Camsoft
       

  SECURING MOSS 2007
  MICROSOFT SHAREPOINT PRODUCTS AND TECHNOLOGIES: TOOLS FOR COLLABORATION  
Microsoft Office Collaboration has become an essential force in the workplace as groups of colleagues work together to solve problems, complete projects, and perform other essential day-to-day business operations. In today’s technology-driven marketplace, collaboration translates into team members working on projects, exchanging documents, and sharing ideas by e-mail or accessing documents on file shares.

In an effort to improve and foster collaboration on document-based processes, many organizations are deploying products such as Microsoft® Office SharePoint Server 2007 and Windows® SharePoint Services 3.0, which allow information workers throughout a company to collaborate and work jointly on documents, as well as to post files, participate in threaded discussions, link to dynamic Web content, and generate tables based on information in corporate databases.

Together, Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0 facilitate collaboration within an organization and with partners and customers.
  • Windows SharePoint Services provides a framework for building collaborative Web sites, making it possible for a company to share information and documents across teams, departments, and large organizations easily and reliably. Users can access Windows SharePoint Services Web sites through a Web browser or through the new collaboration features built into Microsoft Office 2003 and Microsoft Office 2007 products such as Microsoft Office Word 2003, Microsoft Office Word 2007, Microsoft Office Excel 2003 and Microsoft Office Excel 2007. Site content is accessible from a Web browser and through clients that support Web Services, and document collaboration features allow for easy check-in, check-out, and version control.
  • Microsoft Office SharePoint Portal Server 2007 extends the capabilities of Windows SharePoint Services 3.0 by providing organization and management tools for SharePoint sites and by enabling teams to publish information captured in these sites to the entire organization. In this way, the combination of Windows SharePoint Services 3.0 and Microsoft Office SharePoint Portal Server 2007 technology facilitates smart, effective business operations. Furthermore, Microsoft Office SharePoint Portal Server 2007 takes advantage of the Windows SharePoint Services 3.0 platform to deliver cross-site search capability and line-of-business application integration.
Windows SharePoint Services stores all documents, lists, views, and configuration information in a Microsoft SQL Server™ database. When SharePoint Portal Server is deployed in conjunction with Windows SharePoint Services, SharePoint Portal Server takes advantage of the same SQL Server database architecture.

Because the SharePoint architecture relies on SQL Server for the document store, organizations must take specific measures to ensure that corporate security and antivirus policies extend to the collaborative environment. In particular, administrators should be aware that neither e-mail antivirus products nor typical file server antivirus products are adequate to protect and clean documents saved in SQL Server databases.

THREATS SPECIFIC TO SHAREPOINT
As the 2007 version of SharePoint products and technologies becomes a core component of collaborative efforts and business processes, it demands the same level of security that is applied to other mission-critical systems and servers. In particular, systems administrators must take specific steps to protect document repositories and other SharePoint data stores from viruses and malicious content.

SharePoint as a Threat Vector
Malicious content introduced to the corporate network through SharePoint document libraries can be devastating and costly. As a collaboration tool, SharePoint products and technologies increase the interaction between colleagues and become a potential propagation point for viruses and worms.

The mobile workplace is a main contributor to virus and worm propagation. Laptops connected in remote sites, such as home offices or hotels, can become infected. When these users reattach to the corporate network, infections can be transmitted to the corporate environment. Viruses that find a foothold in SharePoint sites are typically introduced in the following ways:
  • Saving infected files to the document library. A document author or reviewer could intentionally or inadvertently upload/edit a document from his/her desktop that contains an embedded virus, infectious macro, hot button, Trojan, etc.
  • Downloading/saving HTML Web pages to the document library. Team members collaborating on a project can save research-related HTML Web pages or documents directly to the SharePoint document library. These documents could contain embedded viruses, infectious macros, hot buttons, and/or Trojans that would infect the SharePoint document library.
  • Infection through mapping a network drive. Windows XP users can map a network drive to \\server\sites\teamsite. When a client computer is infected by a virus that attempts to propagate to network shares, the virus can propagate to SharePoint sites, as these sites are not detected by file server antivirus tools. Once the virus is within the SharePoint document library, only a SharePoint-specific antivirus solution can detect and clean it.
Why Current Virus Protection May Be Inadequate
One of the most common reasons that SharePoint products and technologies serve as a threat propagation vector is that administrators assume that current antivirus products deployed throughout the environment will protect the SharePoint deployment. Unfortunately, these tools do not provide the level of protection needed to prevent SharePoint-related infections.
  • File Server Antivirus. Administrators often rely on desktop and file server products to scan documents when they are uploaded or downloaded to the SharePoint document library. It is also an industry-wide practice to back up the document library in a similar manner as the file server. However, backup and restoration of documents from the SharePoint document library can fail when a file server product detects and cleans viruses. This happens when documents are cleaned locally on the file server by the file server antivirus, while the backed-up copy remains infected. During data restore, infected documents could be reinstated, or those that were successfully deleted could leave broken links that could cause restore failures. Deploying a SharePoint-specific antivirus solution enables backup and restoration to run smoothly.
  • Desktop Antivirus. When a user opens a document from a mapped folder on the desktop, the document is copied to the cache on the server and client. The desktop antivirus technology may detect an infection within the cached copy but cannot clean the stored copy in the SharePoint document library. Similarly, readers who have the latest desktop signatures can detect viruses when downloading documents from a SharePoint document library. However, depending on their access privileges, these users may be unable to clean the copies stored within SharePoint document libraries. These scenarios can be avoided by deploying SharePoint-specific antivirus technology.
SECURING SHAREPOINT
Because collaborative processes and mobile or remote workers have the potential to introduce new vectors for threat propagation, organizations that deploy the SharePoint products and technologies must include SharePoint Portal Server and Windows SharePoint Services in their security strategies. Protection of SharePoint deployments requires organizations to extend corporate security policies—including antivirus and content policies—to the collaborative environment. In addition, administrators should take specific steps to filter and manage content saved to SharePoint data stores and to implement antivirus tools designed specifically to protect SharePoint data stores.

Consistent Application of Security Policies
As collaboration and document-based processes become more integral to everyday business processes, organizations must be sure that their security policies adequately address the specific challenges raised by central document storage and collaborative workflow. The sections below outline two common elements of typical corporate security strategies that should be applied to SharePoint deployments.

Antivirus Policies
Antivirus protection is a standard element of most corporate security policies. Virtually all organizations have a multi-layer antivirus technology in place, deploying antivirus products at multiple points throughout the organization, such as on gateway servers, e-mail servers, desktops, and file servers. However, these virus protection efforts seldom encompass SharePoint Products and Technologies. This omission of SharePoint protection can expose an organization to myriad potential security risks.

Content Filtering and Monitoring
In addition to implementing antivirus tools to prevent virus propagation, SharePoint security should help enforce corporate policy compliance. For example, if policy prevents users from sharing .exe or .mp3 files via e-mail, users should be similarly precluded from sharing or storing these file types in SharePoint document libraries. By extending common e-mail security practices to the SharePoint environment, organizations can ensure that this new collaborative technology is as secure and compliant as the rest of the enterprise.

The transmission of inappropriate content should also be addressed and prevented both by filtering document types and filename extensions and scanning document content and document names. SharePoint Portal Server includes basic document filtering tools within the portal; administrators are able to filter by document extension and document type. However, prudent administrators must deploy specialized tools to mitigate the potential dangers of malicious content within the documents themselves and to implement policy management, as well.

Forefront Security for SharePoint: Specialized Antivirus for Collaboration Security
Microsoft Forefront Security for SharePoint provides the critical antivirus protection and content control that administrators need to secure SharePoint document libraries. The solution offers comprehensive collaboration security using layered defences, corporate content policy enforcement, and optimization of SharePoint resources to help ensure that document libraries are secure and available at all times.

Layered Defences
Forefront Security for SharePoint incorporates and manages up to eight antivirus scan engines in a single product. Using multiple engines to scan each document as it is uploaded or downloaded to the document library helps improve detection rates and provide for greater reliability.

With multiple engines, businesses can benefit from the combined expertise of multiple virus researchers. Each antivirus vendor develops a unique set of detection technologies, which can include signatures, heuristics, and behavior-blocking techniques. By combining several detection technologies, the organization increases the chances of blocking a particular threat. The updates to these engines are also released at varying intervals, overlapping to provide the most comprehensive, up-to-date protection against the latest threats and reducing an organization’s overall window of vulnerability.

Because Forefront Security for SharePoint uses multiple engines, there is no single point of failure. If one engine fails or goes offline to update, other engines continue scanning.

Forefront Security for SharePoint scanning options include:
  • Real-time Scan. Forefront Security for SharePoint integrates with the Virus Scanning Application Programming Interface (VSAPI) to scan documents as they are uploaded and downloaded from document libraries. This helps block worm viruses and non-cleanable viruses from being uploaded, and helps remove cleanable viruses, such as macro viruses, so that the cleaned documents can then be posted to the document library.
  • Manual scan. Forefront Security for SharePoint also enables administrators to perform scheduled manual scans of document libraries. This is essential to help ensure that document libraries are kept clean of old viruses that might not have been detected earlier, for example because of the timing of signature updates. Furthermore, these manual scans can be used to strip documents that do not meet evolving company policies with regard to content and document type.
Server Optimization
Forefront Security for SharePoint provides tight integration with Microsoft Office SharePoint Portal Server 2007 and Windows SharePoint Services 3.0, optimizing server performance and providing protection that doesn’t overtax server resources. Forefront Security for SharePoint enables businesses to achieve the benefits of multiple-engine scanning without significant additional processing time or server performance degradation. To deliver more flexibility and control over security and server performance, Forefront Security for SharePoint provides control settings that allow administrators to configure how many engines are used for a given server. Administrators can choose from settings like “Maximum Certainty,” which scans with all available engines, or “Neutral,” which scans with approximately 50% of available engines.

Forefront Security for SharePoint features in-memory scanning, which eliminates the need to spool data to disk for virus scanning. Instead, it dynamically allocates available application memory to scan documents. This process provides real-time protection while maintaining server efficiency. Multi-threaded scanning also helps improve scanning performance with the ability to create multiple, simultaneous scanning threads for improved throughput.

Content Control
Forefront Security for SharePoint provides extensive content filtering, helping to block documents that contain inappropriate content. Forefront Security for SharePoint includes a set of predefined, customizable keyword dictionaries to target profanity, discriminatory language, and other unwanted content. Administrators also have the ability to build or import additional lists.

File filtering allows administrators to block files based on file name extension, type, name, and size. This enables organizations to set and manage policies for document posting. In many cases, this capability can also be used to help block new malicious attacks for which there is not yet an available signature.
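
The four filter criteria named above (extension, type, name, and size) can be sketched as a single upload check. This is an added example, not Forefront or SharePoint code; the function names, the blocked lists, the name pattern, and the size limit are all assumptions chosen for illustration. It shows why the type check matters: a file renamed to an allowed extension still fails on its leading bytes.

```python
import os
import re

# Assumed policy values for illustration; not Forefront defaults.
BLOCKED_EXTENSIONS = {".exe", ".mp3"}   # the two types the page cites
BLOCKED_TYPES = {"pe-executable", "mp3-audio"}
BLOCKED_NAME = re.compile(r"(?i)^(setup|keygen)")   # hypothetical name rule
MAX_SIZE = 50 * 1024 * 1024                         # hypothetical 50 MB limit

# Leading bytes that identify a type regardless of the file name.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"ID3", "mp3-audio"),              # MP3 with an ID3v2 tag
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-office"),  # .doc/.xls/.ppt
    (b"PK\x03\x04", "zip-container"),   # .docx/.xlsx/.zip
]

def sniff_type(head: bytes) -> str:
    """Classify content by its first bytes, ignoring the file name."""
    for prefix, kind in MAGIC:
        if head.startswith(prefix):
            return kind
    return "unknown"

def evaluate_upload(filename: str, content: bytes) -> list[str]:
    """Return the policy violations for one upload; empty list means allow."""
    reasons = []
    base = os.path.basename(filename.replace("\\", "/"))
    # Windows ignores trailing dots and spaces, so "tool.exe." is "tool.exe".
    base = base.rstrip(". ")
    ext = os.path.splitext(base)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"extension {ext}")
    kind = sniff_type(content[:16])
    if kind in BLOCKED_TYPES:
        reasons.append(f"type {kind}")
    if BLOCKED_NAME.search(base):
        reasons.append("name rule")
    if len(content) > MAX_SIZE:
        reasons.append("size")
    return reasons

if __name__ == "__main__":
    # Constructed sample: an executable header saved under a .doc name.
    print(evaluate_upload("report.doc", b"MZ\x90\x00" + b"\x00" * 60))
```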

Every time an antivirus and content-filtering solution intercepts a document, blocks it, and quarantines it, it is important for the administrator to be informed of these actions. Forefront Security for SharePoint uses the Web part services provided by SharePoint technologies to post messages regarding Forefront Security for SharePoint events. Notifications can also be posted on team sites and administrator workstations.

Localization
Forefront Security for SharePoint is localized in English, German, French, Japanese, Italian, Spanish, Korean, Chinese (Simplified), Chinese (Traditional), Portuguese (Brazil), and Russian, so administrators can manage their portal server security in the language of their own region.

CONCLUSION
As organizations embrace collaborative work practices and broadly deploy the 2007 version of SharePoint Products and Technologies, it is imperative that they recognize potential threats introduced by misuse of the technology or careless administration practices. The effective and efficient collaboration provided by SharePoint technologies must be coupled with an equally effective and efficient antivirus and content-filtering solution to help ensure the security and integrity of an enterprise’s documents and information.

It is strongly recommended that organizations that deploy the 2007 version of SharePoint Products and Technologies review corporate security policies to ensure they adequately address document storage and collaboration. Further, it is recommended that organizations deploy Forefront Security for SharePoint to provide the security and filtering capabilities that administrators need to help protect SharePoint environments, while maintaining the efficiency and ease of file and information sharing that users expect.


Copyright Camsoft 2007. All rights reserved. O&OE.