What Is Macro Security And Why Are We Talking about Macros

In this instance, the term macro is not referring to macros in the sense of automating some tasks. Instead, it refers to security settings and certifications for VBA and other executable code associated with Access databases and projects.

To avoid macro warnings, attach a digital signature to each macro project and add that signature to your list of trusted sources. If the macros are already signed and if you are willing to trust all macros signed with that certificate, add the signer to your list of trusted sources. This will stop macro warnings when your security setting is set to High or Medium.

A less secure option is to change the security level to Low. When your macro security level is set to Low, Microsoft Access will not provide warnings about macros. To reduce your risk of getting a macro virus infection on your computer, run specialized antivirus software that is up-to-date and that can check files and add-ins for macro viruses, and use macros only from trusted sources.

The presence of a certificate does not guarantee that a macro is safe. You should review the details of the certificate to confirm that the Issued to and Issued by fields contain recognized and acceptable entities and check the Valid from field to determine if the certificate is current.
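
An added example (not from the original text) that applies the certificate checks above, in PowerShell, to every entry in the current user's Trusted Publishers store. It assumes the trusted sources shown in the Macro Security window are held in that Windows certificate store; the finding labels are this example's own.

```powershell
# Added example: review every certificate in the current user's Trusted Publishers store.
# Assumption: this store holds the trusted sources that the Macro Security window lists.
$store = 'Cert:\CurrentUser\TrustedPublisher'
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing
$now = Get-Date

Get-ChildItem -Path $store | ForEach-Object {
    $cert = $_
    $findings = @()

    # "Valid from" / "Valid to": is the certificate current?
    if ($cert.NotBefore -gt $now) { $findings += 'not yet valid' }
    if ($cert.NotAfter  -lt $now) { $findings += 'expired' }

    # "Issued to" equals "Issued by": self-signed, so no certification authority vouches for it.
    if ($cert.Subject -eq $cert.Issuer) { $findings += 'self-signed' }

    # If usages are restricted, code signing must be among them.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) {
        $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($usages -notcontains $codeSigningOid) { $findings += 'no code-signing usage' }
    }

    # Build the chain to a trusted root. Revocation lookups are off so the check runs
    # offline; set RevocationMode to 'Online' to also catch revoked certificates.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $findings += ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }

    [pscustomobject]@{
        IssuedTo   = $cert.Subject
        IssuedBy   = $cert.Issuer
        ValidFrom  = $cert.NotBefore
        ValidTo    = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Findings   = ($findings | Select-Object -Unique) -join '; '
    }
} | Sort-Object Findings -Descending | Format-Table -AutoSize -Wrap
```

Entries with an empty Findings column passed every check in the script; the Issued to and Issued by names still need a human to decide whether they are recognized and acceptable.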

Although Office has four security levels, Access only has three. If the security level is set to the highest possible, which is called Very High, Access cannot open any Access database or Access project files. So, this might be added to the list of things to check when someone suddenly cannot open any databases. The three levels applicable to the Access environment are:

□ High Level: This is the default security mode for Office Applications other than Access. Files and signatures/certificates are evaluated prior to the file being allowed to be opened. Criteria include the file being from a trusted source, the signature being valid, the author being known, and the certificate being current. Files with current, valid, and accepted signatures are automatically opened. Only signed and/or trusted files can be opened. Files with an unsigned macro (code) can be opened only if the user chooses to trust the author and the certification authority. Files will not be opened if they have incompatible encryption or when the signature is invalid, has expired, or has been revoked.

□ Medium Level: This is the default security mode for Access—with Sandbox mode not enabled. Files and signatures/certificates are evaluated prior to the file being allowed to be opened. Criteria include the file being from a trusted source, the signature being valid, the author is known, and the certificate is current. Files from a trusted source with a valid signature are automatically opened. If the signature is invalid, it cannot be validated; if the signature has expired or has been revoked, the user will be warned and has the option of canceling or opening the file.

□ Low Level: This setting essentially shuts off macro security because all macros are treated equally and opened without prompting for a signature validation. This can be a convenient setting for development on a personal computer if you are confident that you are not getting malicious macros from elsewhere.

To review security levels and the list of trusted publishers and signatures, click Tools on the menu bar, then Macros, and then click Security. This will open the Macro Security window, as shown in Figure 3-14. The Macro Security window allows you to specify the security level and to see the list of trusted publishers and prior trusted sources if some signatures have expired or become invalid. If the Security command does not appear on the Macro fly out menu, you may need to customize the toolbar to add it. (To customize the toolbar go to Tools, then Customize, and then Commands. In the Categories list, click Tools, and then in the Command list click "Security." Remember, this is not to be confused with User-Level Security.)

Under a medium security setting, when you open a database that contains VBA or macros (and it is not your own file and does not have an authenticated digital signature), you must respond to two dialog boxes before the database can be opened. The first dialog box provides a link to the Windows Update site for downloading SP8. If you click Yes to open the file, you will get the second dialog box. The second dialog box is the macro security warning. You can click Yes to open the database or you can cancel. If you respond Yes and open the database without enabling its functionality, it is unlikely that the application will function properly, if at all. After SP8 has been installed and Sandbox mode enabled, only the macro security warning dialog box will display when opening a database without a digital signature under medium security settings. Figure 3-15 shows the standard Security Warning dialog box along with the quick help pane.

[Macro Security dialog box, with Security Level and Trusted Publishers tabs. The Security Level tab offers these options:]

High. Only signed macros from trusted sources will be allowed to run. Unsigned macros are automatically disabled.

Medium. You can choose whether or not to run potentially unsafe macros.

Low (not recommended). You are not protected from potentially unsafe macros. Use this setting only if you have virus scanning software installed, or you have checked the safety of all documents you open.

Trust installed add-ins on the macro security dialog is enabled by default. This is why wizards do not produce a security dialog box when they are opened. However, if you uncheck Trust installed add-ins then launching a wizard will prompt you with a security dialog box.

Digital signatures are essentially like seals: they indicate that the item remains intact as delivered by the sender/signer. That is why code with trusted signatures is opened and used without warnings. A digital signature only applies to the parts of the database that could be modified to do malicious things, such as VBA code, macros, action queries, and properties of ActiveX controls. If any of these are modified after the file or macro project has been signed, the digital signature will be removed, and the file will no longer open under medium or high security.


Figure 3-14
