

Excel Services Best Practices

This topic contains a list of best practices for working with Excel Services.

Mitigating Threats

Anonymous Access and Information Disclosure

The following settings combination gives anonymous users access to any files in the share to which the process account has access. Therefore, the following combination of settings is not recommended, because of the possibility of information disclosure:

  • Anonymous access to Microsoft SharePoint Foundation is turned on.
  • You have a UNC trusted location and the Process account is turned on.

Note

The Process account is a global Excel Services setting that affects all trusted locations.

To view the Process account option

  1. On the Start menu, click All Programs.
  2. Point to Microsoft SharePoint 2010 Products, and then click SharePoint Central Administration.
  3. Under Application Management, click Manage service applications.
  4. On the Manage Service Applications page, click Excel Services Application.
  5. On the Excel Services Application page, click Global Settings.
  6. In the Security section, under File Access Method, locate the Process account option.

Denial of Service Attacks

In a denial of service attack against a Web service, an attacker generates very large, individual requests against the Web service. The purpose is to attempt to exploit the limits of one or more Web service input values.

We recommend that you use the Microsoft Internet Information Services (IIS) setting to set the maximum request size for the Web service.

Use the maxRequestLength attribute in the httpRuntime element in the system.web element to prevent denial of service attacks that are caused by users posting large files to the server. The default size is 4096 KB (4 MB).

For more information, see <httpRuntime Element> and <maxRequestLength Element>.
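As an added example (not part of the original documentation), the following Python sketch audits a web.config for the maxRequestLength setting described above, including `<location>` overrides that can silently raise the limit for one path. The sample configuration, the `upload.aspx` path and the policy ceiling are constructed assumptions.

```python
import xml.etree.ElementTree as ET

DEFAULT_KB = 4096  # default maxRequestLength stated on this page (4 MB)

# Constructed sample web.config: root limit tightened, one <location> override raised.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime maxRequestLength="2048" />
  </system.web>
  <location path="upload.aspx">
    <system.web>
      <httpRuntime maxRequestLength="102400" />
    </system.web>
  </location>
</configuration>"""


def request_limits(config_xml):
    """Return {scope: limit_kb} for the root and every <location> override."""
    root = ET.fromstring(config_xml)
    limits = {}
    scopes = [("(root)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    for scope, node in scopes:
        runtime = node.find("system.web/httpRuntime")
        if runtime is not None and runtime.get("maxRequestLength"):
            limits[scope] = int(runtime.get("maxRequestLength"))
        elif scope == "(root)":
            limits[scope] = DEFAULT_KB  # attribute absent: the default applies
    return limits


def over_limit(config_xml, policy_kb):
    """Scopes whose limit exceeds the ceiling (policy_kb is an assumed local policy)."""
    return sorted(s for s, kb in request_limits(config_xml).items() if kb > policy_kb)


if __name__ == "__main__":
    for scope, kb in request_limits(SAMPLE_WEB_CONFIG).items():
        print(f"{scope}: {kb} KB")
    print("over policy:", over_limit(SAMPLE_WEB_CONFIG, DEFAULT_KB))
```
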

Sniffing Between the Calling Application and the Web Service Computer

If the calling application and Excel Web Services are deployed to different computers, an attacker can listen to the network traffic for data transfer between the calling application and the Web service. This threat is also called "sniffing" or "eavesdropping."

To help mitigate this threat, we recommend that you:

  • Use Secure Sockets Layer (SSL) to set up a secure channel to protect data transfer between the client and the server. The SSL protocol helps to protect data against packet sniffing by anyone with physical access to the network.
  • Physically protect the relevant network if a custom application using Excel Web Services is running in a confined network—for example, if Excel Web Services is deployed on a Web front-end computer within the enterprise.

For more information, see Securing Your Network and SOAP Security.

For information about Excel Services topology, scalability, performance, and security, see the Microsoft SharePoint Server 2010 TechCenter.

Spoofing

We recommend that you use SSL to mitigate the threat of hijacked Web service IP addresses and ports, and to prevent attackers from receiving requests and replying on behalf of the Web service.

The SSL certificate is matched against a few properties, one of which is the IP address from which the message is coming. The attacker cannot spoof the IP address if it does not have the Web service SSL certificate.

For more information, see Securing Your Network.

User-Defined Functions in Excel Services

Strongly Named Dependencies

In some cases, a user-defined function (UDF) assembly depends on other assemblies that are deployed with it. These dependent DLLs load successfully if they are in the global assembly cache, or if they are located in the same folder as the UDF assembly.

In the latter case, however, it is possible for the load to fail if Excel Calculation Services has already loaded another assembly with the same name. (It fails either because the assembly is not strongly named, or because another version with the same name has been deployed and loaded.)

Consider the following scenario, with the following directory structure:

  1. C:\Udfs\Udf01

    The Udf01 folder contains:

    • Udf01.dll
    • dependent.dll (not strongly named)

    The Udf01.dll file has a dependency on the dependent.dll file.

  2. C:\Udfs\Udf02

    The Udf02 folder contains:

    • Udf02.dll (which depends on Interop.dll)
    • dependent.dll (which is not strongly named)

    The Udf02.dll file has a dependency on the dependent.dll file. Udf01.dll's dependency and Udf02.dll's dependency share the same name. But Udf02.dll's dependent.dll file is not the same as Udf01.dll's dependent.dll file.

Assume the following flow:

  1. Udf01.dll is the first DLL to be loaded. Excel Calculation Services looks for dependent.dll and loads Udf01.dll's dependency, which in this case is dependent.dll.
  2. Udf02.dll is loaded after Udf01.dll. Excel Calculation Services sees that Udf02.dll depends on dependent.dll. However, a DLL with the name "dependent.dll" is already loaded. Therefore, Udf02.dll's dependent.dll file is not loaded, and the currently loaded dependent.dll file is used as the dependency.

As a result, the object—in this case, the dependent.dll file that Udf02.dll needs—is not loaded into memory.

To avoid name collisions, we recommend that your dependencies have strong and unique names.

General
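As an added example (not part of the original documentation), the following Python sketch scans a UDF root folder for the collision described in the scenario above: the same DLL file name deployed in more than one folder with different content. It uses the file name as a stand-in for the assembly name and does not inspect strong-name signatures; the sample tree and its placeholder bytes are constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def find_name_collisions(udf_root):
    """Map each DLL file name that exists in several folders with differing
    content to the sorted list of folders that hold a copy."""
    seen = defaultdict(dict)  # lower-cased file name -> {folder: sha256}
    for folder, _dirs, files in os.walk(udf_root):
        for name in files:
            if name.lower().endswith(".dll"):
                with open(os.path.join(folder, name), "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                seen[name.lower()][os.path.relpath(folder, udf_root)] = digest
    return {
        name: sorted(copies)
        for name, copies in seen.items()
        if len(set(copies.values())) > 1  # same name, different bytes
    }


def build_sample_tree(root):
    """Constructed stand-in for the C:\\Udfs layout (placeholder bytes, not real DLLs)."""
    layout = {
        "Udf01": {"Udf01.dll": b"udf01", "dependent.dll": b"dependency build A"},
        "Udf02": {"Udf02.dll": b"udf02", "dependent.dll": b"dependency build B"},
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name, content in files.items():
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(content)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_name_collisions(root)


if __name__ == "__main__":
    for name, folders in demo().items():
        print(f"{name}: conflicting copies in {', '.join(folders)}")
```

Byte-identical copies in several folders are not reported, because loading either copy gives the same code. Any name that is reported is a candidate for a strong, unique name.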

Naming Managed-Code DLLs

To ensure that your assembly names are unique, use the fully qualified class name, following the namespace naming guidelines.

For example, use CompanyName.Hierarchical.Namespace.ClassName instead of Namespace.ClassName.
