So you’re thinking about a SharePoint 2013 internet-facing deployment (IFD)? But just how secure is it? Well, the short answer is: very secure. However, there are some things that you might want to consider before chucking that web front-end server into your DMZ.
Firstly, put this phrase at the top of your draft planning document: “A door is always less secure than a wall”. It’s a cliché, but repeat that in every design decision you make and actually think about it. What are you opening, why are you opening it, what is the risk and do you actually need it? Yes, you already know that SharePoint has a wealth of great and powerful features. But realistically, which ones do you actually need in your IFD?
If you have adopted a least-privilege security model for SharePoint (and I really hope you have!) then good for you. But your security is only as good as the weakest component – what about the domain password policy and complexity requirements for your service accounts? What malware protection are you running on those servers? How isolated is the network topology, and what are the response procedures once malicious activity is detected?
Authentication providers! Sadly, I’ve had people literally yawn at me when I raise this topic. But it’s such an important concept, and if you got this far into the post then you’re probably nodding right now, not yawning. For the non-2013 among you, Classic-mode authentication is now deprecated (thank you Microsoft!), and if you are on 2007 or earlier, you should include migrating to Claims-based authentication in your upgrade route to 2010 or 2013. I won’t go into the depth and breadth of the wider authentication concept, mainly to keep this post short, but please promise that you will not deploy an IFD without giving this some thought, and that you have read this Microsoft TechNet article.
I’ve seen some oversights in SharePoint IFDs, and unless absolutely crucial, the common ones you will want to avoid are: disabling CRL checks, adding HOSTS entries, disabling the loopback check, applying no Group Policies and (worst of all) skipping firewall rules.
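As an added illustration (not code from the original post, nor a risual tool), here is a read-only audit script that checks a SharePoint 2013 web front-end for each of the oversights just listed, and also flags any web application still running Classic-mode rather than claims-based authentication from the previous section. It assumes Windows Server 2012 or later (for Get-NetFirewallProfile and Get-CimInstance), the .NET 4 machine.config and the SharePoint virtual directories in their default locations, and the SharePoint PowerShell snap-in being present if you want the authentication-mode check; the PASS/FAIL/WARN/SKIP labels and the Add-Finding helper are my own.

```powershell
# Added example, not from the original post: read-only audit of a SharePoint 2013
# WFE for the IFD oversights discussed above plus the web application auth mode.
# Assumes Windows Server 2012+, default .NET 4 / SharePoint paths, and that the
# SharePoint snap-in loads on this host. Run elevated; nothing is modified.

$script:Findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $script:Findings.Add(('{0,-34} {1,-4} {2}' -f $Check, $Status, $Detail))
}

# 1. Loopback check. DisableLoopbackCheck=1 removes the protection against
#    authenticating to the local machine under an alias. If a host header must
#    resolve locally, BackConnectionHostNames allows just that name instead.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.DisableLoopbackCheck -eq 1) {
    Add-Finding 'Loopback check' 'FAIL' 'DisableLoopbackCheck=1 (prefer BackConnectionHostNames)'
} else {
    Add-Finding 'Loopback check' 'PASS' 'loopback check left enabled'
}

# 2. HOSTS entries. Any uncommented line overrides DNS; on a DMZ WFE that usually
#    means a web app pinned to itself or a CRL host nulled out. Review each one.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsEntries = @(Get-Content $hostsPath | Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') })
if ($hostsEntries.Count -gt 0) {
    Add-Finding 'HOSTS file' 'WARN' ('{0} manual entries: {1}' -f $hostsEntries.Count, ($hostsEntries -join '; '))
} else {
    Add-Finding 'HOSTS file' 'PASS' 'no manual entries'
}

# 3. CRL checks. <generatePublisherEvidence enabled="false"/> in machine.config
#    or a web.config is the usual way revocation checking gets switched off.
$configFiles = @(Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\CONFIG\machine.config')
$configFiles += @(Get-ChildItem 'C:\inetpub\wwwroot\wss\VirtualDirectories\*\web.config' -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty FullName)
$crlOff = foreach ($file in $configFiles) {
    if (Test-Path $file) {
        [xml]$cfg = Get-Content $file -Raw
        $node = $cfg.SelectSingleNode('//runtime/generatePublisherEvidence')
        if ($node -and $node.enabled -eq 'false') { $file }
    }
}
if ($crlOff) {
    Add-Finding 'CRL checks' 'FAIL' ('publisher evidence disabled in: ' + ($crlOff -join '; '))
} else {
    Add-Finding 'CRL checks' 'PASS' 'no generatePublisherEvidence override found'
}

# 4. Group Policy. RSoP lists the GPOs applied to the computer; if only the
#    local policy shows up, the domain is not enforcing anything on this server.
$gpos = @(Get-CimInstance -Namespace 'root\rsop\computer' -ClassName RSOP_GPO -ErrorAction SilentlyContinue |
          Where-Object { $_.name -ne 'Local Group Policy' })
if ($gpos.Count -eq 0) {
    Add-Finding 'Group Policy' 'FAIL' 'no domain GPOs applied to this computer'
} else {
    Add-Finding 'Group Policy' 'PASS' ('{0} domain GPO(s) applied' -f $gpos.Count)
}

# 5. Windows Firewall. A DMZ server needs every profile on, not just the one it
#    happens to be in today.
foreach ($fwProfile in Get-NetFirewallProfile) {
    $status = if ($fwProfile.Enabled -eq 'True') { 'PASS' } else { 'FAIL' }
    Add-Finding "Firewall profile ($($fwProfile.Name))" $status "Enabled=$($fwProfile.Enabled)"
}

# 6. Authentication mode. Classic-mode web applications are the ones still to be
#    migrated to claims; skip cleanly if this host has no SharePoint snap-in.
if (-not (Get-Command Get-SPWebApplication -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
}
if (Get-Command Get-SPWebApplication -ErrorAction SilentlyContinue) {
    foreach ($webApp in Get-SPWebApplication) {
        $status = if ($webApp.UseClaimsAuthentication) { 'PASS' } else { 'FAIL' }
        Add-Finding "Auth mode ($($webApp.DisplayName))" $status ('UseClaimsAuthentication=' + $webApp.UseClaimsAuthentication)
    }
} else {
    Add-Finding 'Auth mode' 'SKIP' 'SharePoint snap-in not available on this host'
}

$script:Findings
"`n{0} finding(s) marked FAIL" -f @($script:Findings | Where-Object { $_ -match ' FAIL ' }).Count
```

HOSTS entries are reported as WARN rather than FAIL because a handful are sometimes justified on an isolated WFE; the point is that every one of them should be a documented decision, not a leftover from troubleshooting. Everything else in the list maps to a straight PASS/FAIL, which makes the script easy to drop into a build checklist and re-run after each change window.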
Here at risual, we take security seriously. We take the protection of your data even more seriously. If you feel you might have missed something or would like some assurance from a crack team of heavily experienced and certified consultants, get in touch!