
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Office Groove 2007, and Microsoft Office Groove Server 2007 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


Table of Contents

Overview

GES Security Provisions and Practices

Security Management

Physical Security

Network and System Security

Operational Security

Application Security

Groove Server Security Provisions

Groove Server Manager Security

Groove Server Relay Security

Groove's Built-in Security

Administrative Measures

Additional Resources

Overview

The Microsoft® servers that host Office Groove® Enterprise Services 2007 provide management and relay services to IT departments responsible for deploying and maintaining Groove collaboration and communication software in an enterprise. By employing hosted services instead of onsite Groove Servers, administrators rely on the hosting environment to provide the necessary security and protection to help ensure the integrity of their data.

Data security across the Internet relies on several layers of protection, from the physical and network levels to the application level. Protection measures range from controlling physical access to server hardware, to filtering and blocking transmissions over specific ports, to the application level where authentication schemes and cryptographic keys are used to protect data resources and prevent unauthorized access. The hosting environment for Office Groove Enterprise Services is provisioned to address these and related security issues, providing protection at all levels including physical, network, operational, and application.

GES Security Provisions and Practices

This discussion outlines the security measures in place for Groove Enterprise Services (GES) and recommends steps that administrators can take to maximize data protection within their Groove domains. For security and confidentiality reasons, this document is an overview and subject to change.

Security Management

A strong foundation of systems and documented processes underlies security management of the hosting environment for Groove Enterprise Services (GES). Windows Live security specialists support all Microsoft Online Services, including GES. This team of more than 50 security professionals is responsible for security programs and policies, compliance management, risk assessment and management, incident response, and security training and awareness.

Data center services (such as security guard and Help desk services) are provided by Microsoft employees. Third-party vendors are NOT employed for these tasks.

Formal documentation on file at the hosting data center includes the following:

  • Completed background checks on all staff.
  • Confidentiality agreements signed by employees.
  • Published security policies and procedures with signed agreement by staff.
  • Incident Response guidelines for responding to security breaches and emergencies.
  • Procedures for managing changes and upgrades to the hosting environment.

Physical Security

The Groove Servers that host Groove Enterprise Services are installed in physically secure facilities, accessible only to authorized personnel. Facilities meet industry standards for resistance to natural disasters.

In addition, sites are configured with the necessary mirrored and backup servers, installed with redundant hard drives to help sustain service in the event of unavoidable outages. With the necessary administrative backups in place, systems are equipped to protect against data loss and facilitate disaster recovery.

The following perimeter security measures are in effect:

• Exterior fences with controlled access.

• External closed-circuit TV surveillance.

• Guard service control 24 hours per day, every day of the year.

The following facility security measures are also in effect:

• External closed-circuit TV surveillance.

• The GES data center is a dedicated facility.

• A receptionist/checkpoint is present in the building lobby.

• Locked doors are alarmed.

• Facility access (including to the server room and utility areas) is controlled by key card and biometric systems.

• All badge-reader access is recorded 24 hours per day. Access control system logs are audited by security and facilities managers and retained for at least one year.

• Space below the floors and above the ceilings of restricted areas is blocked.

• An uninterruptible power supply (UPS) is in place, supported by redundant power grids and generators.

• A standard cooling system is in place.

• A standard fire suppression system is in place.

• Video surveillance systems are installed throughout the facility, with real-time monitoring.

• Access procedures require that visitors be admitted only by Microsoft management, be documented in Microsoft ticketing systems, and read and sign the data center rules and procedures before access.

Note Specific seismic protection is not currently a part of the hosting environment.

Network and System Security

A basic form of security for Internet transmissions is the blocking or filtering of data from unknown or suspect sources. This is accomplished by restricting the number of open communications ports on a server, limiting inbound transmissions to those protocols supported by the few open ports.

In the Groove Enterprise Services configuration, Groove management servers are located in a perimeter network (sometimes called a perimeter security zone), behind a firewall that allows inbound traffic only on ports 80/TCP, 443/TCP, and 2492/TCP. This limits inbound transmissions to HTTP traffic, allowing Groove client-to-Groove Manager and other HTTP communications while blocking transmissions that use non-HTTP protocols.

Groove clients communicate with Groove relay servers, also located in a perimeter network, over ports 2492/TCP, 443/TCP, and 80/TCP. Port 2492/TCP supports Groove's preferred and most efficient protocol, its native Simple Symmetric Transport Protocol (SSTP). If port 2492 is unavailable, port 443 or port 80 may be used, in that order of preference.
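The port policy just described is easy to state and easy to let drift. The following script is an added example (not part of the white paper or of Groove) that audits a listening-service inventory against that policy, diffs it against an external scan result, and models the client's relay port fallback order. The inventory, host names, role labels and scan result are constructed for the example.

```python
"""Audit of listening services against the perimeter policy described
above (inbound only on 80/TCP, 443/TCP and 2492/TCP) plus the Groove
client's relay port fallback order (2492, then 443, then 80).
Added example, not part of the white paper; the inventory is constructed."""
from dataclasses import dataclass

ALLOWED_INBOUND_TCP = {80, 443, 2492}    # from the white paper's firewall description
RELAY_PORT_PREFERENCE = (2492, 443, 80)  # client preference order, also from the paper

@dataclass(frozen=True)
class Listener:
    host: str
    proto: str   # "tcp" or "udp"
    port: int
    role: str    # what the listener is for (constructed label)

# Constructed inventory, as a netstat parser or scan import might produce it.
INVENTORY = [
    Listener("relay01",   "tcp", 2492, "relay-sstp"),
    Listener("relay01",   "tcp", 443,  "relay-https"),
    Listener("relay01",   "tcp", 80,   "relay-http"),
    Listener("manager01", "tcp", 443,  "manager-https"),
    Listener("manager01", "tcp", 80,   "manager-http"),
    Listener("manager01", "tcp", 1433, "sql"),          # internal only; must stay behind the firewall
    Listener("manager01", "tcp", 3389, "remote-admin"), # terminal services for staff, never Internet-facing
    Listener("relay01",   "udp", 161,  "snmp"),         # UDP, so outside the TCP-only allow list
]

def must_be_blocked(inventory):
    """Listeners the perimeter firewall has to block. If an external scan
    ever shows one of these ports open, the firewall policy has drifted."""
    return [(l.host, l.proto, l.port, l.role) for l in inventory
            if l.proto != "tcp" or l.port not in ALLOWED_INBOUND_TCP]

def expected_exposure(inventory):
    """Per host, the ports that should be reachable from the Internet once the
    policy is enforced: listening TCP ports that the policy allows."""
    exposure = {}
    for l in inventory:
        if l.proto == "tcp" and l.port in ALLOWED_INBOUND_TCP:
            exposure.setdefault(l.host, set()).add(l.port)
    return exposure

def compare_scan(inventory, observed_open):
    """Diff an external scan result {host: {port, ...}} against the expected
    exposure. Returns (unexpected, missing): ports open that should not be,
    and allowed ports that were not reachable (clients would fall back)."""
    expected = expected_exposure(inventory)
    unexpected, missing = {}, {}
    for host in set(expected) | set(observed_open):
        exp, obs = expected.get(host, set()), observed_open.get(host, set())
        if obs - exp:
            unexpected[host] = obs - exp
        if exp - obs:
            missing[host] = exp - obs
    return unexpected, missing

def choose_relay_port(reachable_ports):
    """Port a Groove client would settle on for a relay, given which of the
    three candidate ports tested reachable; None if all are blocked."""
    for port in RELAY_PORT_PREFERENCE:
        if port in reachable_ports:
            return port
    return None

if __name__ == "__main__":
    for finding in must_be_blocked(INVENTORY):
        print("firewall must block:", finding)
    scan = {"relay01": {443, 80}, "manager01": {443, 80, 1433}}   # constructed scan result
    print("unexpected/missing:", compare_scan(INVENTORY, scan))
    print("client would use port", choose_relay_port(scan["relay01"]))
```

Run against a real inventory, `must_be_blocked` is the list to reconcile with the firewall rule set, and `compare_scan` is the check to repeat after every change-control event: an entry in `unexpected` is an exposure, while an entry in `missing` explains why clients are silently falling back to 443 or 80.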

Some of the network and system security processes in place include the following:

• Terminal services provide for remote access by authorized personnel, managed via a dedicated user and resource domain. Operating system images are hardened by disabling unnecessary services and applying software and security patches.

• All operating systems within the environment are controlled by a central platform software team, which pro-actively monitors for updates to the operating system and platform-level software, as well as to network and storage devices. Firewalls are in place to protect Internet access points and computer workstations. Additional firewalls or routers are also in place to segment areas of the network that require more protection.

• Anti-virus protection is in place for computer workstations and servers. Virus definition files are automatically propagated from a central service via direct feed from an anti-virus software provider.

• Intrusion detection is provided in the form of network probes, host-based probes, event correlation, and emergency response monitoring and alerts, provided by a dedicated Operations team 24 hours per day, 365 days a year. In addition, system configuration and vulnerability scans are performed daily. Designated internal staff members are responsible for correcting identified vulnerabilities.

• System audit logging runs regularly. Designated staff members perform the audits and review the logs daily.

Operational Security

The staff is supplied with documented procedures for managing changes to the hosting server environment, including access control changes, system upgrades and configuration changes, network and bandwidth changes, and emergency repairs.

Identified security patches are deployed via formal Operational Change Control procedures. Patches may be deployed manually or via automated mechanisms.

Groove hosting systems are backed up, according to the following stipulations:

• Backed-up data is encrypted and password protected.

• Backup disks are stored off-site in a secure location, transported to the facility via white glove service provided by an off-site vendor.

• Backup disks are wiped or replaced at regular intervals.

• Data restorations are checked regularly.

In addition, the following processes are in place to protect data integrity:

• Asset management tools and processes facilitate tracking of hard drives, documentation, and backups.

• Disaster recovery and contingency plans are in place.

Application Security

Groove system applications provide the following security measures:

• Authentication via user identities and passwords.

Note Tokens and biometrics are available for users of Office Groove 2007, but not for administrators of Groove Enterprise Services.

• Data confidentiality measures, including strong symmetric key encryption during data transmission and encryption of data stored on the hard drive.

• Data and administrative access controls.

• Role-based authorization levels.

• Account lockout provisions.

• Audit logging capability.

The following sections provide more detail about Groove server and client security provisions. Groove product Help and administrator guides provide additional information.

Groove Server Security Provisions

Two applications drive the Groove Servers that host Groove Enterprise Services: Groove Server Manager and Groove Server Relay. Each of these is designed to help ensure the security and integrity of information resources within an enterprise, as described below.

Groove Server Manager Security

Groove Server Manager (the Groove management server application) employs a combination of encryption and certification to provide a foundation for securing data exchange within its network of server and client devices. Encryption and certification are implemented as follows:

• Critical server information (such as encryption keys, signature keys, and passwords) stored in the SQL database is encrypted.

• The Groove implementation of Public Key Infrastructure (PKI) provides certificates (signed contact information) that enable automatic user authentication within and across management domains.

In addition, Groove Server Manager is configured in accordance with the following best practices:

• Groove management servers are located in a perimeter network.

• Secure Sockets Layer (SSL) technology is enabled on each IIS server to help protect the Groove Manager administrative Web site. SSL provides a mechanism to verify the identity of the servers and to encrypt the messages between them. To accomplish this, it uses a public key infrastructure (PKI) system based on digital certificates.

• Windows Live ID (formerly Passport) authentication is employed for Groove Manager login.

• Role-based Administrative Control is enabled, restricting access to Groove Manager server-level and domain controls to designated administrators.

• The latest Critical Update Package and Security Rollups are installed on the servers.

• Groove servers are installed on equipment with redundant hardware systems and hard drives, to protect the operating system and data from damage or loss as a result of hardware component failure.

• Anti-virus software is installed on Groove management server machines.

To take advantage of security and protections built into the server hosting environment, follow the recommendations in ‘Administrative Measures’ at the end of this article.

Groove Server Relay Security

Groove Server Relay (the Groove relay application) enables continual communications among Groove clients, even when clients are offline or network failures interrupt connections. Groove relay servers use public key cryptography for initial authentication of devices and users via their primary protocol (SSTP), and for authentication of transactions received from Groove Manager via SOAP.

Other security features are built into Groove relay servers, including:

• Device authentication when dequeuing device-targeted data (including Groove workspace and contact information) from the relay server.

• User account authentication when dequeuing identity-targeted data (including Groove instant messages and invitations) from the relay server.

• Server authentication when dequeuing both device-targeted and identity-targeted data.

Groove stores the public key certificate of each relay server to which it is provisioned. Groove clients are provisioned with relay servers via a Microsoft provisioning server. Groove uses the public key of the designated primary (or Home) relay to initiate secure registration of the new account’s identity and device(s). Henceforth, communication between the managed account and its primary relay server is authenticated and secured.

When a Groove user account registers with a relay server, the account establishes a shared secret key with the relay server that provides a mutually authenticated link for all relay-to-client communication. The secret key is shared solely with that user account over the life of the account and prevents unauthorized dequeuing from the relay.

Groove Relay can access only the message header information that is needed to locate and properly route enqueued data to authenticated dequeuing devices (or to the target device's relay server in the case of single-hop fanout). Groove data is strongly encrypted end-to-end, and Groove Relay is not party to the encryption keys used to secure it. Data that is temporarily stored on the relay server therefore cannot be read there.
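The three properties just described (a per-account shared secret that gates dequeuing, routing on header data only, and a payload the relay cannot read) are worth seeing together. The following model is an added example written for this article; it is a simplification for illustration and not Groove's SSTP wire protocol. The registration step, in which the relay simply generates the shared secret, is an assumption standing in for Groove's public-key-secured registration, and the ciphertext bytes are constructed.

```python
"""Model of the relay dequeue protections described above: each account
establishes a shared secret with the relay, proves knowledge of it (an HMAC
over a fresh nonce) before queued data is released, and the relay routes on
header fields only, never holding the keys that protect the payload.
Added example; a simplification for illustration, not Groove's SSTP protocol."""
import hashlib
import hmac
import secrets

# Constructed stand-in for end-to-end encrypted Groove data; the relay only stores it.
CIPHERTEXT = bytes.fromhex("8f12a9c4e07b55d3")

class RelayServer:
    def __init__(self):
        self._account_secrets = {}  # account id -> shared secret (bytes)
        self._queues = {}           # target account id -> [(header, payload), ...]
        self._seen_nonces = set()   # replayed dequeue requests are refused

    def register_account(self, account_id):
        """Establish the per-account shared secret. In Groove this happens over a
        channel secured with the relay's public key; here the relay simply
        generates it (assumption for the example)."""
        key = secrets.token_bytes(32)
        self._account_secrets[account_id] = key
        return key

    def enqueue(self, header, payload):
        """Store a message. `header` holds the routing fields the relay may read
        ('from', 'to', 'kind'); `payload` is opaque to the relay."""
        target = header["to"]
        if target not in self._account_secrets:
            raise KeyError("unknown target account")
        self._queues.setdefault(target, []).append((dict(header), payload))

    def pending_routes(self):
        """What the relay itself can see: routing metadata, not content."""
        return [(h["from"], h["to"]) for q in self._queues.values() for h, _ in q]

    def dequeue(self, account_id, nonce, tag):
        """Release queued data only to a requester holding the account's secret."""
        key = self._account_secrets.get(account_id)
        if key is None or nonce in self._seen_nonces:
            return None
        expected = hmac.new(key, account_id.encode() + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                 # wrong secret: nothing leaves the queue
        self._seen_nonces.add(nonce)
        return self._queues.pop(account_id, [])

class GrooveClient:
    def __init__(self, account_id, relay):
        self.account_id = account_id
        self.relay = relay
        self.secret = relay.register_account(account_id)

    def dequeue_tag(self, nonce):
        return hmac.new(self.secret, self.account_id.encode() + nonce, hashlib.sha256).digest()

    def fetch(self):
        nonce = secrets.token_bytes(16)
        return self.relay.dequeue(self.account_id, nonce, self.dequeue_tag(nonce))

def demo():
    """Returns (routes visible to the relay, result of a request made without
    the secret, messages delivered to the rightful account)."""
    relay = RelayServer()
    alice = GrooveClient("alice@example.com", relay)
    bob = GrooveClient("bob@example.com", relay)
    relay.enqueue({"from": alice.account_id, "to": bob.account_id, "kind": "invitation"}, CIPHERTEXT)
    routes = relay.pending_routes()
    # A requester that knows Bob's account name but not the shared secret.
    nonce = secrets.token_bytes(16)
    wrong_tag = hmac.new(b"not-the-secret", bob.account_id.encode() + nonce, hashlib.sha256).digest()
    without_secret = relay.dequeue(bob.account_id, nonce, wrong_tag)
    delivered = bob.fetch()
    return routes, without_secret, delivered

if __name__ == "__main__":
    print(demo())
```

Two design points carry the security argument: the relay compares tags with `hmac.compare_digest` and records nonces so a captured dequeue request cannot be replayed, and `pending_routes` is the whole of what a relay operator (or anyone with access to the relay's storage) can learn, which is exactly the "header information needed to route" the text describes.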

In addition, Groove Server Relay is configured in accordance with the following best practices:

• Groove relay servers are located in a perimeter network.

• The latest Critical Update Package and Security Rollups are installed on the servers.

• Groove servers are installed on equipment with redundant hardware systems and hard drives, to protect the operating system and data from damage or loss as a result of hardware component failure.

• Anti-virus software is installed on Groove Server Relay machines. Real-time scanning of portions of the relay server's data drive may be disabled.

• To take advantage of security and protections built into the server hosting environment, follow the recommendations in Administrative Measures.

Groove's Built-in Security

Securing Internet communications is based on achieving four main objectives: authentication of users and devices, confidentiality of communications, data integrity, and authorization. How you meet these objectives depends mostly on the software you are using.

Groove client software addresses fundamental security issues via the following built-in mechanisms:

• Data encryption helps assure confidentiality of all information exchanges, whether on a LAN or across the Internet.

• Groove accounts can be protected by login credentials (passwords or Smart Cards).

• Built-in authentication systems allow users to verify the identity of Groove users.

• Role-based access control, defined by Groove workspace managers, determines how workspace members access and interact with content.

• Progressive slow-down of the password window display after repeated incorrect password attempts protects against external parties using password discovery scripts to access Groove.

• Users with Office-compatible antivirus software on their Groove devices can enable automatic virus filtering of files in their Groove account preferences.

• Workspace version restrictions allow users to create workspaces supported only in the current or a later version of Groove, and to accept invitations only to workspaces that were created in the current or a later version of Groove. Administrators can enable this restriction by setting a Groove Manager domain policy accordingly.

• File type restrictions limit the types of allowed files to those specified in Microsoft Office as “safe for sharing.” Administrators can enable this restriction by setting a Groove Manager domain policy.

• Groove users can select options for restricting the delivery of Groove messages from other Groove users. For example, Groove can be configured to accept messages from only “known Groove contacts”, that is, contacts who are either in a user’s contact list, verified by the user or administrator, or who are members of at least one of the user’s workspaces.
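The progressive slow-down after repeated incorrect password attempts listed above, together with the account lockout provision mentioned under Application Security, is a throttle rather than a hard lock. The following is an added example (not Groove's code) of such a throttle with a doubling delay schedule; the base delay, cap and number of free attempts are assumptions, and the clock is injectable so the schedule can be tested without sleeping.

```python
"""Login throttle modelling the progressive slow-down described above:
after each failed password attempt the wait before the next attempt is
honoured doubles, which makes scripted password guessing impractical
without permanently locking the legitimate user out. Added example;
the delay schedule is an assumption, not Groove's actual timings."""
import time

BASE_DELAY = 1.0      # seconds after throttling starts (assumption)
MAX_DELAY = 300.0     # cap on the wait, so a user is never locked out for good (assumption)
FREE_ATTEMPTS = 2     # failures tolerated before the slow-down begins (assumption)

class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}     # account -> consecutive failures
        self._not_before = {}   # account -> earliest time the next attempt is honoured

    def required_delay(self, failures):
        """Wait imposed after the given number of consecutive failures."""
        if failures < FREE_ATTEMPTS:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY)

    def attempt(self, account, password_ok):
        """Returns (outcome, wait). Outcomes: 'ok', 'rejected' (bad password,
        wait seconds before the next attempt is honoured) or 'too_early'
        (attempt arrived during the wait; the password is not even evaluated,
        so hammering the window reveals nothing about the guess)."""
        now = self._clock()
        remaining = self._not_before.get(account, 0.0) - now
        if remaining > 0:
            return ("too_early", remaining)
        if password_ok:
            self._failures.pop(account, None)
            self._not_before.pop(account, None)
            return ("ok", 0.0)
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        delay = self.required_delay(count)
        self._not_before[account] = now + delay
        return ("rejected", delay)

if __name__ == "__main__":
    throttle = LoginThrottle()
    for guess_ok in (False, False, False, True):
        print(throttle.attempt("demo-account", guess_ok))
```

Note the ordering inside `attempt`: the time check happens before the password is looked at, so during a wait the response is the same whether the supplied password was right or wrong. That is the property that turns a slow-down into an effective defence against guessing scripts.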

Administrative Measures

Security is an especially important consideration when distributing Groove user account configuration codes that enable the deployment of managed identities among your PC users. Employ your company’s strictest security standards for distributing user identity data, whether by e-mail or another distribution method.

In addition, you can configure policies in Groove Server Manager to further secure your Groove environment. These include the following:

• Device password policies help ensure that Groove login practices (passwords or smart cards) meet requirements in place at an organization.