Security considerations for form templates and forms

"Security considerations" is a broad phrase that can describe different concerns. For example, the trust level of a form template, the use of Secure Sockets Layer (SSL) technology on a Web server, and a user's decision to add a trusted publisher to the Trust Center are all security considerations.

This article contains some best practices for helping to secure form templates and forms, and contains some considerations about server security. Although these practices can help you make informed decisions, this article is not exhaustive. Use your organization's existing security policy as the foundation for any choices that you make about the security of your form templates and forms.

In this article

Best practices for Web server security

Best practices for using data sources

Best practices for deploying form templates

Best practices for deploying Document Information Panels

Best practices for sending form templates as e-mail messages

Best practices for helping users stay secure

General considerations

Best practices for Web server security

  • Use SSL for servers hosting browser-enabled form templates    If you plan to design a browser-enabled form template that will be available for users to fill out on the Internet, ask your server administrator whether Secure Sockets Layer (SSL) technology is configured on the server where the form template will be hosted. Some organizations use SSL when collecting personally identifiable information (PII), such as credit card numbers or bank account numbers. The decision to use SSL may be driven by an organization's internal policies, regulatory compliance, or both. A browser-enabled form template is a browser-compatible form template that has been published to a server running InfoPath Forms Services and browser-enabled so that users can fill out the form in a Web browser. SSL is a proposed open standard that was developed by Netscape Communications for establishing a secure communications channel to help prevent the interception of critical information, such as credit card numbers.

    Note: You can tell when SSL is enabled for a URL because the address starts with "https" instead of "http." SSL may not be necessary if your form templates are available on a secure intranet where both the form designers and the users are trusted.

  • Use a trusted host    If your organization does not maintain the server that hosts your form templates, make sure to use a trusted Web-site hosting company. For example, if you decide to use SSL technology, verify that the hosting company has a digital certificate that was issued by a third-party certificate authority. If you can't verify the integrity of the hosting service, do not host your form templates there.

  • Install security patches and antivirus software    Check with your server administrator to verify that the latest security patches and updates are installed on the server where your form templates are hosted. Also, verify that the server is running up-to-date antivirus software, and that only trusted users can access the server.

Top of Page

Best practices for using data sources

  • Use approved data sources    To help ensure that the form template designers in your organization use only approved data sources, use a data connection library, which is a central location to store and share data connections. By creating a collection of approved data connections and limiting permission to the library where they are stored, you can help protect the security of the data sources that are used in your organization.

  • Be cautious when using direct database connections    If the form template designers in your organization are unable to use an approved data source from a data connection library, they may decide to connect a form template directly to a data source. In such cases, make sure that only trusted users can access the forms based on that form template. A form template with a direct connection to a database may provide an untrustworthy user with a way to access proprietary information.

Top of Page

Best practices for deploying form templates

  • Understand the scope of deployment for form templates    When an administrator-approved form template is deployed, it is added to a central location on the server where it can be activated to one or more site collections. An administrator-approved form template is a browser-compatible form template that has been uploaded by an administrator to a server running InfoPath Forms Services. An administrator-approved form template can include code. If the site collections and form templates in your organization span very different audiences, make sure to activate only those form templates that are designed for a particular site collection. For example, if your organization uses one site collection for customers and another for employees, do not activate an employee form template to the customer site collection. Activating form templates to the wrong site collection may make proprietary data available to the wrong users. For example, an employee form template that contains a list of employee e-mail addresses can lead to spam if that form template is made available to the public.

Top of Page

Best practices for deploying Document Information Panels

In Microsoft Office InfoPath 2007, a form template designer can deploy a form template as a Document Information Panel. A Document Information Panel is an InfoPath form that is hosted inside a Microsoft Office Word, Microsoft Office PowerPoint, or Microsoft Office Excel document, providing a single location for users to add or change metadata about the document. When hosted in a Word document, a Document Information Panel also supports the ability to edit data from the document itself. Although the same security considerations apply to using a Document Information Panel as to using a form template — a Document Information Panel can run under the Full Trust, Domain, or Restricted trust setting depending on the features that a form designer adds to it — there are also some unique items to consider. For example, if you reference an external resource in a Document Information Panel, you should make sure that users will have permission to that resource when they open the document. For example, you might connect a Document Information Panel in a Word document to a Web service. Even though users have permission to open the Word document, they will receive an error if they do not have permission to the Web service that is used in the Document Information Panel. The following list describes some additional considerations for using Document Information Panels:

  • Deploying a Document Information Panel to an intranet    If you deploy a Document Information Panel to a location on your company's intranet, but the document associated with the Document Information Panel is located on an extranet, your internal users will be able to use the Document Information Panel, but external users will not.

  • Using cross-domain data connections in Document Information Panels    You cannot use cross-domain data connections in a Document Information Panel, unless the form template for the Document Information Panel is set to the Full Trust security level, or the associated form template is located on a domain that is included in the Trusted sites zone in Windows Internet Explorer.

  • Deploying Document Information Panels to SharePoint sites    Document information panels that are deployed to a Microsoft Office SharePoint Services site will not display unless the form template for the Document Information Panel is located on the same domain as the document that they are associated with.

  • Using Document Information Panels for custom XML schemas    Document information panels that are based on a custom XML schema must run at Full Trust or Restricted security levels. When you create a Document Information Panel, you can specify your own custom XML schema and use that schema to create the content of the panel, but the resulting Document Information Panel cannot be granted partial trust.

  • Document information panels in the Local Machine Zone    In Internet Explorer, security zones and levels enable you to specify whether a Web site can access the files and settings on your computer and how much access those sites can have. Document information panels that are located in the Local Machine Zone will not open unless the form template for the Document Information Panel was installed on the user's computer by using an installation program such as Microsoft Windows Installer (.msi file).

Top of Page

Best practices for sending form templates as e-mail messages

  • Trust levels for e-mail form templates    InfoPath provides three security levels for form templates: Restricted, Domain, and Full Trust. In order to be sent out safely in an e-mail message, form templates need to have the Restricted trust setting. Form templates that are sent in an e-mail message work only with data contained in the form template, as opposed to external data sources, and cannot contain script or managed code.

  • Avoid sending personally identifiable information in an e-mail message    You can add rules to a form template that allow a user to send form data to multiple locations when they press a button in the associated form. For example, you can configure a button to use rules to allow form data to be sent to both a Web service and as the body of an e-mail message. If the Web service and the target e-mail address are not located on the same domain as the form template, this may not be secure. For example, if the e-mail message is sent over the Internet, the data may be at risk even though the Web service uses SSL and is on the intranet.

Top of Page

Best practices for helping users stay secure

  • Encourage your users to install or open forms only from trusted sources    InfoPath provides three security levels for form templates: Restricted, Domain, and Full Trust. The security levels determine whether a form template can access data on other domains, or access files and settings on your computer. Fully trusted forms have a Full Trust security level, and can access files and settings on a user's computer. The form template for these forms must be digitally signed with a trusted root certificate, or installed on a user's computer. You should encourage your users to only install or open fully-trusted forms that they receive from trusted sources.

    Note: By managing the Trusted Publishers list in the Trust Center, your users can control whether to open fully trusted forms. Users can also use the Trust Center to manage Trusted Publishers, Add-ins, and Privacy Options.

  • Encourage your users to get the latest browsers    If your users will fill out browser-enabled form templates, it is a good practice to provide them with information about how to download patches and upgrade their browsers, to help ensure that they are running the most recent version.

Top of Page

General considerations

  • Enable users to use digital signatures    When users fill out a form in InfoPath, they can digitally sign the form or specific parts of the form. When they fill out a browser-enabled form template, they cannot sign the entire form, only parts of it. Signing a form helps authenticate a user as the person who filled out the form and helps ensure that the contents of the form are not altered.

  • Use digital signatures    A form can run at Full Trust only if the form template is digitally signed with a trusted root certificate or if the form was installed on the user's computer by using an installation program such as Microsoft Windows Installer (.msi file). To preview a Full Trust form template in design mode, it is not necessary to have a digital signature applied to it.

  • Understand the security levels of the InfoPath object model    If any of the form templates in your organization contain managed code, you should understand the security levels of the InfoPath object model members. The InfoPath object model implements three distinct levels of security that determine how and where a particular object model member can be used. If managed code is present in a form template, and it requires a security level that is higher than that of the form template itself, the code won't run. For example, the Print Method requires Full Trust and will not work if the form template is set to Domain Trust.

  • Understand Windows Internet Explorer security zones    In Internet Explorer, security zones and levels enable you to specify whether a Web site can access the files and settings on your computer and how much access those sites can have. InfoPath uses some of these settings to determine whether a form template's associated form can access the files and settings on a user's computer and how much access that form can have. InfoPath also uses some of these settings to determine whether a form that a user fills out can access content that is stored in domains other than the domain in which the form template is stored.

Top of Page

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×