The SPS AKL (SharePoint Portal Server Anti-Key Logger) is an application that facilitates key logger detection by leveraging Windows services, and provides removal and recommended prevention options through multiple modules. There are three main modules that complete the system.
- Check Process Service Module – Runs against the current services on the machine to detect whether a key logger is present on the target machine.
- Detected Keylog Attempt Module and Actions Management – A management interface used when a key logger is detected on one of your SharePoint machines. It provides insight into the key logger and the options available for dealing with the malware.
- SharePoint Server Administrators
- SharePoint Server Custodians
- Systems Administrators
- Security Officers
Key loggers are becoming a commonplace method for intruders to gain unauthorized access to systems by recording user keystrokes as they occur on the machine, or in our case, our SharePoint Portal or Windows SharePoint Services server. Protecting your server from key loggers is a fairly crucial measure in any security structure, ensuring you keep full control of your machines without worrying about them being compromised by hackers.
Key loggers can exist on two different levels: hardware and software. There is a range of available hardware key loggers, from those that are fairly easy to detect, such as those that attach inline with the keyboard cable and those that bind to the port where the keyboard is installed, to those that are placed directly into the keyboard or laptop machine. Retrieving the data from the target machine can vary heavily depending on the application used, which has its own implications. The most common way is to slip in a Trojan or other remote access application that gives the intruder direct access to the machine to query the log generated by the key logger. Because SharePoint machines are often hooked into MS Exchange servers, the information can typically be sent automatically by email, which is slightly more elegant than the former technique because it leaves less of a trail and gives less evidence to forensic computer analysts.
Key loggers at first glance appear to be for malicious purposes, but this is not entirely the case. Against the author's ethics and beliefs, as well as those of several others, various corporations have been installing hard key loggers into their machines to capture exact employee activity and report on arbitrary data. The laws regarding this are fairly blatant: because the machine is typically the company's property, any and all information that is created, stored, or possibly sent from the host machine remains the property of the company (this is a fairly grey issue), and therefore there are no legal ramifications that prevent organizations from doing so. The FBI has even been known to leverage key logging technology to break down encrypted communications by those participating in illegal activity (the most famous of which is Magic Lantern).
Securing your SharePoint environment against key loggers is as important as web and network layer security. The SPS AKL is composed of two main modules that help you harden your SharePoint environment, one for detection and another for management. The central processing portions run as a Windows service that will need to be installed.
In order to install the Anti-Keylogger service:
- Select Start
- Choose Run
- Enter the following command: "C:\Program Files\ARB Security Solutions\SPS AKL\SharePoint AKL Service.exe" /INSTALL
This will allow you to manage the service from the services.msc snap-in, where you can control it at a more granular level with regard to its starting options.
Once you have the service installed, the other tools are easy to use. Select the SPS AKL from the Programs fly-out, and you will notice that a new item is added to your task bar. From here you can either check the current processes for key loggers, or bring up the main interface, which allows you to resolve key logging issues.
From the icon, you can bring up the selection interface by right-clicking on it.
It is suggested that you leave the interface in the task bar so that you receive notifications about key loggers as they arise.