Setting SharePoint Workspace user verification policy

 

Applies to: SharePoint Workspace 2010, Groove Server 2010

Topic Last Modified: 2010-02-11

This article describes how to set a policy that prevents domain members from logging on to SharePoint Workspace unless their Windows operating system logon credentials were issued by specific Active Directory forests. Because the specified forests can be those that you manage, this policy helps ensure that accounts and related workspace data function only with operating system logons that comply with password quality requirements managed by your organization.

These procedures require that Groove Server 2010 Manager is installed as described in Deployment for Groove Server 2010.

In this article:

  • Setting a SharePoint Workspace user verification policy

  • Managing user interaction with unknown identities

Setting a SharePoint Workspace user verification policy

You can set a security policy in Groove Server Manager that specifies how SharePoint Workspace handles domain member communication with unknown contacts.

For guidance about how to manage domain member interaction with unknown SharePoint Workspace contacts, see Managing user interaction with unknown identities.

To set SharePoint Workspace user verification policy

  1. Log on to the Groove Server Manager administrative Web site, expand Policies, and then click Default or another policy template.

  2. Click the Security Policies tab, and under User Verification Policy, select a user verification policy, using the following table for guidance, and then click Save Changes in the toolbar.

    Policy: Do not warn or restrict members when communicating with any contacts.
    Description: Specifies that SharePoint Workspace will not display warnings prior to communication with unverified identities.

    Policy: Warn member before communicating with contacts that have been neither administrator-certified nor manually verified by the member.
    Description: Specifies that SharePoint Workspace will display a Verify Identity pop-up window, prompting users to verify an unknown identity before they try to communicate with that identity.

    Policy: Only allow members to communicate with administrator-certified contacts.
    Description: Specifies that SharePoint Workspace will allow communications among administrator-certified identities only. Administrator-certified identities include fellow domain members and members of any cross-certified domains. For information about cross-certifying a domain, see Cross-certifying Groove Server Manager domains.

After SharePoint Workspace clients receive this policy from Groove Server Manager, they will handle contacts in domain member workspaces as required by the policy. This policy applies to domain members who are subject to this policy template. For information about assigning policy templates to domain members, see Deploying policies to SharePoint Workspace users.

Managing user interaction with unknown workspace identities

SharePoint Workspace contact lists can include workspace identities that are unknown to a domain member. Groove Server Manager provides a policy to help minimize security risks from domain member interaction with unknown workspace contacts. The policy lets you define how SharePoint Workspace warns of or prevents communication with identities that have not been verified by the domain member or certified by a domain administrator. The default setting for this policy is to allow domain members to communicate with any contacts. Tightening this policy helps create a more secure environment for collaboration in your organization. The Manager user verification policy overrides related settings on the SharePoint Workspace client.

For this discussion, an unknown identity is a SharePoint Workspace identity that has not been personally verified or administrator-certified. You can set a policy that requires SharePoint Workspace to intercept member attempts to communicate with unknown identities as follows:

  • Display a warning to domain members when they attempt to communicate with an unknown identity. The warning encourages members to verify the identity personally, and then to mark the identity as verified (usually distinguished in SharePoint Workspace by color). Members can verify other identities using any of the following methods:

    • Authenticating the user identity by confirming the identity’s digital fingerprint.

    • Checking the identity’s membership in familiar workspaces.

    • Contacting the user by telephone or otherwise verifying the identity outside of SharePoint Workspace.

  • Allow domain members to communicate only with administrator-certified contacts - those who are certified members of their domain or of a cross-certified domain.

The warning or prevention policy goes into effect when a domain member tries one of the actions listed in the following table:

User action: Sending an instant message or workspace (.grv) invitation (including light chat and MS Instant Messages), or replying to or forwarding an instant message.

Identity security policy effect: Policy enacted when domain members attempt to send a Groove workspace message or invitation to recipients who are unverified or uncertified.

  • If a warning policy is in effect, SharePoint Workspace displays a verification pop-up window, prompting the sender to verify unknown users in the invitation list. The sender may choose not to.

  • If a prevention policy is in effect, SharePoint Workspace displays a pop-up window listing the uncertified users and explaining that communication with those users will not occur.

User action: Confirming workspace invitations.

Identity security policy effect: Policy enacted upon a domain member's acceptance of a Groove workspace invitation sent from a contact whose identity is unverified and uncertified.

  • If a warning policy is in effect, SharePoint Workspace displays an invitation confirmation pop-up window to the domain member inviter. If the inviter confirms the acceptance, a Verify Identity pop-up window appears, prompting the inviter to manually verify the identity of the invitee. The inviter may choose not to.

  • If a prevention policy is in effect, SharePoint Workspace does not download the workspace to the domain member’s device.

User action: Opening a workspace.

Identity security policy effect: Appears to domain members when they attempt to open a workspace that contains Groove workspace contacts whose identities are unverified and uncertified.

  • If a warning policy is in effect, SharePoint Workspace displays a Verify Identity pop-up window, prompting the domain member who is opening the workspace to manually verify the identities of the unauthenticated contacts. The member may choose not to.

  • If a prevention policy is in effect, SharePoint Workspace displays a pop-up window upon user navigation to the workspace, explaining that some members of the space are uncertified. Members cannot access the space.

User action: Creating a workspace.

Identity security policy effect: Appears to domain members when they are about to send a SharePoint Workspace invitation (.grv file) to contacts whose identities are unverified and uncertified.

  • If a warning policy is in effect, SharePoint Workspace displays a Verify Identity pop-up window, prompting the inviter to manually verify the identities of the unauthenticated users in the invite list. The inviter may choose not to.

  • If a prevention policy is in effect, SharePoint Workspace displays a pop-up window stating that some invitation recipients are uncertified and prevents those contacts from joining the space.

User action: Fetching a workspace.

Identity security policy effect: Appears to domain members when they attempt to fetch a workspace from SharePoint Workspace contacts whose identities are unverified and uncertified.

  • If a warning policy is in effect, SharePoint Workspace displays a Verify Identity pop-up window, prompting the domain member to manually verify the contact’s identity before fetching the workspace. The member may choose not to.

  • If a prevention policy is in effect, SharePoint Workspace displays a pop-up window explaining that the workspace member who is the source of the fetch is uncertified. The domain member must fetch from a certified workspace member.
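
The following Python example is added here and is not part of the original article or of any Microsoft code. It models the policy effects described above so that an administrator can estimate which workspaces and invitations would be affected before tightening the policy. The enum names, function names and sample contacts are constructed, and the model assumes, from the policy descriptions, that a manually verified contact satisfies the warning policy but not the administrator-certified-only policy.

```python
from enum import Enum

class Policy(Enum):
    NONE = "do not warn or restrict"
    WARN = "warn before communicating"
    RESTRICT = "administrator-certified contacts only"

class Trust(Enum):
    CERTIFIED = "administrator-certified"  # own or cross-certified domain
    VERIFIED = "manually verified by the member"
    UNKNOWN = "neither certified nor verified"

def flagged(policy, contacts):
    """Names in contacts (name -> Trust) that trigger the policy."""
    if policy is Policy.WARN:
        hit = {Trust.UNKNOWN}
    elif policy is Policy.RESTRICT:
        # Assumption: manual verification does not count as certification.
        hit = {Trust.UNKNOWN, Trust.VERIFIED}
    else:
        hit = set()
    return sorted(name for name, trust in contacts.items() if trust in hit)

def open_workspace(policy, members):
    """Outcome when a domain member opens a workspace with these members."""
    names = flagged(policy, members)
    if not names:
        return ("open", [])
    return ("blocked" if policy is Policy.RESTRICT else "verify-prompt", names)

def send_invitation(policy, recipients):
    """Return (recipients still reachable, recipients flagged by the policy)."""
    names = flagged(policy, recipients)
    if policy is Policy.RESTRICT:
        return (sorted(set(recipients) - set(names)), names)
    return (sorted(recipients), names)  # the sender may decline to verify

def blocked_workspaces(policy, workspaces):
    """Workspaces a domain member could no longer open under the policy."""
    return sorted(name for name, members in workspaces.items()
                  if open_workspace(policy, members)[0] == "blocked")

# Constructed sample data: workspace -> {contact: trust state}
WORKSPACES = {
    "Budget": {"alice": Trust.CERTIFIED, "bob": Trust.CERTIFIED},
    "Vendor review": {"alice": Trust.CERTIFIED, "carol": Trust.VERIFIED},
    "Conference": {"bob": Trust.CERTIFIED, "dave": Trust.UNKNOWN},
}
```

In this model a single uncertified member makes the whole workspace inaccessible under the prevention policy, which is why the list of blocked workspaces is worth reviewing before the policy template is saved.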