I am writing a service that picks up spreadsheets from an FTP drop location
uploaded by customers. I am leary of security problems because a customer
could unknowingly upload a spreadsheet with some malicious VBA. I am using
excel interop to open the spreadsheets via C#. Macro security will be set to
high, but I am wondering if this is enough. The customer is not willing to
sign their documents with a certificate.

Does anyone have any further suggestions for securely opening the
spreadsheet. I was thinking of decorating the asssembly or certain methods
with extra code access security declarations, but I'm not sure where to
start. It is important for this to be secure because the next request is to
allow sending spreadsheets via e-mail which means there isn't even a username
/ password preventing submission.

Thanks

When you run Excel through automation (which is what I assume 'interop'
does) the user's security setting has no effect. Security is 'low'. I
don't know what you're doing or if you want the user to see a macro warning.
Assuming you want to open the workbook and not show a warning and not run
its open code you would just have to turn events off. In a VBS script it
would look like this:

Dim XL
Set XL = CreateObject("Excel.Application")
XL.EnableEvents=False
XL.Workbooks.Open "c:\openme.xls"
XL.Visible = True ''else XL will not be visible

--
Jim
"chriscap" wrote in message
...
|I am writing a service that picks up spreadsheets from an FTP drop location
| uploaded by customers. I am leary of security problems because a customer
| could unknowingly upload a spreadsheet with some malicious VBA. I am
using
| excel interop to open the spreadsheets via C#. Macro security will be set
to
| high, but I am wondering if this is enough. The customer is not willing
to
| sign their documents with a certificate.
|
| Does anyone have any further suggestions for securely opening the
| spreadsheet. I was thinking of decorating the asssembly or certain methods
| with extra code access security declarations, but I'm not sure where to
| start. It is important for this to be secure because the next request is
to
| allow sending spreadsheets via e-mail which means there isn't even a
username
| / password preventing submission.
|
| Thanks

The spreadsheet will never be presented to the user. It will be parsed and
its data will be stored into a database. I am opening the excel document
using C# via .NET. To interact in .NET with the COM objects you have to use
interoperability. So, while I'm parsing this document I want to make sure
that malicious code cannot be executed. I always want the security to be
high. Furthermore, I want to take more precautions than just having security
on the document set to high. I'd like to restrict the .NET code using code
access security delcarations. I'm looking for suggestions on this.

"Jim Rech" wrote:

When you run Excel through automation (which is what I assume 'interop'
does) the user's security setting has no effect. Security is 'low'. I
don't know what you're doing or if you want the user to see a macro warning.
Assuming you want to open the workbook and not show a warning and not run
its open code you would just have to turn events off. In a VBS script it
would look like this:

Dim XL
Set XL = CreateObject("Excel.Application")
XL.EnableEvents=False
XL.Workbooks.Open "c:\openme.xls"
XL.Visible = True ''else XL will not be visible

--
Jim
"chriscap" wrote in message
...
|I am writing a service that picks up spreadsheets from an FTP drop location
| uploaded by customers. I am leary of security problems because a customer
| could unknowingly upload a spreadsheet with some malicious VBA. I am
using
| excel interop to open the spreadsheets via C#. Macro security will be set
to
| high, but I am wondering if this is enough. The customer is not willing
to
| sign their documents with a certificate.
|
| Does anyone have any further suggestions for securely opening the
| spreadsheet. I was thinking of decorating the asssembly or certain methods
| with extra code access security declarations, but I'm not sure where to
| start. It is important for this to be secure because the next request is
to
| allow sending spreadsheets via e-mail which means there isn't even a
username
| / password preventing submission.
|
| Thanks