Excel Services Security Best Practices – Trusted File Locations

There are several trusted file locations that can be leveraged. They include UNC paths, HTTP websites, and SharePoint sites. These are all locations where the use of Excel Calculation Services are permitted to access workbooks. The location section of the Excel Services Add Trusted File Location Page is where you can configure information. This includes the location type, the address, and if there are child libraries of trusted file locations that can be trusted as well. Should you select trust children you will find that you have more control over management.

However, it is also important to point out that you can create a security issue if you have enabled subdirectories and sub sites to be trusted as soon as you create them. The Session Management section allows you to conduct configuration for settings so you can conserve your available resources. By doing so you will improve the performance and the security of Excel Calculation Services. If you have multiple users with various sessions of Excel Calculation Services open at the same time then performance will decrease. The best method for limiting this issue is to configure time out settings for sessions that are open and idle.

You can go to the Session Timeout settings to determine what intervals you wish to apply for the sessions to remain inactive before they are closed. There is the Short Session Timeout setting and the New Workbook Session Timeout. You can put information into the Maximum Request duration too. The values you place in any of these areas will help to control risk of denial of service for users. The Workbook Properties section allows you to be able to successfully configure the maximum size for workbooks, charts, or images that are opened through any Excel Calculation Services session. You want to apply such settings as performance and security can be compromised if such entities are too large. Should an application server that runs Excel Calculation Services fail or be shut down all of the open sessions on that server can be lost. If it is a standalone installation then the Excel Services Application can’t be accessed. That also means the workbooks can’t be accessed.

The External Data section allows you to determine if the workbooks will be stored in trusted file locations and then opened up in Excel Calculation Services and if they can access an external source of data. You can also decide if you want to set Allow External Data to none, trusted data connection libraries only, or trusted data connections libraries and embedded. With external data connections, they can only be accessed if they are linked from a workbook or they are embedded. Excel Calculation Services will check the list of trusted file locations before any workbook is opened. Should you select none, then the Excel Calculation Services will block attempts to access any external data source. If you want to manage data connections for several different authors then you should consider using trusted data connection libraries online. This will make it possible for all of the data connects in those workbooks to be generated by the workbook authors. They will have a trusted data connection library in place before they are able to use external data sources for access.

If you only have a few authors with workbooks then you should consider trusted data connection libraries and embedded. This will allow the authors of the workbooks to have direct connections to external data sources in their workbooks. They will have access to trusted data connection libraries even if the embedded links fail. The Warn on Refresh area of the External Data section there is the ability to decide if you want a warning to be on display before a workbook will refresh from an external data source. When you select Refresh Warning Enabled you will be able to have external data that doesn’t get refreshed automatically. Enabling the Display Granular External Data Errors gives you the option to have descriptive error messages on display. They can offer you information should you have connection problems that need fixed. This can help you with the troubleshooting aspect of the operations. You can use the Stop when Refresh on Open Fails if you want Excel Calculation Services to stop a workbook from opening up. The workbook will contain a connection that fails with Refresh on Open Data. When you select Stopping Open Enabled you will be able to have values that aren’t displayed when they are cached. Refresh on Open can be a success and if that is the case the values cached are purged. You can clear the Stop Open Enabled check box but you will risk the values in cache being displayed if Refresh on Open fails. The External Data Cache Lifetime is found in the External Data section. You have the opportunity to determine the maximum amount of time that the cached values will be available before they are considered expired.

You want to make sure you only have trusted users accessing the workbooks that are stored in the trusted locations. In order to accomplish this, make sure you enforce ACLS for all of your trusted file locations.
There are three scenarios you may consider when it comes to the deployment of the Excel Services Application with SharePoint Server 2010. They include:

  • Custom
  • Enterprise
  • Small department

There are several guidelines that you need to take into consideration with enterprise deployment. They include:

  • Never configure support for user defined functions.
  • Never allow workbooks to use data embedded data connections in order to have direct access to external data sources.
  • Always limit the use of data connection libraries for any external data source access that is from workbooks.
  • Always restrict the size of the workbooks that are allowed to open in Excel Calculation Services.
  • Be selective with the trust specific file locations.
  • Never enable Trust Children for trusted sites and directories.

With a small organization you want to consider the following guidelines in regards to deployment. Always enable trust for all file location that used by any users in the department for storing workbooks. Always enable Trust Children for your trusted directories and sites. Be selective when it comes to the access users have to specific file locations if you are experiencing problems.

With a custom deployment in place there are guidelines to consider. Configure log session time outs in the settings.

  • Enable Excel Calculation Services to open workbooks that are large in size.
  • Create a single trusted location for your deployment.
  • Don’t enable Trust Children for this specific trusted location.
  • Configure large data caches.