Monthly Archives: December 2009

Understanding SharePoint Application Security and Elevating Privileges

This post was prompted by a particularly challenging bit of security that I needed to work through: I needed some way of presenting the status of a Content Deployment Job (configured in Central Administration) in the Web Application that it relates to.

Seems pretty straightforward?
Well, it's not, and this article will hopefully explain why.

RunWithElevatedPrivileges and Application Pool Accounts
So the first thing I looked at was using the good old SPSecurity.RunWithElevatedPrivileges method. This is a well-known (and on occasion heavily used) practice for getting around security in SharePoint. But does everyone understand exactly what it does?

In a nutshell, this method switches the thread from impersonating the currently logged-in user to the identity of the worker process itself, which SharePoint presents as an account called "SHAREPOINT\system" (a.k.a. "System Account").

This account doesn't actually exist, and anyone inspecting the WindowsIdentity or SPUser object in any great detail will spot that it doesn't have a valid SID (Security Identifier). It is a placeholder: a flag in SharePoint that tells it to act as the Application Pool Account instead of the currently logged-in user.

The Application Pool Account has full SharePoint permissions to its Web Application (effectively making it a Site Collection Administrator in every single Site Collection that the Web Application hosts).

So what does this actually mean?

SQL Server Permissions
Believe it or not, SQL Server permissions in SharePoint are extremely simple.

Taking the 3 core databases for each SharePoint Farm:

1. Farm Configuration Database
This contains the core configuration information (servers, URLs, accounts) for the entire SharePoint Farm.

The Setup Account has db_owner permissions (it created the database, so it is the database owner), as does the Farm account, which runs the Central Administration application pool and the timer service.

All application pool accounts are added to a database role called WSS_Content_Application_Pools, which has severely locked-down read privileges.

2. Central Administration Content Database
This is effectively the content database for the Central Administration site. It contains the SPSite / SPWeb / SPList objects that store all of the content-related settings (including Content Deployment Jobs).

Again, the Setup Account and the Farm account (which incidentally is the account running the Central Administration Application Pool!) have db_owner permissions.

All application pool accounts are added to the same WSS_Content_Application_Pools role, with the same severely locked-down read privileges.

3. Web Application Content Database
This is the database (or multiple databases) that contain the Site Collection content for the Web Application.

Here the Application Pool Account (for that specific Web Application) is granted db_owner permissions. No other web application's pool account is given any access to it at all!

That is pretty much it. From a security (and "least privilege") perspective it's a very robust setup: if your application pool is compromised then the application pool account only has SQL permissions to its own content database (plus the locked-down read access that every pool account gets to the configuration databases).

According to best practice, every Web Application should have its own application pool account, which again makes sense in the model above, limiting the attack surface (one web application being compromised would not give an attacker anything in the other web applications' databases).

This should also make it obvious why you should never make an Application Pool Account a Local or Farm Administrator! You are essentially breaking the security model if you do this (and massively widening the attack surface of your system if that account is ever compromised!).
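The model above is easy to state and easy to drift away from (a "temporary" db_owner grant during a migration, a pool account added to sysadmin to make an error go away). As an added example, not code from the original post or from SharePoint, here is a small audit that reads role membership from each database's catalog views and reports any db_owner member that is not one of the accounts you expect there. Server, database and account names are placeholders; it assumes it is run as an account that can connect to each database (a db_owner member or a SQL sysadmin can).

```csharp
// Added example, not from the original post. Audits db_owner and
// WSS_Content_Application_Pools membership in each SharePoint database.
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

public static class SharePointDbRoleAudit
{
    // Catalog views are readable by any login that can connect to the database.
    private const string RoleMembersSql = @"
        SELECT r.name AS role_name, m.name AS member_name
        FROM sys.database_role_members AS drm
        JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
        JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
        WHERE r.name IN ('db_owner', 'WSS_Content_Application_Pools')
        ORDER BY r.name, m.name;";

    // role name -> member names, exactly as SQL Server reports them for one database.
    public static Dictionary<string, List<string>> GetRoleMembers(string server, string database)
    {
        string cs = string.Format("Data Source={0};Initial Catalog={1};Integrated Security=SSPI;", server, database);
        var roles = new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(RoleMembersSql, conn))
        {
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                while (rdr.Read())
                {
                    string role = rdr.GetString(0);
                    List<string> members;
                    if (!roles.TryGetValue(role, out members))
                        roles[role] = members = new List<string>();
                    members.Add(rdr.GetString(1));
                }
            }
        }
        return roles;
    }

    // Any db_owner member not on the expected list is a finding. 'dbo' is the database
    // owner itself (the account that created the database) and is always in db_owner;
    // map it to a login via sys.database_principals.sid if you need the real name.
    public static List<string> FindUnexpectedOwners(string database,
        Dictionary<string, List<string>> roles, IEnumerable<string> expectedOwners)
    {
        var expected = new HashSet<string>(expectedOwners, StringComparer.OrdinalIgnoreCase);
        expected.Add("dbo");
        var findings = new List<string>();
        List<string> owners;
        if (roles.TryGetValue("db_owner", out owners))
            foreach (string owner in owners)
                if (!expected.Contains(owner))
                    findings.Add(string.Format("{0}: unexpected db_owner member '{1}'", database, owner));
        return findings;
    }

    public static void Main()
    {
        const string server = "SQL01";                              // placeholder
        const string farmAccount = "CONTOSO\\sp_farm";              // placeholder: farm account
        const string intranetPool = "CONTOSO\\sp_intranet_pool";    // placeholder: one web app's pool

        // database name -> accounts allowed in db_owner (all placeholders; the
        // Central Admin content database normally carries a GUID suffix).
        var expectations = new Dictionary<string, string[]>
        {
            { "SharePoint_Config",       new[] { farmAccount } },
            { "SharePoint_AdminContent", new[] { farmAccount } },
            { "WSS_Content_Intranet",    new[] { farmAccount, intranetPool } },
        };

        foreach (KeyValuePair<string, string[]> kv in expectations)
        {
            Dictionary<string, List<string>> roles = GetRoleMembers(server, kv.Key);
            List<string> pools;
            if (roles.TryGetValue("WSS_Content_Application_Pools", out pools))
                Console.WriteLine("{0}: WSS_Content_Application_Pools = {1}", kv.Key, string.Join(", ", pools.ToArray()));
            foreach (string finding in FindUnexpectedOwners(kv.Key, roles, kv.Value))
                Console.WriteLine("FINDING " + finding);
        }
    }
}
```

A pool account turning up as db_owner of the configuration or Central Administration content database, or in a content database belonging to a different web application, is exactly the "breaking the security model" case the post warns about.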

NTLM authentication and “Double Hop”
The first thing that should scream at you here is that none of the SharePoint user accounts have ANY permissions in SQL. Every single SQL query from a SharePoint Web Application is executed using the Application Pool account!

The reason for this is clear once you understand the limitations of NTLM authentication.

Basically, when you log in to a SharePoint web site you authenticate with the Web Server (IIS). NTLM proves who you are to IIS, but it never gives IIS anything it could use to authenticate as you to another machine: the impersonation token the worker process ends up with is only good on that box, and if the process tries to open a connection to a remote SQL Server while impersonating you, the connection arrives as NT AUTHORITY\ANONYMOUS LOGON. That is the "single hop" limitation (from one machine, the browser, to another machine, the web server, and no further). For a "double hop" (browser, to web server, to database server) you need Kerberos, with the web application's service account trusted for delegation, so that the web server receives a delegation-level token that it can present on the user's behalf.

Note – This is why you need Kerberos to use pass-through authentication with 3rd party systems (such as CRM or other LOB systems).
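The two points above (what identity RunWithElevatedPrivileges actually gives you, and whether the request's token could ever reach SQL Server as the user) are both things you can check rather than take on trust. The following diagnostic is an added example, not code from the original post: drop it into a web part or page in a SharePoint web application and it reports the thread identity before and inside the elevated delegate, shows why an SPSite opened outside the delegate stays un-elevated, and says what a remote SQL Server would see if a connection were opened at that point. The class and method names are mine; it assumes Windows authentication and the default <identity impersonate="true" /> in the web application's web.config.

```csharp
// Added example, not code from the original post.
using System;
using System.Security.Principal;
using System.Text;
using Microsoft.SharePoint;

public static class ElevationDiagnostics
{
    // Describes the calling thread's identity and what a remote SQL Server using
    // integrated security would see if a connection were opened right here.
    public static string DescribeThread(string label)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        // GetCurrent(true) returns null when the thread is not impersonating,
        // i.e. when it is running on the process (application pool) token.
        bool impersonating = WindowsIdentity.GetCurrent(true) != null;

        string sqlSees;
        if (!impersonating)
            sqlSees = id.Name + " (process identity: the application pool account)";
        else if (id.ImpersonationLevel == TokenImpersonationLevel.Delegation)
            sqlSees = id.Name + " (delegation-level token: Kerberos delegation is configured)";
        else
            sqlSees = "NT AUTHORITY\\ANONYMOUS LOGON (impersonation-level token: NTLM, or Kerberos without delegation; the second hop fails)";

        return string.Format("{0}: thread identity {1}, auth {2}, level {3}; remote SQL would see {4}",
            label, id.Name, id.AuthenticationType, id.ImpersonationLevel, sqlSees);
    }

    // Runs the diagnostic from the SPWeb the caller is currently in.
    public static string Run(SPWeb callerWeb)
    {
        StringBuilder report = new StringBuilder();
        report.AppendLine(DescribeThread("Request"));
        report.AppendLine("Caller's SPWeb.CurrentUser: " + callerWeb.CurrentUser.LoginName);

        string url = callerWeb.Url;   // capture only the URL; the SPWeb itself must not be reused inside
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            report.AppendLine(DescribeThread("Elevated"));

            // An SPSite/SPWeb created outside the delegate keeps the context it was
            // opened with. Only objects opened inside it run as SHAREPOINT\system.
            using (SPSite elevatedSite = new SPSite(url))
            using (SPWeb elevatedWeb = elevatedSite.OpenWeb())
            {
                report.AppendLine("Elevated SPWeb.CurrentUser: " + elevatedWeb.CurrentUser.LoginName); // SHAREPOINT\system
                report.AppendLine("Outer SPWeb.CurrentUser:    " + callerWeb.CurrentUser.LoginName);   // still the caller
            }
            // What did NOT change: SharePoint reaches SQL Server as the application pool
            // account in both branches. Elevation changes the SharePoint user, not the
            // SQL login, which is why it cannot unlock the Central Administration database.
        });
        return report.ToString();
    }
}
```

The "Request" line is the one to look at for the double-hop question: unless it reports a delegation-level token, impersonating the user around a SqlConnection to a remote server will fail in exactly the way the post describes, whatever RunWithElevatedPrivileges does around it.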

That's all great... but why do I care?
Well, this all comes down to where the object you are trying to access actually lives, and what SQL permissions your application pool account has on that database.

Let's take the example of accessing a Content Deployment Job.

The first problem you will hit is that your account needs to be a Farm Administrator. We already know that making the Application Pool account an admin account is bad for security.

So as an alternative you could use ASP.NET impersonation to get past the SharePoint API's own checks, but as we discussed above, this doesn't solve the NTLM "single-hop" problem (your query is still going to execute in SQL using the Application Pool account, regardless of which account you are impersonating!).

Using .NET Reflector (tsk!) tells us that the Content Deployment Job information is stored in an SPList in the Central Administration Content Database. RunWithElevatedPrivileges simply executes using the Application Pool account, which we know from the SQL permissions above has only the locked-down read rights of WSS_Content_Application_Pools in that database.

So let's assume you tried to use impersonation... what happens?

Well, you get a nasty "Exception from HRESULT" error message.
Delving into the SharePoint Diagnostics Logs tells you something like " does not have EXECUTE permissions on 'proc_EnumLists' in ".

Basically, running that code tries to execute a stored procedure in the Central Admin database which the Application Pool Account doesn't have EXECUTE permission on! Your code managed to fool the SharePoint API into thinking you have permissions, but good old SQL Server stops you short (just as it should... good server!).

So what can I do?
Well, the first thing to note is that you won't always run into this problem.
Many of the Farm-level options (including access to SSP and User Profile properties) can be worked around in other ways, but when something like the above happens, your options are limited to 3 potential solutions:

  1. Ignore all of the best practice. Make your application pool account an administrator, and spend your days hiding from the network security admins and hoping it doesn't all go wrong.
  2. Create a dedicated Web Service, running in its own application pool under an admin account. Use this to farm out your "privileged" code, and lock it down tight as a drum: authenticate the caller (a specific service account, not just "any domain user"), restrict it to the farm's own servers, and make sure you can't get to it from outside the SharePoint farm!
  3. Don't do it... and tell your users that it was a stupid idea in the first place!

Now I admit, Options 1 and 3 probably won't go down too well, and Option 2 is the best option but still has its issues (running a Web Service as an admin account is still a security risk, if a smaller one than running the entire public-facing Application Pool as an admin account!).
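What "lock it down tight as a drum" looks like in code is worth spelling out, because a privileged service that only checks source addresses is one spoofed or compromised farm server away from being an open door. The following ASMX method is an added example, not the author's service: it refuses anything that is not a Windows-authenticated logon, not one of a named set of caller accounts, or not from an allowed address, and only then reads the job status under its own (farm-admin) application pool identity. It assumes Windows authentication is on and anonymous access off for the service's virtual directory, that the allow-lists live in appSettings under the two placeholder keys shown, and that the Publishing API members used to read the jobs (ContentDeploymentJob.GetAllJobs, Name, LastStatus) are as I recall them from the SDK; check them against your version.

```csharp
// Added example, not the original author's service. A privileged farm web service
// that authorises the caller before doing any work under its admin identity.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net;
using System.Security.Principal;
using System.Web.Services;
using Microsoft.SharePoint.Publishing.Administration;   // ContentDeploymentJob (verify against your SDK)

public class PrivilegedFarmService : WebService
{
    // appSettings values of the form "DOMAIN\svc-sp-intranet-pool;DOMAIN\svc-sp-extranet-pool"
    // and "10.0.0.11;10.0.0.12" (placeholder keys and values).
    static readonly HashSet<string> AllowedCallers = LoadSet("PrivilegedService.AllowedCallers");
    static readonly HashSet<string> AllowedAddresses = LoadSet("PrivilegedService.AllowedAddresses");

    static HashSet<string> LoadSet(string key)
    {
        string raw = ConfigurationManager.AppSettings[key] ?? string.Empty;
        return new HashSet<string>(raw.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries),
                                   StringComparer.OrdinalIgnoreCase);
    }

    // The decision is a pure function of (identity, address, allow-lists) so it can be
    // tested without an HttpContext and reused by every method on the service.
    public static bool IsAuthorized(IIdentity caller, string remoteAddress,
        ICollection<string> allowedCallers, ICollection<string> allowedAddresses)
    {
        if (caller == null || !caller.IsAuthenticated) return false;   // anonymous: no
        if (!(caller is WindowsIdentity)) return false;                 // must be a Windows logon, not forms
        if (!allowedCallers.Contains(caller.Name)) return false;       // a specific account, not "any domain user"
        // A source address narrows exposure but is not a credential, so it is checked
        // in addition to the identity, never instead of it.
        if (!allowedAddresses.Contains(remoteAddress)) return false;
        return true;
    }

    [WebMethod]
    public string[] GetContentDeploymentJobStatus()
    {
        if (!IsAuthorized(Context.User.Identity, Context.Request.UserHostAddress,
                          AllowedCallers, AllowedAddresses))
        {
            Context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
            throw new UnauthorizedAccessException("Caller is not permitted to use this service.");
        }

        // Runs as this service's own application pool account, the one identity in the
        // farm that has been granted the rights to read the Central Administration data.
        var lines = new List<string>();
        foreach (ContentDeploymentJob job in ContentDeploymentJob.GetAllJobs())
            lines.Add(string.Format("{0}: {1}", job.Name, job.LastStatus));
        return lines.ToArray();
    }
}
```

The calling web application talks to this service as its own application pool account (server to server, a single NTLM hop, so no Kerberos is needed), which is also why the caller allow-list is a short list of pool accounts rather than of end users.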

Summary
We ended up opting for Option 2, admittedly locking it down so that the URL was never published and it would only accept connections from other servers in the farm (so that end users could never access it).

Hopefully you now have a better grasp of SharePoint Application Security, what that super-method “SPSecurity.RunWithElevatedPrivileges” is actually doing and why it doesn’t always work!

Comments and feedback welcome! 🙂

SharePoint 2010 Visual Studio Extensions (SPVSX) 1.0 Released!

That's right, the first version of the SPVSX project has been released:

It’s a great project, aiming to provide extensive tools and functionality for Visual Studio 2010, such as quick deployment and a whole host of extra Templates for SharePoint 2010 items.

This project has been so far championed by my friends and colleagues; Wes Hackett, Matt Smith and Glyn Clough.

I'm currently out of the picture for a bit doing a handful of large projects for a client in Reading, but hopefully I'll be able to join them and start contributing myself in the new year!

Go check it out, it's free to use and we'd welcome any feedback!

Debugging VSIX Projects in Visual Studio 2010

This all came about because I’ve been working on the SharePoint 2010 Visual Studio 2010 Extensions Codeplex project with Wes Hackett, Matt Smith and Glyn Clough.

The new Visual Studio 2010 SDK (Beta 2) allows you to create VSIX projects (or Visual Studio Extensibility Projects) which are what enable deploying customisations to Visual Studio itself.

The problem comes trying to debug them (i.e. pressing F5). If you don’t set the project up properly then Visual Studio 2010 complains that it can’t start debugging because the DLL is missing.

The trick is setting the "Debug" options in the VSIX project properties. Full details (including screenshots) can be found on Wes Hackett's blog post.

Saved me some hours there! Cheers Wes!

Is software development like construction?

I often find myself explaining software development in the vein of construction, especially because my job title is "Architect" and therefore most people automatically assume I use CAD to draw housing designs all day.

It’s not a perfect model, and not intended to be the explanation for all projects, but this did get me thinking about other parts of the construction business. What about other roles?

Disclaimer – I don’t work in construction, so please excuse any faux pas in assumptions about terminology or process 🙂

——————————

Architect [Solutions Architect]
This is my role. The key skills here are the overall “vision” and solid grounding in all disciplines. You don’t have to be a master of all trades (although it obviously helps) but the main thing here is being able to see the “bigger picture”.

An architect needs to be able to understand what the client wants, and bring together all elements of the requirement to create a design that provides what they want on the budget that is available.

An Architect requires enough technical knowledge to be able to provide options, direction and advice.

e.g. “the design is a 5 bedroom house with 3 bathrooms. I know enough to tell you the walls / fittings of each room, and how much floorspace you need, and what the best fit is between technology and practicality”.

SME Engineers [Technical Architects]
These are the subject matter experts. They have years of experience in a specific area (e.g. Plumbing, Electrics, Foundations) and are masters of their trade.

Typically involved in larger projects or for short technical consultation engagements.

e.g. "from the design I recommend you need X strength reinforced steel beams" ... "you will need N feet of wiring and a specific type of fuse and junction box"

Note – On smaller projects Technical Architects will often take the same role as Technical Leads.

Foreman [Development Technical Leads]
These people know their trade well enough to know how to do a good job, and are also natural team leaders. They make sure that the labourers do the right work, and to the right standards, according to plan.

They are also capable of recommending solutions to problems “on the job”.

e.g. “the current design doesn’t work, but I know it will if you move that window 3-feet to the right / change the materials”

Note – On smaller projects Technical Leads will often take the same role as Technical Architects.

Labourers [Developers]
This is where the actual build gets done. You will have the people who do the same jobs on each project. They are good at it and fast too. Because they do this all the time, the chances are they will actually be quicker than the Architects / Engineers and Foreman too!

You will also have in this category the less experienced apprentices (Junior Developers) who are learning on the job.

e.g. Brick Layers / Plumbers / Plasterers / Electricians

Project Managers
These people spend their time making sure that scheduling is on track and keeping in touch with the client. They make sure that everything happens at the right time and in the right order.

If the cement doesn’t turn up, or the wrong type of window frames have been ordered then it’s usually the Project Manager’s fault.

Consultants
You always have consultants, but the distinction between a consultant and another SME (such as Engineers or Architects) is that Consultants provide consultation for the client.

This is not always the case (consultants have a valued place for internal engagements and aiding the project team too!) but generally the main focus is to help the client to understand the requirements and the solution, and to provide that much-needed face for clients to ask technical questions (and get a layman's response).

——————————

I thought this was an interesting exercise, and it certainly helps me to explain what I do to people in a way that they can understand. So few of the great unwashed masses understand software development; at least this means I don't need to say "I work in IT" and leave it there 🙂

Of course, some people tend to wear multiple hats and do lots of different jobs … but it also helps to describe in context (just because you are a “Developer” doesn’t mean you can do SQL, C#, CSS and XSLT … in much the same way you wouldn’t expect a builder to be able to do brickwork, plumbing, electrics and plastering!)

How do you present CAPTCHA accessibly?

Following on from my presentation this week on Building an Accessible SharePoint System I had an interesting query from one of the attendees regarding accessible CAPTCHA methods.

For those who haven't come across the term, CAPTCHA refers to the method of challenging users with a query that a human can pass but a computer cannot (typically represented by images that display distorted text).

The query related directly to accessibility, and specifically how would you achieve CAPTCHA methods in an accessible way?

The CAPTCHA project itself has the following statement on its website:

“CAPTCHAs must be accessible. CAPTCHAs based solely on reading text — or other visual-perception tasks — prevent visually impaired users from accessing the protected resource. Such CAPTCHAs may make a site incompatible with Section 508 in the United States. Any implementation of a CAPTCHA should allow blind users to get around the barrier, for example, by permitting users to opt for an audio or sound CAPTCHA”

This of course does not account for users who are both visually and hearing impaired (for example, a user who is both blind and deaf).

The solution to this could include a number of workarounds, including mathematical questions (“what is one plus two?”) or more “natural language” queries (“What is the colour of the sky on a clear day?”) but these could also present other problems.

Firstly, generating enough of these prompts to stop an attacker simply predicting the responses to them would be problematic. You then have to consider cultural and language barriers, as well as other impairments such as textual or numerical dyslexia.
It's certainly a difficult topic and one that is a challenge to get right without either leaving your site in an inaccessible state or leaving it open to programmatic misuse.

To find out more about CAPTCHA you can visit the CAPTCHA Website or the CAPTCHA Wikipedia article.

Building an Accessible SharePoint System – Slide Decks, Source Code and Downloads (SUGUK London – November 25th)

First of all a big thank you to everyone who attended the session, and many thanks to Chris O’Brien for his presentation on ECM in SharePoint 2010 and also to Matt Taylor for pulling the strings behind the scenes and getting it organised!

You can find links to all of the Slide Decks and Source Code that was used in the Building Accessible SharePoint Systems session below.

There is loads of material, with links to all of the tools and websites I mentioned including the Disability Discrimination Act, the WCAG 2.0 and WAI ARIA guidelines, the new online SharePoint 2010 SDK and the ASP.Net 4.0 Whitepaper … plus links to all of the tools that were mentioned.

The slides also include notes on each of the topics and the demo notes refer to the source files that were used in the demo!

In the mean time if anyone wants to contact me with any questions feel free to use the medium of your choice:

Email: martin.hatch@contentandcode.com
Twitter: @MartinHatch

Cheers, thanks for coming and hope to see you all again soon!

Files
Let me know if you have any trouble accessing them.

Otherwise you can get the individual files below:
[Update – some of the links were broken before – fixed now!]

Thanks again!

Why I chose Blogger?

I've already had this question asked of me, and my blog only moved yesterday! Why did I move from the "Microsoft" Live Spaces to the "Google" Blogger / Blogspot?

Unfortunately it was depressingly simple. I got fed up with the lack of features on Live Spaces. My more popular posts were being flooded with spam comments, I had no way of changing the URL (even within the spaces namespace, let alone use my own custom one!) and I was quite limited in terms of available templates.

The main features I like with Blogger are therefore:

  • Moderation of comments and support for blocking “bots” from posting comments
  • Ability to control comments on a post by post basis!
  • Ability to control URL
  • Support for custom domain names
  • Complete control over HTML template / colours / styles
  • Multiple {Tags | Labels | Categories} per post (why does Live Spaces only allow 1??)
  • Better post navigation (tag clouds and tree-view for post archive)
  • Improved analytics (or .. more accurately Google Analytics, which I probably could have used on Live Spaces but the built-in statistics for Live Spaces are extremely poor). 
  • Improved Text Editor for posting new posts (better paragraph / styling support, ability to post an older publishing date and AutoSave is awesome!)

In the end it seemed like a no-brainer. I've been putting it off mainly because I didn't want to have to go around updating all my links (plus my Google and Bing rankings will probably take ages to catch up again).

But now I’ve taken the plunge I’m much happier, just got to put some elbow grease into getting it ship-shape in terms of styling and links (not to mention plenty of new posts too!)

New Blog Launched!

This marks the birth of my new blog; www.martinhatch.com 🙂

I’ve still got some styling work to do (so you can expect that to change yet!) but otherwise have my brand new shiny blog.

It's powered by BlogSpot/Blogger (a.k.a. Google) and if you were wondering why, it's because I get finer control over the layout, I get better reporting (Google Analytics) and I can have my own domain name 🙂

So come, enjoy and be merry!

SharePoint 2010 and Office 2010 Beta released!

Yep, Microsoft have got slightly ahead of expectations and the official public beta release of SharePoint 2010 and Office 2010 is now out (although you need a TechNet or MSDN subscription at the moment!).

You can find the download information as well as more details on the relevant websites:

For those of you who have access to the Technical Preview of SharePoint 2010 you can expect to see quite a few changes and improvements in the beta version. For those of you who haven’t seen either, you’re in for a treat!
