Security: Microsoft Groove Enterprise Services

We've released a new security paper on our TechCenter that covers Groove Enterprise Services. Nothing like a little security reading to get you all fired up, right? It's a short paper, only 9 or 10 pages, but if you run Microsoft Office Enterprise 2007, Microsoft Office Groove 2007, or Microsoft Office Live Groove, this information is relevant to you.

In the paper, Microsoft Office Groove Enterprise Services Security, we detail the steps we take to protect our hosting environment for the Groove Relay and Groove Manager servers. Many of the steps we take will also apply to customers that deploy their own servers.

Remember that there are three infrastructure options available to our customers (described in an earlier post). If you use Office Live Groove, access to the hosted Relay infrastructure is included in your subscription. If you are an Office Enterprise or Office Groove 2007 customer, you are most likely "managed" by a Groove "domain" which sets policies on your Groove client. That domain might be hosted by Microsoft (i.e., Enterprise Services) or deployed on site in your infrastructure (Groove Server 2007 Relay and Manager).

Either way, protecting the infrastructure is clearly an important part of the overall security story. The paper describes the security practices that are in place at our MSN datacenter, as well as the security features of the Groove software. Some excerpts from the paper are included below.

Regarding Microsoft Groove Enterprise Services, "Some of the network and system security processes in place include the following:

  • Terminal services provide for remote access by authorized personnel, managed via a dedicated user and resource domain. Operating system images are hardened by disabling unnecessary services, application of software, and security patches.
  • All operating systems within the environment are controlled by a central platform software team, which pro-actively monitors for updates to the operating system and platform-level software, as well as to network and storage devices. Firewalls are in place to protect Internet access points and computer workstations. Additional firewalls or routers are also in place to segment areas of the network that require more protection.
  • Anti-virus protection is in place for computer workstations and servers. Virus definition files are automatically propagated from a central service via direct feed from an anti-virus software provider.
  • Intrusion detection is provided in the form of network probes, host-based probes, event correlation, and emergency response monitoring and alerts, provided by a dedicated Operations team 24 hours per day, 365 days a year. In addition, system configuration and vulnerability scans are performed daily. Designated internal staff members are responsible for correcting identified vulnerabilities.
  • System audit logs run regularly. Designated staff members perform the audits and review the logs daily."

There are other security features that are built into the Groove Server and client. This is particularly interesting at the interface between Office Groove 2007 (the client) and the Office Groove Server components, such as Relay and Manager. For example,

"Device authentication when dequeueing device-targeted data (including Groove workspace and contact information) from the relay server.

User account authentication when dequeueing identity-targeted data (including Groove instant messages and invitations) from the relay server.

Server authentication when dequeueing both device-targeted and identity-targeted data."

If you are thinking about Microsoft Groove 2007, this paper will be an important part of your evaluation. 

Available now on the Groove TechCenter or directly from the technical library.

--abbott

link to this article: https://blogs.technet.com/groove/archive/2007/09/20/security-microsoft-groove-enterprise-services.aspx