The previous article outlined a picture of security made up of five areas (infrastructure, application, database, content and compliance) that you should be aware of when planning information security for your SharePoint intranet collaboration. This article begins with the first area: network infrastructure and systems (referred to here as network infrastructure or IT infrastructure, as I think the term “infrastructure” on its own is very general). This article won’t cover network infrastructure “security in depth”, such as TCP/IP security, network packets or OSI protection. If you are working in a large company, there should be a network and security team coordinating with you in protecting SharePoint.
- Intranet Collaboration Security in SharePoint – Part 1
- Intranet Collaboration Security in SharePoint – Part 2 (You are here)
- Intranet Collaboration Security in SharePoint – Part 3
Network infrastructure has many components that combine to provide network connectivity and communication between computers. It also includes software and operating systems. Infrastructure security protects the key components involved in building a whole SharePoint environment in your organization. These components vary: routers, firewalls, detection systems and so on. To make this clearer, I divide network infrastructure security into three layers:
- Layer 1: Exterior perimeter
- Layer 2: Operating System & Application
- Layer 3: Internal workstation
Layer 1: Exterior perimeter
Basically, when you want to protect something, the first thing you look at is the perimeter. In lots of action movies, you may have seen the protection of a president or of extremely expensive items such as diamonds or paintings. To protect these things, there must be a solid house with four walls and many guards on duty 24/7/365. If someone wants to murder the president or steal the diamond, he needs to get through the perimeter without being detected by the guards or by any intrusion detection or intrusion prevention system; otherwise he will be taken down immediately.
In the same way, SharePoint assets such as sensitive shared documents need to be protected so that unauthorized, anonymous parties outside the company cannot steal them. Depending on your budget and how important your information is, your network infrastructure may include expensive network devices (e.g. hardware firewalls, IDS, IPS systems…).
If you intend to build a DMZ to protect the application server, consider the fact that the User Profile Synchronization service and People Picker can’t communicate with a non-DMZ domain controller. In this case, you would have to build a replicated domain controller to facilitate the synchronization, or allow the required ports. If your SharePoint farm needs to communicate with a cloud service (e.g., Windows Azure Media Service) over the Internet, ask the team that controls the firewall to allow your port. This article provides the list of SharePoint ports and protocols you may need to allow. Don’t leave your network team to work alone!
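One way to confirm that the required ports are open before troubleshooting People Picker or profile synchronization from the DMZ is a plain TCP connect test, shown here as an added example that is not part of the original article. The domain controller name is a placeholder and the port list is an assumption based on standard Active Directory services, not the list the article links to.

```powershell
# Added example: TCP reachability from a DMZ SharePoint server to a domain controller.
# The host name is a placeholder and the port list is an assumption (standard
# Active Directory services); compare it with your own firewall rule request.
$DomainController = 'dc01.corp.example'   # hypothetical name
$TimeoutMs        = 2000

$services = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB' },
    @{ Port = 636;  Name = 'LDAP over SSL' },
    @{ Port = 3268; Name = 'Global Catalog' },
    @{ Port = 3269; Name = 'Global Catalog over SSL' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # TcpClient is used so the check also runs on older Windows PowerShell versions.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A timeout usually means the firewall silently drops the traffic.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($svc in $services) {
    New-Object psobject -Property @{
        Port      = $svc.Port
        Service   = $svc.Name
        Reachable = Test-TcpPort -ComputerName $DomainController -Port $svc.Port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table Port, Service, Reachable -AutoSize

# DNS and Kerberos also use UDP, which a TCP connect cannot confirm.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ('Blocked or closed: ' + (($blocked | ForEach-Object { "$($_.Port)/$($_.Service)" }) -join ', '))
}
```

Run it from the SharePoint server inside the DMZ, since that is the network path the firewall rules apply to.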
There are lots of articles and books covering network security. They share the same design and concepts, so I won’t elaborate further. I strongly recommend that you read this book: Inside Network Perimeter Security. It provides the key concepts of the network perimeter and how to design a secure perimeter that protects not only your network devices but also everything that resides in the network.
Layer 2: Operating System & Application
As of the release of SharePoint 2010, only 64-bit Windows Server is allowed. Although the 64-bit architecture is more secure, the Windows Server OS version you have installed may have vulnerabilities that could compromise your network configuration. Securing the Windows Server OS is essential to protecting SharePoint.
To eliminate potential threats and vulnerabilities, hardening the Windows Server system is an important process to take into account. The process typically includes checking for security patches and updates released by Microsoft, removing unnecessary applications, software and automated scripts, and configuring permissions and policies for user accounts. Microsoft provides a free tool named Microsoft Baseline Security Analyzer that allows you to assess the security configuration of Windows Server. It checks whether your Windows Server is missing the latest security patches, and checks the configuration applied to different components (built-in Windows Firewall, local Administrators group, folder permissions, etc.). Download this tool here.
Tevora, an information security consulting firm, shares 10 common steps to harden Windows Server 2008.
- Configuring a security policy
- Disabling or deleting unnecessary accounts, ports and services
- Uninstalling unnecessary applications
- Configuring the Windows Firewall with Advanced Security
- Configuring Auditing
- Disabling unnecessary shares
- Configuring encryption (BitLocker Drive Encryption or so on)
- Updating and Patching
- Installing Anti-virus software and Network Access Protection (NAP)
- Least privilege
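Several of these steps can be spot-checked with a short read-only script, given here as an added example that is not from the article or from Tevora. It assumes Windows PowerShell 5.1 on Windows Server 2012 or later in an elevated session, and the 30-day patch window is an assumed threshold.

```powershell
# Added example: read-only check of a few items from the hardening list above.
# Assumes Windows PowerShell 5.1 on Windows Server 2012 or later, run elevated.
# The 30-day patch window is an assumed threshold, not a value from the article.
$MaxPatchAgeDays = 30
$findings = New-Object System.Collections.Generic.List[string]

# Updating and patching: age of the most recently installed update
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings.Add('Patching: Get-HotFix reports no installed updates')
} elseif (((Get-Date) - $latest.InstalledOn).Days -gt $MaxPatchAgeDays) {
    $findings.Add("Patching: last update $($latest.HotFixID) installed on " +
        $latest.InstalledOn.ToString('yyyy-MM-dd'))
}

# Windows Firewall: every profile (Domain, Private, Public) should be enabled
Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' } |
    ForEach-Object { $findings.Add("Firewall: profile '$($_.Name)' is not enabled") }

# Unnecessary accounts: enabled local accounts, listed for review
Get-LocalUser | Where-Object { $_.Enabled } |
    ForEach-Object { $findings.Add("Accounts: enabled local account '$($_.Name)'") }

# Least privilege: members of the built-in Administrators group (well-known SID)
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $findings.Add("Privilege: local administrator '$($_.Name)'") }

# Unnecessary shares: SMB shares other than the built-in administrative ones
Get-SmbShare -Special $false |
    ForEach-Object { $findings.Add("Shares: '$($_.Name)' -> $($_.Path)") }

# Everything listed needs a human decision: keep and document it, or remove it.
if ($findings.Count -eq 0) {
    'No items to review.'
} else {
    $findings | Sort-Object
}
```

The script changes nothing on the server; save its output per server so that a new account, share or administrator stands out on the next run.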
The Information Security Office in the University of Texas at Austin provides an excellent Windows Server 2008 R2 Hardening checklist here too.
There is another tool named Security Configuration Wizard you should look into. This tool guides you through the process of creating a security policy, based on the roles performed by a given server.
In terms of updating and patching, don’t assume that patching, especially for SharePoint, is just a matter of downloading patches from the Microsoft Download Center and installing them. Todd Klindt, an internationally renowned SharePoint MVP, wrote a good post about the different types of patches and the considerations for installing them. Check it out!
If you are really concerned about the security of your Windows Server operating system, I strongly recommend that you refer to the Windows 2008 Security Technical Implementation Guide (STIG), developed by the Defense Information Systems Agency for the US Department of Defense, or read the draft of the Windows Server 2012 STIG.
Layer 3: Internal workstation
You need to look into the workstations (typically client computers) that are already connected to your network. A hijacked computer may strongly affect the whole environment in your company. The client I recently worked with to recover SharePoint data was totally controlled by a programmatically written virus. All client computers were infected first; applications and servers in the same network were then hijacked. At the end of the day, the virus destroyed and heavily encrypted many critical Windows system folders. Based on this story, I strongly recommend that you not overlook hardening the Windows client operating system. If your clients are running Windows XP, make sure you have a plan to upgrade, because Microsoft no longer supports it.
For anti-virus deployment at the client level, select an internationally trusted vendor such as Bitdefender, Kaspersky, Norton, or Symantec. SharePoint-level anti-virus will be covered later in the series.
There are lots of good references covering Windows 7 security. Here are some of them:
- Windows 7: Security and Protection
- Windows 7 Security Baseline
- Microsoft Windows 7 Security Technical Implementation Guide
The last thing worth looking into is the Network Access Protection (NAP) feature in Windows Server. NAP enforces health requirements by monitoring and assessing the health of client computers when they attempt to connect to or communicate on a network. For example, computers might be required to have antivirus software with the latest signatures installed, current operating system updates installed, and a host-based firewall enabled. Learn more about NAP here.
Information security has become more important than you think. To keep the assets and people in your house safe, the first essential step is at least to build a solid perimeter that can prevent anonymous intruders from breaking in. When it comes to network security, there is no final full stop. It’s a very long story!
This article isn’t intended to provide comprehensive guidance on network infrastructure security in a SharePoint environment. It just gives you a ticket through the first area in the entire blueprint for SharePoint intranet collaboration security. Don’t be frustrated if this article is all about what you already know!