SharePoint Security Best Practices

Yes, you can have security and performance!

Microsoft has long used the same “object oriented” approach to security within its various “object namespaces”. SharePoint is no different. And Microsoft does have some SharePoint Security Best Practices you may want to consider.

Objects and Security

Ah… what is an “object namespace” you ask?

The Microsoft platform of integrated applications has layers. Each layer is an “object namespace”. For example, starting at the following diagram illustrates the concept.

Microsoft Object Namespace Stacks
Microsoft Object Namespace Stacks

Each layer is like a database. In fact, my long held view has been that the Microsoft platform of integrated applications is nothing but a whole bunch of interrelated databases, each with its own set of objects. Let’s take a simple one like the File System. The File System has three main “objects”

  • Volumes
  • Folders
  • Files

Each of the above namespace objects has its own Access Control List (ACL) containing individual Access Control Entries (ACE) that determine who can do what with and to an object, like a Volume, Folder, or File.

The second thing to understand is how a Microsoft Operating System processes an application like SharePoint’s request for given a user access to an object within its own object namespace. Granting or denying access to an object is a two part process:

  • the Operating System does one initial pass to compare the user’s Security Access Token IDs (User and Group) against the Objects Access Control List entries and extracts all of the matches to create a temporary access table which may or may not grant access
  • it then does a second pass to validate and verify that the user can do what they want to do with the object in question (ie: library document or list item)

Security and its effect on performance

What do you think happens when the object’s Access Control List is full of hundreds or thousands of Access Control Entries? It slows the validation and verification process down. And the larger the Access Control List the longer that process takes.

So how does this relate to the SharePoint object namespace when we are considering SharePoint Security Best Practices?

Remember that every SharePoint namespace object, including Site Collections, Sites, Libraries, Lists, Documents, and Items, each have their own individual Access Control List. If you start using Unique Permissions (non inherited Access Control Entries) on these objects over time the Access Control List gets very large with many entries because no one ever removes the old ones. Gradually over time it takes longer and longer and longer to access these objects because of the two phase process for object access validation and verification.

The SharePoint Security Best Practice, not just with SharePoint but with all Microsoft Object Namespaces, is to keep the Access Control List as small as possible so that the access validation and verification process is as fast as possible. In Article 2 I will demonstrate how to achieve this Microsoft recommended best practice in a SharePoint environment.

Type to search

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.