Updated – Maximizing SharePoint Security whitepaper 1.1

I updated the Maximizing SharePoint Security whitepaper with the following changes:

  • Added the CIS SharePoint benchmark
  • Added a link for more security headers, such as HTTP Public Key Pinning and others
  • Added more security controls in the SharePoint configuration
  • Fixed the Search Crawl Rules

You can download the document from this URL: https://gallery.technet.microsoft.com/Maximizing-SharePoint-cf7f7efc

httpOnly attribute and out-of-the-box SharePoint workflows

The httpOnlyCookies attribute is a good security control, but if you enable it in SharePoint it causes an error when you create out-of-the-box SharePoint workflows.

Error:

“Application error when access /_layouts/15/CstWrkflIP.aspx, Error=Value cannot be null. ….”

Fix:

Remove the attribute httpOnlyCookies="true" from web.config and accept the risk, or extend the SharePoint web application and remove the attribute only from the internal-access website.
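After extending a web application, each zone has its own IIS site and web.config, so the attribute can differ per zone. The following script (an added example, not part of the original post) reports the httpOnlyCookies value in every zone of every web application on the local server, so you can confirm it is still set on the public zone and absent only on the internal zone used for workflow authoring. It assumes the SharePoint Management Shell on a farm server that hosts the web applications.

```powershell
# Added example (not from the original post): audit httpOnlyCookies per web application zone.
# Assumption: run in the SharePoint Management Shell on a server that hosts the IIS sites;
# every web front end keeps its own copy of web.config, so run it on each one.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-HttpOnlyCookieSetting {
    foreach ($webApp in Get-SPWebApplication) {
        # IisSettings is keyed by zone (Default, Intranet, Internet, Custom, Extranet);
        # Path is the physical directory of that zone's IIS site
        foreach ($entry in $webApp.IisSettings.GetEnumerator()) {
            $configPath = Join-Path $entry.Value.Path.FullName 'web.config'
            $value = 'not set'
            if (Test-Path $configPath) {
                [xml]$config = Get-Content -Path $configPath
                # <configuration><system.web><httpCookies httpOnlyCookies="true" .../>
                $node = $config.configuration.'system.web'.httpCookies
                if ($node -and $node.httpOnlyCookies) { $value = $node.httpOnlyCookies }
            }
            [pscustomobject]@{
                WebApplication  = $webApp.DisplayName
                Zone            = $entry.Key
                WebConfig       = $configPath
                HttpOnlyCookies = $value
            }
        }
    }
}

# Zones that show "not set" or "false" accept non-httpOnly cookies; only the
# internal zone used to author workflows should be in that state.
Get-HttpOnlyCookieSetting | Format-Table -AutoSize
```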

SharePoint Server 2016 Security

SharePoint Server 2016 and Office Online Server support TLS 1.2 connection encryption by default, so you can disable all the old protocols safely.

Workflow Manager supports SSL 3.0 (it is recommended to disable it) and TLS 1.0, but it can communicate with SharePoint through TLS 1.2.

https://technet.microsoft.com/en-us/library/mt757255(v=office.16).aspx

https://technet.microsoft.com/en-us/library/mt346121(v=office.16).aspx#encrypted
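Disabling the old protocols on a SharePoint 2016 or Office Online Server host is done through the SCHANNEL registry keys. The script below (an added example, not code from the original post) first reports the current state of SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 and only disables them when you uncomment the last line; it assumes a dedicated server, an elevated shell, and that every peer (browsers, the crawler, Workflow Manager) already negotiates TLS 1.2.

```powershell
# Added example (not from the original post): audit, then disable, legacy SCHANNEL
# protocols. Run elevated; SCHANNEL changes take effect only after a reboot.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')

function Get-LegacyProtocolState {
    # One row per protocol and side; a $null value means Windows defaults apply
    foreach ($proto in $legacy) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $base "$proto\$side"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $item = Get-ItemProperty -Path $key
                $enabled = $item.Enabled
                $disabledByDefault = $item.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Disable-LegacyProtocols {
    # Hardened state: Enabled=0 and DisabledByDefault=1 for both Server and Client,
    # so the protocol is neither offered nor accepted
    foreach ($proto in $legacy) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $base "$proto\$side"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Report first; apply the change only once Workflow Manager and other peers are confirmed on TLS 1.2
Get-LegacyProtocolState | Format-Table -AutoSize
# Disable-LegacyProtocols
```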

New features in SharePoint 2016

Learn about the most important new features in SharePoint Server 2016 as follows:

MinRole

It is a set of predefined server roles, newly introduced in SharePoint Server 2016. SharePoint automatically configures the services based on the server's role, and the performance of the farm is optimized based on that topology.

https://technet.microsoft.com/en-us/library/mt346114(v=office.16).aspx

https://technet.microsoft.com/en-us/library/mt667910(v=office.16).aspx

SharePoint Add-ins

The name “apps for SharePoint” is changing to “SharePoint Add-ins”.

SharePoint Add-ins are self-contained extensions of SharePoint websites that you create, and that run without custom code on the SharePoint server.

https://msdn.microsoft.com/en-us/library/office/fp179930.aspx

Zero-Downtime Patching

Learn how to patch a server in a SharePoint Server 2016 farm by using Zero Downtime Patching:

https://technet.microsoft.com/EN-US/library/mt767550(v=office.16).aspx

https://blogs.technet.microsoft.com/stefan_gossner/2016/04/29/sharepoint-2016-zero-downtime-patching-demystified/

Fast Site Collection Creation

Fast Site Collection Creation is a new capability in SharePoint Server 2016 IT Preview that improves Site Collection creation performance by reducing Feature activation overhead.

https://blogs.technet.microsoft.com/wbaer/2015/08/26/fast-site-collection-creation-in-sharepoint-server-2016-it-preview/

Project Server 2016 installer is fully integrated into SharePoint 2016

The Project Server 2016 installer is fully integrated into SharePoint 2016; a separate installer no longer needs to be run on each server in the farm.

https://blogs.office.com/2016/03/16/project-server-2016-rtm-is-now-available/

Finally, check this link for more details about new and improved features in SharePoint Server 2016:

https://technet.microsoft.com/en-us/library/mt346121(v=office.16).aspx

Office Online Server (OOS)

Do you remember Office Web Apps in SharePoint 2013? Microsoft changed its name to Office Online Server, but that does not mean it is no longer on premises.

As with Office Web Apps, you can view and create/edit (a license is needed) the following document types:

  • Word
  • PowerPoint
  • Excel
  • OneNote

This product is not only for SharePoint; you can use it with other Microsoft products like Exchange, Skype, ... and that is why it needs a separate server.

It also provides the search preview feature and is mandatory for SharePoint 2016 BI.

For more information: https://blogs.office.com/2016/05/04/office-online-server-now-available/

Associated services in SharePoint Server 2016

Learn about the MinRole feature in SharePoint Server 2016 and the services that are associated with each server role type:

https://technet.microsoft.com/en-us/library/mt667910(v=office.16).aspx

The good news is that you do not need to know where to provision the services; SharePoint 2016 knows where to provision them. For example:

  1. If you have frontend and application role servers and you create the Access Database Service 2010, SharePoint 2016 starts the service on the frontend server only, even if you created it from the application server using PowerShell or Central Administration.
  2. If you have frontend and application role servers and you create the Business Connectivity Service, SharePoint 2016 starts the service on both the frontend and application servers, even if you created it from the application server only using PowerShell or Central Administration.

SharePoint 2016 Boundaries

Learn about the tested performance and capacity limits of SharePoint Server 2016 and how the limits relate to acceptable performance:

https://technet.microsoft.com/en-us/library/cc262787(v=office.16).aspx

The most important ones:

  • 20 web applications per farm
  • 750,000 site collections per farm
  • 250,000 sites per site collection
  • 10 application pools per web server
  • 500 content databases per farm
  • 4 TB per content database

SharePoint 2016 Installation

These are some tips related to SharePoint 2016 installation; they cover only the differences between this version and the old versions.

Note: you can still go with legacy topologies as in SharePoint 2013/2010.

  • You can change between these roles from Central Administration
  • You can also check whether a server is compliant with its defined role
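The same checks are available from PowerShell. The script below (an added example, not from the original post) lists each farm server's MinRole role and whether it is compliant, and shows which service instances are actually online on it, which is how you verify the automatic placement described in the "Associated services" section above. It assumes the SharePoint Management Shell on a SharePoint 2016 farm server.

```powershell
# Added example (not from the original post): MinRole role, compliance and online
# service instances per server. Assumption: SharePoint Management Shell, SharePoint 2016.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MinRoleReport {
    # Servers that do not run SharePoint (for example the SQL server) report the role Invalid
    foreach ($server in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
        $online = Get-SPServiceInstance -Server $server |
            Where-Object { $_.Status -eq 'Online' } |
            ForEach-Object { $_.TypeName } |
            Sort-Object -Unique
        [pscustomobject]@{
            Server         = $server.Address
            Role           = $server.Role
            Compliant      = $server.CompliantWithMinRole
            OnlineServices = ($online -join ', ')
        }
    }
}

Get-MinRoleReport | Format-List

# A server whose Compliant value is False is running services its role does not expect
# (or lacks ones it should). To change a role from PowerShell instead of Central
# Administration, use for example:
#   Set-SPServer -Identity '<server name>' -Role Application
```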

SharePoint Timer service issues

I recently came across an issue with SharePoint 2010 related to the SharePoint Timer service, which causes many things to stop functioning correctly. For example, deploying a WSP solution gets stuck in the "deploying" or "retracting" status, or if you run "Reanalyze Now" on a health check item it does not update the status and the button stays disabled for a long time, etc.

In my case, I tried the solutions suggested in this post, "SharePoint 2010 Troubleshooting: Solution deployment stuck on deploying", but without success:

http://social.technet.microsoft.com/wiki/contents/articles/21350.sharepoint-2010-troubleshooting-solution-deployment-stuck-on-deploying.aspx

After more investigation, I found this issue on a server with Visual Studio 2010 installed on it; when I restarted the SharePoint Timer service I got the error "System.Security.Cryptography.CryptographicException ...".

The fix for that error is described in this post, "System.Security.Cryptography.CryptographicException – Keyset does not exist":

https://blogs.technet.microsoft.com/stefan_gossner/2010/05/10/common-problem-with-sharepoint-2010-system-security-cryptography-cryptographicexception-keyset-does-not-exist/

but this is not the fix for the real issue that caused the timer jobs to get stuck.

The real issue was that SPTimerServiceInstance was not online on all servers after patching the SharePoint servers. To fix it, run the following PowerShell on all SharePoint servers to make sure it is online everywhere:

# Find the timer service instances that are not Online and set them back to Online
$farm = Get-SPFarm
$disabledTimers = $farm.TimerService.Instances | Where-Object { $_.Status -ne "Online" }
if ($disabledTimers -ne $null)
{
    foreach ($timer in $disabledTimers)
    {
        Write-Host "Timer service instance on server" $timer.Server.Name "is not Online. Current status:" $timer.Status
        Write-Host "Attempting to set the status of the service instance to online"
        $timer.Status = [Microsoft.SharePoint.Administration.SPObjectStatus]::Online
        $timer.Update()   # persist the change to the configuration database
    }
}

Then restart the SPTimer Windows service manually.

For more information about this issue, check this post, "SharePoint Server 2010: Timer Jobs not Functioning After Applying Updates":

https://blogs.msdn.microsoft.com/tehnoonr/2011/09/07/sharepoint-server-2010-timer-jobs-not-functioning-after-applying-updates/

SharePoint Configuration wizard failed at step 9

There are common issues that appear when you run the SharePoint Configuration Wizard after updating or patching the servers; these issues always fail at step 9 with an unclear error or reason.

To work around these issues, try the following fixes:

  1. Restart the server and re-run the SharePoint Configuration Wizard.
  2. Open the diagnostics log and search for "The object LDAP://CN=Microsoft SharePoint Products"; if you find it, apply this fix:
    https://blogs.msdn.microsoft.com/opal/2010/04/18/track-sharepoint-2010-installations-by-service-connection-point-ad-marker/
  3. Run the Configuration Wizard from the command line using this command, because it shows the exception clearly:
    Psconfig.exe -cmd upgrade -inplace b2b -wait -force
    For example, if you see the exception "There was no endpoint ...", apply this fix:
    http://sharepointviews.com/system-servicemodel-endpointnotfoundexception-psconfig-sharepoint-20102013/