Real World Example: Additional Security Considerations

                 

 
Special Edition Using Microsoft SharePoint Portal Server
By Robert Ferguson

Chapter 11. Planning and Managing Security


The following are some additional security measures that can be taken to further ensure the integrity of your information.

Controlling Web/Search Engine Indexing

If you are providing Internet access to your SharePoint Portal Server, your site will probably be located and crawled by Internet portal sites and search engine WebCrawler bots. These so-called Web Robots perform a function similar to the content crawling function of SharePoint Portal Server: they locate a Web site and follow all available links on the site, indexing what they find as they go. Managing this external search activity is important if you wish to restrict access to your site's pages, or to control what information on your Web site is recorded by search engines for inclusion in their indexes.

Most search engines and Web portals observe a set of standard methods for telling their Web Robots what your preferences are when they reach your site. If no specific directives are given to the contrary, most Web Robots will consider themselves welcome and will interrogate your site according to their design and objectives. To prevent this, you must instruct Web Robots to limit the scope of their crawling or prevent it altogether.

The most common method of controlling Web Robots involves the use of a file in the site's root directory called ROBOTS.TXT. This file can include restrictions on directories, exclusions for certain file types, or other limitations you wish observed when crawling your site. Web Robots should request this file when they first contact the server and process whatever directives you have in it. The following is a sample file instructing bots not to index the site http://www.mydomain.com/:

 # robots.txt file for http://www.mydomain.com/
 # directive that no robots should visit this site
 User-agent: *
 Disallow: /

If you are unable to use a ROBOTS.TXT file, for example if you do not have administrative access to the Web site root directory, there are alternative methods that are generally effective. The most common alternative is the use of META tags in the header of the site's HTML documents. The following example is the equivalent of the ROBOTS.TXT example file above:

 <META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"> 

HTML pages that include this tag should be neither indexed nor analyzed for links by Web Robots.
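
The following added example (not from the book) uses Python's standard library to check what a compliant Web Robot would conclude from the two samples above. The /portal/docs URL and the HTML page are constructed for illustration, and the audit function is a hypothetical helper.

```python
# Added example, not from the book. The /portal/docs URL and HTML page are constructed.
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

ROBOTS_TXT = """\
# robots.txt file for http://www.mydomain.com/
# directive that no robots should visit this site
User-agent: *
Disallow: /
"""
SAMPLE_HTML = """\
<html><head><title>Portal</title>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
</head><body><a href="/portal/docs">Documents</a></body></html>
"""


class MetaRobots(HTMLParser):
    """Collects the directives of every <meta name="robots"> tag."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            parts = (a.get("content") or "").lower().split(",")
            self.directives.update(p.strip() for p in parts if p.strip())


def audit(robots_txt, html, url, agent="*"):
    """What a compliant robot may do with `url`, given both mechanisms."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    meta = MetaRobots()
    meta.feed(html)
    d = meta.directives
    return {
        "crawl_allowed": rp.can_fetch(agent, url),
        "index_allowed": not ({"noindex", "none"} & d),
        "follow_allowed": not ({"nofollow", "none"} & d),
    }


if __name__ == "__main__":
    print(audit(ROBOTS_TXT, SAMPLE_HTML, "http://www.mydomain.com/portal/docs"))
```

The result describes only robots that honor these directives; neither mechanism enforces access control on the server.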

Physical Security

An often overlooked security measure is to limit physical access to server systems by locating them in a controlled environment. While network and logical security precautions may deter attempts at circumventing the access restrictions placed on your information, a knowledgeable person who can lay their hands on your server is often capable of gaining access to any information they choose.

The two most critical avenues for physical tampering are the system console and the floppy/boot drive. It is not uncommon for system administrators to leave servers unattended while logged in to the console with administrative privileges. A savvy passerby could easily load the administrative tools and create new administrative accounts, change access permissions, or destroy valuable data. Locking server consoles when administrative users are not present and limiting access to those consoles greatly reduce the likelihood of this type of security incursion. Additionally, if a savvy user can insert a bootable floppy into a server and power cycle it, it is possible to load Trojan software or run security hacking tools before the server operating system can be loaded and its security features enabled.

Patches and Updates

It is important for server administrators to keep their systems up to date with the most current available security patches and bug fixes. There are a number of open security forums and notification services available on the Internet, and software vendors regularly post update information to their support Web sites when new bugs have been identified. Since SPS runs on Microsoft IIS, it is particularly important to apply published system updates when available (http://windowsupdate.microsoft.com/). Microsoft Security (http://www.microsoft.com/security/) also posts security bulletins and strategy information that is invaluable for any server administrator.


                 


Special Edition Using Microsoft SharePoint Portal Server
ISBN: 0789725703
EAN: 2147483647
Year: 2002
Pages: 286
