Shortcuts in Microsoft SharePoint

Over the last couple of years, I have reviewed many Microsoft SharePoint Farms. Very few have been great, some have been good, most have left much to be desired. Microsoft SharePoint is fairly easy to install, but it does take some dedication to the product in order to install it correctly. Most organizations take shortcuts either out of a lack of experience or because they don’t believe their environment or network is in harm’s way. No matter the reason, the content in this blog is dedicated to providing quick lessons on what should be done and also showing why. Hopefully, it will help those interested in building solutions that are as secure as the technology allows them to be.

Shannon Bray, Microsoft Certified Master


The Aftermath of Launching the SharePoint Farm Configuration Wizard

After installing Microsoft SharePoint and executing the Products and Configuration Wizard, a browser is opened asking if you would like to start the SharePoint Farm Configuration Wizard. If you have been a consultant in Microsoft SharePoint for any period of time, you have certainly heard that using the Farm Configuration Wizard to build anything other than evaluation or demo sites isn’t a great idea. I have reviewed many SharePoint Farms out there and a great number have indeed been installed using it. After talking to the client, I often find out that they paid someone to do this and that the engagement often took weeks. One of the benefits of the Farm Configuration Wizard is that pretty much anyone can run it without knowing anything about Microsoft SharePoint and have things up and running. The bad part about it is that pretty much anyone can run it without knowing anything about Microsoft SharePoint. But how does one get from something that was not recommended to something better? Here we will talk about the effects of the Farm Configuration Wizard and how to address the issues. What I won’t tell you is whether it is a bad idea or not, because to me, as long as you understand how it configures things, the decision should be yours.

[Image: FCW_1]

Now before we go too far, there is a “right way” and a “wrong way” to run the Farm Configuration Wizard. The wrong way is to use the same Farm Account (aka Data Access Account) to configure all of the services. This is a little tougher to clean up. It is critical that you create a new SharePoint Managed Account. If you do not, the SharePoint Farm Account is used for absolutely everything! You also want to make sure that the account you use for your Farm Account isn’t used by anything else and doesn’t have administration rights to anything. The single exception to this rule is that the Farm Account has to be given Local Admin rights on the server that is going to run the User Profile Synchronization Service. It has to be a Local Admin only during the provisioning.

[Image: FCW_Services]

The first tell-tale sign that the Farm Configuration Wizard was used to create your farm is the name of the databases. The wizard appends a GUID to each database name. While it is quite ugly, technically there is nothing wrong with it. If a service is provisioned multiple times, it would take some work (or Windows PowerShell) to determine which database went with which service.

[Image: FCW_Databases]

The nice thing about the database naming convention of the Farm Configuration Wizard is that now I have a pretty good idea of how the rest of the farm is configured without having to look at much. My biggest issue with this type of install in a production environment is that there is a good chance that:

  • Everything is built as non-encrypted SharePoint sites.
  • The SharePoint Services and the SharePoint Web Content Applications are using a shared account.
  • The wizard assigns ALL of the services to the same Application Pool, which is not bad in itself; however, one of these services is the Secure Store Service. Microsoft makes the following recommendation: “Because Secure Store deals with sensitive information, we recommend that you use a separate application server just for the Secure Store Service for better security.”

In reality, I’m not sure either of the last two bullets actually provides any additional security, as getting the credentials of a Managed Account is fairly simple. If everything is being hosted over non-encrypted websites, security probably isn’t your priority anyway ~ though it should be!

[Image: FCW_IIS]

The next service to review is Enterprise Search. The Farm Configuration Wizard has configured the Search Content account as the Services Account. This really isn’t that big of an issue as you would most likely need to come in and change this no matter how the service was built. The key here is that:

  • The Search Content account will need to have permissions to read content on your network if you want it searched. This means that you wouldn’t want to use a SharePoint Managed Account to do this because of the ease of gaining these credentials. In addition, the Search Content account doesn’t honor the Managed Account contract anyway, which means that if you change the account password, Search will be broken until you come in and change the Search Content account.
  • The User Profile Service Application (UPA) is also configured for the Service Account to search people, so once you fix the Search Content account, that must be updated in the UPA as well. I have seen several references that say you should delete the UPA and recreate it, but no one says why so I doubt the validity of that statement in the 2013 product. I’ll look more into this.

So in wrapping up, the Farm Configuration Wizard is more of a security hole than anything; it is far removed from the least-privilege model, but the wizard isn’t designed for security. It is designed to help get you up and running quickly. While the wizard is able to use an additional account other than the Farm Account, many implementations do not exercise this, so the Farm Account is overused. When a separate account is used, it too gets used for a little more than it should. No matter how you look at it, Microsoft SharePoint requires some planning beyond just running the wizard. Once this is done, Central Administration and the other web applications should be served over SSL. If the sites aren’t being exposed outside, then this is even easier since a domain CA will function just fine.
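As an added example that is not part of the original post, the following read-only Windows PowerShell audit checks a farm for the symptoms described above: GUID-suffixed databases, service application pools running as the Farm Account, services stacked in one application pool, web applications without an https URL, and the Search default content access account. It uses standard SharePoint 2013 cmdlets; the variable names and the GUID pattern are my own, and it assumes it is run in the SharePoint Management Shell by a farm administrator.

```powershell
# Added audit script, not from the original post. Read-only: it reports, it
# does not change the farm. Run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The Farm (Data Access) Account; ideally used by nothing but the farm itself
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name

# 1. GUID suffix on database names is the tell-tale sign of the wizard.
#    Pattern (my own) matches a GUID with or without dashes at the end of the name.
$guidSuffix = '[0-9a-f]{8}-?([0-9a-f]{4}-?){3}[0-9a-f]{12}$'
Write-Host "`n== Databases with a GUID suffix =="
Get-SPDatabase |
    Where-Object { $_.Name -match $guidSuffix } |
    Select-Object Name, Type, NormalizedDataSource |
    Format-Table -AutoSize

# 2. Service application pools that run as the Farm Account (the "wrong way")
Write-Host "== Service application pools running as the Farm Account ($farmAccount) =="
Get-SPServiceApplicationPool |
    Where-Object { $_.ProcessAccountName -eq $farmAccount } |
    Select-Object Name, ProcessAccountName |
    Format-Table -AutoSize

# 3. How many service applications share each application pool
#    (Secure Store should not sit in a pool shared with everything else)
Write-Host "== Service applications per application pool =="
Get-SPServiceApplication |
    Where-Object { $_.ApplicationPool } |
    Group-Object { $_.ApplicationPool.Name } |
    Select-Object Count, Name, @{ n = 'Services'; e = { ($_.Group | ForEach-Object { $_.DisplayName }) -join ', ' } } |
    Format-Table -AutoSize -Wrap

# 4. Web applications, including Central Administration, with non-https URLs
Write-Host "== Alternate access mappings not using https =="
Get-SPWebApplication -IncludeCentralAdministration |
    ForEach-Object {
        $wa = $_
        foreach ($aam in $wa.AlternateUrls) {
            if ($aam.IncomingUrl -notlike 'https://*') {
                [pscustomobject]@{ WebApplication = $wa.DisplayName; Zone = $aam.Zone; Url = $aam.IncomingUrl }
            }
        }
    } | Format-Table -AutoSize

# 5. Search default content access account; if it equals a service account
#    or the Farm Account, it needs to be changed (and the UPA updated too)
Write-Host "== Search default content access account =="
Get-SPEnterpriseSearchServiceApplication |
    Select-Object DisplayName, DefaultGatheringAccount |
    Format-Table -AutoSize
```

Anything listed under sections 2 and 4 is the first thing to fix; an empty result for section 1 does not prove the wizard was not used, only that the databases have since been renamed.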

SharePoint 2013 Ports, Proxies and Protocols Diagram

Lesson: You should know which ports, proxies, and protocols are needed for your particular scenario. Include them in your documentation!

Marek Samaj created a diagram of the Microsoft SharePoint 2013 ports, proxies, and protocols and did a fantastic job. I am posting the diagram here so that I have it with other information that I use often.

[Diagram: SharePoint 2013 Ports, Proxies and Protocols]

Marek Samaj: Original Source