The following security recommendations for MOSS 2007 features are listed on the TechNet site here.
| Feature or area | Description and recommendation |
| --- | --- |
| Authorization | Assign permissions to groups instead of individual accounts. |
| Permission levels | Assign users the least permissions required to complete their tasks. |
| Administration | Use access permissions to secure the Central Administration site and allow administrators to connect to the site remotely (as opposed to enabling the Central Administration site for local computer use only). This alleviates the requirement for administrators to log on locally to the computer that is hosting Central Administration. Configuring Terminal Services access to the computer creates a greater security risk than leaving the Central Administration Web site available for remote access. |
| Web Part storage and security | |
| User profiles | The User Profile and Properties content access account is used to connect to and import data from a directory service. If you do not provide credentials for this account, the default content access account is used instead. You can specify a different account for each directory service. For a more secure environment, use an account that has read access to the directory service. Do not give the default content access account access to the directory service. For more information, see Plan for administrative and service accounts (Office SharePoint Server). |
| Self-service site creation | You can use the Self-Service Site Management page to allow users to create and manage their own top-level Web sites automatically. When you enable self-service site creation for a Web application, users can create their own top-level Web sites under a specific path (by default, the /sites path). When self-service site creation is enabled, an announcement is added to the top-level site at the root path of the Web application, and users who have permissions to view that announcement can link to the new site. Whether you should enable self-service site creation depends on the environment: |
| Site directory | Some site templates include a site directory. A site directory is a Web page of site links that are approved. Anybody can submit a site for consideration in the site directory. Only site directory administrators can approve and add sites to the site directory. |
| RSS Web Part | By default, the RSS Web Part can access only anonymous feeds. To allow authenticated feeds (such as feeds to authenticated SharePoint site content), you must grant the Web server computers access to the appropriate server computers by using constrained delegation in the Active Directory directory service. |
| Content caching of pages with personalized content | You can use output caching to optimize performance for sites that display some personalized content. In this scenario, post-cache substitution is used to ensure that the personalized content is refreshed for the user. Consequently, if the entire page or most of the page includes personalized content, performance does not greatly improve if you use output caching. If you plan to enable output caching on pages with personalized content, ensure that sites that display personalized content support post-cache substitution if the following conditions apply: In this scenario, anonymous users all see identical content. The content that authenticated users see depends on whether personalized content is displayed and if post-cache substitution is supported for this content: |
| Content deployment | If you are not using the content deployment feature, do not permit the server farm to accept incoming content deployment jobs from another farm. The default setting is to reject incoming content deployment jobs. |
| InfoPath Forms Server | |
| InfoPath data connections | |
| Excel Calculation Services data access | There are two data access models you can use for any of the Excel Services in Microsoft Office SharePoint Server 2007 server farm topologies: trusted subsystem and constrained Kerberos delegation. |
| Excel Calculation Services secure communication | You can use Internet Protocol security (IPsec) or SSL to encrypt data transmission among Excel Services application servers, data sources, client computers, and front-end Web servers. To require encrypted data transmission between client computers and front-end Web servers, on the Shared Services Administration Web site, on the Excel Services Settings page, change the Connection Encryption setting from Not required to Required. Not Required is the default setting. If you change the Connection Encryption setting to Required, the Excel Calculation Services application server only allows data transmission between client computers and front-end Web servers over SSL connections. If you decide to require encrypted data transmission, you must manually configure IPsec or SSL. You can require encrypted connections between client computers and front-end Web servers while allowing unencrypted connections between front-end Web servers and Excel Calculation Services application servers. |
I have been talking about starting a User Group and finally it has become a reality. If you are from the greater Seattle area, you are invited to join the Seattle Windows Networking User Group.
The purpose of this user group is to bring IT professionals together from various public and private sectors to collaborate on Windows networking technologies. Whether you are already in the IT industry or contemplating a change in your career, you will benefit from joining this User Group by interacting and networking with other technologists.
WNUG is primarily focused on Microsoft networking technologies, such as Windows Server 2008/2003, Windows 7/Vista/XP, Active Directory, SharePoint, Exchange, SQL Server, ISA Server, SMS, etc. The goal is to provide useful information to IT professionals so that they can better configure, deploy, maintain, support, manage, troubleshoot and secure Microsoft networking products and utilities.
WNUG will hold its inaugural meeting at the Lincoln Square Center in Bellevue, just across from the Bellevue Square mall, on Tuesday November 18, 2008 from 6:00pm-7:30pm.
The User Group membership is open to the general public and it's free for registered users. YOU MUST BE A REGISTERED MEMBER IN ORDER TO ATTEND THE MEETINGS. Registration will allow you to attend the meetings, benefit from specials and giveaways, and have access to certain resources on the User Group Web site.
If you are interested in joining the group and networking with other IT professionals in the Puget Sound area, please go to http://www.WinNetUserGroup.com and click the “Join the group” button. Feel free to pass this information to your colleagues.
Here’s a good document on Microsoft TechNet that discusses service account planning in MOSS 2007. The article is full of nice tips, such as “do not use the same account that is used to run Setup to perform administration tasks.” Here’s some info on SQL authentication:
“Using SQL authentication requires additional setup and configuration:
When SQL authentication is used:
You can read the entire article here.
Based on what I see in various forums, there is a lot of confusion on setting up POP3 on Exchange Server 2007 in general. One common error that is mentioned a lot is:
550: 5.7.1 Unable to Relay
This is not the only scenario in which you will see the above error; there are many others. However, I will address one particular situation here.
Users are unable to use Outlook 2007 or Windows Mail to send out messages (or to reply to messages they have received). They get the above error.
Here is the scenario:
You have a single Exchange Server 2007 running on a Windows Server 2003 Domain Controller. All the latest service packs and updates have been installed.
1. EXTERNAL USERS: You are able to receive e-mails sent to your POP3 accounts by external users, but you cannot send e-mails to them or reply to their messages. You get the “Unable to relay” error.
2. INTERNAL USERS: You are able to send and receive e-mails to and from other users on your internal network using POP3 from Outlook 2007, Windows Mail and OWA.
You are able to send and receive messages to and from internal and external users when using OWA because OWA does not use POP3. This may be the temporary workaround that you are using because you can't use POP3 to send messages to external users.
1. Go to Hub Transport under Server Configuration in Exchange Management Console.
2. On the Receive Connectors tab double-click the Default connector.
3. On the Permission Groups tab, make sure that your Exchange Server has the following boxes checked:
- Anonymous users
- Exchange users
- Exchange servers
5. Restart Hub Transport service.
6. On the Outlook 2007 client go to the properties of the POP3 account. Click on More settings. On the Outgoing Server tab check the box “My outgoing server (SMTP) requires authentication”.
If you are using Windows Mail then the option is available on the Servers tab. Go to the properties of the POP3 account and check the box that says “My server requires authentication.”
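The same check and change can be made from the Exchange Management Shell, which also makes it easy to confirm that the connector is not an open relay. This is an added example and not part of the original post; it assumes the Receive Connector that Setup creates is named "Default <ServerName>" and that the Hub Transport role is on the local server (the $connector value is an assumption to adjust).

```powershell
# Added example, not part of the original post: audit and set Receive Connector
# permission groups from the Exchange Management Shell on an Exchange 2007
# Hub Transport server. Assumes the connector created by Setup is named
# "Default <ServerName>"; adjust $connector if yours is named differently.

$server    = $env:COMPUTERNAME
$connector = "$server\Default $server"   # assumed connector name

# 1. What each connector on this server currently allows.
Get-ReceiveConnector -Server $server |
    Format-Table Name, Bindings, PermissionGroups, AuthMechanism -AutoSize

# 2. Who may relay to any recipient through each connector. The "Exchange users"
#    permission group grants this extended right to authenticated senders only,
#    which is why step 6 (outgoing-server authentication in the mail client) is
#    what actually clears the "Unable to Relay" error. "Anonymous users" does not
#    grant it, so checking that box does not turn the connector into an open relay;
#    if ANONYMOUS LOGON shows up in this list, someone has added it by hand.
Get-ReceiveConnector -Server $server | ForEach-Object {
    Get-ADPermission -Identity $_.Identity |
        Where-Object { -not $_.Deny -and $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
        Select-Object @{ Name = 'Connector'; Expression = { $_.Identity } }, User, ExtendedRights
}

# 3. Apply the three permission groups listed in step 3 to the default connector.
#    -PermissionGroups replaces the whole set, so list every group you want to keep.
Set-ReceiveConnector -Identity $connector `
    -PermissionGroups 'AnonymousUsers', 'ExchangeUsers', 'ExchangeServers'

# 4. Step 5 of the post: restart the Hub Transport service so the change takes effect.
Restart-Service MSExchangeTransport
```

Run the audit (parts 1 and 2) before and after the change; the only identities holding ms-Exch-SMTP-Accept-Any-Recipient on the default connector should be authenticated users and Exchange servers.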
Again, keep in mind this is not the only solution to this error. There are too many other possibilities and it’s almost impossible to cover them all but I am addressing one particular situation that you may find helpful.
If you are a network administrator managing Active Directory networks, or even a SharePoint administrator, you have to deal with a lot of service accounts. You may be tempted to set your service account passwords in Active Directory to never expire, but that's a security risk. On the other hand, if the password expires and you reset it, or you simply change the password after 90 days, you may experience problems with your service. When dealing with MOSS 2007, your design may require half a dozen service accounts, or perhaps even more. If you don't create separate service accounts you are in trouble; if you create too many, you have to find an easier way to manage them.
Well, these are the issues that require careful planning of service accounts. Check out Microsoft’s Services and Service Accounts Security Planning Guide. Hopefully you will find some useful information in this guide that will help you with managing your service accounts.
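A first step toward managing those accounts is knowing which ones are currently exempt from password expiry and how stale their passwords are. The script below is an added example, not part of the original post or of Microsoft's guide; it uses plain ADSI so it runs from Windows PowerShell on any domain-joined machine without extra modules, and the 90-day rotation limit in $maxAgeDays is an assumed policy value.

```powershell
# Added example, not part of the original post: report Active Directory user
# accounts flagged "Password never expires" and how long ago each password was
# last set, so service accounts can be rotated on a schedule instead of being
# left permanent. $maxAgeDays is an assumed rotation policy; adjust to your own.

$maxAgeDays = 90

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.PageSize = 1000
# Bit 0x10000 (65536) of userAccountControl is DONT_EXPIRE_PASSWD. The OID in the
# filter is the LDAP bitwise-AND matching rule, so only accounts with that bit
# set are returned.
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                   '(userAccountControl:1.2.840.113556.1.4.803:=65536))'
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]('samaccountname', 'pwdlastset', 'description', 'distinguishedname'))

$report = foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties
    # @() wrapping returns $null for an absent attribute instead of throwing.
    $raw = @($props['pwdlastset'])[0]
    # pwdLastSet is a FILETIME; 0 means the password has never been set / must
    # change at next logon.
    $lastSet = if ($raw -and $raw -ne 0) { [DateTime]::FromFileTime([Int64]$raw) } else { $null }
    $ageDays = if ($lastSet) { [int]((Get-Date) - $lastSet).TotalDays } else { $null }

    New-Object PSObject -Property @{
        Account     = [string]@($props['samaccountname'])[0]
        Description = [string]@($props['description'])[0]
        PasswordSet = $lastSet
        AgeDays     = $ageDays
        Overdue     = ($null -eq $ageDays) -or ($ageDays -gt $maxAgeDays)
        DN          = [string]@($props['distinguishedname'])[0]
    }
}

$report | Sort-Object AgeDays -Descending |
    Format-Table Account, PasswordSet, AgeDays, Overdue, Description -AutoSize
```

Accounts marked Overdue are the ones to schedule first; the Description column is where a consistent naming and documentation convention for service accounts (which service, which server, who owns it) pays off when the list runs to dozens of entries.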
Copyright © 2013 Zubair Alexander. All rights reserved.