Sandbox
Some of SAP 3D Visual Enterprise Viewer's supported file formats use third-party libraries over which there is little control in terms of security. This means that vulnerabilities in third-party code, encountered when processing corrupt data from an external, untrusted source, might pose security issues and compromise SAP products.
Sandboxing provides guarantees about what a piece of code can or cannot do, no matter what the inputs. Sandboxing leverages the operating system-provided security to allow code execution that cannot make persistent changes to the computer or access information that is confidential. The architecture and exact assurances that the sandbox provides are dependent on the operating system.
Security through sandboxing is achieved by granting the sandboxed code the least possible access rights and privileges, ensuring that it works in accordance with a predefined set of rules. The collection of rules that any code running in the Sandbox must obey is called a Policy, and no other system resources beyond those defined in the policy can be accessed or operated on from within the sandbox.
The Sandbox for plug-ins feature is found under either the menu , or context menu .
The Sandbox for plug-ins feature also supports the group policy option. Using this, the network administrator can set a maximum security level and prevent users from changing it. Sandbox handling is implemented through the registry and is version dependent. The group policy writes to the registry, and SAP 3D Visual Enterprise Viewer reads it to enable or disable sandbox settings.
The .adm file is located at <SAP 3D Visual Enterprise Viewer install folder>\DomainGroupPolicies\SandBox.adm
Prerequisites
You have:
- A Windows Server setup with a domain
- Full administrative rights to that server
- SAP 3D Visual Enterprise Viewer already installed
Procedure
Installing the SAP 3D Visual Enterprise Viewer Group Policy "SandBox.adm"
- Log on to the domain server with full administrative rights.
- Copy the file Sandbox.adm from the installation folder of SAP 3D Visual Enterprise Viewer, and paste it into a location on the domain server for installation.
- From the Windows Start Menu, choose .
- In the Group Policy Management tree, right-click Group Policy Objects and choose New. Give the group policy a name, for example, <SAP Group Policy>. The newly added group policy displays under the group policy objects.
- Select the newly created policy object, right-click and choose Edit to display the Group Policy Object Editor window.
- From the User Configuration folder, right-click Administrative Templates, select Add/Remove Templates, and choose Add.
- Browse for the file Sandbox.adm that you have transferred across to the domain server, and open it.
- Choose Close to apply the changes. A folder entitled SAP 3D Visual Enterprise displays in the administrative templates. In that folder, double-click the Sandbox item to display the sandbox properties.
- Close the Group Policy Object Editor window to return to the Group Policy Management window. Right-click the domain to which you want to apply the group policy, and choose Link an Existing GPO. The group policy object is displayed in the Select GPO dialog, under Group Policy Objects.
- Log on and run SAP 3D Visual Enterprise Viewer. Check whether the changes in group policy display in the SAP 3D Visual Enterprise Viewer settings.
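Because the group policy takes effect by writing to the registry, the result of the last step can also be checked there. The PowerShell below is an added example, not SAP's code: it reads the registry locations that an .adm template declares and reports whether each value is present on the client. The sample template, its key and value names, and the function names are constructed for illustration and are not the contents of the real SandBox.adm.

```powershell
# Added example. Lists the registry values an .adm template manages and
# reports whether each one is present on this computer.
function Get-AdmRegistryValue {
    param([Parameter(Mandatory)][string[]]$AdmLine)
    $hive = 'HKCU'; $key = $null
    foreach ($line in $AdmLine) {
        $t = $line.Trim()
        if ($t -match '^\[strings\]') { break }   # localisation table follows, no settings
        if ($t -match '^CLASS\s+(USER|MACHINE)') {
            $hive = if ($Matches[1] -eq 'MACHINE') { 'HKLM' } else { 'HKCU' }
        } elseif ($t -match '^KEYNAME\s+"?([^"]+)"?') {
            $key = $Matches[1].Trim()             # simplification: last KEYNAME seen wins
        } elseif ($key -and $t -match '^VALUENAME\s+"?([^"]+)"?') {
            [pscustomobject]@{ Hive = $hive; Key = $key; Name = $Matches[1].Trim() }
        }
    }
}

function Test-AdmPolicyApplied {
    param([Parameter(Mandatory)][string[]]$AdmLine)
    foreach ($s in Get-AdmRegistryValue -AdmLine $AdmLine) {
        $path = '{0}:\{1}' -f $s.Hive, $s.Key
        $name = $s.Name
        # A missing key or value yields no object, so Set becomes False.
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path = $path
            Name = $name
            Set  = [bool]$item
            Data = if ($item) { $item.$name } else { $null }
        }
    }
}

# Constructed sample in ADM syntax; key and value names are placeholders.
$sample = @'
CLASS USER
CATEGORY "Example Vendor"
  POLICY "Example sandbox policy"
    KEYNAME "Software\Policies\ExampleVendor\ExampleViewer"
    VALUENAME "ExampleSandboxLevel"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY
'@ -split "`r?`n"

Test-AdmPolicyApplied -AdmLine $sample | Format-Table -AutoSize
```

To audit a real client, pass the lines of the template from the DomainGroupPolicies folder with Get-Content instead of $sample, and run it as the user the policy targets, because CLASS USER settings are stored under that user's HKCU hive.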

