  1. #1
    Lounger
    Join Date
    May 2001
    Location
    NJ
    Posts
    25

    Security Warnings and MDBs (Access 2003)

    My organization is trying to figure out how best to respond at the institutional/enterprise level to the heightened security warnings in Access 2003. I'm wondering three things:

    (1) has Microsoft suggested any strategy for "certificating" large numbers of databases in any secure, semi-automatic fashion? (we haven't been able to find anything on microsoft.com)
    (2) Is there a way to attach a certificate to an mdb file programmatically, using VBA (or any other language/platform)?
    (3) (if the answers to 1 & 2 are 'no') Are we missing something? Is this 'high security level' in A2003 real-world plausible, or is it just some kind of PR ploy by MS?

    We're trying to find a solution that allows us to keep 'High' or 'Medium' security, but doesn't make our users click through the prompt with every legit database--and doesn't require them all to become experts on certification as a workaround. The former just eliminates any real, effective protection, once the click-through becomes habitual; the latter is unrealistic, given our user community.

    But to make it work, we need a way to certify legacy databases in bulk, and to automate centrally the certification process for new mdbs (which are distributed from several dozen points within our org). We'll buy the certificates from one of the usual suspects, but we need a local solution (we're thinking a web-app) to streamline distribution/incorporation. Any thoughts or suggestions very much welcomed and appreciated. --Chris

  2. #2
    Super Moderator
    Join Date
    Aug 2001
    Location
    Evergreen, CO, USA
    Posts
    6,623

    Re: Security Warnings and MDBs (Access 2003)

    That is one of the challenges of Access 2003 - since nearly every database that does something useful contains code, it means you get a warning every time you open the database. The digital certificate is a solution, but has its own challenges. I can't suggest any solution for databases that are already deployed (presuming they are resident on workstations and not on servers). How do you deploy new databases?
    Wendell

  3. #3
    Lounger
    Join Date
    May 2001
    Location
    NJ
    Posts
    25

    Re: Security Warnings and MDBs (Access 2003)

    Hi Wendell; thanks for replying! We're a university, so we deploy databases the same way we do everything else -- chaotically :-).

    One of the issues we're thinking through is whether it's even possible to centralize a distribution mechanism. We have dozens of administrative units, and more than a hundred academic departments, each of which has the ability to deploy databases to its own members and constituents across the institution. We can't do QA: all we can do is provide an audit trail in case someone does something malicious.

    We envisioned an app that would watch a network share or allow a web-upload of an mdb, sign it automatically, and return it to the submitter. We would control security by controlling access to that app.

    It's troubling that MS has *zero* documentation anywhere we could find as to how to manage the 'high' security level in an enterprise setting. Signing works great if you have a database-cert czar sitting somewhere, all your dbs are deployed centrally, and you have an up-to-date inventory of who's got what db on their desktop, but you don't have to be a university for that model to make no sense. And if you don't have that, MS has no advice for you. Makes me think this is really just another marketing ploy.

    Any idea whether it's even possible to add a cert to an mdb using VB/VBA or some other code/scripting tool? I can't find anything in the docs.
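The intake side of the service envisioned in this post (restricted submission plus an audit trail), sketched as an added example that is not part of the original thread. The submitter IDs, file names and timestamps are constructed, and applying the certificate is left to whoever holds it, since the thread identifies no programmatic signing interface.

```python
import hashlib
import json

# Leading bytes of a Jet (.mdb) file: a 4-byte marker, then the format name.
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB"
AUTHORIZED = {"registrar-dev", "physics-admin"}  # constructed submitter IDs
GENESIS = "0" * 64                               # prev_hash of the first entry

def is_jet_mdb(data):
    return data[:len(JET_MAGIC)] == JET_MAGIC

def chain_hash(prev_hash, record):
    body = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def submit(log, submitter, filename, data, when):
    """Record every submission; return True only if it may go on to signing."""
    if submitter not in AUTHORIZED:
        decision = "rejected: submitter not authorized"
    elif not is_jet_mdb(data):
        decision = "rejected: not a Jet database"
    else:
        decision = "queued for signing"
    record = {"when": when, "submitter": submitter, "file": filename,
              "sha256": hashlib.sha256(data).hexdigest(), "decision": decision}
    prev = log[-1]["entry_hash"] if log else GENESIS
    log.append({**record, "prev_hash": prev,
                "entry_hash": chain_hash(prev, record)})
    return decision == "queued for signing"

def verify_log(log):
    """Recompute the hash chain; any edited or removed entry breaks it."""
    prev = GENESIS
    for entry in log:
        record = {k: v for k, v in entry.items()
                  if k not in ("prev_hash", "entry_hash")}
        if entry["prev_hash"] != prev or entry["entry_hash"] != chain_hash(prev, record):
            return False
        prev = entry["entry_hash"]
    return True

def demo():
    log = []
    mdb = JET_MAGIC + b"\x00" * 100              # constructed stand-in for a real file
    results = [
        submit(log, "physics-admin", "grades.mdb", mdb, "2004-03-01T10:00:00"),
        submit(log, "unknown-user", "tool.mdb", mdb, "2004-03-01T10:05:00"),
        submit(log, "registrar-dev", "notes.mdb", b"MZ not a database", "2004-03-01T10:09:00"),
    ]
    intact = verify_log(log)
    log[0]["submitter"] = "someone-else"         # simulate after-the-fact tampering
    return results, intact, verify_log(log)
```

Rejected submissions are logged as well, so the trail shows who tried to get what signed, not only what was accepted.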

  4. #4
    Super Moderator
    Join Date
    Aug 2001
    Location
    Evergreen, CO, USA
    Posts
    6,623

    Re: Security Warnings and MDBs (Access 2003)

    Ah yes, I know the environment well - and it's not confined to universities. And I actually spent a couple of years near those hallowed halls.

    Thinking about the issue a bit more, I suspect Microsoft has deliberately not exposed the digital signature objects, as doing so would allow malicious code to do so as well. In addition, there are other issues with digital signatures - see for example Microsoft Knowledge Base article 828412. I suspect that for a version or two we are largely stuck with running Access databases in low security mode.

    Looking at the deployment problem, you might want to look at a tool available from FMS called Total Access Startup that large departments might find useful. We also have a developer deployment tool you can read about on our website, and there are several threads about the subject if you do a search on the forum.
    Wendell

  5. #5
    Bronze Lounger
    Join Date
    Nov 2001
    Location
    Arlington, Virginia, USA
    Posts
    1,394

    Re: Security Warnings and MDBs (Access 2003)

    I don't have much experience with Access 2003 (and plan to avoid it until further notice) but don't think you will find any programmatic interface for creating digital signatures, etc. in the 2003 version of VBA, as is likewise the case in earlier versions of Office, for reasons that should be obvious. Recommend taking a look at the following Microsoft links:

    Office XP Document: Macro Security White Paper

    You can download this white paper (Word document format) that provides some useful information related to Security in Office applications. To assist in deploying Office within large organizations, Microsoft makes an Office Resource Kit (ORK) (poor choice of acronym) available for the currently supported versions of Office. For Office 2003 see this link:

    Office 2003 Editions Resource Kit

    On the main page there are links for various topics, including Security:

    Office 2003 Editions Resource Kit - Security: Overview

    Where I work we're still using Office 2000, so I don't have any specific suggestions. This is really an issue for your organization's IT department, but if it is as Balkanized as you describe, with no "Central Authority" in charge, there may be no simple solution. Recommend reviewing the MS resources to see if anything useful can be found to facilitate this task.

    HTH

  6. #6
    Lounger
    Join Date
    May 2001
    Location
    NJ
    Posts
    25

    Re: Security Warnings and MDBs (Access 2003)

    Thanks, Wendell; I've passed the link along to the folks who determine policy and purchasing. Appreciate your help!

    --CJ

  7. #7
    Lounger
    Join Date
    May 2001
    Location
    NJ
    Posts
    25

    Re: Security Warnings and MDBs (Access 2003)

    Thanks, Mark; We've been through the ORK resources, as well as everything that a search of microsoft.com returns on the subject of "Access 2003 security" and cognates (I'm part of a committee for our central IT group that's trying to figure out our options). Across the board, the documents that address signing at all are long on hype, short on details of how you're actually supposed to implement signing on any large scale. Notably, there's nothing like a whitepaper or how-to titled "Deploying Digital Signing with Access 2003 in the Enterprise."

    The implicit model for all MS Office security documentation appears to assume a single, central development group that can sign everything (mdbs, wkss, etc.) before it ships, working for a user community that has no trouble handling the steps involved to self-sign personally built Office apps. It also assumes no legacy Office docs, or at least that you can lay hands on every copy of every wks and mdb that's ever been distributed. That's fine, but that's not us, nor is it ever likely to be us.

    If you stumble across anything like a how-to, I'd appreciate a heads-up. Thanks again, --CJ
