Old Posts

May, 2008 (8)
February, 2008 (1)
January, 2008 (6)
October, 2007 (3)
September, 2007 (2)
August, 2007 (2)
July, 2007 (1)
June, 2007 (4)
May, 2007 (4)

 Tuesday, May 06, 2008
MOSS 2007 Logical Architecture - Part 2 - Web Applications and Zone Policy

In my last post I covered a little bit about Zones and Authentication providers, the next chunk of knowledge that I would like to instill is Web Applications and Web Application Policy (or Zone Policy).

 

A Web Application is an IIS website with a unique domain name, looking at our all encompassing diagram from Part 1 the web applications are the shaded grey areas (which are labeled as Application Pools).

A Web Application can and should be given different application pool accounts to help secure the system. In the sample application the Intranet site is hosted in a different Web Application than the Team and MySites.

To recap, a Web Application is used to isolate content, isolate users so that we can enforce permissions. There are other benefits as well, but they don't really concern us at this stage in the planning process.

 

That leads into the next chunk of information: Zone Policy or web application policy.

The concept is that Zone Policy enforces permissions at the web application level, I might have understated that, so here it is again in different words: Zone Policy will override all other security settings.

 

Now that we have these concepts covered, if we look back at out requirements from Part 1, it starts to become clear what we need to start thinking about:

  • Members of golf clubs, should use a web application with a Zone Policy that prevents write operations.

Just to touch on this point again and to stress the concept, no matter what a site collection administrator does, whatever human error is made in assigning permissions, a golf club member will never be able to write to this site.

 

Lets play devils advocate for a second and assume we took the approach of just using the permissions of the site collection, how do you prevent a user accidentally assigning permissions to someone who should not have them? By now your saying to yourself: Zone Policy.

 

I'd also like to share a practice that our team uses when we manage a MOSS instance, we use Zone Policy to prevent our Farm administrators from making silly mistakes. We setup a zone like admin.domainname and assign permissions via Zone Policy to the admins, rather than making the farm admin group the site collection administrator. We do this so that the farm admins are forced to think about what they are doing, rather than just blindly browsing as an admin.

 

I'm working on getting some screencasts up to help drive home the points that I'm making, so keep an eye out for them. Next time we will look at Site Collections.


Tuesday, May 06, 2008 9:24:12 AM UTC  #    Comments [0]  Sharepoint

Sign In