Freigeben über


Protecting Sensitive Data

Frequently, we find developers using InfoPath as a platform for developing solutions that manipulate sensitive data, may it be financial data, patient records, or performance review forms. This article shares tips on protecting such data.

 

First and foremost, you must know that an InfoPath form is a plain-text XML file. A malicious user can read it through Notepad or other text editor, circumventing any InfoPath authentication logic. So if a user has read access to an InfoPath XML form, anything stored in that XML file can be read. Information Rights Management in InfoPath 2007 allows storing encrypted XML; we'll talk more about it below.

 

Also remember that an InfoPath form template (.xsn file) is just a CAB archive, containing plain-text files. These files store all client-side form logic. Information Rights Management allows you to encrypt form templates in InfoPath 2007, see more about it below.

 

Like with any other client-server application development platform, you can never trust the logic that happens on the client. InfoPath uses the form template to store all form logic; if the user has access to the form template (and they must in order to be able to open any form based on that form template), they can create a hacked version of the template, circumventing any restrictions that the original form author put in place.

 

This means that authentication and authorization performed on the client can't be trusted; calculations and data validation have to be re-done on the server. Here is an example of how this strategy can be realized for a simple record-keeping application:

 

  • Do not store sensitive data in the XML file; instead, store keys in the XML file, and perform queries on load that populate the rest of the data by using a database/web service. If the user is unauthorized (as determined by the server-side logic), return an empty dataset. You can even detect such condition on the client and show a friendly error message.
  • On submit, send the data to a web service and redo all non-schema validations on the server side. For example, if employees should not be able to submit expense reports above $100 without specifying an approver, have your web service process the dataset and verify that this condition is satisfied. 

 

It is always a good idea to restrict access to a production form template by assigning read-only permissions to form users, write access to form maintenance staff, and no access to everyone else. This can be done by using permission features of the SharePoint Server or file shares. Even if you install form templates to the users' machines via a logon script, you can still control access to the .xsn file - provided the user is not running as an administrator, you can set their access to the template file to read-only.

 

You may want to enable the protection feature for production form templates:

 

 

However, remember that this protection feature is for recommendations only, it is not intended as a security mechanism. This will show the user a nice error message if they accidentally try to open the template in the Design mode, but won't defend the form template against a malicious user.

 

Information Rights Management, or IRM, is a new feature for InfoPath 2007; some of you may already be familiar with the concepts from the other apps in the Office 2003 release. IRM allows the form author to protect both the form template and forms based on the template; IRM infrastructure must be in place in the organization to make this possible. Briefly, IRM is a way to encrypt both form templates and forms, allowing form author to specify who can access the template and suggest default rights for forms based on the template:

 

 

Note that IRM is an InfoPath client-only feature, and it will not work in browser-enabled form templates.

 

Alex Weinstein

Program Manager

Comments

  • Anonymous
    October 05, 2006
    For those who are wondering about the infrastructure that must be in place for IRM to work, you can find more information here: http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx

  • Anonymous
    October 15, 2006
    Shoutout to S.Y.M. Wong-A-Ton, who wrote a very cool article on encrypting InfoPath form fields using form code: http://aspalliance.com/784 -Alex

  • Anonymous
    January 30, 2007
    I noticed this does not work for web enabled forms but will this work if you send to outlook as a task? Thanks, Mike Walker

  • Anonymous
    January 30, 2007
    To Mike Walker: which mechanism are you asking about? -Alex

  • Anonymous
    January 30, 2007
    Sending an InfoPath Form from an event in a WF workflow on a MOSS Server to a user as a task. Mike Walker

  • Anonymous
    January 30, 2007
    Mike, I apologize, I still don't follow. What mechanism are you trying to use to protect that InfoPath form? -Alex

  • Anonymous
    February 05, 2007
    We have built a workflow & deployed it to a MOSS 2007 server. The workflow creates a Sharepoint task and assigns it to a user. This task has an associated InfoPath form which is used for approval. When the task is created Sharepoint sends an email to the user with the link to the task form. We are trying to see if we can embed the form in the email. So that the user does not have to take an extra step of clicking the task link. Assuming that we can embed the task form in the email, will any IRM settings in the task form template be preserved? Thoughts? Mike Walker

  • Anonymous
    February 06, 2007
    Unfortunately, you will have to build much of this on your own. First of all, if the task item template asks for domain trust (it will if it has the contact selector and other similar items), the XSN will have to be published to an accessible intranet location (file path or server). Second, and you will have to look around to see how do-able this is in code, you’ll have to send the task item template as an InfoPath email form. Outlook may have object model to do this. If not, you may have to piece together a few things. You may want to try pinging the Outlook blogs/newsgroups for this. Third, you’ll have to manage writing the submitted results of the task item template back into the config DB (take a look at the AlterToDo web method on http://server/_vti_bin/workflow.asmx).

  • Anonymous
    November 03, 2011
    Hello and I hope you can help.  I wanted to see what the IRM was all about so I resrticted on of my InfoPath forms.  Now users can access it unless I go around and get their email addresses.  Besides it is a trial version so every 15 minutes I have to re-authenticate or I can'tt even access my forms.  How can I return my form to the original permissions?