Managing Security and Accessibility for your SharePoint Extranet
May 30, 2012
Although most organizations’ initial implementations of SharePoint are internally-focused intranets or collaboration sites, many soon have the desire to create extranets to extend their SharePoint use beyond their corporate boundaries. Extranets can be extremely useful for providing access to vital but non-public information to employees who work off-site; sharing project-related information with customers, partners or vendors; and more. Just like intranets, your SharePoint extranets can even be branded with your company’s look and feel (for more information, see our previous two-part blog on Branding Your SharePoint Site).
Two Key Extranet Issues: Security and Accessibility
When you use SharePoint on your internal network it is protected by your corporate firewalls. As soon as you create an extranet and make potentially sensitive information available externally, however, security becomes a major concern. The question becomes: How do you protect information while still making it accessible? The answer is to do the following:
- Use Dedicated Servers – For maximum security, your extranet should be set up on separate, dedicated servers that are only used for the extranet. Although not as secure, your extranet can also be hosted on partitioned internal servers. In this case, be sure to follow Microsoft’s security recommendations.
- Authenticate All Users – Who are the people that are requesting access to your extranet, and how do you know that they are who they claim to be? For intranets, the accounts through which users are authenticated are usually held in Active Directory. For extranets, we generally recommend one of four main options:
  - Active Directory – Set up a separate Active Directory just for your extranet. In this case you’ll be responsible for setting up the accounts, managing the passwords, providing assistance to those who forget their passwords, etc. If you choose to go this route you may want to take advantage of one of the many third party account management software solutions that provide the forms, processes, etc. to make implementation easier.
  - Local SQL Database – Less complex to set up and maintain than Active Directory, but still requires your company to host and manage the authentication accounts internally.
  - LiveID – For those who do not want to manage the accounts internally, Microsoft’s LiveID authentication service can be a good solution. While the accounts are all managed externally by Microsoft, you will still need to map these external IDs into your SharePoint IDs.
  - Active Directory Federation Services (ADFS) – For situations in which an extranet is set up specifically to share information between your organization and a partner organization, ADFS can be used. ADFS enables logins to be shared between two organizations, so that the request for authentication gets passed back to the external organization’s Active Directory servers.
- Control Access through Authorization – While authentication verifies a user’s identity, authorization verifies that a given user is authorized to access a given piece of information. This is managed in the same way that it is for internal SharePoint sites: by the site owner. Site owners are responsible for setting up the policies for granting access to different folders, sites or pieces of information based on information in the user’s account.
- Restrict Information Use Through Rights Management – Rights management can be used to restrict how the information in a given file can be used. For example, you may want to enable someone to view a file but restrict them from altering it, printing it out or emailing it to someone else.
Microsoft’s Information Rights Management (IRM) integrates with Office documents and can be used to set policies regarding what is allowed to be done with particular files. It also integrates with SharePoint, enabling you to configure the rights policies for entire SharePoint folders. In addition, IRM allows you to specify different rights for different groups of users.
It should be noted, however, that the IRM technology does not provide 100% protection. For example, your IRM policies cannot prevent a person from taking a screenshot – or even a photograph – of a document and forwarding or printing that image. It also won’t prevent a person from handwriting the words that are on the screen and keeping a record in that way.
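The ADFS option above amounts to making SharePoint trust a partner's ADFS as a claims identity provider. The following script is an added example written for this post, not code from the original article or from Microsoft; it assumes a SharePoint 2010/2013 Management Shell on the extranet farm, a partner ADFS whose token-signing certificate has been exported to a local file, and placeholder names, URLs, the realm identifier and the managed account, all of which you would replace with your own.

```powershell
# Added example (not part of the original post). Placeholders: certificate
# path, realm, ADFS sign-in URL, web application URL and managed account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Token-signing certificate exported from the partner's ADFS (assumed path).
$partnerCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    "C:\certs\partner-adfs-signing.cer")

# Claims the partner's ADFS will send. E-mail is used as the identifier
# claim, so SharePoint identifies each user by the address the partner's
# Active Directory asserts, which is what the "mapping external IDs" step means.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# The realm must match the relying-party identifier configured on the
# partner's ADFS; tokens issued for any other realm are rejected.
$realm     = "urn:sharepoint:extranet"
$signInUrl = "https://adfs.partner.example/adfs/ls"

$issuer = New-SPTrustedIdentityTokenIssuer -Name "Partner ADFS" `
    -Description "Federated logins from the partner organization" `
    -Realm $realm -ImportTrustCertificate $partnerCert `
    -ClaimsMappings $emailClaim, $roleClaim `
    -SignInUrl $signInUrl -IdentifierClaim $emailClaim.InputClaimType

# SharePoint only accepts tokens signed by certificates it trusts explicitly.
New-SPTrustedRootAuthority -Name "Partner ADFS Signing" -Certificate $partnerCert

# Create the extranet web application with claims authentication, offering
# the trusted issuer only (no Windows authentication exposed externally).
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
New-SPWebApplication -Name "Extranet" -ApplicationPool "ExtranetAppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\svc-extranet") `
    -Url "https://extranet.example.com" -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $provider
```

Two checks worth running afterwards: `Get-SPTrustedIdentityTokenIssuer` should list the issuer with the expected realm and identifier claim, and the partner's relying-party trust must send the e-mail claim for every user, since a user without that claim cannot be mapped to a SharePoint identity and will be refused.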
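The authorization and rights-management items above come together when a site owner sets up a document library for partner users. The script below is an added example written for this post, not code from the original article or from Microsoft; it assumes a SharePoint 2010/2013 Management Shell, a placeholder site URL, library name and group name, and that the farm's IRM integration has already been enabled in Central Administration. `IrmEnabled` and `IrmReject` are documented `SPList` properties; the finer-grained `IrmSettings` property names (`AllowPrint`, `AllowWriters`, `DocumentAccessExpireDays`, and so on) are assumed from the server object model and should be checked against your farm's version.

```powershell
# Added example (not part of the original post). Site URL, library and
# group names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web  = Get-SPWeb "https://extranet.example.com/sites/partner-project"
$list = $web.Lists["Shared Documents"]

# Authorization: stop inheriting permissions so members of the parent site
# do not automatically see the partner library. $false = do not copy the
# parent's role assignments, so the library starts with no access at all.
$list.BreakRoleInheritance($false)

# A dedicated group for partner users, granted the built-in "Read" level
# and nothing more (least privilege for external accounts).
$group = $web.SiteGroups | Where-Object { $_.Name -eq "Partner Readers" }
if ($group -eq $null) {
    $web.SiteGroups.Add("Partner Readers", $web.Site.Owner, $web.Site.Owner,
                        "External partner users, read-only")
    $group = $web.SiteGroups | Where-Object { $_.Name -eq "Partner Readers" }
}
$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
$assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
$list.RoleAssignments.Add($assignment)

# Rights management: downloaded copies stay protected; readers can open
# a file but cannot print, edit or run macros, and access expires.
$list.IrmEnabled = $true
$list.IrmReject  = $true        # refuse uploads of formats IRM cannot protect
$irm = $list.IrmSettings        # assumed property names, see lead-in
$irm.PolicyTitle       = "Partner project - confidential"
$irm.PolicyDescription = "View only; no printing or editing outside SharePoint"
$irm.AllowPrint   = $false
$irm.AllowScript  = $false
$irm.AllowWriters = $false
$irm.EnableDocumentAccessExpire = $true
$irm.DocumentAccessExpireDays   = 30
$list.Update()

# Verify who can do what on the library before handing it to the partner.
foreach ($ra in $list.RoleAssignments) {
    $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
    "{0}: {1}" -f $ra.Member.Name, $roles
}
$web.Dispose()
```

The verification loop at the end is the step most often skipped: after breaking inheritance, the only principal listed should be the partner group with "Read", and any leftover assignment (for example an "Everyone" or authenticated-users entry copied from a template) is exactly the kind of over-broad access the authorization item warns about. The IRM block limits what the Office client will allow, which, as the post notes, does not stop screenshots or photographs.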
Many organizations find SharePoint extranets extremely useful. The capabilities are the same as what is available for intranets; the difference is the audience and how they gain access. Properly managing security and accessibility enables you to make the most of your company’s extranet sites.
Lance Elworth, SharePoint Architect