The workbook author is the one who controls which query is performed. A malicious author can construct
a query that, when executed by another user, can either steal data or change the information in the
database. Here’s how it works:
1. A malicious user creates a workbook that performs a query to an external data source that
   changes the database. For example, it might insert, update, or delete some records in a table.
   The user doesn’t need to have permissions to the database.
2. The malicious user creates a SharePoint page containing an Excel EWA Web Part that opens
   the workbook, which may have refresh on open.
3. The malicious user then sends the link to the page to a user who has permissions to the
4. When the second user accesses the page, the ECS opens the workbook and performs the
   malicious query using the second user’s permission.
In order to steal data, the malicious user can create a query that reads data from the database and stores
the query results into another database (to which the malicious user does have access).
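As an added illustration (not code from the book or from Excel Services), the Python sketch below is a review check a defender could run on a workbook's `xl/connections.xml` part before publishing it to a location that allows embedded connections: it flags embedded queries that can change data or copy rows elsewhere, and whether they refresh on open. The sample XML, server and table names are constructed, and the SQL keyword match is a heuristic, not a parser.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Heuristic keyword match, not a SQL parser (assumption: T-SQL style commands).
WRITE = re.compile(r"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|TRUNCATE|EXEC|EXECUTE)\b", re.I)
COPY = re.compile(r"\bSELECT\b.*\bINTO\b", re.I | re.S)

# Constructed sample of xl/connections.xml (names and servers are made up).
SAMPLE = """<connections xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <connection id="1" name="Sales" type="1" refreshOnLoad="1">
    <dbPr connection="Provider=SQLOLEDB;Data Source=db01" command="SELECT Region, Total FROM dbo.Orders" commandType="2"/>
  </connection>
  <connection id="2" name="Cleanup" type="1" refreshOnLoad="1">
    <dbPr connection="Provider=SQLOLEDB;Data Source=db01" command="SELECT 1; DELETE FROM dbo.Orders" commandType="2"/>
  </connection>
  <connection id="3" name="Copy" type="1">
    <dbPr connection="Provider=SQLOLEDB;Data Source=db01" command="SELECT * INTO OtherDb.dbo.Dump FROM dbo.Customers" commandType="2"/>
  </connection>
  <connection id="4" name="Shared" type="1" odcFile="http://sp/dcl/Sales.odc" onlyUseConnectionFile="1"/>
</connections>"""

def review_connections(xml_text):
    """Map connection name -> findings; connections with no findings are omitted."""
    report = {}
    for conn in ET.fromstring(xml_text).findall("m:connection", NS):
        db = conn.find("m:dbPr", NS)
        if db is None:
            continue  # no embedded query text to review
        command = db.get("command", "")
        findings = []
        if conn.get("onlyUseConnectionFile") != "1":
            findings.append("embedded definition")
        if WRITE.search(command):
            findings.append("modifies data")
        if COPY.search(command):
            findings.append("copies rows elsewhere")
        if conn.get("refreshOnLoad") == "1":
            findings.append("refresh on open")
        if findings:
            report[conn.get("name")] = findings
    return report

def needs_block(report):
    return sorted(n for n, f in report.items() if {"modifies data", "copies rows elsewhere"} & set(f))

if __name__ == "__main__":
    for name, findings in review_connections(SAMPLE).items():
        print(name, "->", ", ".join(findings))
```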
For certain trusted locations (for which only very few trusted authors can publish workbooks), the
administrator can allow external data access with embedded connections. It is assumed that these
trusted authors will not create malicious workbooks.
For the other less-trusted locations, the administrator should only allow external data using predefined
connections in trusted DCLs, or even no external data access at all. The assumption is that the
connections defined in a trusted DCL are safe. In addition, the administrator can turn on the Warn on Data
Refresh setting for the less-trusted locations. When this setting is on, the end users are warned that a
potentially risky data access will be performed (using their credentials).
The attacker cannot perform this by creating his or her own farm. Therefore, the external database
owner should not allow the non-trusted user to delegate Kerberos-constrained users’ credentials
through its farm.
Chapter 7 provides more details about trusted locations. Warn on Data Refresh and
Kerberos-constrained delegation are explained later in this chapter.
Attackers who are not farm users can try to steal information by using various means. For example, they
can try to use cross-site scripting to listen to messages sent over the wire, read files on the ECS machine,
or gain administrative rights to the farm. In addition, they could try to stage a denial of service attack by
using the server’s resources such as the network, CPU, or memory.
These attacks are not specific to external data queries. Their mitigations are described in Chapter 8.
This section describes the various security features that Excel Services uses to mitigate threats.