Microsoft

Posts Tagged ‘security’

SharePoint Online eDiscovery Center For All Your Legal Needs


Ever have requests to furnish old emails, messages, or documents to your HR or legal teams? In this digital era, we experience an overflow of electronic information in the form of email, documents, IM conversations, etc. It can be chaotic when you are expected to look for content from several years in the past. Have you ever wondered what it would be like if you had a tool to help you collect, classify, and analyze electronically stored information (ESI)? Even better, a tool that then allows you to preview and preserve that content for as long as your corporate policies allow?

The most-affected workgroups are Legal, IT, and the governance, risk, and compliance folks, who must manage all of the data that legal and compliance groups are desperately trying to search. Now with Office 365, you can do just that and more. Office 365 equips you with an eDiscovery center to manage preservation, search, and export of content stored in Exchange and SharePoint, across SharePoint farms and Exchange servers.


Your SharePoint Online tenant comes with a pre-created eDiscovery center. What it needs from you is to configure discovery sets and set up your search queries in order to export the results. With SharePoint Online you can run an eDiscovery case on SharePoint, Exchange, Lync, and on-premises file shares at the same time, from one management console. This lets you search, preserve, and export all relevant content from all these repositories. For every discovery case, you create a new case site where it is possible to conduct searches, place content on hold, and export content. There are new capabilities in eDiscovery you need to be aware of:

  • eDiscovery Sets: Combinations of sources, filters, and whether to preserve content. eDiscovery Sets are used to identify and preserve content.
  • In-Place Hold: Now you can preserve sites and mailboxes using search filters. Preservation works behind the scenes: people can work on their documents and delete email without even knowing it is turned on, but for eDiscovery, you have the data you need in an immutable store.


  • Query: A search experience that is eDiscovery focused. This reduces the output data and helps you find the content you are looking for.
  • Export: Download all of the data directly to a local machine with an offline copy of native documents, email PSTs, archived MHT web pages, and CSV files for SharePoint lists.


After searching for relevant content in an eDiscovery set, you may want to put content on hold. This ensures the original content is always there when your legal department asks for it. The eDiscovery center allows you to put SharePoint sites and Exchange mailboxes on hold without disrupting the business. Putting a SharePoint site on hold creates a hidden document library. This enables the user to still modify any content item subject to the legal hold while keeping the original copy of the item in that hidden library. Exchange mailboxes apply the same principle by creating a hidden folder to which items are actually moved when a user deletes an item.

This post guided you through the benefits of eDiscovery and the process to set it up, empowering your legal department to query and export content to help with any litigation or compliance needs. In the next few posts, I’ll dive into some other advanced security features in Office 365.

How Secure is Your Cloud? – Introduction to Office 365 Security

Who owns the data we store in your service? Will you use our data to build advertising products? Do you offer privacy controls in your service? Do we have visibility to know where our data is stored? Can we get our data out of your service if we decide to leave?

These questions are top of mind for any organization that is considering Office 365. Luckily for you, Microsoft publishes the Office 365 Trust Center to answer those and many more questions about security on the Office 365 service.

Microsoft has 4 core tenets for its approach to earning and maintaining your trust:

1. Built-in Security

  • Service-level security through defense-in-depth
  • Customer controls within the service
  • Security hardening and operational best practices

At the service level, Office 365 uses the defense-in-depth approach to provide physical, logical, and data layers of security features and operational best practices. In addition, Office 365 gives you enterprise-grade user and admin controls to further secure your environment.

Physical Security

  • 24-hour monitoring of data centers
  • Multi-factor authentication, including biometric scanning, for data center access
  • Internal data center network is segregated from the external network
  • Role separation renders the location of specific customer data unintelligible to the personnel that have physical access
  • Faulty drives and hardware are demagnetized and destroyed

Logical Security

  • Lock box processes for a strictly supervised escalation process greatly limit human access to your data
  • Servers run only processes on a whitelist

Read the rest of this post »

SharePoint Online (O365) adds security and compliance services

In the past month, Microsoft has added two key new service capabilities to SharePoint Online and Rights Management that provide a more robust secure computing experience.  The first is the introduction of data loss prevention and the second is the improvements in protecting content across all platforms including OS X Support.

Data Loss Prevention

SharePoint Online now provides the ability to perform a legal audit to determine the amount of risk posed by data stored on SharePoint sites and OneDrive, commonly known as data loss prevention or DLP. This capability can identify 51 built-in sensitive information types such as credit cards, passport numbers, and Social Security numbers. Once such content is discovered, you can perform an audit and export a report of the suspect content.

There are future capabilities planned for policy creation that automatically detects sensitive content and applies protection, such as deletion or quarantine for review.

For more information about using DLP in SharePoint Online, review this TechNet article.
For more information about the 51 DLP information types, review this TechNet article.

Read the rest of this post »

Top Five Reasons to Upgrade from Windows XP

#5 – Familiarity

One of the reasons organizations have tended to stay with XP for so long is that their employees are familiar with it. Like an old friend, it’s comfortable and easy to deal with. However, churn among your IT administrators and other employees has changed the dynamic. Most people are now more familiar with newer operating systems. When new associates sit down in front of XP, it is likely to be dramatically different from (and disappointing compared to) the more up-to-date operating systems they use at home and at their previous job.

#4 – Speed and Productivity

Windows XP typically takes at least 30 seconds to boot and often much longer. Windows 8.1 can boot in about 10 seconds. That 20 seconds can easily turn into 5 minutes or more of lost productivity every day when you walk away to do something else while XP boots.

#3 – Web Browsers and New Applications

More applications, business and personal, will be developed to be used via a web browser. It takes extra time to develop new applications which are compatible with old browser versions. Over the short term, many new applications just won’t work with XP.

#2 – Office 2013 and Office 365

Office 2013 and Office 365 ProPlus are not supported on Windows XP. Office 365 only supports software and operating systems which are still in mainstream support. The cloud and other popular software packages are leaving you behind!


(Drumroll please…)

#1 – Security

The XP operating system came to market in 2001. Time Warner and AOL merged that year. Although XP lasted longer than that disaster, the security implications of sticking with XP any longer could likely create a security disaster in your desktop environment. Hackers now know every way to compromise your OS. Do you think they are not already taking advantage of this potential bonanza?

Conclusion

Don’t put it off any longer. Perficient has the experience and talented staff to help you ease this transition.

Integrating ASP.NET MVC authentication with SiteMinder SSO

SiteMinder is an enterprise-class secure single sign-on solution by CA (Computer Associates) which is employed by many large companies to secure their intranet access and provide single sign-on functionality to various intranet applications. SiteMinder has broad support for different application frameworks, which makes it possible to use in a heterogeneous enterprise environment.
For example, when SiteMinder is used to secure an ASP.NET/IIS application, it’s normally configured as an IIS handler, as in this web.config entry:

<add name="handler-wa-32" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\Program Files\CA\webagent\win32\bin\ISAPI6WebAgent.dll" resourceType="Unspecified" requireAccess="None" preCondition="classicMode,bitness32" />
The SiteMinder module intercepts every request to an ASP.NET application resource and authenticates and authorizes the user. If the user is authenticated and authorized successfully, SiteMinder passes the request further down the pipeline to ASP.NET.
So, how to integrate SiteMinder authentication with ASP.NET MVC authentication? SiteMinder does a great job of handling it on its own, but quite often an MVC application will need to do its own, custom authorization in order to grant or deny user access to different resources depending on user role.

Read the rest of this post »

ASP.NET MVC anti-forgery token demystified – part 3: AJAX

This blog post is the third and final in a series about the MVC anti-forgery (CSRF) token.
Part 1.
Part 2.

As we discussed earlier, MVC has great built-in functionality for securing form posts with anti-forgery tokens, and it’s even possible to make it work across multiple web applications.

However, these days modern web applications tend to have more asynchronous (AJAX) communication between browser and web server than traditional HTML form posts where the whole page is reloaded. The question is, can the built-in MVC components be used for CSRF validation when browser code is using AJAX to post to the server?

Obviously, they can’t be used directly, because @Html.AntiForgeryToken only works when it’s placed inside an HTML form and that form is submitted to the server. In the case of an AJAX post there is no form, so the AJAX controller method will not receive the form CSRF token (the cookie token, though, will flow with the AJAX post normally). However, we can make it work with a little extra coding…

Read the rest of this post »

ASP.NET MVC anti-forgery token demystified – part 2: inside

In the previous installment of this post series I talked about the CSRF attack and how to prevent it using ASP.NET MVC built-in components. Today I want to dive deeper into the framework code and show you what’s under the hood of the anti-forgery token implementation in MVC.

Some time ago Microsoft took a huge step forward and open sourced the complete ASP.NET MVC and Web API stack. Now developers can see what actually happens inside the framework and don’t have to rely solely on Microsoft documentation. The source code for the MVC stack is located at http://aspnetwebstack.codeplex.com/.

As you recall, there are two components that provide CSRF protection when used together: the AntiForgeryToken method of the Html helper (@Html.AntiForgeryToken()), which should be called from inside the HTML form in a Razor view, and ValidateAntiForgeryTokenAttribute ([ValidateAntiForgeryToken]), which should be applied to the controller to validate tokens. Both of these classes are actually thin wrappers on top of the AntiForgery class. AntiForgery is a static class that encapsulates all functionality for generating and validating tokens. Its source code can be found there. This is a public class and could be used directly if somebody decides to implement custom generation and validation of anti-forgery tokens. In turn, AntiForgery uses other helper classes like AntiForgeryWorker and TokenValidator. Unlike AntiForgery, these classes are internal and can’t be used directly by application code.

So, why is it important to look into the internal implementation of anti-forgery token generation and validation?

Read the rest of this post »

ASP.NET MVC anti-forgery token demystified – part 1: what is it?

Securing your web application is now more important than ever because security attacks are growing in number and becoming more sophisticated and frequent. One of the most common types of attack is the Cross Site Request Forgery (CSRF) attack. In this kind of attack, malicious web sites hijack a previously authenticated user session to exploit your web site.

Consider the following example: your web site is using ASP.NET Forms Authentication. The user is authenticated on the login page and the authenticated session is maintained using the standard .ASPXAUTH cookie. Without closing the browser window or logging off your site, the user visits a malicious site which can (using social engineering, like displaying some sort of false message to the user) now cross-post to your site (using a standard HTTP form post), and that post will bear a valid .ASPXAUTH cookie issued by your site. So, unless your web site employs some special measures, your server code will not be able to distinguish a valid post from your own web site from a post from the malicious site. Note that implementing HTTPS on every page of your site will not solve this issue, as the malicious site can post over HTTPS too. HTTPS only prevents the traffic between your web site and the web client from being hijacked and analyzed, but in the case of a CSRF attack the attacker doesn’t need to analyze your traffic; it just reuses the authenticated user session.

Read the rest of this post »
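The three posts above describe the cookie token/form token pair and why a forged cross-site post fails even though the .ASPXAUTH cookie rides along. The following Python model, added here and not code from the posts or from ASP.NET MVC, demonstrates that pairing on the four request shapes the series discusses (own-site form post, forged post, AJAX post with the token in a header, and a token from another session). It replaces MVC's encrypted form token with an HMAC binding, and the header name `RequestVerificationToken` and all keys and cookie values are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in ASP.NET MVC the machineKey plays this role.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"

COOKIE_NAME = "__RequestVerificationToken"  # MVC's default cookie and form field name
FORM_FIELD = "__RequestVerificationToken"
AJAX_HEADER = "RequestVerificationToken"    # assumed header name chosen by the app


def _bind(cookie_token, username):
    """Tie the cookie token to the user with an HMAC (a stand-in for the
    encrypted form token that MVC's AntiForgeryWorker produces)."""
    msg = f"{cookie_token}|{username}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_tokens(username):
    """Return (cookie_token, form_token): the first is set as a cookie, the
    second is rendered into the page, as @Html.AntiForgeryToken() does."""
    cookie_token = secrets.token_hex(16)
    return cookie_token, _bind(cookie_token, username)


def validate_request(request, username):
    """Accept the post only if the cookie token and the page-supplied token
    belong together. `request` is a dict with 'cookies', 'form' and 'headers'
    sub-dicts standing in for the ASP.NET request; the page token may arrive
    as a form field (HTML post) or as a header (AJAX post)."""
    cookie_token = request["cookies"].get(COOKIE_NAME)
    page_token = request["form"].get(FORM_FIELD) or request["headers"].get(AJAX_HEADER)
    if not cookie_token or not page_token:
        return False  # a cross-site form never saw the page token, so it cannot send one
    return hmac.compare_digest(_bind(cookie_token, username), page_token)


def demo():
    """Run the four request shapes discussed in the posts; returns their verdicts."""
    user = "alice"
    cookie_token, form_token = issue_tokens(user)
    # Cookies the browser attaches automatically to any post aimed at your site.
    cookies = {".ASPXAUTH": "constructed-auth-ticket", COOKIE_NAME: cookie_token}

    # 1. HTML form post from your own page: both halves of the pair are present.
    own_form = {"cookies": cookies, "form": {FORM_FIELD: form_token}, "headers": {}}
    # 2. Post from a malicious site: the auth cookie rides along, the form token does not.
    forged = {"cookies": cookies, "form": {"action": "update-profile"}, "headers": {}}
    # 3. AJAX post from your own page: token copied into a header instead of a field.
    ajax = {"cookies": cookies, "form": {}, "headers": {AJAX_HEADER: form_token}}
    # 4. Form token issued for another session does not pair with this cookie token.
    _, other_token = issue_tokens("bob")
    mismatched = {"cookies": cookies, "form": {FORM_FIELD: other_token}, "headers": {}}

    return (validate_request(own_form, user), validate_request(forged, user),
            validate_request(ajax, user), validate_request(mismatched, user))
```

Only the second and fourth requests are rejected: the browser cannot be prevented from sending cookies, so the check rests entirely on the page-supplied half of the pair.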

Coin — One card to rule them all?

What is Coin?  Coin is a brilliant new technology that allows users to consolidate all of their cards into a single Coin card.  A Coin card is not your traditional credit card.  It is an electronic device the size of a credit card with a programmable magnetic strip.  Any card with a magnetic strip whether that be a debit/credit card, gift card or preferred customer card, can be put on your Coin card.

The Coin card works over Bluetooth and is paired with your phone.  Using your phone and an adapter supplied by Coin, a user swipes their cards, which get loaded into their Coin account.  When a debit card is needed instead of a credit card, make the selection on your phone.  The Coin app will send the information to your card and it will be ready for use with that specific card information.  Lose your phone or your card?  Have your wallet stolen?  That is OK.  Coin has security configurations that will deactivate the card automatically if it loses communication with your phone for too long.  It sounds as if Coin has thought a lot about security, at least from the physical security point of view.  What about digitally?

We live in a world where data breaches are common.  A new story about a large company being hacked with customer information stolen seems to happen semi-regularly.  Many times the stolen data is not encrypted, and this non-encrypted data contains anything from credit card information to email addresses.  Is it safe to put all of my banking, credit and preferred customer information in a single location?  It is a risky move to digitally put all your eggs in one basket.  If Coin were hacked and your data were stolen, what would happen?  It is essentially the same thing as having your entire wallet stolen.

Coin appears to be prepared for this.  Coin does not state what user data is stored with them but they do state all user data in the cloud, on the mobile app or on the card itself  is encrypted using at least 128-bit encryption.  In addition any information transferred via Bluetooth is also encrypted so personal data could not be used if it were captured during transmission.  This means that if the data is stolen from the cloud, phone or card it is virtually worthless without the decryption key.

Coin has put the right foot forward in their vision of plastic card consolidation.  The strong encryption shows they are serious about data security.  With the configurable lockout and deactivation features they are making every effort to physically secure the device from theft or loss.  The technology being used is not new, but the way it is being used is both new and unique.  If Coin is as secure as they claim and the concept takes off, expect the popularity to grow exponentially along with the copycats.  The card itself is still in pre-order and is set to be released this summer.  You can find out more about Coin here.

A digital renaissance in public school innovation and technology

One of the primary methods that schools can innovate is with technology. I live in an area where they’re trying to provide technology to all students by providing laptops or tablets from kindergarten to seniors in high school, all grades K through 12. In any one school district they now have to manage these devices and make sure they are working correctly on a day-to-day basis or the students will not be able to complete their school work. The area I live in is calling this initiative the “Digital Renaissance”. Overall I think this is a great initiative, though I have several concerns.

Decision making on cost

As far as device choice goes, schools are going to buy whatever they can get the best deal on, which isn’t always going to provide the best device. This initiative is one area in which I believe Windows 8 and Surface-like devices could offer amazing benefits. I also believe device selection plays into other areas as well.


Security and consumerism in technology

The students being given devices to learn are now more like employees for the school system and should be treated as such. How will the schools secure the devices so that students can’t install applications or updates that don’t help with their studies? Most consumer-based devices will not have the features required to secure them properly and stop these “employees” from being able to improperly use these devices.

Students are going to try to find ways to use these devices in an unknown number of ways. Think of all the different ways children use smart phones and the trouble they get themselves into. To summarize, how is the school system going to filter the students’ activities on these devices?

Read the rest of this post »