Excel macros & a Windows Server - Risk?

drjones

Hi guys, I have a client who's got two physical servers; one DC & Exchange, the other straight file & print serving.

SBS 2008, File is 2008 R2 Std.

There's a new employee who is.......creative. He recently sent me the below email which concerned me enough to ask here before replying to him.

I know nothing about macros, other than they can be malicious & cause damage. Based on what he describes below, could he cause any harm to my client's file server or any of the data contained on it?

Say his macro goes awry / is poorly written.....any risk to my clients?? His use of the word "experiment" brings me chills.....we installed both servers a couple years ago & everything runs perfectly. They're one of my lowest-maintenance clients. I want to keep it that way!



I have a couple of clients that are now using an Excel workbook I created on a shared network drive. I have some automatic backup functions in macros in the Excel workbook. The macros work fine when backing up the file to my local hard drive, but I’m having problems saving to shared drives at the client site. I’m using the word “backup”, but what the macros are really doing is running a “file save as” command where I specify the file name and the path to the directory where I want to save the file.

I want to experiment with running my macros and saving backups to our File server using a mapped drive letter.


Thanks guys
 
Yeah that's kind of odd, isn't it?

No, it's not a dumb question. Of course a badly written or malicious macro can be a risk to your client's server. The decision maker at your client needs to weigh in on whether the new employee should be allowed to do this.

However, if the guy just needs (and has permission) to experiment with shared folders and his Excel macro, start him out with a shared folder on another workstation rather than the server. He could connect to the workstation's folder, map a drive if needed, and experiment away with greatly reduced risk.
 
If I understand correctly, all he wants to do is run the macro on a workstation (not directly on the server) but have the resulting file save to a shared folder on the server.

If the macro isn't actually running on the server, I see no possible harm in that. As long as he only has read/write access to the relevant server files/folders there's not a lot of harm he could do. Of course if his account allows full admin access or 'full control' of files and folders rather than just read/write, then that's a different story, but then if that were the case there'd be greater potential threats to the server's security than his macros.
 
Basically he is asking you to create a shared folder he can map to use his macro. I don't see any harm in it. As long as he has rw and not execute privvy.

Only problem I could see arising is if he screwed up the macro and saves a ton of garbage files to the shared folder filling the server drive where that folder is located. Maybe give him a 1 or 2GB quota on the folder.
 
Anywhere it's at all possible, I'm eliminating mapped drives. I've always been somewhat against them, but much more so now with CryptoLocker running amok. So far (knock on wood), I haven't seen it go after UNC shares.
 
Anywhere it's at all possible, I'm eliminating mapped drives. I've always been somewhat against them, but much more so now with CryptoLocker running amok. So far (knock on wood), I haven't seen it go after UNC shares.

Actually, yeah, that's a good point. Same here and for the same reasons.

I've started using command scripts instead, where possible, to create temporary network connections for the necessary duration only without saving any credentials on the system.
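
An added example, not part of the original posts: one way to make the temporary, credential-free connection described above, combined with a cap on the number of backup copies so a misbehaving job cannot fill the share. The share path, file names, drive name and retention count are placeholders, and PowerShell 3.0 or later is assumed.

```powershell
# Placeholder values (assumptions, not taken from the thread)
$Share     = '\\fileserver\macro-test'          # UNC path, no mapped drive letter
$Source    = "$env:USERPROFILE\Documents\Workbook.xlsm"
$DriveName = 'TmpShare'                         # exists only inside this session
$Keep      = 10                                 # newest copies to retain

# Ask for the account at run time; nothing is written to Credential Manager
# and no password is stored in the script.
$cred = Get-Credential -Message "Account with read/write on $Share"

try {
    # Without -Persist the drive is scoped to this PowerShell session:
    # no drive letter appears in Explorer and it is not restored at logon.
    New-PSDrive -Name $DriveName -PSProvider FileSystem -Root $Share `
                -Credential $cred -ErrorAction Stop | Out-Null

    # Timestamped copy, the equivalent of the macro's "save as" backup.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -LiteralPath $Source `
              -Destination "${DriveName}:\Workbook-$stamp.xlsm" -ErrorAction Stop

    # Prune everything except the newest $Keep copies so a loop or a
    # badly scheduled job cannot grow the folder without bound.
    Get-ChildItem -Path "${DriveName}:\" -Filter 'Workbook-*.xlsm' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -Skip $Keep |
        Remove-Item -Force
}
finally {
    # Always drop the connection, even when the copy fails.
    if (Get-PSDrive -Name $DriveName -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $DriveName -Force
    }
}
```

The retention count limits clutter on the client side only; a server-side quota on the folder, as suggested earlier in the thread, still bounds the damage if the script itself is wrong.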
 