15.2. Macros and Security
In recent years , the people at Microsoft have become paranoid about security. They've clamped down in Office programs like Access in a bid to lock out evil virus writers. And although these changes make Access a safer place to be, they also make it a bit inconvenient to use certain types of macros.
15.2.1. Unsafe Macro Actions
Access distinguishes between two types of macros: those that are always harmless, no matter how they're used, and those that have the potential for abuse. The OpenTable macro's harmless. It could open a table you don't want to see, but it can't cause any real mischief. On the other hand, the PrintOut macro isn't as innocent. In the wrong hands, it could send 400 copies of your data to the printer in 80-point font. Similarly, DeleteObject could wreak real havoc in your database, and RunApp definitely isn't safeit could launch the latest spy ware or install a computer virus.
When you create a macro, the drop-down list of actions shows only actions that are 100 percent harmless. These actions are known as safe actions. Of course, there are valid reasons to use potentially unsafe macros. Maybe you really do want to print out a report, delete an object, or run another program. In that case, you need to use potentially unsafe macro actionsones that Access doesn't trust quite so readily.
Note: As long as you're the one in control of your database, you know it doesn't contain devious code and other trickery . There's no good reason to stay away from potentially unsafe macro actions. However, if someone's just sent you a database in an email message, or if you've downloaded a database from the Web, you may not be so sure. For that reason, Access automatically disables the unsafe macros in a database, unless you tell it otherwise . You'll learn more about how this works in Section 15.2.2.
To see the full list of macro actions, including those that Access considers unsafe, create a new macro (or open an existing one), and then choose Macro Tools Design Show/Hide Show All Actions. Now the drop-down list of actions includes several more possibilities. When you choose an unsafe action while building a macro, Access lets you know with a warning icon (Figure 15-8).
Note: Access has no concept of what actions may be more or less dangerous. Instead, it simply distinguishes between safe and unsafe.
15.2.2. How Access Handles Unsafe Macros
You've learned the difference between safe and unsafe macro actions, but you haven't considered what Access does when it comes face to face with a risky action. Previous versions of Access pop up a stream of warning messages. Access 2007 handles the challenge on its own, by quietly disabling the unsafe macros whenever you open a database file.
As you've no doubt noticed by now, when you open a database, Access shows a security message, as shown in Figure 15-9. This message warns you that Access has switched off any potentially risky parts of your database.
Note: The message bar can be hidden. If you think Access has disabled some macros, but you don't see the message bar, then choose Database Tools Show/Hide Message Bar.
All this fuss about safe and unsafe macros might seem a little unnecessary, considering you can enable all your macros and get back to normal with a quick click of the Enable Content button. However, life isn't always that easy. Here's why:
Although you may not be bothered by a few unnecessary warning messages, other people won't be as trusting. They'll see the security warning and think twice, which means they won't be able to use all your database's features. Or they might not understand the question, or realize they need to click Enable Content.
In corporate environments, the system administrator can configure Access so it doesn't show the security warning at all. Your macros are quietly disabled, and the person using the database won't understand why certain features don't work.
Clicking Enable Content for the one thousandth time gets annoying. Really.
So what if you don't want to face the message bar every time you open a database? Access gives you three options to make it easier to work with databases that contain unsafe macros:
You can lower the Access security settings so that unsafe macros are allowed . This approach isn't recommended, because it allows any code in your database. If you accidentally open a database that contains troublemaking code, you have no protection.
You can tell Access to trust the database files in certain folders on your computer (or on other computers) . This way's the most convenient way to go.
You can tell Access to trust databases that have been created by a trusted publisher . This option's the most secure, but in order to set it up, you need to pay another company to get a security certificate. For that reason, only big companies with money to burn use this option.
All these actions take place in the same window: the Trust Center (Figure 15-11). To get to it, in the Microsoft Office Security Options dialog box (Figure 15-10), click the "Open the Trust Center" link. Or, use the following more roundabout approach:
Choose Office button Access Options .
Click the Trust Center Settings button .
There are six sections in the Trust Center:
Trusted Publishers lets you tell Access to trust databases that are digitally signed by certain people. In order to use this feature, your company needs to buy a digital certificate from a company like VeriSign (www.verisign.com). Then, when you open a signed database, Access contacts the company that issued the certificate, and checks that it's valid. If it is, everything's kosher, the database is trusted, and all unsafe macros are allowed. Digital certificates are outside the scope of this book.
Trusted Locations lets you pick out the places on your hard drive where you store your databases. That way, Access knows to trust your database files, but not anyone else's. You'll learn how to set up a trusted location in the following section.
Add-ins lets you adjust whether Access add-ins (mini programs that extend the features in Access) should be supported even if they weren't created by a supported publisher. Ordinarily, all add-ins are allowed. (After all, if you don't trust a specific add-in, don't install it!) People use this setting only in corporate environments where they need to lock down Access severely to prevent any chance of a problem.
Macro Settings lets you configure how Access deals with macros. You can make it more rigorous (so that no macros are allowed, unless they're from a trusted publisher), or less (so that all macros are allowed, no matter what they might do). By far the best choice is to leave this option at the standard setting: "Disable all macros with notification."
Message Bar lets you set whether Access shows the message bar when it blocks unsafe macros in an untrusted database.
Privacy Options lets you tweak a few options that aren't related to macros at all. You can choose whether Access checks the Web for updated Help content, and whether it sends troubleshooting information to Microsoft when a problem occurs (so that Microsoft can spot bugs and learn how to improve Access in the future). If you're paranoid about Internet spies, then you may want to disable some of these options. Most of the time, these settings are only for conspiracy theorists.
Wouldn't it be nice to have a way to distinguish between your databases, which contain perfectly harmless code, and other databases? Access 2007 adds a new feature to make this easy. It lets you designate a specific folder on your hard drive as a trusted location. If you open a database in this location, then Access automatically trust it and allows unsafe macros.
Here's how you can set up a new trusted location:
Open the Trust Center window .
If you're not there already, follow the steps in Section 15.2.3.
Choose the Trusted Locations section .
You see a window that lists all the trusted locations (Figure 15-12). Initially, you just see one trusted location: the ACCWIZ folder that Access uses to store its wizard.
Make sure the "Disable all Trusted Locations" options isn't set .
If it is, you need to switch it off before you can use the trusted locations feature.
If you want to trust a folder on your company or home network, then choose "Allow trusted locations on my network" .
This setting's a bit riskier, because a network location's out of your control. A hacker could sneak a virus-laden database into that location without your noticing. However, if you're reasonably certain that the network's secure (and the other people who use the folder aren't likely to download databases from the Web and place them there), you don't need to worry.
Click "Add new location" .
Access asks you to fill in a few pieces of information (Figure 15-13).
Click OK to add the location to the list .
You can configure the location or remove it at any time by selecting it in the list, and then using the clear-as-a-bell Remove and Modify buttons .