Solved

Can Security Policies stipulate that a given VBA application has permission to run?

Posted on 2006-11-06
Last Modified: 2013-12-04
Hi Experts,

This likely falls under the heading of dumb questions but since I'm out of my element with corporate Security Policies and how flexibly they can (or cannot) be administered, I'm hoping someone can provide some insights here.

I've written an Add-in Application for Excel that is almost entirely written in VBA, uses a fair amount of API calls and in one instance uses scripting to communicate with Outlook.  I did my first demo last week of the application at a prospective corporate customer and ran into some problems with my installation program throwing handled errors that I hadn't expected to be triggered.  As further background, the Installation program was designed to:

a) Simplify the installation process for those users that aren't familiar with the process of installing add-in applications (so I do that in the background via code)

b) In the free Trial version of the program that I was demonstrating, there is also an automatic uninstall after the 30 day trial ends.  

Basically the error that got triggered was from code that detects whether or not a user has bypassed my normal installation program and did the install from Excel's Tools | Addins menu. (Since using my Install program sets the stage for the automatic uninstall 30 days later, detecting this bypass of the install process is necessary to prevent users from "converting" a free Trial version to an (unpaid) "production" version.)

I've tested the install program extensively on standalone PCs and have also been able to install it on a laptop from a Shared Folder on a Desktop and been able to successfully install it and automatically uninstall it 30 days hence in that environment.  While I was able to successfully demo the product by using the "production" version, my intent is to make the free trial version available on my web site and am trying to anticipate what corporate IT administrators can do to allow my installation program to run.

A long way to say: can corporate Security Policies stipulate that a given VBA application has permission to run? That is, without opening "holes" in their systems that would allow other (unwanted) code from others to run? If it helps answer the question, I do use Digital Certificates on all the files in my application.  Also, if there is any "generic" advice I could offer to corporate IT administrators to accomplish this, I'd be interested in that detail, too.

I appreciate any insights.

Jeff
0
Question by:jeffreywsmith
11 Comments
 
LVL 85

Expert Comment

by:Rory Archibald
ID: 17889821
Jeff,
Can you clarify what your installation program is? Is it an executable file, or a workbook/add-in or what? At the end of the day, most corporate IT departments frown on users installing software and therefore do not give them rights to do so. I would guess that the problem you are having is that the users do not have rights to access certain parts of their systems (e.g. the registry) - they would therefore require the administrator to perform the actual installation. You cannot, AFAIK, give specific security rights to a program (other than using the RunAs option, which requires a user id and password with appropriate security rights).
HTH
Rory
0
 
LVL 2

Author Comment

by:jeffreywsmith
ID: 17889942
Hi Rory and thanks for logging in on this. The installation program is in the form of an Excel xls file and it installs an XLA add-in while also establishing some Registry settings to facilitate the app's functionality while also (in the Free Trial version) setting the stage for an automatic uninstall after 30 days.

I do recognize that most corporate IT administrators restrict user rights - my question was more to the point of what corporate IT administrators *themselves* could do to give my application (as well as the Installation program) permission to run for any users they specify.  I was actually doing the demo for the IT director so I would have thought he had Administrative privileges on the PC we were using (but didn't think to ask about that ...).  Funny that the installation program failed to run but that I was still able to do a "manual install" through Tools | Addins (but that was using the "production version", not the Free Trial version which has some more convoluted code to effect the automatic uninstall after the 30 days is up) - both update the Windows Registry so I'm not sure exactly where/why one failed and the other didn't.

I'm not familiar with the RunAs option ... can you elaborate on that?

Jeff
0
 
LVL 85

Expert Comment

by:Rory Archibald
ID: 17890325
Jeff,
If you install an add-in via Tools-Addins, Excel does the updating of the registry in a location that it *has* to have rights to, in order to work. I'm not sure what parts of the registry your installation app might be accessing? I do not believe it is possible to give access rights to a particular workbook. I would guess that the IT director quite possibly did not have access rights, either at all or just on that PC. I would never give an IT director admin rights, but that's a different issue! :)
The RunAs command does exactly what you would think - it gives you the ability to run a program as a different user than the one logged-in. It won't help you though as you need details of a user with sufficient rights. I would suggest that for corporations, any user who needs the program will have to get their IT department to perform the installation for them (as I have to do at work now). Alternatively, you will need to make your registry changes to an unrestricted location.
HTH
Rory
0
 
LVL 2

Author Comment

by:jeffreywsmith
ID: 17890515
Rory,

My Registry updates are made under the VB and VBA Program Settings key, which I understand is the only Registry section available to VBA code.

You may be right about the difficulties I experienced being due to the IT Director not having Admin Rights ... if so, I guess there is a level in the Security Policy hierarchy that would allow a Tools | Addins install, while still restricting VBA code from doing the same - is that correct?

In my simplified view of these issues, I imagined that if someone with Admin Rights in the IT department, using my Install program, "installed" my app on a Server, then set up a Group of users who had rights to then access this application's folder, that said users could then also execute my Install program to achieve the Tools | Addins install (but via my code) along with the Registry updates necessary to facilitate the app's functionality while also (in the Free Trial version) setting the stage for an automatic uninstall after 30 days.  Is there a way to make this happen within the Security Policies framework?

If not, I may have to present the Free Trial version for individual users only ... and offer a Money Back guarantee for corporate users who would install the "production version" with Tools | Addins, I suppose (or they could test the Free Trial version on an unrestricted computer for evaluation first).

Jeff
0
 
LVL 85

Accepted Solution

by:
Rory Archibald earned 500 total points
ID: 17890738
Jeff,
That is not correct. That is the only area of the registry you can access using the GetSetting and SaveSetting functions - you can, however, access any part of the registry using scripts or API calls.
It is possible (I don't in all honesty know either way) that Excel has System privileges for its registry changes, rather than performing them as the logged-in user.
I think your options are:
1. Deal with corporate customers differently, as you suggest, with a full version of the product. They are, after all, less likely to run the risk of violating your licensing.
2. Add a disclaimer that installation may fail due to security restrictions and that in such cases, the user will have to ask his IT department to perform the installation.

Your scenario of an application folder would only work, I think, if the IT department included some sort of batch file to make the installation run as an administrator. I doubt they would do this because the admin password would be easily discoverable!

I am a little surprised that a security policy would restrict access to the VBA Program Settings part of the registry though!

Regards,
Rory
0
 
LVL 2

Author Comment

by:jeffreywsmith
ID: 17891813
Thanks for the clarification on the other ways to update the Registry, Rory ... would you expect there's a way to use API calls to achieve what I want? Or would I end up in the same place I am now?

Your idea of the IT department making some sort of batch file to make the installation run as an administrator is interesting ... shouldn't there be a way to restrict the privileges of viewing the batch file (& admin password) while allowing its execution by those with appropriate Group rights?

I'm obviously out of my element here but it seems to me that there ought to be some way for Security Policies to "White list" vetted applications that carry Digital Certificates, no matter what language they were written in ...

Jeff



0
 
LVL 85

Expert Comment

by:Rory Archibald
ID: 17892438
I don't know whether APIs would help - it would depend entirely on their security.
You cannot, AFAIK, give permission to execute a file but not read it. They could probably put it in the login script though. But at that point, I think you're expecting a lot of an IT department.
I think the problem is that you are not talking about an application in the traditional sense of an executable - you are talking about a document with some added functionality. I still think the simplest thing is to have the IT department do the installation.
Regards,
Rory
0
 
LVL 2

Author Comment

by:jeffreywsmith
ID: 17892832
Well, I certainly don't want to expect a lot of an IT department - I'm just trying to do what I can to make this simpler ... for them (and me).  So my statement about "Your idea of the IT department making some sort of batch file ..." was just quoting your earlier language, but the idea I had (again in my simplistic view of these issues), was that if the mechanics of such a batch file was generic enough, perhaps if it was done once, it might be re-usable by other customers and something I could include in the "package" of the application files.  Or, if these sort of things differ by OS, then maybe a collection of a few of them might cover most bases ...?  

Again, Rory, I'm just throwing out ideas here without really knowing how to make these ideas work ... or if they are even viable.

Jeff
0
 
LVL 85

Expert Comment

by:Rory Archibald
ID: 17894102
Jeff,
Firstly, I think it would be worth double-checking exactly what the problem was - as I said, I'm a little surprised that programs can't write their own settings to the registry; this is after all a pretty standard requirement.
The problem with the batch file approach is that you are effectively creating a text file containing a user name and password with admin rights. Most IT departments would be pretty reluctant to do this. It would be much easier for them to create a .reg file with the necessary settings and apply it remotely to the relevant users I would think. But I would still do some more digging into the root cause of the error.
HTH
Rory
0
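
An added example (not part of the original thread or either poster's code): a PowerShell check an administrator could run in the affected user's session to confirm whether writes under `HKCU\Software\VB and VBA Program Settings`, the key where `SaveSetting` stores its values, are actually being denied. The application and section names are hypothetical placeholders.

```powershell
# Added example: run in the affected user's own session (HKCU is per-user).
# $AppName and $Section are hypothetical placeholders for the add-in's
# SaveSetting appname/section arguments.
$Root    = 'HKCU:\Software\VB and VBA Program Settings'
$AppName = 'ExampleAddin'
$Section = 'Install'

function Test-VbaSettingsWrite {
    param([string]$Root, [string]$AppName, [string]$Section)

    $appKey     = Join-Path $Root $AppName
    $probeKey   = Join-Path $appKey "$Section-write-probe"
    $appExisted = Test-Path -Path $appKey
    $result = [ordered]@{
        User       = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        RootExists = Test-Path -Path $Root
        CanWrite   = $false
        Error      = $null
    }
    try {
        # -Force creates missing parent keys, much as SaveSetting does on first use.
        New-Item -Path $probeKey -Force -ErrorAction Stop | Out-Null
        New-ItemProperty -Path $probeKey -Name 'Probe' -Value 'test' -PropertyType String -Force -ErrorAction Stop | Out-Null
        $result.CanWrite = $true
    }
    catch {
        # A restrictive key ACL usually surfaces here as an access-denied exception.
        $result.Error = '{0}: {1}' -f $_.Exception.GetType().Name, $_.Exception.Message
    }
    finally {
        # Remove only the keys this probe created.
        if (Test-Path -Path $probeKey) { Remove-Item -Path $probeKey -Recurse -Force -ErrorAction SilentlyContinue }
        if (-not $appExisted -and (Test-Path -Path $appKey)) { Remove-Item -Path $appKey -Recurse -Force -ErrorAction SilentlyContinue }
        if (-not $result.RootExists -and (Test-Path -Path $Root)) { Remove-Item -Path $Root -Recurse -Force -ErrorAction SilentlyContinue }
    }
    [pscustomobject]$result
}

Test-VbaSettingsWrite -Root $Root -AppName $AppName -Section $Section | Format-List

# List the access rules on the nearest existing key to see who may write there.
$aclPath = if (Test-Path -Path $Root) { $Root } else { 'HKCU:\Software' }
(Get-Acl -Path $aclPath).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```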
 
LVL 2

Author Comment

by:jeffreywsmith
ID: 17899304
Ok - Rory - let me do some checking to see if I can find out more specifically what the issue was here & report back.  

As far as this .reg file you mentioned, again, once constructed, would that be a generic enough file that I could bundle it in with my package for others to use in their installs (even if it was a "starter" file needing modifications)? Or are there likely to be so many variables in the path to the Key, etc. that everyone would need to "grow their own"?

Jeff
0
 
LVL 2

Author Comment

by:jeffreywsmith
ID: 17909666
Rory,

I've posed the question about the specifics of the Network environment I was doing the demo in ... but since I wasn't talking to the one who had the knowledge, we just left it that I would speak with those folks when I go back to do a larger scale evaluation. So rather than just leave this question hanging, let me close it out - I think your answers have outlined my options here ... it would be helpful if you could address the question about the .reg files posted in my last comment ... an example of what that might look like would be very helpful ... if that's possible to construct on the very vague information I've provided thus far ...

Thanks for your help, Rory.


Jeff
0


Question has a verified solution.
