Lab 4: Securing Office Solutions that Use Managed Code Extensions

 

Lori Turner
Microsoft Corporation

March 2004

Applies to:
    Microsoft® Visual Studio® Tools for the Microsoft Office System
    Microsoft Office Professional Edition 2003
    Microsoft Visual Basic® .NET 2003

Summary: Demonstrates how to set up and provide security for Visual Studio Tools for Office solutions running from a local computer, a network share, or a Web server. (7 printed pages)

Contents

Introduction
Exercise 1: Using a Solution with Managed Code Extensions on the Local Computer
Exercise 2: Using a Solution with Managed Code Extensions on a Network Share
Exercise 3: Using a Solution with Managed Code Extensions on a Web Server
Exercise 4: Giving an Assembly a Strong Name
Next Steps

Download the VSTOLabs.exe sample file.

Introduction

The objective of this lab is to examine the Microsoft® .NET Framework security requirements for managed code extensions to load in Microsoft Office Excel 2003 and Microsoft Office Word 2003. The four exercises in this lab demonstrate how you can set up a Microsoft Office solution to run from a local machine, a network share, or a Web server, and how to strong name an assembly.

For testing the various security scenarios in this lab, use the WinFormInput project you created in Exercise 1 of Lab 1: Creating Projects Using Visual Studio Tools for the Microsoft Office System.

Estimated time to complete:

  • Exercise 1: Using a Solution with Managed Code Extensions on the Local Computer - 15 minutes
  • Exercise 2: Using a Solution with Managed Code Extensions on a Network Share - 15 minutes
  • Exercise 3: Using a Solution with Managed Code Extensions on a Web Server - 15 minutes
  • Exercise 4: Giving an Assembly a Strong Name - 25 minutes

For a link to all labs in this series, see Visual Studio Tools for the Microsoft Office System Training.

Note   The labs in this series are designed to be completed in order.

Exercise 1: Using a Solution with Managed Code Extensions on the Local Computer

The WinFormInput solution from Lab 1: Creating Projects Using Visual Studio Tools for the Microsoft Office System involves a managed code extension that loads from the local computer and relies upon a .NET Framework security policy for the user. You will examine the workbook and the corresponding security settings that allow the solution to run from the local computer.

Examine the custom document properties in WinFormInput.xls used by the managed code loader to load the managed code extension.

To examine the custom document properties

  1. Start Excel, and click Open on the File menu.

  2. Browse to locate C:\Labs\Lab1\WinFormInput\WinFormInput.xls.

  3. While holding the SHIFT key (to keep your code from executing), click Open.

    Note   To prevent your code from executing, you must press the SHIFT key while opening the document from the File menu. The code is not suppressed if you open the document from the Getting Started task pane.

  4. On the File menu, click Properties, and select the Custom tab to view the custom document properties for WinFormInput.xls.

    In the list of custom properties, notice the two properties required by the managed code loader to load your assembly when the workbook opens: _AssemblyName0 and _AssemblyLocation0. These properties are added to the workbook when you create a new Excel workbook project in Microsoft Visual Studio® .NET.

    _AssemblyName0 is the name of the assembly and _AssemblyLocation0 represents the path to the assembly. _AssemblyLocation0 may be a relative or absolute local, UNC, or HTTP path.

Next, examine the security policy for the WinFormInput solution.

To examine the security policy

  1. Open the Windows Control Panel, select Administrative Tools, and then select Microsoft .NET Framework 1.1 Configuration.
  2. In the .NET Configuration 1.1 window, expand the Runtime Security Policy node.
  3. Expand the node for User policies, expand Code Groups, expand All_Code, and then expand the Office_Projects node.

The Microsoft Office Project Wizard added a code group when you created the WinFormInput project. Examine the C:\Labs\Lab1\WinFormInput\WinFormInput_bin code group and its child code group C:\Labs\Lab1\WinFormInput\WinFormInput_bin\WinFormInput.dll to note the following:

  • The code group grants Execution permissions to the folder that contains the assembly and to all subfolders. The URL for the folder and its subfolders (file://C:/Labs/Lab1/WinFormInput/WinFormInput_bin/*) is used as evidence of membership to the code group.
  • The child code group grants FullTrust permissions to the assembly and uses the URL to the assembly (file://C:/Labs/Lab1/WinFormInput/WinFormInput_bin/WinFormInput.dll) as evidence of membership to the group.
  • The WinFormInput solution does not require a .NET Framework security policy for the workbook because the workbook is opened from a folder on the local computer.

Exercise 2: Using a Solution with Managed Code Extensions on a Network Share

This section illustrates how you can create .NET Framework security policies to load and run the WinFormInput solution on a network share. To load an assembly from a network share, you must grant full trust at the machine level to the assembly. If you intend to load the workbook from a network share, you must also grant full trust at the machine level for the workbook.

To create a network share

  1. Copy the folder C:\Labs\Lab1\WinFormInput and all of its contents to C:\Labs\Lab4.
  2. In Windows Explorer, create a share named "WinFormInput" for the folder C:\Labs\Lab4\WinFormInput and give Everyone Read permissions to the share.

To create a machine-level policy for referencing the assembly on the share

  1. In the .NET Configuration 1.1 window, expand the Runtime Security Policy node.
  2. Expand the node for Machine policies, expand Code Groups, and expand All Code.
  3. Right-click LocalIntranet_Zone and click New on the shortcut menu.
  4. Enter the name WinFormInput Assembly for the new code group, and click Next.
  5. In the condition type drop-down list, select URL, enter the URL for the assembly (file://yourcomputer/WinFormInput/WinFormInput_bin/WinFormInput.dll), and click Next.
  6. Select the FullTrust permission set, and click Next.
  7. Click Finish.

To create a machine-level policy for referencing the workbook on the share

  1. In the .NET Configuration 1.1 window, right-click the LocalIntranet_Zone node under the machine-level code groups, and click New on the shortcut menu.
  2. Enter the name WinFormInput Workbook for the new code group, and click Next.
  3. In the condition type drop-down list, select URL, enter the URL for the workbook (file://yourcomputer/WinFormInput/WinFormInput.xls), and click Next.
  4. Select the FullTrust permission set, and click Next.
  5. Click Finish.

After changing or creating a policy, you should quit all instances of Excel for your policy to take effect. Verify that no instances of Excel.exe are running using Windows Task Manager.

To run the code

  1. Start Excel.
  2. Open WinFormInput.xls from the network share (\\yourcomputer\WinFormInput\WinFormInput.xls). The managed code extension executes.

Exercise 3: Using a Solution with Managed Code Extensions on a Web Server

Note   You must have Internet Information Services (IIS) installed on your local computer to complete Exercise 3.

First, create a virtual directory for the WinFormInput solution.

To create a virtual directory for the solution

  1. In Windows Explorer, locate the folder C:\Labs\Lab4\WinFormInput.

  2. Right-click the WinFormInput subfolder and click Sharing and Security on the shortcut menu.

    The WinFormInput Properties dialog box appears.

  3. In the dialog box, select the Web Sharing tab, and select Share this folder.

    The Edit Alias dialog box appears.

  4. Click OK to accept the default settings.

  5. Click OK to close the WinFormInput Properties dialog box.

Next, modify your security policies in the .NET Configuration 1.1 window.

To modify the security policies

  1. Change the URL for your WinFormInput Assembly code group to http://localhost/WinFormInput/WinFormInput_bin/WinFormInput.dll.
  2. Change the URL for your WinFormInput Workbook code group to http://localhost/WinFormInput/WinFormInput.xls.

After changing or creating a policy, you should quit all instances of Excel for your policy to take effect. Verify that no instances of Excel.exe are running using Windows Task Manager.

To run the code

  1. Start Excel and click Open on the File menu.

  2. Type http://localhost/WinFormInput/WinFormInput.xls, and click Open.

    WinFormInput.xls opens from your Web server and the managed code extension runs.

Exercise 4: Giving an Assembly a Strong Name

Thus far, your code groups have trusted the assembly using the URL to the assembly as evidence. In production, it is recommended that you do not simply trust the project using the URL as evidence, but instead rely on other forms of evidence, like a signature, a publisher key, and/or a strong name.

To create a strong name for an assembly

  1. Click Start, point to All Programs, point to Microsoft Visual Studio .NET 2003, point to Visual Studio .NET Tools, and click Visual Studio .NET 2003 Command Prompt.

  2. Execute the following command to create a strong name key pair:

    sn -k "c:\Labs\Lab4\WinFormInput.snk"
    
  3. Close the Command Prompt window.

  4. Start Visual Studio .NET and open C:\Labs\Lab4\WinFormInput\WinFormInput.sln.

  5. Using Solution Explorer, open AssemblyInfo.vb in the WinFormInput project.

  6. Change the AssemblyVersion in AssemblyInfo.vb:

    <Assembly: AssemblyVersion("1.0.0.1")>
    
  7. Add the following line at the end of AssemblyInfo.vb:

    <Assembly: AssemblyKeyFile("c:\Labs\Lab4\WinFormInput.snk")>
    
  8. On the Build menu, choose Build Solution to build the assembly against the strong name key pair.

Next, you create a new code group for your assembly that uses the strong name instead of the URL as evidence of membership to the code group.

To create a new code group for your assembly

  1. Open the .NET Framework Configuration 1.1 window.

  2. Right-click the Office_Projects node under the User level code groups, and click New on the shortcut menu.

  3. Enter the name WinFormInput Strong Name for the new code group, and click Next.

  4. Change the membership condition to Strong Name.

  5. Click the Import button, browse to C:\Labs\Lab4\WinFormInput\WinFormInput_bin\WinFormInput.dll, and click Open.

  6. Select Name and Version, and then click Next.

  7. Click Next to accept the FullTrust permission set, and then click Finish.

  8. Start the Visual Studio .NET Command Prompt and execute the following command to retrieve the PublicKeyToken for the assembly:

    sn -Tp "c:\Labs\Lab4\WinFormInput\WinFormInput_bin\WinFormInput.dll"
    
  9. Record the PublicKeyToken that is displayed in the command window.

    Note   The PublicKeyToken is only the last line of output in the command window.

    After changing or creating a policy, you should quit all instances of Excel for your policy to take effect. Verify that no instances of Excel.exe are running using Windows Task Manager.

  10. Start Excel, and click Open on the File menu.

  11. Browse to select C:\Labs\Lab4\WinFormInput\WinFormInput.xls.

  12. While pressing the SHIFT key to keep the code from executing, click Open.

  13. On the File menu, click Properties and select the Custom tab.

  14. Change the _AssemblyName0 property as follows:

    WinFormInput,Version=1.0.0.1,PublicKeyToken=fba54482d0c05750
    

    Note   Use the PublicKeyToken string you recorded earlier.

  15. Save your changes to WinFormInput.xls and close the workbook.

  16. Open C:\Labs\Lab4\WinFormInput\WinFormInput.xls. The managed code extension executes.
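
The code groups from Exercise 2 (URL evidence, machine level) and Exercise 4 (strong name evidence, user level) can also be created and checked with caspol.exe, the command-line counterpart of the .NET Configuration 1.1 window. This script is an added example, not part of the original lab; it assumes the lab's paths and group names, the yourcomputer placeholder host, and that it is run from the Visual Studio .NET 2003 Command Prompt.

```batch
@echo off
rem Added example: caspol.exe equivalents of the code groups this lab creates
rem in the .NET Configuration 1.1 window. "yourcomputer" is the lab's
rem placeholder host name. caspol asks for confirmation before each change.

rem Exercise 2: machine-level groups under LocalIntranet_Zone, URL evidence.
rem Anything served from these exact URLs is a member, whatever its content.
caspol -m -ag LocalIntranet_Zone -url "file://yourcomputer/WinFormInput/WinFormInput_bin/WinFormInput.dll" FullTrust -n "WinFormInput Assembly"
caspol -m -ag LocalIntranet_Zone -url "file://yourcomputer/WinFormInput/WinFormInput.xls" FullTrust -n "WinFormInput Workbook"

rem Exercise 4: user-level group under Office_Projects, strong name evidence.
rem -strong -file reads the public key from the signed assembly; the name and
rem version arguments correspond to selecting Name and Version in the wizard.
caspol -u -ag Office_Projects -strong -file "C:\Labs\Lab4\WinFormInput\WinFormInput_bin\WinFormInput.dll" WinFormInput 1.0.0.1 FullTrust -n "WinFormInput Strong Name"

rem Review the resulting policy: list the code groups at each level.
caspol -m -lg
caspol -u -lg

rem Show which code groups the assembly matches from each location. A rebuilt
rem assembly with a different key or version no longer matches the strong
rem name group, while the URL groups keep matching any file at that address.
caspol -rsg "\\yourcomputer\WinFormInput\WinFormInput_bin\WinFormInput.dll"
caspol -rsg "C:\Labs\Lab4\WinFormInput\WinFormInput_bin\WinFormInput.dll"
```

As with changes made in the configuration window, quit all instances of Excel before testing the new policy.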

Troubleshooting Security

Your best resource for troubleshooting security for Office solutions that use managed code extensions is the Visual Studio Tools for Office documentation. For more information on troubleshooting specific problems, see Troubleshooting Office Solutions That Use Managed Code Extensions.

Next Steps

Lab 5: Deploying Office Documents that Use Managed Code Extensions introduces some of the methods you can use for deploying your Microsoft Office 2003 managed code solutions and discusses some of the security issues.

For more information, as well as links to other labs in this series, see Visual Studio Tools for the Microsoft Office System Training.