Follow me on Twitter @AntonioMaio2

Thursday, December 5, 2013

Securing SharePoint 2013: Protect Against Malware and Compliance Issues

A Look at Trend Micro™ PortalProtect™ for SharePoint

This article is the fifth in a series where I introduce concepts and considerations for securing Microsoft SharePoint 2013.  These articles serve as an introduction to those new to SharePoint or to those with SharePoint up and running who are looking at built-in features and third-party solutions to secure their sensitive information. 

In this post, I look at a third-party product that helps protect against malware and non-compliant content in SharePoint.  Specifically, we’ll look at Trend Micro™ PortalProtect™ for SharePoint.


SharePoint Content Sources and the Risks They Pose
Microsoft SharePoint has greatly increased our ability to collaborate and share content, both within our organization and outside of the business.  As a result, we see content from many sources being stored in SharePoint and shared with wider and more diverse audiences, for example:

·        Content coming from within our organization, from internal information workers who are creating content
·        Content coming from the web, when internal employees download content and store it for future reference
·        Content coming from partners, when SharePoint is used as an extranet to facilitate inter-organization collaboration
·        Content coming from end customers, such as comments, blog feedback or news feed items when SharePoint is used as a public web site

SharePoint makes it extremely easy for individuals to create and collect information, which in turn drives people to spend more time searching, organizing and managing information.  As well, it makes it very easy to create new web portals (public facing web sites, extranets, team sites, etc.) in which people can easily share that information with a wide audience.  These great benefits also mean that we lose some control over where content is coming from.  As a result, this creates risks for the organization that must be managed, especially when the organization stores sensitive information in SharePoint.

In particular, when content comes from varied sources there are risks that this content can contain information that does not comply with regulations that are important to the business.  As well, there are risks that incoming content can contain malware – viruses, trojans or worms that can either steal sensitive information like credentials or intellectual property, or that can corrupt information.

Microsoft SharePoint 2013 out of the box does not provide features that are designed to protect against such risks.  As well, Microsoft has stopped shipping “Forefront for SharePoint” which had provided some measure of protection in past versions.  As a result, we must look to third party solutions to ensure that sensitive information in SharePoint both complies with regulatory standards and is free of malware.  Earlier this year I had the opportunity to participate in the beta testing program for such a solution - Trend Micro™ PortalProtect™ for SharePoint.  I spent some time testing the product and will provide some insight into its features and benefits in this article.

Trend Micro PortalProtect for SharePoint – Benefits
PortalProtect version 2.1 provides some great new benefits over previous versions including support for SharePoint 2013 (both standard and enterprise server, as well as Foundation) and 5 new data loss prevention policy templates for compliance with industry standard regulations. Other benefits include:
·        According to the Trend Micro web site, PortalProtect delivers 206% better performance over Microsoft Forefront. These are some impressive numbers and there is a commissioned independent report which details the test results – it can be found here: http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_portalprotect-performance-report_analyst-principled-tech.pdf. You should of course verify these results in your own SharePoint environment.
·        PortalProtect keeps malicious URLs out of SharePoint
·        PortalProtect content filtering protects web pages (blogs, wikis, discussions) as well as list items and documents
·        PortalProtect integrates security policies with Active Directory (AD), SharePoint Users/Groups, and SharePoint sites

Deploying PortalProtect
Deploying PortalProtect to my SharePoint farm was extremely easy.  It includes an easy-to-use setup wizard and installs as a full-trust farm solution.  As such, you do need farm administrator access to install the solution.  In total, the installation took about 15 minutes and I didn’t run into any issues in a simple farm configuration (1 WFE and a separate SQL Server database VM).

You will be asked for a license key during the install.  If you do not have a valid key at the time of deployment it will install in trial mode and allow a trial to be run for 1 month. 

How It Works
PortalProtect's main function is to scan and block content, and it can be configured to take various actions when a file is blocked or a virus is detected. As well, PortalProtect can send notifications of these events to administrators or other recipients when they occur.  PortalProtect protects content within SharePoint in a number of ways including:
·        Scanning files or web content to determine whether content violates pre-configured policies. When a policy violation is detected PortalProtect will apply an action to either quarantine or delete content depending on how the policy is configured.
·        PortalProtect can scan files for malware and viruses, according to pre-configured policies.  If a file is found to be infected with malware, PortalProtect will apply an action to either clean, delete, quarantine or ignore content depending on how the policy is configured.
·        PortalProtect can scan URLs in Web content to detect malicious URLs, and if found it will take actions such as blocking access to a URL.
·        PortalProtect can block files based on their file extension, file name, or actual file type. When it detects a file type that violates a policy it will take an action such as quarantine or delete.

Note: SharePoint 2010 and 2013 do have a built-in feature to block files based on file extension, which can be configured in SharePoint Central Admin under Manage Web Applications.  Although useful in that it stops specific file types from being uploaded or downloaded from SharePoint, it is limited to checking file extensions only.

Scanning SharePoint Content for Regulatory Compliance
When it comes to ensuring that SharePoint content complies with industry regulations, this product is quite impressive!  It will scan documents, list items and web content on site pages for policy compliance.  It will scan existing content in SharePoint as well as when new content is added to or retrieved from SharePoint.  It allows administrators to create new policies, and it includes several important pre-configured policy templates for SharePoint administrators to choose from.  As well, it allows policies to be configured with a robust set of conditions, exceptions, policy actions and notification options.

Adding a new policy allows administrators to select the keywords or patterns (regular expressions) that a policy will scan for. These patterns can include social security numbers, credit card numbers, identity card numbers, phone numbers, etc.  You can configure the number of occurrences of a pattern in order to trigger a policy violation.  PortalProtect provides a synonym checking feature that enables you to extend the reach of your policies.  As well, administrators can configure policy exceptions.  Policy exceptions work with real-time policy scanning only and they allow specific Active Directory users/groups or SharePoint users/groups to be excluded from policy enforcement.
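The pattern-plus-occurrence-count idea described above can be sketched in a few lines of Python. This is an added example, not PortalProtect's own code or expressions: the two regular expressions, the Luhn checksum step (added here to discard digit runs that cannot be card numbers) and the threshold values are assumptions, and the sample document is constructed.

```python
import re

# Illustrative patterns (assumptions, not the product's own expressions).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample content; the card values are the public test numbers.
DOC = """Customer export (constructed sample data)
Order ref 1234567890123456 shipped.
Card on file: 4111 1111 1111 1111
Backup card: 5555-5555-5555-4444
Employee SSN: 123-45-6789
"""

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text):
    """Regex candidates that also pass Luhn (drops order numbers and the like)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def evaluate(text, thresholds):
    """Count matches per pattern; a policy fires when count >= its threshold."""
    counts = {
        "ssn": len(SSN_RE.findall(text)),
        "card_raw": len(CARD_RE.findall(text)),   # regex only, for comparison
        "card": len(find_cards(text)),
    }
    violations = {k: counts[k] for k in thresholds if counts[k] >= thresholds[k]}
    return counts, violations

if __name__ == "__main__":
    # Hypothetical policy: two or more occurrences of either pattern.
    print(evaluate(DOC, {"ssn": 2, "card": 2}))
```

With a threshold of two, the single SSN does not trigger the policy, while the two valid card numbers do; the 16-digit order reference matches the raw regex but is rejected by the checksum.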

Note: PortalProtect only provides real-time policy exceptions for SharePoint 2013 Server, SharePoint 2010 Server and Foundation 2013 and 2010.  As well, exceptions do not support AD users and groups across a forest nor do they support global AD groups.

PortalProtect 2.1 includes 5 new pre-configured policy templates for the following compliance regulations:
·        GLBA (Gramm-Leach-Bliley financial services modernization act of 1999)
·        HIPAA (Health Insurance Portability and Accountability Act)
·        PCI-DSS (The Payment Card Industry Data Security Standard)
·        SB-1386 (California law regulating the privacy of personal information)
·        US PII (Personally identifiable information)

These policy templates provide an easy way for organizations to validate content for compliance with regulations that may be critical to their business.  That said, I would caution any business against relying 100% on any automated template-driven solution to ensure compliance.  Automated solutions can produce false-positive results, and regulations do evolve over time.  Compliance with such regulations often involves careful planning, legal counsel and multiple levels of protection.

Unfortunately, administrators cannot add additional keywords or patterns to these pre-configured templates. Allowing SharePoint administrators to make these types of modifications to policy templates would be a great enhancement in a future version of PortalProtect, especially since the nature of sensitive information is unique to each business.

Scanning SharePoint Content for Malware
This latest release of PortalProtect includes the most recent version of Trend Micro’s robust scanning engine.  At the root of any antivirus program sit two components: a scanning engine and a database of virus signatures. Together, these two components work to identify and clean infected files. Whenever PortalProtect detects a file type that it has been configured to scan, it copies the file to a temporary location and opens the copy for virus scanning. If the file is clean, PortalProtect deletes the copy and releases the original for access through typical SharePoint methods. However, if a virus is detected, PortalProtect applies a pre-configured action: clean, delete, quarantine, or ignore. Deleted and quarantined files are not delivered to the intended recipient. Files set to be cleaned are opened, and any viruses are removed. Not all viruses, however, can be cleaned. For example, some viruses corrupt the host file, making it unusable, and trojans, worms, and mass mailers do not infect a host file and therefore cannot be cleaned. Whatever the configured action, all detections are written to a virus log and administrators can receive automatic notifications of such incidents.

PortalProtect includes a great feature called IntelliScan™ which helps it to minimize usage of system resources and scan files more efficiently.  This feature examines files to assess their true file type (relying not only on file extension) and ensures that it is only scanning file types that are actually susceptible to viruses.
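The difference between extension-only blocking (the built-in SharePoint feature noted earlier) and checking a file's actual type can be shown with a header-signature check. This is an added example of the general technique, not IntelliScan's implementation: the signature table is a small subset of well-known magic bytes, and the block lists, verdict names and sample byte strings are assumptions constructed for illustration.

```python
import os

# Leading "magic" bytes for a few common formats (well-known signatures).
MAGIC = [
    (b"MZ", "exe"),                                  # Windows PE executable/DLL
    (b"\x7fELF", "elf"),                             # Linux executable
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]

# True types each extension may legitimately contain.
EXPECTED = {
    ".exe": {"exe"}, ".dll": {"exe"}, ".pdf": {"pdf"}, ".zip": {"zip"},
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".doc": {"ole2"}, ".xls": {"ole2"},
    ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
}

BLOCKED_EXTENSIONS = {".exe", ".dll"}   # hypothetical extension block list
BLOCKED_TYPES = {"exe", "elf"}          # hypothetical true-type block list

# Constructed sample contents (headers only, padded with zero bytes).
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60
PDF_BYTES = b"%PDF-1.4\n" + b"\x00" * 32
DOCX_BYTES = b"PK\x03\x04" + b"\x00" * 32

def sniff(data):
    """Return the type implied by the file's leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def extension_only_check(filename):
    """Extension-based blocking: looks at the name, never the content."""
    ext = os.path.splitext(filename)[1].lower()
    return "block" if ext in BLOCKED_EXTENSIONS else "allow"

def true_type_check(filename, data):
    """Block by detected content type; quarantine name/content mismatches."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    if kind in BLOCKED_TYPES:
        return "block", f"content is {kind}"
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        return "quarantine", f"{ext} extension but content is {kind}"
    return "allow", kind

if __name__ == "__main__":
    print(extension_only_check("invoice.pdf"))          # name looks harmless
    print(true_type_check("invoice.pdf", RENAMED_EXE))  # content says otherwise
```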

PortalProtect will scan an extensive number of compressed file formats.  However it will not scan files that are encrypted or password protected.  For these file types administrators can specify which action should be taken: block, quarantine, pass, delete, or rename.

The Trend Micro scanning engine can be configured to perform the following types of scans:
·        Real-time Scan – This feature will scan files when they are checked in, checked out, saved or opened/downloaded. All incoming or outgoing files are scanned for viruses or other malicious code.
·        Manual Scan (Scan Now) – This feature provides an immediate way to scan existing content in SharePoint.  It can be used to scan all or a portion of the content within a site immediately, depending on the configuration.
·        Scheduled Scan – Scans can also be scheduled to occur at pre-configured times or frequencies.  A scheduled scan can be used to automate routine security tasks, to improve antivirus management efficiency, and to give you more control over your antivirus policy.
PortalProtect can process multiple requests simultaneously and requests can be prioritized.  However, it is recommended that manual scans and scheduled scans are not performed during peak SharePoint usage periods. 

It is also recommended that organizations use a combination of these scanning types to better ensure the security and compliance of content within Microsoft SharePoint environments. A manual scan can help protect existing content already stored in SharePoint.  Real-time scanning protects against new threats as new content comes into SharePoint.  Finally, scheduled scans can ensure that security and compliance are automated, helping to continually maintain a strong security posture.

Putting It All Together
Overall, this product does exactly what it says it does and it does it well – it helps to protect information in SharePoint by scanning content for compliance issues and it protects SharePoint content from malware.   

The deployment of the product is very easy.  As well, configuration and management of policies was straightforward through the Web Management Console provided.  PortalProtect now supports Microsoft SharePoint 2013 and provides new compliance templates for important regulatory standards, which are both great advancements. For many organizations Microsoft SharePoint represents the central repository for storing critical business information, and having a solution which protects those assets from compliance violations and malware is critical to protecting the business.  Trend Micro has provided a robust security solution with PortalProtect which is very much worth considering.

   -Antonio

Disclaimer:  In the spirit of full disclosure, it's important to note that the author of this post was not paid for this article, nor was the article solicited by the third party solution provider.  This is an independent product review based solely on my testing experience with the product deployed to my personal SharePoint lab environments.  All SharePoint environments are configured and deployed differently and your experiences in using this product may vary.