Secure the Groove Server Manager installation

 

Applies to: Groove Server 2010

Topic Last Modified: 2010-05-26

This article describes how to help secure the SQL server back end, IIS front end, and administrative Web pages for Groove Server Manager. In addition, to these guidelines, follow your organization’s best practices in administering enterprise servers.

In this article:

  • Before you begin

  • Secure the SQL back end

  • Secure the IIS front end

  • Secure the Groove Server Manager administrative Web site

Before you begin

Before you start this procedure, install Groove Server Manager as described in Install Groove Server 2010 Manager.

Secure the SQL back end

This section recommends measures for securing the SQL back end that supports Groove Server Manager.

To maximize security protections for the SQL back end of Groove Server Manager, follow these steps

  1. Address the requirements in Before you begin.

  2. Securely configure the network and operating system as your first line of protection, as you would with As with any enterprise server.

  3. Isolate the SQL Server behind a port-restricted and IP address-restricted firewall.

  4. Ensure that SQL Server authentication options are configured for Mixed Mode to support SQL Server Authentication.

  5. Always install the latest Critical Update Package and Security Rollup on the SQL Server.

  6. Follow the standards in place at your organization for safeguarding corporate data resources.

Secure the IIS front end

The Groove Server Manager installer implements important security protections on the IIS server. The following section explains how to confirm and improve this protection.

To ensure security protection for the IIS front end of Groove Server Manager, follow these steps

  1. Verify that SSL is implemented for Groove Server Manager as follows:

    1. Select IIS Manager from the Windows Administrative Tools and navigate to the GMS Website.

    2. From the Groove Manager root directory in IIS, right-click and select Properties, select the Directory Security tab, and ensure that an SSL (x.509) certificate is in place for the Groove Server Manager Web site. You can use either the Web Server Certificate Wizard and Microsoft Certificate Services, or an outside certification authority (CA) to obtain a certificate. For more information about how to set up SSL, see How to implement SSL in IIS (https://support.microsoft.com/kb/299875).

    3. If the Groove account auto-configuration feature should be used, from the AutoActivate directory, right-click and select Properties, and then ensure that settings are configured to enable SSL and require 128-bit encryption.

      Note

      A valid SSL certificate is required for successful Groove auto-account configuration.

      For information about Groove auto-account configuration, see Automate SharePoint Workspace account configuration/restoration.

  2. Verify the system authentication as follows:

    1. Select IIS Manager from Windows Administrative Tools and navigate to the GMS Website.

    2. Ensure that authentication for the Groove Server Manager Web site root directory is set to Anonymous access, and disable all other authentication schemes.

    3. Ensure that Integrated Windows Authentication is enabled for the administrative GMS directory of the Groove Server Manager Web site, and disable all other authentication schemes, including Anonymous access.

    4. To support Automatic Account Configuration/Restore, ensure that authentication for the Manager Website (the gmsClient\secure directory) is set to Integrated Windows authentication and disable all other authentication schemes, including Anonymous access.

    5. Configure IIS logon accounts (local or domain logons as needed) for Groove Server Manager administrators.

  3. Backup the following Groove Server Manager registry key and record the backup directory name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\14.0\Groove\ManagementServer

  4. Ensure that your port settings follow Windows Firewall restrictions and Groove Server Manager requirements, as described in Plan port configurations for Groove Server.

  5. Always install the latest Critical Update Package and Security Rollup on the IIS server.

  6. Follow the standards in place at your organization for safeguarding corporate content resources.

Secure the Groove Server Manager administrative Web site

This section recommends the following steps to better secure your Groove Server Administrative Web site.

To enable role-based access to Groove Server Manager administration, follow these steps

  1. From your Groove Server Manager administrative Web site, select the server in the navigation pane on the left and then click the Roles tab.

  2. Define an initial administrator role and enable Role-based access control, as described in Managing administrative roles for Groove Server Manager.

When you have secured your management environment, configure the domain, as described in Configure Groove Server 2010 Manager.