Everyone can agree that SharePoint is a great platform to facilitate collaboration amongst team members. One of the main benefits of collaborating using SharePoint is working on documents together with your team. The workflow for collaborating on documents is something like this:
- Create the document and edit initial draft.
- Upload to SharePoint document library.
- Send email to colleagues on document location.
- Reviewers provide feedback and update the document as needed.
All this is great, but in the world that we live in, security is an important issue to consider, even amongst your teammates. Of course we all trust the people we work with, but sometimes there are just bad apples out there.
In the steps mentioned above, step 2 is where trouble can come in. Once a bad file is uploaded onto SharePoint, unknowing colleagues that download the document will catch the cold and spread the disease. This becomes an even bigger problem if SharePoint is configured for extranet access where people outside of the network without the same security restrictions can upload files.
So ignoring my dramatic example, what facilities does SharePoint provide to help prevent such security breaches? The good news is that SharePoint has two built-in features that will help with this:
- Blocked file types
- Antivirus
These are two broad features, so I will split the discussion into two posts: this post will discuss Blocked file types, while my next post will describe the Antivirus support.
Both of these are configured through the Operations tab in Central Administration.

If you click the Blocked file types link, this will bring you to the configuration page where you can edit the list of file types not allowed on your SharePoint server.

So what does Blocked file types do? Blocked file types is a simple method of allowing only certain file types to be uploaded onto SharePoint. While this doesn't completely prevent files with viruses from being uploaded, it makes it less likely that a user will unknowingly click on such files and infect his own machine. For example, EXE files are by default part of the blocked file list and cannot be uploaded directly. SharePoint responds to EXE uploads with the following message:

If an EXE file named "2006 Budget.exe" was uploaded onto SharePoint, the company financial officer may not notice the EXE and accidentally click on the file, thus executing the rogue application and causing havoc on his machine.
However, a malicious user could simply rename the file "2006 Budget.exe.xls", which would bypass SharePoint's file extension check and allow the file to be uploaded. Although the uploaded file is actually an EXE, the file extension is what determines how a file is executed. So instead of running the EXE directly, Excel will attempt to open the file and thankfully fail, since it is not a recognized format.
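The rename trick works because the Blocked file types check looks only at the final extension, not at what the bytes actually are. The following is an added example (not SharePoint's code and not from the original post) of how a defender-side upload filter can pair the extension check with a header sniff, so "2006 Budget.exe.xls" carrying a Windows executable is still rejected. The blocked list, the signature table and the sample files are constructed for illustration.

```python
import os

# Constructed subset of a blocked-extension list; SharePoint's default list is longer.
BLOCKED_EXTENSIONS = {"exe", "bat", "cmd", "com", "dll", "msi", "vbs"}

# Leading bytes that identify the real container format, regardless of the name.
MAGIC_SIGNATURES = {
    b"MZ": "pe-executable",                               # Windows EXE/DLL ("MZ" DOS header)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-compound",  # legacy binary .xls/.doc
    b"PK\x03\x04": "zip",                                 # Office Open XML (.xlsx/.docx) is a ZIP
}

# Container format each trusted Office extension is expected to carry (assumption).
EXPECTED_FORMAT = {"xls": "ole2-compound", "doc": "ole2-compound",
                   "xlsx": "zip", "docx": "zip"}

# Constructed sample payloads: a PE-style header and a legacy Excel (OLE2) header.
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60
OLE_SAMPLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56


def final_extension(filename: str) -> str:
    """The only thing the extension check sees: the last extension, lower-cased."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def sniff_format(data: bytes) -> str:
    """Classify the upload by its leading bytes instead of its name."""
    for magic, fmt in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return "unknown"


def assess_upload(filename: str, data: bytes) -> str:
    """Extension check first (what Blocked file types does), then a content check."""
    ext = final_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "blocked: extension"
    fmt = sniff_format(data)
    if fmt == "pe-executable":
        return "blocked: executable content"   # catches the .exe.xls rename
    if ext in EXPECTED_FORMAT and fmt != EXPECTED_FORMAT[ext]:
        return "blocked: content does not match extension"
    return "allowed"
```

Note that `final_extension("2006 Budget.exe.xls")` returns `xls`, so the extension check alone passes; only the header sniff rejects it.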

Still, having an EXE on your server is not something IT will like. Who knows, the next day someone may find an exploit within SharePoint that lets any process run. When that day comes, you don't want to be around!
So as you can see, Blocked file types is a simple way to mitigate some of the risk of uploading rogue files. As I mentioned, even though the risk is somewhat reduced, rogue files can still be uploaded onto the server. If some other server-side security hole is found, the rogue file on the server can potentially cause problems on the server, leading to even more security problems and potentially loss of data. That is where the other security feature of SharePoint comes into play, which I will elaborate on in the second part of this post.