Cyberattack protection by default and other enhancements to SharePoint Server - September 2023

Author: Troy Starr, product manager in the SharePoint Server team

In this article:

• Cyberattack protection through AMSI
  
• SharePoint Server Subscription Edition Version 23H2 feature update
  

Customers rely on SharePoint Server to power a variety of critical on-premises collaboration and business productivity scenarios. Two years ago, we shared our vision to transform SharePoint Server into a more agile product with continuous innovation that emphasizes the specific needs of our on-premises customers. SharePoint Server Subscription Edition, which is our latest version of SharePoint Server, was launched to turn that vision into reality. Since that time we've released multiple feature updates for SharePoint Server Subscription Edition, bringing new and enhanced feature experiences to our on-premises customers.

Today we're delighted to share our latest step in this journey with a variety of announcements for SharePoint Server. While the majority of our investments continue to be focused on SharePoint Server Subscription Edition, we're also announcing security investments for SharePoint Server 2019 and SharePoint Server 2016.

Cybersecurity protection through AMSI

Why do we need additional cybersecurity protection?

Microsoft’s greatest responsibility is to keep our customers secure and this is a responsibility that we take seriously. In the past this involved identifying security issues in our products through internal security reviews and testing, as well as receiving vulnerability reports from partners in the security community. Product teams would then fix security vulnerabilities by releasing security updates for customers to install. While this approach represents a good foundation, it places a significant responsibility on customers to stay up to date with the latest security updates.

But this approach can't always protect customers from security attacks. Sometimes bad actors launch zero day attacks, exploiting security vulnerabilities that the software vendor isn't aware of and hasn't had the opportunity to develop a fix for yet. And even in the cases where software vendors have developed and released a fix for security vulnerabilities, customers may not have installed the latest security updates and therefore may still be vulnerable. This gives a window of opportunity for attackers to exploit these vulnerabilities to infect critical systems, steal customer data, or take actions to harm users and their data.

The need to minimize this window of opportunity for attackers to exploit vulnerabilities was clear. So the SharePoint team worked with partner security teams at Microsoft to explore new approaches.

Antimalware Scan Interface (AMSI) integration

The result of this partnership was to integrate cyberattack detection and protection capabilities directly into SharePoint Server. Microsoft first introduced Antimalware Scan Interface (AMSI) protection in SharePoint Server Subscription Edition via our Version 22H2 feature update. We then expanded the feature to SharePoint Server 2019 and SharePoint Server 2016 earlier this year.

How does AMSI protection work? It allows SharePoint Server to work with AMSI-compatible antimalware solutions such as Microsoft Defender to scan all web requests sent to SharePoint Server. Antimalware solutions examine each web request against their own signatures and heuristics to determine if a request is potentially malicious. If it's determined to be potentially malicious, they will block the web request before it's handed off to SharePoint Server to be processed.

The benefit of this approach is that antimalware signatures can be updated and distributed much more rapidly than product fixes for security vulnerabilities. And antimalware signature updates typically don't rely on customers to install them - they're updated automatically as needed. So customers can be protected from both old threats and emerging threats 24x7.

In fact, Microsoft already exercised this capability to protect customers against a recent security vulnerability. Microsoft released a security fix for CVE-2023-20357 in its June 2023 security update for SharePoint Server 2019. Under normal circumstances, customers would have to install this security update (or a newer security update) to be protected from this vulnerability. But customers who enabled AMSI integration and are using Microsoft Defender as their antimalware solution are also protected from this vulnerability, even if they haven't installed that security update. This is because Microsoft Defender can recognize attempts to exploit this vulnerability and will block those requests from being processed by SharePoint Server. While we still encourage customers to install the latest security updates, this demonstration of how we can leverage AMSI to block exploitation of a real security vulnerability is a great example of its future potential.

Enabling AMSI integration by default

Up until now, AMSI integration was an optional feature in SharePoint Server Subscription Edition, 2016, and 2016. Customers had to choose to enable its protection. If they were unaware that this feature had been introduced, they'd miss out on these benefits. This doesn't meet our goals of keeping customers secure by default.

So today we’re taking the important step of enabling AMSI protection by default. Starting with the September 2023 security updates we’re releasing for SharePoint Server Subscription Edition, 2019, and 2016, AMSI integration will be enabled on all web applications by default. Customers only need to install these security updates and run the SharePoint Products Configuration Wizard (or equivalent PowerShell cmdlets) to trigger the upgrade action that makes this change.

If for some reason customers don’t want AMSI protection, they still have the ability to disable it on a per-web application basis by following the steps in our Configure AMSI integration with SharePoint Server article. Future SharePoint updates won’t change this setting as long as customers have already run the upgrade action first introduced in the September 2023 security updates.

Introducing the AMSI health analyzer rule

Enabling AMSI protection by default isn’t the only enhancement we’re making to AMSI integration in SharePoint Server. Because this is such an important security feature, customers want assurance that it’s working correctly. That’s why we're also introducing a new SharePoint health analyzer rule for SharePoint Server Subscription Edition, 2019, and 2016.

This health analyzer rule will check to see if AMSI integration is enabled on any web application in the farm. If it is, the health analyzer rule will send simulated web requests through AMSI and verify that AMSI has successfully scanned it. If any web requests aren’t successfully scanned, the health analyzer rule will create a report in Central Administration which lists which servers in the farm experienced a failure and recommended steps to fix it.

SharePoint Server Subscription Edition Version 23H2 feature update

In addition to the significant security investments described above, we’re also proud to introduce the following new feature experiences and enhancements for SharePoint Server Subscription Edition in our Version 23H2 feature update. This feature update is now available in the security update for SharePoint Server Subscription Edition: September 12, 2023 (KB5002474), and will be included in each monthly public update going forward.

Custom branding in the Suite Bar

The SharePoint Server modern UX provides a powerful yet intuitive user interface that scales from desktop to mobile devices. However, the architecture of the modern UX limited the opportunities for organizations to apply custom branding to the Suite Bar, which is the global navigation bar that provides access to the App Launcher, contextual settings menu, and user welcome control in SharePoint sites.

SharePoint Server Subscription Edition Version 23H2 introduces the ability for organizations to apply custom branding in the Suite Bar to better align with their branding standards. SharePoint farm administrators will be able to specify custom text, logos, hyperlinks, and color schemes in the Suite Bar that apply to all sites within a web application.

SharePoint People Picker supports LDAPS (TLS connection encryption)

As organizations become more aware of the risks of unencrypted communication over a network, some are choosing to implement policies that require encryption for all network connections. HTTP is one of the most common protocols that organizations want to protect, but there are other network communication protocols as well. One of those is the Lightweight Directory Access Protocol (LDAP), which is used by applications to access directory services. The SharePoint People Picker feature uses LDAP to look up users and groups in Active Directory forests and domains. LDAP is not an encrypted protocol by default, although there are several options to enable encryption with it.

To better support organizations that want to require encryption for LDAP traffic, the SharePoint People Picker feature has added support for Secure LDAP (LDAPS) in SharePoint Server Subscription Edition Version 23H2. This allows the People Picker to use TLS connection encryption to protect LDAP traffic to TCP ports 636 and 3269.

Search crawler uses HTTP 1.1 by default

Previously, a SharePoint Search Service Application would crawl HTTP or HTTPS-based content sources using the HTTP 1.0 protocol. Although this is a valid version of the HTTP protocol, some network and security infrastructure may choose to block requests that use this protocol version.

To ensure better compatibility with modern network and security infrastructure, SharePoint Search Service Applications will now crawl HTTP and HTTPS-based content sources using the HTTP 1.1 protocol by default. HTTP 1.1 is a well-supported protocol across the ecosystem and we don't anticipate any negative impact as a result of this change in our default behavior.

Customers who wish to directly control which HTTP protocol version is used for each of their content sources can do so through new PowerShell cmdlet parameters.

SharePoint Framework (SPFx) component upgrades

SharePoint Server Subscription Edition Version 23H2 adds support for React version 16 and Office UI Fabric React 7, allowing developers to utilize these newer component versions in their SharePoint Framework solutions. Microsoft will continue to improve and expand the capabilities of SharePoint Framework in SharePoint Server Subscription Edition in future feature updates.

Manage feature release rings through PowerShell

When Microsoft released the Version 22H2 feature update for SharePoint Server Subscription Edition, it included the concept of feature release rings to support its new evergreen experience. Feature release rings allow Microsoft to introduce new feature experiences in stages. New feature experiences that are ready for production use are typically first introduced in the Early release ring. Once the new feature experiences are ready for all customers to use by default, they’re moved into the Standard release ring.

SharePoint Server Subscription Edition farms are in the Standard release ring by default, but organizations can choose to move their SharePoint farms to Early release or Standard release at any time. Up until now, organizations could only make this choice through the Feature Release Preference page in SharePoint Central Administration. This made it challenging to configure this preference in scripted deployments. Microsoft now adds new PowerShell cmdlets to manage the feature release preference in the farm.

For more information about these new feature experiences, see New and improved features in SharePoint Server Subscription Edition 23H2.

As you can see, Microsoft remains committed to delivering important innovation to our on-premises customers, from core infrastructure and security enhancements to delightful new end user experiences. We look forward to sharing even more new feature experiences with you in our next feature update, coming in the first half of next year.

Continue reading...