Understanding SandBox Mode

  • Thread starter Thread starter Sam S.
  • Start date Start date
S

Sam S.

Hello,
Not being familiar with later versions of Access I am somewhat confused
about operations of sandbox mode. An organization wide request has been
made to disable sandbox mode through the registry on each machine with access
because some reporting does not work.

After reading the MS documentation I was recommended against this without
first trying other options such as trusting a database, trusted locations,
digital signature.

My understanding is that by disabling sandbox through the registry we could
potentially be opening ourselves up to harmful code in other databases such
as if someone were to download a database from the internet.

I was then pointed to the following quote from another site which states:
"Remember that the database must either be located in a trusted location, or
bear a valid trust signature, for it to be possible to disable sandbox mode."
http://office.microsoft.com/en-us/access/HA101674291033.aspx

Question: Based on this and the flow chart associated with that it appears
that I was incorrect and that disabling Sandbox mode in the registry (Set reg
key to "0") will only disable Sandbox mode for trusted locations. Which
means that if by carefully defining trusted locations we would be limiting
our exposure?

How common a practice is it to disable SanBox mode in order to get apps to
run? Is it common that many issues are resolved by using a trusted location
without disabling sandbox mode?


Thank you very much for the feedback on this topic.
 
I use Trusted Locations on Access 2007 databases and also disable the
Sandbox.

Although I'm sure that there are some, I know of no companies which allow
the Sandbox to run. My clients include several Fortune 500 companies. I also
only know of a few Access developers that have code certifications, and
those typically are selling off-the-shelf apps.

Most companies with IT staffs generally use Group Policies to keep most
users from even downloading executables. One of my Fortune 500 companies
distributes files via email, and only emails from a specific source are
allowed as attachments, and they must be saved in a specific location, no
other downloads of any kind are allowed.

Getting back to security. Access databases have too small a footprint for
the virus writers to consider using them as a vehicle. True, malicious code
can be written in Access databases, but hardly anyone downloads databases,
especially from unknown sources. Today, most viruses are written, not to
contaminate a computer, but for profit. Access just doesn't offer enough to
the virus authors to be of high concern.

So my advice is to open up your LAN to your users, but lock out any outside
executable files.
 
Back
Top