Wednesday, October 30, 2013

SharePoint 2013 Ports and Protocols

The following is a list of the ports and protocols that SharePoint 2013 farms use.

It can be used as a guide for configuring firewalls and for security hardening of the farm.

  • TCP 80, TCP 443 (SSL)
  • Custom ports for search crawling, if configured (such as for crawling a file share or a website on a non-default port)
  • Ports used by the search index component — TCP 16500-16519 (intra-farm only)
  • Ports required for the AppFabric Caching Service — TCP 22233-22236
  • Ports required for Windows Communication Foundation communication — TCP 808
  • Ports required for communication between Web servers and service applications (the default is HTTP):
    • HTTP binding: TCP 32843
    • HTTPS binding: TCP 32844
    • net.tcp binding: TCP 32845 (only if a third party has implemented this option for a service application)
  • Ports required for synchronizing profiles between SharePoint 2013 and Active Directory Domain Services (AD DS) on the server that runs the Forefront Identity Management agent:
    • TCP 5725
    • TCP and UDP 389 (LDAP service)
    • TCP and UDP 88 (Kerberos)
    • TCP and UDP 53 (DNS)
    • UDP 464 (Kerberos Change Password)
  • Default ports for SQL Server communication — TCP 1433, UDP 1434. If these ports are blocked on the SQL Server computer (recommended) and databases are installed on a named instance, configure a SQL Server client alias for connecting to the named instance.
  • Microsoft SharePoint Foundation User Code Service (for sandbox solutions) — TCP 32846. This port must be open for outbound connections on all Web servers. This port must be open for inbound connections on Web servers or application servers where this service is turned on.
  • Ensure that ports remain open for Web applications that are accessible to users.
  • Block external access to the port that is used for the Central Administration site.
  • SMTP for e-mail integration — TCP 25
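As an added example (not from the post), the PowerShell below turns the port list above into Windows Firewall rules with the NetSecurity cmdlets (Windows Server 2012 and later). The farm addresses, admin subnet and Central Administration port are placeholders; the AD DS synchronisation ports are outbound from the sync server and are not covered here.

```powershell
# Added example, not from the post: Windows Firewall rules that implement the SharePoint 2013
# port list above with the NetSecurity cmdlets (Windows Server 2012 and later).
# Placeholders: $FarmServers (farm members), $AdminWorkstations (where Central Admin may be
# opened from) and $CentralAdminPort (the port chosen when Central Administration was provisioned).
$FarmServers       = @('10.0.0.11', '10.0.0.12', '10.0.0.13')   # constructed sample addresses
$AdminWorkstations = @('10.0.5.0/24')                            # constructed sample subnet
$CentralAdminPort  = 2013                                        # placeholder

# Windows Firewall applies Block rules before Allow rules, so "deny everyone else" must come
# from the profile's default inbound action rather than from a broad Block rule, which would
# also cut off the farm members listed below.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

# Helper: one inbound Allow rule on the Domain profile, limited to the given remote addresses.
function New-FarmRule {
    param([string]$Name, [string]$Protocol, [string]$Port, [string[]]$Remote)
    New-NetFirewallRule -DisplayName "SP2013 - $Name" -Direction Inbound -Profile Domain `
        -Protocol $Protocol -LocalPort $Port -RemoteAddress $Remote -Action Allow | Out-Null
}

# Web servers: user-facing web applications stay reachable from any client.
New-FarmRule 'Web HTTP'  TCP 80  Any
New-FarmRule 'Web HTTPS' TCP 443 Any

# Intra-farm services: only other farm members may connect.
New-FarmRule 'Search index'      TCP '16500-16519' $FarmServers
New-FarmRule 'AppFabric cache'   TCP '22233-22236' $FarmServers
New-FarmRule 'WCF'               TCP 808           $FarmServers
New-FarmRule 'Service app HTTP'  TCP 32843         $FarmServers
New-FarmRule 'Service app HTTPS' TCP 32844         $FarmServers
New-FarmRule 'User Code Service' TCP 32846         $FarmServers   # only on servers running the service

# Central Administration: farm members and the admin subnet only; anything else hits the default Block.
New-FarmRule 'Central Administration' TCP $CentralAdminPort ($FarmServers + $AdminWorkstations)

# SQL Server host only: accept TCP 1433 / UDP 1434 from the SharePoint servers alone.
# (If you block these ports entirely, as the post recommends, configure a SQL client alias instead.)
function Protect-SqlPorts {
    New-FarmRule 'SQL TDS'     TCP 1433 $FarmServers
    New-FarmRule 'SQL Browser' UDP 1434 $FarmServers
}

# Review what was created.
Get-NetFirewallRule -DisplayName 'SP2013 - *' | Select-Object DisplayName, Enabled, Direction, Action
```

Run the main body on each SharePoint server and call `Protect-SqlPorts` only on the SQL host; the profile default of Block is what keeps unlisted sources out.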

Thursday, October 24, 2013

SharePoint 2010 / 2013 - Create, Add or Promote User Account to Farm Admin Account Rights

As we all know, adding user accounts to the Farm Administrators Group in SharePoint does NOT give those user accounts the same access/rights/security as the Farm Admin Account.

The Farm Admin account holds additional SQL rights/roles on the databases (config and content) and is also a member of multiple local server groups, which is what grants it access to the SharePoint PowerShell snap-in.
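As an added example (not from this post or the one it links to), the PowerShell below gives an account the two things described above that group membership alone does not: the SharePoint_Shell_Access role on the configuration and content databases, and WSS_ADMIN_WPG membership on every farm server, then verifies both. The account name is a placeholder, and the script assumes it is run on a farm server by an account that is securityadmin on the SQL instance and db_owner on the databases (the farm account qualifies).

```powershell
# Added example, not from this post: grant an account the shell-admin footing the farm account
# has (SharePoint_Shell_Access on the config and content databases plus WSS_ADMIN_WPG on each
# farm server) and verify it. Run on a farm server as securityadmin/db_owner (the farm account).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$Account = 'CONTOSO\spadmin2'   # placeholder account name

# SharePoint_Shell_Access per database, as reported by Get-SPShellAdmin.
function Get-ShellAdminStatus([string]$User) {
    # With no -database, Get-SPShellAdmin targets the configuration database.
    New-Object PSObject -Property @{
        Database       = 'Configuration'
        HasShellAccess = [bool](Get-SPShellAdmin | Where-Object { $_.UserName -eq $User })
    }
    foreach ($db in Get-SPContentDatabase) {
        New-Object PSObject -Property @{
            Database       = $db.Name
            HasShellAccess = [bool](Get-SPShellAdmin -database $db.Id | Where-Object { $_.UserName -eq $User })
        }
    }
}

# Add-SPShellAdmin adds the SQL role on the target database and also puts the user into the
# local WSS_ADMIN_WPG group on each server in the farm.
function Grant-FarmShellAdmin([string]$User) {
    Add-SPShellAdmin -UserName $User
    foreach ($db in Get-SPContentDatabase) { Add-SPShellAdmin -UserName $User -database $db.Id }
}

# Local group check on every SharePoint server (SQL hosts report Role 'Invalid' and are skipped),
# via the WinNT ADSI provider so no remoting is required.
function Test-LocalAdminGroup([string]$User) {
    $wanted = "WinNT://$($User.Replace('\', '/'))"      # e.g. WinNT://CONTOSO/spadmin2
    foreach ($srv in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
        $group   = [ADSI]"WinNT://$($srv.Address)/WSS_ADMIN_WPG,group"
        $members = @($group.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) })
        New-Object PSObject -Property @{ Server = $srv.Address; InWssAdminWpg = ($members -contains $wanted) }
    }
}

Grant-FarmShellAdmin $Account
Get-ShellAdminStatus $Account | Format-Table Database, HasShellAccess -AutoSize
Test-LocalAdminGroup $Account | Format-Table Server, InWssAdminWpg -AutoSize
```

Run `Get-ShellAdminStatus` and `Test-LocalAdminGroup` on their own to audit an existing account without changing anything.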

Octavie has a great post on this. Take a look for more info:

Metalogix Acquires Idera’s SharePoint Business Including Market-Leading SharePoint Backup and Diagnostic Manager

Metalogix has been steadily buying up hefty swaths of the Microsoft SharePoint ecosystem — and it's now bought up Idera's SharePoint business. It includes tools that focus on backup, maintenance, security and governance.

"Metalogix suite of best-in-class SharePoint products now includes Idera’s SharePoint Backup product, the industry’s fastest SharePoint backup technology, which delivers instant deployments and full farm protection of business critical content. Metalogix will integrate SharePoint Backup with Metalogix StoragePoint, the industry-leading storage optimization technology, to provide lightning-fast speeds for the backup and recovery of terabytes of content in just minutes, instead of hours or days."

"Once the tools from Idera and Axceler are fully integrated with Metalogix, the company will focus innovation on cloud and mobile technology. The Axceler integration is right on schedule, and there's a webinar coming up in November that will more fully detail the company's plans."
- Metalogix Press Release, October 23, 2013

With over 14,000 customers, in 86 countries on 7 continents, Metalogix is the fastest growing SharePoint-focused Independent Software Vendor (ISV) in the world and a partner to get to know in the SharePoint space...

Take a look at Metalogix's SharePoint offerings for managing your SharePoint farms/environments/implementations.

Thursday, October 10, 2013

Network & Server Best Practices and Hardening for Microsoft Products

While researching standards around enterprise-level server hardening and high availability best practices, I came across a couple of good documents/links.

They cover Active Directory, SharePoint and networking best practices, plus the security considerations for a full Microsoft implementation.

Microsoft High Availability Strategy

Includes SharePoint, Exchange, Windows Server, SQL, Hyper-V and clustering. Provides a logical overview of the many high-availability tools, solutions, and programs available from Microsoft.

Best Practices for Securing Active Directory

Contains recommendations to enhance the security of Active Directory installations, discusses common attacks against Active Directory and countermeasures to reduce the attack surface, and offers recommendations for recovery. Its appendices:
  • Contains a list of companies that produce patch and vulnerability management software.
  • Provides background information that helps you to identify the users and groups that are granted elevated privileges in Active Directory and on domain-joined systems. These accounts typically present the greatest risk because they can be leveraged by attackers to compromise and even destroy your Active Directory installation.
  • Contains information about protected groups in Active Directory.
  • Provides guidelines to secure the built-in Administrator account in each domain in a forest.
  • Provides step-by-step instructions to help secure the Enterprise Admins group in an Active Directory forest.
  • Provides step-by-step instructions to help secure the Domain Admins group in each domain in a forest.
  • Provides step-by-step instructions to help secure the built-in Administrators group in each domain in a forest.
  • Provides step-by-step instructions to help secure local Administrator accounts and groups on domain-joined systems.
  • Provides information and steps to create accounts that have limited privileges and can be stringently controlled, but can be used to populate privileged groups in Active Directory when temporary elevation is required.
  • Contains a list of third-party, role-based access control (RBAC) software vendors and their solutions.
  • Contains a list of third-party privileged identity management (PIM) software vendors and their offerings.
  • Lists events for which you should monitor in your environment.
  • Contains a list of recommended reading. Also contains a list of links to external documents and their URLs so that readers of hard copies of this document can access this information.

Network Management System: Best Practices

ISO Network Management Model - How to increase the overall effectiveness of current network management tools and practices.
  • The goal of fault management is to detect, log, notify users of, and (to the extent possible) automatically fix network problems to keep the network running effectively.
  • The goal of configuration management is to monitor network and system configuration information so that the effects on network operation of various versions of hardware and software elements can be tracked and managed.
  • The goal of performance management is to ensure system and resource availability through SLAs, monitoring and reporting.
  • The goal of security management is to control access to network resources according to local guidelines so that the network cannot be sabotaged (intentionally or unintentionally).
  • Accounting management is the process used to measure network utilization parameters so that individual or group users on the network can be regulated appropriately for the purposes of accounting or chargeback.