Tải bản đầy đủ - 0 (trang)
Chapter 26. Exploring Security in Depth

Chapter 26. Exploring Security in Depth

Tải bản đầy đủ - 0trang

26.1.SecurityLayers

Whenit'scoldyoudressinlayers,andsecurityworksthesame

way.Theouterlayerisafirewall,preventingattacksfromthe

Internet.Next,virusdetectionsoftwarescanspermitted

attachmentsandotherfilesfrombringinginmaliciouscode.

Then,operatingsystemsecuritydefinesusersandtheir

permissions.Finally,Excelprovidesitsownsecuritylayer.

Datamostatriskisthatwhichissharedoutsideoftheselayers,

suchasaworkbookpostedonapublicserver.Inthatcase,

Excelbecomestheprimarysecuritylayer.Ofcoursenotalldata

needsthesamelevel(ortype)ofprotection.Therefore,Excel

itselfprovideslayersthroughthesesecurityapproaches:

Passwordprotectionandencryptioncontrolreadandwrite

accesstoworkbooks.

Worksheetprotectionpassword-protectsitemswithina

workbookandalternatelycanauthorizechangesbasedon

userlists.

User-basedpermissionsallowauthorstolimittherightsof

otherstoread,change,print,copy,ordistributea

document.Permissionscanalsosetanexpirationdatefora

document.

Digitalsignaturesidentifytheauthorofadocument,

ensuringthatadocumentistheauthenticoriginalnota

modifiedorspoofcopy.Signaturescanalsobeappliedto

macrosandActiveXcontrolstoensuretheircodeisfroma

trustedsource.

Macrosecuritylevelsdeterminewhatleveloftrustis



requiredbeforeExcelwillruncodeincludedinworksheets,

templates,add-ins,orSmartdocuments.

ActiveXcontrolsecuritylevelssimilarlylimitwhichcontrols

Excelwilltrust.

TheOfficeAntiVirusAPIprovidesaninterfaceforantivirus

softwaretoscandocumentsformaliciouscodebeforethey

areopened.

Thecustominstallationwizardpermitsadministratorsto

configurewhichsecurityoptionsareenabledduring

installationonusers'machines.

Thesesecurityapproachescanbecombinedtoprovideahigh

levelofassurancewhilestillallowingfilestobeshared,macros

toberun,and(ultimately)worktobedone.Therestofthis

chapterdiscusseseachoftheseapproaches,alongwith

Windowsfilesecurity,thenprovidesalistofcommonsecurity

tasksanddescribeshowyoucompletethosetasksby

combiningExcelsecurityfeatures.



26.2.UnderstandWindowsSecurity

BeforewetalkaboutExcelsecurity,itisimportanttoexplain

somegeneralconceptsrelatedtotheWindowsoperating

system.Thismayseembasictosomeofyou,butWindows

securityfeaturesaresomewhathiddenandit'sagoodideato

coverthemsomewhere.

Permissionsareasetofcapabilitiesthatsomeonehasor

doesn'thave.Permissionsapplytofilesandlocations,so

someonemaybeabletoopenaspecificfolder,seefiles,butnot

writetothatfolderoreditthefilesitcontains.

UsersareidentitiesthatWindowsusestocontrolaccess.When

yousignonwithausernameandpassword,Windows

authenticatesthatinformationandthereafteridentifiesyouas

machinename\usernameifyournetworkusesworkgroupsor

domainname\usernameifyournetworkusesdomains.Your

identityisthenusedanytimeyourequestpermissiontousea

resource,suchasopenafileorrunanapplication.Ifyour

identityhaspermissiontousethatresource,youaregranted

accessandtherequestedfileopensortheapplicationruns.

Groupsarethesecuritygroupstowhichausernamebelongs.

Windowscomeswithsomegroupsalreadyconfigured:

Administrators,Users,Guests,BackupOperators,andPower

Users.Groupsprovideaneasywaytograntasetof

permissionstoasetofusersratherthanhavingtogrant

permissionstomanyindividualusers.

Certificatesanddigitalsignaturesaresmallidentifiersthatcan

beattachedtoadatafileorexecutablethatidentifytheauthor

ofthefileorexecutable.Certificatesareissuedbyathird-party

certificateauthority(sometimescalledaCA),suchasVerisign,

whichprovidestheservicethatauthenticatescertificates.The

ideahereisthatifauserknowswhotheauthorofaparticular



fileis,heismorelikelytotrustthatitwillnotharmhis

computer.



26.2.1.SetFilePermissionsinWindowsXP

Howyousetpermissionsisnotobviousfromthedefaultsetup

ofWindowsXP.First,youmustdisabletheUseSimpleFile

SharingfolderoptioninWindowsExplorer,asshowninFigure

26-1.



Figure26-1.Disablesimplefilesharingin

WindowsXPtosetpermissions



Tosetpermissionsonafolderorfile:

1. InWindowsExplorer,selectthefileorfoldertoset

permissionsonandselectPropertiesfromtheFilemenu.

2. SelecttheSecuritytabonthePropertiesdialogbox(Figure

26-2).Thetoplistdisplaysusergroupsandindividualusers

withpermissionsfortheitem.Thebottomlistshowsthe

permissionsassignedtoeachgrouporuser.

3. Selectagrouporuser,thenassignordenypermissionsby

clickingontheboxesinthepermissionslist.ClickOKwhen

done.



Figure26-2.Settingpermissions



Ifyou'reunfamiliarwithhowthisworks,it'sagoodideato

experimentwithafile.Forexample,createanExcelworkbook

namedBook1.xls,thendenyFullControlforyourusername.

OK,thentrytoopenBook1.xlsinExcelyou'llgetanAccess

Deniederror.NowchangethefilepermissionstoallowRead&

ExecutebutdenyWriteaccess.You'llbeabletoopenthefilein

Excel,butyoucan'tsaveitasBook1.xls.

Thesepermissionsdon'thavemuchmeaninginthepreceding

examplebecauseyoucanalwayschangethembacktoallow

writingorwhatever.Youownthefilesoyoucandowhatever

youlike.Permissionsettingsaretrulysignificantwhenafileis

sharedwithotherusers,suchaswhenthefileisplacedina

publicnetworkaddress.

Forexample,ifyouwanttoallowotherstoreadworkbooksbut

nottomakechanges,asimplesolutionistocreateashared

folderthatdeniesWritepermissiontoeveryonebutyou.



26.2.2.ViewUsersandGroupsinXP

WhenyousetupuseraccountsfromtheWindowsXPControl

Panel,youhavethreetypesofaccountsavailable:Computer

Adminstrator,Limited,andGuestaccounts.Theseaccounts

correspondtotheAdministrator,User,andGuestaccount

groupswithinWindows.Thesearen'ttheonlygroupsavailable,

however.Toviewallthegroups:

1. FromtheControlPanel,runAdministrativeTools.Windows

runstheMicrosoftManagementConsole(MMC).

2. ClickLocalUsersandGroupsintheleftpanetoexpandthat

item.

3. SelecttheGroupsfoldertodisplayalistofGroups



4. Double-clickonagrouptoviewalistoftheusersthat

belongtothatgroup(Figure26-3).



Figure26-3.ViewingmembersofagroupinMMC



Yourlistofgroupsmaybedifferentfromthelistshownin

Figure26-3becauseapplicationsoftenaddgroupsandthenadd

usersasmembersofthosegroups.Ifyouclickaroundand

exploreabit,you'llseethatyoucan'tsetthepermissionsof

groupsorusersthroughtheMMC.That'sbecausepermissions

aresetonobjects,notonidentities.

Forexample,afolderinWindowsmayallowusersthatbelong

totheAdministratorsgrouptoreadandwritefiles,butallow

Usersgroupmembertoonlyreadthosefiles,andprohibit



Guestmembersfromevenreadingfiles.Inthiscase,thefolder

isthesecurityobjectthatdefinesthepermissionsforgroups

thathaveaccess.

Applicationssometimescheckwhetherauserbelongstoa

certaingroupbeforeallowinghertoperformatask.Thisis

referredtoasrole-basedsecurity.







26.3.Password-ProtectandEncryptWorkbooks

Passwordsareasimplewaytoprotectsensitivedataina

workbook.Youcanusepasswordstoencryptaworkbookto

provideaddedsecurity.Encryptionpreventshackersfrombeing

abletoreadyourworkbookbydisassemblingthefileinsome

way.

ToaddapasswordtoaworkbookinExcel:

1. ChooseSaveAsfromtheFilemenu.ExceldisplaystheSave

Asdialogbox.

2. OntheSaveAsdialogbox,clicktheToolsmenuandselect

GeneralOptions.ExceldisplaystheSaveOptionsdialogbox

showninFigure26-4.



Figure26-4.UseSaveOptionstoaddpasswords

andencryption



3. Enterpasswordsinthe"Passwordtoopen"and/or

"Passwordtomodify"textboxesandclickOK.Tocreatea

workbookthateveryonecanreadbutonlypasswordholders

canedit,set"Passwordtomodify"andleave"Passwordto

open"blank.

4. Excelpromptsyoutoconfirmthepasswordsenteredinthe



previousstep.

Toaddencryptiontoaworkbook:

1. ClicktheAdvancedbuttonafterStep2intheprecedinglist.

ExceldisplaystheEncryptionTypedialogboxshownin

Figure26-5.

2. Selectanencryptiontypefromthelistedencryption

providers,chooseanencryptionkeylength,andclickOK.

3. Proceedwithsettingtheworkbookpassword.



Figure26-5.Choosinganencryptiontype



Theencryptionprovidersyouhaveinstalledmayvary

dependingonyourlocation.Someencryptionprovidersarenot

availableoutsideoftheUnitedStates,soyouwillwanttotake

thatintoconsiderationifyouaredistributingencryptedfiles

internationally.Thelongertheencryptionkey,theharderitis

forahackertodecryptdata.Allsoftware-basedencryptionis

potentiallyreversiblewithoutthekey.



26.4.ProgramwithPasswordsandEncryption

Youcansetpasswordsandencryptionoptionsincodeusingthe

Workbookobject'ssecuritymembers,suchasthePasswordproperty

andSetEncryptionPropertiesmethod.Fromasecuritystandpoint,it

doesn'tmakesensetohardcodepasswordsintoVisualBasic

macros.Instead,theWorkbookobject'ssecuritymembersare

generallyusedinconjunctionwithUserFormstosetpasswords

andencryptionchosenbytheuserthroughacustomized

interface.

Forinstance,youmightcreateadocumenttemplate(.xlt)for

securedocumentsthatcanonlybesavedusingapasswordand

encryption.Suchatemplatemightincludeauserformtoget

thepassword,asshowninFigure26-6.



Figure26-6.Passworduserform



ThecodefortheuserformconfirmsthatthePasswordand

ConfirmPasswordtextboxesmatchandallowstheuserto

canceltheoperation,asshownhere:

'Publicfields

PublicPasswordAsString,EncryptAsBoolean



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

Chapter 26. Exploring Security in Depth

Tải bản đầy đủ ngay(0 tr)

×