How to Avoid Security Warnings for Our Access Application

Discussion in 'Windows Vista Security' started by Rod Wright, Apr 20, 2008.

  1. Rod Wright

    Rod Wright Guest

    Background:
    We developed a program to integrate a large amount of data for National Air
    and Space Museum (NASM) volunteer use. The program works fine, but our users
    are relatively unsophisticated volunteers. They get confused by the warnings
    issued by Access when opening our program. Our users run at multiple Win2K
    and XP machines and load our program and the data over the Smithsonian
    intranet.

    In Vista, the popup warning is:
    ----------------------------------------------------
    Open File - Security Warning
    Do you want to open this file?
    Name: \\Server\Public\UHC_Frms.exe
    Publisher: Unknown Publisher
    Type: Microsoft Office Access MDE Database
    From: \\SERVER\Public\BLAST\UHC_Frms.mee
    | Open | | Cancel |
    ______________________________________
    Note that the path shown above is when I'm testing on my home network, not
    at NASM. Also, that warning was from Office 2007 but at NASM they are still
    using Office 2003, so the dialog box is different.

    Also, the error message is different under Office 2003 (and a lot more
    confusing for users.) I'm not at NASM now, so I can't see the exact text of
    how the error appears there. I'll post that tomorrow when I go there.


    Question:
    How can we avoid these warnings? Would it work for us to obtain and publish
    a certificate for the program code? If so, does it need to be reissued each
    time we make a change? (Since we have only been up and running for users
    since January, the code is still being modified as we gain experience.) How
    do we do that?

    What do you recommend?
     
    Rod Wright, Apr 20, 2008
    #1
    1. Advertisements

  2. Rod Wright

    Jesper Guest

    You should definitely digitally sign the application no matter what. However,
    that will not remove the warning. It just will have your (or your company's)
    name in the dialog and won't say "Unknown Publisher."

    Technically, there is a way to get rid of this warning, but it is there as a
    warning to end users. If you remove it here, you would also remove it for all
    other executables. That would put your users at significant risk. If you
    programmatically remove that warning, you would be responsible for putting
    them at significant risk; a responsibility that I am pretty sure you do not
    want to accept.

    Rather, I would suggest that you take the opportunity to educate your users.
    Teach them that the warning is there so that they can assess whether they
    want to accept the risk involved in opening applications off the Internet. In
    this case, you have digitally signed the application so they can trace it to
    you and have assurance that they are, in fact, opening a trusted application.
    Anytime they get a dialog like this they should evaluate it and see if they
    really want to accept that risk or not. If the publisher is unknown, they
    have no way to tell who wrote the application, and should consider it a
    higher risk.
     
    Jesper, Apr 21, 2008
    #2
    1. Advertisements

  3. Garbage --- MS Word doesn't generate a warning everytime I start it.
    Neither does Excel, Powerpoint, or Outlook. What does OP need to do so his
    application doesn't generate a Vista warning at runtime. Generating it at
    install is a good idea, but generating it every single time an installed
    application is run is overkill and leads to people blindly clicking
    "continue" with eventual disastrous results. Obviously this warning can be
    bypassed somehow on an application by application basis.

    Rod,

    You might want to repost this in an MS Access group as you will probably get
    a quicker and more usable answer there. They will need to know at a minimum
    the version of Access you're running and if it is a single mdb file that is
    shared or multiple front end MDB files with a single back end for the
    database.

    Mike Ober.
     
    Michael D. Ober, Apr 22, 2008
    #3
  4. Rod Wright

    Jesper Guest

    Garbage --- MS Word doesn't generate a warning everytime I start it.
    MS Word, Excel, PowerPoint and Outlook are (a) not applications you download
    and run from the Internet most of the time, (b) not applications that will
    run potentially untrusted contect when you launch them. It is a completely
    invalid analogy.
    One of us clearly misunderstood OP. My understanding was that the warning
    was generated at run-time because the application was not installed. It was
    downloaded as a stand-alone executable, not as an installer. If you wrap the
    application in an installation file Vista will warn you when you execute the
    installer, but not when you execute the application that is installed.

    I may have misunderstood OP, but the warning that was in the original post
    was perfectly consistent with the Mark of the Web. IE adds the Mark of the
    Web to all downloaded files by setting a flag in an Alternate Data Stream.
    The flag can be removed on a download by download basis by unchecking the box
    for "Always ask before opening this file." However, OP seemed to want to
    remove all such warnings for a particular file. Doing so is highly
    inadvisable because it would remove the warning to the user that s/he is
    about to execute arbitrary content.
     
    Jesper, Apr 22, 2008
    #4

  5. Jesper,

    Now we have common terminology. I thought OP was installing, but if he is
    running from the web as you suspect, the warning is entirely valid.

    OP - how is your app running? If you can create an installer and sign the
    installation package, I suspect your Vista alert problems will go away as
    installed apps don't alert every time they are started. This sounds like
    you may actually need to rearchitect your app to be client server with the
    server sitting behind a web service and the local client either be a ASP.NET
    application (web site) or installed. You will probably need to dump Access
    in favor of SQL Server 2005 (Express or Full) for your data store.

    Mike.
     
    Michael D. Ober, Apr 23, 2008
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.