Ways. to Shore Up. Security. Your. ABSTRACT: By Trish Crespo

Transcription

1 6 Ways to Shore Up Your Security ABSTRACT: By Trish Crespo February 04 Microsoft's SharePoint collaboration software is an excellent tool for enterprise users, but some individuals have pointed to it as the source of data leaks incorrectly so. SharePoint requires the same security planning applied to any other network asset. It also must be properly implemented to prevent hackers from taking advantage of default or misconfigured settings. Six ideas are offered here to help IT professionals bolster their SharePoint security.

2 content Six Ways to Shore Up Your SharePoint Security Is SharePoint Secure?... What is the Nature of Your SharePoint Project?.... Anti-virus Compatibility.... SQL Security.... Least-Privileged Administration Claims-Based Authentication Information Rights Management Patching and Updates... Making SharePoint Safe and Secure... About Datavail... 4

3 Read the headlines and you will find yet another business has fallen victim to a data leak. A couple of headlines have pointed the finger at Microsoft's SharePoint collaboration software as a culprit. Is it really fair to blame a leak on a non-security product, much less one from a trusted vendor? The real reason for these data leaks is a lack of security planning and proper implementation. First, it is important to evaluate how you will implement SharePoint. This includes looking at existing security tools and infrastructure, as well as current policies and procedures. Then, we'll examine some very basic and practical steps you and your team can take to secure SharePoint and the databases connected to it. Disclaimer: Any computer system or environment can be hacked, even with proper configurations in place. The goals of a comprehensive security protocol or plan are to make it difficult for an unwanted intruder or hacker to peruse your data; to identify security attacks or breaches as quickly as possible; to patch any holes that are discovered; and to purge any malicious code from the system. Here are some of the major points that should be considered for applying security within a SharePoint environment. Is SharePoint Secure? When IT professionals think about the security of a given piece of software or hardware, they often ask the wrong questions. As Simon Hepburn, director of bsolve, in a piece written on ITWeb, observes: Strangely, I find many organizations are concerned about the security related to their cloud services. In response to this, I would simply say that Microsoft is an industry leader in cloud security and implements policies and controls on par with, or better than, on-premise data centers of even the most sophisticated organizations. Also, as most security experts would confirm, the major weakness regarding security usually relates to people themselves and not the systems they use. To secure SharePoint, you need to be certain your organization has a comprehensive network security policy and structure. Then, you must establish policies regarding individual or group access, or file privileges within the SharePoint environment. What is the Nature of Your SharePoint Project? Knowing the nature of your SharePoint project is important because it gives you an idea of where and how security should be applied. For example, if your business will be using SharePoint for an external-facing website, you will want to consider identifying an authentication method for external access, locking down entry fields to mitigate possible SQL injection attempts, and configuring the firewall. You will also need to know what type of content will be stored in SharePoint. If your organization intends to use SharePoint to store sensitive information, for example, classified documents, financial information, or personally identifiable information, you will need to ensure storage locations have stringent access control. If your organization is subject to any regulations regarding data retention and storage, it must comply with those laws. So, how can I apply security to SharePoint without hindering its purpose? Great question! Yes, SharePoint is all about sharing, but that does not mean the content within it can be freely distributed outside of set boundaries. Further, it does not mean that anything can be uploaded. SharePoint has a number of security features that should be enabled to maintain control over data and minimize exploitation. Anti-virus Compatibility Guess what? SharePoint and anti-virus are friends! Every version of SharePoint can easily integrate with your existing anti-virus software. This integration allows for anti-virus scanning of documents both as they are uploaded and downloaded. It can also attempt to clean or delete infected files. Other anti-virus protection features, such as scheduled scans, should be carefully reviewed and considered when configuring the anti-virus settings. A couple of other points to consider: The anti-virus application you are using must be installed on all machines running Windows SharePoint Services. Some folders may need to be excluded from scanning to prevent unexpected, unwanted behaviors. SQL Security No one needs to tell you how important databases are to the functionality of SharePoint. Don't let them fall victim to malicious attacks. You can apply a simple level of security to your SQL databases for starters. First, simply change the default TCP ports your network uses. Hackers know all about the default port settings, so it is a great idea to change the default listening ports and manually configure your firewall to allow access. Another security measure you can easily implement is to run SQL Server services by granting each of the user accounts minimal permissions. Least-Privileged Administration No one likes it when there is a lot of overhead associated with network administration, but if it means reducing the chance that an exploit can be used to penetrate the network, it may be worth the extra effort. Implementing Least-Privileged administration in SharePoint is accomplished by creating accounts that give the user only the permissions required to perform a given task. Using this approach ensures no single account can compromise or result in the take-down of the environment. When implementing Least-Privileged administration, certain roles are assigned to specific accounts. Normally there are a couple of standard accounts used for the installation and configuration of SharePoint; however, with a Least-Privileged implementation, you will have accounts dedicated to Service Apps, Web Apps, Farm service, and even an account for Crawl. As Steve Wright and Corey Erkes note on TechNet: 4 SharePoint security can become a larger issue as time goes on if you don t develop and constantly govern an effective security process up front. A breakdown in security can cause unwarranted access to SharePoint configuration options Claims-Based Authentication To increase security across your SharePoint environment you may want to start using Active Directory Federation Service and consider configuring zones in your web applications. Active Directory Federation Service will integrate with your existing Active Directory. It can also be expanded, providing claims-based authentication for external users. Forms-based claims are not recommended for authentication since the credentials are sent as plain text, which is very easy for sniffers to capture. You will want to make sure that the form of authentication you choose will provide an effective defense for your network. You also will want to create and configure additional zones in order to control the varied paths to your sites. The additional zones available in SharePoint are Intranet, Extranet, Internet, and Custom. The good news is that claims-based authentication works across all of these zones! Page Six Ways to Shore Up Your SharePoint Security 04 Datavail, Inc. All rights reserved. Six Ways to Shore Up Your SharePoint Security Page

4 5 Information Rights Management One little-known but effective security measure is Information Rights Management, a subset of Digital Rights Management. When implemented, it limits or prohibits access to or use of files. SharePoint offers file security via Information Rights Management with the following features: Encrypting downloaded files. Limiting who and which technology can decrypt files. Limiting a user's rights to files (for example, the user is not able to print or copy text from a file). Making SharePoint Safe and Secure The approach Datavail takes is unique. We get to know your organization, your operating environment, and its processes to better understand the challenges and problems you are facing. Our experts ask the right questions, discovering the factors at the heart of the issues you face. Then, we present a solution tailored specifically to your operation. As you can see there are quite a few security measures that can be easily and relatively painlessly implemented across a SharePoint environment. These measures are, however, not all inclusive. To learn more about our SharePoint managed services, call Datavail toll-free at (866) Prefer to chat online? We have experts available 4x7x65 to answer your questions on our chat line at Remember, with SharePoint you can find a way to balance the desire to share data throughout the organization with the very important and critical need to secure it. It's very easy to install SharePoint, but it is not quite as easy to find all the possible vulnerable points in your organization's security. Trish Crespo Implementing Information Rights Management for SharePoint does require the network to have a server dedicated to the Rights Management Service role. Information Rights Management can be applied to any Library or List within SharePoint. SharePoint Online Information Rights Management relies on the Windows Azure Active Directory Rights Management. 6 Trish Crespo has more than years of experience in the IT industry consisting of SharePoint administration and IT Service Management. Her previous position was with Glacier Technologies as a System s Architect for SharePoint 00 & 0. She has experience as a federal employee and as a government contractor leveraging SharePoint for business solutions. For the better part of her career she served for years in the United States Air Force as a Data Center Supervisor and IT Security Officer. Trish is certified in ITIL v and has working knowledge of ISO/IEC 700:005 implementations. Datavail Corporation is one of the largest providers of remote database administration (DBA) services in North America, offering database design and architecture, administration and 4x7 support. The company specializes in Oracle, Oracle E-Business Suite, Microsoft SQL Server, MySQL, MongoDB, DB and SharePoint, and provides flexible on-site/off-site, onshore/offshore service delivery options to meet each customer s unique business needs. Finally, an important but frequently overlooked task is staying atop patches and updates. This must be routine to ensure the security of both your SharePoint and network environments. It may not be a glamorous task, but it is an essential one. Keeping systems up to date is absolutely critical to keeping the network secure. Doing it ensures that any known system flaws or vulnerabilities will be corrected. If you fail to apply critical patches and updates in a timely fashion, you will definitely be leaving your environment open to exploitation. In a SharePoint environment you must stay on top of updates for SQL, SharePoint, Windows Server, and other applicable enterprise software. Page Lead SharePoint Administrator for Datavail ABOUT DATAVAIL Patching and Updates Keep in mind that any application patches and updates should be installed using a testing environment before they are deployed into a development or production environment. Doing so prevents any patch or upgrade related issues from affecting business operations. BIOGRAPHY CONTACT US General Inquiries: Fax Number: info@datavail.com Whether deliberate or inadvertent, human action is a variable with the potential to change or thwart any security you have in place. Often, one singularly determined individual or a lone insecure password is all that is needed to infiltrate an organization. This white paper should get you started in the right direction with security and also help eliminate your SharePoint insecurity! Six Ways to Shore Up Your SharePoint Security 04 Datavail, Inc. All rights reserved. Corporate Headquarters: Datavail Corporation 800 Ridge Parkway Suite 5 Broomfield, CO 800 Bangalore Office Majestic Terrace - Plot 6B Phase - Opposite Post Office/Police Station Electronic City Bangalore , Karnataka Database Operations Control Center: Datavail Infotech Pvt. Ltd rd Floor, Unit No. B- Ashar IT Park, Road No. 6Z Wagale Estate Thane (West), Thane Direct Telephone Number: Seattle Office 408 4th Avenue, Suite 00 Seattle, WA 980 Six Ways to Shore Up Your SharePoint Security New York Office W 4th Street, Suite 40 New York, NY 00 Page 4

5 datavail.com