Sharepoint 2007 Security Highlights

From the Sharepoint Team Blog

We have been running through a wide variety of the security configuration testing on the way to our Beta 2 release, so I thought it would be good to post an update on some of the new things we are doing since it is one of the things we get commonly asked about.SharePoint 2003 has a robust security model for grouping SharePoint rights into Site Groups and granting Permissions on sites, lists and libraries to users and/or these groups. Here’s my take on the “Top 5” about was in new in Windows SharePoint Services v3 and Office SharePoint Server 2007:

1) Pluggable Authentication – We build on the new ASP.NET provider model so you can use another directory or database, which may be useful for a secure, large scale internet site with an existing customer database (e.g. CMS scenario). We are adding LDAP support to Office SharePoint Server 2007 both with an authentication provider and direct import into the user profile store for targeting, people search, etc. WSS and SPS SP2 added ADFS support for trust between independent organizations (e.g. a reseller trusting their suppliers' directories on the extranet), and we’ll continue that.

2) Granular Security – You will be able to assign unique permissions to an individual document as well as inheriting from the parent directory or Document Library. This also lets us make the security and inheritance model in a complex site cleaner as part of unifying WSS webs with SPS areas and CMS channels. We are also providing an improved people and group picker throughout SharePoint that will make it easier to add users and groups from AD than in the past.

3) Server-Enforced Policy via Information Rights Management – If you are not familiar with Windows Rights Management Services, check out its integration with the Information Rights Management capabilities in Office 2003. It lets you put a digital envelope around an e-mail or Office document that limits what people can do with it (e.g. edit, copy, print, forward), when the document expires, whether the software needs to check back with the SharePoint server for the latest updates, etc. We utilize this functionality all the time inside Microsoft when sharing confidential training information with our salesforce with an expiration date targeted for when we’ll have public content available. In the next release of SharePoint Server 2007, we’ll have server integration with Windows RMS and the extensibility to integrate with other rights management systems so IRM policies you set on SharePoint Document Libraries on the server will be enforced even after the content has left the site (simplistically, the IRM envelope on the downloaded file will match the server-side ACLs).

4) Pluggable Single Sign-On – SPS 2003 shipped with a secure credential cache, so users would not be prompted for multiple passwords for different back-ends from a “composite application” web part page. While you could write custom code in your web parts to use this cache, general purpose tools like our Data View Web Part did this automatically, saving complexity. In SharePoint Server 2007, we’re making this pluggable, so you can use custom or 3rd-party credential caching systems in addition to the one we ship.

5) Security Trimmed User Interface – In SPS 2003, users do not see search results (from not just SharePoint but Windows compatible file servers, Exchange, and Notes) that they did not have the rights to at least read. We have taken the model across the entire SharePoint interface – users will not see actions, links, content, etc. that they don’t have the rights to at least view. This will not only make the system more secure, but more convenient (no access denied when trying to do an operation on a list). In addition, we have added an explicit login/out link on the SharePoint chrome, which can be handy for developers and IT trying out multiple security contexts.

You can find this article here.

Computer developer/consultant from Portugal. You can find me at

Posted in CMS, Sharepoint, Sharepoint
2 comments on “Sharepoint 2007 Security Highlights
  1. Jason says:

    A very interesting post, thank you for sharing…:)

  2. Al Pathew says:

    hi ricardo,

    I have several things to mention here. I have my sharepoint site ( hosted at ASPHostCentral ( and frankly speaking, initially my search function was not working on my site.

    The team at ASPHostCentral told me that they did some modification into the Windows Registry Key and the Search function is now working fine. FYI, I am using WSS 3.0 and even it is MOSS 2007, you have to manually edit the Windows Registry Key in order for the Sech function to work.

    I am not sure that the team at ASPHostCentral did, but it is just working now. Two thumbs up for them. I am just paying an average $4.99/month to host this site and I am truly a happy camper….

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: