Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Written By Randy Franklin Smith President Monterey Technology Group, Inc.

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Contents
Abstract ................................................................................................................................................................ 2 Introduction .......................................................................................................................................................... 3 The Unique Challenges of Protecting Unstructured Data ...................................................................................... 3 Understanding the Security Requirements of Unstructured Data ........................................................................... 3 Three Questions to Answer ................................................................................................................................. 4 Three Places to Look........................................................................................................................................... 4 Problems with Using Native Logging to Audit Documents.................................................................................. 5 Introduction ......................................................................................................................................................... 5 Windows File Servers .......................................................................................................................................... 5 Low-level Auditing Means Too Many Events ..................................................................................................... 5 Log Entries are Cryptic ..................................................................................................................................... 5 Permission Changes Generate Even More Events ............................................................................................ 6 File Sharing Appliances ....................................................................................................................................... 7 All the Challenges of Windows File Servers ...................................................................................................... 7 Plus More Challenges ...................................................................................................................................... 7 SharePoint .......................................................................................................................................................... 8 Advantages of SharePoint for Auditing Documents ........................................................................................... 8 Challenges of SharePoint for Auditing Documents ............................................................................................ 8 The Solution: Quest ChangeAuditor .................................................................................................................... 9 Solving the Problems of Native Auditing Tools...................................................................................................... 9 ChangeAuditor Capabilities ............................................................................................................................... 10 Quest ChangeAuditor for Windows File Servers ................................................................................................. 10 Quest ChangeAuditor for EMC and NetApp........................................................................................................ 12 Quest ChangeAuditor for SharePoint ................................................................................................................. 13 Conclusion.......................................................................................................................................................... 15 About the Author ................................................................................................................................................ 16

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Abstract
Unstructured data is a critical security risk and compliance concern for organizations. Your companys emails, documents and spreadsheets contain readily digestible, business-critical information, and your organization is generating more much more of those documents every day. How are you protecting that data? Unfortunately, as this technical brief explains, native auditing tools are cumbersome to use and limited in their functionality. Fortunately, Quest ChangeAuditor offers a comprehensive, easy-to-use alternative that delivers the tracking, auditing, alerting and reporting you need to ensure security and regulatory compliance.

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Introduction
The Unique Challenges of Protecting Unstructured Data
Unstructured data comes in many forms, including emails, documents and spreadsheets (hereafter referred to collectively as documents). This unstructured data is a giant security risk and compliance concern for organizations today for two reasons: the high information quality of these documents and the sheer amount of unstructured data.

High information quality Documents typically contain a much higher level of exploitable information than
the raw data found in databases and applications. For instance, a competitor would probably prefer to have an analysis written by a market analyst, complete with her conclusions, rather than the several gigabytes of data warehouse content that the analyst sifted through to produce the report. Moreover, important decisions and plans and the background behind them may be found nowhere but in documents. Therefore, while documents may not be the original record for many transactions and application records, they do contain an organizations most sensitive information in a format that is most easily consumed by criminal entities, the public or foreign states, which makes their security a critical business concern.

Sheer volume In addition, the amount of unstructured data that organizations must govern and protect today
is massive. In fact, according to Gartner Group, unstructured data accounts for 80% of business information at todays organizations, and, moreover, it is growing 1050x faster than structured data, which easily translates to growth of 800% over the next five years. 1 This means that sensitive data resides in highly exploitable formats all over todays information systems. Regulatory requirements and information security risk management apply equally to unstructured and structured data. In the end, information is information, regardless of format, and it must be protected. To protect information, you have to know what is happening to it. Therefore, organizations must establish an audit trail of access, modification and access control changes. Such an audit trail is a fundamental requirement for compliance regulations and commonly accepted information security practices.

Understanding the Security Requirements of Unstructured Data

Much attention has been focused on securing and protecting one type of unstructured data: email. Therefore, email archival and security solutions are fairly mature and have seen wide adoption. It is easier to secure email content than other documents because email is fairly centralized on email servers and in a handful (if not just one) email client application. Documents, on the other hand, reside in a variety of repositories and are accessed by a wide variety of client applications. Almost all organizations use Word, Excel, PowerPoint and Acrobat PDF files. Depending on industry, other file types are in play, such as AutoCAD documents. Malicious entities are specifically looking for and stealing documents of these file types. In fact, the recent Flame advanced persistent threat (APT) had a special module that scanned these file types and created catalogs with short document summaries that were sent back to Flames command and control servers for analysis by Flames operators and selection of desirable files for subsequent exfiltration.

1 http://www.computerworld.com/s/article/352399/XP_Deadline_Haunts_IT?source=CTWNLE_nlt_msft_2010-10-25.

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

But unstructured information should not be classified only in terms of application or file format. More important are the informations type, sensitivity and security requirements. For instance, documents may contain human resource information, customer data, patient health details, financial reports, product designs, marketing plans, intellectual property and trade secrets. Some information, like that for financial reporting, may not be particularly confidential but its integrity is paramount. On the other hand, we may not be particularly worried about someone improperly modifying customer information, but its confidentiality must be safeguarded.

Three Questions to Answer

To protect the confidentiality and integrity of documents the audit trail for unstructured data typically needs to answer three basic questions:

Whos been viewing these files? This of course applies to information types requiring confidentiality, such as
information about people (employees, customers, patients, students, members, alumni, and so on) and productrelated information (marketing plans, product design and other intellectual property).

Whos been modifying these files? The integrity requirement is often overlooked but it is the very basis of
financial reporting legislation like Sarbanes-Oxley.

What access control changes have occurred on these files? This question is critical to all documents deemed
sensitive, whether for confidentiality or integrity reasons, because a files permissions determine who can access and modify the information.

Three Places to Look

Answering these three questions requires taking into account the three main repositories where documents reside today:

Windows file servers In many organizations, Windows file servers (and earlier Netware servers) were the
only place where unstructured data existed. But to deal with new requirements and complexities, two other file repositories have gained prominence.

File-sharing appliances As the number of servers constantly increased and organizations recognized the total
cost of ownership associated with a full server operating system, it became apparent that a simpler appliance model was sufficient for providing basic shared volume file storage. Such appliances had a smaller physical footprint and promised to require less management by IT staff. Accordingly, over the past few years, much of the new storage added for unstructured data has been provisioned in the form of EMC and NetApp appliances.

SharePoint While basic file sharing provides a central place to store files, there is a growing need for content
management, versioning, collaboration and workflow for documents. Many organizations are increasingly using SharePoint document libraries to store and manage unstructured document data.

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Problems with Using Native Logging to Audit Documents

Introduction
To secure these repositories of unstructured data, organizations need to establish an audit trail of access, modification and access control changes. Such an audit trail is a fundamental requirement for compliance regulations and commonly accepted information security practices. All three of the major technologies used to store unstructured document data Windows file servers, file sharing appliances and SharePoint provide native audit capabilities, but it is impractical to rely on them for the critical audit trail required by todays compliance requirements. Lets look at the specific limitations of each technology.

Windows File Servers

Low-level Auditing Means Too Many Events Windows provides file system auditing through the Windows Security Log and the audit policy that determines which events are logged. Windows audits file access at the point that an application attempts to open a file for some type of operation (e.g., read, write or delete). Many applications, like Microsoft Office, open and close files many times for operations that appear to the users to be a single step. For instance, saving a Word document can easily create 12 (nearly identical) events in the Security Log. In fact, the low-level, literal nature of file system auditing means that Windows generates massive amounts of nearly identical events. Log Entries Are Cryptic In addition, the Windows Security Log is known for being cryptic and hard to understand. A key example is permission changes. Below is a permission change event generated by Windows auditing for the document Budget.doc:

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Permissions on an object were changed. Subject: Security ID: WIN-R9H529RIO4Y\Administrator Account Name: Administrator Account Domain: WIN-R9H529RIO4Y Logon ID: 0x1fd23 Object: Object Server: Security Object Type: File Object Name: C:\filesshares\financial\budget.doc Handle ID: 0x564 Process: Process ID: 0x8c0 Process Name: C:\Windows\explorer.exe Permissions Change: Original Security Descriptor: D:PAI(A;;FA;;;LA)(A;;FA;;;SY) (A;;FA;;;BA) New Security Descriptor: D:PARAI(A;;FA;;;SY)(A;;FA;;;BA)

As you can see, the event clearly identifies the file and the user who made the permission change. But what are the old and new permissions? The information is there in the Original and New security descriptors, but it is unreadable to human eyes because the permissions are expressed in SDDL (Security Descriptor Definition Language), which requires significant mental activity and time to translate into readable English. Permission Changes Generate Even More Events Moreover, permission changes also generate massive amounts of events because of how permission inheritance works in Windows. When you change permissions on a folder, that change is propagated down to all child objects and a folder high in your file system hierarchy may have tens or even hundreds of thousands of files beneath it. There is no way to disable auditing of inherited permissions, so a single permission change from the point of view of the administrator may cause thousands of audit events as the permission change trickles down subfolders and files.

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

File Sharing Appliances

All the Challenges of Windows File Servers Since file sharing appliances like those from EMC and NetApp are designed to replace and resemble a Windows file server and coexist in a Windows network, all of the issues just described apply to appliances as well. In other words, auditing documents with file sharing appliances produces massive event logs full of cryptic data. Plus More Challenges But file sharing appliances introduce some additional challenges, both minor and major. First, configuration of auditing and security log parameters can differ from Windows file servers, which creates additional complexity for IT staff. For instance, NetApp appliances support configuration of some audit policy settings by centralized group policy but other settings must be configured on the actual Filer appliance through cifs settings. An even more serious problem is that much of the functionality in appliances is based on Windows 2000/2003 functionality, such as the event ID schema. Windows 2008 servers use a new four-digit event ID schema for all Security Log events, while many appliances still generate the old three-digit event IDs of Windows 2003. Besides different ID numbers, these events have a slightly different format, which means that any filtering, alerting or reporting criteria must take into account both versions of each file access event. Windows 2008 File Access Event Same Event from Windows 2003 and Many File Sharing Appliances An attempt was made to access an object. Subject: Security ID: ACME\Administrator Account Name: Administrator Account Domain: ACME Logon ID: 0x1f41e Object: Object Server: Security Object Type: File Object Name: C:\sharedFiles\MasterEncryptionCode.txt Handle ID: 0x40 Process Information: Process ID: 0x1ac Process Name: C:\Windows\System32\cmd.exe Access Request Information: Accesses: DELETE Access Mask: 0x10000 Object Access Attempt: Object Server:Security Handle ID:144 Object Type:File Process ID:3156 Image File Name:C:\WINDOWS\system32\notepad.exe Accesses:WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) Access Mask:0x6

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

SharePoint
Advantages of SharePoint for Auditing Documents SharePoint provides important advantages for unstructured data and document management, especially for document lifecycle and integrity. For example, trying to establish an audit trail of modifications to documents stored on file servers or appliances is impractical for many file formats most notably, Microsoft Office documents. Whenever a user simply opens a document to read it, Windows and appliances log multiple modification events on that file for that user. This is because Office always modifies some metadata (e.g., who currently has the file open) even if the user actually makes no changes to the document. Therefore there is no way to distinguish between actual document changes and simple metadata updates. SharePoint offers a solution for this because Office and other applications use WebDAV for document I/O and is much more conservative with its updates to the document. In addition, SharePoint document libraries support versioning and check-in/check-out functionality. Because these operations are all trackable events, it is actually possible to identify and track actual modifications. Challenges of SharePoint for Auditing Documents However, SharePoints native audit functionality has significant limitations:

The audit log is buried in the SharePoint content database. To ensure the integrity of audit trails, logs must
be moved from the system where they are generated to a separate and secure archive. However, in SharePoint, the audit log isn't really a log it's a table in the SharePoint database. This makes it inaccessible for most log management solutions. This inability to collect the SharePoint audit log into a separate, secure log archive compromises its value as a high integrity audit trail.

SharePoint's audit log has no reporting. In Windows SharePoint Services, the log is totally inaccessible, and in
Office SharePoint Services, it's exposed only through a few rudimentary, impractical Excel reports. To illustrate, the following is an event (the viewing of a document) from the SharePoint audit log as shown in Excel:

SharePoint Foundation (aka Windows SharePoint Services) provides no interface for enabling auditing
at all. The audit log is there, but without custom programming, there's no way to turn it on, much less access the logs.

The built-in trimming feature of SharePoint's audit log can delete audit events before they are exported.
Some editions of SharePoint provide automatic log trimming of old events, but there is no way to ensure that events have been archived first.

SharePoint provides no way to manage audit policy. In a SharePoint farm, each site collection has its own
audit policy. Administrators have no way to enforce consistent audit policy across all site collections. When a new site collection is created, administrators must remember to access the site collection's audit settings page and enable auditing or the site will be unmonitored. This is especially troublesome for farms with self-service site collection enabled because new sites can be created directly by users without administrator involvement.

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

The Solution: Quest ChangeAuditor

Solving the Problems of Native Auditing Tools
Quest ChangeAuditor audits, alerts and reports on all changes and deletions made to Active Directory, Exchange, SharePoint, VMware, EMC, NetApp, SQL Server and Windows file servers all in real time and without enabling native auditing. A central console eliminates the need and complexity for multiple IT audit solutions. ChangeAuditor includes modules for Windows File Servers, SharePoint, EMC and NetApp, so no matter where your unstructured data resides, you have a consistent, unified window into whats happening to your documents. With ChangeAuditor, you can answer all three of the questions required to protect the confidentiality and integrity of documents:

Whos been viewing these files? Whos been modifying these files? What access control changes have occurred on these files?
ChangeAuditor fulfills the compliance and security requirement to audit unstructured data without the problems associated with native audit logging discussed above: Native Auditing Problem Windows generates massive amounts of nearly identical events. ChangeAuditor Solution ChangeAuditor captures change information without the need for native auditing, resulting in significant performance improvements and storage optimization. In addition, highly configurable audit policy allows administrators to exclude high traffic or safe accounts from being audited if desired, which keeps the audit database from becoming overloaded with unnecessary event information (noise). The Windows Security Log is cryptic and hard to understand. Windows 2008 servers and file sharing appliances use different event ID schemas. Logs and audit configuration are inaccessible external to SharePoint without special log binding agents. ChangeAuditor events are easy to understand and meaningful there is no SDDL or other cryptic content. The same event format is used for all object change and access events across all ChangeAuditor modules. ChangeAuditor stores audit data in one centralized and secure database. This provides the necessary separation of duties (SoD) between SharePoint administrators and security staff tasked with monitoring. Different methods and arcane knowledge are required to accurately configure auditing on each platform. ChangeAuditors central console eliminates the need for the complexity of multiple IT auditing solutions.

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

ChangeAuditor Capabilities ChangeAuditor Capabilities at a Glance

Auditing & Compliance ChangeAuditor can generate easy-to-understand and meaningful security and compliance reports on the fly. Built-in compliance library reports that are easy to customize make it simple to prove compliance for standards such as SOX, HIPAA, Payment Card Industry Data Security Standards (PCI DSS), Federal Information Security Management Act (FISMA) and SAS 70. Analysis ChangeAuditor analyzes critical configuration changes to your Windows environment, and then translates raw data into meaningful, intelligent data to help safeguard the security and compliance of your infrastructure. Real-time Alerting ChangeAuditor offers real-time alerts, Smart Alert technology, and in-depth reports on the activities taking place in your environment. Change Management ChangeAuditor helps tighten enterprise-wide change control policies by tracking user and administrator activity for account lockouts and access to critical settings. Guard your Windows environment from exposure to suspicious behavior or unauthorized access, and maintain compliance with corporate and government standards. Performance Optimization Native tools make it next to impossible to report and analyze what is happening on your network. Active Directory queries and native auditing put a strain on even the most efficient and bestarchitected networks, making it difficult to provide first-class service to your users, plan for migrations or disaster recoveries, and perform directory consolidations. ChangeAuditor, on the other hand, reduces the performance drag on servers by collecting events without the use of native auditing tools.

Quest ChangeAuditor for Windows File Servers

ChangeAuditor for Windows File Servers proactively tracks, audits, reports and alerts on vital changes in real time without the overhead of native auditing. You will instantly know who made what change when, where and from which workstation, and get the original and current values for fast troubleshooting. Then you can automatically generate intelligent, in-depth forensics for auditors and management, reducing the risks associated with day-to-day modifications. ChangeAuditor for Windows File Servers provides:

At-a-glance display User and administrator activity is tracked with detailed information including who, what,
when, where and from which workstation for change events, plus the original and current values for permission and ownership changes.

Real-time and "smart" alerts An alert is sent immediately when critical items are changed or when patterns of
changes occur, enabling administrators to respond without delay.

10

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Object protection Your most critical files and folders are protected from being modified or accidentally deleted. Better performance and reduced storage requirement ChangeAuditor captures change information without
the need for native auditing, resulting in significant performance improvements and storage optimization.

Centralized auditing You can manage, monitor and audit all file server changes from a single, easy-to-use
console, which streamlines the management of multiple servers and locations.

Configurable auditing Administrators can exclude high traffic or safe accounts from being audited, which
keeps the audit database from becoming overloaded with unnecessary event information.

Share auditing ChangeAuditor tracks all events related to shares, so access to shared files can be maintained. Reporting ChangeAuditor includes a comprehensive library of built-in reports that can easily be customized. Role-based access Auditors can run searches and reports without being allowed to make any configuration
changes to the application, and without requiring assistance from the administrator.

Figure 1. ChangeAuditor for Windows File Servers makes it easy to understand any change to your file servers.

11

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Quest ChangeAuditor for EMC and NetApp

The ChangeAuditor agents for EMC and NetApp provide the same real-time tracking, auditing, reporting and alerting as ChangeAuditor for Windows File Servers, also without the overhead of native auditing. Simply provision the ChangeAuditor agent on a Windows server near the appliances to be monitored, and audit activity is rolled up to the same ChangeAuditor Coordinator as all your other ChangeAuditor agents giving you a comprehensive view of all activity affecting unstructured data across your network.

Figure 2. ChangeAuditor offers agents for EMC and NetApp, giving you a complete view of all changes to unstructured documents in your environment.

12

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Quest ChangeAuditor for SharePoint

ChangeAuditor for SharePoint enables you to audit SharePoint faster, easier and more securely than native tools. It tracks, audits, reports on and alerts on changes to SharePoint farms, servers, sites, users, permissions and more in real time. It also translates events into simple terms, stores data in one centralized and secure database, and generates intelligent, in-depth reports to protect against policy violations, delivering the SharePoint tracking and governance organizations need today. With ChangeAuditor for SharePoint, youll have confidence that your organization can pass its next audit. ChangeAuditor for SharePoint provides:

Web-browser access You can run searches from anywhere using any Web browser, eliminating the need for
additional installations of ChangeAuditor consoles or configuration of user rights.

At-a-glance display ChangeAuditor tracks all user and administrator activity and provides detailed information,
including who, what, when, where and from which workstation, plus original and current values for all changes.

Server configuration change auditing ChangeAuditor tracks changes to SharePoint server configuration and
security changes that involve SharePoint users, permissions, farms, servers, site collections, lists and documents, which protects against system performance issues and security gaps.

Real-time and smart alerts Alerts are sent immediately to email and smartphones when critical items are
changed or when patterns of changes occur, which enables administrators to respond without delay whether in the office or out.

Event filter Searches from multiple SharePoint farms, servers and sites can be narrowed by event type, data
range, user account, and objects, enabling administrators to quickly pinpoint the source of a problem by eliminating the noise from safe, routine events.

Centralized auditing ChangeAuditor stores audit data in one centralized and secure database, providing the
necessary separation of duties (SoD) between SharePoint administrators and security staff tasked with monitoring.

Rapid reporting Preconfigured and customizable reports enable administrators to quickly satisfy auditor
requests and get back to their regular duties.

Dashboard reporting On the spot dashboard reporting on all or specific audited data enables upper management to gain swift insight to audited data without having to understand any architecture or administration.

Role-based access Role-based access enables auditors to run searches and reports but prevents them from
making any configuration changes to the application, so they can obtain the information they need without assistance from an administrator.

13

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Figure 3. ChangeAuditor for SharePoint tracks, audits, reports on and alerts on changes to SharePoint farms, servers, sites, users, permissions and more in real time.

14

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Conclusion
Protecting unstructured data is a security and compliance requirement that organizations cannot ignore. But document auditing presents difficult challenges that cannot be addressed with native auditing. In fact, event logging and change reporting for enterprise applications and services is cumbersome, time-consuming and, in some cases, impossible using native IT auditing tools. Because theres no central console, youve got to repeat the process for each server, and you end up with a huge volume of data and a myriad of reports. That means proving compliance or reacting quickly to events is a constant challenge. Your data security is also at risk because native event details are sparse and difficult to interpret. As a result, you may not find out about problems until it is too late. And because native tools cannot prevent a privileged user from clearing an event log, you could lose log data defeating the purpose of auditing in the first place. Fortunately theres Quest ChangeAuditor. With this awarding-winning tool, you can easily install, deploy and manage your environment from one central console. Tracking create, delete, modification and access attempts could not be any easier, and understanding what happened is a breeze because each event is displayed in simple terms, giving you the requisite six Ws: who, what, when, where, workstation and why, plus the previous and current settings. This breadth of data enables you to take immediate action when issues arise. Whether you are trying to meet mounting compliance demands or satisfy internal security policies, ChangeAuditor is the solution you can rely on. And you will avoid the drain that is placed on your systems when native auditing is enabled. Rely on ChangeAuditor to help you:

Achieve your complex compliance audit challenges with built-in reports for SOX, PCI DSS, HIPAA, FISMA, SAS
70 and more

Simplify IT governance to prevent internal and external security breaches Increase performance across the enterprise with change management software that offers detailed before and
after analysis with strong controls

Provide auditing and protection over unstructured data wherever it resides on your network

15

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

About the Author

Randy Franklin Smith is president of Monterey Technology Group, Inc. and creator of the UltimateWindowsSecurity.com Web site and training course series. Randy specializes in Windows security and is a Systems Security Certified Professional (SSCP), a Microsoft Most Valued Professional (MVP), and a Certified Information Systems Auditor (CISA). Randy is also the award-winning author of almost 300 articles on Windows security issues for publications such as Windows IT Pro, for which he is a contributing editor and the author of the popular Windows Security log series. Randy can be reached at rsmith@ultimatewindowssecurity.com.

16

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

2012 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose without the written permission of Quest Software, Inc. (Quest). The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 www.quest.com email: legal@quest.com Refer to our Web site for regional and international office information.

Trademarks Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners. UpdatedSeptember 2012

17

TECHNICAL BRIEF

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

About Quest Software, Inc. Established in 1987, Quest Software (Nasdaq: QSFT) provides simple and innovative IT management solutions that enable more than 100,000 global customers to save time and money across physical and virtual environments. Quest products solve complex IT challenges ranging from database management, data protection, identity and access management, monitoring, user workspace management to Windows management. For more information, visit www.quest.com. Contacting Quest Software PHONE 800.306.9329 (United States and Canada)

If you are located outside North America, you can find your local office information on our Web site. EMAIL MAIL sales@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at https://support.quest.com. SupportLink gives users of Quest Software products the ability to: Search Quests online Knowledgebase Download the latest releases, documentation and patches for Quest products Log support cases Manage existing support cases View the Global Support Guide for a detailed explanation of support programs, online services, contact information and policies and procedures. TBV-ProUnstDataFileServNetAppEMCSharePoint-US-TG-20120829

18