Making SharePoint Resources Safe for Remote Workers
By Joe Licari, Director, Microsoft Security Product Management
Collaboration has become an essential force in the workplace as groups of colleagues work together to solve problems, complete projects, and perform other essential day-to-day business operations. Using products such as Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0, information workers throughout a company can work jointly on documents as well as post files, participate in threaded discussions, link to dynamic Web content, and generate tables based on information in corporate databases.
Unfortunately, this collaborative environment is often limited to on-network use or is accessible only via cumbersome virtual private network (VPN) schemes from fully managed client machines. Wouldn’t it be great if you could safely access your SharePoint portal from anywhere at any time?
Microsoft has the tools to make that happen. By combining the Microsoft Intelligent Application Gateway 2007 with Microsoft Forefront Security for SharePoint, you can:
Increase productivity: allow users to access SharePoint resources from any Internet connection.
Enhance the end-user experience: maintain the familiar look and functionality of the SharePoint site while working off the network.
Bolster security: help ensure that access to resources is controlled and that document content is free of malware.
Two Products, Two Purposes
The Intelligent Application Gateway 2007 (IAG) is a remote access gateway that publishes applications over Secure Sockets Layer (SSL) and pairs that access with application-layer protection and endpoint security management. Using a specially designed Intelligent Application Optimizer for SharePoint 2007, IAG gives you the tools to let users reach SharePoint resources safely.
Microsoft Forefront Security for SharePoint manages and integrates eight industry-leading antivirus scan engines (one from Microsoft and seven from third-party antivirus labs) to help provide comprehensive protection against the latest threats, inappropriate content, and disclosure of confidential information -- helping ensure that documents are safe before they are saved to or retrieved from the SharePoint document library.
Together these products will allow you to open your SharePoint resources to much wider use. The following provides a brief overview of what you can do with IAG and Forefront. There are links to more detailed information at the end of this article.
An SSL VPN is productive by nature. With no traditional VPN client to install or configure, users can reach critical corporate resources -- in this case, the SharePoint portal -- from a browser on any computer, whether that’s a machine at home, in an airport or hotel, at a customer site, or anywhere else. But easy connectivity is just the beginning.
IAG adds a number of productivity features on top of that connectivity. Single sign-on means that one entry of user name and password grants access to all of the published resources, and client applications such as Microsoft Office Outlook can connect through the gateway directly. Host address translation ensures that SharePoint links, which normally point at internal server names and would not work over the Internet, resolve successfully. Broken links are one of the most frustrating problems when publishing internal applications remotely, but with IAG links “just work.” Microsoft Office integration means that Office 2003 and Office 2007 applications work with SharePoint documents successfully across the SSL VPN.
Enhance the End User Experience
Remote solutions often present the user with a different interface from the one they see on the network. This leads to increased help-desk calls and user frustration. With the Intelligent Application Gateway, users see their SharePoint portal exactly as it appears when they are in the office, plus a special IAG toolbar (see Figure 1). Alternatively, a built-in portal page can provide easy point-and-click access to multiple applications (see Figure 2).
Password change management also enhances usability. Road warriors may go weeks without being on the network, so passwords expire and users find themselves locked out of critical applications. With IAG, users can be prompted when their passwords are nearing expiration and can update them directly through the SSL VPN. Password management supports Active Directory and RADIUS, and it also works with resetting token PINs for third-party authentication schemes.
As the above sections show, the IAG can offer easy–to-use, anywhere access to SharePoint and other internal resources. But the overriding question here remains: how well is this secured?
The scope of this article does not allow for details on all the security features provided by the IAG and Forefront, but I will touch on a number of the highlights.
Any Internet access to corporate resources requires a firewall, and the SSL VPN in IAG includes an application-level firewall that subjects incoming requests to strict checks before relaying anything to application servers on the internal network. Preconfigured rule sets for applications such as Windows SharePoint Services and Microsoft Office Outlook Web Access describe the URLs the application legitimately uses and help block application-level attacks based on malformed URLs. A request that matches no rule is dropped before it reaches the application.
Security policies distinguish access attempts from trusted and untrusted machines and apply different levels of permission and trust based on the source (see Figure 3). Connecting machines can also be checked for the presence of specific operating systems, antimalware software, and personal firewalls. Machines that fit the profile can be granted full access; machines that deviate can be given limited permissions or blocked completely.
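What a positive-logic rule set looks like in practice, as an added example written for this article (it is not IAG's rule engine, and the rules, alphabet and length limit below are a made-up, deliberately small profile of a SharePoint site): requests are matched against an allow-list of method and decoded-path patterns, and everything else is denied. The checks that matter most for "malformed URL" attacks happen before matching: the target is split into path and query before decoding, double encoding is rejected rather than decoded a second time, and traversal segments are tested on the decoded path so that %2e%2e cannot slip past a pattern that only sees the raw string.

```python
"""Positive-logic URL filter in the style of an application-layer gateway rule set.

Illustrative code written for this article; it is not IAG's rule engine and the
rules below are an assumed, deliberately small profile of a SharePoint site.
"""
import re
from urllib.parse import unquote

MAX_TARGET_LEN = 2048  # assumed limit on the request target (path + query)

# Allow-list: (method, regex over the *decoded* path). Anything not listed is denied.
RULES = [
    ("GET",  re.compile(r"/sites/[A-Za-z0-9_-]+(/[A-Za-z0-9._ -]+)*\.(aspx|docx|xlsx|pptx|pdf)")),
    ("GET",  re.compile(r"/_layouts/[A-Za-z0-9_/-]+\.(aspx|css|js|png|gif)")),
    ("POST", re.compile(r"/sites/[A-Za-z0-9_-]+/_layouts/Upload\.aspx")),
]

# Each query parameter must look like name=value over a restricted alphabet (assumed profile).
QUERY_PARAM = re.compile(r"[A-Za-z0-9_]{1,32}=[A-Za-z0-9_{}\-./ :]{0,256}")


def decode_once(s: str) -> str:
    """Percent-decode exactly once; a value that decodes further was double-encoded."""
    once = unquote(s)
    if unquote(once) != once:
        raise ValueError("double encoding")
    return once


def allowed(method: str, raw_target: str):
    """Return (True, reason) if the request matches a rule, else (False, reason)."""
    if len(raw_target) > MAX_TARGET_LEN:
        return False, "request target too long"
    raw_path, _, raw_query = raw_target.partition("?")   # split before decoding
    try:
        path, query = decode_once(raw_path), decode_once(raw_query)
    except ValueError as exc:
        return False, str(exc)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path + query):
        return False, "control character"
    # Traversal and Windows-style separators are checked on the decoded path,
    # so %2e%2e and %5c do not get past the pattern match below.
    if "\\" in path or any(seg in (".", "..") for seg in path.split("/")):
        return False, "path traversal"
    if query and not all(QUERY_PARAM.fullmatch(p) for p in query.split("&")):
        return False, "query parameter outside profile"
    for rule_method, pattern in RULES:
        if rule_method == method and pattern.fullmatch(path):
            return True, f"matched {pattern.pattern}"
    return False, "no rule matched (default deny)"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", "/sites/hr/Shared%20Documents/Policy.docx"),
        ("GET", "/sites/hr/default.aspx?ID=12"),
        ("GET", "/sites/hr/%2e%2e/%2e%2e/_vti_bin/owssvr.dll"),
        ("GET", "/sites/hr/%252e%252e/default.aspx"),
        ("DELETE", "/sites/hr/default.aspx"),
    ]
    for method, target in samples:
        ok, why = allowed(method, target)
        print(f"{'ALLOW' if ok else 'DENY ':5} {method:6} {target}  ({why})")
```

The default-deny at the end is the whole point of a positive-logic model: a new SharePoint feature that uses an unlisted URL will be blocked until someone adds a rule, which is the right failure direction for an Internet-facing gateway. The cost is that the rule set has to be maintained as the application changes, which is why a vendor-supplied profile for the published application is worth having.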
A key part of anywhere access is the ability to reach corporate resources from unmanaged machines, yet these machines pose significant problems, especially when they are public. IAG mitigates these problems through a number of features. Secure logoff forces re-authentication after a predefined time period, minimizing the window of opportunity for hijacking or taking over an abandoned session. To avoid dropping a session in the middle of activity (such as writing a long e-mail message), a pop-up window lets the user prolong the session.
A SharePoint Log Out button is also added to the SharePoint portal window, giving users the opportunity to end their sessions manually (see Figure 4). That’s when the Attachment Wiper goes to work, clearing sensitive information left on the client, including user credentials, cookies, auto-complete forms, auto-complete URLs, and URL history. The Attachment Wiper uses a “file shredding” mode by default, overwriting the data rather than merely deleting it, so that it cannot be recovered from the disk with ordinary undelete tools. Keep in mind what a wiper cannot do: it cannot undo what a keylogger or screen-capture tool on a compromised kiosk has already harvested, and it cannot reach copies the operating system may have written elsewhere, such as the page file. That is why the endpoint policies described above, not the wiper alone, should decide how much an untrusted machine is allowed to see.
Host address translation (HAT) also limits what an onlooker learns, which matters for “over the shoulder” attacks by an untrusted person watching a session in an Internet café or similar public location. The address bar and page links show only gateway addresses: HAT replaces internal host names and paths with opaque values, so external users, whether a shoulder surfer or an attacker studying the site, never see internal server names that could help them target resources on the inside. HAT is a disclosure control, not an access control; the firewall rules and endpoint policies still decide what a request may do.
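One way to implement host address translation, as an added sketch written for this article (it is not IAG's HAT mechanism; the gateway name, internal host names and keying secret are assumed values): outbound responses have every absolute URL that points at a published internal host rewritten to a gateway URL carrying an opaque alias, and inbound requests are mapped back only when the alias is one the gateway issued. The second half is the security-relevant part. If the inbound mapping accepted any host name, the gateway would become an open proxy into the internal network, so unknown aliases are refused rather than resolved.

```python
"""Host address translation (HAT) sketch: hide internal host names behind opaque aliases.

Example written for this article; it is not IAG's HAT implementation. The gateway name,
internal host names and the alias key are assumed values.
"""
import hashlib
import hmac
import re

GATEWAY = "https://portal.example.com"                                  # assumed public name
INTERNAL_HOSTS = {"sharepoint.corp.internal", "mysite.corp.internal"}   # assumed published hosts
ALIAS_KEY = b"per-gateway secret generated at install, never sent to clients"  # assumed


def alias_for(host: str) -> str:
    """Opaque, stable alias for an internal host; reveals nothing about the real name."""
    return hmac.new(ALIAS_KEY, host.lower().encode(), hashlib.sha256).hexdigest()[:16]


ALIAS_TO_HOST = {alias_for(h): h for h in INTERNAL_HOSTS}

# Absolute URLs only. Relative links need no rewriting because they resolve against the
# aliased URL of the page they appear in; the port is dropped because the gateway, not
# the client, knows how to reach the published host.
_ABS_URL = re.compile(r"https?://([A-Za-z0-9.-]+)(?::\d+)?(/[^\s\"'<>]*)?")


def rewrite_outbound(text: str) -> str:
    """Rewrite internal URLs in a response body or Location header to gateway URLs."""
    def repl(m):
        host = m.group(1).lower()
        if host not in INTERNAL_HOSTS:
            return m.group(0)          # external link: leave untouched
        return f"{GATEWAY}/hat/{alias_for(host)}{m.group(2) or '/'}"
    return _ABS_URL.sub(repl, text)


_INBOUND = re.compile(r"/hat/([0-9a-f]{16})(/.*)?")


def resolve_inbound(path: str):
    """Map a gateway path back to (internal host, path); None if the alias is not ours."""
    m = _INBOUND.fullmatch(path)
    if not m:
        return None
    host = ALIAS_TO_HOST.get(m.group(1))
    if host is None:
        return None                    # never proxy to a host that was not published
    return host, m.group(2) or "/"


if __name__ == "__main__":
    # Constructed page fragment, not a capture from a real SharePoint site.
    page = ('<a href="http://sharepoint.corp.internal/sites/hr/default.aspx">HR</a> '
            '<a href="http://mysite.corp.internal:8080/personal/alice/">Me</a> '
            '<a href="https://www.microsoft.com/">MS</a>')
    out = rewrite_outbound(page)
    print(out)
    print(resolve_inbound(f"/hat/{alias_for('sharepoint.corp.internal')}/sites/hr/default.aspx"))
    print(resolve_inbound("/hat/0123456789abcdef/"))   # unknown alias -> None
```

A keyed hash is used for the alias rather than a plain hash so that an outsider who guesses an internal naming convention cannot compute the alias for a host that was never published and probe for it. In a real deployment the rewriter also has to cover URLs generated in script and in headers such as Set-Cookie domains, which is where a product-specific optimizer earns its keep.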
With all these protections around access, there is still one security hole left to plug -- the threat from malicious content. And that’s where Forefront Security for SharePoint comes into play.
Forefront Security for SharePoint incorporates eight antivirus scan engines in a single product and uses up to five of them at a time. (The engines are from AhnLab, Authentium, CA, Kaspersky, Microsoft, Norman, Sophos and VirusBuster.) Using multiple engines provides defense-in-depth, an approach that Microsoft promotes as a smart and effective security strategy. All documents being uploaded to or downloaded from the document library can be scanned by up to five engines, each with its own detection capabilities (see Figure 5). This is critical when opening the SharePoint portal to external access because there is no way to ensure that a connecting computer is properly protected from viruses.
Forefront Security for SharePoint also offers proactive protection by letting you block specific types of files that may be dangerous, such as .exe, .vbs, and .bat. SharePoint itself can block files by extension, but Forefront goes a step further and identifies the file type from its content, so simple tricks such as renaming an executable with a document extension do not evade the block. Forefront also examines files embedded in ZIP and other compression formats, as well as malware embedded in documents such as Office files. Document keyword scanning provides a mechanism to help ensure that documents copied to SharePoint do not violate company policies on offensive language, confidential data, and so forth.
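The difference between extension blocking and content-based blocking, as an added example written for this article (not Forefront's scanner; the signature table, blocked types, nesting and size limits and policy keywords are all assumed): the scanner identifies each file from its leading bytes, descends into ZIP containers so that an executable inside an archive or a keyword inside the XML parts of a .docx is still seen, and flags policy keywords on the decompressed content. It also shows the two places where such a scanner has to fail safe: archives nested deeper than the limit and members whose declared size exceeds the cap are reported rather than silently skipped.

```python
"""Content-based file blocking and nested-archive scanning.

Example written for this article to illustrate the technique; it is not Forefront's
scanner. The signature table, blocked types, limits and policy keywords are assumed.
"""
import io
import os
import zipfile
from dataclasses import dataclass

# Minimal magic-number table (assumed); a real scanner carries far more signatures.
SIGNATURES = [
    (b"MZ", "exe"),                                    # PE/DOS executable
    (b"\x7fELF", "elf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy .doc/.xls OLE container
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                            # also .docx/.xlsx/.pptx containers
]
BLOCKED_TYPES = {"exe", "elf"}
SCRIPT_EXTENSIONS = {".vbs", ".bat", ".cmd", ".js", ".ps1"}  # scripts have no magic bytes
POLICY_KEYWORDS = (b"confidential", b"internal only")
MAX_DEPTH = 3                         # archives nested deeper than this are not trusted
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # declared-size cap per member, a crude zip-bomb guard


@dataclass
class Finding:
    path: str
    reason: str


def sniff_type(data: bytes) -> str:
    """Identify the file type from its leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def scan(name: str, data: bytes, findings=None, depth: int = 0) -> list:
    """Scan one file, recursing into ZIP containers, and return a list of Findings."""
    findings = [] if findings is None else findings
    kind = sniff_type(data)
    ext = os.path.splitext(name.lower())[1]
    if kind in BLOCKED_TYPES:
        findings.append(Finding(name, f"blocked type {kind} (extension {ext or 'none'})"))
    if ext in SCRIPT_EXTENSIONS:
        findings.append(Finding(name, f"blocked script extension {ext}"))
    if kind == "zip":
        if depth >= MAX_DEPTH:
            findings.append(Finding(name, "archive nested too deeply, not scanned"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(Finding(member, "member too large to scan"))
                        continue
                    scan(member, zf.read(info), findings, depth + 1)
        except zipfile.BadZipFile:
            findings.append(Finding(name, "corrupt archive"))
        return findings
    # Keyword policy check on the (already decompressed) bytes of non-container files
    lowered = data.lower()
    for kw in POLICY_KEYWORDS:
        if kw in lowered:
            findings.append(Finding(name, f"policy keyword {kw.decode()!r}"))
    return findings


def build_samples() -> dict:
    """Constructed test files for this example, not real uploads."""
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60
    bundle = io.BytesIO()
    with zipfile.ZipFile(bundle, "w") as zf:
        zf.writestr("notes.txt", "Quarterly numbers, CONFIDENTIAL until Friday")
        zf.writestr("setup.exe", fake_exe)
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:t>Internal Only: merger plan</w:t>")
    return {
        "quarterly_report.docx": fake_exe,   # executable renamed to look like a document
        "bundle.zip": bundle.getvalue(),
        "memo.docx": docx.getvalue(),
        "brochure.pdf": b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n",
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        for f in scan(fname, blob) or [Finding(fname, "clean")]:
            print(f"{f.path}: {f.reason}")
```

Note the asymmetry the example makes visible: an executable is caught by its bytes whatever it is called, but .vbs and .bat files are plain text with no reliable signature, so for scripts the extension check is still the only handle a scanner has, and a renamed script is a job for the host's own script-execution policy rather than the upload filter.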
There’s no need to keep your employees away from valuable corporate resources. With the right tools, accessing SharePoint portals remotely is user-friendly, enhances productivity, and -- most importantly -- is well guarded. Set your workers free!
For More Information
To find out how much more the Intelligent Application Gateway and Forefront Security for SharePoint have to offer, and to download evaluation software, follow these links.