Of course, Notepad is not likely to cause problems that would result in destroying your computer. But there are a lot of destructive programs on your computer — format.com, for example — as well as destructive commands such as DEL that could be run using such a technique. Those code lines could have been written in an Access macro. That macro could have been named AutoExec, which automatically runs when a database is opened. If the Shell function had called a destructive program instead of Notepad, or if the SQL had contained a destructive command like DEL, data could be destroyed on the computer that opened the database, or worse yet, data could be destroyed on other computers networked to the computer that opened the database. So if you’re not paying atten- tion to the databases you open, or worse yet, your users aren’t paying attention, well, you have heard about the countless hours spent recovering from viruses. That is nothing compared to the value of data that can be deleted if a hard disk drive is reformatted. And malicious code can do just that. Enabling a Database When Access opens a database, it gives certain information, known as evidence, to the Trust Center. For Access, the evidence includes the location of the file and the digital signature of the database if it has one. The Trust Center takes the evidence and makes a trust decision based on certain logic. The decision is then given to Access, which opens the database in either Disabled or Enabled mode as needed. Figure 22-9 illustrates the logic for determining whether a database will open in Disabled mode. Figure 22-9 Launch Access, open a database In a trusted location? Digitally signed? Disable Content, do not allow Enable Signature valid? Enable Content Disable Content Enable Content Disable Content Is publisher trusted? 763 Chapter 22: Protecting Yourself with Access 2007 Security 47033c22.qxd:WroxProgRef 3/30/07 12:28 AM Page 763 When a database is disabled, there are a few different ways to enable it. First, you can click the Options button in the Message Bar. That opens the Office Security Options dialog box, as shown in Figure 22-10. Figure 22-10 To enable the database, select Enable This Content, and click OK. The database will close and then re- open in enabled mode. If the database is signed, you can view the details of the source by clicking the Show Signature Details link, as shown in Figure 22-11. Additionally, you can select Trust All Documents From This Publisher, which will open them automatically (if the signature is valid). Obviously, whenever you open that data- base or any database from the same publisher, it will automatically open without prompting. So signing your database is one option to avoid making your users respond to the prompt. Figure 22-11 764 Chapter 22: Protecting Yourself with Access 2007 Security 47033c22.qxd:WroxProgRef 3/30/07 12:28 AM Page 764 Modal Prompts Certain types of files always prompt the user to open them, unless they are opened from a trusted loca- tion or are digitally signed. These include ACCDE, MDE, ADP, and ADE files. Those files are opened with a modal prompt for security reasons. ADP and ADE files connect directly to SQL Server, and code executed in these files can also be executed on the server in the form of stored procedures and functions. One primary goal for Disabled mode is to allow you to view the code in a solution without running it. Because VBA source code is removed from ACCDE and MDE files, these files cannot be opened in Disabled mode. For more information about ACCDE and MDE files, please read Chapter 18. You are also prompted when opening a database in the Access Runtime or with the /runtime com- mand-line switch, as shown in Figure 22-12. That’s because the Trust Center is not available to users in Runtime mode. There’s no way to inspect a database for its safety, so users are given the explicit choice to open the file. This isn’t necessarily the optimal solution; after all, when you put your database in front of users, you don’t particularly want them to have to respond to this warning every time they open your database. In addition to using trusted locations, we’ll describe some options to prevent this, including Visual Basic scripts and digital signatures later in this chapter. Figure 22-12 For security purposes, you can revert to the Access 2003 behavior where you are prompted to open every file if you so choose. Adding the following value in the Registry makes Access 2007 prompt you to open every file. You need to create the ModalTrustDecisionOnly DWORD value because it does not exist by default. HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Access\Security\i ModalTrustDecisionOnly = 1 AutomationSecurity The AutomationSecurity property was added to the Access Application object in Access 2003. It determines how Access behaves when running under automation. The following sections show you how to use the AutomationSecurity property to open your Access applications without user interaction. Opening Remote Databases Programmatically Disabled mode and trusted locations are a major improvement over the warnings in Access 2003. That said, it would still be nice if your users didn’t have to deal with prompts or disabled content or trusted 765 Chapter 22: Protecting Yourself with Access 2007 Security 47033c22.qxd:WroxProgRef 3/30/07 12:28 AM Page 765 locations when opening a database. If you work in an environment where you are opening remote data- bases from VBA code, you’ll want (and essentially need) those remote databases to open without issues. To solve this, you can create a Visual Basic Script file (type VBS) to open a database without getting the security prompt or opening in Disabled mode. The following code temporarily disables security (actu- ally, it effectively enables all code or macros) while the database is being opened. When the script ends, control is turned over to Access and the AcApp object is released. Because the security setting is persist- ent only while the AcApp object exists, the macro setting in Access returns to whatever setting was cho- sen using the Trust Center. Const DATABASE_TO_OPEN = “C:\<FileToOpen>.mdb” On Error Resume Next Dim AcApp Set AcApp = CreateObject(“Access.Application”) If AcApp.Version >= 11 Then ‘ Set to 11 because this works in Access 2003 as well AcApp.AutomationSecurity = 1 ‘ Enable content (Low security) End If AcApp.Visible = True AcApp.OpenCurrentDatabase DATABASE_TO_OPEN If AcApp.CurrentProject.FullName <> “” Then AcApp.UserControl = True Else AcApp.Quit MsgBox “Failed to open ‘“ & DATABASE_TO_OPEN & “‘.” End If Similar code can be used in VBA to open and access a remote database. That is, depending on the reason you are opening the remote database, you may or may not want to switch control to the user ( AcApp.UserControl = True). Of course, if you use this VB script for databases that your users open, you cannot specify command-line parameters — for example, /wrkgrp to specify a Workgroup Information file (MDW). If you don’t need to specify parameters, this gets around Disabled mode quite easily. Other Uses for AutomationSecurity There are several scenarios in VBA code where Access opens a database behind the scenes and can dis- play a prompt to open a database. This is often not desirable because you don’t want a dialog box to open while code is running. Examples of this scenario include database conversion using the ConvertAccessProject method, and exporting objects using the TransferDatabase method. To pre- vent the prompt from appearing, you can set the AutomationSecurity property to 1 (Enable Content) prior to calling the specified method. The following code demonstrates using the AutomationSecurity property prior to converting a data- base using the ConvertAccessProject method. Sub ConvertWithoutPrompt() 766 Chapter 22: Protecting Yourself with Access 2007 Security 47033c22.qxd:WroxProgRef 3/30/07 12:28 AM Page 766 Const SOURCE_DB As String = “\Database8.accdb” Const DEST_DB As String = “\Database8.mdb” ‘ Set AutomationSecurity. This code requires a reference to the ‘ Office 12.0 Object Library Application.AutomationSecurity = msoAutomationSecurityLow ‘ Convert an ACCDB to MDB in 2002-2003 format Application.ConvertAccessProject CurrentProject.Path & SOURCE_DB, _ CurrentProject.Path & DEST_DB, _ acFileFormatAccess2002 End Sub Macros in Access 2007 Similar to the way that expressions are evaluated for safety in Access, macros in Access 2007 now run in a sandboxed environment. This means that Access has a list of those macro actions that are safe to exe- cute in Disabled mode. As mentioned in Chapter 2, a safe macro is one that does not perform any of the following tasks: ❑ Change data ❑ Create or delete objects ❑ Update or alter the Access user interface ❑ Access the Windows file system ❑ Run a SQL statement ❑ Send e-mail Unsafe Actions Following is a list of actions that are blocked in Disabled mode in Access 2007. If you run any of these actions, an error is displayed while the database is disabled. CopyDatabaseFile CopyObject DeleteObject Echo OpenDataAccessPage OpenDiagram OpenFunction OpenModule OpenStoredProcedure OpenView PrintOut Rename RunApp 767 Chapter 22: Protecting Yourself with Access 2007 Security RunSavedImportExport RunSQL Save SendKeys SetValue SetWarnings ShowToolbar TransferDatabase TransferSharePointList TransferSpreadsheet TransferSQLDatabase TransferText 47033c22.qxd:WroxProgRef 3/30/07 12:29 AM Page 767 Nine safe actions are blocked when you set an action argument to a specific value. These are described in the following table. Macro Action Action Argument Unsafe Argument Value Close Save No and Yes. OpenForm View Design and Layout. OpenQuery View Design. OpenReport View Design, Layout, and Print. OpenTable View Design. OutputTo Output File Any. When a filename is specified, this action becomes unsafe. Quit Options Exit and Save All. RunCommand Command See the list of commonly used RunCommand action arguments following this table. SendObject Edit Message No. SendObject Template File Any value specified. The following commonly used RunCommand action arguments are blocked: InsertObject PasteAppend PasteSpecial Relationships Cut Copy Paste WorkgroupAdministrator While the list does not include all RunCommand arguments, only a small subset of macro actions are blocked in Disabled mode. Several of the safe actions revolve around navigation, so the actions that remain can still allow an application to be relatively useful. In fact, the majority of the functionality in the new Access templates is implemented using embedded macros so that they can function successfully in Disabled mode. Naturally, for more complex applications you will need to enable the database. CurrentProject.IsTrusted If code is blocked in Disabled mode, how do you start your application? Well, you can have an autoexec macro that calls the OpenForm action, or you can set the StartupForm property to the name of a form to open, but what if that form has code? After they upgrade to Access 2007, your users might 768 Chapter 22: Protecting Yourself with Access 2007 Security 47033c22.qxd:WroxProgRef 3/30/07 12:29 AM Page 768 be left scratching their heads, wondering why your application doesn’t work! To help with this, Microsoft has added a new property on the CurrentProject object called IsTrusted. As its name suggests, this property determines whether the database is enabled. Naturally, if code is dis- abled, you cannot check this property using code. If code is running, IsTrusted returns True. You can, however, use it as the condition in a macro to determine a course of action to take when the application opens. Figure 22-13 shows a macro that uses this property to open one form if the database is enabled, and another form if disabled. Figure 22-13 Digital Signatures and Certificates As you now know, databases with digital signatures are exceptions to the macro setting checks. That is, if a database is digitally signed, it can be opened regardless of the macro setting. Before you tackle creating and using digital signatures, however, let’s briefly review ACCDB files. Access 2007 introduces a new file format called ACCDB. These files include additional features for the 769 Chapter 22: Protecting Yourself with Access 2007 Security 47033c22.qxd:WroxProgRef 3/30/07 12:29 AM Page 769 Access database engine and are the default file format created in Access 2007, but they do not support digital signatures — at least not in the sense that you were becoming accustomed to in Access 2003. For ACCDB files, Microsoft has introduced a new feature called Signed Packages that enables you to com- press a database and sign the compressed file. You’ll see more about this feature later in the chapter. Okay, back to digital signatures. So, what is a digital signature and how do you create one? You have probably seen various forms of digital signatures or digitally signed programs while browsing the Internet or installing software. Typically you see a security warning dialog box that contains infor- mation describing the purpose of the digital certificate used to sign the program, the date and time the certificate was published, and who published it. Some certificates permit you to obtain more information about the program and/or the publisher. After reviewing the information about the certificate, you can accept the certificate or reject it. If desired, you can choose to have that certificate accepted automatically by selecting the Always Trust Content From This Publisher check box. So a digital certificate is an electronic attachment applied to a program, database, or other electronic document. A digital signature is a means to apply a digital certificate to programs, databases, or other electronic documents so that a user of that program, database, or document can confirm that the document came from the signer and that it has not been altered. If the program, database, or document is altered after it has been digitally signed, the signature is invalidated (removed). This feature means that you can be assured that nobody can introduce viruses after the signature is applied. All of this means that you have to obtain a digital certificate to give your database a digital signature. In a moment, you’ll see more about how to obtain a digital certificate, and later, how to sign your database with the digital certificate. But first, a bit more explanation about how digital certificates and digital sig- natures work with Access. Microsoft Office 2007 uses Microsoft Authenticode technology to enable you to digitally sign your Access database by using a digital certificate. A person using your signed database can then confirm that you are the signer and that your database has not been altered since you signed it. If that person trusts you, he can open your database without regard to his Access macro security level setting. You’re probably thinking that your database will be altered. After all, that’s what a user does when he inserts or deletes data. Because a database is likely to be altered in anticipated ways, a digital signature for an Access database applies to specific aspects of the database rather than to the entire database. Therefore, a database can be updated in the ways you would expect without the signature being invalidated. More specifically, a digital signature on an Access database covers only objects that could be modified to do malicious things. These objects include modules, macros, and certain types of queries, for example, action queries, SQL pass-through queries, and data definition queries. The signature also applies to the ODBC connection string in queries and properties of ActiveX controls. If any of these types of objects are modified after you sign your database, the digital signature is invalidated (removed). Types of Digital Certificates There are two types of digital certificates: commercial and internal. Commercial certificates are obtained through a commercial certification authority (CA) such as VeriSign, Inc. Internal certificates are intended 770 Chapter 22: Protecting Yourself with Access 2007 Security 47033c22.qxd:WroxProgRef 3/30/07 12:29 AM Page 770 for use on a single computer or within a single organization and can be obtained from your organiza- tion’s security administrator or created using the Selfcert.exe program, which is described a little later. Commercial Certificates To obtain a commercial certificate, you must request (and usually purchase) one from an authorized commercial certificate authority vendor. The vendor sends you a certificate and instructions about how to install the certificate on your computer and how to use it with your Access application. The certificate you need for your Access databases is called a code-signing certificate. Also look for cer- tificates that are suitable for Microsoft Authenticode technology. The commercial certificate provides full protection of your database for authenticity. Because the digital certificate is removed if the file or VBA project is modified, you can be sure that your database will not be authenticated if anyone tampers with it. Likewise, commercial certificates provide protection for users. In the event someone obtains a certificate and uses it for malicious purposes, the commercial authority will revoke the certificate. Then anyone who uses software that is signed with that certificate will be informed of its revocation by the CA. The computer opening a digitally signed program, database, or other electronic document must have access to the Internet to verify the authenticity and status of a commercial certificate. Internal Certificates An internal certificate is intended for use on a single computer or within a single organization. An inter- nal certificate provides protections similar to a commercial certificate in that if the file or VBA project is changed, the certificate is removed, and the database does not automatically open unless Enable All Macros is selected as the macro setting. Internal certificates can be created and managed by a certificate authority within your organization using tools such as Microsoft Certificate Server. You can create a certificate for your own computer using the Selfcert.exe tool. Obtaining a Digital Certificate As mentioned earlier, you can obtain a certificate from a commercial authority such as VeriSign, Inc. For internal certificates you can turn to your security administrator or Digital Certificate group, or you can create your own certificate using the Selfcert.exe tool. Be aware that if you create your own certificate, Access still opens a database in Disabled mode when your signed database is opened on a computer other than the one where the certificate was created. This happens because Microsoft considers it to be a self-signed database. The trouble with self-certification is that the certificate isn’t trusted because it is not in the Trusted Root Certification Authorities store. That is, your certificate isn’t registered and Microsoft Authenticode tech- nology cannot determine its authenticity — the certificate gets a crosswise look. And the reason for this is that a digital certificate you create can be imitated: Someone can mimic your certificate and sign a database with it. If you have trusted a digital certificate that has been mimicked, a database signed with 771 Chapter 22: Protecting Yourself with Access 2007 Security 47033c22.qxd:WroxProgRef 3/30/07 12:29 AM Page 771 that certificate will open, and if that database contains malicious code, it could execute that code. This brings up two important issues: ❑ If a certificate you create can be imitated, what kind of security do you really get? ❑ If your certificate won’t be trusted on another computer, why bother creating your own certificate? A certificate is nothing more than a digital document. As with any digital document it can be copied, replicated, or otherwise imitated. However, Microsoft’s Authenticode technology is able to determine authenticity of the certificate if, and only if, it is in a Trusted Root Certification Authorities store. Using self-certification is a solution that should be considered only if your databases will just be used behind the security of a firewall, with virus software, for protection. If your database, and therefore your certificate, will be made publicly available, such as through the Internet, you will be putting your certifi- cate out where someone could copy it. They could then attach the copy to a database with malicious code and send that database back to you, or worse yet, on to other users who could think the database is from you. If the certificate has been on the computer that is opening the database, that database will be trusted, it will open, and the malicious code will be executed. If you are interested in acquiring a commercial certificate, the Microsoft Developer Network (MSDN) has list of root certificate program vendors at http://msdn.microsoft.com/library/default.asp?url=/library/en- us/dnsecure/html/rootcertprog.asp . When you are looking for a vendor to supply a certificate, you need one that provides a certificate for code signing or that works with Microsoft Authenticode technology. Using Self-Certification Now that you have been sufficiently warned about the pitfalls of self-certifying, take a look at how you can self-certify in situations that you believe are secure from hacker attacks. The question asked in the previous section was: If your certificate isn’t going to be trusted on another computer, why bother creating one? The answer is that the certificate isn’t trusted unless it is installed on the computer that is opening the signed database. Therefore, the solution is to install your certificate on that computer so that it will be trusted. Only a few steps are necessary to self-certify and use the certificate for your database as well as use that database on any computer. Some of the steps have to be done only once, and some have to be repeated for each computer that will use your certificate to open your database. First you need to run Selfcert.exe to create a certificate on your computer. Creating a Self-Certification Certificate To create a certificate for yourself, simply run the SelfCert.exe program. This is available from Start ➪ All Programs ➪ Microsoft Office ➪ Microsoft Office Tools ➪ Digital Certificate for VBA Projects. You can also run this from the Office12 folder. For example, mine is located in C:\Program Files\Microsoft Office\OFFICE12\SELFCERT.EXE . If SelfCert.exe is not installed on your computer, use the Microsoft Office 2007 installation disk to install it. 772 Chapter 22: Protecting Yourself with Access 2007 Security 47033c22.qxd:WroxProgRef 3/30/07 12:29 AM Page 772 [...]... does not recognize mdw files MDB The Access file format that allows previous versions of Access to open the file Access 2007 can create or save as an mdb file in either a 2000 or 20022003 format Access 2007 also works with or converts files from Access 95 and Access 97 MDE “Execute Only” mode for the MDB file format Access 2007 can work with MDEs that are in an Access 2000 or 2002-2003 file format... Appendix A: Upgrading to Access 2007 Access 2007 or a runtime installation And, now that the Access Runtime is a free download from Microsoft, we may see a lot more deployments using a runtime file instead of the requiring the full version of Access Steps for Converting or Enabling For the most part, this section will focus on migrating to Access 2007 However, if an Access 2007 application will be... be used with newer versions of Access — in this case, Access 2007 It applies to scenarios in which you will be using Access 2007 and have some Access applications that were created in previous versions ❑ Convert: The specific process that Access runs to change the database format from one version to another Obviously, this appendix focuses on converting to the Access 2007 ACCDB format Converting allows... file format For backward compatibility, Access 2007 also works with the file extensions of mdb, mde, ldb, and mdw The following table describes the Access file extensions for both ACCDB and MDB file formats 786 47033bapp01.qxd:WroxProgRef 3/30/07 12:29 AM Page 787 Appendix A: Upgrading to Access 2007 Extension Description ACCDB The extension for the new Access 2007 file format This is the only file... an Access 2007 database to Access 97, you first need to convert it to an intermediate version (2000 or 2002-2003) and then use that file and version to convert to an Access 97 file Since we’ve already covered converting from 2007 to 2003, you can use the following steps to convert from Access 200 to Access 97 1 7 98 Convert the file to 2003, as described earlier in the section “File Conversion Using Access. .. in a compatible format VBA References As in the past, it is best to have the VBA references match the version of Access that is opening the application and match the version of the programs that they are referencing However, if the application will be opened by multiple versions of Access, it is a good practice to set references and test the database on the oldest version of Access, Office, and Windows... The Access 2007 accdb format locking file Access 2007 creates an ldb file when opening an mdb or mde file MDW The workgroup information file that stores information for secured databases with an MDB file format Access 2007 mdw files have the same file format as those created by Access 2000, 2002, and 2003, so the mdw files created with any of these versions can be used with all four versions of Access. .. be quietly ignored or will not appear when an Access 2007 mdb file is opened with an earlier version of Access Chapter 3 provides a rather extensive list of what’s new in Access 2007 However, for the purposes of this appendix and discussion, you need to know the features that are available only with the 2007 ACCEB file format File Extensions Office Access 2007 introduces a few new file extensions to... specifications What Happens When a 2007 MDB Is Opened by 2000+ Access 2007 has a multitude of new features for both the MDB and ACCDB file formats When working with multiple versions of Access, trying to keep track of what will work can get rather confusing The following table lists the new features and how they will behave in prior versions of Access New features for Access 2007 mdb filess are also available... Service Pack 3 and Jet 4.0 Service Pack 1 That’s right — for Access 97 and 2000 The enhancements made to the Expression Service for Access 2003 actually made expressions more usable than in previous versions An enhanced sandbox mode was half of the overall security story for Access 2003 But this book is about Access 2007 Sandbox Mode in Access 2007 When sandbox mode is enabled in the Registry, certain . code? After they upgrade to Access 2007, your users might 7 68 Chapter 22: Protecting Yourself with Access 2007 Security 47033c22.qxd:WroxProgRef 3/30/07 12:29 AM Page 7 68 be left scratching their. enhanced sandbox mode was half of the overall security story for Access 2003. But this book is about Access 2007. Sandbox Mode in Access 2007 When sandbox mode is enabled in the Registry, certain expressions. expressions, is disabled. 7 78 Chapter 22: Protecting Yourself with Access 2007 Security 47033c22.qxd:WroxProgRef 3/30/07 12:29 AM Page 7 78 Sandbox Mode Limitations Sandbox mode blocks VBA functions or commands