How to Avoid Security Warnings for Our Access Application

  • Thread starter Thread starter Rod Wright
  • Start date Start date
R

Rod Wright

Background:
We developed a program to integrate a large amount of data for National Air
and Space Museum (NASM) volunteer use. The program works fine, but our users
are relatively unsophisticated volunteers. They get confused by the warnings
issued by Access when opening our program. Our users run at multiple Win2K
and XP machines and load our program and the data over the Smithsonian
intranet.

In Vista, the popup warning is:
----------------------------------------------------
Open File - Security Warning
Do you want to open this file?
Name: \\Server\Public\UHC_Frms.exe
Publisher: Unknown Publisher
Type: Microsoft Office Access MDE Database
From: \\SERVER\Public\BLAST\UHC_Frms.mee
| Open | | Cancel |
______________________________________
Note that the path shown above is when I'm testing on my home network, not
at NASM. Also, that warning was from Office 2007 but at NASM they are still
using Office 2003, so the dialog box is different.

Also, the error message is different under Office 2003 (and a lot more
confusing for users.) I'm not at NASM now, so I can't see the exact text of
how the error appears there. I'll post that tomorrow when I go there.


Question:
How can we avoid these warnings? Would it work for us to obtain and publish
a certificate for the program code? If so, does it need to be reissued each
time we make a change? (Since we have only been up and running for users
since January, the code is still being modified as we gain experience.) How
do we do that?

What do you recommend?



--
Rodney L. Wright
 
You should definitely digitally sign the application no matter what. However,
that will not remove the warning. It just will have your (or your company's)
name in the dialog and won't say "Unknown Publisher."

Technically, there is a way to get rid of this warning, but it is there as a
warning to end users. If you remove it here, you would also remove it for all
other executables. That would put your users at significant risk. If you
programmatically remove that warning, you would be responsible for putting
them at significant risk a responsibility that I am pretty sure you do not
want to accept.

Rather, I would suggest that you take the opportunity to educate your users.
Teach them that the warning is there so that they can assess whether they
want to accept the risk involved in opening applications off the Internet. In
this case, you have digitally signed the application so they can trace it to
you and have assurance that they are, in fact, opening a trusted application.
Anytime they get a dialog like this they should evaluate it and see if they
really want to accept that risk or not. If the publisher is unknown, they
have no way to tell who wrote the application, and should consider it a
higher risk.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/0470101555?ie=UTF8&tag=protectyourwi-20


"Rod Wright" wrote:

> Background:
> We developed a program to integrate a large amount of data for National Air
> and Space Museum (NASM) volunteer use. The program works fine, but our users
> are relatively unsophisticated volunteers. They get confused by the warnings
> issued by Access when opening our program. Our users run at multiple Win2K
> and XP machines and load our program and the data over the Smithsonian
> intranet.
>
> In Vista, the popup warning is:
> ----------------------------------------------------
> Open File - Security Warning
> Do you want to open this file?
> Name: \\Server\Public\UHC_Frms.exe
> Publisher: Unknown Publisher
> Type: Microsoft Office Access MDE Database
> From: \\SERVER\Public\BLAST\UHC_Frms.mee
> | Open | | Cancel |
> ______________________________________
> Note that the path shown above is when I'm testing on my home network, not
> at NASM. Also, that warning was from Office 2007 but at NASM they are still
> using Office 2003, so the dialog box is different.
>
> Also, the error message is different under Office 2003 (and a lot more
> confusing for users.) I'm not at NASM now, so I can't see the exact text of
> how the error appears there. I'll post that tomorrow when I go there.
>
>
> Question:
> How can we avoid these warnings? Would it work for us to obtain and publish
> a certificate for the program code? If so, does it need to be reissued each
> time we make a change? (Since we have only been up and running for users
> since January, the code is still being modified as we gain experience.) How
> do we do that?
>
> What do you recommend?
>
>
>
> --
> Rodney L. Wright
 
"Jesper" <Jesper@discussions.microsoft.com> wrote in message
news:E245C8B1-FDE5-41C8-98A1-0985184927AD@microsoft.com...
> You should definitely digitally sign the application no matter what.
> However,
> that will not remove the warning. It just will have your (or your
> company's)
> name in the dialog and won't say "Unknown Publisher."
>
> Technically, there is a way to get rid of this warning, but it is there as
> a
> warning to end users. If you remove it here, you would also remove it for
> all
> other executables. That would put your users at significant risk. If you
> programmatically remove that warning, you would be responsible for putting
> them at significant risk a responsibility that I am pretty sure you do
> not
> want to accept.
>

Garbage --- MS Word doesn't generate a warning everytime I start it.
Neither does Excel, Powerpoint, or Outlook. What does OP need to do so his
application doesn't generate a Vista warning at runtime. Generating it at
install is a good idea, but generating it every single time an installed
application is run is overkill and leads to people blindly clicking
"continue" with eventual disastrous results. Obviously this warning can be
bypassed somehow on an application by application basis.

Rod,

You might want to repost this in an MS Access group as you will probably get
a quicker and more usable answer there. They will need to know at a minimum
the version of Access you're running and if it is a single mdb file that is
shared or multiple front end MDB files with a single back end for the
database.

Mike Ober.


> Rather, I would suggest that you take the opportunity to educate your
> users.
> Teach them that the warning is there so that they can assess whether they
> want to accept the risk involved in opening applications off the Internet.
> In
> this case, you have digitally signed the application so they can trace it
> to
> you and have assurance that they are, in fact, opening a trusted
> application.
> Anytime they get a dialog like this they should evaluate it and see if
> they
> really want to accept that risk or not. If the publisher is unknown, they
> have no way to tell who wrote the application, and should consider it a
> higher risk.
> ---
> Your question may already be answered in Windows Vista Security:
> http://www.amazon.com/gp/product/0470101555?ie=UTF8&tag=protectyourwi-20
>
>
> "Rod Wright" wrote:
>
>> Background:
>> We developed a program to integrate a large amount of data for National
>> Air
>> and Space Museum (NASM) volunteer use. The program works fine, but our
>> users
>> are relatively unsophisticated volunteers. They get confused by the
>> warnings
>> issued by Access when opening our program. Our users run at multiple
>> Win2K
>> and XP machines and load our program and the data over the Smithsonian
>> intranet.
>>
>> In Vista, the popup warning is:
>> ----------------------------------------------------
>> Open File - Security Warning
>> Do you want to open this file?
>> Name: \\Server\Public\UHC_Frms.exe
>> Publisher: Unknown Publisher
>> Type: Microsoft Office Access MDE Database
>> From: \\SERVER\Public\BLAST\UHC_Frms.mee
>> | Open | | Cancel |
>> ______________________________________
>> Note that the path shown above is when I'm testing on my home network,
>> not
>> at NASM. Also, that warning was from Office 2007 but at NASM they are
>> still
>> using Office 2003, so the dialog box is different.
>>
>> Also, the error message is different under Office 2003 (and a lot more
>> confusing for users.) I'm not at NASM now, so I can't see the exact text
>> of
>> how the error appears there. I'll post that tomorrow when I go there.
>>
>>
>> Question:
>> How can we avoid these warnings? Would it work for us to obtain and
>> publish
>> a certificate for the program code? If so, does it need to be reissued
>> each
>> time we make a change? (Since we have only been up and running for users
>> since January, the code is still being modified as we gain experience.)
>> How
>> do we do that?
>>
>> What do you recommend?
>>
>>
>>
>> --
>> Rodney L. Wright
>
 
> Garbage --- MS Word doesn't generate a warning everytime I start it.
> Neither does Excel, Powerpoint, or Outlook.

MS Word, Excel, PowerPoint and Outlook are (a) not applications you download
and run from the Internet most of the time, (b) not applications that will
run potentially untrusted contect when you launch them. It is a completely
invalid analogy.

> What does OP need to do so his
> application doesn't generate a Vista warning at runtime.

One of us clearly misunderstood OP. My understanding was that the warning
was generated at run-time because the application was not installed. It was
downloaded as a stand-alone executable, not as an installer. If you wrap the
application in an installation file Vista will warn you when you execute the
installer, but not when you execute the application that is installed.

I may have misunderstood OP, but the warning that was in the original post
was perfectly consistent with the Mark of the Web. IE adds the Mark of the
Web to all downloaded files by setting a flag in an Alternate Data Stream.
The flag can be removed on a download by download basis by unchecking the box
for "Always ask before opening this file." However, OP seemed to want to
remove all such warnings for a particular file. Doing so is highly
inadvisable because it would remove the warning to the user that s/he is
about to execute arbitrary content.
 
"Jesper" <Jesper@discussions.microsoft.com> wrote in message
news:4CDE2A3B-331E-4CFB-B296-3D0D02DF4AB8@microsoft.com...
>> Garbage --- MS Word doesn't generate a warning everytime I start it.
>> Neither does Excel, Powerpoint, or Outlook.
>
> MS Word, Excel, PowerPoint and Outlook are (a) not applications you
> download
> and run from the Internet most of the time, (b) not applications that will
> run potentially untrusted contect when you launch them. It is a
> completely
> invalid analogy.
>
>> What does OP need to do so his
>> application doesn't generate a Vista warning at runtime.
>
> One of us clearly misunderstood OP. My understanding was that the warning
> was generated at run-time because the application was not installed. It
> was
> downloaded as a stand-alone executable, not as an installer. If you wrap
> the
> application in an installation file Vista will warn you when you execute
> the
> installer, but not when you execute the application that is installed.
>
> I may have misunderstood OP, but the warning that was in the original post
> was perfectly consistent with the Mark of the Web. IE adds the Mark of the
> Web to all downloaded files by setting a flag in an Alternate Data Stream.
> The flag can be removed on a download by download basis by unchecking the
> box
> for "Always ask before opening this file." However, OP seemed to want to
> remove all such warnings for a particular file. Doing so is highly
> inadvisable because it would remove the warning to the user that s/he is
> about to execute arbitrary content.
>


Jesper,

Now we have common terminology. I thought OP was installing, but if he is
running from the web as you suspect, the warning is entirely valid.

OP - how is your app running? If you can create an installer and sign the
installation package, I suspect your Vista alert problems will go away as
installed apps don't alert every time they are started. This sounds like
you may actually need to rearchitect your app to be client server with the
server sitting behind a web service and the local client either be a ASP.NET
application (web site) or installed. You will probably need to dump Access
in favor of SQL Server 2005 (Express or Full) for your data store.

Mike.
 
Back
Top