The SharePoint Sentinel is meant to enhance visibility into, and control over, the processes running on a SharePoint server in order to prevent malicious activity. The methods suggested provide:
- Control over server processes through two lists, a whitelist and a blacklist, which give an administrator the tools to regulate process activity.
- Easy controls to start and halt the SharePoint Sentinel (the process protection agent).
- Alerts on malicious processes.
- A monitoring log to keep relevant records.
Intended audience:
- SharePoint Administrators
- Systems Administrators
- Server Custodians
Monitoring your server processes is an important part of any security framework, whether for process auditing or simply to have an agent that alerts you to malicious processes, much like the detection engine in AV software. Monitoring your processes not only provides insight into securing your SharePoint environment, but can also yield efficiency information, such as detecting runaway processes and aggregate task usage. The fairly limited Windows snap-in for this (the Task Manager) only lets you monitor and kill tasks. To promote good process management there should be an easy way to place processes in a whitelist (good processes) and a blacklist (bad processes), for example placing the SharePoint SSO service, the gatherer, or any other SharePoint-related process that your farm uses in the whitelist. You can then add the processes that you do not want activated to the blacklist, and the Sentinel will guard against them, negating the need to audit them since it essentially provides real-time protection.
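To make the whitelist/blacklist idea concrete, here is an added example (not the SharePoint Sentinel's own code) of a minimal PowerShell agent that polls running processes, alerts on blacklisted ones, notes unlisted ones once, and keeps a log; the list contents, log path and polling interval are assumptions to adapt to your farm.

```powershell
# Added example, not the SharePoint Sentinel's own code: a minimal allow/deny-list
# process monitor with a log file. Lists, log path and interval are assumptions.
param(
    [string]$LogPath = "$env:ProgramData\SentinelExample\sentinel.log",
    [int]$IntervalSeconds = 30,
    [switch]$Enforce   # when set, deny-listed processes are stopped, not only logged
)
# Constructed sample lists (process names as Get-Process reports them, no .exe).
# Allow list: processes expected on a SharePoint server; deny list: never allowed here.
$AllowList = @('w3wp', 'owstimer', 'mssearch', 'noderunner', 'sqlservr', 'lsass', 'svchost')
$DenyList  = @('exampleblocked', 'unwantedtool')
$Seen = @{}   # PID:name pairs already reported as unlisted, to avoid log flooding
function Write-SentinelLog {
    param([string]$Level, [string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}" -f (Get-Date), $Level, $Message
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}
# Classify one process name against the two lists (-contains is case-insensitive).
function Get-ProcessVerdict {
    param([string]$Name)
    if ($DenyList  -contains $Name) { return 'DENY' }
    if ($AllowList -contains $Name) { return 'ALLOW' }
    return 'UNKNOWN'
}
Write-SentinelLog 'INFO' 'Sentinel example started'
while ($true) {
    foreach ($p in Get-Process) {
        $key = "$($p.Id):$($p.ProcessName)"
        switch (Get-ProcessVerdict $p.ProcessName) {
            'DENY' {
                Write-SentinelLog 'ALERT' "Deny-listed process $($p.ProcessName) (PID $($p.Id))"
                if ($Enforce) {
                    Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
                    Write-SentinelLog 'ACTION' "Stopped PID $($p.Id)"
                }
            }
            'UNKNOWN' {
                if (-not $Seen.ContainsKey($key)) {
                    $Seen[$key] = $true
                    Write-SentinelLog 'NOTICE' "Unlisted process $($p.ProcessName) (PID $($p.Id)); classify it"
                }
            }
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Matching on the process name alone is easy to evade by renaming a binary, so a production agent should also check the image path or code signature. It must also run under an account with the rights to enumerate and, with -Enforce, stop other users' processes.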
The SharePoint Sentinel is split up into three main portions:
- Process Management
- Process Configuration
From the Process Configuration screen you can find a quick interface to set the properties of your processes so that you can be certain of what is allowed and denied. All of your available processes will be listed, and you can move them between the allow and deny lists, which you can work with more granularly once you open the appropriate screen.
This will move the processes into the appropriate list forms, where you can work with the specified processes in bulk. One list represents the whitelist and another represents the blacklist.
Once you find a process you want to move, select it, and it will be moved to the list that you specify. On these forms you can work with your choices at a more granular level and make moves in bulk.
Once you are satisfied with your choices, you can activate the Sentinel, which will begin monitoring for you.
If for any reason you want to disable the Sentinel, just select Deactivate and it will halt protection.
Once the Sentinel is activated, you can leave the log screen open to keep a running account of what is occurring, or simply minimize the application to place it in the task bar.
Used in conjunction with anti-virus software, the SharePoint Sentinel can be a powerful tool to prevent malicious activity, and it can detect malicious process activity in a manner similar to commercial AV software; however, it is by no means a standalone AV scanner.