Can Security Policies stipulate that a given VBA application has permission to run?

Posted on 2006-11-06
Last Modified: 2013-12-04
Hi Experts,

This likely falls under the heading of dumb questions but since I'm out of my element with corporate Security Policies and how flexibly they can (or cannot) be administered, I'm hoping someone can provide some insights here.

I've written an Add-in Application for Excel that is almost entirely written in VBA, uses a fair amount of API calls and in one instance uses scripting to communicate with Outlook.  I did my first demo last week of the application at a prospective corporate customer and ran into some problems with my installation program throwing handled errors that I hadn't expected to be triggered.  As further background, the installation program was designed to:

a) Simplify the installation process for those users that aren't familiar with the process of installing add-in applications (so I do that in the background via code)

b) In the free Trial version of the program that I was demonstrating, there is also an automatic uninstall after the 30 day trial ends.  

Basically the error that got triggered was from code that detects whether or not a user has bypassed my normal installation program and did the install from Excel's Tools | Addins menu (since using my Install program sets the stage for the automatic uninstall 30 days later, detecting this bypass of the install process is necessary to prevent users from "converting" a free Trial version to an (unpaid) "production" version).

I've tested the install program extensively on standalone PCs and have also been able to install it on a laptop from a Shared Folder on a Desktop and been able to successfully install it and automatically uninstall it 30 days hence in that environment.  While I was able to successfully demo the product by using the "production" version, my intent is to make the free trial version available on my web site and am trying to anticipate what corporate IT administrators can do to allow my installation program to run.

A long way to say: can corporate Security Policies stipulate that a given VBA application has permission to run? That is, without opening "holes" in their systems that would allow other (unwanted) code from others to run? If it helps answer the question, I do use Digital Certificates on all the files in my application.  Also, if there is any "generic" advice I could offer to corporate IT administrators to accomplish this, I'd be interested in that detail, too.

I appreciate any insights.

Jeff
Question by:jeffreywsmith
Expert Comment

by:Rory Archibald
Jeff,
Can you clarify what your installation program is? Is it an executable file, or a workbook/add-in or what? At the end of the day, most corporate IT departments frown on users installing software and therefore do not give them rights to do so. I would guess that the problem you are having is that the users do not have rights to access certain parts of their systems (e.g. the registry) - they would therefore require the administrator to perform the actual installation. You cannot, AFAIK, give specific security rights to a program (other than using the RunAs option, which requires a user id and password with appropriate security rights)
HTH
Rory
Author Comment

by:jeffreywsmith
Hi Rory and thanks for logging in on this. The installation program is in the form of an Excel xls file and it installs an XLA add-in while also establishing some Registry settings to facilitate the app's functionality while also (in the Free Trial version) setting the stage for an automatic uninstall after 30 days.

I do recognize that most corporate IT administrators restrict user rights - my question was more to the point of what corporate IT administrators *themselves* could do to give my application (as well as the Installation program) permission to run for any users they specify.  I was actually doing the demo for the IT director so I would have thought he had Administrative privileges on the PC we were using (but didn't think to ask about that ...).  Funny that the installation program failed to run but that I was still able to do a "manual install" through Tools | Addins (but that was using the "production version", not the Free Trial version which has some more convoluted code to effect the automatic uninstall after the 30 days is up) - both update the Windows Registry so I'm not sure exactly where/why one failed and the other didn't.

I'm not familiar with the RunAs option ... can you elaborate on that?

Jeff
Expert Comment

by:Rory Archibald
Jeff,
If you install an add-in via Tools-Addins, Excel does the updating of the registry in a location that it *has* to have rights to, in order to work. I'm not sure what parts of the registry your installation app might be accessing? I do not believe it is possible to give access rights to a particular workbook. I would guess that the IT director quite possibly did not have access rights, either at all or just on that PC. I would never give an IT director admin rights, but that's a different issue! :)
The RunAs command does exactly what you would think - it gives you the ability to run a program as a different user than the one logged-in. It won't help you though as you need details of a user with sufficient rights. I would suggest that for corporations, any user who needs the program will have to get their IT department to perform the installation for them (as I have to do at work now) Alternatively, you will need to make your registry changes to an unrestricted location.
HTH
Rory
Author Comment

by:jeffreywsmith
Rory,

My Registry updates are made under the VB and VBA Program Settings key, which I understand is the only Registry section available to VBA code.

You may be right about the difficulties I experienced being due to the IT Director not having Admin Rights ... if so, I guess there is a level in the Security Policy hierarchy that would allow a Tools | Addins install, while still restricting VBA code from doing the same - is that correct?

In my simplified view of these issues, I imagined that if someone with Admin Rights in the IT department, using my Install program, "installed" my app on a Server, then set up a Group of users who had rights to then access this application's folder, that said users could then also execute my Install program to achieve the Tools | Addins install (but via my code) along with the Registry updates necessary to facilitate the app's functionality while also (in the Free Trial version) setting the stage for an automatic uninstall after 30 days.  Is there a way to make this happen within the Security Policies framework?

If not, I may have to present the Free Trial version for individual users only ... and offer a Money Back guarantee for corporate users who would install the "production version" with Tools | Addins, I suppose (or they could test the Free Trial version on an unrestricted computer for evaluation first).

Jeff
Accepted Solution

by:Rory Archibald (earned 500 total points)
Jeff,
That is not correct. That is the only area of the registry you can access using the GetSetting and SaveSetting functions - you can, however, access any part of the registry using scripts or API calls.
It is possible (I don't in all honesty know either way) that Excel has System privileges for its registry changes, rather than performing them as the logged-in user.
I think your options are:
1. Deal with corporate customers differently, as you suggest, with a full version of the product. They are, after all, less likely to run the risk of violating your licensing.
2. Add a disclaimer that installation may fail due to security restrictions and that in such cases, the user will have to ask his IT department to perform the installation.

Your scenario of an application folder would only work, I think, if the IT department included some sort of batch file to make the installation run as an administrator. I doubt they would do this because the admin password would be easily discoverable!

I am a little surprised that a security policy would restrict access to the VBA Program Settings part of the registry though!

Regards,
Rory
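The distinction Rory draws above (SaveSetting/GetSetting are confined to one subtree, while API calls can reach any key) is easy to see in code. The following is an added example written for this page, not code posted by Jeff or Rory. It stores a trial start date first with SaveSetting, which always lands under HKEY_CURRENT_USER\Software\VB and VBA Program Settings\<app>\<section>, and then with advapi32 under a caller-chosen HKCU path, returning the Win32 status so that an access-denied result from a locked-down key can be told apart from other failures. The add-in name "MyAddin", the key paths and the value names are placeholders, not from the thread.

```vba
' Added example, not from the thread. "MyAddin" and the key/value names
' below are placeholders. Declarations are for 32-bit Office (2006-era);
' on 64-bit Office add PtrSafe and use LongPtr for handles.
Option Explicit

Private Const HKEY_CURRENT_USER As Long = &H80000001
Private Const KEY_WRITE As Long = &H20006            ' STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY
Private Const REG_SZ As Long = 1
Private Const REG_OPTION_NON_VOLATILE As Long = 0
Private Const ERROR_SUCCESS As Long = 0
Private Const ERROR_ACCESS_DENIED As Long = 5

Private Declare Function RegCreateKeyEx Lib "advapi32.dll" Alias "RegCreateKeyExA" ( _
    ByVal hKey As Long, ByVal lpSubKey As String, ByVal Reserved As Long, _
    ByVal lpClass As String, ByVal dwOptions As Long, ByVal samDesired As Long, _
    ByVal lpSecurityAttributes As Long, phkResult As Long, lpdwDisposition As Long) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" ( _
    ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, _
    ByVal dwType As Long, ByVal lpData As String, ByVal cbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long

' 1. Built-in functions: the only place they can write is
'    HKCU\Software\VB and VBA Program Settings\MyAddin\Trial\Start
Public Sub WriteTrialStartWithSaveSetting()
    On Error GoTo Fail
    SaveSetting "MyAddin", "Trial", "Start", Format(Date, "yyyy-mm-dd")
    Debug.Print "Stored: " & GetSetting("MyAddin", "Trial", "Start", "(none)")
    Exit Sub
Fail:
    ' A restricted HKCU subtree surfaces here as a plain VBA run-time error,
    ' with no Win32 status to tell you why.
    Debug.Print "SaveSetting failed: " & Err.Number & " " & Err.Description
End Sub

' 2. Win32 API: creates (or opens) HKCU\<subKey> and writes a REG_SZ value.
'    Returns the Win32 status code instead of raising, so the caller can
'    distinguish a policy/ACL refusal from anything else.
Public Function WriteStringValue(ByVal subKey As String, ByVal valueName As String, _
                                 ByVal data As String) As Long
    Dim hKey As Long, disposition As Long, rc As Long
    rc = RegCreateKeyEx(HKEY_CURRENT_USER, subKey, 0, vbNullString, _
                        REG_OPTION_NON_VOLATILE, KEY_WRITE, 0, hKey, disposition)
    If rc <> ERROR_SUCCESS Then
        WriteStringValue = rc
        Exit Function
    End If
    ' cbData counts the terminating null for REG_SZ
    rc = RegSetValueEx(hKey, valueName, 0, REG_SZ, data, Len(data) + 1)
    RegCloseKey hKey
    WriteStringValue = rc
End Function

Public Sub WriteTrialStartWithApi()
    Dim rc As Long
    rc = WriteStringValue("Software\MyAddin", "TrialStart", Format(Date, "yyyy-mm-dd"))
    Select Case rc
        Case ERROR_SUCCESS
            Debug.Print "Written under HKCU\Software\MyAddin"
        Case ERROR_ACCESS_DENIED
            ' This is the case Rory suspects: the user's own hive is locked down
            ' and only IT can pre-seed the key or relax the ACL.
            Debug.Print "Access denied (Win32 error 5): installation needs IT to pre-seed the key"
        Case Else
            Debug.Print "Registry call failed, Win32 error " & rc
    End Select
End Sub
```

The API path does not gain any rights the user lacks: it runs under the logged-in user's token just like SaveSetting, so it will hit the same ACL or policy restriction. What it adds is a usable error code and the freedom to pick the key, which is what an installer needs in order to report "ask IT" rather than a generic VBA error.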
Author Comment

by:jeffreywsmith
Thanks for the clarification on the other ways to update the Registry, Rory ... would you expect there's a way to use API calls to achieve what I want? Or would I end up in the same place I am now?

Your idea of the IT department making some sort of batch file to make the installation run as an administrator is interesting ... shouldn't there be a way to restrict the privileges of viewing the batch file (& admin password) while allowing its execution by those with appropriate Group rights?

I'm obviously out of my element here but it seems to me that there ought to be some way for Security Policies to "White list" vetted applications that carry Digital Certificates, no matter what language they were written in ...

Jeff
Expert Comment

by:Rory Archibald
I don't know whether APIs would help - it would depend entirely on their security.
You cannot, AFAIK, give permission to execute a file but not read it. They could probably put it in the login script though. But at that point, I think you're expecting a lot of an IT department.
I think the problem is that you are not talking about an application in the traditional sense of an executable - you are talking about a document with some added functionality. I still think the simplest thing is to have the IT department do the installation.
Regards,
Rory
Author Comment

by:jeffreywsmith
Well, I certainly don't want to expect a lot of an IT department - I'm just trying to do what I can to make this simpler ... for them (and me).  So my statement about "Your idea of the IT department making some sort of batch file ..." was just quoting your earlier language, but the idea I had (again in my simplistic view of these issues) was that if the mechanics of such a batch file were generic enough, perhaps if it was done once, it might be re-usable by other customers and something I could include in the "package" of the application files.  Or, if these sorts of things differ by OS, then maybe a collection of a few of them might cover most bases ...?

Again, Rory, I'm just throwing out ideas here without really knowing how to make these ideas work ... or if they are even viable.

Jeff
Expert Comment

by:Rory Archibald
Jeff,
Firstly, I think it would be worth double-checking exactly what the problem was - as I said, I'm a little surprised that programs can't write their own settings to the registry; this is after all a pretty standard requirement.
The problem with the batch file approach is that you are effectively creating a text file containing a user name and password with admin rights. Most IT departments would be pretty reluctant to do this. It would be much easier for them to create a .reg file with the necessary settings and apply it remotely to the relevant users I would think. But I would still do some more digging into the root cause of the error.
HTH
Rory
Author Comment

by:jeffreywsmith
Ok - Rory - let me do some checking to see if I can find out more specifically what the issue was here & report back.  

As far as this .reg file you mentioned, again, once constructed, would that be a generic enough file that I could bundle it in with my package for others to use in their installs (even if it was a "starter" file needing modifications)? Or are there likely to be so many variables in the path to the Key, etc. that everyone would need to "grow their own"?

Jeff
Author Comment

by:jeffreywsmith
Rory,

I've posed the question about the specifics of the Network environment I was doing the demo in ... but since I wasn't talking to the one who had the knowledge, we just left it that I would speak with those folks when I go back to do a larger scale evaluation. So rather than just leave this question hanging, let me close it out - I think your answers have outlined my options here ... it would be helpful if you could address the question about the .reg files posted in my last comment ... an example of what that might look like would be very helpful ... if that's possible to construct on the very vague information I've provided thus far ...

Thanks for your help, Rory.


Jeff
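Rory's .reg suggestion was never illustrated in the thread, so here is an added example of what such a file looks like; it is not Rory's answer and not part of the original page. It pre-seeds exactly the per-user key that the add-in's own SaveSetting calls would otherwise write, so that a user whose VBA code cannot create the key still finds the values in place. The add-in name "MyAddin", the section "Trial" and the value names are placeholders; the install date is a constructed sample.

```reg
Windows Registry Editor Version 5.00

; Added example, not from the thread. "MyAddin", "Trial" and the value
; names are placeholders; the date is a constructed sample.
; Path mirrors what VBA's SaveSetting "MyAddin", "Trial", ... would create.
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\MyAddin\Trial]
"Start"="2006-11-06"
"InstalledByInstaller"="1"
```

Because the key is under HKEY_CURRENT_USER, the file has to be applied in each user's own session (for example from a logon script with `regedit /s myaddin.reg` or `reg import myaddin.reg`), not once by an administrator on the machine; the path is the same on every PC, so the file can be shipped generically and only the values need editing. This also answers the batch-file worry in the thread: a .reg file carries settings, not an admin password, so there is nothing in it that needs to be hidden from the users who run it.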