Security and Protection for Groove Enterprise Services


Updated: April 1, 2008

Applies To: Groove Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2009-01-05

The Microsoft® servers that host Office Groove® Enterprise Services 2007 provide management and relay services to IT departments responsible for deploying and maintaining Groove collaboration and communication software in an enterprise. By employing hosted services instead of onsite Groove Servers, administrators rely on the hosting environment to provide the necessary security and protection to help ensure the integrity of their data. This discussion outlines the measures in place for Groove Enterprise Services and recommends steps that administrators can take to maximize data protection within their Groove domains. For security and confidentiality reasons, this document is an overview and subject to change at any time.

Data security across the Internet relies on several layers of protection, from the physical and network levels to the application level. Protection measures range from controlling physical access to server hardware, to filtering and blocking transmissions over specific ports, to the application level, where authentication schemes and cryptographic keys are used to protect data resources and prevent unauthorized access. This article discusses these and other aspects of Groove security.

A strong foundation of systems and documented processes underlies security management of the hosting environment for Groove Enterprise Services (GES). Windows Live security specialists support all Microsoft Online Services, including GES. This team of more than 50 security professionals is responsible for security programs and policies, compliance management, risk assessment and management, incident response, and security training and awareness.

Data center services (such as security guard and Help desk services) are provided by Microsoft employees. Third-party vendors are NOT employed for these tasks.

Formal documentation on file at the hosting data center includes the following:

  • Completed background checks on all staff.

  • Confidential agreements signed by employees.

  • Published security policies and procedures with signed agreement by staff.

  • Incident Response guidelines for responding to security breaches and emergencies.

  • Procedures for managing changes and upgrades to the hosting environment.

The Groove Servers that host Groove Enterprise Services are installed in physically secure facilities, accessible only to authorized personnel. Facilities meet industry standards for resistance to natural disasters.

In addition, sites are configured with the necessary mirrored and backup servers, installed with redundant hard drives to help sustain service in the event of unavoidable outages. With the necessary administrative backups in place, systems are equipped to protect against data loss and facilitate disaster recovery.

The following perimeter security measures are in effect:

  • Exterior fences with controlled access.

  • External closed-circuit TV surveillance.

  • Guard service control 24 hours per day, every day of the year.

The following facility security measures are in effect:

  • The GES data center is a dedicated facility.

  • A receptionist/checkpoint is present in the building lobby.

  • Locked doors are alarmed.

  • Facility access (including to the server room and utility areas) is controlled by key card and biometric systems.

  • All badge-reader access is recorded 24 hours per day. Access control system logs are audited by security and facilities managers and retained for at least one year.

  • Space below floors and above ceilings of restricted areas is blocked.

  • Uninterruptible Power Supply (UPS), supported by redundant power grids and generators.

  • Standard cooling system in place.

  • Standard fire suppression system in place.

  • Video surveillance systems installed throughout facility, with real-time monitoring.

  • Access procedures require that all visitors may be admitted by Microsoft management only, must be documented within Microsoft ticketing systems, and must read and sign data center rules and procedures before access.

Specific seismic protection is not currently a part of the hosting environment.

A basic form of security for Internet transmissions is the blocking or filtering of data from unknown or suspect sources. This is accomplished by restricting the number of open communications ports on a server, limiting inbound transmissions to those protocols supported by the few open ports.

In the Groove Enterprise Services configuration, Groove management servers are located in a perimeter network (sometimes called a perimeter security zone), behind a firewall that allows only TCP inbound traffic over ports 80/TCP, 443/TCP, and 2492/TCP. This condition limits inbound transmissions to HTTP traffic, allowing Groove client-to-Groove Manager and other HTTP communications while blocking transmissions using non-HTTP protocols.

Groove clients communicate with Groove relay servers, also located in a perimeter network, over ports 2492/TCP, 443/TCP, and 80/TCP. Port 2492/TCP supports Groove's preferred and most efficient protocol, its native Simple Symmetric Transfer Protocol (SSTP). If port 2492 is unavailable, port 443 or port 80 may be used, in that order of preference.

Some of the network and system security processes in place include the following:

  • Terminal services provide for remote access by authorized personnel, managed via a dedicated user and resource domain. Operating system images are hardened by disabling unnecessary services and by applying software updates and security patches.

  • All operating systems within the environment are controlled by a central platform software team, which proactively monitors for updates to the operating system and platform-level software, as well as to network and storage devices. Firewalls are in place to protect Internet access points and computer workstations. Additional firewalls or routers are also in place to segment areas of the network that require more protection.

  • Anti-virus protection is in place for computer workstations and servers. Virus definition files are automatically propagated from a central service via direct feed from an anti-virus software provider.

  • Intrusion detection is provided in the form of network probes, host-based probes, event correlation, and emergency response monitoring and alerts, provided by a dedicated Operations team 24 hours per day, 365 days a year. In addition, system configuration and vulnerability scans are performed daily. Designated internal staff members are responsible for correcting identified vulnerabilities.

  • System audit logs run regularly. Designated staff members perform the audits and review the logs daily.

The staff is supplied with documented procedures for managing changes to the hosting server environment, including access control changes, system upgrades and configuration changes, network and bandwidth changes, and emergency repairs.

Identified security patches are deployed via formal Operational Change Control procedures. Patches may be deployed manually or via automated mechanisms.

Groove hosting systems are backed up, according to the following stipulations:

  • Backed-up data is encrypted and password protected.

  • Backup disks are stored off-site in a secure location, transported to the facility via white glove service provided by an off-site vendor.

  • Backup disks are wiped or replaced at regular intervals.

  • Data restorations are checked regularly.

In addition, the following processes are in place to protect data integrity:

  • Asset management tools and processes facilitate tracking of hard drives, documentation, and backups.

  • Disaster recovery and contingency plans are in place.

To manage access privileges and jurisdiction, the duties of system operation, administration, and security are performed by separate divisions of staff.

Groove system applications provide the following security measures:

  • Authentication via user identities and passwords.

    Token and biometrics are available for users of Office Groove 2007, but not for administrators of Groove Enterprise Services.

  • Data confidentiality measures, including strong symmetric key encryption during data transmission and encryption of data stored on hard drive.

  • Data and administrative access controls.

  • Role-based authorization levels.

  • Account lockout provisions.

  • Audit logging capability.

The following sections provide more detail about Groove server and client security provisions. Groove product Help and administrator guides provide additional information.

Two applications drive the Groove Servers that host Groove Enterprise Services: Groove Server Manager and Groove Server Relay. Each of these is designed to help ensure the security and integrity of information resources within an enterprise, as described below:

Groove Server Manager Security

Groove Server Relay Security

Groove Server Manager (the Groove management server application) employs a combination of encryption and certification to provide a foundation for securing data exchange within its network of server and client devices. Encryption and certification are implemented as follows:

  • The Groove implementation of Public Key Infrastructure (PKI) provides certificates (signed contact information) that enable automatic user authentication within and across management domains.

In addition, Groove Server Manager is configured in accordance with the following best practices:

  • Groove management servers are located in a perimeter network.

  • Secure Sockets Layer (SSL) technology is enabled on each IIS server to help protect the Groove Manager administrative Web site. SSL provides a mechanism to verify the identity of the servers and to encrypt the messages between them. To accomplish this, it uses a public key infrastructure (PKI) system based on digital certificates.

  • Windows Live ID (formerly Passport) authentication is employed for Groove Manager login.

  • Role-based Administrative Control is enabled, restricting access to Groove Manager server-level and domain controls to designated administrators.

  • The latest Critical Update Package and Security Rollups are installed on the servers.

  • Groove servers are installed on equipment with redundant hardware systems and hard drives, to protect the operating system and data from damage or loss as a result of hardware component failure.

  • Anti-virus software is installed on Groove management server machines.

  • To take advantage of security and protections built into the server hosting environment, follow the recommendations in Administrative Measures.

Groove Server Relay (the Groove relay application) enables continual communications among Groove clients, even when clients are offline or network failures interrupt connections. Groove relay servers use public key cryptography for initial authentication of devices and users via their primary protocol (SSTP), and for authentication of transactions received from Groove Manager via SOAP.

Other security features are built into Groove relay servers, including:

  • Device authentication when dequeuing device-targeted data (including Groove workspace and contact information) from the relay server.

  • User account authentication when dequeuing identity-targeted data (including Groove instant messages and invitations) from the relay server.

  • Server authentication when dequeuing both device-targeted and identity-targeted data.

Groove stores the public key certificate of each relay server to which it is provisioned. Groove clients are provisioned with relay servers via a Microsoft provisioning server. Groove uses the public key of the designated primary (or Home) relay to initiate secure registration of the new account’s identity and device(s). Henceforth, communication between the Groove account and its relay server is authenticated and secured.

When a Groove user account registers with a relay server, the account establishes a shared secret key with the relay server that provides a mutually authenticated link for all relay-to-client communication. The secret key is shared solely with that user account over the life of the account and prevents unauthorized dequeuing from the relay.

Groove Relay can access only the message header information that is needed to locate and properly route enqueued data to authenticated dequeuing devices (or to a target device's relay server in the case of single-hop fanout). Groove data is strongly encrypted end-to-end, and Groove Relay is not party to the encryption keys used to secure Groove data. Data that is temporarily stored on the relay server therefore cannot be read in the clear.
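The two relay properties described above (a per-account shared secret that authenticates dequeuing, and end-to-end encryption to which the relay is not party) are modelled in the following added example. It is illustrative code written for this article, not Groove's protocol or Microsoft's implementation: the cipher (HMAC-SHA256 in counter mode), the challenge/response shape, and the names `Relay`, `e2e_seal`, `e2e_open`, and `dequeue_proof` are all assumptions.

```python
import hmac, hashlib, secrets

# End-to-end layer: the key is shared only between the communicating Groove peers.
# HMAC-SHA256 in counter mode stands in here for the real symmetric cipher (illustrative only).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]
def e2e_seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag; this is all the relay ever sees."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag
def e2e_open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on any tampering in transit."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("end-to-end integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
def dequeue_proof(shared_secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(shared_secret, b"dequeue" + nonce, hashlib.sha256).digest()  # proof of possession

# Relay layer: routes by header only and authenticates dequeuing with the per-account secret.
class Relay:
    def __init__(self):
        self.account_secrets = {}  # account id -> secret established at registration
        self.queues = {}           # account id -> opaque blobs awaiting dequeue
    def register(self, account: str) -> bytes:
        self.account_secrets[account] = secrets.token_bytes(32)
        return self.account_secrets[account]
    def enqueue(self, target: str, blob: bytes) -> None:
        self.queues.setdefault(target, []).append(blob)  # header = target; body is opaque
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh nonce, so a captured proof cannot be replayed
    def dequeue(self, account: str, nonce: bytes, proof: bytes) -> list:
        if not hmac.compare_digest(proof, dequeue_proof(self.account_secrets[account], nonce)):
            raise PermissionError("dequeue not authenticated")
        return self.queues.pop(account, [])

def demo() -> dict:
    relay, peer_key = Relay(), secrets.token_bytes(32)  # peer_key: known to Alice and Bob only
    bob_secret = relay.register("bob")
    relay.enqueue("bob", e2e_seal(peer_key, b"quarterly numbers attached"))  # constructed message
    relay_reads_plaintext = b"quarterly" in relay.queues["bob"][0]
    nonce = relay.challenge()
    try:  # a party holding no registration secret for "bob" fails the challenge
        relay.dequeue("bob", nonce, dequeue_proof(secrets.token_bytes(32), nonce))
        forged = True
    except PermissionError:
        forged = False
    nonce = relay.challenge()
    msgs = relay.dequeue("bob", nonce, dequeue_proof(bob_secret, nonce))
    return {"relay_reads_plaintext": relay_reads_plaintext, "forged_dequeue_accepted": forged,
            "received": [e2e_open(peer_key, m) for m in msgs]}
```

Running `demo()` shows the relay holding only ciphertext it cannot read, rejecting a dequeue attempt without the registration secret, and delivering the message to the account that can prove possession of it.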

In addition, Groove Server Relay is configured in accordance with the following best practices:

  • Groove relay servers are located in a perimeter network.

  • The latest Critical Update Package and Security Rollups are installed on the servers.

  • Groove servers are installed on equipment with redundant hardware systems and hard drives, to protect the operating system and data from damage or loss as a result of hardware component failure.

  • Anti-virus software is installed on Groove Server Relay machines. Real-time scanning of portions of the relay server's data drive may be disabled.

  • To take advantage of security and protections built into the server hosting environment, follow the recommendations in Administrative Measures.

Securing Internet communications is based on achieving four main objectives: authentication of users and devices, confidentiality of communications, data integrity, and authorization. How you meet these objectives depends mostly on the software you are using.

Groove client software addresses fundamental security issues via the following built-in mechanisms:

  • Data encryption helps assure confidentiality of all information exchanges, whether on a LAN or across the Internet.

  • Groove accounts can be protected by login credentials (passwords or Smart Cards).

  • Built-in authentication systems allow Groove users to verify the identity of other Groove users.

  • Role-based access control, defined by Groove workspace managers, determines how workspace members access and interact with content.

  • Progressive slow-down of the password window display after repeated incorrect password attempts protects against external parties using password discovery scripts to access Groove.

  • Users with Office-compatible antivirus software on their Groove devices can enable automatic virus filtering of files in their Groove account preferences.

  • Workspace version restrictions allow users to create workspaces supported only in the current or a later version of Groove, and to accept invitations only to workspaces that were created in the current or a later version of Groove. Administrators can enable this restriction by setting a Groove Manager domain policy accordingly.

  • File type restrictions limit the types of allowed files to those specified in Microsoft Office as “safe for sharing.” Administrators can enable this restriction by setting a Groove Manager domain policy.

  • Groove users can select options for restricting the delivery of Groove messages from other Groove users. For example, Groove can be configured to accept messages from only “known Groove contacts”, that is, contacts who are either in a user’s contact list, verified by the user or administrator, or who are members of at least one of the user’s workspaces.

Security is an especially important consideration when distributing Groove user account configuration codes that enable the deployment of managed identities among your PC users.

The following policies, which you can configure, help further secure your Groove environment:

  • Device password policies help ensure that Groove login practices (passwords or smart cards) meet requirements in place at an organization.

  • Account lockout policies deter fraudulent Groove login attempts.

  • Peer authentication policies control communications among Groove users in different management domains.

  • Password (or smart card) credential reset policies allow for safe reset of user login credentials.

  • Role-based administrator access control allows the designation of administrators with varying levels of Groove management responsibility.

  • Groove user account backup policies help secure vital account information by providing for scheduled account backups.

In addition, for your own protection, follow these best practices:

  • Make sure to keep labeled copies of any certificates or private keys you use in a known secure location (such as on disk in a locked cabinet or in a directory on a secure private network). You may need access to these old certificates or private keys in the future (for example, if you need to recover client data but the client has an older version of the data recovery certificate).

  • Establish further administrative roles, governing access to Groove Manager machines, access to server-level controls, and access to management domain controls.