
Access 2003 Macro Security Levels, Sandbox Mode, and Digitally Signed Files


Academic year: 2021


Tim Gordon

TWLMG@PUBLICNETWORKING.ORG

Programming Plus (816) 333-7357

About dangerous code

Dangerous code can consist of powerful commands that may exist in an Access file you open — in its objects (such as queries, forms, reports, and macros), and also in its Microsoft Visual Basic for Applications (VBA) modules.

You can prevent some potentially dangerous code from running by running Access in sandbox mode, which is strongly recommended.

How the macro security level works

Access features three different macro security levels that control what happens when you first try to open a database file, and what can then happen while you have that database open. These levels are High, Medium, and Low:

At the High macro security level, Access prevents you from opening any file unless it is digitally signed.

At the Medium macro security level, Access prompts you with a message when you first open a file. This message warns you that the file could contain code that might damage your computer or data, and gives you the choice of either opening the file or not. The file may or may not have a digital signature. If you decide not to open the file, you can choose to scan it for viruses, check with the originator of the file (that is, the person or company that created or changed it) to verify that it is safe, and then open it later.

At the Low macro security level, Access allows you to open any database file without being prompted. It is strongly recommended that you never use the Low macro security level.

The macro security level for each Microsoft Office program is independent of all other Office programs. So, for example, if you set the macro security level to Medium in Access and the macro security level is already set to High in Microsoft Word, the security level for Word won't change.


What to do if you don't see the Security command

To change your macro security level in Access, you'll need to use the Security command (Tools menu, Macro submenu). However, this and other commands may have been made unavailable by your organization's Office administrator.

Note You may want to check with your Office administrator before attempting this procedure. Certain commands, such as the ability to change macro security levels, may have been made unavailable as part of your organization's security policy.

To make the Security command available

1. On the Tools menu, click Customize, and then click the Commands tab.

2. Click Rearrange Commands, click Menu Bar, and then in the Menu Bar box, click Tools | Macro.

3. Under Controls, click the Add button.

The Add Command dialog box appears.

4. In the Categories list, click Tools.

5. In the Commands list, click Security, and then click OK. The Security command now appears in the Controls list.

6. Use the Move Up and Move Down buttons to position the Security command where you want.

7. Click Close twice.

Access sandbox mode

For an additional layer of safety while working in Access, you can run the program in sandbox mode.

What is sandbox mode? Simply put, running in sandbox mode helps ensure that any potentially dangerous commands that could be run from an Access expression will be blocked. Access is "playing safely in a sandbox," so to speak, and is not being allowed to hurt anything outside its domain.

How sandbox mode protects your computer

In Access, it's possible to run dangerous VBA code in expressions — strings of instructions that Access can use to perform operations on your database. These expressions can include commands and properties that could delete files, change file attributes, start other programs, change Access settings, or change environment settings (for example, the PATH statement) on your computer. Running Access in sandbox mode helps prevent dangerous code from being run in expressions.

Important Code in a module or macro cannot be disabled by sandbox mode. To prevent macros or VBA code from being run in Access or to safely remove such code from your database altogether, you can do one or both of the following: Remove the macros or the modules that contain the code, or disconnect the modules that contain code connected to the database objects. Take care to ensure that you don't inadvertently remove functionality from your forms, reports, and other database objects.

Functions and properties that are blocked in sandbox mode

HTTP://SUPPORT.MICROSOFT.COM/DEFAULT.ASPX?SCID=KB;EN-US;294698&PRODUCT=ACC and


How do you identify and fix functions and properties that are blocked in sandbox mode so that your database continues to function properly?

If you have Microsoft Office Access 2003 Developer Extensions installed, you can use the Custom Startup Wizard to search for all the expressions that are blocked in sandbox mode. The Custom Startup Wizard helps you create new databases with custom startup options based on a development database, but it also provides an option to find the expressions that are blocked in sandbox mode.

For more information on how to identify and fix unsafe expressions, see: Frequently asked questions about Access security warnings, Question 19 HTTP://OFFICE.MICROSOFT.COM/EN-US/ASSISTANCE/HA011225981033.ASPX#190

Access 2003 Developer Extensions are part of the new Visual Studio Tools for the Microsoft Office System software package.

Visual Studio Tools for the Microsoft Office System: HTTP://MSDN.MICROSOFT.COM/HOWTOBUY/VSTO/DEFAULT.ASPX

Visual Studio Tools for the Microsoft Office System: Version Upgrade $199 US; Estimated Price $499 US

The Jet 4.0 Service Pack 8 update

To run Access in sandbox mode, you must first install the Service Pack 8 (SP8) update for Microsoft Jet 4.0 — a program that Access uses behind the scenes for many of its operations, such as running queries and updates. At any time, go to Microsoft.com, click Windows Update in the left column, and then install all high-priority and critical Windows updates.

Before you do this, you first may be able to determine if the Jet 4.0 SP8 update has already been installed on your computer by looking in the Add or Remove Programs section of Control Panel. If you have installed the Service Pack 2 (SP2) update for Windows XP, at the top of the Add or Remove Programs window, make sure that the Show updates check box is selected. If you find the Windows Hotfix KB837001 or KB829558, the Jet 4.0 SP8 update has been installed. You should still install all critical and high-priority Windows updates, however.

Important This update to the Jet engine is a vital part of security in Access and should be installed for every computer that runs Access. In fact, it's part of the Windows critical updates.

Note In order to install the Jet 4.0 SP8 update, you must have Administrators permissions on your computer. See your Office administrator for more details.
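
The Add or Remove Programs check described above can also be run from a script, which helps when several computers have to be checked. The following PowerShell function is an added example, not part of the original article. It assumes PowerShell 2.0 or later (for the Get-HotFix cmdlet) and permission to query each computer; the function name Get-JetSp8HotfixStatus is made up for illustration, and the two hotfix IDs are the ones named above.

```powershell
# Added example (not from the original article). The two hotfix IDs are the
# ones the text above names as evidence that Jet 4.0 SP8 is installed.
$JetSp8HotfixIds = @('KB837001', 'KB829558')

function Get-JetSp8HotfixStatus {
    param(
        # Computers to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        $matched = @()
        try {
            # List every installed hotfix and filter locally. Asking Get-HotFix
            # for a specific -Id raises an error when that ID is absent, which
            # could not be told apart from a failed connection in the catch.
            $matched = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $JetSp8HotfixIds -contains $_.HotFixID } |
                ForEach-Object { $_.HotFixID })

            if ($matched.Count -gt 0) {
                $status = 'Jet 4.0 SP8 hotfix present'
            } else {
                # Absence is inconclusive: the article notes that the update
                # may also be delivered as part of a rollup update.
                $status = 'Not listed (inconclusive)'
            }
        } catch {
            $status = "Query failed: $($_.Exception.Message)"
        }

        New-Object PSObject -Property @{
            ComputerName = $computer
            HotfixIds    = ($matched -join ', ')
            Status       = $status
        } | Select-Object ComputerName, HotfixIds, Status
    }
}

# Constructed usage: check the local computer and print the result as a table.
Get-JetSp8HotfixStatus | Format-Table -AutoSize
```

A "Not listed" result does not prove the update is missing, so the advice above to install all critical and high-priority Windows updates still applies.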

What happens if you enable sandbox mode without installing the latest Jet service pack?

Under these circumstances, several Access features will not work properly. These features were not installed or are not enabled because the latest version of the Jet service pack is required for Access to be in sandbox mode, yet retain its full functionality.

The following is a list of things that might not work properly if you enable sandbox mode before installing the latest Jet service pack:

Wizards may not start.

Switchboards created by using the Switchboard Manager won't function properly.

You can't use the RunCode macro action to call a Visual Basic for Applications (VBA) procedure.

Event handlers that call VBA procedures won't function.

VBA procedures that are called from a property sheet or used in an SQL statement won't function.

The following VBA functions won't work when called from a property sheet or used in an SQL statement:


After you have installed the Jet update

When you start Access for the first time after installing the Jet 4.0 SP8 update, and Access is set to either the Medium or High macro security level, you will see the message shown above.

What does this message mean? Simple — click Yes to block unsafe expressions and run Access in sandbox mode. Assuming that you are running Access at the High or Medium macro security level, you're all set — and you should not see any more messages about sandbox mode, unless you change the macro security level and then explicitly choose to allow blocked expressions.

If your macro security level is set to Low, you won't be prompted about blocking unsafe expressions when you start Access for the first time after installing the Jet update. Only when you change the macro security level to Medium or High will you see the message shown above. Change your macro security level to Medium or High, and then click Yes to block unsafe expressions.

You've probably noticed that this message does not actually mention "sandbox mode" at all, but it is important to understand that choosing to block unsafe expressions is sandbox mode. By clicking Yes, you are choosing to block unsafe expressions and therefore to run Access in sandbox mode. To turn off sandbox mode — which is strongly discouraged — you would have to change the macro security level to Medium or High, and then click No when you are prompted whether you want to block unsafe expressions.

About digital signatures and trusted publishers


When you explicitly trust a particular signer of files, you can add that person or company to your computer as a "trusted publisher" — someone who is known by you or by your company to be reputable.

Although an entity (such as a software company or a consultant) may have a digital certificate from a certificate authority, that certificate means nothing until you decide to do one of the following:

Open the file (Medium macro security level). — or —

Add the owner of that certificate to the list of trusted publishers on your computer (High or Medium macro security level). What it comes down to is this: Whether to trust the publisher is ultimately up to you.

How digital signatures and the macro security level work together

[Figure: Access displays this warning message when you open a digitally signed file at the Medium macro security level.]

[Figure: Access displays this security warning when you open an unsigned file at the High macro security level.]

There are two major factors to consider in whether to accept a digitally signed file: the macro security level setting in Access, and what actions you will take when you open the file.

At the Medium macro security level, when you open a digitally signed file for the first time, either you can open that file right away (by clicking Open), or you can permanently add its signer to your list of trusted publishers. If you add its signer as a trusted publisher, Access will treat any other files with that same digital signature as coming from a trusted entity.

At the High macro security level, things are buttoned down a bit more tightly. To be opened, any file must be digitally signed (no exceptions), and you must accept the digital signature and permanently add its signer to your list of trusted publishers. As with the Medium macro security level, any other files with that same digital signature will then be treated as coming from a trusted entity.

In Access, unlike most other Office programs, it simply isn't possible to open a file that has no digital signature at its highest (High) macro security level. Conversely, at the highest macro security level (Very High) in Microsoft Excel and Word, you can open a file but all macros will be disabled. At the Medium macro security level (Word and Excel), you can choose to enable or disable macros while opening your file. In Access, there is no option to open a file and disable macros — Access macros are fundamentally different in their nature from Word or Excel macros.


The safer, the better

In general, when you receive a digitally signed file from a trusted entity, you can feel reasonably confident the file is safe. This is primarily due to two things:

To digitally sign a file, you must have what is known as the "private key" for the signature — the private key allows you to add its unique signature to a file.

Thus, if someone without the private key changes a signed file by making potentially dangerous changes, such as adding or altering code, macros, or expressions, the digital signature will become invalid and will be removed from the file.

Caution At the Medium macro security level in Access, when you open a digitally signed file that has lost its signature, the standard security warning message for the Medium level will be displayed (see the picture above), as if the file had never been signed at all. Remember to exercise great care when you consider opening any file that's not signed. At the High macro security level, you simply won't be able to open the file because it no longer has a signature.

Before you open a file that has lost its signature, you should exercise extreme caution: You can run a virus scan, notify the publisher that the signature for the file is no longer valid, or retrieve a backup version of the file. It's then up to you whether to open the file. If you do decide to open the file, you should examine all objects and VBA modules, macros, or expressions for any suspicious code.

In summary, at the Medium and High macro security levels, when you open a file that has a digital signature from a trusted publisher, you won't be prompted with any security warnings. If you do see a warning, this indicates the file may have been changed by an unauthorized party or corrupted.

It's often said that no one is an island. It is recommended that you operate at the High macro security level. If you need to work with unsigned files from other sources, you can use the Medium macro security level to do that; however, you should always examine such files and sources carefully before choosing to enable any macros, and change back to High when you no longer need to use the Medium macro security level. At the Medium macro security level, when you open a file with a signature that you have not yet added as a trusted publisher, the warning message from Access should cause you to think about which files you can trust.

Do you feel completely secure?

You shouldn’t. That's because there's no such thing as absolute security. Nonetheless, using common sense, running antivirus software, choosing strong security options, and working with digitally signed files should greatly decrease the chance that you'll suffer from a catastrophic security breach.

Quick Reference:

Introduction to security

Avoid viruses

You need to develop and stick to a plan for keeping viruses out of your computer:

Install and run antivirus software.

Understand how your antivirus software works.


Know from whom you get your database files.

Keep your antivirus software up to date.

Set the macro security level that's right for you

Avoid using the Low macro security level. It is recommended that you use the High macro security level. If you need to work with unsigned files from other sources, you can use the Medium security level to do that; however, you should always examine such files and sources carefully before choosing to enable any macros, and change back to High when you no longer need to use Medium.

Depending on your macro security level setting, you may or may not be prompted with a security warning message when you open files.

Using the High macro security level means that you can open only digitally signed files.

Set the macro security level by pointing to Macro on the Tools menu, clicking Security, and then clicking an option on the Security Level tab.

Can't find the Security command on the Macro submenu? Perform the procedure in the next section, "Make the Security command available on the Macro submenu."

You can change the setting of the macro security level and have it take effect on any subsequent file that you open in Microsoft Access. Depending on whether Access is currently configured to block unsafe expressions (that is, whether it's in sandbox mode), you may be alerted that you need to exit and restart Access for the new security setting to take effect.

Make the Security command available on the Macro submenu

Note You may want to check with your Office administrator before attempting this procedure. Certain commands, such as the ability to change macro security levels, may have been made unavailable as part of your organization's security policy.

1. On the Tools menu, point to Macro, and then look for the Security command.

If you see the Security command on the Macro submenu, you're all set. If you don't see the Security command on the Macro submenu, continue with this procedure.

2. On the Tools menu, click Customize, and then click the Commands tab.

3. Click Rearrange Commands, click Menu Bar, and then in the Menu Bar box, click Tools | Macro.

4. Under Controls, click the Add button.

The Add Command dialog box appears.

5. In the Categories list, click Tools.

6. In the Commands list, click Security, and then click OK. The Security command now appears in the Controls list.

7. Use the Move Up and Move Down buttons to position the Security command where you want.

8. Click Close twice.

Understand and use digital certificates

Check with your Office administrator on your company's policies about using digital signatures.

Find out if your organization creates its own digital signatures.

Are you allowed to self-sign your own files or the files for your workgroup?

Check with your Office manager to find out which publishers you should trust.

Just because a file is digitally signed doesn't mean it's safe. Verify the origin of your files yourself for trustworthiness, and scan them by using an antivirus program.

Check a digital


1. In Internet Explorer, on the Tools menu, click Internet Options and then click the Content tab.

2. Next, click Certificates.

If you can find your publisher in a list on the Intermediate Certification Authorities tab or Trusted Root Certification Authorities tab, that publisher has been validated by a certificate authority. If your publisher shows up only in a list on the Personal tab or Other People tab, the certificate is merely self-signed — and you should question its origin.

Using Netscape 7.1

1. In Netscape, on the Edit menu, click Preferences.

2. In the Preferences dialog box, double-click Privacy & Security, and then click Certificates.

3. Click Manage Certificates.

You may want to seriously question the credentials of your publisher if it appears anywhere but in the box on the Authorities tab.

Set up digital certificate revocation checking

Digital signatures expire or get revoked. It's a good practice every now and then to verify that a publisher's digital certificate has not been revoked by its certification authority. You can set up revocation checking in Internet Explorer 6.0 or later and in Netscape 7.1.

Using Internet Explorer 6.0 or later

1. In Internet Explorer, on the Tools menu, click Internet Options, and then click the Advanced tab.

2. In the Settings list, scroll down to the Security section, and then select the Check for publisher's certificate revocation check box.

Using Netscape 7.1

1. In Netscape, on the Edit menu, click Preferences.

2. In the Preferences dialog box, double-click Privacy & Security, and then click Validation.

Learn about certification authorities

Certification authorities are independent commercial bodies that issue digital certificates.

Create your own digital certificates

When you run Access at the High macro security level, you can create a digital certificate for yourself so that files you create will be trusted.

Macro security settings

Here's a table to show how the various macro security settings work in Access.

| Macro security level | If the origin of the file is a trusted publisher... | And the file is digitally signed... | Access will: |
| --- | --- | --- | --- |
| High | Yes | Yes | Open the file without prompting you. |
| High | No | Yes | Inform you that the file is digitally signed. Access will allow you to open the file if you add its signer to your computer as a trusted publisher. |
| High | No | No | Not allow you to open the file. |
| Medium | Yes | Yes | Open the file without prompting you. |
| Medium | No | No | Warn you that the file is not signed and that it could contain dangerous code, but allow you to open the file anyway. |
| Low | Yes or No | Yes or No | Allow you to open any file, whether it is digitally signed or not. |

Install the Microsoft Jet 4.0 Service Pack 8 update and run Access in sandbox mode

Important You should install this Microsoft Windows update as soon as you can. If you have not installed the update and your macro security level is set to Low, any time you open a file in Microsoft Office Access 2003, you will be prompted to install the update.

To install the update, go to Microsoft.com, click Windows Update, and then choose to install all high-priority and critical updates — the Jet 4.0 Service Pack 8 (SP8) update may be available on its own or as part of any number of "rollup" updates.

Any time you are prompted with a message asking if you want to block unsafe expressions, click Yes to run Access in sandbox mode.

Not sure about warning messages? If you have completed the installation of the Jet 4.0 SP8 update and you are concerned about messages that mention sandbox mode or the update, keep the following in mind: If a message box asks if you want to block unsafe expressions, the Jet 4.0 SP8 update has been successfully installed, and you are ready to run Access in sandbox mode. You can safely ignore any message such as "Microsoft Jet 4.0 Service Pack 8 or later must be installed to block unsafe expressions without affecting common functionality" — that message is purely informational and does not mean that you need to reinstall the Jet 4.0 SP8 update.

Quick Reference:

Sign your own macros for stronger security

Summary of macro security levels

| Macro security level | Trust all installed add-ins and templates check box | Digitally signed | From trusted sources | Microsoft Excel, Microsoft PowerPoint, and Microsoft Word will: |
| --- | --- | --- | --- | --- |
| Very High | Cleared | Yes or No | Yes or No | Disable the add-in or macro. Remember: All macros, COM add-ins, and smart tag .dll files will be disabled. This may interfere with some processes in Microsoft Office. |
| High | Cleared | Yes | Yes | Run the add-in or macro silently. |
| High | Cleared | Yes | No | Open the Security Warning dialog box so that you can choose to enable or disable macros. |
| High | Cleared | No | n/a | Disable add-ins or macros. |
| Medium | Cleared | Yes | Yes | Run the add-in or macro silently. |
| Medium | Cleared | Yes | No | Open the Security Warning dialog box so that you can choose to enable or disable macros. |
| Medium | Cleared | No | n/a | Open the Security Warning dialog box so that you can choose to enable or disable macros. |
| Low | Cleared | Yes or No | Yes or No | Run the add-in or macro silently. |
| Very High, High, Medium, or Low | Selected | Yes or No | Yes or No | Run all add-ins silently. Macros will be run silently if they're in the User Templates folder, Workgroup Templates folder, or Startup folder. |


settings previously described.

Note Microsoft Access does not have a Very High macro security level.

Set the macro security level

In Access, Excel, PowerPoint, and Word:

1. On the Tools menu, point to Macro, and then click Security.

2. In the Security dialog box, click the Security Level tab. Make sure that the macro security level is set to High; if it's not, consider changing it now.

3. Click OK.

Install Digital Certificate for VBA projects (SelfCert.exe)

1. On the taskbar, click the Start button, and then click Control Panel.

2. Click Add or Remove Programs. (If you use Category View in Control Panel, you'll have to click Add or Remove Programs again.)

3. Make sure that Change or Remove Programs is selected on the left, and then scroll down the page and click Microsoft Office Professional Edition 2003. Click the Change button.

4. In Microsoft Office 2003 Setup, make sure that Add or Remove Features is selected; then click Next. Select the Choose advanced customization of applications check box; then click Next.

5. Click the plus sign next to Office Shared Features, click the arrow next to Digital Certificate for VBA projects (SelfCert.exe), and then click Run from My Computer.

6. Click Update. When the installation is finished, click OK.

Create a self-signed digital certificate

1. On the taskbar, click the Start button, point to All Programs, point to Microsoft Office, point to Microsoft Office Tools, and then click Digital Certificate for VBA Projects.

2. In the Create Digital Certificate dialog box, type a unique name in the Your certificate's name box, and then click OK.

3. You'll see a success message. Click OK.

Sign a macro with a digital signature

In Access, Excel, PowerPoint, and Word:

1. On the Tools menu, point to Macro, and then click Visual Basic Editor.

2. Open the module that contains your macro. Review your code. It's always a good idea to review your code before signing it.

3. In the Visual Basic Editor, on the Tools menu, click Digital Signature.

4. In the Digital Signature dialog box, click Choose, click the certificate you wish to use, and then click OK.

5. Click OK, and then, on the File menu, return to the program.

Remember, you'll have to add the certificate to your list of trusted publishers the first time that you try to use it. This process will sign all the macros in the file.

Digital certificates in a workgroup

There is no way to share the private key of a self-signed certificate created by using the SelfCert.exe file, so other people in your workgroup will not be able to run or use your macros at the High macro security level. If you do want this functionality, you must create a certificate by using the MakeCert.exe file instead of the SelfCert.exe file.


References:

Introduction to security: HTTP://OFFICE.MICROSOFT.COM/TRAINING/TRAINING.ASPX?ASSETID=RC011461801033

Sign your own macros for stronger security: HTTP://OFFICE.MICROSOFT.COM/TRAINING/TRAINING.ASPX?ASSETID=RC011615881033

Security in Office: HTTP://OFFICE.MICROSOFT.COM/TRAINING/TRAINING.ASPX?ASSETID=RC010425851033

Functions and properties that are blocked in sandbox mode: HTTP://SUPPORT.MICROSOFT.COM/DEFAULT.ASPX?SCID=KB;EN-US;294698&PRODUCT=ACC and HTTP://OFFICE.MICROSOFT.COM/EN-US/ASSISTANCE/HP010447361033.ASPX

Frequently asked questions about Access security warnings: HTTP://OFFICE.MICROSOFT.COM/EN-US/ASSISTANCE/HA011225981033.ASPX

Visual Studio Tools for the Microsoft Office System: HTTP://MSDN.MICROSOFT.COM/HOWTOBUY/VSTO/DEFAULT.ASPX

Anti-Virus Resources for Microsoft Office: HTTP://OFFICE.MICROSOFT.COM/EN-US/ASSISTANCE/HA010450731033.ASPX

Let Office XP check for revoked certificates: HTTP://OFFICE.MICROSOFT.COM/EN-US/ASSISTANCE/HA010348761033.ASPX

TechNet Security: HTTP://WWW.MICROSOFT.COM/TECHNET/SECURITY/DEFAULT.MSPX

Create your own digital certificate: HTTP://OFFICE.MICROSOFT.COM/EN-US/ASSISTANCE/HP010446111033.ASPX

Add a digital signature to a file or a VBA project: HTTP://OFFICE.MICROSOFT.COM/EN-US/ASSISTANCE/HP010446121033.ASPX

Microsoft Windows Update: HTTP://V4.WINDOWSUPDATE.MICROSOFT.COM/EN/DEFAULT.ASP

Public/Private Key Pairs: HTTP://MSDN.MICROSOFT.COM/LIBRARY/DEFAULT.ASP?URL=/LIBRARY/EN-US/SECCRYPTO/SECURITY/PUBLIC_PRIVATE_KEY_PAIRS.ASP

Certificate Creation Tool (Makecert.exe): HTTP://MSDN.MICROSOFT.COM/LIBRARY/DEFAULT.ASP?URL=/LIBRARY/EN-US/CPTOOLS/HTML/CPGRFCERTIFICATECREATIONTOOLMAKECERTEXE.ASP

MakeCert: HTTP://MSDN.MICROSOFT.COM/LIBRARY/DEFAULT.ASP?URL=/LIBRARY/EN-US/SECCRYPTO/SECURITY/MAKECERT.ASP

Using MakeCert: HTTP://MSDN.MICROSOFT.COM/LIBRARY/DEFAULT.ASP?URL=/LIBRARY/EN-US/SECCRYPTO/SECURITY/USING_MAKECERT.ASP

Microsoft Security Home Page
