Reviewing Security Settings in SPCA
The Security page in SPCA, as shown in Figure 22,
contains all security-related items available for configuration in
SPCA.
Users
Within the first category on the Security page, labeled Users, all security settings related to users and to specific user groups are listed. This includes the following:
Manage the farm administrators group— Enables full farm administrators to be defined.
Approve or reject distribution groups—
Distribution groups automatically added by the Directory Management
Service are listed in this area if the farm is configured to require
administrator approval for new distribution groups. The Directory
Management Service is enabled from within the incoming email settings in
SPCA.
Specify web application user policy—
Permission for an individual user or a group to override security
within a web application can be set in this area. For example, the
Search Crawling Account can be configured to have read access to all
content within the entire web application to enable it to be crawled.
General Security
Within the second category on the Security page, labeled General Security, all other security settings that don’t fit into either the first or third category are listed, including the following:
Configure managed accounts—
This area is highly useful for SharePoint admins, because it allows for
the concept of a managed account to be configured. A managed account is
a service account that can be set to automatically have its password
changed, as shown in Figure 23.
Managed accounts can be set for all SharePoint service accounts, such
as the Crawl account, Search account, accounts for service
applications, and App Pool identity accounts.
Configure service accounts—
Enables specific services in Windows Server to be updated with the
credentials of a specific managed account used as the service account.
This enables services that run with the credentials of a user to be
automatically updated per best practices.
Configure password change settings—
Enables administrators to determine what the individual settings for
password changes are, such as who is notified via email of the changes
and how many seconds to wait before notifying services of the change.
Specify authentication providers—
Enables administrators to define more than one authentication directory
that can be used to gain access to SharePoint content, as shown in Figure 24.
Manage trust—
Within this area, different farms can be “trusted,” allowing for their
content to be intermingled with the farm and allowing for sharing of
information between the farms. The trust relationships to other farms
must be set up using PKI certificates and require a common trusted root
certificate when creating the trust, as shown in Figure 25. Trusts are
required to consume information from another farm.
Manage antivirus settings—
Antivirus settings are provided in SPCA as part of the built-in
antivirus Application Programming Interface (API). Note that just
because the API is there does not mean that antivirus functionality is
available out-of-the-box. To enable antivirus, a supported antivirus
product, such as Microsoft’s Forefront Protection 2010 for SharePoint,
must be installed.
Define blocked file types—
The default list of file type extensions that are blocked in SharePoint
is defined in this area. It can be modified as necessary.
Manage web part security—
The security settings related to web parts, such as whether users can
create connections between web parts, are listed in this area.
Configure self-service site creation—
Also linked to from the Application Management area of SPCA, this setting
enables specific users with the proper rights to create their own subsites.
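The managed account and blocked file type settings described above can also be reviewed from the SharePoint Management Shell. The following read-only audit is an added example, not taken from the original text; the `$requiredBlocked` baseline is an illustrative assumption and is not SharePoint's default blocked list.

```powershell
# Added example: read-only audit of two General Security settings.
# Run on a farm server with farm administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: illustrative baseline of extensions that should be blocked.
# Replace with the list your own policy requires.
$requiredBlocked = 'exe', 'bat', 'cmd', 'ps1', 'vbs', 'msi', 'scr'

# 1. Managed accounts whose password is NOT changed automatically.
#    These still depend on a manual password rotation process.
$accountFindings = Get-SPManagedAccount |
    Where-Object { -not $_.AutomaticChange } |
    Select-Object Username, AutomaticChange, PasswordExpiration

# 2. Web applications whose blocked file type list is missing one or
#    more baseline extensions (Central Administration included).
$extensionFindings = Get-SPWebApplication -IncludeCentralAdministration |
    ForEach-Object {
        $webApp  = $_
        $blocked = $webApp.BlockedFileExtensions
        # -notcontains compares case-insensitively
        $missing = @($requiredBlocked | Where-Object { $blocked -notcontains $_ })
        if ($missing.Count -gt 0) {
            New-Object PSObject -Property @{
                WebApplication = $webApp.Url
                NotBlocked     = ($missing -join ', ')
            }
        }
    }

Write-Host 'Managed accounts without automatic password change:'
if ($accountFindings) { $accountFindings | Format-Table -AutoSize }
else { Write-Host '  none' }

Write-Host 'Web applications missing baseline blocked extensions:'
if ($extensionFindings) {
    $extensionFindings | Format-Table WebApplication, NotBlocked -AutoSize
}
else { Write-Host '  none' }
```

The script changes nothing in the farm; any findings are corrected through the Configure managed accounts and Define blocked file types pages.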
Information Policy
Within the third category on the Security page, labeled Information Policy,
settings are provided for enabling Information Rights Management (IRM), which
allows document libraries to be secured using Active Directory Rights
Management Services (AD RMS).
Configure information rights management—
Allows IRM to be enabled or disabled within SharePoint,
depending on whether AD RMS is already deployed within the AD forest or
whether SharePoint should manually address the server, as shown in Figure 26.
Configure information management policy—
Individual IRM policies for SharePoint, such as policies for labels,
barcodes, auditing, and retention, can be defined within this area.