A Simple and Practical Approach to Security

We all know of the importance of security and the unfortunate result of a breach. Too many organizations realize this after it is too late, when their name is seen across the news channels as having lost their data to a hacker or, even worse, to negligence. What about those that never make the headlines? The hackers that go undetected? So are you handling security effectively?

The challenge is that security is a question of balance and knowledge. We need to balance the correct measure of security with the asset that we are protecting. The most secure room is one that nobody can enter, but is that useful? When it comes to knowledge, we need to know not only how to properly implement effective security measures, but to also know what kind of threats we are protecting ourselves against. Keeping current on technologies and security best practices is a never ending quest that organizations must endure if they wish to protect their assets. Surprisingly, most organizations fail at the fundamentals, and not at the level that would be worthy of someone from the movie “Hackers”.

Lastly, before jumping into the guidance, I feel I need to repeat something that everyone has heard – Security is everyone’s business. Quite often good security practices fall between the cracks of the blame game, where developers say that “Security is the IT admin’s job” and the IT admins say that “The software should already be secure without the need for me to configure a bunch of stuff”. The advice I have below may sound like it is administrator focused, but it is not. It applies to everyone, including the developer. As a matter of fact, I think the developers need it even more than the administrators, since the systems that developers build need to not only follow this advice while the software is being built, but also help an administrator follow it as well.

A simple approach – There are 3 big pieces of advice I give my clients when discussing security best practices. They are:

  1. Answer the 3 basic questions
  2. Always follow the asset
  3. Keep current

Organizations that follow this guidance in one form or another tend to have successful security practices. Let me describe them, and I think you will see how simple they really are.

Answer the 3 basic questions – you need to always be able to answer these simple questions when it comes to security. Unfortunately, as you go down the list, you’ll notice how we typically get worse and worse in answering the questions. The three questions are:

What are the security requirements? – At a high level, who should have access to what? This is a question that is typically well answered by most organizations. For that reason, I won’t waste your time delving into it.

How do we know we meet them? – Simply put, every security plan needs to show that we actually meet the requirements that were outlined, so the question becomes how do we audit security? Auditing can range from simple user testing to in-depth security testing such as penetration testing. For the system implementers out there, this means that we need to ensure that we can successfully audit our system. For the developers out there, it gets a bit more complex. Not only do we need to ensure that the administrators that are using our software can audit simple things like basic user security, but we need to also ensure that the code that we write can endure a variety of lower level hacking style attacks. The question remains the same though. If the requirement is that the code that I write is secure against hacking attempts, how do I know it is secure? Proper software testing is the key to that. Hopefully when I get a bit more time, I will follow that up with my other favourite rants on security on the importance of software testing, but for now the point is, you need to be able to answer YES to this question and be able to prove it.

The final question is the one that I think as an industry, we are the worst at.

When is the last time we checked? – We need to make auditing routine. If something changes, is it compliant with our security requirements? Quite often we see changes made to systems, to troubleshoot a problem or for other reasons, that elevate security in some form, and the elevation goes unnoticed and possibly unchanged. Having the ability to be notified of, or even block, a process that is not security compliant is ideal. For software developers, that typically means that we need to incorporate those features into our software design. Does your software have an auditing feature? Has it undergone proper security testing? And by ‘proper’, I don’t mean relying on user testing.

Those 3 questions will help you solidify a basic approach to security. To help handle security at a wider scale, such as throughout an organization, I present the second best practice.

Always follow the asset.

The asset in your organization is what you are trying to protect. For argument’s sake, let’s start off with something like a credit card number. Most organizations would point to where it is stored, and say “Look! It’s encrypted where we store it!” However, if you trace the asset through its lifetime, you’ll often see other places where the credit card number exists where it is no longer encrypted. For example, when the person entered the credit card number into the screen, was it encrypted during the submission? Was it encrypted during transport between the client and the database? Is there other software, such as a payment application that reads the credit card number from the database and submits it for authorization? How secure is that? Quite often we secure an asset by securing its container. It is only when we follow the asset throughout its lifetime that we can better apply the appropriate security to all of the places where the asset can live, whether it be its storage container, or during its transmission between systems. When you follow the asset, you can ask the question “Is it secure here? What about here? Or here?” and readily identify the other places where an asset that needs to be secure lives.

For another example that probably hits a little closer to home, consider the way that document security is typically handled, as a file in a folder. Most organizations secure the folder, audit it, test it, and give themselves a giant pat on the back when they say “Yes, we’ve secured the document”. As a manager that has permissions to read the document, where does the document exist when I open it? Could I attach it to an email and send it to someone? What about copy it to a USB key to take home to work on there? How secure is the document now? Was the security on the folder effective? I think not. Security with this approach has ignored the fact that data “lives” in an organization. It moves, it breeds (gets copied if you’re not sure where I was going with that!), and an organization needs to “follow” this asset wherever it may live. Once you have an understanding of where it can live, then you can better apply the appropriate security.

Lastly, the final best practice and I think the most obvious – Keep current.

I think it goes without saying why this is important, so my point is this, and I’ll start with a quote by Peter Drucker, “Plans are only good intentions unless they immediately degenerate into hard work.” The common issue with keeping current is that we have to take the time to stay current and that time usually gets pushed aside for what we think are more important things. So the goal here is to ensure that an organization makes keeping current on security best practices part of its common practice. Perhaps by scheduling a monthly or weekly meeting where the focus is to share and discuss topics concerning security? Or maybe to attend a security conference or course? The goal here is to always extend the organization’s knowledge with respect to security and never let it fall by the wayside.

I hope that this simple guidance will help you find a secure solution, and help avoid landing you on the front page of a newspaper!

 

Check me out on .NET Rocks!

Big thanks to Susan Ibach for hooking me up with Carl Franklin and Richard Campbell of .NET Rocks, the online radio show for everything .NET related.

During the show I have a good chat with Carl and Richard about building SharePoint sites in the cloud. The conversation starts out talking about the state of SharePoint development – that the combination of SharePoint 2010 and Visual Studio 2010 really works! I also talk about Silverlight’s role in SharePoint as well as LightSwitch. Finally, we dig into the challenges around SharePoint in the cloud. After spending some time talking about SharePoint hosting options, we get into SharePoint Online, which is Microsoft’s SharePoint offering in Office 365. We chat about some of the challenges of SharePoint in the cloud, including multitenancy, claims-based security and scalability.

If you would like to check out the show, you can check it out here. Don’t forget to give some kudos to Carl and Richard for doing a great job!

SharePoint: The Great Amplifier

SharePoint is an interesting platform and as it grows as a product and with its already incredible adoption, it becomes an important cornerstone for many organizations. Ask the people that work with it though, and you will find a much divided love it or hate it passion for the product.

But why hate it?

It has become my experience (which dates back to the site server/dashboard days), that many customers have difficulty in how to handle the product and I mean this in a number of ways. I now describe the problem as this:

SharePoint will amplify your problems.

So why do we hate it? I would hate anything that made my problems larger. But did SharePoint create the problem? That would be like blaming the carpenter’s hammer for building a crooked house. The problems are indeed our own doing in the majority of cases. In my experience, the most common problem areas that SharePoint seems to amplify are the following:

  1. Information Management
  2. Project Management
  3. Information Security
  4. Business Intelligence

It is without a doubt that this is not the definitive list of problem areas, but from my experience with SharePoint, it tends to be the key ones that help make or break one’s experience with SharePoint. So let’s take a look at them.

1. Information Management

In my mind, this is the biggest problem area and by a considerable margin. Why? Well, if you think about information management, it really encompasses all of the other areas. It is a really broad topic. What is surprising is that, as an industry whose core revolves around titles such as Information Management and Information Technology, you would think that we’d be better at it. Let’s look at an example: The shared documents library within the default team site is fairly widely used by organizations. At face value it seems like a perfect solution for the sharing of documents. After all, it is called the ‘shared documents’ library.

When I was a kid, I remember going to the library. I am talking about the real one that had shelves and shelves of books that you couldn’t carry around in your pocket. I won’t refer to those times as ‘the good old days’ because they simply weren’t. What fascinated me was the organization. I had the power as a kid, to walk in to the library and find various books on a topic that interested me, and to browse some additional information about each book before ever finding the book on the shelf. You might be thinking that I am referring to the ability to sit down in front of a computer and search, but I’m older than that. I’m referring to the cataloging system called the Dewey Decimal system.

That’s right, no computers. Yet I could search amongst a huge amount of material systematically and rapidly (for the times). 135 years later, and I’m watching organizations fumble with taxonomy and metadata like a newborn driving a car.

So what’s the problem?

If we look at the shared documents library like a real library and a document like a book, then letting your employees simply start saving their documents in the library becomes almost the equivalent of having a library where you open up the front door, and chuck your book into the building. Imagine trying to find that book a week later. For the first hundred books or so, you might be ok, but what about the first thousand? Every time you see the default shared documents library being used, you should picture a real library, with nothing more than a mound of books in the middle of the room and people frantically trying to find things in the pile. The first thing that might come to many people’s minds is that “Well that is what we have Search for!” No we don’t. Well, not exactly. Search doesn’t organize our data for us; it makes the retrieval faster in larger systems. If you don’t believe me, do an internet search for a topic such as Shakespeare and tell me what the most current and correct material is on the subject. So how do we go from a pile of books on the floor, to nicely organized books on the proper shelves? The answer is 2/3rds metadata, and 1/3rd taxonomy.

Metadata is data that describes data. In the case of the Dewey Decimal system, that data helped to organize books into categories such as fiction or non-fiction, and provide additional tags such as animals, psychology, religion etc. so that you could much more easily identify basic keywords that described the material. In the library system, that information is collected, identified, and then recorded when the book is first brought into the library so that the material can be properly placed as well as be identified within a cataloging system to be more easily retrieved. Do your SharePoint libraries behave like that?

Taxonomy is the organization of metadata. In the example of the library, who determined that fiction and non-fiction should be one of the primary organizational metadata to categorize books? Why not hard cover and soft cover? Within your own organization, the determination of metadata and the taxonomy surrounding it is purely yours. It needs to reflect your organizational goals, which is why companies like Microsoft can’t exactly make that an OOTB feature. You simply have to address it, and unless you like sorting through a million books, you need to address it yesterday.

If you haven’t already addressed it, I can start you with a few tips.

Focus on process

Data is a byproduct of process. Data simply wouldn’t exist if it didn’t have somewhere to go or something to be done to it. Knowing and understanding the key processes in your organization is a must. What can be more difficult is the identification of key areas where your processes will likely change, or where you would like to change in the future. The reason we need to identify this as best as we can is so that we can better lay the ground work now. In other words, after we know what the current process is, we need to ask “What is likely to change? What additional information might be needed to identify problems or opportunities that we could leverage to further improve the process?” As an example, if we examine a simple project management site where we record change requests and have their statuses updated, could you easily identify the total amount of time it took to go from request to resolution? Could I easily identify the chain of events that happened after receiving a change request? And is either of those 2 details important to me or will be important to me in the future? Questions such as those will help take you beyond simply recording a change request and marking it as ‘resolved’. Better metadata = better taxonomy = better processes.

Have Multiple Taxonomies

Taxonomy is fairly simple in concept in that it is leveraged metadata. I think I’ve already established the importance of having some type of taxonomy. Although what I am about to say is really two versions of the same thing, for the sake of the SharePoint argument I am going to separate the taxonomies into 2 types: navigational taxonomies and categorical taxonomies. The reason for the separation is so they can be planned according to their primary usage in that users are either finding the data they need, or working with the data to make decisions. By focusing on their usage, we can hopefully make a better taxonomy.

With navigational taxonomies our focus should be on the Use Cases that you have established for the project. By focusing on what people do with the site, we can streamline their access to their data. You won’t be able to establish that unless you understand what people do with your site, and Use Cases are the best way to establish that.

You should also support more than one navigational taxonomy since there isn’t only one way to complete a task. The goal of the menu navigation should be task focused, so how do we add a second navigational taxonomy? By adding more menus? No. In SharePoint, we can add these extra navigational taxonomies through the introduction of a Site Directory focused site, and/or through the use of custom search pages and results. Both of these options are relatively easy to implement and will allow your users a second and/or third way to find a location in your growing architecture.

Categorical taxonomy can be a bit harder to implement since it deals directly with content. We need to collect metadata on content to better describe it, but what should that metadata be? How should it be best structured? Great questions, and the first answer lies within understanding the various processes surrounding your data: how it will be used, what decisions need to be made on it, etc. The metadata from this is typically well understood and most organizations have little trouble in establishing what the metadata is; rather, they have trouble in establishing how to best implement it within SharePoint.

Let me give you some tips in establishing categorical taxonomies:

  • Use Content Types 

    Content types are a way of establishing a common structure that can be shared amongst lists and libraries. Use them if you want to establish some consistency.

  • Use the Managed Metadata Service (MMS) 

    You can think of the MMS as a place to store the common vocabulary for your organization which can be used and shared in a number of ways. Another advantage is that you can disseminate the administration of the terms to the people that use them and not IT. Be aware that the MMS interface within the Document Information Panel is only supported within Office 2010. 

  • Support Views 

    Views are a great way to change the look and organization of a list or library. They work by changing the display of the data, such as sort order, which columns are shown etc. Good views require good metadata. 

  • Support Soft Metadata 

    Hard metadata is metadata that directly fulfills a business requirement. In other words, it really needs to be there and usually in a very structured way where we control the terms and their usage. Soft metadata on the other hand is metadata that doesn’t have a direct business relationship but can offer some insight to the content. A good example would be in the way that we tag photos. Quite often we will need some hard metadata such as the date that the photo was taken and the location, but we want to support soft metadata so that users are able to tag the photo with open terms, such as ‘wildlife’ or ‘Christmas Party’. But why do we want to support this? To which my answer is ‘Do we really want to turn away free information?’ Granted there is a minimal support cost to this. In the end, we have content that is simply more usable, and with any luck, could be leveraged one day, so I often tout that the support costs are minimal with a potential for much gain, so why not. SharePoint 2010 can implement this many ways including using keywords, and/or open MMS term stores.

Archive

This has been a thorn in my side almost wherever I go. We are workers in the information age and so-called masters of information technologies, so why are we so bad at archiving strategies? A common dialog that I often have with my clients goes a little something like this. “Our data goes slow because we have a lot of it, over a million rows.”, “Why do you have over a million rows in your table?”, “We need to keep our data for X years.”, “Did anyone say you need to keep it in the same storage medium as the daily production data?”, “Ummm, no.”. Archiving data does not have to be offline, it can be online and accessible, it simply has a different purpose than your live day to day data, and most importantly it should be separated. Every time you add somewhere that users can add content, whether it be a list, or library, or database, or file share, you should think “How does this content retire?” and “When does it change its purpose?” After that, it is a matter of automating the process. Without an archival strategy you are set up for failure, it is just off in the distance. By accumulating data over time, you subsequently cause the live day to day data to slowly become harder to use when it is left in the same storage medium. It will go slow, and it will often get in the way of users trying to find the correct content while they are trying to accomplish their day to day tasks.

2. Project Management

There are some interesting numbers on the frequency in which SharePoint projects fail. I won’t bore you with numbers mainly because individually they succumb to a lot of subjectivity, but ask anyone that’s been around the block a few times and they will tell you that the majority of SharePoint projects fail. Why? Blaming SharePoint for a bad project is kind of like blaming a poor house design on the hammer in the carpenter’s hand. SharePoint is a tool, albeit a very complex one, but the result is always the result of its usage and rarely the tool itself. SharePoint has its quirks, the vast majority of products do and part of a proper SharePoint implementation is to address those quirks as best we can. But that’s not where projects tend to fail. The common culprits are the following:

Scope management

This is a really tough one to control in a SharePoint project. When the decision has been made to use SharePoint and people soon realize that it has the potential to solve the majority of your organization’s problems, many organizations attempt to solve everything at once or, as a reflex, choose to only solve a single problem with SharePoint.

SharePoint projects are commonly either scoped too large, or too small. Too large of a scope, and you will be overwhelmed with trying to coordinate a very complex solution. You will be bogged down with the intricate under wirings of your organization to the point that your project will be stuck in the requirement gathering stages for years. I’ve seen it. I’ve seen organizations that have planned for a year and not really yielded any results. On the other hand, organizations that start too small usually create an inadequate solution for growth. So where is the happy medium?

To properly manage scope within a SharePoint project you need to understand a bit of the big picture of your environment and then focus on one problem at a time. The best place I have found to start is by establishing proper Use Cases for your organization, and not just the ones you think should go into SharePoint. Properly created Use Cases are one of the most powerful architecture tools that we have in IT and is something that every IT department should have on hand already. They truly help focus our solutions to be task oriented and not data oriented. By understanding what our people do or need to be able to do, we can create a better solution for them. After collecting Use Cases, we need to establish an overall vision for the SharePoint solution. This can be a little bit daunting to staff that are new to SharePoint structures. If we look to our Use Cases, we can group the cases that are shared by common roles with the idea being that those roles should be able to complete those tasks as easily as possible. By grouping them, we can establish areas in SharePoint where an employee in that role can go to and complete those tasks. We now have an idea as to the scope of our project – make an area in SharePoint do cases x, y and z. Many areas can be identified with their Use Cases bound to them, and realistic timelines could be better established for each area.

Requirements Gathering

Most organizations feel they are pretty good at requirements gathering because they’ve been doing it for so long. In my experience, they’ve just established that they don’t understand process improvement. It is the question “How can we do this better?” where we establish our daily pursuit of perfection and question our assumed excellence. There is a lot of information elsewhere on different approaches, so I will cut this down as simply as I can. If you are not using an iterative process in your IT projects, you are doing it wrong, plain and simple.

Have an Architect

I should expand on this a bit. You should have a qualified SharePoint architect or architecture committee. “We don’t have one, so where can we find one?” Good luck. There are a lot of lousy consultants out there for various reasons, but in any IT project that you do, you really need to have a good architect who understands the impact of the various choices they make. When it comes to SharePoint, I offer this advice. Give your solution architect a business problem you wish for them to solve in SharePoint, and ask for 3 different answers and the pros and cons of each. If they can’t establish that minimum, RUN! They are obviously under-qualified to be supporting you. A really good architect should be able to rough out more than 3 different solutions.

Testing

Wow. This is one of my absolute worst pet peeves of the IT industry. If the only testing you are doing is User Acceptance Testing (UAT), and maybe some regression testing, you have really missed the boat. I have a whole spiel on this topic in itself which I will save for another blog topic someday. When it comes to SharePoint, test your solutions including your code and go beyond the question of “Does it work”, and ask “Does it work well?”

Use SharePoint to run SharePoint

This is one of my favorites mainly because it is one of the most overlooked. I often ask my clients how someone in their organization would go about creating a new site, say, to manage a project as an example. The answer is typically that the person making the request would send an email to their manager, where it would eventually be forwarded to IT after a couple of emails going back and forth for approvals and information gathering, an IT staff member would then go and manually create a site for the requestor. My reply usually goes something along the lines of “So, you gather some required information, invoke a workflow with steps for approvals and further data collection, and create a site based on the data. Why isn’t that automated in SharePoint?” By using SharePoint to manage SharePoint, you can establish a more consistent structure and daily routine. In the above example, the data can be collected via a list. Workflows can be initiated for the approvals and further data collection and in the end a site could be created automatically as the final successful step in the workflow process. The result would allow IT staff to be involved less, the results to be more consistent since we reduce the amount of manual steps, and the process to flow much faster. Managing IT requests are also business procedures so don’t ignore them when developing your Use Cases for SharePoint.

3. Information Security

SharePoint has a confusing security architecture. A friend continually jokes that you can do it in SharePoint, as long as you know the 6 strategically placed security settings you need to set to allow users to interact with your content. I like to keep things simple. I always start addressing security by asking these 3 basic questions:

What are the requirements?

This question is pretty straight forward and we do it relatively well. Who gets access, and who doesn’t.

How do we know we meet the requirements?

This is one area that SharePoint poses some difficulty with since it lacks any worthwhile reporting tools and has enough security layers that are hidden in the UI that it feels like finding an answer to this question is akin to finding the meaning of life itself. Pair that with the product’s inability to properly handle security inheritance and the lack of a proper method to deny permissions, and you are on a never-ending hunt for individualized permissions. Yuck. Unfortunately the best security reporting tools are third party. Your team needs to sit down and address how your organization will address security reporting and auditing.

When is the last time we checked?

Security audits are often checked at implementation, but rarely checked afterwards. Permission elevation happens for various reasons such as troubleshooting, making it necessary to schedule our audits. If running an audit is painful because we haven’t properly addressed the above question, then scheduling it will hurt that much more. Again, get a good security tool.

Information Security Tips

Here are a few tips on implementing security in SharePoint to help make things a little more manageable.

Libraries/Lists are for security

I am not a fan of the Shared Documents Library which comes as a default. If you have ever heard me talk on the subject, you know I get a bit worked up about it. I am a fan of lists/libraries in SharePoint and I completely understand Microsoft’s position in adding it. It was a necessary evil. The problem that I have with it is what most people put in it. It goes against pretty much every information management principle that we have. Many organizations use this library and why not? It says “Shared” and I want to share my stuff, so why not? The reasons are many, but at a simple level, you will end up with a folder structure that mimics your old file shares, and make it work by placing individual permissions on folders and files to compensate for your lack of proper architecture. If you think of lists and libraries as containers (which you will, if you were paying attention earlier when I ranted about the importance of structure), you can shape these containers to better store their information. You can change the shape (think ‘content types’), and you can change the behaviour (think ‘workflows’ and ‘views’) to better aid the end user in the task they have at hand (think ‘Use Cases’). Coming back to permissions, if we have a container with similar information in it, we can control permissions to all of its content by controlling permissions to the container. In other words, permissions in SharePoint are best handled at the list and library level and not at the folder or file/item level. Which brings me to a solid point: If you are not sure how many libraries you should have, look at the common permissions to your content. If a group of people need read access to one type of content but not to another type of content, then the content should be in the same list/library and we can control permissions to the content by setting the permissions once on the list or library. So how many lists or libraries should you have? The answer is in how many groups of content with the same permissions you have. This is not always the answer, but it is a good starting point.
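The audit questions above ("How do we know we meet the requirements?" and "When is the last time we checked?") and the list-level permission advice can be checked with a script that reports every place where permission inheritance is broken. This is an added example, not code from the original post; it assumes an on-premises SharePoint 2010 farm, is run on a farm server by an account that can read the content, and uses a placeholder site URL and output file name.

```powershell
# Added example: report where permission inheritance is broken in one site collection.
# Assumptions: SharePoint 2010 server object model; $SiteUrl and $OutFile are placeholders.
param(
    [string]$SiteUrl = "http://sharepoint.example.local/sites/projects",
    [string]$OutFile = ".\permission-audit-$(Get-Date -Format yyyyMMdd).csv"
)

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Emit one row per role assignment on a securable object (web, list or item).
function Get-AssignmentRows {
    param($Securable, [string]$Scope, [string]$Location)
    foreach ($ra in $Securable.RoleAssignments) {
        $member = $ra.Member
        # A direct grant is an individual account, not a SharePoint group or AD group.
        $direct = ($member -is [Microsoft.SharePoint.SPUser]) -and (-not $member.IsDomainGroup)
        New-Object PSObject -Property @{
            Scope       = $Scope
            Location    = $Location
            Principal   = $member.Name
            DirectGrant = $direct
            Roles       = (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "; ")
        }
    }
}

$site = Get-SPSite $SiteUrl
try {
    $rows = foreach ($web in $site.AllWebs) {
        try {
            if ($web.HasUniqueRoleAssignments) {
                Get-AssignmentRows $web "Web" $web.Url
            }
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }
                if ($list.HasUniqueRoleAssignments) {
                    Get-AssignmentRows $list "List" "$($web.Url)/$($list.RootFolder.Url)"
                }
                # Folders and items: these are the individualized permissions
                # the post advises against. RecursiveAll includes folders.
                # Very large lists may need paging (RowLimit / ListItemCollectionPosition).
                $query = New-Object Microsoft.SharePoint.SPQuery
                $query.ViewAttributes = "Scope='RecursiveAll'"
                foreach ($item in $list.GetItems($query)) {
                    if ($item.HasUniqueRoleAssignments) {
                        Get-AssignmentRows $item "Item" "$($web.Url)/$($item.Url)"
                    }
                }
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }

# Full report for review and for comparison against the previous run.
$rows | Select-Object Scope, Location, Principal, DirectGrant, Roles |
    Export-Csv -Path $OutFile -NoTypeInformation

# Summary: item/folder-level breaks and direct user grants are the first things to review.
$itemBreaks   = @($rows | Where-Object { $_.Scope -eq "Item" } | Group-Object Location)
$directGrants = @($rows | Where-Object { $_.DirectGrant })
Write-Output ("Items/folders with unique permissions: {0}" -f $itemBreaks.Count)
Write-Output ("Direct user grants (not via a group):  {0}" -f $directGrants.Count)
```

Running it as a scheduled task and comparing each CSV with the previous one turns the audit into a routine, so an elevation left behind after troubleshooting shows up as a new row.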

Use SharePoint groups as functional roles

SharePoint groups are best used to reflect functionality rather than entity. Since we typically utilize Active Directory groups, adding the AD groups to our SharePoint groups to reflect the same group would be redundant. For example, having a Sales group in AD, which we mimic and create a Sales group in SharePoint usually offers little benefit. Having a group in SharePoint that reflects their ability is preferred. For example, I can create a group in SharePoint called Sales Lead Generators that can better reflect what anyone in that group can ‘do’ rather than who they are. Not only does it simplify security administration, it makes audit reporting a lot easier to read and verify.

Use IRM

Information Rights Management has been around for some time now. Surprisingly, most organizations that want to secure documents rely on securing the folder or physical media where the file is stored. The problem is that this security simply doesn’t follow the document wherever it goes. IRM on the other hand, does! You just have to ask someone if their documents are just as secure after an employee that has proper permissions to the file copies it to a thumb drive, or inadvertently emails it to the wrong person. SharePoint and IRM integrate very well. You can check out more of it here.

4. Business Intelligence

Are there organizations out there that are really striving for Business Unintelligence? Wouldn’t everything that an organization does be in an effort to do something better? I love the term Business Intelligence (BI) mainly because of its massive overuse and its wide misunderstanding as ‘reporting’. So the question really becomes “How do we maximize our BI?” First, it is important to understand what BI really is. It is about making better decisions, period. If we have better data as well as a better understanding of such data, it would be logical to conclude that we would have a better decision right? Not necessarily. The theory is correct, but in practice most organizations fail to implement this properly by not focusing on the decision that they are trying to improve and instead only achieve in bombarding their key decision makers with an avalanche of reports. What is also surprising is that most of the decision makers in an organization are probably the ones asking for the reports in the first place. Let me give you an example. In a sales based business, you might see some monthly sales figures like this (overly simplified for the sake of discussion)

Sales Member    Monthly Sales (Units)
John            5,437
Mary            8,350
Bob             3,043
Jim             7,410

Why do we need to see these sales figures? The typical answer you will get will be “Because I need to know if there are any problems and to see if we are doing better or worse than last month or last year.” So, with the above numbers, where is the problem? Most people would focus on Bob because his numbers are lower than the others. What isn’t shown with these numbers is that Bob is the newest on the team and manages the smallest sales area. Can you still spot where the problem is in the above sales numbers? The typical failure in implementing a BI solution within SharePoint is usually in the disregard for a proper BI solution that focuses on those key decisions which strives to achieve a better decision by supplying as much data around the factors and drivers of the data as the data itself. Instead we see fancier reports of the above sales table and hope that our decision makers will ‘figure it out’. Another interesting point concerning SharePoint and BI integration is the potential for SharePoint to implement the decision. If our BI solution is focused on key decisions, a good solution should allow the user to implement the decision as quickly and easily as possible.

Conclusion

As you can see, SharePoint offers many challenges when deployed into an organization and requires due diligence to maximize your return. I hope that some of my tips may make their way into your organization and perhaps save you from some of the common pitfalls that have trapped others. There is good reason why SharePoint has become as popular as it has and hopefully you will be better able to get the most out of your implementation.

Musings of a Professional Geek.