Microsoft Office Tutorials and References
Protecting Against Attacks
Passwords in Data Connections
Excel allows a username and password embedded in a connection string to be saved. This username and
password are used to connect to an external data source, when the authentication settings are configured
The password is saved in clear text, so anyone who can open the workbook can read those credentials.
As a general rule, do not use this feature unless these credentials are well known. If you have to use
the feature, make sure you limit the number of users who have Open permissions to the workbook, and
give only View permissions to the other users. Users who have only View permissions cannot download
the workbook to read the credentials.
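The following audit script is an added example, not code from the original text. It assumes workbooks saved in the Open XML format (.xlsx/.xlsm), where data connections are stored in the xl/connections.xml part of the package, and reports which connections carry a password in their connection string without printing the password itself. The sample workbook and the function names are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, parse with defusedxml

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Keys that carry a secret in OLE DB / ODBC connection strings.
SECRET_KEY = re.compile(r"^(password|pwd)$", re.IGNORECASE)


def find_embedded_passwords(workbook):
    """Return (connection name, key) pairs for connections storing a password."""
    findings = []
    with zipfile.ZipFile(workbook) as pkg:
        if "xl/connections.xml" not in pkg.namelist():
            return findings  # workbook has no data connections
        root = ET.fromstring(pkg.read("xl/connections.xml"))
    for conn in root.findall("m:connection", NS):
        db = conn.find("m:dbPr", NS)
        if db is None:
            continue
        for part in db.get("connection", "").split(";"):
            key, sep, value = part.partition("=")
            if sep and SECRET_KEY.match(key.strip()) and value.strip():
                findings.append((conn.get("name"), key.strip()))
    return findings


def build_sample_workbook():
    """Constructed test package: one connection with a password, one without."""
    xml = (
        '<connections xmlns="%s">'
        '<connection id="1" name="Sales" type="1" savePassword="1">'
        '<dbPr connection="Provider=SQLOLEDB;User ID=report;Password=EXAMPLE;'
        'Data Source=db.example" command="SELECT 1"/></connection>'
        '<connection id="2" name="Public" type="1">'
        '<dbPr connection="Provider=SQLOLEDB;Integrated Security=SSPI;'
        'Data Source=db.example" command="SELECT 1"/></connection>'
        "</connections>" % NS["m"]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("xl/connections.xml", xml)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(find_embedded_passwords(build_sample_workbook()))
```

Run it over the workbooks in a trusted location before publishing them; any workbook it flags should have its connection changed or its Open permissions restricted as described above.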
Excel Services allows the process account to be used to read workbooks from UNC or HTTP locations.
Although this is not a classic spoofing threat, the result is similar: users are allowed to read a
workbook, even though they might not have permissions to it.
You should use SharePoint document libraries rather than UNC or HTTP locations to ensure that the end
user’s credentials are used to verify the permissions. For UNC and HTTP locations, you should use
impersonation rather than the process account. Using impersonation requires setting up
Kerberos constrained delegation to the UNC or HTTP server, which makes this deployment more difficult.
If you must use the process account, ensure that it is acceptable for all authenticated users to have
permissions to those files.
When the authentication settings for accessing external data are set to None in a workbook, the ECS
attempts to use the Unattended Account to connect to the external database. It optionally passes on a
username and password if they were specified as part of the connection string. While this is not a classic
spoofing attack, it results in all users using the same account.
The Unattended Account is not set by default, which disables this threat. If you do set up an Unattended
Account, use an account with very low permissions, so that it is useful only when a username and
password are defined on the connection string, or only against databases that contain public information.
Tampering with Data
Tampering with data means changing data in a malicious way. Following are examples related to Excel
Through Excel Services, a user adds, changes, or deletes data in a database that he or she would
not have permissions to otherwise.
A malicious attacker changes the information that is displayed to a legitimate user of the
system, tricking him or her into believing that the data of the workbook is different from what it