Today I read an article on the CIO Sweden website (http://cio.idg.se/2.1782/1.210276/trend-micro-varnar-for-sakerhetsrisker-med-sharepoint) about Trend Micro warning of security risks with SharePoint. I agree with Kudret Karan at Trend Micro that SharePoint is sometimes forgotten when it comes to securing the company network and its information. If you have read my blog before you know that I have talked about the importance of proper governance, and I would say that much of this actually comes back to that as well.
It should, however, be clear that this is not about security holes in SharePoint but rather a question of architecture and configuration pitfalls: if you plan your deployment well, you can secure your environment quite easily. Here are five things to consider when securing SharePoint.
Antivirus
Even if you have antivirus software on your clients and servers, you should seriously consider installing a SharePoint-aware antivirus product on your SharePoint servers. An ordinary file-system scanner never sees the documents, because SharePoint stores them as blobs in the SQL content databases rather than as files on disk; a SharePoint-aware product plugs into the SharePoint antivirus API instead and scans each file on upload and download. Every well-known antivirus vendor has a version for SharePoint today. I have used Microsoft Forefront a couple of times and it works perfectly. What is also good about this one is that if you have Enterprise CALs you probably have it already through Software Assurance or a similar agreement.
Allowed file types
From Central Administration you can configure which file types may be uploaded. The setting is a block list of file extensions, maintained per web application; by default extensions such as .exe and .bat are blocked, but you should review the list so that it matches your policies. Keep in mind that the check is by extension only: it does not inspect file content, it is trivially bypassed by renaming a file, and it does not apply retroactively to files that were uploaded before you changed the list.
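The following is an added example, not code from the original post or from Microsoft, of how the per-web-application block list can be checked and enforced from a script instead of by clicking through Central Administration for every web application. SharePoint 2007 (WSS 3.0 / MOSS) has no PowerShell cmdlets, so it loads the server object model (Microsoft.SharePoint.dll) directly and must run on a farm server under a farm administrator account. The extension list is an assumed policy for the example, not a recommendation from the post.

```powershell
# Added example (not from the original post): enforce a blocked-file-type policy on every
# web application in a WSS 3.0 / MOSS 2007 farm through the server object model.
# Run on a farm server as a farm administrator, PowerShell 2.0 or later.
param([switch]$Apply)   # without -Apply the script only reports what it would change

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Extensions that must be blocked under the assumed policy (assumption for this example).
# SharePoint stores extensions without the leading dot and matches on the final extension
# only, case-insensitively, without looking at file content, so this is a hygiene control
# against accidental uploads rather than a defence against a determined user.
$policy = "exe","bat","cmd","com","scr","pif","vbs","vbe","js","jse","wsf","hta","msi","reg","lnk"

function Get-MissingBlockedExtensions($webApp, [string[]]$required) {
    # Compare the web application's current block list with the required list.
    $current = @($webApp.BlockedFileExtensions | ForEach-Object { $_.ToLower() })
    return @($required | ForEach-Object { $_.ToLower() } | Where-Object { $current -notcontains $_ })
}

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
foreach ($webApp in $contentService.WebApplications) {
    $missing = Get-MissingBlockedExtensions $webApp $policy
    if ($missing.Count -eq 0) {
        Write-Host "$($webApp.DisplayName): compliant"
        continue
    }
    Write-Host "$($webApp.DisplayName): not blocked -> $($missing -join ', ')"
    if ($Apply) {
        foreach ($ext in $missing) { $webApp.BlockedFileExtensions.Add($ext) }
        # Update() persists the change to the configuration database; it does not touch
        # files that are already stored in the content databases.
        $webApp.Update()
        Write-Host "$($webApp.DisplayName): updated"
    }
}
```

Run it without `-Apply` first to see the drift between web applications; Central Administration only shows one web application at a time, which is exactly how the lists end up differing.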
Secure external access
If your SharePoint environment is available to your end users via an extranet, you should really make sure that it is properly secured. Your most classified information should not be stored in an environment that is accessible from the internet at all. If you have information that you do want accessible from the internet, look into zones and the proper setup of your web applications: extend the web application into a separate zone for external users, with its own URL, its own authentication provider and SSL, rather than exposing the internal (Default) zone directly. That way the external entry point can be given stricter settings, such as no anonymous access, without changing how internal users reach the same content.
Security Review
One thing that is missing out of the box in both WSS and MOSS is a good way to do a security review. Your governance plan should include at least an annual security review. There are a couple of tools available, and it can be fairly easy to build something that works for a smaller setup. In a coming post I will talk about Sushi, a CodePlex project that could get you started.
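As an added example of the kind of review script that is "fairly easy to build" for a smaller setup, the script below walks a WSS 3.0 / MOSS 2007 farm through the server object model and reports the settings discussed above: zones that allow anonymous access or run over plain HTTP (the external access point), missing blocked file types, whether IRM is wired up at all, and permission drift inside site collections. It is not code from the original post, from Sushi or from Microsoft. It must run on a farm server as a farm administrator, and the policy values (the extension list and the administrator limit) are assumptions for the example.

```powershell
# Added example (not from the original post): a read-only annual security review for a
# WSS 3.0 / MOSS 2007 farm. Run on a farm server as a farm administrator, PowerShell 2.0+.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Policy assumptions for this example, not recommendations from the post.
$requiredBlocked = "exe","bat","cmd","com","scr","pif","vbs","js","hta","msi","reg"
$maxSiteAdmins   = 3

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$scope, [string]$check, [string]$detail) {
    [void]$findings.Add((New-Object PSObject -Property @{ Scope = $scope; Check = $check; Detail = $detail }))
}

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
foreach ($webApp in $contentService.WebApplications) {
    $name = $webApp.DisplayName

    # 1. Zones: each zone the web application has been extended into has its own IIS
    #    settings. Anonymous access or plain HTTP on any zone is a finding to justify.
    foreach ($entry in $webApp.IisSettings.GetEnumerator()) {
        $zone = $entry.Key
        $iis  = $entry.Value
        $url  = $webApp.GetResponseUri($zone)
        if ($iis.AllowAnonymous) {
            Add-Finding $name "Anonymous access enabled" "Zone $zone ($url)"
        }
        if ($url -ne $null -and $url.Scheme -ne "https") {
            Add-Finding $name "Zone not using SSL" "Zone $zone ($url), auth mode $($iis.AuthenticationMode)"
        }
    }

    # 2. Blocked file types: compare the per-web-application list with the policy list.
    $blocked = @($webApp.BlockedFileExtensions | ForEach-Object { $_.ToLower() })
    $missing = @($requiredBlocked | Where-Object { $blocked -notcontains $_ })
    if ($missing.Count -gt 0) {
        Add-Finding $name "Extensions not blocked" ($missing -join ", ")
    }

    # 3. IRM: libraries can only apply IRM policies if RMS is configured for the web application.
    if (-not $webApp.IrmSettings.IrmRMSEnabled) {
        Add-Finding $name "IRM not enabled" "No RMS server configured for this web application"
    }

    # 4. Site collections: the administrator list and broken permission inheritance are the
    #    two things that drift most between reviews. Walking AllWebs is slow on large farms.
    foreach ($site in $webApp.Sites) {
        try {
            $admins = @($site.RootWeb.SiteAdministrators | ForEach-Object { $_.LoginName })
            if ($admins.Count -gt $maxSiteAdmins) {
                Add-Finding $site.Url "Too many site collection administrators" ($admins -join ", ")
            }
            foreach ($web in $site.AllWebs) {
                try {
                    if ($web.HasUniqueRoleAssignments -and -not $web.IsRootWeb) {
                        Add-Finding $web.Url "Sub-site with unique permissions" "Inheritance broken; review role assignments"
                    }
                    foreach ($list in $web.Lists) {
                        if ($list.BaseType -eq "DocumentLibrary" -and $list.HasUniqueRoleAssignments) {
                            Add-Finding "$($web.Url)/$($list.Title)" "Library with unique permissions" "IRM enabled: $($list.IrmEnabled)"
                        }
                    }
                } finally {
                    $web.Dispose()   # SPWeb objects hold unmanaged resources; always dispose
                }
            }
        } finally {
            $site.Dispose()
        }
    }
}

$findings | Sort-Object Scope, Check | Format-Table Scope, Check, Detail -AutoSize
$findings | Export-Csv -Path "SharePointSecurityReview.csv" -NoTypeInformation
```

Keep the CSV from each run; the useful part of an annual review is the diff against last year's findings, not the absolute list.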
IRM (Information Rights Management)
Finally I would like to mention IRM. It does not protect you from viruses or other threats, but it helps you protect the content itself, and even if your environment is only accessible from the inside, you may want to protect some highly confidential information with IRM. When IRM is enabled on a library, SharePoint applies the RMS protection as the document is downloaded (the copy in the content database stays unprotected so that it can be indexed and versioned, and protection is removed again on upload). RMS uses 1024-bit RSA keys to protect the content key, while the document body itself is encrypted with a symmetric cipher, and you decide what the reader may do with the document, e.g. save it, print it or forward it. Note that IRM only governs what a compliant Office client lets the reader do with an opened document; it is a control against accidental leakage, not a substitute for correct permissions on the library.