The first way is through the use of Windows Authentication. To allow this method, the access model
between the WFE and the ECS must be set to Delegation. In addition, the database must be on the same
machine as the ECS, or the administrator must enable Kerberos-constrained delegation between the ECS
and the database. When using this method, the end user’s credentials are delegated to the WFE, the
ECS, and then the database.
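An added check for the Windows Authentication model described above (example code, not from the book): before relying on Kerberos constrained delegation from the ECS to the database, confirm that the ECS computer account is constrained to the SQL Server service and not trusted for unconstrained delegation. It assumes the ActiveDirectory PowerShell module and the hypothetical names ECS01 and SQL01.

```powershell
# Added example, not part of the original text. Audits the delegation settings
# of the ECS computer account in Active Directory. ECS01 and the SQL SPN are
# hypothetical placeholders; replace them with your own host and SPN.
Import-Module ActiveDirectory

$ecsHost = 'ECS01'                                   # hypothetical ECS computer name
$sqlSpn  = 'MSSQLSvc/SQL01.corp.example.com:1433'    # hypothetical SQL Server SPN

$acct = Get-ADComputer -Identity $ecsHost -Properties `
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# Unconstrained delegation lets the ECS reuse any user's ticket against any
# service; the book's model only needs delegation to the database.
if ($acct.TrustedForDelegation) {
    Write-Warning "$ecsHost is trusted for UNCONSTRAINED delegation; restrict it to the database SPN."
}

# Protocol transition ("use any authentication protocol") widens the trust
# further than plain Kerberos-only constrained delegation.
if ($acct.TrustedToAuthForDelegation) {
    Write-Warning "$ecsHost allows protocol transition; prefer Kerberos-only delegation."
}

$targets = @($acct.'msDS-AllowedToDelegateTo')
if ($targets -contains $sqlSpn) {
    Write-Output "OK: $ecsHost may delegate to $sqlSpn (constrained)."
} else {
    Write-Output "No constrained delegation to $sqlSpn; end-user credentials will not reach the database unless it runs on the ECS host."
}

# List every service the ECS may delegate to, so extra targets stand out.
$targets | ForEach-Object { Write-Output "  allowed target: $_" }
```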
The second way is to use SSO. To allow this method, SSO must be set up on the server, and the user
must be given certain mapped credentials for this database in SSO. The ECS asks SSO for those
credentials, and uses them to connect to the database.
The last way is to not use any credentials that are related to the end user. Rather, a predefined Unattended
Account is used to connect to the database, optionally passing in a username and password that were
saved in the workbook on the connection string. You can set the Unattended Account username and
password in the External Data section of the Excel Services administration settings.
Protecting Against Attacks
In the first part of this chapter, you learned how to set up the server to allow users to see workbooks and
the data contained in them according to their permissions. This was based on a normal working scenario,
in which the permission limitations were set because of various business rules.
In addition to functioning in normal scenarios, security must be able to protect against malicious attacks.
In today’s world of cybercrime, security and protection against such attacks play an ever-increasing role.
Threats
There are many types of possible attacks against the server. One way to categorize them is by what they
are trying to achieve. In this section, you learn about the various categories of threats, the features that
Excel Services has to protect against those threats, and additional recommendations on how to configure
and administer the server in a secure way.
The following threat categories are addressed in this section:
Spoofing — Impersonating another user in an unauthorized way.
Tampering with data — Changing data in a database or data that is displayed in a malicious way.
Repudiation — Doing something (usually a bad thing) without a way for the system to know and
prove it.
Information disclosure — Stealing private information.
Denial of service — Reducing the availability of the server, possibly by overloading it.
Elevation of privilege — Gaining access to higher privileges than were intended for the user.