Security and Product Safety

This topic would be helpful for you only if you

• using IIS
• want to enhance the safety of Rep2excel

APPLIES TO Rep2excel in web server. If you call Rep2excel through command line, please ignore this topic.

• Rep2excel will not change any file on the server
• Rep2excel may create temporary file on cache directory.
• Rep2excel will not remove any file that is not created by itself
• Rep2excel will detect the file format and it handle the files output from Oracle Report only.
• You can restrict the range of the file to be process. see Define the prefix of filepath parameter
• Rep2excel will not change any value in registy that is not created by itself.
• The administrator of Rep2excel need to login before change Rep2excel settings.

Thank you very much for using Rep2excel. We try our best to keep Rep2excel users safe. If you know of a safety or security problem with our product, we'd like to hear about it right away.

When Rep2excel runs as service application, you can call Rep2excel, pass the File Path paramter to Rep2excel.

Rep2excel will read the file specified by File Path parameter. So you may wonder Rep2excel will return sensitive information to the anonymous user.

To avoid exposing sensitive data to the client user, Rep2excel will detect the file format, only html file created by Oracle Report will be processed.

In addition, you can also restrict the range of the file path. see Define the prefix of filepath parameter for more information.

Apache HTTP Server is the most popular web server in the world till now. It is powerful although is free software.

Generally speaking, the Apache is started under Local System account, so the Rep2excel is able to change any file on the server, but Rep2excel won't change any file, see Security Declaration above.

Maybe you want to run Apache and Rep2excel under limited user, so Rep2excel can not change any file any more. OK, let's go!

1. Create a new account

For example, named apache_usr.

The apache_usr can be changed to member of Guests group if you want. See the figure below.

2. Alter the security property of APACHE_HOME.

The APACHE_HOME is C:\Program Files\Apache Group\Apache for Apache 2.0 by default.

Make sure that the apache_usr is able to full control the folder.

3. Change properity of Apache Service, logon as apache_usr.

1. Click Start menu -> Click Run -> Fill in services.msc -> Click OK.
2. Stop Apache first.
3. Open Properities dialog of Apache service, click Log On tab, verify the Local System account is selected.
4. Now select The account, and then fill in apache_usr and password, click OK.

4. Configure Excel Application to be accessed by apache_usr.

Now if you use Rep2excel you will get this error message: Unable to access Microsoft Excel runtime.More info: Run Rep2excel as: apache_usr. Run Excel as Administrator. To solve the problem, you should configure Excel Application to be accessed by apache_usr.

1. Log on to the computer as the Administrator
2. Click Start, click Run, and then type DCOMCNFG.Select the Microsoft Excel Application from DCOM Config.
   
   Path: Console Root \ Component Services \ Computers \ My Computer \ DCOM Config \ Microsoft Excel Application
   
   
3. Right click the Microsoft Excel Application; Click Properties to open the property dialog box for this application
4. Click the Security tab.
5. Click Customize for access permissions. Verify that the following users are listed in the access permissions, or add the users if they are not listed:
• SYSTEM
• INTERACTIVE
• Administrators
• apache_usr
  
6. Click Customize for launch and activation permissions. Verify that the following users are listed in the launch permissions, or add the users if they are not listed:
• SYSTEM
• INTERACTIVE
• Administrators
• apache_usr
  
7. Make sure that each user is allowed access, and then click OK.
8. Click OK to close the property dialog box

5. Make sure that apache_usr is able to create/delete files in the Cache Directory.

To learn more about Cache Directory, please see Setup Rep2excel.

6. The end.

The Rep2excel Server is software combined the Web Server with Oracle Report to Excel Converter Engineer and Rep2excel Command Line Edition.

Generally speaking, the Rep2excel Server is started under Local System account, so the Rep2excel is able to change any file on the server, but Rep2excel won't change any file, see Security Declaration above.

Maybe you want to run Rep2excel Server under limited user, so Rep2excel can not change any file any more. OK, let's go!

1. Create a new account

For example, named rep2excel_usr.

2. Alter the security property of Rep2excel Server installation folder.

The Rep2excel Server installation folder is C:\Program Files\Rep2excel Server by default.

Make sure that the rep2excel_usr is able to full control the folder.

3. Change properity of Rep2excel Server Service, logon as rep2excel_usr.

1. Click Start menu -> Click Run -> Fill in services.msc -> Click OK.
2. Stop Rep2excel Server first.
3. Open Properities dialog of Rep2excel Server service, click Log On tab, verify the Local System account is selected.
4. Now select The account, and then fill in rep2excel_usr and password, click OK.

4. Configure Excel Application to be accessed by rep2excel_usr.

Now if you use Rep2excel you will get this error message: Unable to access Microsoft Excel runtime.More info: Run Rep2excel as: rep2excel_usr. Run Excel as Administrator. To solve the problem, you should configure Excel Application to be accessed by rep2excel_usr.

For more information, please see Configure Excel Application to be accessed by apache_usr

5. Make sure that rep2excel_usr is able to create/delete files in the Cache Directory.

To learn more about Cache Directory, please see Setup Rep2excel.

6. The end.

For some version of IIS, the Anonymous access is disabled by default. To enable to Anonymous access , you should do the following.

1. select the folder you want to change, for example scripts
2. open properities dialog
3. choose Directory Security tab
4. click Edit..
5. check Enable anonymous access.

If Anonymous access is disabled, and you logon IIS as common users, Rep2excel may not able to access Excel runtime (COM Server), you should spend several minutes on configuring Excel Appliction, see the section Configure Excel application to be accessed by non-System account below.

If Anonymous access is enabled, although the Windows start the IIS under SYSTEM user, but the IIS launch the Rep2excel under the user IUSR_<machinename> . This user was created when IIS is installed.

So, Rep2excel may not able to access Excel runtime (COM Server), you should spend several minutes on configuring Excel Appliction, see the section Configure Excel application to be accessed by non-System account below.

This section applies to

• IIS + Rep2excel solution
• Apache started under non-System account
• Rep2excel Server started under under non-System account

If your Apache server is configured to run under non-System user, or you deply Rep2excel inside IIS, you may got the following error whilce using Rep2excel.

Error [M:RBC] :Error (1008): An attempt was made to reference a token that does not exist.

How to fix it?

A: Please follow the steps below, configure Excel application to support Rep2excel.

1. Log on to the computer as the Administrator
2. Click Start, click Run, and then type DCOMCNFG.Select the Microsoft Excel Application from DCOM Config.
   
   Path: Console Root \ Component Services \ Computers \ My Computer \ DCOM Config \ Microsoft Excel Application
   
   
3. Right click the Microsoft Excel Application; Click Properties to open the property dialog box for this application
4. Click the Security tab.
5. Click Customize for access permissions. Verify that the following users are listed in the access permissions, or add the users if they are not listed:
• SYSTEM
• INTERACTIVE
• Administrators
• IUSR_<machinename> *
• IWAM_<machinename> *


* These accounts only exist if Internet Information Server (IIS) is installed on the computer.

See the figures below, it describe how to add the user to this list.



NOTE: If you craete special account for Apache, you should also add the account to list.

NOTE: If you disable anonymous access to IIS, and logon IIS using account belong to Users group, you should add Users group to the list.

NOTE: If you allo anonymous access to IIS, you should add IUSR_<machinename> to the list.




6. Click Customize for launch and activation permissions. Verify that the following users are listed in the launch permissions, or add the users if they are not listed:
• SYSTEM
• INTERACTIVE
• Administrators
• IUSR_<machinename> *
• IWAM_<machinename> *

* These accounts exist only if IIS is installed on the computer.

NOTE: If you craete special account for Apache, you should also add the account to list.

NOTE: If you disable anonymous access to IIS, and logon IIS using account belong to Users group, you should add Users group to the list.

NOTE: If you allo anonymous access to IIS, you should add IUSR_<machinename> to the list.



7. Make sure that each user is allowed access, and then click OK.
8. Click OK to close the property dialog box

APPLIES TO Windows XP, 2003. If you are using Windows 2000 or NT, You have to do minor change.

If you run Apache HTTP Server under SYSTEM user, the Rep2excel works properly for Windows 2000, XP.

But for Windows 2003, you may got the following error message.

Error [M:RBC] :Unable to access Microsoft Excel runtime.More info: Run Rep2excel and Excel as SYSTEM.

To solve the problem, you need to set the identity of Excel App Server, see the following page for more information.

http://www.lv2000.com/articles/configexcel2.htm