self-signing certificate

[Josh]

just upgraded to access2003, and got the Jet4sp8 warning, which I should have
Jet4sp8, as I just went to office update.

Searched google, and saw that I can either set security to low, or do a
self-signing certificate if used with this computer. So, did the self-signing
certificate, added it to macro/Security/trusted publishers. I thought that would
take care of it, but, now, still get the warning. I had to actually set security
to low to avoid the warning. Went back to macro/Security/trusted publishers and
viewed my certificate. Looked ok until I looked at the "certification Path" tab,
and saw that my certificate had a red X on it, with this comment: This CA Root
certificate is not trusted because it is not in the Trusted Root Certification
Authorities store.

Is that why I still had to set security level to Low, because the certificate,
while there, isn't trusted?

btw, sandbox mode is set to 2 in registry, not sure whether to set it to 1 or 2
or does it make a difference if security is set to Low?

Seems to me that this is an example of "make it too difficult and people will
just bypass security", like "make password requirements too complex, therefore
people write them down and leave the note by the keyboard" kinda thing.

Thanks, Josh

 

[Josh]

hmmmmmmm, went to:
http://home.bendbroadband.com/conradsystems/accessjunkie/macrosecurity.html

and used his VBscript, but it does NOT set security to Low, for me anyways. I
ran the script, and was trying to figure out where to put the line:
Application.RunCommand acCmdAppMaximize
I tried just putting it in a macro and running that, just to verify that it did
maximize access, but got the warning about being blocked, thats when I went and
checked, and sure nuff, security was set to low.

Josh

 

[Josh]

This just isn't my day.......that last line should have been:
"checked, and sure nuff, security was set to MEDIUM.

 

['69 Camaro]

Hi, Josh.

which I should have
Jet4sp8, as I just went to office update.

No. Office Update won't update Access 2003 with Jet 4.0 SP-8, because
Access 2003 already contains Jet 4.0 SP-8. Re-read that warning message in
the context of Access 2002 users, who didn't have Jet 4.0 SP-8 by default.
Microsoft didn't bother updating the message for Access 2003, so you and the
other millions of Access 2003 users were confused the first time we saw that
message, too.

Is that why I still had to set security level to Low, because the
certificate,
while there, isn't trusted?

A Self-Cert digital certificate isn't trusted when the Macro Security level
is set to High level. It's only trusted when used for Medium level.

btw, sandbox mode is set to 2 in registry, not sure whether to set it to 1
or 2
or does it make a difference if security is set to Low?

It makes a difference, because it's a separate issue that has been enabled
with Jet 4.0 SP-8. (Remember that warning message? That's what it's for.)
If you leave the Sandbox mode setting at 2 (the default), then Sandbox mode
is used for non-Access applications, but not for Access. If you set it at
1, then Sandbox mode will only be used for Access applications, not other
applications.

Seems to me that this is an example of "make it too difficult and people
will
just bypass security"

Yup. Those with common sense will avoid spitting into the wind.

HTH.
Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
http://www.Access.QBuilt.com/html/expert_contributors2.html for contact
info.

 

['69 Camaro]

Hi, Josh.

but it does NOT set security to Low

It will if you're using Access 2003, scripts are not blocked, and User-level
Security have not been implemented on the database file.

and was trying to figure out where to put the line:
Application.RunCommand acCmdAppMaximize

It should be placed in the start up form's OnLoad( ) or OnOpen( ) event,
whichever is more convenient.

but got the warning about being blocked

"Unsafe expressions" are checked by Jet's Expression Service, so if you have
the Sandbox mode set to 1 or 3 when Jet 4.0 SP-8 is installed, it doesn't
matter which Macro Security level you have it set at, because your Macro
Security level is an entirely separate issue. Set the Sandbox mode back to
2 and you won't be blocked, although you'll get a warning message that
"unsafe expressions" are not blocked if you have the Macro Security level
set at Medium or High.

thats when I went and
checked, and sure nuff, security was set to [Medium]

As it's designed to do. That script doesn't change the actual Windows
Registry setting, which is what you're reading when you open the Security
dialog window. That script only changes the Access.Application object's
AutomationSecurity Property to the indicated security level for that
specific instance of Access, as explained on Jeff's Web page: ". . . a
script file which sets the macro security level to low for that single
invocation of Access." The script is intended for users who don't have
Windows security permissions to make changes in the Windows Registry.

HTH.
Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
http://www.Access.QBuilt.com/html/expert_contributors2.html for contact
info.

 

[Josh]

It will if you're using Access 2003, scripts are not blocked, and User-level
Security have not been implemented on the database file.

It has not been set

It should be placed in the start up form's OnLoad( ) or OnOpen( ) event,
whichever is more convenient.

yes, I had placed it in the OnOpen event

but got the warning about being blocked

"Unsafe expressions" are checked by Jet's Expression Service, so if you have
the Sandbox mode set to 1 or 3 when Jet 4.0 SP-8 is installed, it doesn't
matter which Macro Security level you have it set at, because your Macro
Security level is an entirely separate issue. Set the Sandbox mode back to
2 and you won't be blocked, although you'll get a warning message that
"unsafe expressions" are not blocked if you have the Macro Security level
set at Medium or High.

thats when I went and
checked, and sure nuff, security was set to [Medium]

As it's designed to do. That script doesn't change the actual Windows
Registry setting, which is what you're reading when you open the Security
dialog window. That script only changes the Access.Application object's
AutomationSecurity Property to the indicated security level for that
specific instance of Access, as explained on Jeff's Web page: ". . . a
script file which sets the macro security level to low for that single
invocation of Access." The script is intended for users who don't have
Windows security permissions to make changes in the Windows Registry.

Ok, but , 'for this instance of Access', security should have been set to low
via the script, and therefore I shouldn't have gotten a warning...?

Thanks, Josh

 

[Josh]

Hi, Josh.


No. Office Update won't update Access 2003 with Jet 4.0 SP-8, because
Access 2003 already contains Jet 4.0 SP-8. Re-read that warning message in
the context of Access 2002 users, who didn't have Jet 4.0 SP-8 by default.
Microsoft didn't bother updating the message for Access 2003, so you and the
other millions of Access 2003 users were confused the first time we saw that
message, too.


A Self-Cert digital certificate isn't trusted when the Macro Security level
is set to High level. It's only trusted when used for Medium level.

But, it was set for Medium during the time I was experimenting with certificate,
so that should have satisfied access and not given me a warning, is that
correct? And, if correct, why the warning?

It makes a difference, because it's a separate issue that has been enabled
with Jet 4.0 SP-8. (Remember that warning message? That's what it's for.)
If you leave the Sandbox mode setting at 2 (the default), then Sandbox mode
is used for non-Access applications, but not for Access. If you set it at
1, then Sandbox mode will only be used for Access applications, not other
applications.

I don't understand the default of 2, sandbox mode for non-access applications,
but not for Access. Wouldn't the default of 1 be better (from a 'Default' point
of view), to make Access more secure and leave non-Access applications alone?
Or, am I totally screwed up (which is the most likely case)

Thanks

 

['69 Camaro]

Hi, Josh.

It has not been set

Your description of "got the warning about being blocked" sounds like you're
describing the Sandbox mode, not the Macro Security level. If you want to
test which Macro Security level is being used for the current instance of
Access, place the following code in your startup form, save, and compile:

Private Sub Form_Open(Cancel As Integer)

On Error GoTo ErrHandler

MsgBox "AutomationSecurity is set to " & Application.AutomationSecurity

Exit Sub

ErrHandler:

MsgBox "Error in Form_Open( ) in" & vbCrLf & _
Me.Name & " form." & vbCrLf & vbCrLf & _
"Error #" & Err.Number & vbCrLf & vbCrLf & Err.Description
Err.Clear

End Sub

If the message box displays "AutomationSecurity is set to 2" when your
database opens, then select the Tools -> Macro -> Security... menu to open
the Security dialog window. Whichever level you see displayed there is the
Macro Security level that the current instance of Access is using. However,
if you're using the Automation VB Script on Jeff Conrad's Web site, then you
should see "AutomationSecurity is set to 1" displayed, meaning that despite
the value set in the Security dialog window (which reflects the Windows
Registry setting), the database was opened with Macro Security set to Low.

Ok, but , 'for this instance of Access', security should have been set to
low
via the script, and therefore I shouldn't have gotten a warning...?

So you see the question, "Do you want to open this file or cancel the
operation?" when you use the script and have three buttons to push,
"Cancel," "Open," and "More Info"? That question indicates Macro Security
level is Medium and the database file is not digitally signed. If you don't
see this question, but instead see "Microsoft Office Access cannot open <DB
file name> due to security restrictions," then this indicates that the Macro
Security level is High and the database file is not digitally signed. If
you see neither of these messages, then the Macro Security level is Low.

However, you'll get a warning about the Sandbox mode if your current Macro
Security level requires unsafe expressions to be blocked in order to work
correctly. Automation Security (to alter the Macro Security level) is a
separate issue from Jet 4.0 SP-8's Sandbox mode issue, which is why you get
so many different prompts when you're using the new security features of
Access 2003.

HTH.
Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
http://www.Access.QBuilt.com/html/expert_contributors2.html for contact
info.

It will if you're using Access 2003, scripts are not blocked, and
User-level
Security have not been implemented on the database file.

It has not been set

It should be placed in the start up form's OnLoad( ) or OnOpen( ) event,
whichever is more convenient.

yes, I had placed it in the OnOpen event

but got the warning about being blocked

"Unsafe expressions" are checked by Jet's Expression Service, so if you
have
the Sandbox mode set to 1 or 3 when Jet 4.0 SP-8 is installed, it doesn't
matter which Macro Security level you have it set at, because your Macro
Security level is an entirely separate issue. Set the Sandbox mode back
to
2 and you won't be blocked, although you'll get a warning message that
"unsafe expressions" are not blocked if you have the Macro Security level
set at Medium or High.

thats when I went and
checked, and sure nuff, security was set to [Medium]

As it's designed to do. That script doesn't change the actual Windows
Registry setting, which is what you're reading when you open the Security
dialog window. That script only changes the Access.Application object's
AutomationSecurity Property to the indicated security level for that
specific instance of Access, as explained on Jeff's Web page: ". . . a
script file which sets the macro security level to low for that single
invocation of Access." The script is intended for users who don't have
Windows security permissions to make changes in the Windows Registry.

Ok, but , 'for this instance of Access', security should have been set to
low
via the script, and therefore I shouldn't have gotten a warning...?

Thanks, Josh

HTH.
Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
http://www.Access.QBuilt.com/html/expert_contributors2.html for contact
info.

 

['69 Camaro]

Hi, Josh.

But, it was set for Medium during the time I was experimenting with
certificate,
so that should have satisfied access and not given me a warning, is that
correct? And, if correct, why the warning?

You also stated that your SelfCert certificate had a red X on it and you
were warned that this certificate isn't trusted because it isn't in the
Trusted Root Certification Authorities store. Let's assume for a moment
that this information is somehow incorrect, and you installed the SelfCert
digital certificate on this computer correctly and digitally signed this
database file with your SelfCert digital certificate. You set the Macro
Security level to Medium, which should allow a SelfCert digitally signed
database to open unchallenged. Since you're being challenged when you open
this database, it means that your Macro Security level can only be set to
Medium (you couldn't open it at all if it were High, and you wouldn't be
challenged if it were Low), but either the digital signature on the database
file is invalid or the SelfCert digital certificate on that computer is
invalid (not trusted). Since you got the warning that your SelfCert digital
certificate isn't trusted, we have to assume that this Microsoft Office
security feature is complaining for a good reason. You need to troubleshoot
why the application is claiming that the digital certificate isn't in the
Trusted Root Certification Authorities store.

I don't understand the default of 2, sandbox mode for non-access
applications,
but not for Access. Wouldn't the default of 1 be better (from a 'Default'
point
of view), to make Access more secure and leave non-Access applications
alone?

No. Access versus the other applications is comparing apples with oranges.
If Sandbox mode were set to 1, then any Access database application without
action queries, and without expressions in table, query, field, form,
report, or control properties would run as is. Such a simple Access
database is trivial, in that the user interface isn't much used, if at all,
and most likely the file is only being used as a data source by some other
application, which wouldn't have any of its expressions blocked by the Jet
Expression Service.

But a non-trivial Access database would have its update, make table, and
append queries disabled. The other queries or any of the tables, forms,
reports, or controls on the forms or reports using the functions listed as
blocked on the following Web page in their properties would be disabled:

http://support.microsoft.com/default.aspx?id=294698&Product=acc

Such an Access database application wouldn't be very useful because it
couldn't be very complex or do the things that most database applications
do. Non-Access applications in the Microsoft Office Suite don't generally
rely on queries or properties of database objects, so preventing them from
using these queries or functions in expressions in those other applications
isn't much of a penalty.

Or, am I totally screwed up (which is the most likely case)

The new security feature of Access 2003 is pretty confusing, which is why
most folks are ignoring it completely by using the Low Macro Security
setting.

HTH.
Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
http://www.Access.QBuilt.com/html/expert_contributors2.html for contact
info.

 

[Josh]

Taking another look at the certificates, I ran the Certificate MMC snap in, and
saw that my self-signed certificate (current user) was under the "personal"
folder. So, I moved it to "Trusted Root Certification Authorites", and it works
now. Now warnings at all when opening with medium security set.

Thanks, Josh

 

['69 Camaro]

Hi, Josh.

So, I moved it to "Trusted Root Certification Authorites", and it works
now. No warnings at all when opening with medium security set.

Excellent. Thanks for reporting back with your solution so that others who
have the same problem can research the archive and benefit, too.

Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
http://www.Access.QBuilt.com/html/expert_contributors2.html for contact
info.