Solved

Access "A potential security concern has been identified" when opening DBs off intranet - GPO??

Posted on 2011-09-15
9,869 Views
Last Modified: 2012-05-12
We have just recently begun using Access Runtime 2010 to open corporate databases stored on our DFS share - rather than Access 2003 (proper).  Every time I open any DB, Access Runtime 2010 gives a warning as seen in the screenshot below.  I would expect this to appear if I was opening a DB from an email attachment; I want to stop it from doing so for the LAN's DFS share.  I would like a group policy solution, if possible.

I have looked in User Config -> Admin Templates -> MS Office 2010 -> Security Settings -> Trust Center, and have put the folder containing the DB into "Trusted Location #1"

But it is still happening.

By the way, the client machine is a Windows Server 2008 R2.

One thing I have checked (don't know if it is connected) is to see if Windows Explorer sees the folder as Local Intranet when I browse to it - but Windows 7/2008 doesn't show this info like XP used to.  Annoying!
Access.JPG
0
Question by:meirionwyllt
24 Comments
 
LVL 84

Accepted Solution

by:
Scott McDaniel (Microsoft Access MVP - EE MVE ) earned 250 total points
You'd need to add the location where your databases are stored as a Trusted Location in Access. This would need to be done on each workstation. AFAIK you can't do this with the runtime, but you add it directly to the registry of each machine. You can build a .reg file to "merge" with the workstation's registry (which basically adds the items needed). It would look something like this:

Windows Registry Editor Version 5.00

; 14.0 is the Office 2010 version key (the question is about Access Runtime 2010;
; Office 2007 would be 12.0). The Access key name is "Trusted Locations", with a space,
; and Access stores the Path with a trailing backslash.
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\SomeName]
"Path"="C:\\Path To Your Folder\\"
"AllowSubfolders"=dword:00000001
"Description"="TrustedLocation1"

Build this as a standard text file, then save it with a .reg extension. Right click on it and select Merge, and this should add the item to your Trusted Locations. You'd need to do this as an Admin level user, of course, and I'd strongly encourage you to test this thoroughly before using it on your workstations (and back up your registry before you try this merge).

The only caveat is the name you use (the SomeName item above) must be unique for that machine.
0
 

Author Comment

by:meirionwyllt
Oh no!  Is that true?  I won't be able to use this method, because our users have roaming profiles, and so the machine name will be different every time.

We use Citrix XenApp to publish a WS2008R2 desktop to a thin client device.  It's only the desktop being published, i.e. not a full VDI, and it's from this desktop that the user will be launching these shortcuts.

There are 50-odd XenApp servers for 2000-odd users.  So, the only way of getting your solution to work would be if I made a GPO with preferences, created 3 registry entries in it - for the first XenApp server, but do this 50 times, one for each server - so ending up with 150 registry entries filling up the users' profiles.

Is there no other way?  Anyway, can't this be a Machine setting rather than a user one?

Thanks for your input.
0
 
LVL 84

Assisted Solution

by:Scott McDaniel (Microsoft Access MVP - EE MVE )
Scott McDaniel (Microsoft Access MVP - EE MVE ) earned 250 total points
Given your environment, you may be able to add the location to the Trusted Sites zone in Internet Explorer. I have no idea if you can do this via a GPO policy or not, but you can try it to see.
0
 
LVL 26

Expert Comment

by:Nick67
Other things about trusting.
The trust center has trusted locations...but there are also trusted publishers.
You may be able to digitally sign your db's so that they are trusted by the client.
Given the scope of your problem, that may be simpler.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 125 total points
I think that configuring the Intranet Zone would be more appropriate as a whole for the IE Zone Config....

And regarding the first comment by LSMComputing in http:#36543907

Wouldn't that "Path" value be "Path"="\\\\server\\share\\" (since we are talking about a network location, unless I am interpreting that reg mode differently)?

That way, it would follow your Roamers....
0
 
LVL 84
I don't know that you can set a UNC as a Trusted Location, but if so I don't see any reason why you couldn't do that.
0
 
LVL 26

Expert Comment

by:Nick67
When I put a mapped drive in, it auto-magically changes it to a UNC.  In the GUI there is a checkbox for 'allow trusted locations on my network'. If you're reg-hacking, the appropriate setting for that needs to be worked out too.
0
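Scott's .reg file above and Nick67's point about the "allow trusted locations on my network" checkbox can be combined into one script. The following PowerShell function is an added example, not code from this thread or from Microsoft; it writes an Access 2010 Trusted Location for a UNC folder under the current user's hive (or, with -PolicyHive, under the HKCU\Software\Policies key that a GPO-delivered "Trusted Location #1" lands in), picks the next unused LocationN subkey so the name stays unique, and sets the AllowNetworkLocations value, which is the registry form of that checkbox. It assumes Office version key 14.0 (Access 2010) and the key and value names shown; the share path in the usage line is a constructed placeholder.

```powershell
function Add-AccessTrustedLocation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,                  # folder to trust, e.g. a UNC path
        [string] $Description = 'Corporate Access front-ends',
        [switch] $AllowSubfolders,                              # keep off for broad shares
        [switch] $PolicyHive,                                   # write where a GPO would write
        [string] $OfficeVersion = '14.0'                        # 14.0 = Office/Access 2010 (assumption)
    )

    $hive = if ($PolicyHive) { 'HKCU:\Software\Policies\Microsoft\Office' }
            else             { 'HKCU:\Software\Microsoft\Office' }
    $root = Join-Path $hive "$OfficeVersion\Access\Security\Trusted Locations"

    # Access stores folder paths with a trailing backslash; normalise so the
    # duplicate check matches what the Trust Center GUI itself would write.
    $normalised = $Path.TrimEnd('\') + '\'

    if (-not (Test-Path -Path $root)) { New-Item -Path $root -Force | Out-Null }

    # Existing LocationN subkeys: refuse to add the same folder twice,
    # then take the next index above the highest one in use.
    $existing = @(Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSChildName -match '^Location(\d+)$' })
    foreach ($key in $existing) {
        $p = (Get-ItemProperty -Path $key.PSPath -Name Path -ErrorAction SilentlyContinue).Path
        if ($p -and (($p.TrimEnd('\') + '\') -ieq $normalised)) {
            Write-Verbose "Already trusted via $($key.PSChildName)"
            return $key.PSPath
        }
    }
    $used = @($existing | ForEach-Object { [int]($_.PSChildName -replace 'Location', '') })
    $next = if ($used.Count) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 0 }
    $newKey = Join-Path $root "Location$next"

    New-Item -Path $newKey -Force | Out-Null
    New-ItemProperty -Path $newKey -Name Path            -Value $normalised -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $newKey -Name AllowSubfolders -Value ([int]$AllowSubfolders.IsPresent) -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $newKey -Name Description     -Value $Description -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $newKey -Name Date            -Value (Get-Date).ToString('G') -PropertyType String -Force | Out-Null

    # A UNC trusted location is ignored unless "Allow Trusted Locations on my
    # network" is on; that checkbox is this DWORD on the parent key.
    if ($normalised.StartsWith('\\')) {
        New-ItemProperty -Path $root -Name AllowNetworkLocations -Value 1 -PropertyType DWord -Force | Out-Null
    }
    return $newKey
}

# Usage (constructed sample share): trust one DFS folder, without subfolders,
# in the policy hive, as the user whose profile should carry the setting.
# Add-AccessTrustedLocation -Path '\\DFS-share\DBfolder' -PolicyHive -Verbose
```

Two design points: the function trusts exactly the folder given unless -AllowSubfolders is passed, because trusting a whole share with subfolders means any database a user can drop anywhere under it opens with no prompt; and because each run re-reads the existing LocationN keys, it can be run on every logon (or from all 50 XenApp servers) without piling up duplicate entries in a roaming profile.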
 
LVL 66

Expert Comment

by:johnb6767
Just adding the FQDN to the Intranet Zone should be sufficient...

Only reason I suggest this, is that you can often run into Authentication issues on Intranet sites, and if you change settings like the Integrated Authentication methods to the Trusted Sites, you might break some websites.....

Least having them separated, you can manage settings individually.....
0
 

Author Comment

by:meirionwyllt
Right, I've started from the beginning - adding the UNC path of the DB folder into group policy.

I've added it to User Config -> Admin Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List

First I added \\DFS-share\DBfolder\* and gave it a value of 1 (Local Intranet), but this makes no difference.  Then I tried to give it a value of 2 (Trusted Sites Zone), but then I get a prompt that didn't appear before - please see attachment for this.  I don't know why putting it in the Trusted Sites zone would cause this.

Any ideas?
Trusted-Zone.JPG
0
 
LVL 84
This is the publisher warning. You can set the Macros Security to Low for your workstations, but I'm not sure you can do that on a GP basis, and of course any security changes expose you to more risk.

You could always sign the databases with a commercial Digital Certificate. You may already have one, if you're working in a large corporate environment, or you can purchase one fairly cheaply these days. You could also use a self-certificate, but you must export and install several files on each machine in order to make this work.
0
 

Author Comment

by:meirionwyllt
Right, macro security in Access 2003 can be very easily set with Group Policy, however, in Access 2010 I think they've changed how it deals with security from top to bottom, and as a result there is no Macro Security as such in Access 2010.

Do you know what the equivalent of Macro Security would be in Access Runtime 2010?

Thanks.
0
 
LVL 84
The concepts are the same as before, but the way you get to them has changed:

http://www.ageesw.com/macro.htm

I'm not sure how you'd do this with the Runtime, however.
0
 
LVL 26

Expert Comment

by:Nick67
From
http://www.pcreview.co.uk/forums/bypass-security-warnings-access-runtime-t1671488.html

<<<<
By far the easiest way is to start the database via a script file which
sets the macro security level to low for that single invocation of
Access. This does not require a certificate, or a registry change, and
it does not affect any other database(s) - just the one being started
by that script.

Eg. in VBScript:

Dim o
Set o = CreateObject("Access.Application")
o.AutomationSecurity = 1      ' msoAutomationSecurityLow: macro security LOW for this instance only
o.OpenCurrentDatabase "full path to your database"
o.UserControl = True          ' hand the visible Access window over to the user
Set o = Nothing
>>>
0
 
LVL 26

Expert Comment

by:Nick67
The HiTechCoach has a link off his site how to add Trust Center locations via VBA.
http://www.utteraccess.com/wiki/index.php/AddTrustedLocation
Kudos to THTC and Doug Steele
Public Function AddTrustedLocation()
On Error GoTo err_proc
'WARNING:  THIS CODE MODIFIES THE REGISTRY
'Sets a registry key for a 'trusted location' (the folder of the current database)
'Source http://www.utteraccess.com/wiki/index.php/AddTrustedLocation

  Dim intLocns As Integer
  Dim i As Integer
  Dim intNotUsed As Integer
  Dim strLnKey As String
  Dim reg As Object
  Dim strPath As String
  Dim strTitle As String

  strTitle = "Add Trusted Location"
  Set reg = CreateObject("WScript.Shell")
  strPath = CurrentProject.Path

  'Registry path of the trusted locations for the running version of Access
  '(e.g. 14.0 for Access 2010); the LocationN subkeys hang off this key
  strLnKey = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & _
             Format(Application.Version, "##,##0.0") & _
             "\Access\Security\Trusted Locations\Location"

On Error GoTo err_proc0
  'Find the highest LocationN key present. RegRead raises an error for a
  'missing key, which err_proc0 turns into "try the next lower number".
  For i = 999 To 0 Step -1
      reg.RegRead strLnKey & i & "\Path"
      GoTo chckRegPths        'RegRead succeeded: Location i exists
checknext:
  Next
  MsgBox "Unexpected Error - No Registry Locations found", vbExclamation
  GoTo exit_proc

chckRegPths:
  'Walk Location1..i. If the current db folder is already trusted, exit.
  'A RegRead failure below i marks an unused slot (err_proc1) that can be reused.
On Error GoTo err_proc1
  For intLocns = 1 To i
      If InStr(1, reg.RegRead(strLnKey & intLocns & "\Path"), strPath) = 1 Then GoTo exit_proc
NextLocn:
  Next

  If intLocns = 999 Then
      MsgBox "Location count exceeded - unable to write trusted location to registry", vbInformation, strTitle
      GoTo exit_proc
  End If
  'No unused slot found: use the next number above the highest existing one
  If intNotUsed = 0 Then intNotUsed = i + 1

  'Write the new trusted location (Access expects a trailing backslash on Path)
On Error GoTo err_proc
  strLnKey = strLnKey & intNotUsed & "\"
  reg.RegWrite strLnKey & "AllowSubfolders", 1, "REG_DWORD"
  reg.RegWrite strLnKey & "Date", Now(), "REG_SZ"
  reg.RegWrite strLnKey & "Description", Application.CurrentProject.Name, "REG_SZ"
  reg.RegWrite strLnKey & "Path", strPath & "\", "REG_SZ"

exit_proc:
  Set reg = Nothing
  Exit Function

err_proc0:
  Resume checknext

err_proc1:
  If intNotUsed = 0 Then intNotUsed = intLocns
  Resume NextLocn

err_proc:
  MsgBox Err.Description, , strTitle
  Resume exit_proc

End Function

0
 
LVL 26

Assisted Solution

by:Nick67
Nick67 earned 125 total points
0
 
LVL 66

Expert Comment

by:johnb6767
http:#36559603

That dialog is normally seen when the ADS Zone Identifier has tagged the file as being from the internet/another machine. Right click the file > Properties, and see if there is an "Unblock" button....
0
 

Author Comment

by:meirionwyllt
OK, now I've gotten rid of the "Open File - Security Warning" - it was just something that needed to be adjusted in my Trusted Sites group policy settings.  I am now back to having the information bar showing...

"This database has been opened read-only. You can only change data in linked tables..."

So now it doesn't matter if the "Site to Zone Assignment List" setting of my IE group policy has the share set as Intranet or as Trusted Sites - the Read-only warning occurs regardless.

I've been reading your suggestions above, and, Argh!! This is typical Microsoft - making a meal out of something that should be very simple to do!



We have about a hundred of these databases, and at the moment we are using Citrix XenApp (published content) to leave a shortcut to various databases on the desktop of the relevant users.



So I'll have to forget about having them digitally signed I think as it would take too long.


Nick67 - The "Allow trusted locations on my network" is already Enabled via Group Policy.

johnb6767 - No, there isn't an Unblock button in the properties of the .ade file.


After writing all this, I tried moving one of the databases to a non-DFS share on another server and running it from there, and it didn't show a warning - great.  So I thought it might be a DFS issue.  But no, because I then bypassed DFS and ran it directly from the DFS source location, and it still gave a warning.

So, what can be the difference between one server and another, in terms of security?  Can you suggest places I should check?  I think we can rule out IE Security Zones, and Access 2010 Trusted Locations, as being the issue here - because the server on which it works is not listed in either of these.

Thanks.
0
 

Author Comment

by:meirionwyllt
Further testing has concluded that it's a permissions issue.  Users can do what they want on their home share (which is where it worked without warning) but only have read access on our 'software distribution' share, for obvious reasons.

But, when these .ade files are opened normally, no file is created (i.e. no lock file or anything), so I don't see why this would need modify permissions.  And I don't see why the .ade file would need to be modified upon opening, especially since it is only connecting to an SQL back-end.

Any ideas?
0
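Three different mechanisms have been suspected in this thread for the same symptom: the Zone.Identifier stream johnb6767 mentions, the Trust Center / IE zone settings, and now share permissions. The following PowerShell function is an added diagnostic, not code from this thread or from Microsoft; run as the affected user against one of the .ade files, it reports which of the four conditions actually applies so the right one is fixed. It assumes PowerShell 3.0 or later (for -Stream), Office version key 14.0 (Access 2010), the Trusted Locations and ZoneMapKey registry layouts named in the comments, and the sample UNC path is a constructed placeholder; the ZoneMapKey match is a wildcard comparison and does not reproduce every rule IE applies.

```powershell
function Test-AccessDbOpenState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DbPath,
        [string] $OfficeVersion = '14.0'      # 14.0 = Office/Access 2010 (assumption)
    )
    $r = [ordered]@{ File = $DbPath }

    # 1. Mark-of-the-Web: a Zone.Identifier alternate data stream is what produces
    #    "Open File - Security Warning" (the Unblock button removes the stream).
    $ads = Get-Item -Path $DbPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $r.HasZoneIdentifier = [bool]$ads
    if ($ads) {
        $r.ZoneId = (Get-Content -Path $DbPath -Stream Zone.Identifier |
                     Where-Object { $_ -match '^ZoneId=' }) -join ','
    }

    # 2. Access Trusted Location? Check the user key and the GPO-delivered policy key,
    #    honouring AllowSubfolders and the AllowNetworkLocations switch for UNC paths.
    $folder = (Split-Path -Path $DbPath -Parent).TrimEnd('\') + '\'
    $r.TrustedLocation = $false
    foreach ($hive in 'HKCU:\Software\Microsoft\Office', 'HKCU:\Software\Policies\Microsoft\Office') {
        $root = Join-Path $hive "$OfficeVersion\Access\Security\Trusted Locations"
        if (-not (Test-Path -Path $root)) { continue }
        $netOk = (Get-ItemProperty -Path $root -Name AllowNetworkLocations -ErrorAction SilentlyContinue).AllowNetworkLocations -eq 1
        foreach ($key in (Get-ChildItem -Path $root | Where-Object { $_.PSChildName -match '^Location\d+$' })) {
            $p = Get-ItemProperty -Path $key.PSPath
            if (-not $p.Path) { continue }
            $trusted = $p.Path.TrimEnd('\') + '\'
            $inScope = if ($p.AllowSubfolders -eq 1) {
                           $folder.StartsWith($trusted, [System.StringComparison]::OrdinalIgnoreCase)
                       } else { $folder -ieq $trusted }
            if ($inScope -and ($netOk -or -not $trusted.StartsWith('\\'))) {
                $r.TrustedLocation = $true
                $r.TrustedVia = $key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            }
        }
    }

    # 3. IE security zone assigned by the "Site to Zone Assignment List" policy:
    #    each ZoneMapKey value is named after the site pattern and holds the zone number.
    $zoneMap = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $zoneNames = @{ '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }
    $r.PolicyZone = 'not assigned'
    if (Test-Path -Path $zoneMap) {
        (Get-ItemProperty -Path $zoneMap).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and ($DbPath -like $_.Name) } |
            ForEach-Object { $r.PolicyZone = "$($zoneNames["$($_.Value)"]) ($($_.Name))" }
    }

    # 4. Can this user open the file for writing? The "opened read-only" information
    #    bar is about exactly this, not about trust or zones. The handle is closed
    #    immediately; nothing is written.
    $r.ReadOnlyAttribute = (Get-Item -Path $DbPath).IsReadOnly
    try {
        $fs = [System.IO.File]::Open($DbPath, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::ReadWrite)
        $fs.Dispose()
        $r.WritableByCaller = $true
    } catch {
        $r.WritableByCaller = $false
        $r.WriteError = $_.Exception.GetBaseException().Message
    }
    [pscustomobject]$r
}

# Usage (constructed sample path):
# Test-AccessDbOpenState -DbPath '\\DFS-share\DBfolder\Frontend.ade' | Format-List
```

Read the output in order: HasZoneIdentifier explains the "Open File" dialog, TrustedLocation explains the "potential security concern" bar, and WritableByCaller explains the "opened read-only" bar. Comparing the results for the home share (where it worked) against the software-distribution share isolates which of the three differs, which in this thread turned out to be the last one.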
 
LVL 26

Expert Comment

by:Nick67
What is happening inside any MSys tables may not be readily apparent, amongst other things.
And the lock file may not be created BECAUSE of the permission issue, and that may be throwing the read-onlyness.
0
 

Author Comment

by:meirionwyllt
No, I can confirm that the lock-file doesn't appear if the .ade is opened in a folder with full permissions - even when all hidden and system files are showing.
0
 
LVL 26

Expert Comment

by:Nick67
<"This database has been opened read-only. You can only change data in linked tables..."
So now it doesn't matter if the "Site to Zone Assignment List" setting of my IE group policy has the share set as Intranet or as Trusted Sites - the Read-only warning occurs regardless.>
<but only have read access on our 'software distribution' share, for obvious reasons.>

If they are opening a file in a read-only location, are you surprised that a read-only warning is coming up?
0
 

Author Comment

by:meirionwyllt
No, but there should be a way of switching this off, because I know the .ade file doesn't need to be modified.  The .ade files have been fairly locked down, and multiple users can open them simultaneously.
0
 
LVL 26

Expert Comment

by:Nick67
<No, but there should be a way of switching this off>
I don't know of one.
All the Office programs slobber-knock you if they are read-only.
It doesn't matter if you don't want to change the file.  The warning is that you can't.
0
 

Author Comment

by:meirionwyllt
OK, I've resorted to changing permissions on the relevant folders now to get rid of the error.
0
