Plan security for an external anonymous access environment (Windows SharePoint Services)
Applies To: Windows SharePoint Services 3.0
Topic Last Modified: 2009-04-15
In this article:
Protect back-end servers
Configure anonymous access
Secure the Central Administration site
Disable incoming e-mail
Secure design checklist
Plan security hardening for server roles
Plan secure configurations for Windows SharePoint Services features
Security guidance for an external anonymous access environment is intended to allow anonymous access to content while protecting back-end servers in the farm from direct user access or malicious actions directed through front-end Web servers. In an environment where multiple farms might be deployed to support authoring, staging, and publishing, this guidance applies to the published farm (the farm that users access anonymously).
There are several unique recommendations for an external anonymous access environment. Some of these recommendations might not be practical for all solutions.
Protect back-end servers
Hosting sites for anonymous use requires Internet-facing servers. You can limit the exposure to traffic from the Internet by protecting back-end servers, including application servers (search) and servers that host databases:
Protecting database servers: At a minimum, place a firewall between front-end Web servers and servers that host databases. Some environments dictate that database servers be hosted in an internal network instead of directly in an extranet environment.
Protect the index role: The index component communicates through a front-end Web server to crawl content in sites. To protect this communication channel, consider configuring a dedicated front-end Web server for use by one or more index servers. This isolates crawling communication to a front-end Web server that is not accessible to users. Additionally, configure Internet Information Services (IIS) to restrict SiteData.asmx (the crawler SOAP service) to allow only the index server (or other crawlers) to access it. Providing a front-end Web server dedicated to content crawling also improves performance by reducing the load on the main front-end Web servers, thereby improving the user experience.
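One way to confirm that the SiteData.asmx restriction is in effect is to audit the front-end Web servers' IIS W3C logs for requests to the crawler service from any host other than the index server. The following is an added example, not part of the original guidance; the allowlisted address, the request paths, and the log lines are constructed for illustration.

```python
"""Audit IIS W3C logs for SiteData.asmx requests from hosts other than the index server."""
from ipaddress import ip_address

# Assumptions for this example: the crawler allowlist and log lines are constructed.
INDEX_SERVERS = {ip_address("10.0.5.20")}
CRAWLER_ENDPOINT = "/sitedata.asmx"  # matched as a case-insensitive suffix of cs-uri-stem

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2009-04-15 08:00:01 POST /_vti_bin/SiteData.asmx 10.0.5.20 200
2009-04-15 08:00:07 GET /default.aspx 203.0.113.9 200
2009-04-15 08:01:12 POST /_vti_bin/sitedata.asmx 203.0.113.9 200
2009-04-15 08:01:30 POST /sites/hr/_vti_bin/SiteData.asmx 198.51.100.4 403
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-04-15 09:10:00 198.51.100.4 POST /_vti_bin/SiteData.asmx 401
"""

def audit(log_text, allowed=INDEX_SERVERS):
    """Return (served, blocked): requests to the crawler service from
    non-allowlisted clients that IIS answered (status < 400) or refused."""
    fields, served, blocked = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                            # truncated or corrupt record
        rec = dict(zip(fields, values))
        try:
            stem, client = rec["cs-uri-stem"], ip_address(rec["c-ip"])
            status = int(rec["sc-status"])
        except (KeyError, ValueError):
            continue                            # field not logged or unparsable
        if not stem.lower().endswith(CRAWLER_ENDPOINT) or client in allowed:
            continue
        hit = (rec.get("date"), rec.get("time"), str(client), stem, status)
        (served if status < 400 else blocked).append(hit)
    return served, blocked

if __name__ == "__main__":
    served, blocked = audit(SAMPLE_LOG)
    for hit in served:
        print("RESTRICTION GAP:", *hit)
    print(f"{len(blocked)} request(s) from other hosts were refused")
```

Any entry in the first list means a host other than the index server received a response from the crawler service, so the IIS restriction is missing or incomplete on that front-end Web server.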
Configure anonymous access
For content to be available for anonymous access, the following must be configured:
The site or site collection must be configured to allow anonymous access.
At least one zone in the Web application must be configured to allow anonymous access.
Enable anonymous access only for Web applications that require unauthenticated access. If you want to use authentication for personalization, implement forms authentication by using a simple database authentication provider.
Secure the Central Administration site
Because external users have access to the network zone, it is important to secure the Central Administration site to block external access and secure internal access:
Ensure that the Central Administration site is not hosted on a front-end Web server.
Block external access to the Central Administration site. This can be achieved by placing a firewall between front-end Web servers and the server that hosts the Central Administration site.
Configure the Central Administration site by using Secure Sockets Layer (SSL). This ensures that communication from the internal network to the Central Administration site is secured.
Disable incoming e-mail
Do not use e-mail integration for incoming e-mail. This protects your environment from risks associated with e-mail sent from anonymous sources on the Internet. If you do allow incoming e-mail, configure the Central Administration site to enable anonymous e-mail. While this option is available, it is not very secure.
Secure design checklist
Use this design checklist together with the checklists in Review the secure topology design checklists (Windows SharePoint Services).
Topology
[ ] | Protect back-end servers by placing at least one firewall between front-end Web servers and the application and database servers. |
[ ] | Plan a dedicated front-end Web server for crawling content. Do not include this front-end Web server in the end-user front-end Web rotation. |
Logical architecture
[ ] | Enable anonymous access only for Web application zones that host sites or site collections that are configured to allow anonymous access. For more information, see Plan authentication methods (Windows SharePoint Services). |
[ ] | Use SSL to secure content deployment. |
[ ] | Block access to the Central Administration site and configure SSL for the site. |
Plan security hardening for server roles
The following table describes additional hardening recommendations for an external anonymous access environment.
Component | Recommendation |
---|---|
Ports | Block external access to the port for the Central Administration site. |
Protocols | Disable SMTP. |
IIS | If you are configuring a dedicated front-end Web server for indexing, configure IIS to restrict SiteData.asmx (the crawler SOAP service) to allow only the index server (or other crawlers) to access it. |
Plan secure configurations for Windows SharePoint Services features
No additional guidance is recommended for this environment.