SharePoint University

WSS 3 as an Internet Web Site

Last post 10-03-2008 8:20 AM by cboyd0319. 8 replies.
  • 05-07-2008 5:25 AM

    WSS 3 as an Internet Web Site

    Hello All,

    I am searching for articles on TechNet and other resources about "What do I need to implement WSS as an Internet Site?".

    I did some Form Authentication and I know how to use my domain name to direct to my site, but I just need to know what I need to do before that.

    What should I do to harden the server? What are the pre-steps before I direct my domain name to the WSS server?

    If someone knows where I can read about it, I will be glad to hear.

    Thanks in advance,

    oh, and btw, I don't use AD.

  • 05-07-2008 9:37 AM In reply to

    Re: WSS 3 as an Internet Web Site

    1st, do you have the ability to get an ISA server?  That would be the best security for an external-facing SharePoint site.  Next, I would purchase an SSL certificate from Verisign and set up the site to include SSL (port 443) so that the forms based authentication passwords don't get sent via clear text.  Then I would follow the steps in TechNet for securing an Extranet (http://technet.microsoft.com/en-us/library/cc287860.aspx).  Specifically look at the Roadmap to security content for Windows SharePoint Services.


    HTH,

    Jeremy

    Jeremy Woods - MCSE, MCSA, MCP
    jeremy.woods@woodssongproductions.com
  • 05-07-2008 12:23 PM In reply to

    Re: WSS 3 as an Internet Web Site

    Thanks Jeremy.

    I don't have any chance to deploy an ISA server although it sounds tempting :)

    Except that, SSL, well, it isn't THAT necessary in this case, but I guess that my scenario is quite typical.

    I have a workstation computer with Win 2003 Server, IIS, SMTP server (relaying to another computer) and of course WSS 3 with a few Team sites on it.

    I am searching for a "kind-of" check list that I need to do like: Selecting/Deselecting features and functions on IIS, on WSS Central administration and stuff like that.

    I am sure that there are other people who want to put their WSS server online and just have a nice Web Site.

    The roadmap on TechNet is talking about server farms etc. I only have a computer with WSS 3 and SQL Express :)

    Any ideas?

  • 05-07-2008 2:02 PM In reply to

    Re: WSS 3 as an Internet Web Site

    I would create two different zones in the WSS Admin, one for the internal network and one that has anonymous access enabled for external access.  I would then set up FBA with the users that will be editing the WSS site...

    Here is what I did for the extranet that I was developing...

     

    1. Create a database that will store all the information, credentials, roles, and users for the forms based authentication site.
      a. Run "%windir%\Microsoft.Net\Framework\v2.0.50727\aspnet_regsql.exe"
      b. Follow the online prompts choosing your Database server, and the Database name
    2. Configure Membership & Role Providers
      a. Open Visual Studio 2005
      b. Create a new ASP.NET Web Site
      c. Add a connection string to the web.config file (see sidebar)
      d. Under <system.web>
        1. Add the membership provider to the web.config file (see sidebar)
        2. Add the role provider to the web.config file (see sidebar)
      e. Things to take note on
        1. Name and connectionString
          1. Default entries are in machine.config
          2. Make sure that your names are unique
      f. Launch ASP.NET 2.0 Web Administration site from VS2005 (Website --> ASP.NET Configuration)
      g. Switch from Integrated Authentication to Forms Authentication
        1. Select "Security"
        2. Select "Select Authentication Type" in Users container
        3. Select "From the Internet"
        4. Select "Done"
      h. Create a User
        1. Select "Security"
        2. Select "Create User"
        3. Enter in Username, Password, Email, etc.
      i. Test the providers
        1. Select "Provider" tab
        2. Select "Select a Different Provider For Each Feature (Advanced)"
        3. Select "Test" for the provider that was created
    3. Create Web applications for each type of Authentication needed
      a. Intranet
        1. Create a Web Application
        2. Set the "Load Balanced URL Zone" to Default
      b. Internet
        1. Extend a Web Application
        2. Select the original web application to the Intranet site
        3. Set the "Anonymous Access" to No
        4. Set the "Load Balanced URL Zone" to Internet
    4. Configure the web applications to communicate with the ASP.NET 2.0 Forms Authentication Data Store
      a. Modify web.config files for Intranet, and Internet
        1. Add the connectionString to each site
          1. Just after the </SharePoint> tag and opening <system.web> tag
        2. Add the membership and role provider markup
          1. Just after the <system.web> tag
      b. Modify web.config file for Central Administration Site
        1. Add the connectionString to each site
          1. Just after the </SharePoint> tag and opening <system.web> tag
        2. Add the membership and role provider markup
          1. Just after the <system.web> tag
          2. Change the <roleManager> tag to: <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
    5. Enable Forms Authentication on the external facing Web Applications
      a. Browse to Central Administration website
      b. Select the Application Management tab
      c. Select Authentication Providers
      d. Select each external facing zone
        1. Authentication Type: Forms
        2. Enable Anonymous Access
        3. Membership Provider Name: WSPSqlMembershipProvider
        4. Role Manager name: WSPRoleProvider
      e. Grant access to the user from above by going to the intranet site and adding the user
      f. Test by going to the site URL and logging in as the user created from above
    6. Enable Anonymous Access
      a. Create a second user in ASP.NET DB for administration of the FBA side of the site
      b. Grant second user Full Control on the site via Web Application policies
        1. Browse to Central Administration website
        2. Select Application Management
        3. Select Policy for Web Application
        4. Select the correct Web Application
        5. Select Add Users from the toolbar
        6. Select the Internet Zone or the external facing zone
        7. Click Next
        8. Enter in the Administrator user for Choose Users
        9. Select Full Control
        10. Click Finish
      c. Browse to the External facing site
      d. Login using the Administrator account from step b
      e. Select Site Actions - Site Settings
      f. Modify all Site Settings
      g. Select Advanced Permissions
      h. Select Settings then select Anonymous Access
      i. Change Anonymous Access Setting to Entire Web Site and click OK
    7. Configure a section of the site for authenticated users only

     

    I pulled this from Andrew Connell's blog, plus I added a little to what he was talking about...

    Hope this helps.

    Here are the web.config additions that I also made...

    Connection String Sidebar

    <connectionStrings>
      <add name="WSPSqlConnString"
           connectionString="server=[SQLServerName];
                             database=[asnetdb];
                             Integrated Security=SSPI;"
           providerName="System.Data.SqlClient" />
    </connectionStrings>

    Membership Provider Sidebar

    <!-- membership provider -->
    <membership defaultProvider="WSPSqlMembershipProvider">
      <providers>
        <add name="WSPSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider,
                   System.Web,
                   Version=2.0.0.0,
                   Culture=neutral,
                   PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="WSPSqlConnString"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             applicationName="/"
             requiresUniqueEmail="false"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression="" />
      </providers>
    </membership>

    Role Provider Sidebar

    <!-- role provider -->
    <roleManager enabled="true" defaultProvider="WSPRoleProvider">
      <providers>
        <add name="WSPRoleProvider"
             type="System.Web.Security.SqlRoleProvider,
                   System.Web,
                   Version=2.0.0.0,
                   Culture=neutral,
                   PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="WSPSqlConnString"
             applicationName="/" />
      </providers>
    </roleManager>


    HTH...

    Jeremy

    Jeremy Woods - MCSE, MCSA, MCP
    jeremy.woods@woodssongproductions.com
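
An added example (not from the post above or from the blog it cites): a PowerShell check that reads a web.config and reports membership-provider and connection-string settings that weaken an Internet-facing FBA site. The function name `Test-FbaMembershipConfig` and the baselines of 8 characters and 1 symbol are assumptions; the sample XML is constructed from the values posted in the sidebars.

```powershell
# Added example. Baselines ($MinLength, $MinSymbols) are assumptions, not values from the thread.
function Test-FbaMembershipConfig {
    param([xml] $Config, [int] $MinLength = 8, [int] $MinSymbols = 1)
    $findings = @()
    foreach ($p in $Config.SelectNodes('//membership/providers/add')) {
        $name = $p.GetAttribute('name')
        # Omitted attributes fall back to provider defaults; judge explicit values only.
        foreach ($rule in @(
                @{ Attr = 'minRequiredPasswordLength';            Min = $MinLength },
                @{ Attr = 'minRequiredNonalphanumericCharacters'; Min = $MinSymbols })) {
            if ($p.HasAttribute($rule.Attr) -and [int]$p.GetAttribute($rule.Attr) -lt $rule.Min) {
                $findings += "${name}: $($rule.Attr)=$($p.GetAttribute($rule.Attr)), want >= $($rule.Min)"
            }
        }
        if ($p.HasAttribute('passwordFormat') -and $p.GetAttribute('passwordFormat') -ne 'Hashed') {
            $findings += "${name}: passwordFormat is not Hashed (stored passwords are recoverable)"
        }
        if ($p.GetAttribute('enablePasswordRetrieval') -eq 'true') {
            $findings += "${name}: enablePasswordRetrieval is on"
        }
    }
    # SQL logins embedded in web.config are readable by anyone who can read the file.
    foreach ($c in $Config.SelectNodes('//connectionStrings/add')) {
        if ($c.GetAttribute('connectionString') -match '\b(password|pwd)\s*=') {
            $findings += "$($c.GetAttribute('name')): connection string embeds a password"
        }
    }
    return $findings
}

# Constructed sample using the values posted in the thread.
$sample = [xml]@'
<configuration>
  <connectionStrings>
    <add name="WSPSqlConnString" connectionString="server=[SQLServerName];database=[asnetdb];Integrated Security=SSPI;" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="WSPSqlMembershipProvider">
      <providers>
        <add name="WSPSqlMembershipProvider" passwordFormat="Hashed" enablePasswordRetrieval="false"
             minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" />
      </providers>
    </membership>
  </system.web>
</configuration>
'@
Test-FbaMembershipConfig -Config $sample
```

To audit a deployed site, pass the file instead of the sample, for example `[xml](Get-Content <path to web.config>)`, once for each zone's web.config.
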
  • 05-13-2008 4:13 AM In reply to

    Re: WSS 3 as an Internet Web Site

    Hey Jeremy,

    Thanks for answering.

    Actually, I know how to use FBA (but always happy to learn more :) )

    I need help with hardening the WSS server.

    Securing the IIS and stuff like this.

    I have an article about hardening but I don't know what is relevant for WSS.

  • 10-02-2008 2:33 PM In reply to

    Re: WSS 3 as an Internet Web Site

     The NSA has some fairly good documentation on how to harden servers:

    http://www.nsa.gov/SNAC/

     

    Give this a shot.

     

    Be careful though. Following these guidelines too closely might lock your server down too much.

  • 10-02-2008 4:42 PM In reply to

    Re: WSS 3 as an Internet Web Site

     Thanks Mate.

    I will give it a shot.

    Have a good weekend.

  • 10-03-2008 6:43 AM In reply to

    Re: WSS 3 as an Internet Web Site

    Why not try Microsoft Baseline Security Analyzer? I've used it to harden/audit a number of servers (SharePoint and otherwise) - it automates a lot of the stuff you used to check by hand in the NT4 days ;)

  • 10-03-2008 8:20 AM In reply to

    Re: WSS 3 as an Internet Web Site

    I'm just an old-school DoD admin.

     Plus, the MBSA is nice, but it can only really tell you if you have weak passwords or if your server isn't patched. It doesn't have you change DCOM settings, modify registry keys, make changes to the local security policy, etc.

    The MBSA is fine if you're trying to tighten up a machine on an Internal network. For anything External, I trust the NSA guides.

     

Forum content (c) original posters. Everything else (c) 2008 SharePoint Experts, Inc.