Security for Windows SharePoint Services 2.0

SharePoint 2003

Updated: 08-22-2005

HTML Viewer helps decrease security risks by minimizing access points to Office 2003 by using only the portions of Office 2003 applications needed to convert files. The following sections discuss other HTML Viewer security issues.

Network Configuration

Files converted by the Office HTML Viewer are transmitted across a network between the server running Windows SharePoint Services and the HTML Viewer computer. The communication on this network is done without specific encryption, even if Secure Sockets Layer (SSL) is configured on the server running Windows SharePoint Services. To help minimize security risk, manage the network path between the server running Windows SharePoint Services and the HTML Viewer computer carefully. Only the server running Windows SharePoint Services and trusted personell should be able to access the HTML Viewer computer.

Temporary Internet Files

HTML files viewed by a user using a remote computer are saved by default to the local cache folder of the remote computer. HTML Viewer marks all cached files for immediate expiration at the end of the browser session. This helps limit access by unauthorized users to the content of the files.

Server-Side Cache Protection

To help protect the cache on the server running Windows SharePoint Services, every request to retrieve a cached file on the Windows SharePoint Services server is recorded by a .aspx file. In parallel, access to the requested source file for that HTML file is analyzed to determine if the user has the proper permission to view the file.

Restricted Access User Account

When HTML Viewer is installed to a computer, it automatically creates a user account that it uses to run Office applications and perform file conversions. This account has minimal privileges and can only access the resources needed to convert a file to HTML.

This helps prevent harm if a malicious user attempts to intentionally upload a file intended to take over the server. The user account created for the viewing service has access only to the temporary files used for creating the HTML files.

If the HTML Viewer service is ever removed from the computer, the user account is also removed.

This user account is named HVU_ Computer_Name.

You cannot change this account name, but, as security precautions, the account is used only when HTML Viewer is running, and the password for this account is reset each time HTML Viewer is started (when the computer is restarted or the service is stopped and then started again). If this account already exists on the computer, the service takes over the account and resets the password. The password is 120 characters long, randomized, and adheres to the strong password standard.

Blocking Files

If a file cannot be viewed or if it causes the HTML viewing process to fail, HTML Viewer will block the file until the original document is updated. Whenever a file is blocked, it cannot be converted.

Prior to submitting a file to the computer running HTML Viewer, the Windows SharePoint Services content database examines a list of file statistics. If a file requesting HTML viewing is marked as blocked, it is not submitted to the service. If this occurs, an error message is presented to the user stating why the file could not be converted. Possible failures include:

  • File took too long to convert.

  • File is password protected (encrypted).

  • File is corrupt.

This does not affect access to the original file. Anyone with access to the original file should still be able to open the file and use it (as long as it is not corrupt).

Maximum conversion time can be set from the Configure HTML Viewer page in SharePoint Central Administration.

Blocking SharePoint Sites

Multiple Windows SharePoint Services sites can use a single HTML Viewer computer. If a site requests a file and it causes one of the errors outlined previously, the HTML Viewer computer makes a note of the event. If more than 50 files submitted by a specific SharePoint site cause an error on the server within a 24 hour period, the entire SharePoint site is blocked by HTML Viewer and that SharePoint site cannot gain access to the server for the remainder of the calendar day. Currently, no method of resetting this process exists if an administrator corrects the behavior of the offending site. The SharePoint site is not granted access to the service until the next calendar day.

Managing the HTML Viewer Cache

When the cache of the computer running HTML Viewer fills up, the oldest unused HTML files will begin to be deleted from the cache. If a file was deleted from the cache, but is needed later, Windows SharePoint Services will automatically request an HTML file conversion and restore it to the cache. The only noticeable difference to users is a slight lag from the time the file is requested to the time it is converted and available for use.

Manually deleting files from the HTML Viewer cache is not recommended since the management of this folder is performed by the Windows SharePoint Services.

Antivirus Support in Windows SharePoint Services

To reduce the risk of malicious viruses, use the new antivirus feature available in Windows SharePoint Services. Running the antivirus service in conjunction with HTML Viewer reduces the possibility that a file processed by HTML Viewer will have a virus. The effectiveness of this feature is dependent on the updating of virus signature files released by the antivirus vendor. See the Windows SharePoint Services documentation for information about setting up virus scanners and a list of participating vendors who support this feature.

ActiveX Control References Within a File

References to OCX controls (ActiveX) in a document or file are not converted or passed through HTML Viewer. Information preceding the control and following the control is converted, but not the control itself. This is done to help reduce any possible security threat presented by a malicious control that potentially possesses a virus or has been modified to hold malicious code.

See Also