Excel Services Security Best Practices: Common Security Settings

The administrative settings for the Excel Services Application are configured in the SharePoint Central Administration Web Application, on the Excel Services Settings page.

It is important to configure several areas of the Excel Services Settings. External Data controls the external data connections for Excel Calculation Services. Load Balancing determines how Excel Services Application sessions are spread across the Excel Calculation Services processes. Memory Utilization sets the memory allocated to Excel Calculation Services. Security is where the communication and web service settings are determined; authentication for the Excel Services Application is also configured here. Session Management controls session behavior for Excel Calculation Services. Workbook Cache holds the settings for caching workbook files in memory and on disk. The Excel Services Settings page also lets you configure the file access method and enable encryption for connections. All of these settings directly affect the security of any deployment.

Impersonation lets a thread run in the user's security context rather than that of the process account. This is a good idea when you want Excel Calculation Services to authorize users to access workbooks that are stored in HTTP or UNC locations. It has no bearing on workbooks that are stored in SharePoint Server 2010 databases. Most server farms run front-end web servers and Excel Calculation Services application servers on different computers. In that case impersonation relies on Kerberos constrained delegation. Excel Calculation Services can open workbooks from HTTP or UNC sites. However, the process account has to be used, because the user account cannot be impersonated.

Using SSL to encrypt data in transit is very important when you rely on Excel Calculation Services, data sources, client computers, or front-end web servers. To encrypt the data while it is being transmitted, set the Connection Encryption setting to Required. If it is left at Not required, which is the default, your data won't be as secure as it needs to be. When encryption is required, Excel Calculation Services only allows data to be transferred between client computers and front-end web servers over SSL. If you don't require encryption, you will have to configure SSL manually. This gives you encryption for the connections between client computers and front-end web servers. However, the connections between front-end web servers and Excel Calculation Services application servers can still be unencrypted.


Forefront for SharePoint High Memory Utilization

A client of mine today, who has a robust FSSP environment similar to the larger one I wrote about in this MSDN article:

http://msdn.microsoft.com/en-us/library/ee412237.aspx

or if you are just interested in the specific image:

http://i.msdn.microsoft.com/Ee412237.792e5c8b-f1b7-4cb4-9b87-5689c44973da(en-us,office.12).gif

was experiencing an abnormal amount of memory utilization on the WFEs I had built for them. While they wanted a quick fix, it is important to remember that the scanning processes of FSSP will consume memory depending on how you balance the engines being used. Forefront uses in-memory scanning (FSCRealtimeScanner.exe), and up to 5 scan engines can be employed, so each scan process will load the engines that you have enabled under SETTINGS>Anti Virus.

Each scanning process will generally consume ~200-300 MB of RAM, depending on the file being processed, since the file being scanned is loaded into memory. Thus, if a scan is being executed on a file that is 200 MB, a further 200 MB of RAM is utilized. Once the scan is complete, this memory returns to the available pool.

All this being said, the number of processes spawned can be explicitly reduced by modifying the RealtimeProcessCount registry value (HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint), which requires restarting the FSSP and SharePoint services. However, this should be approached with caution, since having several real-time processes allows FSSP to scan more than one file at a time, thus avoiding scan-related bottlenecks.

The only recommendation that can be made is to review the memory consumption to establish whether it is normal, and thus requires expanding the available RAM, or whether there is a separate problem.
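
One way to carry out the memory review recommended above, as an added example that is not part of the original post: the PowerShell script below reads RealtimeProcessCount and samples the working set of each FSCRealtimeScanner.exe process on a WFE. The registry path, process name and 200-300 MB figure come from the post; the sampling window and the "sustained" heuristic are assumptions.

```powershell
# Added example. From the post: registry key, value name, process name, 200-300 MB figure.
$RegPath     = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint'
$ProcessName = 'FSCRealtimeScanner'
$BaselineMB  = 300   # upper end of the per-process range quoted in the post
$Samples     = 12    # assumption: 12 samples ...
$IntervalSec = 5     # ... 5 seconds apart, about one minute of observation

# Read the configured number of real-time scan processes (read-only, nothing is modified).
$configured = (Get-ItemProperty -Path $RegPath -Name RealtimeProcessCount -ErrorAction Stop).RealtimeProcessCount

# Sample every scanner process and track minimum and peak working set per PID.
$stats = @{}
for ($i = 0; $i -lt $Samples; $i++) {
    foreach ($p in @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
        $mb = [math]::Round($p.WorkingSet64 / 1MB)
        if (-not $stats.ContainsKey($p.Id)) { $stats[$p.Id] = @{ Min = $mb; Peak = $mb } }
        $stats[$p.Id].Min  = [math]::Min($stats[$p.Id].Min,  $mb)
        $stats[$p.Id].Peak = [math]::Max($stats[$p.Id].Peak, $mb)
    }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSec }
}

$totalRamMB = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)

# Peaks above the baseline are expected while a large file is held in memory. A minimum
# that stays above it for the whole window suggests memory is not being returned to the
# pool (assumed heuristic, not a Forefront-documented threshold).
$rows = foreach ($id in $stats.Keys) {
    New-Object PSObject -Property @{
        PID       = $id
        MinMB     = $stats[$id].Min
        PeakMB    = $stats[$id].Peak
        Sustained = ($stats[$id].Min -gt $BaselineMB)
    }
}
$rows | Sort-Object PeakMB -Descending | Format-Table PID, MinMB, PeakMB, Sustained -AutoSize

"Configured RealtimeProcessCount : $configured"
"Scanner processes observed      : $($stats.Count)"
"Baseline estimate               : $($configured * $BaselineMB) MB of $totalRamMB MB physical RAM"
```

Run it during a busy upload period: if the baseline estimate already approaches physical RAM, the consumption is normal for the configuration, whereas processes flagged as sustained point to a separate problem.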
