2018 Spring Release

Working With Third-Party ProductsPermanent link for this heading

A core feature of Fabasoft products is the management of a varied range of content. This includes running the tools needed for viewing and editing content like documents or pictures.

These tools are required to be installed on client workstations.

The native client identifies the type of content and uses mechanisms of the client operating system to map a tool to the identified type. The native client honors security policies of the client operating system and adds Fabasoft-specific security structures on top of the operating system.

Security SettingsPermanent link for this heading

When performing operations like viewing, editing or playing content the native client runs tools installed on the client workstation. Which tool has to perform a given operation on a given type of content is determined by mechanisms defined by the Microsoft Windows Shell. These mechanisms are described in http://msdn2.microsoft.com/en-us/library/bb762764.aspx.

Furthermore, the execution of programs by the Microsoft Windows Shell is controlled by security policies, as described in the following documents:

http://technet2.microsoft.com/WindowsServer/en/Library/9044c404-c9ab-40a2-b804-06703c54ee421033.mspx

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93497.mspx

In addition, the native client defines restriction points applying to Fabasoft products only. These are part of the broader customization mechanisms for running tools, defined by the registry sub tree HKEY_CURRENT_USER\Software\Fabasoft\Process Parameters.

In the root of this tree one of two policies can be declared:

  • If a named value of type String with the name Security and the value “Black” is present, the so called “Blacklist Security” policy applies.
  • Otherwise, the mode of operation is “Whitelist Security”.

Blacklist SecurityPermanent link for this heading

This security policy is the less secure tool restriction mode. It is therefore switched off by default. Any program not restricted by operating system policies and not explicitly disallowed by the native client is allowed to run. To explicitly disallow the execution of a tool, there must be a registry key HKEY_CURRENT_USER\Software\Fabasoft\Process Parameters\<base name of the tool executable> holding a named value of type DWORD with the name DisallowRun and the value “1”.

Example:

The setting in this example does not allow loading any executable from a file with the base name “notepad”. The base name comparison is case-insensitive.

Default Blacklist

If the native client security is set to “Black”, the following executables are disallowed by default:

  • Standard script engine hosts
    • wscript
    • cscript
  • Elevated browsers
    • mshta
  • Standard registry editors
    • regedit
    • regedt32

For any of these executables, no registry entry is needed to disallow its execution. If there is an explicit entry, execution can be allowed by setting the named value DisallowRun to the value “0”.

Whitelist SecurityPermanent link for this heading

This is the default native client security mode. Tool execution is restricted to an explicit list of executables. Only executables defined by that list can be executed within a Fabasoft product if not restricted by operating system policies.

To explicitly allow the execution of a tool, there must be a registry key HKEY_CURRENT_USER > Software > Fabasoft > Process Parameters > <base name of the tool executable> holding a named value of type DWORD with the name AllowRun and the value “1”.

Example:

The setting in this example allows loading an executable from a file with the base name “tracer”. The base name comparison is case-insensitive.

Default Whitelist

If the native client security is set to any value other than “Black“, the following executables are allowed by default:

  • Standard text editors/viewers
    • notepad
    • wordpad
  • Standard image editors/viewers
    • mspaint
    • rundll32 [shimgvw]
    • rundll32 [photoviewer]
  • Standard final format editors/viewers
    • acrord32
    • acrobat
    • xpsviewer
  • Supported package editors/viewers
    • winzip32
    • rundll32 [zipfldr]
  • Supported signature editors/viewers
    • siqscc
  • Supported help viewers
    • hh
  • Supported mail clients
    • thunderbird
    • outlook
    • msimn
  • LibreOffice
    • soffice
    • swriter
    • scalc
    • simpress
    • sdraw
    • smath
  • Microsoft Office
    • winword
    • excel
    • powerpnt
    • visio
    • msaccess
    • mspub
    • frontpg
    • fpeditor
    • winproj
    • wordview
    • xlview
    • pptview
    • ois
  • Windows Media Player
    • wmplayer
  • Apple Quicktime Player
    • quicktimeplayer

For any of these executables, no registry entry is needed to allow its execution. If there is an explicit entry, execution can be disallowed by setting the named value AllowRun to the value “0”.

Document PropertiesPermanent link for this heading

Document properties allow you to embed read-only metadata in documents edited with Microsoft Word. Before you can insert document properties into a Microsoft Word document, you have to activate the Fabasoft Cloud COM add-in that is installed with the native client. To enable the COM add-in, click the Office button and click “Word Options”. In the dialog box, click “Add-Ins”, select “COM Add-Ins” in the Manage drop-down list box and click “Go”. In the dialog box that is opened, select “Fabasoft Cloud Word Extension” and click “OK”.

Note: The document properties will only be refreshed when opening the document, if the add-in is active.

The COM add-in can be activated manually as described above, or the corresponding registry keys can be deployed after installing the native client.

[HKEY_CURRENT_USER\Software\Microsoft\Office\Word\Addins\FolioPU.OxWord]
"
FriendlyName"="Fabasoft Cloud Word Extension"
"
LoadBehavior"=dword:00000003

Temporary FilesPermanent link for this heading

To be able to edit or read a document in a third-party product the document file has to be stored temporarily on the client. The location of the temporary files can be manually defined by setting the following registry key:

[HKEY_CURRENT_USER\Software\Fabasoft\WebClient\ConfigValues\Cloud\DocDir]
@="directory path"

The directory path can be defined the following way:

  • absolute directory path (e.g. C:\MyTempFolder)
    The user needs write access to the directory.
  • <local>
    Corresponds to CSIDL_LOCAL_APPDATA under Microsoft Windows (e.g. C:\Users\<user>\AppData\Local).
  • <roaming>
    Corresponds to CSIDL_APPDATA under Microsoft Windows (e.g. C:\Users\<user>\AppData\Roaming).
  • <temp>
    The temporary directory (e.g. C:\Users\<user>\AppData\Local\Temp).