Solved

Access 2010 Security Concern Pop-up

Posted on 2016-10-09
Last Modified: 2016-10-11
Hi Experts,

I am receiving the following message after installing my application on another PC via an InstallShield Express 2016 installer that I created.

'A potential security concern has been identified.'

Environment
Windows 7 Pro 32 Or 64 Bit
Access 2010 or Access 2010 Runtime
Separate Access 2010 FE and BE on same PC in C:\ProgramData\SAS\
Trust Centre has the above location as a Trusted Location including Sub-Folders.
I have a very small company and cannot afford the price of a Digital Certificate.

In searching for a solution I came across the code in the attached file but for a different Application that can be run to modify the Register.  I have changed the Extension to .txt from .reg.
1. Is there a solution that I can provide the average User with to stop this message?
2. Could the contents of the attached solution be modified to work with Access 2010? If yes I could run it from a Shortcut or during installation.

Thanks,
Bob C.
Add_pta_Trusted_Office14_2010_runtim.txt
Question by:Bob_Collison
34 Comments
 
LVL 18
Comment Utility
trust the location: C:\ProgramData\SAS\

File --> Options --> Trust Center Settings --> click "Trust Center Settings..." command button --> Trusted Locations on left sidebar menu
0
 
LVL 75

Expert Comment

by:DatabaseMX (Joe Anderson - Access MVP)
Comment Utility
Or ...

Macros
0
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Crystal,
I have already done this as mentioned in my Environment Section above.  It has no effect.
Thanks,
Bob C.
0
 

Assisted Solution

by:Bob_Collison
Bob_Collison earned 0 total points
Comment Utility
Hi Joe,
I have also Enabled all macros.... as you suggested but nothing has changed.
Thanks,
Bob C.
0
 
LVL 18
Comment Utility
these settings need to be made on each machine; they are particular to a computer and are not saved with the database

you can also trust publishers

here is a link that may be helpful:
http://www.accessribbon.de/en/?Trust_Center:Trusted_Locations
0
 
LVL 75

Expert Comment

by:DatabaseMX (Joe Anderson - Access MVP)
Comment Utility
You should do the Trusted Locations as Crystal suggested.
0
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Joe,
As previously mentioned, the first thing I did was the 'Trusted Location' including 'Sub-Folders'.  It had no effect.

I haven't re-booted.  Do I need to?

Hi Crystal,
The links within the link you provided don't work.  The rest of the information is too complicated for me to understand how it is 'Run' and what it does.

Thanks,
Bob C.
0
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Experts,
I just tried a couple of things and they work with Full Access 2010.  They were as follows:
- Deleted and re-added the Trusted Location.
- Changed the Security of the Application Root Folder (SAS) to be Full Control.

I will try with Runtime to see what happens.

Thanks,
Bob C.
0
 
LVL 75

Expert Comment

by:DatabaseMX (Joe Anderson - Access MVP)
Comment Utility
Reboot should not be necessary ... normally.
0
 
LVL 18

Assisted Solution

by:crystal (strive4peace) - Microsoft MVP, Access
crystal (strive4peace) - Microsoft MVP, Access earned 100 total points
Comment Utility
>"The links within the link you provided don't work. "
they reference links on Microsoft -- and they are always changing where pages are!  Try searching for (part of) the title.  Gunter's site has a lot of really good information but it is hard to keep reference links to pages on Microsoft correct.

> "The rest of the information is too complicated for me to understand how it is 'Run' and what it does."
Security setting cannot be enabled within Access or they wouldn't be too secure ;) -- however, there are registry keys that control this.  If you cannot figure out how to modify them or your users may have different versions making that difficult, you may need to give your users instructions for enabling your program -- or connect to them and do that for them as part of the setup.

> "InstallShield Express 2016"
is there an option to NOT require a digital certificate?  Ideally, it will just put files where they need to go.

one of my clients uses SageKey (about 500 when he bought it), which installs Access 2007 runtime, puts icon on desktop, and suppresses security warning (which sometimes works and sometimes doesn't) -- but he connects to his users and helps them get it installed.  He is really happy with SageKey -- he wrote down all the settings and said it works pretty good.
0
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Experts,

My 'solution' also works with Runtime so I guess I have the solution.

I'll just wait a bit before I close off the case.

Thanks,
Bob C.
0
 
LVL 49

Expert Comment

by:Gustav Brock
Comment Utility
One method is to use the user's LocalAppData folder - which exists exactly for the purpose - it even works in a Citrix environment:

Deploy and update a Microsoft Access application in a Citrix environment

The ProgramData folder is really for use by applications - to store data not related to users. And your accdb application file is, in this regard, not an application - it is MSAccess.exe that is.

/gustav
0
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Gustav,

The reason I am using 'ProgramData' is because it was recommended by Experts at EE.

It has served well until this issue arose.

Thanks,
Bob C.
0
 
LVL 49

Expert Comment

by:Gustav Brock
Comment Utility
Yes, you may be able to tweak anything.

/gustav
0
 
LVL 84

Assisted Solution

by:Scott McDaniel (Microsoft Access MVP - EE MVE )
Scott McDaniel (Microsoft Access MVP - EE MVE ) earned 150 total points
Comment Utility
You don't need a digital certificate for your application. Access does not use that certificate. Instead, it is used by your packaging application to ensure the integrity of your installation package. Once the user starts the install, the digital cert does not come into play.

> "Changed the Security of the Application Root Folder (SAS) to be Full Control."

You should never change the user's security environment to suit your needs (or the needs of your program). You should instead change your program to suit the security environment of your user's environment. In this case, change where you're installing that Access application. It should be in one of these folders:

Documents
<UserName>\AppData\<RoamingOrLocalFolder>\<SomeFolder>
<UserName>\AppData\LocalFolder\<SomeFolder>

You can also create a directory right off the root, but MSFT doesn't recommend that, and changes to UAC or other security measures may render that location unwriteable.
0
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Scott / Gustav,

As mentioned previously I am currently (at EE's suggestion) installing to %SystemDrive%\ProgramData\SAS\ with 'SAS' being my Application Root Directory.

I very much appreciate both of your suggestions to change that to use a different Path.  I have also taken a look at the Citrix reference.  Since I am using InstallShield Express 2016 I already have a comprehensive tool to manage the installation and would prefer to continue using it.

My Access application has FE Code (SAS.accde) linked to BE Databases (SAS_DB10.accdb).  If I install to any of the suggested paths it does so at a User Level.  Does this mean there are multiple instances of  the FE and BE Files (one for each 'User')?  If this is correct would there be multiple BE Databases containing the data or only one?   i.e. The BE Database would be in a Non-User specific folder.  How would this be managed?

Thanks,
Bob C.
0
 
LVL 49

Expert Comment

by:Gustav Brock
Comment Utility
I would be surprised if InstallShield couldn't handle this.

Yes, using %LocalAppData% will install separate copies for each user.
If users are about to share the backend, it should be located in a shared network folder.

If all users log in on the same machine, you should be able to place the backend in a folder under %AllUsersProfile% (the Program Data folder), though - as Scott mentions - you could also create a folder under C:\ for just this purpose.

/gustav
0

 

Assisted Solution

by:Bob_Collison
Bob_Collison earned 0 total points
Comment Utility
Hi Gustav,

Thanks for the clarifications / suggestions.

InstallShield would certainly handle what is being proposed.

This application is typically not installed where there is a server available to be used for the BE Databases.

Use of this application is primarily on a single PC; however, there may be multiple Users.  Since during the preparation of the FE prior to building the install I link the FE to the BE Databases (%SystemDrive%\ProgramData\SAS\), there is no issue with changing this location to be a common one accessible to all Users.

Since %SystemDrive%\ProgramData\SAS\ created during the installation is not considered a 'Trusted Location' and doesn't have the required Permissions (Read & Execute), i.e. the original problem, I have to put the BE Databases somewhere else.

What I need is a location common to all Users that by default:
- Is in a 'Trusted Location'.
- Has Read & Execute or higher Permissions.

It appears that C:\ provides this capability if I create SAS as my Data Folder, e.g. %SystemDrive%\SAS\.  What I don't know is if this is correct for all potential installations or just happens to be correct on my PCs.

Can you confirm whether I am correct?  Is there a yet better location?

Thanks,
Bob C.
0
 
LVL 18

Assisted Solution

by:crystal (strive4peace) - Microsoft MVP, Access
crystal (strive4peace) - Microsoft MVP, Access earned 100 total points
Comment Utility
While Scott brought up a good point about using system directories under AppData, I personally don't like doing this in case my computer fails and I have to mount the drive in another machine or set up a different boot drive (which has happened!).  It is much easier to get to data in directories that you created -- due to added security on system directories.

For sharing a back-end, it is also better, in my opinion, to create your own location.
0
 
LVL 49

Accepted Solution

by:
Gustav Brock earned 250 total points
Comment Utility
It sounds right to me.

There is the Shared Documents folder for all users.
It typically is named C:\Users\Public
and should be reachable with: %Public%

It should be exactly for a purpose like this.
Try to create a folder here for your backend.

/gustav
0
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Crystal / Gustav,

This sounds like the best suggestion so far.  e.g. %SystemDrive%\Users\Public\SAS\. It has Permissions of 'Full Control' so that won't be an issue.  I can't tell whether it is considered a 'Trusted Location' but I assume it is.  If not I do not consider it a big deal to have the Users specify it as 'Trusted'.

Since I am putting the BE here, is there any issue with putting the FE here as well?  It is obviously much easier to have everything in one path.

Thanks,
Bob C.
0
 
LVL 49

Expert Comment

by:Gustav Brock
Comment Utility
That should be doable, except if the users have a habit of just "signing on as another user" as this will leave the other user session(s) open.

The safe route is to put the FE in %localappdata%.

/gustav
0
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Gustav,

Good point.  However, when I said that multiple Users may use it on the same PC, it was because I might log on as Bob and a User as User1, but I don't see this as happening concurrently as the FE will be running on the individuals' PCs.  My profile on these PCs is to provide administrative assistance.

I'll give it a try (all in %SystemDrive%\Users\Public\SAS\) and provide an update of my results.

Thanks all,
Bob C.
0
 
LVL 84

Assisted Solution

by:Scott McDaniel (Microsoft Access MVP - EE MVE )
Scott McDaniel (Microsoft Access MVP - EE MVE ) earned 150 total points
Comment Utility
> "but I assume it is."
The only default Trusted Location for Access is the one where the Wizards are installed. See this TechNet article for more info:

https://technet.microsoft.com/en-us/library/cc179039.aspx?f=255&MSPPError=-2147217396

It would be best to have InstallShield create the necessary registry keys (during install) to define your install directories as TLs.
0
 
LVL 49

Assisted Solution

by:Gustav Brock
Gustav Brock earned 250 total points
Comment Utility
Scott is right. If you study my script (the link above), you will notice these two sections:

' Write Registry entries for Access security.
strRegKey = "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\"
strRegValue = "VBAWarnings"
strRegPath = strRegKey & strRegValue
varValue = 1
Call WriteRegistry(strRegPath, varValue,"REG_DWORD")

strRegKey = strRegKey & "Trusted Locations\LocationLocalAppData\"
strRegValue = "AllowSubfolders"
strRegPath = strRegKey & strRegValue
varValue = 1
Call WriteRegistry(strRegPath, varValue, "REG_DWORD")


So tell InstallShield to perform similar tasks.

/gustav
0
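
Added example (not from the thread or from Gustav's linked script): a PowerShell sketch of the registry writes discussed above, for Access 2010 (Office 14.0). It creates one Trusted Location entry under HKCU with the `Path`, `AllowSubfolders` and `Description` values Office reads, leaves `VBAWarnings` untouched, and then lists every trusted location with a flag showing whether broad groups can create files there, since anything placed in a trusted folder opens without the security prompt. The subkey name `LocationSAS`, the description text and the `SAS` folder under `%Public%` are assumptions for illustration.

```powershell
# Added example. HKCU is per user: run this as the user who will open the database.
$TrustedRoot = 'HKCU:\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations'

function Add-AccessTrustedLocation {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,  # subkey name (hypothetical, e.g. 'LocationSAS')
        [Parameter(Mandatory = $true)] [string] $Path,  # absolute folder path to trust
        [switch] $AllowSubfolders
    )
    if (-not [System.IO.Path]::IsPathRooted($Path)) { throw "Path must be absolute: $Path" }
    $full = [System.IO.Path]::GetFullPath($Path).TrimEnd('\') + '\'
    if ($full -eq [System.IO.Path]::GetPathRoot($full)) { throw "Refusing to trust a drive root: $full" }

    $key = Join-Path $TrustedRoot $Name
    New-Item -Path $key -Force | Out-Null   # creates missing parent keys; resets an existing entry
    New-ItemProperty -Path $key -Name 'Path' -Value $full -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name 'AllowSubfolders' -Value ([int]$AllowSubfolders.IsPresent) `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description' -Value 'Set by installer' `
        -PropertyType String -Force | Out-Null
}

function Get-AccessTrustedLocation {
    # Well-known SIDs: Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'
    if (-not (Test-Path $TrustedRoot)) { return }
    foreach ($sub in Get-ChildItem -Path $TrustedRoot) {
        $p = Get-ItemProperty -Path $sub.PSPath
        $writable = $false
        if ($p.Path -and (Test-Path -LiteralPath $p.Path)) {
            $sidType = [System.Security.Principal.SecurityIdentifier]
            foreach ($r in (Get-Acl -Path $p.Path).GetAccessRules($true, $true, $sidType)) {
                # 2 = FileSystemRights.WriteData (create files); generic-rights ACEs are not decoded
                if ($r.AccessControlType -eq 'Allow' -and
                    ($broad -contains $r.IdentityReference.Value) -and
                    (([int]$r.FileSystemRights -band 2) -ne 0)) { $writable = $true }
            }
        }
        New-Object PSObject -Property @{
            Name               = $sub.PSChildName
            Path               = $p.Path
            AllowSubfolders    = [bool]$p.AllowSubfolders
            WritableByAllUsers = $writable
        }
    }
}

# Usage: trust the application folder, then review what is trusted and who can write there.
Add-AccessTrustedLocation -Name 'LocationSAS' -Path "$env:PUBLIC\SAS" -AllowSubfolders
Get-AccessTrustedLocation | Format-Table Name, Path, AllowSubfolders, WritableByAllUsers -AutoSize
```

A row with both `AllowSubfolders` and `WritableByAllUsers` set to True means any account on the PC can place a database in that tree and have it open as trusted content.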
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Experts,

Thanks for the update.

I am about to test without it so I expect that I will get a Security Warning.

I haven't used InstallShield to change the Registry but I know it can handle it.

I'll let you know how I make out.

Thanks,
Bob C.
0
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Gustav,

The use of C:\Users\Public\SASInstall\ works perfectly; however, I still need to add it as a Trusted Location.

I would like to run a Batch Script (.Bat) as part of the install to do this.  Does this make sense?

If it does make sense, in looking at the extract of your Citrix code, what would the code be to do this?

I assume that the 'Call' line has to be replaced by placing the rest of the code in a text file with an extension of .REG and then running that file from within the .Bat or can the commands be made directly from within the .Bat?
' Write Registry entries for Access security.
strRegKey = "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\"
strRegValue = "VBAWarnings"
strRegPath = strRegKey & strRegValue
varValue = 1
Call WriteRegistry(strRegPath, varValue,"REG_DWORD")

strRegKey = strRegKey & "Trusted Locations\LocationLocalAppData\"
strRegValue = "AllowSubfolders"
strRegPath = strRegKey & strRegValue
varValue = 1
Call WriteRegistry(strRegPath, varValue, "REG_DWORD")

Thanks,
Bob C.
0
 
LVL 49

Expert Comment

by:Gustav Brock
Comment Utility
Oh, I haven't worked with bat files for decades.

But are you sure that InstallShield cannot set these entries for you? If in doubt, ask support.

If not, I would take the proven VBscript and cut it down to just run the registry settings, then call it from InstallShield. But again, I would believe you don't have to go this route.

/gustav
0
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Gustav,

I'm sure you are correct.  I will contact Flexera if I can't figure it out myself.

In the meantime, do you know what a .REG File would look like to do this?

Thanks,
Bob C.
0
 
LVL 49

Expert Comment

by:Gustav Brock
Comment Utility
Yes, but to leave out guessing, the simple method is to manually edit the entry as needed on a test machine, then right-click the entry and select Export. That will neatly save the entry as is as a Reg file.

/gustav
0
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Gustav,

Thanks.  I'll do that.
Bob C.
0
 
LVL 84

Assisted Solution

by:Scott McDaniel (Microsoft Access MVP - EE MVE )
Scott McDaniel (Microsoft Access MVP - EE MVE ) earned 150 total points
Comment Utility
InstallShield LE (the free version that comes with Visual Studio) allows you to do this so I'm confident the full version (Express or otherwise) would do so as well. It allows you to import a .reg file, which would help ensure the registry keys are created correctly, and you could then modify those settings to use the correct installer paths.

You'll have to make use of installer variables in order to get your paths right, of course.
0
 

Author Comment

by:Bob_Collison
Comment Utility
Hi Scott,

I have an InstallShield Express 2016 Licenced version so it shouldn't be a problem.

Thanks, Bob C.
0
 

Author Closing Comment

by:Bob_Collison
Comment Utility
Hi Experts,

Thanks for all of your suggestions / comments.

In summary what I have done is:
- Used the %SystemDrive%\Users\Public\ folder to contain my Application Files including the Access FE and BE.  This eliminated one part of the Security Warnings since the %SystemDrive%\Users\Public\ Folder has a Permission of 'Full Control'.
- Used Flexera InstallShield Express 2016 to create a Registry Entry to trust the Installation Location and Sub-Folders.  This eliminated the other part of the Security Warnings.

Thanks again,
Bob C.
0
