Hemant's Blogs: March 2016

Monday, March 21, 2016

World Education Services Provides Very Limited Customer Support

World Education Services (WES) is the one of the organizations to evaluate academic credentials for education/admission purposes. Before actually paying money, end user will always want to know how to send documents. Some evaluation service providers accept email from reputed universities, others only go by sealed envelope in mail. If the perspective customer tries to contact WES for correspondence queries like the one mentioned above, they mark WES Reference Number mandatory as mentioned in Figure 1 below. This Reference Number is generated only after required payment is done. The user may not want to pay, until and unless all his doubts are clear. So, this contact form is useless in practical. Further, there is no phone number mentioned here on this page to contact customer service.

Figure 1. Information to be filled on Contact WES form.

Figure 2. Ugly error message displayed if virtual WES Reference number is given.

As per Krug (2014), hiding information like customer support number and asking information that is not really needed are some of the factors to diminish goodwill. Even if the queries being asked by the end user is hidden somewhere in the site, he is entitled to get help on what he has paid or intend to pay for.

References

Krug, S. (2014). Usability as common courtesy. In Don’t Make Me Think (pp. 152-153). San Francisco, CA: Peachpit.

Bank of America Website is not Responsive

If an end user with older screen resolutions try to visit Bank of America website, he will observe a scroll bar in the browser.

Figure 1. Scrollbar in the webpage since content didn’t adjust as per window size.

As per Rumsey, Roth, and Wallace (2013), Responsive web design (RWD) is a way of coding web pages so that they look good on any screen. This concept is not limited to a mobile device, but to all possible screen resolution based on any technology and hardware. As per Breeding (2015), access to Library Technology Guides in February 2015 was 63% desktop, 27% mobile, and 10% tablet and he supports Google decision to decrease page rank of websites with poor mobile usability. Bank of America may have answered Google by giving altogether different content location to mobile users, but desktop users / end users on devices with weird resolution are still suffering.

References

Kumar, H. (2016, March 20). Bank of America Website is not Responsive [Video file]. Retrieved March 20, 2016, from https://youtu.be/bH_4ns6wWP8

Breeding, M. (2015). Going mobile: How I made my own site responsive. Computers in Libraries, 35(4), 23-24,26. Retrieved from http://search.proquest.com/docview/1689887493?accountid=27424

Rumsey, E., Roth, L., & Wallace, W. S., M.S.L.S. (2013). Responsive web design for an academic health sciences library website. Journal of the Medical Library Association, 101(4), 239-240. Retrieved from http://search.proquest.com/docview/1491276028?accountid=27424

MakeMyTrip doesn’t maintain User Flow State across subsites

When an end user switch from one region subdomain to another on MakeMyTrip website, he is taken to home page every time. Say, the end user is on search result page on U.S. sub-domain, if he switch to Indian sub-domain, he will have to start again. This is described in Figure 1 below.

Figure 1. MakeMyTrip: Search preferences lost.

Alcántara-Pilar, del Barrio-García, Porcu, and Crespo-Almendros (2015) studied user flow state (hedonic motivation) in depth and found that it has deep impressions on end user’s loyalty and attitude towards a website. Above mentioned experience on MakeMyTrip may leave end user in confusion and he may have the tendency to switch to competitor right away.

References

Alcántara-Pilar, J. M., del Barrio-García, S., Porcu, L., & Crespo-Almendros, E. (2015). Motivational duality in online consumer behaviour: Website usability and flow state as moderating factors. International Journal of Business and Economics,14(1), 79-104. Retrieved from http://search.proquest.com/docview/1706969854?accountid=27424

Kumar, H. (2016, March 20). MakeMyTrip doesn’t maintain User Flow State across subsites [Video file]. Retrieved March 20, 2016, from https://youtu.be/p6sm0ipEC3U

Sunday, March 20, 2016

Fox News Navigation is Broken

Site Navigation in Fox News is not so smart for the user to navigate back from where it came. In the example in Figure 1 below, end user visited Home > U.S. > Environment. Just in three steps, he is lost. There is no site navigation or breadcrumb here. It seems to be, this website is optimized only for search engines, not for the end user to be a regular visitor.

Figure 1. Navigating three level down in Fox News website

As per Spencer (2008), breadcrumb links refer to a trail of category and subcategory links on a website just beneath the master head (main navigation). Keyword-rich breadcrumb links reinforce website's internal hierarchical linking structure to the search engines, as well as enhance its usability. Leave aside breadcrumb, main navigation is altogether missing on just third level in Fox News website.

References

Kumar, H. (2016, March 20). Fox News Navigation [Video file]. Retrieved March 20, 2016, from https://youtu.be/JiIUZCBm4jA

Spencer, S. (2008). The search is on. Multichannel Merchant, 25(4), 29-n/a. Retrieved from http://search.proquest.com/docview/195854706?accountid=27424

Unnecessary Hype up Apple iphone Features

On Apple official website, there are lots of features of all versions of iphone mentioned, which if studied in detail, don’t even make sense to perspective buyer. Possible reason behind, they hide proper help at right place, is to let the buyer be in confusion and seller take the advantage of this situation. For example, on the Apple website, where end user compare iPhone features with older models, some terms e.g. local tone mapping make no sense to an average end user, as mentioned in Figure 1. Even if end user search for this term in search box, nothing much helpful is available.

Figure 1. Apple must help end user to understand what a feature means, they claim to be present in a product.

As per Kantner, Shroyer, and Rosenbaum (2002), the way end user is trying to seek help for products is changing drastically. Help and documentation about the product should be done in a way which faces least resistance by the end user to understand. Apple must provide end user with running help for the features in a product. This could either take the negotiations in positive direction for seller or may be, in negative direction if user choose not spend money for a feature claimed. But in any case, some kind of running help as suggested in Figure 1 will definitely lead to better satisfaction as a whole.

References

Kantner, L., Shroyer, R., & Rosenbaum, R. (2002). Structured Heuristic Evaluation of Online Documentation. Retrieved March 19, 2016, from http://teced.com/wp-content/uploads/2011/06/kantner_HE_of_online_doc.pdf

Saturday, March 19, 2016

People Search Filters Missing in Bing Search

Biggest problem with Bing search Engine is that, they are busy copying Google features without a thought in head. People search is an example that supports this fact. Search results layout for a person name in Google and Bing is almost the same. Good thing is that by keyword, both search engines know that, end user is searching for a person, at least. But, the most important thing, effectiveness of search results is diminished by missing person filters.

Figure 1. Bing Search results for a person name.

Figure 2. Google Search results for a person name.

Figure 3. Suggested dynamic filter features for search results page – action: search person name.

As per Thurow and Musica (2009), while studying a search engine, its effectiveness, efficiency, learnability, memorability, error prevention & recovery and satisfaction is taken into account. By copying Google as described in Figure 1 and Figure 2 above, Bing Search Engine is trying to cater learnability only. There should be something more Bing must plan to cater to go above and beyond Google. With dynamic filtering suggestion described in Figure 3 above, Bing could achieve better effectiveness and satisfaction.

References

Thurow, S., & Musica, N. (2009). When Search Meets Web Usability. Retrieved March 19, 2016, from http://deca.cuc.edu.cn/Community/cfs-filesystemfile.ashx/__key/CommunityServer.Components.PostAttachments/00.00.00.11.64/When.Search.Meets.Web.Usability.pdf

Google Calendar Won’t Let You Print All Search Results

This is a very common use case, where you want to print large number of events in Google Calendar. But print view of this tool is not optimized for printing. Suppose, a user has many (33 in current example in Figure 1 below) events upcoming for a search keyword, if he tries to print the results, he may only get few of the events (13 in the Figure 1 example below) in the paper print he takes.

Figure 1. Google Calendar is not optimized for printing.

As per Leavitt and Shneiderman (2013), dimensions of content should be adjusted to fit most common page size while printing. But Google Calendar print style sheet is not smart enough to remove scroll bars while printing.

References

Leavitt, M., & Shneiderman, B. (2013). Research-Based Web Design & Usability Guidelines. Retrieved March 19, 2016, from http://www.usability.gov/sites/default/files/documents/guidelines_book.pdf

Author Commentary Options Missing in Blogger

According to research by Salas-Rueda (2016), audio-visual content facilitates the teaching-learning process. Blogger gives the facility to insert a YouTube video, as mentioned in Figure 1. But, the steps involved in attaching a video may be, publishing a video (lengthy process in itself) and then refer it here.

Figure 1. Option to attach video in Blogger.com with possible improvement.

As per Nielsen (1995), a system should cater both inexperienced and experienced users. Had there been a webcam option in Blogger for videos, it would have been more flexible and efficient to use.

References

Nielson, J. (1995, January 1). 10 Usability Heuristics for User Interface Design. Retrieved March 02, 2016, from https://www.nngroup.com/articles/ten-usability-heuristics/

Salas-Rueda, R. (2016). The impact of usable system for regression analysis in higher education. International Journal of Educational Technology in Higher Education, 13(1), 1-10.

Sunday, March 13, 2016

Strictly JavaScript Income Tax Calculator

This example explains how to use the right conditions at right place.

"use strict"; // undeclared variables prohibited.
var $ = function (id) {
return document.getElementById(id);
};

window.onload = function () {
$("calculate").onclick = calculateTax;
$("reset").onclick = resetInputValues;

};
// this method is called on click of reset button
function resetInputValues() {
$("tax").value = "";
$("income").value = "";
$("mymessage").innerHTML = "";
return;
}

// this method is called on click of calculate button
function calculateTax() {
//input validation
var mySalary = $("income").value.trim();
if (isNaN(mySalary)) {
window.alert("Invalid input.");
return;
}
mySalary = parseFloat(mySalary);

var taxPaid = 0;

if (mySalary > 413200) {
taxPaid = (mySalary - 413200) * 0.396 + 119996.25;
}
else if (mySalary > 411500) {
taxPaid = (mySalary - 411500) * 0.35 + 119401.25;
}
else if (mySalary > 189300) {
taxPaid = (mySalary - 189300) * 0.33 + 46075.25;
}
else if (mySalary > 90750) {
taxPaid = (mySalary - 90750) * 0.28 + 18481.25;
}
else if (mySalary > 37450) {
taxPaid = (mySalary - 37450) * 0.25 + 5156.25;
}
else if (mySalary > 9225) {
taxPaid = (mySalary - 9225) * 0.15 + 922.50;
}
else {
taxPaid = mySalary * 0.10;
}

$("tax").value = taxPaid.toFixed(2);
$("mymessage").innerHTML = taxPaid + " is rounded to " + $("tax").value;

}

Sample strictly JavaScript Monthly Balance Calculator

Save this folder somewhere you can edit and play around with these files.

Some of the learning :

1. how to set undeclared variables prohibited
2. handle arrays
3. playing around with dates in jacascript. new Date, setYear, setMonth, setDate, getDateParts, getFullYear, getMonth, getDate
Especially the formatting.
4. classes and objects in JavaScript
5. parseInt, parseFloat

and so on

balance.js:

"use strict"; // undeclared variables prohibited.

// get element by id
var $ = function (id) { return document.getElementById(id); };

//creates the grid to display based on transList array available in memory ctrl F5 to start over.
var updateDisplay = function () {
var html = "<tr><th>Date</th><th>Amount</th><th>Balance</th></tr>";
var html = html.concat("<tr><td></td><td></td><td>0</td></tr>"); // initially balance is zero.

var count = getTransaction();//get number of elements in transList array.
var total = 0;

//itrate transList to create actual transaction grid
for (var i = 0; i < count; i++) {
var trans = getTransaction(i);//get i+1 element in transList array.
total = calculateBalance(trans["type"], trans["amount"], total);//get cumulative balance after current transaction.
//system allows blank value in date, if blank is passed as input, itmeans current date. If type is withdrawal amount is displayed like, (amount).
// date format id MMM DD YYYY ( e.g. Feb 29 2016). future and past dates are allowed.
html = html.concat("<tr><td>", trans["dateDisplay"], "</td><td>", trans["amountDisplay"], "</td><td>", formatTotal(total), "</td></tr>");
}
// set the html calculated to UI.
$("transactions").innerHTML = html;

};

//if date input field is blank(noTrim) , it means user wants to enter current date
var getValidDateString = function () {
var dtParts; //undefined
//if user wants current date
if ($("date").value === "") {
dtParts = getDateParts();
} else {
dtParts = getDateParts($("date").value);
}
//if user wants current date, almost no chance that dtParts remains undefined
//but if user enters some value it must be a valid date in format MM/DD/YYYY or else dtParts is undefined
if (typeof dtParts !== "undefined") {
//return valid date entered/ assumed in format MMM DD YYYY
return months[dtParts[0] - 1] + " " + ((dtParts[1] < 10 ? "0" : "") + dtParts[1]) + " " + dtParts[2];
}
alert("Please enter date in format MM/DD/YYYY e.g. 02/28/2017. You may leave blank if transaction happened today.");// Instrictions
$("date").focus(); // take user to date input field to re-enter.

};

// there is almost no chance of error here, since dropdown has only two options
var getValidType = function (type) {

if ($("type").value === "deposit" || $("type").value === "withdrawal")
return $("type").value;

alert("Invalid Type.");
$("type").focus();

}
//if user enters some random text or he tries to give negative values, this will throw alert.
var getValidateAmount = function () {

//check if not a number.
if (isNaN($("amount").value)) {
alert("Invalid amount.");
$("amount").focus();
return;
}
//round to two decimals
var returnValue = parseFloat($("amount").value, 10).toFixed(2);//string here to return
//negative value not allowed, since it means withdrawal, denoted by transaction type
if (parseFloat($("amount").value, 10) < 0) {
alert("If it is a withdrawal, select withdrawal in Type dropdown and enter a positive amount here.");
$("amount").focus();
return;
}
return returnValue;
}

var add = function () {
var cType = getValidType();
var cAmount = getValidateAmount();
var cDateString = getValidDateString();
if (typeof cType === "undefined" || typeof cAmount === "undefined" || typeof cDateString === "undefined")
return;
//till this point we are ready with valid inputs(assumed/actual).
addTransaction(cType, cAmount, cDateString);
//now update display to include just added transaction.
updateDisplay();
};

//bind add function to click of add button on load of window
window.onload = function () {
$("add").onclick = add;
updateDisplay();

};

library_balance.js

"use strict"; // undeclared variables prohibited.

//no form input fields reffered here to make it look like a library.

var transList = []; // array to store transactions

// short form of months to be displayed. This is needed because old browsers don't support toLocaleDateString
//can't use substring on date string, because it contains "," which is not presented in date in screenshot
var months = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];

//transaction is the class will be used to insert objects in transList
function transaction(type, amount, date) {
this.type = type; // deposit or withdrawal - string
this.amount = amount; //string
this.amountDisplay = (type === "deposit") ? amount : "(" + amount + ")"; // display (amount) for withdrawal
this.dateDisplay = date;//date is already validated and converted to format to be displayed

};

//if input is undefined, it will consider current date as input
//input is string/nothing
//outout is 01/01/2001 > [ 1, 1, 2001] ie. [ month, day, year]
var getDateParts = function (dateValue) {

if (typeof dateValue === "undefined") {
var currentdate = new Date();
//month is done + 1 because it returns one less number than actual month e.g. 2 for march
return [currentdate.getMonth() + 1, currentdate.getDate(), currentdate.getFullYear()];
}
var datereg = /^\d{1,2}\/\d{1,2}\/\d{4}$/; //e.g. 99/99/1111
if (dateValue.match(datereg)) {
var splitDateInput = dateValue.split("/");
var monthPart = parseInt(splitDateInput[0], 10);// e.g. 99
var dayPart = parseInt(splitDateInput[1], 10);// e.g. 99
var yrPart = parseInt(splitDateInput[2], 10);// e.g. 1111
var date = new Date();// gives current date
date.setYear(yrPart);
date.setMonth(monthPart - 1);
date.setDate(dayPart);
// now test data ( 99/99/1111) gives date as Sat Jun 07 1119 00:00:00 GMT-0400 (Eastern Daylight Time)
//so now compare with inputs again.
//good thing is leap check is also done in below if condition, like 02/29/2015 will fail here.
if (date.getFullYear() === yrPart && date.getMonth() + 1 === monthPart && date.getDate() === dayPart) {
return [monthPart, dayPart, yrPart];
}
//if input was valid ,an array containing month, day , year numbers is returned
//or else nothing - undefined

}

}

//input integer/nothing
//output is a transaction object
var getTransaction = function (index) {
if (typeof index === "undefined") {
return transList.length;
}
else if (index < transList.length) {
return transList[index];
}

};

//now add transaction is simple, inputs must be valid, simply add an object of type transaction to transList
//input string, string , string
var addTransaction = function (type, amount, date) {

transList.push(new transaction(type, amount, date));
};

//this adds amount to total for deposit
// and subtract amount from deposit for withdrawal
//input string, string, string
//output string
var calculateBalance = function (type, amount, total) {
//amount = parseFloat(parseFloat(amount, 10).toFixed(2), 10);
// total = parseFloat(parseFloat(total, 10).toFixed(2), 10);
amount = parseFloat(amount, 10);
total = parseFloat(total, 10);
if (type === "deposit")
return (total + amount).toFixed(2);
else
return (total - amount).toFixed(2);
};

//used to format any string like -23.2222 to (23.22)
//or 23.2222 to 23.22
var formatTotal = function (am) {

am = parseFloat(am, 10);

return (am < 0) ? "(" + Math.abs(am).toFixed(2) + ")" : am.toFixed(2);

};

Sample Custom jQuery plugin

Download this folder somewhere you can open and edit the content
On $(document).ready , decorateTable custom jQuery plugin is applied on table with id "important" . This will apply even odd classes on the elements of this table . This custom plugin has three input settings parameters $('#important').decorateTable({ oddRow: 'oddAltered', evenRow: 'evenAltered', headerRow: 'headerAltered' });
default settings for custom plugin are : oddRow: 'odd', evenRow: 'even', headerRow: 'header'

altrow.js

"use strict";

$(document).ready(function () {

$('#important').decorateTable();

// if you want to give custom colour, give parameteres as mentioned below.

// $('#important').decorateTable({ oddRow: 'oddAltered', evenRow: 'evenAltered', headerRow: 'headerAltered' });

});

jquery.altrow.js

"use strict";

(function ($) {

$.fn.decorateTable = function (options) {

// default settings

var settings = $.extend({

oddRow: 'odd',

evenRow: 'even',

headerRow: 'header'

}, options);

// odd rows not having th element

//in table this (on which decorateTable plugin is applied)

$('tr:not(":has(th)"):odd', this).addClass(settings.evenRow); // class name is swithed to make it look like screenshot in the assignment

// even rows not having th element

//in table this (on which decorateTable plugin is applied)

$('tr:not(":has(th)"):even', this).addClass(settings.oddRow); // class name is swithed to make it look like screenshot in the assignment

//the row having th element (on which this plugin is applied)

$('tr:has(th)', this).addClass(settings.headerRow);

}

}(jQuery));

Simple example of $.ajax to get JSON (JQuery)

Download the files available in folder speakers
Save them somewhere you can access them over http.
On document ready, toobin.json is loaded and html elements inner html is replaced.
On click of elements in navigation chua.json, sampson.json, sorkin.json or toobin.json is loaded using $.ajax and elements in index.html are filled with html. Which json to load is being decided by title attribute of of the anchor clicked.

speakers.js

"use strict";

$(document).ready(function () {

//applies to all aside > nav > ul > li > a

$("aside > nav > ul > li > a").click(function () {

//fill this array with parts of json file path. please note, with json file location change, you will change it.

var pathparts = [];

pathparts.push(

"json_files/",

$(this).attr('title'),

".json"

);

consumeJSON(pathparts.join(""));

});

//anchor with title toobin

$("a[title='toobin']").click();

}); // end ready

function consumeJSON(jsonFileURL) {

$.ajax({

url: jsonFileURL,

//default method is GET so need not mention

dataType: "text", // you may pass json here and avoid parseJSON below

success: function (data) {

//data downloaded so we call parseJSON function

//and pass downloaded data

var json = $.parseJSON(data);

//use html() instead of text() below, note that input has html tags too. see the json also to observe these tags.

//each json has single element under speakers collection

// important : we could also prepare whole html and set html inside main element

$("main > h2").html(json.speakers[0].month + "<br/>" + json.speakers[0].speaker);

$("main > h1").html(json.speakers[0].title);

$("main > img").attr("src", json.speakers[0].image);

$("main > p").html(json.speakers[0].text);

}

});

}

Friday, March 11, 2016

Security in SharePoint 2013

Abstract

This paper explores SharePoint 2013 Service applications in depth along with accounts recommended to configure them to reduce chances of security vulnerabilities. The target audiences for this paper are SharePoint administrators and auditors unlike the previous paper in this series which covered overall Security Framework in SharePoint 2013. To secure the SharePoint environment, administrator must be aware of infrastructure; system & software configurations and define robust patch deployment strategies. This paper will explore here some of the most important configuration aspects at farm level to avoid security breaches.

Keywords: SharePoint Server 2013, Security, Service Applications, Service Accounts, Monitoring, Health Analyzer, SharePoint Administration

Service Applications in SharePoint 2013

Hemant Kumar

This paper gives an overview of all the available service applications in SharePoint 2013 which a SharePoint administrator and auditor must be aware of and covers most important things to be followed to keep environment secure in this context. This paper may be considered in continuation of “Security in SharePoint 2013” by Kumar (2016), where he addressed general audiences who are the stakeholders at any level in hierarchy in an organization, consuming SharePoint 2013. In contradiction to previous one, this paper is helpful only for limited audiences who have knowledge in SharePoint and Windows Server administration. Under SharePoint 2013, service applications are shared amongst all the front end web applications and more often ignored for security issues and practices to be followed, since they are not visible to day-to-day users and owners in the front end web application. Only when something goes wrong, these areas are revisited, but after potential business loss. To avoid disastrous situations and to keep system secure, the author explores mostly ignored topics in SharePoint farm administration here. It is most important to mention here that, with the topics mentioned here in this paper only, achieving certain level of compliance certifications may not be possible. This study may be helpful to avoid only few of vulnerabilities in the system at first place. This covers only a small part of the whole picture; things like network defense/attacks, firewall, possible ways to attack the system etc. are not covered here.

SharePoint 2013: Service Applications

Before author explores biggest mistake administrator does while farm configuration, which leads to major security breaches, names and purpose of each Service application must be understood.

SharePoint Server 20013 allows unique functionalities, for example search to be packaged as a readymade service, which may be deployed on same server or different server in the farm. This also means sharing the same service deployed amongst multiple front end SharePoint web applications is possible, and in some cases even outside the SharePoint farm. But configuring these services in the right manner is mandatory to avoid security breaches and healthy life span of main SharePoint web application whose features are dependent on the services consumed. Here author covers the most important and mostly used SharePoint Services.

Secure Store Service

As mentioned by Kumar (2016), this service may be considered in most layman term as an impersonation layer. Suppose there is particular module which may be executed by a specific user, but sharing credentials of this user amongst the group or to any other user is not possible for security reasons. A target application may be defined in Secure Store Service, to serve such sceneries in SharePoint. Audit logging of actions performed using Secure Store Service is disabled by default, enabling it may help track unauthorized information flow.

Good thing about Secure Store Service is that, it stores credentials of target user encrypted in a separate database, which may be even made more secured by deploying on separate server. Also, credentials fields supported are generic, user name, password, personal identification number, key, windows username, windows password, certificate and certificate password. Bad thing is, if Secure Store Service is hacked, and there are multiple sources of secured information configured to be accessed through this framework, the whole SharePoint farm is most unsecured place to think of.

Search Service

As mentioned by Kumar (2016), this service may be used to even crawl the external content along with SharePoint website sin the SharePoint Farm. This module is responsible for crawling information source, prepare and maintain indexes based on crawled information, search queries analytics and usage, search administration.

Administrator need to make sure, all the content in the target application being crawled is accessible to account with which crawling is being done, but it does not mean giving full permission on the target. Read permissions are sufficient. Sometimes, search services are configured to exist on front end server, where content source web application resides and Windows server prohibits accessing website on the same server by crawlers. Most prevalent solution is to “DisableLoopbackCheck” on front end server level. But as per Kumar (2011), this is not the secure way of implementing search in SharePoint. Another security concern with SharePoint Search Service crawler is that, it relies on custom headers to identify that target web application is SharePoint based. If administrator removes these headers as explained by Kumar (2013), search crawlers are not able to crawl fine grained objects like list item in SharePoint target, and if he doesn’t removes these headers, hackers can easily identify that target is SharePoint based.

User Profile Service

User profile service is used to keep data related to people in an organization. This may have been coming from Active Directory (AD) in parts or some other custom sources. SharePoint features like setting up audiences, my site for end users and social features are directly dependent on this service.

User profile database, synchronization database and social tagging database are created when this service is configured. A healthy and fully functional User Profile Service is dependent on Managed Metadata Service, Search Service and Business Connectivity Service to deliver full range of social features in SharePoint 2013.

Managed Metadata Service

This SharePoint service is responsible for sharing managed keywords and term sets across the multiple site collections across the boundaries. One of the most important use of defining taxonomies and term sets at single place is better and more organized search results. This makes information more meaningful to the end user.

Business Data Connectivity Service

As mentioned by Kumar (2016), content types are the ways to define information in consistent way across the SharePoint site collection. This service is used to define external Content Types to consume data from external line of business. The way this service is configured, is highly dependent on what type of existing or future external to SharePoint solutions and organization consumes and what will be the business flow.

Word Automation Services

This service is responsible for server side conversions of Word documents. This service is able to cater both synchronous and asynchronous operations on documents in SharePoint 2013. For asynchronous operations, this service is dependent on SharePoint Timer Jobs.

User Profile Synchronization Service

This service supplements User Profile Service described above, to facilitate user information import from other systems. These systems may be Active Directory Domain Service, SAP, SQL Server or else.

Machine Translation Service

This service is used to automatically translate content in SharePoint with help of Microsoft Online Translator Tool. This is the most helpful feature in multilingual scenarios in SharePoint 2013.

Work Management Service

This service is responsible for task aggregation at central location. My site and new feed experience are the examples. Be it Exchange, Project Server or to-do and tasks in SharePoint, with help of Search Service and User Profile Service, and user may get everything at one place.

Visio Graphics Service

Visio diagrams may be rendered in SharePoint 2013, with help of this service. This service is dependent on State Service for its normal operation.

State Service

This service is responsible for storing temporary data across related requests over http. Many services and functionalities like Visio Graphics Services, SharePoint Health Reports and many more won’t work without this being configured.

Microsoft SharePoint Foundation Sandboxed Code Service

Traditional custom solutions and webParts used to run under w3wp process earlier, with help of these new service; administrators may actually limit the resources per application basis and they run under a different process altogether to give better security and isolation. The new model available is based on this service.

Access Database Service 2010 and Access Services

In SharePoint 2013, under new app model, for each Access app created a new SQL DB is generated by Access Services. This is a very fast and user friendly way for user to create and publish relational database and content in a web user friendly way. Access Services are responsible for creating and customizing Access apps. Access Database Service 2010 is provided for backward compatibility.

App Management & Microsoft SharePoint Foundation Subscription Settings Service

Providing this feature and service in SharePoint 2013 is a step towards Google Play store and Apple Play Store like mythology from Microsoft in SharePoint, where publishing and buying apps online is facilitated. App Management Service works in conjunction with Microsoft SharePoint Foundation Subscription Settings Service is the backend engine to support this feature

Central Administration Service

Stopping this service on all servers in farm sufficient to screw up a SharePoint 2013 whole farm, an administrator without knowledge in PowerShell may be stuck without this service running.

Claims to Windows Token Service

As the name suggests it’s a part of Windows Identity Foundation on the server. This service is responsible for impersonations required for accessing backend resources by SharePoint and other products.

Distributed Cache Service

This service is required by many services to operate or give better performance for others, few examples of features depending on this services are OneNote, security trimming, news feeds, social features, page load performance and so on.

Document Conversions Launcher and Document Conversions Load Balancer Service

Document Conversions Launcher Service schedules and initiates the document conversions. When SharePoint Foundation passes a document conversion request to the document conversion launcher service, the service must call the appropriate document converter. The load balancing of incoming requests is taken care of by Document Conversions Load Balancer Service.

Excel Calculation Service

Excel calculation Service in SharePoint 2013 may be taken as more of business intelligence tool to share and render workbooks as a web page content directly.

Lotus Notes Connector Service

Since for Lotus notes the platform of development and terminology is different, to support big name sin market, Microsoft altogether built a connector in SharePoint 2013 for functionalities like crawl the content inside Lotus notes.

Microsoft SharePoint Foundation Incoming E-Mail Service

Suppose end user wants to use SharePoint as a dropbox where he could email content and get it follow the further publishing work flow, yes it is possible with help of this service only.

Microsoft SharePoint Foundation Web Application Service

This service provides connect between SharePoint and IIS. Without this service running, not even a web application could be created.

Microsoft SharePoint Foundation Workflow Timer Service

This service is responsible for timed events and workflows related to list and documents in the site collections.

PerformancePoint Service

This service is responsible for monitoring and related data analysis including rich dashboards and tools to consume this information.

PowerPoint Conversion Service

This service is responsible for server side conversions of PowerPoint slides to different formats.

Request Management Service

This service is only configured through PowerShell, and is responsible for request routing based on the type of request, to the right server in the farm.

Farm Level Accounts

The most common flaw in SharePoint Service application configuration observed is using single account for all the operations. Think of the situation, this single account is compromised.

SQL Server Service Account

This is the account is used for setting up Windows Services (named MSSQLSERVER, SQLSERVERAGENT) running on SQL server. Request Manager is functionality in SharePoint Server 2013 that enables administrators to manage incoming requests and determine how SharePoint Server 2013 routes these requests. If this account is not configured correctly, backup and restores from external resources are affected. This is preferred to be domain account, but not a requirement.

Setup User Account

This is the account is used for initial setups and initial configuration wizards execution. This account must be in administrative group on all the servers and part of securityadmin & dbcreator server roles on SQL box. If the administrator plans to run PowerShell scripts which directly affects this is supposed to be db_owner on the target. This must be a domain account.

Server Farm Account

This is important to understand that, the moment a server is added to SharePoint farm, this account gets additional privileges over the server resources. This account is responsible to configure and mange server farms in future, acts as application pool identity on IIS for central administrative web application and configured to run SharePoint Foundation Workflow Timer Service right from the beginning. The importance and of this account in security may be estimated by the fact that this account is having dbcreator, securityadmin and db_owner roles on all SQL server where all the database and underlying configuration of SharePoint exist. If credentials of this account are leaked, nothing is left to protect anymore. This must be a domain user account.

Service Application Accounts

Above mentioned three accounts are required before even starting deploying SharePoint on a fresh environment. The most common mistake, as described previously in this paper, administrator does is, they don’t go further and setup additional accounts mentioned below: Here the author explores service accounts in terms of application pools and account for unattended services. Say, administrator is having single server to run all the services, single server may have multiple Application Pools on the same server, or in case, multiple servers are provided, each group of services under same application pool may be shifted, or even divided. The purpose is to get basic idea, which services may reside together and share resources without breaching security and which one requires domain account for normal operations to be achieved.

Service Application Account for Application Pool 1

Unless there is a specific security reason, justified per business needs, a single application pool in IIS may host end point for Access Services, Word Automation Services, Usage and Health Data Collection Service, Secure Store Service, Business Data Connectivity service, User Profile Service and Visio Graphics Service. Being under same Application Identity pool means these services are sharing resources. The account being used to run this category may be a local account. They are grouped together here because they don’t mandate the use of a domain account and they may reside together. But administrator is allowed to use a unique domain account if need be.

Service Application Account for Application Pool 2

Excel Services, Managed Metadata Service, PerformancePoint Service and Search Service endpoints may reside together on a single application pool identity, but that must be running with a domain account. Unless, there is a need due to business rules or performance constraint, these services may share single application pool in IIS.

Service Application Account for Application Pool 3

Security Token Service, Application Discovery and Load Balancer Service endpoints may reside together on a single application pool identity. This account must be the Farm Service Account and the SharePoint Products Configuration Wizard automatically creates this application pool. This need not be a domain account.

Unattended Service Account 1

Under Excel Services, this account is must to perform actions like refreshing worksheet data when authentication type specified is none or non-Window credentials are input. This must be a domain user account.

Unattended Service Account 2

Under PerformancePoint Services, this account is used to authenticate with data sources. This must be a domain user account.

Unattended Service Account 3

Under Visio Graphics Services, this account is used to refresh data from non-SharePoint data sources. This need not be a domain user account but this decision is dependent upon which type of data source application uses.

Content Access Account for Search

This account is used by SharePoint Search to crawl content from different sources. The source may be an external content or inside the local farm. This account has read permission on all the content to crawled, no matter what type of account it may be. But as mentioned by Catrinescu (2013), this should be a domain user account. This must not be part of farm administrator group. This issue is caught very common in security audits.

Search Service Account

Please note, this account is different from Content Access Account for Search and Service Application Account for Application Pool 2 described above. This is used to run actual Search Service Engine. This must be a domain user account. This must not be part of farm administrator group. This issue is caught very common in security audits.

User Profile Synchronization Account

Please note, this account is different from Service Application Account for Application Pool 1 which is used to run web application end point hosting User Profile Service. Unlike the App pool 1 account; this must be a domain user account as per Catrinescu (2013). Also, it should have “log on locally” permission on the computer running the instance of the User Profile Synchronization Service.

User Profile Connection Account

Please note, this account is different from Service Application Account for Application Pool 1 which is used to run web application end point hosting User Profile Service and User Profile Synchronization Account which is used run Synchronization Service. This must be a domain user account as per Catrinescu (2013). There may be the case, for each connection established with remote directory service; there is a different connection account. This account must have replicate directory changes permission on the domains under consideration.

App Management Service Account

Type of this account depends on SharePoint Catalog and SharePoint Store being consumed to install apps in local farm. This account is responsible for App management in SharePoint.

PowerPoint Conversion Account

This account is responsible for Microsoft PowerPoint presentations conversion to different formats using PowerPoint conversion service engine. There is no specific requirement for this to be domain account unless required by organization specific architecture.

Machine Translation Account

This account is responsible for automatic translations in SharePoint. There is no specific requirement for this to be domain account unless required by organization specific architecture.

Distributed Cache Account

This account is used to run Distributed cache service responsible for catering in-memory to various features like authentication, security trimming by other services e.g. search results, page load performance, newsfeed and so on. There is no specific requirement for this to be domain account unless required by organization specific architecture.

Work Management Account

All the task aggregations by work management service are performed using this account sources being SharePoint products, Microsoft Exchange Server, Microsoft Project Server and so on. The type of account used greatly depends upon the sources consumed.

Access Services 2013 Account

This account is responsible for views, edits and all kind of interactions with Access 2013 database in browser using SharePoint 2013. There is no specific requirement for this to be domain account unless required by organization specific architecture.

SharePoint Health Analyzer

While auditing any SharePoint 2013 environment for security and other issues, this may be the best place to start with. The reports available under this section in central administration are based on 63 automated rules defined by Microsoft. All the rules may be disabled, if done so by administrator, this must be reported in audits and cross questioned with administrators. For example, the default rule, “Accounts used by application pools or service identities are in the local machine Administrators group” as per Microsoft (2013), available under “SharePoint Health Analyzer rules reference”, if disabled may open gateways to attack.

Under Central administration, administrator may visit Monitoring > Health Analyzer > Review problems and solutions, to figure out what is going wrong. Since this data comes from a SharePoint List present in Central administration, even he can enable email alerts on item created in this SharePoint List, if paid monitoring tools are not available.

Definitely, this Health Analyzer does not cover everything, but help to detect a lot more than what administrator could achieve manually.

Conclusions and Future Study

This paper covers only SharePoint Service Applications, accounts categories recommended to be used in configuring these service applications & application pools in IIS and brief overview of Health Analyzer. But this does not cover all the vulnerabilities that might be present in the system. For example, there might be many Windows Services and components running on the servers in farm, (with current features required by the organization,) may not be required, and so must be stopped to reduce the attack vectors. SQL Server may be exposed on default ports and many firewall rules may not have been even thought of by the administrator. And so on.

All in all, this paper covers much, but to secure the SharePoint environment as a whole, one more research on the whole infrastructure is highly recommended.

References

Catrinescu, V. (2013, January 07). SharePoint 2013 Service Accounts Best Practices. Retrieved May 08, 2016, from https://absolute-sharepoint.com/2013/01/sharepoint-2013-service-accounts-best-practices-explained.html

Cleary, L. (2016, May 02). Penetration Testing SharePoint. Retrieved May 08, 2016, from https://www.pluralsight.com/courses/penetration-testing-sharepoint

Collins, J. (2016, April 14). SharePoint Environment Auditing. Retrieved May 08, 2016, from https://www.pluralsight.com/courses/sharepoint-environment-auditing

Ehrenberg, J. (2015, April 01). SharePoint Health Analyzer rules reference (SharePoint 2013). Retrieved May 08, 2016, from https://jimehrenberg.wordpress.com/2015/04/01/sharepoint-health-analyzer-rules-reference-sharepoint-2013/

Fakos, A., & Philipp, J. (2013, November 28). Getting a handle on SharePoint security complexity. Retrieved May 08, 2016, from https://www.owasp.org/images/0/09/OWASP_BeNeLux-SharePoint-Comprehensive_Security_model_v1.0.pdf

Kumar, H. (2011, June 14). SharePoint disable loopback check | Specify Host Names. Retrieved May 08, 2016, from https://hemantrohtak.blogspot.com/2011/06/sharepoint-disable-loopback-check.html

Kumar, H. (2013, January 07). SharePoint 2010 Enterprise Search | SharePoint Crawl Exceptional Behaviour. Retrieved May 08, 2016, from https://hemantrohtak.blogspot.com/2013/01/sharepoint-2010-enterprise-search.html

Kumar, H. (2016, March 11). Security in SharePoint 2013. Retrieved May 08, 2016, from https://hemantrohtak.blogspot.com/2016/03/security-in-sharepoint-2013.html

Lozzi, D. (2013, April 03). Overview of SharePoint 2013’s Services. Retrieved May 08, 2016, from https://davidlozzi.com/2013/04/03/overview-of-sharepoint-2013s-services/

Matthews, P. (2015, January 21). Setting up Word Automation Service for SharePoint 2013. Retrieved May 08, 2016, from https://cann0nf0dder.wordpress.com/2015/01/21/setting-up-word-automation-service-for-sharepoint-2013/

Microsoft. (2013, December 18). SharePoint Health Analyzer rules reference (SharePoint 2013). Retrieved May 08, 2016, from https://technet.microsoft.com/en-us/library/ff686816.aspx

Microsoft. (2013, December 18). Overview of managed metadata service applications in SharePoint Server 2013. Retrieved May 08, 2016, from https://technet.microsoft.com/en-us/library/ee424403.aspx

Microsoft. (2013, December 18). Manage service applications in SharePoint 2013. Retrieved May 08, 2016, from https://technet.microsoft.com/en-us/library/ee704544.aspx

Microsoft. (2014, March 11). Share service applications across farms in SharePoint 2013. Retrieved May 08, 2016, from https://technet.microsoft.com/en-us/library/ff621100.aspx

Microsoft. (2014, August 26). Plan for administrative and service accounts in SharePoint 2013. Retrieved May 08, 2016, from https://technet.microsoft.com/en-us/library/cc263445.aspx