Security Warnings pop up in Run Time distribution Access 2003

J

Jason

How do you set the macro security level for the Access
2003 runtime? There are no menu bars.

Thank you,

Jason
 
M

Michael Cheng [MSFT]

Hi Jason,

From your descriptions, I understand that you would like to set Security
Level in Access 2003 Runtime. Have I understood you? If there is anything I
misunderstood, please feel free to let me know.

Based on my knowledge, Even though an application is developed in Low
Security, when it's deployed the target machines running Access Runtime are
in Medium security by default and you cannot modify Macro Security settings.

However, you could do in this way (NOTE! that there is not a way to deploy
the applicable registry keys to modify Macro Security settings with Runtime
using Access Developer Extensions 2003, A more robust application like
InstallShield would better serve you)

The applicable registry settings are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines]
"SandBoxMode"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\11.0\Access\Security]
"Level"=dword:00000001

Note Again that these are DWORD registry entries, and cannot be implemented
within the Package Wizard. An internet package uses an .INF file to add
registry values and DWord's are not a documented key that can be added via
an .INF. It only accepts binary registry entries. So to use the Package
Wizard, you'd need to work around this.

Moreover, you could do this as another workaround, which may be more complex
A. Manually add/change those keys on the target machines
B. Perform this through a script (which would need to be run separately or
included in a chained installation package)
C. Install and run the sample code database previously provided. It does
adjust both the Sandbox and Security Level code. If the Security Level
entry does not exist on your clients then you'll have to programmatically
create it.
D. Sign your code with a digital certificate

The developer needs to get a digital signature from one of the companies
listed on the following web site. The company you choose should provide a
Code Sign signature:
Microsoft Root Certificate Program Members
http://msdn.microsoft.com/library/?url=/library/en-us/dnsecure/html/rootcert
prog.asp

The developer can also use a signature created with Microsoft Certificate
Server.
Certificate Server comes with Microsoft Windows NT 4.0 Option Pack,
Microsoft
Windows 2000 Server and Microsoft Windows 2003 Server.

Steps to Add the Digital Signature to the Application
1. Once you have the digital signature on development computer open the
database you want to create the setup routine for.
2. On the Tools menu, point to Macro, and then click Visual Basic Editor.
3. In the Project Explorer, select the project you want to sign.
4. On the Tools menu, click Digital Signature.
5. If you haven't previously selected a digital certificate or want to use
another one, click Choose, select the certificate, and then click OK twice.
6. To use the current certificate, click OK.
7. Close the Visual Basic Editor and Access.
8. Create the setup routine.

Steps to Trust the Signature if it isn't automatically trusted
1. Open the database.
2. Click Yes if prompted with the security warning: Unsafe expressions are
not blocked.
3. Click Details
4. Click View Certificate
5. Click the Certification Path tab.
6. Select the Certification path that has the Red x and then click View
Certificate.
7. Click Install Certificate.
8. In the Certificate Import Wizard, click Next.
9. Leave the option to Automatically select the certificate store based on
the type of certificate.
10. Click Finish
11. Click Yes
12. Click OK four times until you are back at the security warning.
13. Open or Cancel the operation.
14. The next time you open the database, you will have the option to
"Always trust files from this publisher and open them automatically.

Thank you for your patience and cooperation. If you have any questions or
concerns, don't hesitate to let me know.

Sincerely yours,

Michael Cheng
Microsoft Online Support
***********************************************************
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Please reply to newsgroups only, many thanks.
 
C

Cyberwombat

I have the same problem, and am getting EXTREMELY FRUSTRATED.

I tried your suggestion regarding the registry entries on a workstation that only has the Access runtime installed. The WS only had the first, not the second, entry. When I changed the first to "2" and tried to run the app, it asked (in so many words) if I wanted to block. Saying "Yes" reset the registry entry. Saying "no" triggered several additional warning dialog boxes.

Will manually adding the second registry entry solve this problem? I just want the warning messages to GO AWAY. My app is a relatively simple Access DB for a small client, and frankly, going thru the trial and expense of getting a digital signature and incorporating it into the installation is a major pain.
 
G

Garyh

EXTREMELY FRUSTRATED too. This issue needs to be addressed by Microsoft as it makes the Visual Studio Tools product unusable in the context of Access development. The claims made on th ebox regarding Access developmentIt says on the are not reality

Please add your comments to this complaint and maybe we can get something done.

Access ODE for 97 has allowed me to ditribute many applications successfully!
 
M

Michael Cheng [MSFT]

Hi All,

Thanks for your reply.

I apologized for that mistyping.
0. Open Registry Editor with command "regedit" from Start -> Run
1. Go into
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Access\]
2. Right Click -> New -> Key, type "Security" (no quotation mark included)
3. In newly created Key Security, Right Click -> New -> DWORD Value, type
"Level " (no quotation mark included)
4. double Click new created value Level, type "00000001" (no quotation mark
included) in Value data and keep others what it used to be
5. restart machine and you will see it works:)

Wish you all a GOOD day!

If you have any questions or concerns, don't hesitate to let me know.

Sincerely yours,

Michael Cheng
Microsoft Online Support
***********************************************************
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Please reply to newsgroups only, many thanks.
 
M

Michael Cheng [MSFT]

Hi All,

Thanks for your reply.

You could make it successfully follow these setps:
0. Open Registry Editor with command "regedit" from Start -> Run
1. Go into
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\Access\]
2. Right Click -> New -> Key, type "Security" (no quotation mark included)
3. In newly created Key Security, Right Click -> New -> DWORD Value, type
"Level " (no quotation mark included)
4. double Click new created value Level, type "00000001" (no quotation mark
included) in Value data and keep others what it used to be
5. restart machine and you will see it works:)


If you have any questions or concerns, don't hesitate to let me know.

Sincerely yours,

Michael Cheng
Microsoft Online Support
***********************************************************
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Please reply to newsgroups only, many thanks.
 
G

garyh

Thanks for the tip regarding the registry entry, but I am trying to distribute a professional application to non technical people (the majority of the worlds population hopefully). How would you feel if you had just paid for a brand new piece of software and the first thing you have to do after installing it is go into the registry and start editing it.

Microsoft must answer this

Gary
 
C

Cyberwombat

Michael:

That did the trick, thank you for your help.

< rant
However, I must agree with Gary regarding this issue. After checking with some of the digital certificate peddlers, I found out it would cost a bundle to do what we needed to do. This is an unreasonable and (I would argue) unnecessary expense for small clients using Access for relatively simple needs. It's taken me three evenings to track this solution down for a part-time contract, and frankly, I resent having to do so with so much other work to be done.

This is going to cost MS in the long run, as corporations and solution providers discover that getting around this security message isn't easy (and decide to investigate other products than Access). Whoever decided to include this "feature" with Office needs a good smacking, and you can give them my email and tell them I said so.

< /rant

Again, thanks for your help. I hope you don't think I'm taking my frustrations out on you.
 
M

Michael Cheng [MSFT]

Hi Gary,

Thanks for your reply.

Based on my knowledge, you could make this inserting registry in your
installation of access package instead of makeing user make the change of
registery manually.

As I have replied in the first post, the registry key we want to insert is
DWORD registry entries so that and cannot be implemented within the Office
2003 Developer Extension's Package Wizard, which only accepts binary
registry entries. However, you could have a try on InstallShield, which
will serve you better, with which software user only need a restart after
installation to remove that security warning.

Anyway, you could find the importance of Access Security Warning in Access
Help, titled with "About helping protect files from macro viruses"

I am so sorry for the inconvenience that you may meet again and thank you
for your patience and cooperation. If you have any questions or concerns,
don't hesitate to let me know. We are here to be of assistance!

Sincerely yours,

Michael Cheng
Microsoft Online Support
***********************************************************
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Please reply to newsgroups only, many thanks.
 
J

Jason

Thank you Michael your sugestions did help as I was looking for that elusive registry key as I had it before though I had lost my notes. The issue had been resolved in another way previously by starting the Access application with a code module as opposed to the autoexec macro. As through the code the digital certificate signing method does work as well as the ability to suppress warning message. Sorry for the delay in my response, been swamped, I really appreciate your quick responses and follow up emails. I had made a similar posting back in January and no one responded. Thank you, have a great day

Jason
 
G

Garyh

Hi jason

Sorry I haven't got an answer but I wanted to let you know that I don't think it can be done. I have posted several mesages to the groups and no-one has come forward from MS with anuy info. This disfunction has actually stopped the distribution of my companies latest application. I am having to go back to Access 97 and use the ODE kit to creat an app that will actually install and run - progress?

Regard

Gar
Access Developer
 
G

Garyh

Thanks Michael for your efforts, but Im afraid you're missing th epoint here. I bought Visual Studio tools specifically to distribute access 2003 apps and it is not happening because of the Jet SP isuue and the ridiculous macro security level disfeature. The MS response is use Installshield - way not good enough

Gary
 
T

Tamar Katz

Hi. Has any one automated the applicable registry settings through
script? If so, could you please share the file? What type of file
would that be?

This is in reference to point B that Michael Cheng has brought up as
below:

B. Perform this through a script (which would need to be run
separately or
included in a chained installation package)
Thanks
-----------------------------------------------
Hi Jason,

From your descriptions, I understand that you would like to set Security
Level in Access 2003 Runtime. Have I understood you? If there is anything I
misunderstood, please feel free to let me know.

Based on my knowledge, Even though an application is developed in Low
Security, when it's deployed the target machines running Access Runtime are
in Medium security by default and you cannot modify Macro Security settings.

However, you could do in this way (NOTE! that there is not a way to deploy
the applicable registry keys to modify Macro Security settings with Runtime
using Access Developer Extensions 2003, A more robust application like
InstallShield would better serve you)

The applicable registry settings are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines]
"SandBoxMode"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\11.0\Access\Security]
"Level"=dword:00000001

Note Again that these are DWORD registry entries, and cannot be implemented
within the Package Wizard. An internet package uses an .INF file to add
registry values and DWord's are not a documented key that can be added via
an .INF. It only accepts binary registry entries. So to use the Package
Wizard, you'd need to work around this.

Moreover, you could do this as another workaround, which may be more complex
A. Manually add/change those keys on the target machines
B. Perform this through a script (which would need to be run separately or
included in a chained installation package)
C. Install and run the sample code database previously provided. It does
adjust both the Sandbox and Security Level code. If the Security Level
entry does not exist on your clients then you'll have to programmatically
create it.
D. Sign your code with a digital certificate

The developer needs to get a digital signature from one of the companies
listed on the following web site. The company you choose should provide a
Code Sign signature:
Microsoft Root Certificate Program Members
http://msdn.microsoft.com/library/?url=/library/en-us/dnsecure/html/rootcert
prog.asp

The developer can also use a signature created with Microsoft Certificate
Server.
Certificate Server comes with Microsoft Windows NT 4.0 Option Pack,
Microsoft
Windows 2000 Server and Microsoft Windows 2003 Server.

Steps to Add the Digital Signature to the Application
1. Once you have the digital signature on development computer open the
database you want to create the setup routine for.
2. On the Tools menu, point to Macro, and then click Visual Basic Editor.
3. In the Project Explorer, select the project you want to sign.
4. On the Tools menu, click Digital Signature.
5. If you haven't previously selected a digital certificate or want to use
another one, click Choose, select the certificate, and then click OK twice.
6. To use the current certificate, click OK.
7. Close the Visual Basic Editor and Access.
8. Create the setup routine.

Steps to Trust the Signature if it isn't automatically trusted
1. Open the database.
2. Click Yes if prompted with the security warning: Unsafe expressions are
not blocked.
3. Click Details
4. Click View Certificate
5. Click the Certification Path tab.
6. Select the Certification path that has the Red x and then click View
Certificate.
7. Click Install Certificate.
8. In the Certificate Import Wizard, click Next.
9. Leave the option to Automatically select the certificate store based on
the type of certificate.
10. Click Finish
11. Click Yes
12. Click OK four times until you are back at the security warning.
13. Open or Cancel the operation.
14. The next time you open the database, you will have the option to
"Always trust files from this publisher and open them automatically.

Thank you for your patience and cooperation. If you have any questions or
concerns, don't hesitate to let me know.

Sincerely yours,

Michael Cheng
Microsoft Online Support
***********************************************************
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Please reply to newsgroups only, many thanks.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top