2017 R1 Update Rollup 1

Working With Third-Party ProductsPermanent link for this heading

A core feature of Fabasoft products is the management of a varied range of content. This includes running the tools needed for viewing and editing content like documents or pictures.

These tools are required to be installed on client workstations.

The native client identifies the type of content and uses mechanisms of the client operating system to map a tool to the identified type. The native client honors security policies of the client operating system and adds Fabasoft-specific security structures on top of the operating system.

Security SettingsPermanent link for this heading

When performing operations like viewing, editing or playing content the native client runs tools installed on the client workstation. Which tool has to perform a given operation on a given type of content is determined by mechanisms defined by the Microsoft Windows Shell. These mechanisms are described in http://msdn2.microsoft.com/en-us/library/bb762764.aspx.

Furthermore, the execution of programs by the Microsoft Windows Shell is controlled by security policies, as described in the following documents:

http://technet2.microsoft.com/WindowsServer/en/Library/9044c404-c9ab-40a2-b804-06703c54ee421033.mspx

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93497.mspx

In addition, the native client defines restriction points applying to Fabasoft products only. These are part of the broader customization mechanisms for running tools, defined by the registry sub tree HKEY_CURRENT_USER\Software\Fabasoft\Process Parameters.

In the root of this tree one of two policies can be declared:

  • If a named value of type String with the name Security and the value “Black” is present, the so called “Blacklist Security” policy applies.
  • Otherwise, the mode of operation is “Whitelist Security”.

Blacklist SecurityPermanent link for this heading

This security policy is the less secure tool restriction mode. It is therefore switched off by default. Any program not restricted by operating system policies and not explicitly disallowed by the native client is allowed to run. To explicitly disallow the execution of a tool, there must be a registry key HKEY_CURRENT_USER\Software\Fabasoft\Process Parameters\<base name of the tool executable> holding a named value of type DWORD with the name DisallowRun and the value “1”.

Example:

The setting in this example does not allow loading any executable from a file with the base name “notepad”. The base name comparison is case-insensitive.

Default Blacklist

If the native client security is set to “Black”, the following executables are disallowed by default:

  • Standard script engine hosts
    • wscript
    • cscript
  • Elevated browsers
    • mshta
  • Standard registry editors
    • regedit
    • regedt32

For any of these executables, no registry entry is needed to disallow its execution. If there is an explicit entry, execution can be allowed by setting the named value DisallowRun to the value “0”.

Whitelist SecurityPermanent link for this heading

This is the default native client security mode. Tool execution is restricted to an explicit list of executables. Only executables defined by that list can be executed within a Fabasoft product if not restricted by operating system policies.

To explicitly allow the execution of a tool, there must be a registry key HKEY_CURRENT_USER > Software > Fabasoft > Process Parameters > <base name of the tool executable> holding a named value of type DWORD with the name AllowRun and the value “1”.

Example:

The setting in this example allows loading an executable from a file with the base name “tracer”. The base name comparison is case-insensitive.

Default Whitelist

If the native client security is set to any value other than “Black“, the following executables are allowed by default:

  • Standard text editors/viewers
    • notepad
    • wordpad
  • Standard image editors/viewers
    • mspaint
    • rundll32 [shimgvw]
    • rundll32 [photoviewer]
  • Standard final format editors/viewers
    • acrord32
    • acrobat
    • xpsviewer
  • Supported package editors/viewers
    • winzip32
    • rundll32 [zipfldr]
  • Supported signature editors/viewers
    • siqscc
  • Supported help viewers
    • hh
  • Supported mail clients
    • thunderbird
    • outlook
    • msimn
  • LibreOffice
    • soffice
    • swriter
    • scalc
    • simpress
    • sdraw
    • smath
  • Microsoft Office
    • winword
    • excel
    • powerpnt
    • visio
    • msaccess
    • mspub
    • frontpg
    • fpeditor
    • winproj
    • wordview
    • xlview
    • pptview
    • ois
  • Windows Media Player
    • wmplayer
  • Apple Quicktime Player
    • quicktimeplayer

For any of these executables, no registry entry is needed to allow its execution. If there is an explicit entry, execution can be disallowed by setting the named value AllowRun to the value “0”.

Document PropertiesPermanent link for this heading

Document properties allow you to embed read-only metadata in documents edited with Microsoft Word. Before you can insert document properties into a Microsoft Word document, you have to activate the Fabasoft Folio COM add-in that is installed with the native client. To enable the COM add-in, click the Office button and click “Word Options”. In the dialog box, click “Add-Ins”, select “COM Add-Ins” in the Manage drop-down list box and click “Go”. In the dialog box that is opened, select “Fabasoft Folio” and click “OK”.

Note: The document properties will only be refreshed when opening the document, if the add-in is active.

The COM add-in can be activated manually as described above, or the corresponding registry keys can be deployed after installing the native client.

[HKEY_CURRENT_USER\Software\Microsoft\Office\Word\Addins\FolioPM17.AddinWord]
"FriendlyName"="Fabasoft Folio Text Insertion"

"LoadBehavior"=dword:00000003

Temporary FilesPermanent link for this heading

To be able to edit or read a document in a third-party product the document file has to be stored temporarily on the client. The location of the temporary files can be manually defined by setting the following registry key:

[HKEY_CURRENT_USER\Software\Fabasoft\WebClient\ConfigValues\Enterprise17\DocDir]
@="directory path"

The directory path can be defined the following way:

  • absolute directory path (e.g. C:\MyTempFolder)
    The user needs write access to the directory.
  • <local>
    Corresponds to CSIDL_LOCAL_APPDATA under Microsoft Windows (e.g. C:\Users\<user>\AppData\Local).
  • <roaming>
    Corresponds to CSIDL_APPDATA under Microsoft Windows (e.g. C:\Users\<user>\AppData\Roaming).
  • <temp>
    The temporary directory (e.g. C:\Users\<user>\AppData\Local\Temp).

Mail MergePermanent link for this heading

Working with Microsoft Word mail merge documents differs from working with normal documents.

  • First the document is opened in the background (invisible) and the mail merge data is applied.
  • Subsequently the document is saved, closed and reopened including the mail merge data.
  • After closing the document, the document will be opened again in the background (invisible) and the mail merge data will be removed from the document.

The steps in which the mail merge data source operations are carried out can be influenced by customer macros that may prevent a correct processing. Therefore all macros will be deactivated for the background steps and are only active when the document is opened regularly including a Microsoft Word user interface. Macros can be activated at your own risk with the with following registry key:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Fabasoft\WebClient\ConfigValues\Enterprise1
7]
"MSWORD_disablemacros"="false"

It is also possible to define the maximum delay (ms) and retry time (ms) for the attaching mail merge data call. This may be necessary because opening a mail merge document with macros often lasts longer.

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Fabasoft\WebClient\ConfigValues\Enterprise1
7]
"MSWORD_timeout"=dword:00007530

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Fabasoft\WebClient\ConfigValues\Enterprise1
7]
"MSWORD_retrydelay"=dword:000003e8

Delay Uploading a Changed DocumentPermanent link for this heading

The upload of a changed document can be delayed. In normal circumstances, this setting is not necessary. However, if you use Microsoft Office 2010 and specially configured virus scanners, this setting can be used to prevent documents from being locked and opened read-only.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Fabasoft\WebClient\ConfigValues\Enterprise17]

"UPLOAD_handsoffseconds"=dword:00000002

The registry entry defines the minimum time in seconds between the last change and the upload. The default value is 0. If you notice problems, try the value 2 (possible values are from 0 to 5).