Introduction
  Welcome
  The Web Reporting Solution
  What is ExcelWriter?
  Features and Benefits
  New in This Version  V4
  Requirements
  Edition Differences
  Frequently Asked Questions
  Troubleshooting

Quick Start
  Creating Your First Spreadsheet
  Adding a Formula
  Adding Formatting
  Importing from a Database

Features In Depth
  Addressing Cells
  Setting Values
  Output Options
  Adding Charts
  Reading an Existing Spreadsheet
  Modifying an Existing Spreadsheet
  The Range Object
  Template Spreadsheets
  How to Use Templates
  ExcelApp.Open vs. ExcelTemplate
  Using ExcelTemplate with PivotTables
  Templates and Charts
  Reliable Spreadsheet Download  V4
  Page Setup
  Formatting Headers & Footers
  Protecting your Worksheet
  Multilingual Support  V4
  XML Import

HotCell Technology  V4
  What is HotCell Technology?
  Upload Example
  Advanced POST Example
  Advanced Upload Example

Programmer's Reference
  Object Model
      ExcelTemplate Object
      ExcelApplication Object
         3DProperties Object
         Area Object
         Axis Object
         Cells Object
         Cell Object
         Charts Object
         Chart Object
         ChartFrame Object
         Font Object
         Line Object
         PageSetup Object
         Pictures Object
         Picture Object
         Range Object
         SeriesCollection Object
         Series Object
         Style Object
         Worksheets Object
         Worksheet Object
  Formula Functions
  Formula Calculation Operators
  Formatting Codes
  Chart Codes

Installation
  Quick Installation
  Configuring IIS
  Security Considerations

External Links
  ExcelWriter Home Page
  Technical Support
  ExcelWriter Demos
  SoftArtisans Home Page
  E-mail General Questions
  E-mail Technical Support
  Legal Information

Security Considerations

To understand the security of ExcelWriter it is necessary to have background knowledge in IIS and ASP security.

The security context is not important if you are streaming files to the browser, or returning the resultant spreadsheet to memory. In both of these cases, ExcelWriter does not write any intermediate files to the hard disk of the server. Since everything is performed in memory, security considerations are not relevant.

The security context is important if you want to,

  • Save a generated spreadsheet on the server's hard disk
  • Open an existing spreadsheet
  • Embed images in a spreadsheet

ASP provides three levels of authentication:

  • Anonymous
  • Basic
  • NT Challenge/Response

When a user hits a web page, the security of the page is verified. If there are no restrictions, such as NTFS permissions, anonymous access is used. When there are NTFS permissions in place, IIS will negotiate with the browser and determine if the user can be authenticated.

IIS uses a special NT account, typically called IUSR_MachineName, as the default anonymous account. An administrator can change this default account. It is possible to have different anonymous accounts for each virtual server or web application on the server.

With Basic and NT Challenge/Response, an authentication mechanism is in place that identifies the user who is requesting the page. With either Basic or NT Challenge/Response, IIS/ASP will actually perform an NT login for that specific user.

This means that a given page is executing as a specific NT user: either IUSR_MachineName or the actual authenticated NT domain user. This technique is known as impersonation and is a standard feature of NT Services.

This has strong implications for ExcelWriter if you are trying to save the generated spreadsheet on the hard disk of the web server. When ExcelWriter attempts to create, read or write files, it will be executing in the security context provided by IIS/ASP.

If a non-authenticated user is creating a spreadsheet, ExcelWriter will only be able to write to locations that are accessible by the IUSR_MachineName account.

If an authenticated user is creating a spreadsheet, ExcelWriter will only be able to write to locations determined by that specific user's NT domain permissions.

For more information, see Microsoft KB Article Q207671.

Copyright © 2003, SoftArtisans, Inc.