All posts tagged Security

SSL and SharePoint 2013

A new best practice emerges in SharePoint 2013 that will change how some companies are deploying SharePoint today. That new best practice is to ensure that every single web application is SSL encrypted with said SSL now terminated on the SharePoint web front ends.


Secure Sockets Layer (SSL) is a requirement for web applications that are deployed in scenarios that support server-to-server authentication and app authentication. This is such a scenario. As a prerequisite for configuring Task Synchronization, the computer that is running SharePoint Server must have SSL configured.


Managed Account Password Management

I like the idea of SharePoint managing my passwords for me. I like the idea of no human knowing what the service account passwords are so that they are forced to log into their own admin account before modifying anything within SharePoint. The problem with this is that I just can’t trust SharePoint to handle this for me and even if I do it is very difficult to have a recovery strategy.

I’ve now been bitten by this issue twice in two separate environments. I can’t say what causes it but for some reason the Farm account fails to update cleanly and Central Administration is completely inaccessible. Thank goodness for my old friend PowerShell.

So you’re either here because your farm is inaccessible or you’re here because you need the PowerShell for resetting a managed account password. Either way… here you go.

Modify Password for Managed Account using PowerShell

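    # Load the SharePoint cmdlets when not running in the SharePoint Management Shell
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $pw = ConvertTo-SecureString -String 'p@ssword1' -AsPlainText -Force
    $account = Get-SPManagedAccount -Identity 'DOMAIN\User'
    # Set the managed account's password to the new value
    Set-SPManagedAccount -Identity $account -NewPassword $pw -ConfirmPassword $pw -SetNewPassword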

Now… if this fails for you because you can’t access the farm due to permissions issues then you have a much larger issue on your hands. You can try to give a user access to the content and configuration databases, local administrator rights and Shell Admin role within SQL Server but honestly I haven’t tested that scenario yet.

For now I’m recommending that companies do not utilize the automatic password management features of SharePoint 2010.
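A variation on the reset above, as an added example rather than code from the original post: it prompts for the password instead of embedding it in the script, covers the case where the password was already reset in Active Directory (going beyond the single case shown above), and lists the managed accounts that still have automatic password change switched on. The function names and the -AlreadyChangedInAD switch are assumptions made for illustration.

```powershell
# Added example. Reset-ManagedAccountPassword, Get-AutoChangeManagedAccount and
# -AlreadyChangedInAD are hypothetical names, not part of SharePoint.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Reset-ManagedAccountPassword {
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserName,            # for example DOMAIN\User

        # Use when the password was already reset in Active Directory and the
        # farm only needs to be given the current value.
        [switch]$AlreadyChangedInAD
    )

    # Stop here if the account is not registered as a managed account.
    $account = Get-SPManagedAccount -Identity $UserName -ErrorAction Stop

    # Prompt for the password so it never lands in a script file or in
    # command history as plain text.
    $pw = Read-Host -Prompt "Password for $UserName" -AsSecureString

    if ($AlreadyChangedInAD) {
        Set-SPManagedAccount -Identity $account -ExistingPassword $pw -UseExistingPassword
    }
    else {
        $confirm = Read-Host -Prompt "Confirm password for $UserName" -AsSecureString
        Set-SPManagedAccount -Identity $account -NewPassword $pw -ConfirmPassword $confirm -SetNewPassword
    }
}

# Managed accounts that still have automatic password change switched on.
function Get-AutoChangeManagedAccount {
    Get-SPManagedAccount |
        Where-Object { $_.AutomaticChange } |
        Select-Object Username, PasswordExpiration
}
```

Call `Reset-ManagedAccountPassword -UserName 'DOMAIN\User'` from a session on a farm server, adding `-AlreadyChangedInAD` when the account was reset outside SharePoint.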

SharePoint – Limited Access – What is it?

This has been around for a while but since I still get questions about it from clients I figured I would post an explanation that may be a little more visual than other explanations.

When you start customizing security on your SharePoint sites by breaking inheritance at different levels you may start to see your nice clean permission lists be infiltrated by “Limited Access”. MSDN explains the “Limited Access” permission level as:

Allows access to shared resources in the Web site so users can access an item within the site. Designed to be combined with fine-grained permissions to give users access to a specific list, document library, item, or document, without giving users access to the entire site. Cannot be customized or deleted.

Let’s look at a scenario:

Setting up Anonymous Access

I always seem to leave out a step when configuring anonymous access for a SharePoint site so I’ve finally put together a full guide so I don’t leave out any steps in the future.

Deactivate Hidden Features

If you are getting “Access Denied” for lists and libraries then you probably forgot this step. There is a hidden feature that secures the lists and libraries by default for all sites that have anonymous access enabled. If you have already enabled anonymous access prior to deactivating this feature then you will need to turn all anonymous access off and back on to refresh this functionality.

  1. For each site collection that requires anonymous access execute the following stsadm command.
    stsadm -o deactivatefeature -url http://sitecollection -name ViewFormPagesLockDown


SharePoint Permission Strings

SharePoint uses permission or rights strings in numerous places including setting permissions for Custom Actions in your feature XML. A colleague asked this question recently and I had to look up the answer so I decided I would post for my own reference.

Creating MySites Programmatically

Instead of asking every user to click on “My Site” and have the site provisioned for them it’s sometimes nice to already have the site created… or create it as part of the Employee Intake process. This is especially true if the My Site plays a role in a custom application as it did for one of my clients.
