Authorized Web Parts and Applications

Because SharePoint Server 2007 is designed with a distributed administrative architecture, keep in mind that authorized users will be able to install Web Parts on a site. Authorized users can very easily download Web Parts that have been created on the Internet and then install those parts on their sites. Remember that site and portal administrators delegate the right to add Web Parts to a Web Parts page, and there are protections in place for the administrator to control how much a Web Part can do. Liberal delegation of this right might lead to compromised security in your SharePoint implementation. Unsuspecting users could download an infected or a compromised Web Part, install it, and expose your critical information to hackers on the outside.

Points to consider when creating policies in this area include the following:

• Prohibit downloading third-party software to your corporate systems.

• Require users to scan downloaded Web Parts before using them in a production system.

• Testing for viruses must be performed on a noncabled, stand-alone server.

• Multiple virus screenings must be performed on all downloaded software from the Internet to corporate systems.

• Virus scanning software must be employed on all SharePoint Server 2007 systems.

• Require that all third-party Web Parts be run in a test environment prior to deployment in a production environment.