Saturday, September 27, 2008

SharePoint - the First Commandment

I - Thou shalt use SSL for all SharePoint sites

Like I said a couple of posts ago, I've been spending a lot of time with SharePoint lately. One of the things that I have decided is important is that all SharePoint sites should start out at the very beginning with SSL encryption. SharePoint suffers from a couple of irritations and one of the big ones is that sites don't want to be renamed much. There are too many things that default to hard-coded links, so you need to pick the right URL to use from the start. And, since you are logging on with your network credentials, why pass them in plain text? At least make a malicious user work for it.

So, what is the best way to set this up? When you run the MOSS 2007 installer, you are really just installing the basic SharePoint infrastructure; you are not installing a specific site. Once you install the software, it sets up the Central Administration website (and no other site) and from there you configure things like e-mail settings, search settings, and so on. After all of that is done, you then create a Web Application that will actually host the site. The terminology in v3.0 and MOSS 2007 is different from previous versions: what is now called a web application was referred to as a virtual server in previous versions. You create a new web application, and the options are there to use SSL and port 443.

You can create this web application before you install a certificate. Once IIS is restarted, you can go to the IIS console, select the new SharePoint website, and walk through the SSL certification steps to get the certificate installed.

There will be no site to see on the Web Application until after you create a Site Collection on the new web application. You can't test your site, certificate, or anything like that until after you create the site collection.

For once, the MOSS 2007 / SharePoint installer does not overwrite the Default Website, so after you create a new web application, it will sit next to the Default Website instead of overwriting it. This will be really, really useful. From the IIS console, open the default website. Go to the Home Directory tab. Change the radio button to redirect traffic and enter the full URL of the SSL site you created. If you do that, IIS will redirect all traffic from the default, port 80, non-SSL site to the new SSL site you created, so that when people forget to put in HTTPS, they still go to the right place.
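Once the redirect is in place, it is worth confirming from a client that a plain-HTTP request really is bounced to HTTPS on the same host before any authentication challenge is issued; if the port 80 site answers with a 401 and a WWW-Authenticate header first, browsers will negotiate credentials over the unencrypted connection, which is exactly what the SSL setup was meant to prevent. The script below is an added example written for this post, not code from the original article or from Microsoft; the host name portal.example.local and the sample responses are constructed placeholders, and the function names (classify_redirect, probe) are my own.

```python
"""Check that a plain-HTTP SharePoint URL redirects to HTTPS on the same
host before any authentication challenge is issued.

Added example for this post, not part of the original article. The host
names in the constructed sample responses are placeholders.
"""
import http.client
from urllib.parse import urlsplit, urljoin


def classify_redirect(original_url, status, headers):
    """Classify the reply the port-80 site gave to an unauthenticated request.

    original_url: the http:// URL that was requested.
    status:       integer HTTP status code.
    headers:      dict of response headers (looked up case-insensitively).

    Returns one of:
      'ok'             - 3xx redirect to https:// on the same host
      'auth-challenge' - 401 with WWW-Authenticate: credentials would be
                         exchanged in clear text before any redirect
      'plain-redirect' - a redirect that stays on http://
      'other-host'     - a redirect to https:// but on a different host
      'no-redirect'    - anything else (e.g. content served over plain HTTP)
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and 'www-authenticate' in h:
        return 'auth-challenge'
    if status in (301, 302, 303, 307, 308) and 'location' in h:
        # Location may be relative; resolve it against the requested URL.
        target = urlsplit(urljoin(original_url, h['location']))
        origin = urlsplit(original_url)
        if target.scheme.lower() != 'https':
            return 'plain-redirect'
        if not target.hostname or target.hostname.lower() != (origin.hostname or '').lower():
            return 'other-host'
        return 'ok'
    return 'no-redirect'


def probe(url, timeout=5):
    """Send one unauthenticated GET over plain HTTP and classify the reply.

    Hypothetical helper for live use; the offline demo below does not call it.
    """
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request('GET', parts.path or '/', headers={'Host': parts.netloc})
        resp = conn.getresponse()
        return classify_redirect(url, resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    'good':       (302, {'Location': 'https://portal.example.local/'}),
    'ntlm_first': (401, {'WWW-Authenticate': 'NTLM'}),
    'http_loop':  (302, {'Location': 'http://portal.example.local/default.aspx'}),
    'relative':   (301, {'Location': '/sites/team/'}),   # relative target keeps http
    'served':     (200, {'Content-Type': 'text/html'}),
}


def demo():
    """Run the classifier over the constructed samples and return the verdicts."""
    return {name: classify_redirect('http://portal.example.local/', s, h)
            for name, (s, h) in SAMPLES.items()}


if __name__ == '__main__':
    for name, verdict in demo().items():
        print(f'{name}: {verdict}')
```

The only verdict you want to see from the default website is 'ok'; an 'auth-challenge' result means the port 80 site still has anonymous access disabled, so enable it there (the SSL web application keeps its own authentication settings) and the redirect will be served before any credential exchange.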

which are the one thing that an attacker really wants, you should make them work for it.
