By Mats Halfvares, the Content Studio development team

WARNING

This article contains information about editing the global policy file. Before you edit that file, make sure that you have a recent backup. Any mistake in either the syntax or one of the policy definitions can cause the entire installation of Content Studio to malfunction!

Security policies in brief

Starting with Content Studio version 5.1 there is a new policy-based security layer in the product. Policies are global rules that the Content Studio core enforces in certain security-sensitive scenarios, such as when creating and uploading documents and when previewing documents. A policy contains one or more rules that contain instructions on what to do, and Content Studio checks these rules one at a time from top to bottom.

For example, there is a policy that defines the allowed file extensions for EPT documents. By default this policy contains two rules that specify the file extensions .ept and .xml, and in this case .ept will be the default file extension for EPT documents. This policy is then used every time an administrator tries to update the allowed file extensions for a category, so that only these two file extensions are allowed in any EPT document category.

In Content Studio version 5.1 the Policy API has not been made public, but in a later version of the product user-defined policies can be used by applications that need global policy rules similar to those defined in Content Studio.

The Policies.policy file

The policies are defined in the file Policies.policy, located in the Security subdirectory of the directory where the Content Studio service is installed. The syntax of this file is enforced by an XML schema in Policies.xsd, located in the same directory.

The following example shows a small part of the policy file, where a policy named "AllowedEPTFileExtensions" is defined with two rules.

<policies>
    <policy type="AllowedEPTFileExtensions"
            status="enabled"
            description="The policy defines the file extension that are allowed for EPT documents.">
        <rule key=".ept" 
              value="" 
              status="enabled" 
              description="Allow EPT documents to be saved with the .ept file extension." />
        <rule key=".xml" 
              value="" 
              status="enabled" 
              description="Allow EPT documents to be saved with the .xml file extension." />
    </policy>
</policies>

Each policy has three attributes:

Policy attributes

Attribute: type
  Value: Required, the name of the policy.
  Remarks: Only policy names defined in the schema are allowed.

Attribute: status
  Value: Required, one of the following values is supported:
    • enabled
    • disabled
    • none
  Remarks: Defines the status of the policy.
    • enabled: The policy rules are enforced.
    • disabled: The policy rules will be loaded but ignored.
    • none: The policy appears as if it was not defined.

Attribute: description
  Value: Optional, a brief description of the policy.
  Remarks: In future releases of the product the policy API will be public and this description would turn up as a guide in a policy dialog.

The policy contains a number of rules each one having three attributes

Policy rule attributes

Attribute: key
  Value: Required, the key name of the rule.
  Remarks: The name is not case sensitive and must be unique within the policy.

Attribute: value
  Value: Required, but can be empty. Additional data for the rule.
  Remarks: The value can contain additional data for the rule, such as embedded XML or regular expressions. This attribute is not used by any policy rule in version 5.1.

Attribute: status
  Value: Required, one of the following values is supported:
    • enabled
    • disabled
    • none
  Remarks: Defines the status of the policy rule.
    • enabled: The rule is enforced.
    • disabled: The rule is ignored.
    • none: The rule appears as if it did not exist.

Attribute: description
  Value: Optional, a brief description of the policy rule.
  Remarks: In future releases of the product the policy API will be public and this description would turn up as a guide in a policy dialog.

Policies defined in version 5.1

The policies defined in version 5.1 are all used to enforce security rules that have to do with file types. A system as flexible as Content Studio offers very powerful possibilities for users to create documents on the web site. This also opens up a number of security holes, such as uploading files that contain code that can execute on the server (.aspx, .asp, .ashx etc.). To prevent this, Content Studio has a sophisticated layer of security based on Rights, Access control lists and Policy rules. For example, only users holding the right WriteActiveContent can upload files that are marked as being executable on the server side, and the list of executable file types is defined in a Policy.

The following policies are defined and enforced

List of policies

Name: RestrictedFileExtensions
  Description: This policy contains rules that define what types of files cannot be saved or created by users not holding the WriteActiveContent right. This policy is enforced for every document, but as such it would forbid regular users to create any normal document in Content Studio since, for example, the .aspx file extension is restricted. To avoid this, regular (not uploaded) documents can be created if their file extension is defined in the positive BypassInEditorFileExtensions policy.
  When to change: An administrator might need to disable some of the rules that specify file extensions when there is a need for ordinary users to be able to upload one of the file types that are marked as restricted by
  Remarks: CAUTION: If this policy is not enabled there will be no limitation based on file types for ordinary users to upload documents that can execute on the server side.

Name: BypassInEditorFileExtensions
  Description: This is a positive policy whose rules define file extensions that should not be restricted when created as an ordinary, not uploaded document. Some files such as .aspx, .ascx and .master are restricted in the upload policy, but users must be able to create them as ordinary documents in Content Studio. File extension rules defined here and enabled are excluded from the check performed by the RestrictedFileExtensions policy.
  When to change: An administrator might add more of the restricted file extensions that ordinary users should be allowed to create from within the Content Studio editor.
  Remarks: CAUTION! If this policy is not enabled only developers will be able to save any regular (not binary) document that has file extensions that appear in the RestrictedFileExtensions policy.

Name: AllowedEPTFileExtensions
  Description: This policy contains rules that define the only file types that are allowed for EPT documents. By default there are two rules defined that allow the .ept and .xml file extensions.
  When to change: An administrator might want to tighten security further by removing the .xml file rule, thus making it impossible to allow that extension for EPT documents.
  Remarks: CAUTION: If this policy is not enabled, EPT will not work!

Name: AllowedEPTFileExtensionsInPreviewDraftMode
  Description: Starting with Content Studio version 5.1 the default file extension of EPT documents has been changed to .ept instead of .xml. The reason for this is that if .xml is used, the web server happily returns the content of the EPT document in its native XML format. If the file name is known, an illegitimate user might be able to read sensitive data that, on the web site, was only viewable through a presentation template that might filter out the sensitive data. Using this method it would be possible to entirely bypass the EPT meta data security rules defined on the document as well. When the .ept file extension is used, the default settings of Internet Information Server 6 (Windows Server 2003) and later do not return unknown file types and will report that the file cannot be found. This makes it impossible to preview an EPT document via the preview manager, and the rules in this policy define what file extensions are allowed in preview mode. By default this policy has one rule that allows the .xml file extension.
  When to change: There is no reason to change this policy.
  Remarks: CAUTION: If this policy is not enabled, users cannot preview EPT documents.

Name: DefaultCategoryFileExtensions
  Description: This policy defines the default file extensions for new categories where no file extension has been specified. The Content Studio interface always specifies the file extensions, so this policy only concerns other applications that create categories. Normally the creator of a category specifies the file extensions to use, but if not, the rules in this policy kick in. If this policy is not enabled it will not be possible to create categories without specifying allowed file extensions. Consequently, if a specific rule is not enabled, that type of category cannot be created if no file extension has been provided.
  When to change: Change this policy only if there is a problem with code that creates categories and that relies on the default file extensions.
  Remarks: CAUTION: If this policy is not enabled, external applications that create categories might experience difficulties.

If you need to edit a policy rule you must do so directly in the Policies.policy file with an ordinary text editor. Before saving the file, make sure that it contains only valid XML. Any mistake will cause the entire Content Studio installation to malfunction.
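
A pre-save check for the constraints this article describes, as an added example that is not part of Content Studio or the original article: it reports XML that is not well-formed, status values other than the three documented ones, rule keys that collide when case is ignored, and any of the five version 5.1 policies that is not enabled. It assumes the unnamespaced layout shown in the excerpt above; lint_policies and SAMPLE are hypothetical names, and the check does not replace validation against Policies.xsd.

```python
import xml.etree.ElementTree as ET

STATUSES = {"enabled", "disabled", "none"}
# Version 5.1 policies whose CAUTION notes describe breakage when not enabled.
MUST_BE_ENABLED = {"RestrictedFileExtensions", "BypassInEditorFileExtensions",
                   "AllowedEPTFileExtensions", "DefaultCategoryFileExtensions",
                   "AllowedEPTFileExtensionsInPreviewDraftMode"}

# Constructed sample: a mistyped status and a key that differs only by case.
SAMPLE = """<policies>
  <policy type="AllowedEPTFileExtensions" status="enabled" description="">
    <rule key=".ept" value="" status="enabled" />
    <rule key=".EPT" value="" status="enable" />
  </policy>
</policies>"""

def lint_policies(xml_text):
    """Return a list of findings for a policy document; empty means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings, enabled = [], set()
    for policy in root.findall("policy"):
        ptype, pstatus = policy.get("type"), policy.get("status")
        if not ptype:
            findings.append("policy without the required type attribute")
            continue
        if pstatus not in STATUSES:
            findings.append(f"{ptype}: invalid status {pstatus!r}")
        elif pstatus == "enabled":
            enabled.add(ptype)
        seen = set()
        for rule in policy.findall("rule"):
            key, rstatus = rule.get("key"), rule.get("status")
            if key is None or rule.get("value") is None:
                findings.append(f"{ptype}: rule lacks required key or value")
                continue
            if rstatus not in STATUSES:
                findings.append(f"{ptype}/{key}: invalid status {rstatus!r}")
            if key.lower() in seen:  # rule keys are not case sensitive
                findings.append(f"{ptype}/{key}: duplicate key")
            seen.add(key.lower())
    for ptype in sorted(MUST_BE_ENABLED - enabled):
        findings.append(f"{ptype}: not enabled, see its CAUTION note")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_policies(SAMPLE)) or "no findings")
```

Run it against a copy of the edited file before replacing the live Policies.policy; the constructed sample yields six findings because it defines only one of the five policies.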