Create Trusted Location Via Code


David C. Holley

Is it possible to create a trusted location via code? Which I'm thinking no,
but...
 
In general sense, No! That would kinda defeat the purpose of security.

That said, with enough digging... there are ways to do almost anything. I
believe that it can be done if you are willing to mess around with registry
settings (be very careful as you can seriously damage a computer if you mess
this up). Take a look at:

http://www.access-programmers.co.uk/forums/archive/index.php/t-136411.html
http://bytes.com/topic/access/answers/692003-access-2007-runtime-security-issue#post2752405

Basically you need to add a new reg key per trusted location you wish to create

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Access\Security\Trusted Locations\Location1]
AllowSubFolders (REG_DWORD) = 1
Path (REG_SZ) "FullPathOfTrustedLocation"
--
Hope this helps,

Daniel Pineault
http://www.cardaconsultants.com/
For Access Tips and Examples: http://www.devhut.net
Please rate this post using the vote buttons if it was helpful.
 
We're already creating a system DSN via a VBScript. It's more for our
convenience when we set up a PC to use the front end. It did occur to me that
it would defeat the purpose, but it also occurred to me that MS is stupid
enough to have designed the Trust Center to use the registry which would by
default mean that code could be used. God forbid that they should modify the
design of the registry so that modification of certain node or keys would be
restricted.

 
The registry has both security and restricted regions.

There is no reason why an "ordinary" user should have permission on the
trust centre except by elevating privileges.
But these are the people that block MDBs in email, and not DOC. I haven't
checked it.

And all that Windows Licensing stuff is in the registry: you just don't have
access to it.

(david)

 
Daniel Pineault said:
In general sense, No! That would kinda defeat the purpose of security.

Actually yes. I do realize it doesn't make a lot of sense in some
respects but yes. The Auto FE Updater does create those registry keys
if desired without requiring any admin privileges.
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Access\Security\Trusted Locations\Location1]
AllowSubFolders (REG_DWORD) = 1
Path (REG_SZ) "FullPathOfTrustedLocation"

Yup, looks about right. Note that you don't need, nor should you,
name the registry key Location1. It can be anything you like such as,
for example, "Granite Fleet Manager" or "Auto FE Updater - Fleet". I
would suggest not using Location1 because that may already have been
used by Access on some of those systems.

Tony
--
Tony Toews, Microsoft Access MVP
Tony's Main MS Access pages - http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
For a convenient utility to keep your users FEs and other files
updated see http://www.autofeupdater.com/
Granite Fleet Manager http://www.granitefleet.com/
 
David C. Holley said:
Is it possible to create a trusted location via code? Which I'm thinking no,
but...

The Auto FE updater can do this for you as well as a whole bunch of
other, hopefully useful, functionality.

Tony

 
Actually yes. I do realize it doesn't make a lot of sense in some
respects but yes. The Auto FE Updater does create those registry
keys if desired without requiring any admin privileges.

On Vista/Win7, that surely prompts a UAC prompt, which is a good
thing, no?
 
Tony Toews said:
Daniel Pineault said:
In general sense, No! That would kinda defeat the purpose of security.

Actually yes. I do realize it doesn't make a lot of sense in some
respects but yes. The Auto FE Updater does create those registry keys
if desired without requiring any admin privileges.
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Access\Security\Trusted Locations\Location1]
AllowSubFolders (REG_DWORD) = 1
Path (REG_SZ) "FullPathOfTrustedLocation"

Yup, looks about right. Note that you don't need, nor should you,
name the registry key Location1. It can be anything you like such as,
for example, "Granite Fleet Manager" or "Auto FE Updater - Fleet". I
would suggest not using Location1 because that may already have been
used by Access on some of those systems.

I simply did an export out of my development machine. We're not using Access
extensively so we should be good to go.
 
I went with VBScript that actually copies the front end from the server to
the local machine and then launches Access and runs the .mde file. It was my
simple solution to distributing new front ends as well as dealing with bloat
due to some temp tables that exist. The script creates an icon on the users
desktop that points to the script, but has the Access icon. They don't know
the difference. The script also creates an IE window and updates it to
provide the user with progress information.
 
David W. Fenton said:
On Vista/Win7, that surely prompts a UAC prompt, which is a good
thing, no?

No, this doesn't hit the UAC prompt. I test my Auto FE Updater in a
clean Win Vista/7 OS install with just Office installed and no other
settings changes. And no UAC.

Tony
 
Tony Toews said:
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Access\Security\Trusted Locations\Location1]
AllowSubFolders (REG_DWORD) = 1
Path (REG_SZ) "FullPathOfTrustedLocation"

Yup, looks about right. Note that you don't need, nor should you,
name the registry key Location1. It can be anything you like such as,
for example, "Granite Fleet Manager" or "Auto FE Updater - Fleet". I
would suggest not using Location1 because that may already have been
used by Access on some of those systems.

Actually don't use any registry key that starts with Location and then
some digits.

Tony
 
microsoft said:
well as dealing with bloat
due to some temp tables that exist.

See the TempTables.MDB page at my website which illustrates how to use
a temporary MDB in your app.
http://www.granite.ab.ca/access/temptables.htm

Tony
 
I was just looking at this:

http://technet.microsoft.com/en-us/library/cc179039.aspx

to see how it all worked (the trust registry is controlled by
Group Policy or Local Machine settings, not UAC), and I
saw this:

"Applications in the Office 2010 cannot recognize environment variables that
are stored as String Value (REG_SZ) value types. For applications to
recognize environment variables, you must change the value type of the Path
entry so that it is an Expandable String Value (REG_EXPAND_SZ) value type."

Cool: I never thought of it like that. It's gonna be a generic trick. You
can use an environment variable to control a registry setting if you
re-write the registry setting as a (REG_EXPAND_SZ) including the environment
variable. I bet you can use this to make user-controlled settings in HKLM
without permission!

(david)
 
No, this doesn't hit the UAC prompt. I test my Auto FE Updater in
a clean Win Vista/7 OS install with just Office installed and no
other settings changes. And no UAC.

Hmm. That means the Trust Center registry key is in a location
editable by users, which seems to me to make it pretty useless!

I've always felt that "macro security" and all of this was just
"security theater" on MS's part, and that just serves to confirm
that suspicion.
 
David W. Fenton said:
Hmm. That means the Trust Center registry key is in a location
editable by users, which seems to me to make it pretty useless!

<shrug> Pretty much. Also given that you can mark a given registry
location's sub folders as trusted too. So that makes it even less
meaningful.

Tony
 
If you look at the link I gave previously, you will see that
this is controlled by Group Policy and HKLM settings.

Group Policy and HKLM settings are indeed the 'old'
way of doing things, but they are also the 'only' way of
doing network management: there is not an independent
(non-group-management) way of doing management of
UAC. UAC would be a very blunt instrument for controlling
the trust centre.

If you want to restrict yourself on your own PC, you
can set a local group policy (you will need elevated rights
to do that) or change the HKLM settings (you will need
elevated rights to do that).

It is still interesting that a user can, by default, change
their own trust settings, when there are so many other
things they, by default, can no longer do. But that
doesn't make it useless: it just makes it less important
for individual users who aren't in locked-down domains.

(david)
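
A read-only audit of the per-user key discussed in this thread, added here as an example (it is not code from any poster or from the Auto FE Updater). It lists every Access trusted location under HKCU and notes the properties the thread raises: subfolder trust, key naming, and environment variables stored in a REG_SZ Path. The function name `Get-AccessTrustedLocation` is hypothetical, and the Office version 12.0 is the one quoted in the posts.

```powershell
# Added example: read-only audit of per-user Access trusted locations.
# Office version 12.0 (Access 2007) is the one quoted in the thread.
function Get-AccessTrustedLocation {   # hypothetical helper name
    param([string]$OfficeVersion = '12.0')

    $base = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Access\Security\Trusted Locations"
    if (-not (Test-Path -LiteralPath $base)) { return }

    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    foreach ($key in Get-ChildItem -LiteralPath $base) {
        # Read the raw Path so an unexpanded %VARIABLE% stays visible.
        $path = [string]$key.GetValue('Path', $null, $noExpand)
        if ([string]::IsNullOrWhiteSpace($path)) { continue }

        $kind     = $key.GetValueKind('Path')
        $subTrust = [int]$key.GetValue('AllowSubFolders', 0) -eq 1
        $notes    = @()

        if ($subTrust) {
            $notes += 'trusts every subfolder of Path'
        }
        # Per the thread, Access itself may use Location<digits> names;
        # other names were likely created by a script or tool (heuristic).
        if ($key.PSChildName -notmatch '^Location\d+$') {
            $notes += 'custom key name (not the Location<digits> pattern)'
        }
        # Per the TechNet text quoted in the thread (stated for Office 2010).
        if ($path -match '%[^%]+%' -and $kind -ne 'ExpandString') {
            $notes += 'environment variable in REG_SZ Path will not be expanded'
        }
        $expanded = [Environment]::ExpandEnvironmentVariables($path)
        if (-not (Test-Path -LiteralPath $expanded)) {
            $notes += 'Path does not exist on this machine'
        }

        [pscustomobject]@{
            KeyName         = $key.PSChildName
            Path            = $path
            ValueKind       = $kind
            AllowSubFolders = $subTrust
            Notes           = $notes -join '; '
        }
    }
}

Get-AccessTrustedLocation | Format-List
```

It runs as the logged-on user without elevation, because it only reads that user's own HKCU hive.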
 
<shrug> Pretty much. Also given that you can mark a given registry
location's sub folders as trusted too. So that makes it even less
meaningful.

Security theater, not actual security. That's pretty much the way
I've seen all the alterations to Outlook and macro security starting
back with the ILOVEYOU worm.

Complete idiots they must be.
 
As an afterthought... It is NOT counterintuitive to set a trusted location via code for the following 2 reasons:
1) If the current project is not trusted, the code attempting to make it trusted will not run, so there's no security threat. At best, the code will simply not run.
2) The user can "temporarily" allow the given file, but that won't make the location a trusted location. As such, the permissions will have to be granted every time the file is opened. However, once the file is allowed once, the code modules will then be permitted to run, and then you can put in the code to add the file location to the list of trusted ones, making the permissions permanent.
 