Security in InfoPath forms

The subject of InfoPath security is a broad topic that can describe different concerns. For example, the trust level of a form template, the use of Secure Sockets Layer (SSL) technology on a Web server, and a user's decision to add a trusted publisher to the Trust Center are all security considerations.

This article contains best practices for helping to secure form templates and forms, and contains considerations about server security. Although these practices can help you make informed decisions, this article is not exhaustive. Use your organization's existing security policy as the foundation for any choices that you make about the security of your form templates and forms. For a detailed overview of security in InfoPath, see Security Levels, E-Mail Deployment, and Remote Form Templates.

In this article

Set the required security level for a form template

Best practices for Web server security

Best practices for using data sources

Best practices for deploying Document Information Panels

Best practices for sending form templates as e-mail messages

Best practices to help users stay secure

Set the required security level for a form template

InfoPath provides three security levels for forms: Restricted, Domain, and Full Trust. The security levels determine whether a form can access data on other domains, or access files and settings on a user's computer. The security levels also affect the features on a form when users fill it out.

When you design a form template, InfoPath automatically selects the correct security level required for the features in your form. All new blank form templates use the Restricted security level by default. The Restricted security level limits the ability of a form to access data on other domains, and files and settings on a user's computer.

The security level will automatically be raised to the Domain level if you add any features that require it, such as data connections or managed code. It is a good practice to use the most restrictive security level required for your form template to help your users avoid unnecessary security risks.

If the default security level that is set for the form template at design time is insufficient, you can complete the following steps to manually set the security level:

  1. Click the File tab.

  2. Click Form Options.

  3. Click Security and Trust.

  4. Under Security Level, clear the Automatically determine security level (recommended) check box.

  5. Click the security level that you want, then click OK.

Note:  If the form template is an InfoPath filler form that requires full trust then it must be digitally signed with a trusted root certificate or installed on the user’s computer. If it is a SharePoint full-trust form then it must be deployed by the SharePoint farm administrator using SharePoint Central Administration.


Best practices for Web server security

The following is a list of best practices for web server security:

  • Use SSL for servers hosting browser-enabled form templates    SSL is a standard that is used to establish a secure communications channel to help prevent the interception of critical information, such as credit card numbers. If you plan to design a browser-enabled form template that will be available for users to fill out on the Internet, ask your server administrator whether Secure Sockets Layer (SSL) technology is configured on the server where the form template will be hosted. When relying on SSL technology as a security feature, you should verify that the digital certificate used by SSL was issued by an industry-standard third-party certificate authority (such as Verisign).

Tip:  You can tell SSL is enabled for a URL when the Web address begins with https instead of http.

  • Use a trusted host    If your organization does not maintain the server that hosts your form templates, make sure to use a trusted Web hosting company. If you can't verify the integrity of the hosting service, do not host your form templates there.

  • Install security patches and antivirus software    Check with your server administrator to verify that the latest security patches and updates are installed on the server where your form templates are hosted. Also, verify that the server is running up-to-date antivirus software, and that only trusted users can access the server.

  • Understand Windows Internet Explorer security zones    In Windows Internet Explorer, security zones and levels enable you to specify whether a Web site can access the files and settings on your computer and how much access those sites can have. InfoPath uses some of these settings, along with the form template security setting, to determine whether a form template's associated form can access the files and settings on a user's computer and how much access that form can have. InfoPath also uses some of these settings to determine whether a form that a user fills out can access content that is saved in domains other than the domain in which the form template is saved.


Best practices for using data sources

Many InfoPath forms use data connections to receive and submit data from external and internal data sources. When filling out forms that have data connections, you may be prompted to allow the data connections to be established. You should only allow the connection if you trust the source. The following is a list of best practices for using data sources when designing and deploying forms:

  • Use approved data sources    To help ensure that the form template designers in your organization use only approved data sources, use a data connection library, which is a central location to store and share data connections. By creating a collection of approved data connections and limiting permission to the library where they are saved, you can help protect the security of the data sources that are used in your organization.

  • Be cautious when using direct database connections    If the form template designers in your organization are unable to use an approved data source from a data connection library, they may decide to connect a form template directly to a data source. In such cases, make sure that only trusted users can access the forms based on that form template. A form template with a direct connection to a database may provide an untrustworthy user with a way to access proprietary information.


Best practices for deploying Document Information Panels

A form designer can deploy a form template as a Document Information Panel. A Document Information Panel is an InfoPath form that is hosted inside a Microsoft Word, Microsoft PowerPoint, or Microsoft Excel document, providing a single location for users to add or change metadata about the document. When hosted in a Word document, a Document Information Panel also supports the ability to edit data from the document itself.

Although the same security considerations apply to using a Document Information Panel as to using a form template — a Document Information Panel can run under the Full Trust, Domain, or Restricted trust setting depending on the features that a form designer adds to it — there are also some unique items to consider. If you reference an external resource in a Document Information Panel, you should make sure that users will have permission to that resource when they open the document. For example, you might connect a Document Information Panel in a Word document to a Web service. Even though users have permission to open the Word document, they will receive an error if they do not have permission to the Web service that is used in the Document Information Panel.

The following list describes some additional considerations for using Document Information Panels:

  • Deploying a Document Information Panel to an intranet    If you deploy a Document Information Panel to a location on your company's intranet, but the document associated with the Document Information Panel is located on an extranet, your internal users can use the Document Information Panel, but external users cannot.

  • Using cross-domain data connections in Document Information Panels    You cannot use cross-domain data connections in a Document Information Panel unless the form template for the Document Information Panel is set to the Full Trust security level or the associated form template is located on a domain that is included in the Trusted sites zone in Windows Internet Explorer.

  • Deploying Document Information Panels to SharePoint sites    Document Information Panels that are deployed to a SharePoint site don’t display unless the form template for the Document Information Panel is located on the same domain as the document that they are associated with.

  • Using Document Information Panels for custom XML schemas    Document Information Panels that are based on a custom XML schema must run at Full Trust or Restricted security levels. When a Document Information Panel is created, you can specify a custom XML schema and use that schema to create the content for the panel, but the resulting Document Information Panel cannot be granted partial trust.

  • Document information panels in the Local Machine Zone    In Windows Internet Explorer, security zones and levels enable you to specify whether a Web site can access the files and settings on your computer and how much access those sites can have. Document Information Panels that are located in the Local Machine Zone don’t open unless the form template for the Document Information Panel is installed on the user's computer by using an installation program such as a Microsoft Windows Installer (msi) file.


Best practices for sending form templates as e-mail messages

The following is a list of best practices for sending form templates as e-mail messages:

  • Trust levels for e-mail form templates    To send safely in an e-mail message, form templates need to be set to the Restricted trust setting. Form templates that are sent in a message work only with data contained in the form template, as opposed to external data sources, and cannot contain script or managed code.

  • Avoid sending personally identifiable information in an e-mail message    You can add rules to a form template that allow a user to send form data to multiple locations when a command button is pressed in the associated form. For example, you can configure a command button to use rules to allow form data to be sent to both a Web service and as the body of a message.

Security Note:  If the Web service and the target e-mail address are not located on the same domain as the form template, this may not be secure. For example, if the e-mail message is sent over the Internet, the data may be at risk even though the Web service uses SSL and is on the intranet.
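The trust-level rules above (the Restricted/Domain/Full Trust levels, cross-domain data connections, and the requirement that an e-mailed template be Restricted with no external data or script) can be checked against a template's manifest. The following audit script is an added example, not code from this article or from InfoPath; the manifest fragment is constructed, and the attribute names publishUrl, trustSetting, trustLevel and wsdlUrl, and the xsf:scripts element, are assumed from the InfoPath 2003 solution-definition schema.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSF = "{http://schemas.microsoft.com/office/infopath/2003/solutionDefinition}"

# Constructed, simplified manifest.xsf fragment (not a real template).
# It declares Domain trust, one same-domain connection, one cross-domain
# connection over plain http, and a script block.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<xsf:xDocumentClass
    xmlns:xsf="http://schemas.microsoft.com/office/infopath/2003/solutionDefinition"
    publishUrl="https://forms.corp.example/templates/expense.xsn"
    trustSetting="manual" trustLevel="domain">
  <xsf:dataAdapters>
    <xsf:webServiceAdapter name="Lookup"
        wsdlUrl="https://forms.corp.example/svc/lookup.asmx?WSDL"/>
    <xsf:webServiceAdapter name="Partner"
        wsdlUrl="http://partner.example.net/svc/rates.asmx?WSDL"/>
  </xsf:dataAdapters>
  <xsf:scripts language="jscript"><xsf:script src="script.js"/></xsf:scripts>
</xsf:xDocumentClass>
"""


def audit_manifest(xml_text):
    """Report the declared trust level, every web service connection,
    whether the template may be sent by e-mail, and any findings."""
    root = ET.fromstring(xml_text)
    level = root.get("trustLevel", "restricted")
    publish_host = urlparse(root.get("publishUrl", "")).hostname or ""
    findings, connections = [], []
    for adapter in root.iter(XSF + "webServiceAdapter"):
        name = adapter.get("name", "?")
        parsed = urlparse(adapter.get("wsdlUrl", ""))
        connections.append(name)
        if (parsed.hostname or "") != publish_host:
            # Cross-domain access needs Full Trust or a Trusted sites entry.
            findings.append(f"cross-domain connection: {name} -> {parsed.hostname}")
        if parsed.scheme != "https":
            findings.append(f"connection without SSL: {name}")
    has_script = root.find(XSF + "scripts") is not None
    if level == "restricted" and (connections or has_script):
        findings.append("Restricted level declared but template uses connections or script")
    # E-mail deployment: Restricted, no external data sources, no script.
    email_safe = level == "restricted" and not connections and not has_script
    return {"trust_level": level, "connections": connections,
            "email_safe": email_safe, "findings": findings}


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```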


Best practices to help users stay secure

The following is a list of best practices for helping users stay secure:

  • Encourage users to install or open forms only from trusted sources    You should encourage users to only install or open fully-trusted forms that they receive from trusted sources.

Note:  By managing the Trusted Publishers list in the Trust Center, your users can control whether to open fully trusted forms. Users can also use the Trust Center to manage Trusted Publishers, Add-ins, and Privacy Options.

  • Encourage users to install the latest Web browser    If your users will fill out browser-enabled form templates, it is a good practice to provide them with information about how to download patches and upgrade their browser to help ensure that they are running the most recent version.

  • Enable users to use digital signatures    When users fill out a form in InfoPath, they can digitally sign the form or specific parts of the form. Signing a form helps authenticate a user as the person who filled out the form and helps ensure that the contents of the form are not altered. For more information on Digital Signatures in InfoPath, see Digital signatures in InfoPath 2010.
