usage of a similar service tend to produce results that are meaningless to program managers in healthcare. With the rapid increase in data generation and collection, researchers are now capable of exploring patterns hidden within large databases.

Substantial quantities of healthcare data are available within databases that could be utilized for discovering knowledge. The diversity and complexity of healthcare data demand concentration on the usage of statistical techniques.

Decision trees present unique qualities in data analysis, which are very different from linear regression techniques. Decision trees make available unique models especially suited for this particular analysis strategy. These analyses demonstrate CART data mining methods and how they can be employed to extract knowledge from integrated healthcare datasets concerning future mental health usage in a population, including those that have no current mental health usage.

The tools could be utilized to identify patients likely to require mental health services in the future, based on non-mental healthcare utilization prior to entry into the mental health system. The managerial aspects would obviously vary between health plans, but various approaches could be proposed. This technique could be utilized to notify managers and others of the need for earlier intervention: identifying patients and sending them information packages on the availability of behavioral health services early, while encouraging them to call for appointments. The patients are encouraged to call when feeling depressed or anxious over recent changes in healthcare events, and behavioral health providers utilizing a list of identified patients could make outreach calls to the patients in need. Such intervention strategies can reduce costs while improving quality of life for those suffering serious mental and physical health conditions. Irrespective of the explicit techniques implemented, data mining techniques are noteworthy, and the idea has brought forth a widespread application of all such techniques, since it has brought forth innovative knowledge.

The newly created knowledge, growing the extant knowledge base of organizations, not only adds value to intangible assets; it also increases overall organizational value through new managerial techniques, such as balanced scorecards, as has been demonstrated.

Today’s knowledge-based economy sustains strategic returns as it gains more from organizational knowledge assets than from traditional types of assets within organizations. In today’s economy, the processes, tools, and techniques serve to develop knowledge assets in organizations, thus increasing their strategic value and competitiveness.

Healthcare is recognized for utilizing leading-edge medical technologies, while embracing innovative scientific discoveries, enabling healthier cures for disease and better solutions for enabling early detection of most life-threatening diseases.

The healthcare industry has been extremely slow to adopt key business processes, both in the US and globally. The process of knowledge management has crept along, and the techniques, including data mining, have all moved along slowly.

With this in mind, more investment in business processes and techniques is indispensable. Furthermore, this notion and investment is a strategically vital comeback for the US healthcare industry, if the industry is to achieve premier standing with respect to high-value, high-quality, and highly accessible healthcare delivery systems.

A final report composed by the Committee on the Quality of Healthcare in America noted that improvement of patient care is integrally linked to providing high-quality healthcare. Furthermore, to achieve high-quality healthcare, the committee recognized six key aims for the healthcare industry, including the changes necessary to make healthcare more sufficient:

1. Safe environment: preventing injuries to patients from the care that is intended to assist them,

2. Effective: providing services based on scientific knowledge to all who could benefit and refrain from providing services to those who will not benefit (i.e., avoiding under-use and overuse),

3. Patient-centered: providing care that is respectful of and responsive to individual patient preferences, needs, and values and ensuring that patient values guide all clinical decisions

4. Timely: reducing waiting and sometimes harmful delays for both those receiving care and those who give care

5. Efficient: avoiding waste

6. Equitable: providing care that does not vary in quality based on personal characteristics.

Poor-quality healthcare is related to the highly fragmented delivery system in healthcare, since it lacks the rudimentary clinical information capable of producing productive results, and since its poorly designed care processes are characterized by unnecessary duplication of services, which leads to long waiting times and delays.

The application and development of sophisticated information systems is indispensable to tackle these quality matters and to improve competence. Until now, healthcare delivery has been comparatively untouched by the transformation of information technology, new business administration processes such as knowledge management, or innovative techniques such as data mining, which have transformed many areas of business today.

Healthcare groups are encountering quite a rebellion, since the industry is fueled by economic pressures and a reexamination of the principles of distribution of care. These corporations are also committing to the attacks from technology. As laggards, healthcare delivery institutions often face the adoption of prevailing innovations in information technology late. The impact of the World Wide Web and innovations in telecommunications, computing, and the enduring arrival of micro-devices is commencing to be felt in healthcare delivery.

The force of these effects is found in the confluence of the technology itself with innovations in marketing, management, and the altering perspective of healthcare consumers. Currently there is a rising trend of increased consciousness, empowerment, and changes in the attitudes of healthcare consumers concerning the delivery of healthcare services.

The intersection of this brunt of changes is producing a tremendous enlargement in the knowledge flowing through the healthcare system. From the bedside to medical school, onward to the examining room and to medical encounters, including family and patient roles, the delivery of healthcare services has added new facets to our knowledge regarding healthcare and its delivery.

Medical knowledge has placed the medical professions in confrontation, since KM is on the rise. Genetic research, innovative drugs, and expansion of field research in areas of biotech and biomedical engineering create strong needs in management. Today, medical professionals, particularly students, are equipped with PDAs and other miniature information technology devices that permit them to access vast arrays of knowledge.

Healthcare delivery, as well as its followers and professionals, can now produce more knowledge in a day than in hundreds, possibly thousands, of years of human history. Just imagine producing in one day as many automobiles as could take a hundred years to design. Our highways and byways would clog immediately, and sorting out the traffic jam would become a task so horrible that it would lead to frustration beyond human capacity. A comparable state of affairs occurs in the growth of knowledge in the healthcare delivery arena.

Since the healthcare delivery industry is jammed with the continuing production of knowledge, there is a desperate need for knowledge management, especially management capable of inserting order into the developing confusion. In view of the fact that healthcare is notoriously sluggish in adopting such innovations, we are only now beginning to see the original forays of these organizations into the epoch of knowledge management systems. The healthcare system is taking careful baby steps, and there is currently very little systematic work documenting such a passage into an innovative era of managing knowledge.

In the final analysis, healthcare delivery is the manipulation of knowledge, and the management of organizations, including healthcare organizations, is the administration of knowledge. We are now apprehending that unless groups are capable of efficiently managing the knowledge they need to act and to survive, they are destined for catastrophe. This manuscript offers a considerate array of topics, ranging from the principles of knowledge management, e-health organizations, and knowledge management infrastructure to how to start and progress knowledge management systems. It is an original effort to create awareness of the importance of knowledge management in healthcare delivery. It is also the reverberation of a call to other scholars, inviting them to join in discovering the fundamental and rapidly growing areas of knowledge management in healthcare delivery organizations.
