Best Practices Guide McAfee Security for Microsoft SharePoint 2.5.0


COPYRIGHT
Copyright © 2010 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
  About this guide
    Audience
    Conventions
  Finding product documentation

1 Overview

2 Pre-installation Instructions
  User roles
  Standalone McAfee Security for Microsoft SharePoint
    SharePoint installation in single server mode
    SharePoint installation in a farm
  McAfee Security for Microsoft SharePoint managed through ePolicy Orchestrator

3 Post-installation Instructions
  Standalone McAfee Security for Microsoft SharePoint
    Testing the on-access scan
    Testing the on-demand scan
  McAfee Security for Microsoft SharePoint managed through ePolicy Orchestrator

4 Product Configurations
  McAfee Global Threat Intelligence file reputation technology
  Scan policies
    On-access policy
    On-demand policy
  On-demand scan
    Distributing on-demand scans
    Scheduling scans
  Recommended configurations for Settings and Diagnostics

Index


Preface

This section provides information on the organization of this guide and its related product documentation details.

Contents

• About this guide
• Finding product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold: Text that is strongly emphasized.

User input or Path: Commands and other text that the user types; the path of a folder or program.

Code: A code sample.

User interface: Words in the user interface including options, menus, buttons, and dialog boxes.

Hypertext blue: A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.


Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access user documentation:

  1 Click Product Documentation.

  2 Select a Product, then select a Version.

  3 Select a product document.

To access the KnowledgeBase:

  • Click Search the KnowledgeBase for answers to your product questions.

  • Click Browse the KnowledgeBase for articles listed by product and version.


1 Overview

This chapter introduces McAfee Security for Microsoft SharePoint 2.5 and gives you an overview of the Best Practices Guide.

About McAfee Security for Microsoft SharePoint

McAfee Security for Microsoft SharePoint (previously known as McAfee PortalShield) provides comprehensive security for information stored on the following Microsoft SharePoint products:

• Microsoft SharePoint Server 2003/Windows SharePoint Services 2.0

• Microsoft Office SharePoint Server 2007/Windows SharePoint Services 3.0

• Microsoft SharePoint Server 2010/Windows SharePoint Foundation 2010

Following is a typical dashboard screen that is displayed on launching McAfee Security for Microsoft SharePoint. It provides administrators with the latest statistics of detected items, information on scan and DAT updates, product version and license information, and the details of the recently scanned items.


About the Best Practices Guide

This guide highlights the best practices for using McAfee Security for Microsoft SharePoint version 2.5 as a standalone product or when managed through McAfee ePolicy Orchestrator.

Benefits and risks of some of the product configurations that might not seem straightforward are explained further in this guide. You can gauge which configuration best suits your environment.

If you are managing McAfee Security for Microsoft SharePoint using ePolicy Orchestrator, we presume you are familiar with using ePolicy Orchestrator and are primarily focusing on safeguarding your SharePoint servers on the managed nodes using the McAfee Security for Microsoft SharePoint software.


2 Pre-installation Instructions

This chapter covers the roles of users associated with McAfee Security for Microsoft SharePoint. It also provides a list of actions you must perform before installing McAfee Security for Microsoft SharePoint.

Contents

• User roles
• Standalone McAfee Security for Microsoft SharePoint
• McAfee Security for Microsoft SharePoint managed through ePolicy Orchestrator

User roles

This section lists the roles of users associated with McAfee Security for Microsoft SharePoint.

Role: Description

SharePoint Farm administrator (Full permissions): Domain account with full administrator permissions for all Windows servers and farm level services in the SharePoint server farm. This account needs to be specified during the McAfee Security for Microsoft SharePoint installation.

SharePoint administrator (Full permissions): Domain account with full administrator permissions for SharePoint installed on a single server. This account needs to be specified during the McAfee Security for Microsoft SharePoint installation.

Custom user (Minimum permissions): Domain account with the minimum permissions/least privileges required for McAfee Security for Microsoft SharePoint to run. This account needs to be specified during the McAfee Security for Microsoft SharePoint installation. Refer to the section Creating a customized domain user account with the least SQL permissions in this guide for instructions on creating a "Custom user" with minimum permissions to run McAfee Security for Microsoft SharePoint.

Windows administrator: Account that is a member of the local administrators group, used to launch the McAfee Security for Microsoft SharePoint installer. This might be the same as the farm administrator account if that account is being used for installing McAfee Security for Microsoft SharePoint. However, if the "Custom User" is being used to run McAfee Security for Microsoft SharePoint, you need a Windows administrator account to run the installer.

ePolicy Orchestrator administrator: Account used to deploy, manage, and administer McAfee Security for Microsoft SharePoint from the ePolicy Orchestrator server.


Standalone McAfee Security for Microsoft SharePoint

This section provides a list of actions you must perform before installing McAfee Security for Microsoft SharePoint, when the SharePoint server is deployed in a single server mode or in a farm.

SharePoint installation in single server mode

When the SharePoint server is installed in a single server mode, here's a checklist of instructions you can use before installing McAfee Security for Microsoft SharePoint.

Instructions Checklist

[ ] Ensure your system meets the minimum hardware and software requirements for installing McAfee Security for Microsoft SharePoint. Refer to the Hardware and Software Requirements section in the User Guide.

[ ] Ensure you have the Windows administrator credentials to install McAfee Security for Microsoft SharePoint. This account must be a member of the Windows administrators group, and the credentials are required for launching the product installer.

• For future reference, please make a note of the Windows administrator user name here with the domain name _________________________________

• Also ensure you remember the password for this account.

[ ] Ensure you have the SharePoint administrator credentials to supply to the McAfee Security for Microsoft SharePoint installer. This account must be a member of the local administrator group on the SharePoint server and database server for remote database access.

• For future reference, please make a note of the SharePoint administrator account name here with the domain name _________________________________

• Also ensure you remember the password for this account.

[ ] Uninstall any previous versions of the product prior to the PortalShield 2.0 Service Pack 1 release.

PortalShield 2.0 Service Pack 1 will automatically be upgraded to McAfee Security for Microsoft SharePoint 2.5.

[ ] Choose an open/unused port on the server where you want to host the McAfee Security for Microsoft SharePoint site. You can use the default port 45900 if available. Use telnet from the Windows command prompt to check whether a port is open.

• From a remote server, use the command telnet <host name or IP address> <Port>

  • Connection refused means that the port is available (open).

  • Accepted means that the port is in use and not available.

  • Timeout means that a firewall is blocking the access.

• From the same server, use "netstat -an" to check whether port 45900 is listening.

It is a good practice to have McAfee Security for Microsoft SharePoint installed in the default directory of the system drive. However, you can select another location as per your requirements.


SharePoint installation in a farm

This section provides a list of actions you must perform before installing McAfee Security for Microsoft SharePoint when the SharePoint server is installed in a farm.

Recommendation: McAfee recommends that you install McAfee Security for Microsoft SharePoint with SharePoint Farm administrator credentials. McAfee Security for Microsoft SharePoint should be installed on the following servers within the server farm:

• All Web Front-End (WFE) servers that host Portal sites.

• All WFE servers that host Windows SharePoint Services team sites.

• When a WFE server redirects traffic to another SharePoint role in the farm, McAfee Security for Microsoft SharePoint must be installed on both the WFE server and the destination SharePoint role. This is because the redirected traffic does not pass through McAfee Security for Microsoft SharePoint on the WFE.

McAfee Security for Microsoft SharePoint is not required on the server types below:

• Application servers

  When you configure on-demand or scheduled scans in an environment where McAfee Security for Microsoft SharePoint is not installed on the application servers, the entire database contents are retrieved from the application servers and streamed over the network to the WFE for scanning. In such cases, it can be beneficial to install McAfee Security for Microsoft SharePoint locally on the application servers to minimize bandwidth usage.

• Search Servers

• Index Management Servers

  If you choose to install McAfee Security for Microsoft SharePoint on an Indexing Server, ensure that indexing is scheduled to occur during off-peak hours to minimize the impact of on-access scanning on server performance.

• Job Servers

• Microsoft SQL Servers

If your organization's policy restricts you from using SharePoint Farm administrator credentials or if you do not want to use them for other reasons, you can create a customized normal domain user account [referred to as Custom User (Minimum permissions) in this guide] with the minimum permissions required for McAfee Security for Microsoft SharePoint to run. Refer to the Creating a customized domain user account with the least SQL permissions section in this guide for instructions.

Instructions for the recommended credentials

McAfee recommends that you have the SharePoint Farm administrator credentials before installing McAfee Security for Microsoft SharePoint in a SharePoint farm.

With administrator credentials, here's a checklist of instructions you can use before installing McAfee Security for Microsoft SharePoint.


Instructions Checklist

[ ] Ensure your system meets the minimum hardware and software requirements for installing McAfee Security for Microsoft SharePoint. Refer to the Hardware and Software Requirements section in the User Guide.

[ ] Ensure you have the Windows administrator credentials to install McAfee Security for Microsoft SharePoint. This account must be a member of the Windows administrators group, and the credentials are required for launching the product installer.

• For future reference, please make a note of the Windows administrator user name here with the domain name _________________________________

• Also ensure you remember the password for this account.

[ ] Ensure you have the SharePoint Farm administrator credentials to supply to the McAfee Security for Microsoft SharePoint installer. This account must be a member of the local administrator group on the SharePoint server and database server for remote database access. If your organization's policy prevents you from using administrative credentials or if you do not want to use them for other reasons, refer to the section Creating a customized domain user account with the least SQL permissions in this guide for instructions on creating a "Custom user" with minimum permissions to run McAfee Security for Microsoft SharePoint.

• For future reference, please make a note of the SharePoint Farm administrator account name / Custom user account name here with the domain name _________________________________

• Also ensure you remember the password for this account.

[ ] Uninstall any previous versions of the product prior to the PortalShield 2.0 Service Pack 1 release.

PortalShield 2.0 Service Pack 1 will automatically be upgraded to McAfee Security for Microsoft SharePoint 2.5.

[ ] Choose an open/unused port on the server where you want to host the McAfee Security for Microsoft SharePoint site. You can use the default port 45900 if available. Use telnet from the Windows command prompt to check whether a port is open.

• From a remote server, use the command telnet <host name or IP address> <Port>

  • Connection refused means that the port is available (open).

  • Accepted means that the port is in use and not available.

  • Timeout means that a firewall is blocking the access.

• From the same server, use "netstat -an" to check whether port 45900 is listening.


Creating a customized domain user account with the least SQL permissions

This section provides instructions on creating a customized normal domain user account with the least SQL permissions if your organization's policy restricts you from using administrator credentials or if you do not want to use them for other reasons.

1. ACTIVE DIRECTORY

1.1 Create a new domain user account in Active Directory. (For example: MSMSDBAccnt)

1.2 Assign the account privileges equivalent to those of members of the "Users" group.

1.3 The product installer prompts you to type the account credentials while configuring the database access account for the remote SQL connection.

These account credentials apply only to:

• Microsoft SharePoint Server 2003 and Windows SharePoint Services 2.0 installations that use a remote SQL database server.

• Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0 (Local and Remote SQL installation).

• Microsoft SharePoint Server 2010 and SharePoint Foundation 2010 (Local and Remote SQL installation).

2. SQL SERVER

2.1 SQL server administrator rights are required to make group updates. Make the following changes under SQL server security:

Alternatively, SharePoint administrators can script these manual steps of assigning SQL server permissions for group updates.

Changes

2.1.1 Add the custom user account (for example: MSMSDBAccnt) to be used as the McAfee Security for Microsoft SharePoint database access account. Provide the "public" permissions to the user.

2.1.2 Under user mapping, select:

• All SharePoint content databases corresponding to web applications.

• Content database corresponding to your administrator web application.

• SharePoint configuration database.

2.2 The following permissions must be granted:

2.2.1 Assign the following securables "Execute" rights for the SharePoint configuration database (the exact list might be slightly different).

Securables

• proc_getObjectsByBaseClass
• proc_getSiteMap
• proc_getSiteSubset
• proc_getObjectsByClass
• proc_getSiteMapById
• proc_getSiteNames
• proc_getSiteCount


2.2.2 For each web content database and administrator content database, assign the following securables "execute" rights. (The exact list may be slightly different based on the environment and applications deployed in the SharePoint farm. Please monitor the event viewer regularly to fine-tune this list.)

Securables

• proc_AddDocument
• proc_GetLinkInfoSingleDoc
• proc_AL
• proc_ListAllWebsOfSite
• proc_AddListItem
• proc_ListUrls
• proc_DeleteUrl
• proc_SecUpdateUserActiveStatus
• proc_DirtyDependents
• proc_SecGetSiteGroupByTitle
• proc_FetchDocForHttpGet
• proc_SecGetUserPermissionOnGroup
• proc_FetchDocForUpdate
• proc_UpdateVirusInfo
• proc_GetSiteFlags
• proc_GetListMetaDataAndEventReceivers
• proc_GetTpWebMetaDataAndListMetaData
• proc_GetListFields
• proc_GetUrlDocId
• proc_UpdateDirtyDocument
• proc_GetDocsMetaInfo
• proc_UpdateListItem
• proc_GetParentWebUrl
• proc_SecGetIndividualUrlSecurityCheckEventReceivers
• proc_GenerateNextId
• UserData (under the Views section)
• proc_GetWebMetainfo

2.2.3 For each web content database and administrator content database, assign the "execute" rights on this object (Step: Go to Programmability | Functions | Scalar-Valued Functions for each db).

• fn_GetFullUrl

2.3 No requirement for local administrator group membership.
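One way to script steps 2.1 through 2.2.3 is to generate a T-SQL file that a SQL Server administrator reviews and then runs. This is an added example, not McAfee's own script: the domain CONTOSO, the database names, the dbo schema, the output file name and the choice of SELECT for the UserData view are assumptions.

```powershell
# Added example: emits a T-SQL script for steps 2.1-2.2.3 of the guide.
# Everything in this first section is a placeholder to replace with your own values.
$Account    = 'CONTOSO\MSMSDBAccnt'    # hypothetical domain; account name from the guide's example
$ConfigDb   = 'SharePoint_Config'      # placeholder configuration database name
$ContentDbs = @('WSS_Content', 'SharePoint_AdminContent')   # placeholder content database names
$OutFile    = '.\msms-least-privilege.sql'                  # hypothetical output file

# Securables as listed in steps 2.2.1, 2.2.2 and 2.2.3 of the guide.
$ConfigProcs = @(
    'proc_getObjectsByBaseClass', 'proc_getSiteMap', 'proc_getSiteSubset',
    'proc_getObjectsByClass', 'proc_getSiteMapById', 'proc_getSiteNames',
    'proc_getSiteCount'
)
$ContentProcs = @(
    'proc_AddDocument', 'proc_GetLinkInfoSingleDoc', 'proc_AL',
    'proc_ListAllWebsOfSite', 'proc_AddListItem', 'proc_ListUrls',
    'proc_DeleteUrl', 'proc_SecUpdateUserActiveStatus', 'proc_DirtyDependents',
    'proc_SecGetSiteGroupByTitle', 'proc_FetchDocForHttpGet',
    'proc_SecGetUserPermissionOnGroup', 'proc_FetchDocForUpdate',
    'proc_UpdateVirusInfo', 'proc_GetSiteFlags',
    'proc_GetListMetaDataAndEventReceivers',
    'proc_GetTpWebMetaDataAndListMetaData', 'proc_GetListFields',
    'proc_GetUrlDocId', 'proc_UpdateDirtyDocument', 'proc_GetDocsMetaInfo',
    'proc_UpdateListItem', 'proc_GetParentWebUrl',
    'proc_SecGetIndividualUrlSecurityCheckEventReceivers',
    'proc_GenerateNextId', 'proc_GetWebMetainfo'
)
$ContentFunctions = @('fn_GetFullUrl')   # step 2.2.3, scalar-valued function
$ContentViews     = @('UserData')        # a view: EXECUTE does not apply, so SELECT is granted (assumption)

function New-GrantBatch {
    param(
        [string]$Database,
        [string]$Principal,
        [string[]]$ExecuteOn = @(),
        [string[]]$SelectOn  = @()
    )
    # Step 2.1.2: map the login to a user in this database if it is not mapped yet.
    "USE [$Database];"
    "IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Principal')"
    "    CREATE USER [$Principal] FOR LOGIN [$Principal];"
    foreach ($name in $ExecuteOn) {
        # Guarded with OBJECT_ID because the guide notes the list differs per environment.
        "IF OBJECT_ID(N'dbo.$name') IS NOT NULL GRANT EXECUTE ON OBJECT::dbo.[$name] TO [$Principal];"
    }
    foreach ($name in $SelectOn) {
        "IF OBJECT_ID(N'dbo.$name') IS NOT NULL GRANT SELECT ON OBJECT::dbo.[$name] TO [$Principal];"
    }
    'GO'
}

# Step 2.1.1: Windows login only. A new login belongs to the public server
# role automatically; no other server role is added.
$sql = @(
    '-- Generated for review; requires SQL Server 2005 or later catalog views.'
    'USE [master];'
    "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')"
    "    CREATE LOGIN [$Account] FROM WINDOWS;"
    'GO'
)

# Step 2.2.1: configuration database.
$sql += New-GrantBatch -Database $ConfigDb -Principal $Account -ExecuteOn $ConfigProcs

# Steps 2.2.2 and 2.2.3: every web content and administrator content database.
foreach ($db in $ContentDbs) {
    $sql += New-GrantBatch -Database $db -Principal $Account `
        -ExecuteOn ($ContentProcs + $ContentFunctions) -SelectOn $ContentViews
}

$sql | Set-Content -Path $OutFile -Encoding ASCII
"Wrote $($sql.Count) lines to $OutFile"

# After review, a SQL Server administrator can run the file, for example:
#   sqlcmd -S <SQL server name> -E -i .\msms-least-privilege.sql
```

Objects that do not exist in a given database are skipped silently, so compare the generated grants with the event viewer entries the guide asks you to monitor.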

3. SHAREPOINT SERVER

3.1 No requirement for local administrator group membership by the domain user account (For example: MSMSDBAccnt) used by McAfee Security for Microsoft SharePoint.

3.2 No requirement for interactive login.

3.3 No requirement for Site Collection administrator.

3.4 Create a new Permission Policy Level (For example: MSMS-Permissions) and grant the following permissions. These permissions are the minimal set for McAfee Security for Microsoft SharePoint to work with the SharePoint Object model and iterate over the SharePoint store to do scan and clean. (SharePoint Farm administrator rights are required to make this change).


Permissions

3.4.1 Under Site collection Permissions grant "Site Collection Auditor" permission. Site collection auditors have Full Read access for the entire site collection including reading permissions and configuration data. McAfee Security for Microsoft SharePoint requires this as it monitors the SharePoint anti-virus settings to determine whether real-time scan is enabled or disabled.

3.4.2 In "List permissions" section, grant the following permissions:

• Manage List — Required for replacing/deleting infected content added as an attachment under items in "Discussions".

• Override Check Out — Required to forcefully check in a document detected as infected and perform the action as per policy.

• Add Items — Required for replacing the infected file with a file containing replacement alert message.

• Edit Items — Required for updating the checked out documents while forcefully checking in with a check-in comment.

• Delete Items — Required for removing an infected list item (document).

• View Items — Required for the target picker while defining a scan target.

3.4.3 Under Site Permissions, grant "View Pages - View pages in a website" permission. Without this, McAfee Security for Microsoft SharePoint is unable to iterate over the site in on-demand scan tasks.

3.4.4 Save the newly created permission policy level.

3.5 For each Web application created in the SharePoint Farm:

Instructions

3.5.1 Update the Web application policy for the respective web application to add the product database access account (For example: MSMSDBAccnt) with the Permission Policy Level created earlier (For example: MSMS-Permissions).

3.5.2 Update the Web application policy to cover any web applications that are added in future.

This will not cover the "Central Admin" application, which will not be scanned unless Option1 above is chosen. Alternatively, we can add the product database access account (For example: MSMSDBAccnt) as a secondary site collection administrator account on the "Central Admin" web application alone.

3.6 Update the IIS and SharePoint user groups on each SharePoint Server by adding the McAfee Security for Microsoft SharePoint database access account (For example: MSMSDBAccnt). These manual steps may be scriptable. Local administrator rights or GPOs are required to make these group updates.

User groups

3.6.1 IIS_WPG (for IIS 6) and IIS_IUSRS (IIS7)

3.6.2 WSS_WPG

3.7 Add "Modify" permission to give the product database access account (For example: MSMSDBAccnt) read/delete access to the McAfee Security for Microsoft SharePoint bin folder (<Product Install Location>\Bin). These manual steps may be scriptable. Local administrator permission or GPOs are required to make the changes.

This folder is specific to McAfee Security for Microsoft SharePoint. For example, for a default installation the bin folder path is C:\Program Files\McAfee\McAfee PortalShield\Bin


Reason: This permission is required if on-demand scans are scheduled via ePolicy Orchestrator. During runtime, ePolicy Orchestrator passes the configuration details needed for the on-demand scan to the McAfee agent plug-in, which places the configuration details in a file with a ".tmp" extension in the product bin folder. The on-demand process (RunScheduled.exe) reads the configuration from this file and then deletes it.

If using a regular domain account (For example: MSMSDBAccnt), the account will not have read/delete access for the "bin" folder. Hence "Modify" access needs to be added for the product database access account (For example: MSMSDBAccnt) on the "bin" folder. This can be done after installation or via GPOs (Group Policy Objects).

Alternatively, manual steps 3.4, 3.5 and 3.6 can be scripted for SharePoint administration; this requires SharePoint administrator rights to make the changes.
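Steps 3.6 and 3.7 can be applied from an elevated PowerShell prompt on each SharePoint server. This is an added example, not McAfee's own script; the domain CONTOSO and the function names are hypothetical, and the bin path is the default one quoted above.

```powershell
# Added example for steps 3.6 and 3.7. Run elevated on each SharePoint server.
$Account = 'CONTOSO\MSMSDBAccnt'   # hypothetical domain; account name from the guide's example
$BinPath = 'C:\Program Files\McAfee\McAfee PortalShield\Bin'   # default path from the guide

function Add-ToExistingLocalGroup {
    param([string]$Group, [string]$Member)
    # "net localgroup <name>" exits non-zero when the group does not exist,
    # which is expected: IIS_WPG is IIS 6 only and IIS_IUSRS is IIS 7 only.
    $null = & net.exe localgroup $Group 2>&1
    if ($LASTEXITCODE -ne 0) {
        return "$Group : not present on this server, skipped"
    }
    $output = & net.exe localgroup $Group $Member /add 2>&1
    if ($LASTEXITCODE -eq 0) {
        return "$Group : added $Member"
    }
    # Typical case here: the account is already a member of the group.
    return "$Group : $($output -join ' ')"
}

function Grant-ModifyOnFolder {
    param([string]$Path, [string]$Identity)
    # Step 3.7: Modify on the folder, inherited by the files created in it,
    # so RunScheduled.exe can read and delete the .tmp configuration file.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Read the ACL back and confirm that the Allow/Modify entry is in place.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $entry  = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify
    }
    return [bool]$entry
}

# Step 3.6: only the groups that exist on this server are changed.
foreach ($group in 'IIS_WPG', 'IIS_IUSRS', 'WSS_WPG') {
    Add-ToExistingLocalGroup -Group $group -Member $Account
}

# Step 3.7: the account is not added to the local Administrators group.
if (Test-Path -LiteralPath $BinPath) {
    if (Grant-ModifyOnFolder -Path $BinPath -Identity $Account) {
        "Modify granted to $Account on $BinPath"
    } else {
        "Modify entry for $Account not found on $BinPath after Set-Acl"
    }
} else {
    "Bin folder not found at $BinPath; set the path for a non-default install"
}
```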

McAfee Security for Microsoft SharePoint managed through ePolicy Orchestrator

Here's a checklist of actions you can use before deploying McAfee Security for Microsoft SharePoint using ePolicy Orchestrator 4.0 or 4.5.

Instructions Checklist

[ ] Use administrator credentials of the ePolicy Orchestrator server.

[ ] Add manageable nodes to the ePolicy Orchestrator server on which you want to deploy McAfee Security for Microsoft SharePoint. Refer to the ePolicy Orchestrator product documentation for instructions.

[ ] Deploy McAfee Agent 4.0 or later on your managed nodes running Microsoft SharePoint. Refer to the McAfee Agent product documentation for installation instructions.

[ ] Ensure you have administrator credentials for each SharePoint server in single server mode or farm environment. These credentials must be provided while deploying for Microsoft Office SharePoint Server 2007 or SharePoint 2010 (using command line option).

(Command line parameters are separated by a space). For example: REMOTESQLUSER="DomainName\UserName or HostName\UserName" REMOTESQLPWD="password" IISPORT=45900 (Optional).

For more information on the command line usage, refer to the Installing McAfee Security for Microsoft SharePoint on Managed Nodes section in the User Guide.

[ ] Remove any previous versions of the product from ePolicy Orchestrator prior to the PortalShield 2.0 Service Pack 1 release.

PortalShield 2.0 Service Pack 1 will automatically be upgraded to McAfee Security for Microsoft SharePoint 2.5.

[ ] Choose an open/unused port on the server where you want to host the McAfee Security for Microsoft SharePoint site. You can use the default port 45900 if available. Use telnet from the Windows command prompt to check whether a port is open.

• From a remote server, use the command telnet <host name or IP address> <Port>

  • Connection refused means that the port is available (open).

  • Accepted means that the port is in use and not available.

  • Timeout means that a firewall is blocking the access.

• From the same server, use "netstat -an" to check whether port 45900 is listening.
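The port check that closes each of the three pre-installation checklists can be run without the telnet client, using .NET from PowerShell. This is an added example, not part of the McAfee guide; the function names and the 5-second timeout are assumptions, and the result strings follow the guide's three telnet outcomes.

```powershell
# Added example: the telnet and "netstat -an" checks from the checklist as functions.

function Test-LocalPortListening {
    param([int]$Port = 45900)
    # Same information as the LISTENING rows of "netstat -an".
    $props     = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $listeners = $props.GetActiveTcpListeners()
    return [bool]($listeners | Where-Object { $_.Port -eq $Port })
}

function Test-RemotePort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 45900,
        [int]$TimeoutMs = 5000    # assumed wait before the attempt counts as a timeout
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # No answer at all: matches "Timeout" in the guide.
            return 'Timeout: a firewall is blocking the access'
        }
        $client.EndConnect($pending)   # throws if the connection was rejected
        # Something answered on the port: matches "Accepted" in the guide.
        return 'Accepted: the port is in use and not available'
    }
    catch {
        $cause   = $_.Exception.GetBaseException()
        $refused = [System.Net.Sockets.SocketError]::ConnectionRefused
        if ($cause -is [System.Net.Sockets.SocketException] -and
            $cause.SocketErrorCode -eq $refused) {
            # Host reachable, nothing listening: matches "Connection refused".
            return 'Connection refused: the port is available'
        }
        # For example a host name that does not resolve.
        return "Error: $($cause.Message)"
    }
    finally {
        $client.Close()
    }
}

# On the server that will host the product site:
if (Test-LocalPortListening -Port 45900) {
    'Port 45900 is already listening on this server; choose another port'
} else {
    'Port 45900 is not listening on this server'
}

# From a remote server; replace localhost with the SharePoint server name:
$TargetHost = 'localhost'
Test-RemotePort -ComputerName $TargetHost -Port 45900
```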


3 Post-installation Instructions

This chapter provides instructions on verifying your McAfee Security for Microsoft SharePoint installation.

Contents

Standalone McAfee Security for Microsoft SharePoint
McAfee Security for Microsoft SharePoint managed through ePolicy Orchestrator

Standalone McAfee Security for Microsoft SharePoint

After installing McAfee Security for Microsoft SharePoint as a standalone product, you can verify if the on-access and on-demand scanning works properly.

To test the on-access scanning, upload the standard EICAR anti-virus test file to the SharePoint server.

To test the on-demand scanning, disable on-access scanning, upload an EICAR test file, and schedule an on-demand scan to run immediately.

The EICAR test file is NOT A VIRUS.

Testing the on-access scan

After installing McAfee Security for Microsoft SharePoint, we recommend that you test the installation to ensure that the software is installed properly and can detect viruses and other unwanted content in a file/document.

Before you begin

• Update McAfee Security for Microsoft SharePoint with the latest DATs by clicking Update Now on the dashboard.

• In SharePoint server, select the Scan documents on upload and Scan documents on download options.

• If you have any other security software installed on your server (such as McAfee VirusScan Enterprise), disable its on-access scanner during this process. This is to prevent the file being identified by the other security software.

Task

1 Launch the Microsoft SharePoint server.

2 Copy the following line into its own file, then save the file with the name EICAR.TXT:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The file size will be 68 or 70 bytes.

3 Launch the McAfee Security for Microsoft SharePoint software and upload the EICAR.TXT file to your Microsoft SharePoint server.

By default, on-access scanning in McAfee Security for Microsoft SharePoint is configured to Prevent Upload/Download of the Item. Hence McAfee Security for Microsoft SharePoint will prevent the file from being stored in SharePoint.

View the scan results in the McAfee Security for Microsoft SharePoint dashboard; the Statistics counter will be incremented. For details, see the Recently Scanned Items section. It will have an entry with a red icon.

Testing the on-demand scan

After testing the on-access scanning, we recommend that you test the on-demand scanning too.

Before you begin

Before testing the on-demand scanning, do one of the following:

• Click On-Access Settings on the McAfee Security for Microsoft SharePoint dashboard to display the Configure anti-virus settings page of SharePoint server. Deselect Scan documents on upload and Scan documents on download.

• If you have any other security software installed on your server (such as McAfee VirusScan Enterprise), disable its scanners during this process. This is to prevent the file being identified by the other security software.

Task

1 Delete any EICAR file if present in the document store, then upload a new EICAR file.

2 Schedule an on-demand scan to run immediately for that document store (using the Run Now option).

For instructions, please refer to the McAfee Security for Microsoft SharePoint 2.5.0 User Guide.

The McAfee Security for Microsoft SharePoint software displays an alert that the EICAR test file was found (as per the default on-demand policy setting Replace item with an alert).

If an error message is displayed, check the SharePoint database credentials you entered during installation and ensure they are correct. To modify the credentials in case they are incorrect, you can run the "SetSQLAct.exe" utility from the command line. This utility is located in <installation folder>\bin.

Usage is as follows:

SetSQLAct.exe /USER=<user name> /PASSWORD=<password> /DOMAIN=<domain>

3 View the scan results in the McAfee Security for Microsoft SharePoint dashboard; the Statistics counter will be incremented. For details, see the Recently Scanned Items section. It will have an entry with a red icon.

4 Delete the file when you have finished testing your installation to avoid alarming unsuspecting users.

5 If you disabled on-access scanning before testing on-demand scanning, ensure you re-enable on-access scanning to provide real-time protection against viruses and unwanted files and content within your SharePoint computer.

6 If you have disabled any other anti-virus software during these tests, re-enable them.


McAfee Security for Microsoft SharePoint managed through ePolicy Orchestrator

After deploying McAfee Security for Microsoft SharePoint on managed nodes, you can verify the on-demand scanning and the details of managed nodes. You can also enforce policies to verify the reports on the ePolicy Orchestrator server or the managed nodes.

Testing the on-demand scan

To test on-demand scanning, upload an EICAR test file to the SharePoint server, then schedule an on-demand scan to run immediately. Refer to the McAfee Security for Microsoft SharePoint 2.5.0 User Guide for instructions on scheduling on-demand scan tasks using ePolicy Orchestrator versions 4.0 and 4.5.

Details of managed nodes

Verify the details of a managed node in System Tree by clicking on it.

Setting policies

For instructions on creating and enforcing policies, refer to the McAfee Security for Microsoft SharePoint 2.5.0 User Guide. To verify these policies, see the policy reports. The Reports extension must be installed on ePolicy Orchestrator to view these reports.


4 Product Configurations

This chapter describes Artemis Technology and provides recommendations for configuring the on-access and on-demand scan policy, and the Settings and Diagnostics feature.

Contents

McAfee Global Threat Intelligence file reputation technology
Scan policies
On-demand scan
Recommended configurations for Settings and Diagnostics

McAfee Global Threat Intelligence file reputation technology

This section provides recommendations for selecting a sensitivity level for McAfee Global Threat Intelligence File Reputation.

McAfee Global Threat Intelligence File Reputation safeguards your SharePoint Server by providing real-time security from ever-evolving threats.

It leverages the threat intelligence gathered by McAfee Labs to prevent damage and data theft even before a signature or DAT update is available.

In case of an upgrade from PortalShield 2.0 Service Pack 1 to McAfee Security for Microsoft SharePoint 2.5, the McAfee Global Threat Intelligence file reputation is enabled by default to provide additional coverage for file-based malware. In case of slow DNS lookups in your environment, you may experience slow on-demand scanning.

Sensitivity Level | Description

Disabled | McAfee Global Threat Intelligence File Reputation feature is turned off.

Very Low | Equivalent to next day's DATs. Get tomorrow's protection today. Recommended initial configuration.

Low | Protection in addition to DATs.

Medium | Used when the risk of regular exposure to malware is greater than the risk of a false positive.

High | Recommended for use in SharePoint Repositories which are regularly infected.

Very High | Recommended for use in On-Demand Scans on SharePoint Repositories.

You can also refer to the following McAfee KnowledgeBase articles:

• https://kc.mcafee.com/corporate/index?page=content&id=KB53733 for information on uploading the ArtemisTest.zip file (test file) to your SharePoint server for testing the McAfee Global Threat Intelligence file reputation technology.

• https://kc.mcafee.com/corporate/index?page=content&id=KB68631 for more information on the best practices of the Global Threat Intelligence File Reputation feature.

Scan policies

This chapter provides best practices for configuring on-access and on-demand scan policies.

Contents

On-access policy
On-demand policy

On-access policy

Here are the best practices for configuring on-access policies. However, this can vary as per your requirements.

The following configuration identifies viruses and other malicious programs and stops them from being uploaded to your SharePoint servers in real time.

• Always enable the anti-virus scanner, content scanning, and file filtering scanners for on-access policy. For true file type detection in file filtering, enable content scanning.

• Select the High Protection option to maximize the protection level of the anti-virus scanner.

• Always select the Quarantine option so that you can retrieve the files from the quarantine database later if required.

For instructions, refer to the Anti-Virus Scanner section in the McAfee Security for Microsoft SharePoint 2.5.0 User Guide.

On-demand policy

Here are the best practices for configuring on-demand policies. However, this can vary as per your requirements.

Apart from safeguarding your SharePoint servers from viruses and other malicious programs, the following configuration scans the textual data (content) in files stored in SharePoint servers.


• Always enable the anti-virus scanner, content scanning, and file filtering scanners for on-demand policy. For true file type detection in file filtering, enable content scanning.

• Select the High Protection option to maximize the protection level of the anti-virus scanner.

• Always select the Quarantine option so that you can retrieve the files from the quarantine database later if required.

For instructions, refer to the Core Scanners section in the McAfee Security for Microsoft SharePoint 2.5.0 User Guide.


On-demand scan

This section provides instructions on distributing on-demand scan tasks across SharePoint servers in a farm environment. It also describes the best practices of scheduling on-demand scan tasks for higher performance.

Distributing on-demand scans

Following is an example illustrating the farm deployment of McAfee Security for Microsoft SharePoint in an organization.

Task

1 Install McAfee Security for Microsoft SharePoint on the servers numbered from 1 to 5 in the following figure.

These servers are typically the front-end web servers and application servers.

For information on which servers in a SharePoint farm require McAfee Security for Microsoft SharePoint to be installed, refer to the McAfee KnowledgeBase article at https://kc.mcafee.com/corporate/index?page=content&id=KB52773.

2 Distribute on-demand scanning across various McAfee Security for Microsoft SharePoint installations.

For example: In the above figure, suppose 15 different sites (site1 to site15) are created on the SharePoint farm. By default, you will schedule an on-demand scan on a single WFE server that would iterate over the 15 sites. However, for better performance, you should schedule the on-demand scan to run on each of the MSMS servers by dividing the total number of sites across them. For instance, schedule the scan for site1, site2, and site3 from SharePoint server 1 and for site4, site5, and site6 from SharePoint server 2 and so on. Ideally, if there was some location benefit, you would schedule the on-demand scan on the McAfee Security for Microsoft SharePoint instance as close to the target sites as possible.

To distribute on-demand scans across SharePoint servers using ePolicy Orchestrator, schedule on-demand scan tasks for the configured policies. For instructions, refer to the ePolicy Orchestrator product documentation.

Scheduling scans

This section provides recommendations for scheduling on-demand scans for increased performance.

• Separate the internal and external facing SharePoint sites.

• Schedule on-demand scans during non-peak hours like weekends or during the maintenance period.

• When scheduling an on-demand scan for the first time, schedule a full on-demand scan. Subsequently, you can use Incremental scanning to scan only the new or modified items on your SharePoint server rather than re-scanning the entire server. You can select to scan from the last scanned date or even scan by specifying the date and time of the last scan.

• In case of a larger database or server, use Resumable scanning. In a resumable on-demand scan, when a scan in progress is stopped, McAfee Security for Microsoft SharePoint saves the current state of the scan task. When the same task is started later, the scan will resume from the last scanned folder. In the event of a signature (DAT) update while a scan is paused, McAfee Security for Microsoft SharePoint provides an option to restart the scan with the updated DATs.

Resumable scanning, incremental scanning and file extension exclusion are not supported if you are using SharePoint Server 2003.


Recommended configurations for Settings and Diagnostics

This section provides recommended configurations for Settings and Diagnostics features of McAfee Security for Microsoft SharePoint.

Feature/Option Name | Description | Recommendations/Best Practices

Detected Items | This option allows you to configure settings for the local database of quarantined items. | Database location: We recommend that you retain the default quarantine database location (product installation folder). However, in case of a disk space constraint, you can select another location. Maximum query size (records): The optimal value for displaying maximum records on the user interface in detected items is 1000. Purge of old items frequency and Optimization frequency are database operations. You must not schedule these operations to run at the same time because one of the operations will be locked by the database. Schedule optimization after purging the old items.

UI preferences | This option allows you to configure user interface refresh, report, metric, graph and chart settings. | Always enable the Show recently scanned items option to include the Recently Scanned Items tab in the Reports section on the dashboard.

Diagnostics | This option allows you to specify the level of debug logging required, the maximum size of debug files, and where they should be saved. | We recommend that you disable debug logging by selecting None from the Level drop-down menu. Enable it only when asked by McAfee Technical Support for collecting logs.

Import and Export Configuration | This option allows you to copy the configuration of one McAfee Security for Microsoft SharePoint to another. | Before clicking Restore Default, export your current configuration, if you have set one, so that you have a backup and do not lose your configuration.

User Settings | This option allows you to prevent or allow the upload of a document which failed to scan, retrieve the anti-virus settings from the SharePoint server when required, specify the maximum size of quarantined items and scanner counts, and add/remove the application pools. | Add all application pools to be recycled where SharePoint sites are running. This is a good practice, especially in case of frequent DAT updates.
