Guest Rod Wright Posted April 20, 2008 Posted April 20, 2008 Background: We developed a program to integrate a large amount of data for National Air and Space Museum (NASM) volunteer use. The program works fine, but our users are relatively unsophisticated volunteers. They get confused by the warnings issued by Access when opening our program. Our users run at multiple Win2K and XP machines and load our program and the data over the Smithsonian intranet. In Vista, the popup warning is: ---------------------------------------------------- Open File - Security Warning Do you want to open this file? Name: \\Server\Public\UHC_Frms.exe Publisher: Unknown Publisher Type: Microsoft Office Access MDE Database From: \\SERVER\Public\BLAST\UHC_Frms.mee | Open | | Cancel | ______________________________________ Note that the path shown above is when I'm testing on my home network, not at NASM. Also, that warning was from Office 2007 but at NASM they are still using Office 2003, so the dialog box is different. Also, the error message is different under Office 2003 (and a lot more confusing for users.) I'm not at NASM now, so I can't see the exact text of how the error appears there. I'll post that tomorrow when I go there. Question: How can we avoid these warnings? Would it work for us to obtain and publish a certificate for the program code? If so, does it need to be reissued each time we make a change? (Since we have only been up and running for users since January, the code is still being modified as we gain experience.) How do we do that? What do you recommend? -- Rodney L. Wright Quote
Guest Jesper Posted April 21, 2008 Posted April 21, 2008 You should definitely digitally sign the application no matter what. However, that will not remove the warning. It just will have your (or your company's) name in the dialog and won't say "Unknown Publisher." Technically, there is a way to get rid of this warning, but it is there as a warning to end users. If you remove it here, you would also remove it for all other executables. That would put your users at significant risk. If you programmatically remove that warning, you would be responsible for putting them at significant risk; a responsibility that I am pretty sure you do not want to accept. Rather, I would suggest that you take the opportunity to educate your users. Teach them that the warning is there so that they can assess whether they want to accept the risk involved in opening applications off the Internet. In this case, you have digitally signed the application so they can trace it to you and have assurance that they are, in fact, opening a trusted application. Anytime they get a dialog like this they should evaluate it and see if they really want to accept that risk or not. If the publisher is unknown, they have no way to tell who wrote the application, and should consider it a higher risk. --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047010155...rotectyourwi-20 "Rod Wright" wrote: <span style="color:blue"> > Background: > We developed a program to integrate a large amount of data for National Air > and Space Museum (NASM) volunteer use. The program works fine, but our users > are relatively unsophisticated volunteers. They get confused by the warnings > issued by Access when opening our program. Our users run at multiple Win2K > and XP machines and load our program and the data over the Smithsonian > intranet. > > In Vista, the popup warning is: > ---------------------------------------------------- > Open File - Security Warning > Do you want to open this file? > Name: \ServerPublicUHC_Frms.exe > Publisher: Unknown Publisher > Type: Microsoft Office Access MDE Database > From: \SERVERPublicBLASTUHC_Frms.mee > | Open | | Cancel | > ______________________________________ > Note that the path shown above is when I'm testing on my home network, not > at NASM. Also, that warning was from Office 2007 but at NASM they are still > using Office 2003, so the dialog box is different. > > Also, the error message is different under Office 2003 (and a lot more > confusing for users.) I'm not at NASM now, so I can't see the exact text of > how the error appears there. I'll post that tomorrow when I go there. > > > Question: > How can we avoid these warnings? Would it work for us to obtain and publish > a certificate for the program code? If so, does it need to be reissued each > time we make a change? (Since we have only been up and running for users > since January, the code is still being modified as we gain experience.) How > do we do that? > > What do you recommend? > > > > -- > Rodney L. Wright</span> Quote
Guest Michael D. Ober Posted April 22, 2008 Posted April 22, 2008 "Jesper" <Jesper@discussions.microsoft.com> wrote in message news:E245C8B1-FDE5-41C8-98A1-0985184927AD@microsoft.com...<span style="color:blue"> > You should definitely digitally sign the application no matter what. > However, > that will not remove the warning. It just will have your (or your > company's) > name in the dialog and won't say "Unknown Publisher." > > Technically, there is a way to get rid of this warning, but it is there as > a > warning to end users. If you remove it here, you would also remove it for > all > other executables. That would put your users at significant risk. If you > programmatically remove that warning, you would be responsible for putting > them at significant risk; a responsibility that I am pretty sure you do > not > want to accept. ></span> Garbage --- MS Word doesn't generate a warning everytime I start it. Neither does Excel, Powerpoint, or Outlook. What does OP need to do so his application doesn't generate a Vista warning at runtime. Generating it at install is a good idea, but generating it every single time an installed application is run is overkill and leads to people blindly clicking "continue" with eventual disastrous results. Obviously this warning can be bypassed somehow on an application by application basis. Rod, You might want to repost this in an MS Access group as you will probably get a quicker and more usable answer there. They will need to know at a minimum the version of Access you're running and if it is a single mdb file that is shared or multiple front end MDB files with a single back end for the database. Mike Ober. <span style="color:blue"> > Rather, I would suggest that you take the opportunity to educate your > users. > Teach them that the warning is there so that they can assess whether they > want to accept the risk involved in opening applications off the Internet. > In > this case, you have digitally signed the application so they can trace it > to > you and have assurance that they are, in fact, opening a trusted > application. > Anytime they get a dialog like this they should evaluate it and see if > they > really want to accept that risk or not. If the publisher is unknown, they > have no way to tell who wrote the application, and should consider it a > higher risk. > --- > Your question may already be answered in Windows Vista Security: > http://www.amazon.com/gp/product/047010155...rotectyourwi-20 > > > "Rod Wright" wrote: ><span style="color:green"> >> Background: >> We developed a program to integrate a large amount of data for National >> Air >> and Space Museum (NASM) volunteer use. The program works fine, but our >> users >> are relatively unsophisticated volunteers. They get confused by the >> warnings >> issued by Access when opening our program. Our users run at multiple >> Win2K >> and XP machines and load our program and the data over the Smithsonian >> intranet. >> >> In Vista, the popup warning is: >> ---------------------------------------------------- >> Open File - Security Warning >> Do you want to open this file? >> Name: ServerPublicUHC_Frms.exe >> Publisher: Unknown Publisher >> Type: Microsoft Office Access MDE Database >> From: SERVERPublicBLASTUHC_Frms.mee >> | Open | | Cancel | >> ______________________________________ >> Note that the path shown above is when I'm testing on my home network, >> not >> at NASM. Also, that warning was from Office 2007 but at NASM they are >> still >> using Office 2003, so the dialog box is different. >> >> Also, the error message is different under Office 2003 (and a lot more >> confusing for users.) I'm not at NASM now, so I can't see the exact text >> of >> how the error appears there. I'll post that tomorrow when I go there. >> >> >> Question: >> How can we avoid these warnings? Would it work for us to obtain and >> publish >> a certificate for the program code? If so, does it need to be reissued >> each >> time we make a change? (Since we have only been up and running for users >> since January, the code is still being modified as we gain experience.) >> How >> do we do that? >> >> What do you recommend? >> >> >> >> -- >> Rodney L. Wright</span> ></span> Quote
Guest Jesper Posted April 22, 2008 Posted April 22, 2008 > Garbage --- MS Word doesn't generate a warning everytime I start it. <span style="color:blue"> > Neither does Excel, Powerpoint, or Outlook. </span> MS Word, Excel, PowerPoint and Outlook are (a) not applications you download and run from the Internet most of the time, (style_emoticons/ not applications that will run potentially untrusted contect when you launch them. It is a completely invalid analogy. <span style="color:blue"> > What does OP need to do so his > application doesn't generate a Vista warning at runtime. </span> One of us clearly misunderstood OP. My understanding was that the warning was generated at run-time because the application was not installed. It was downloaded as a stand-alone executable, not as an installer. If you wrap the application in an installation file Vista will warn you when you execute the installer, but not when you execute the application that is installed. I may have misunderstood OP, but the warning that was in the original post was perfectly consistent with the Mark of the Web. IE adds the Mark of the Web to all downloaded files by setting a flag in an Alternate Data Stream. The flag can be removed on a download by download basis by unchecking the box for "Always ask before opening this file." However, OP seemed to want to remove all such warnings for a particular file. Doing so is highly inadvisable because it would remove the warning to the user that s/he is about to execute arbitrary content. Quote
Guest Michael D. Ober Posted April 23, 2008 Posted April 23, 2008 "Jesper" <Jesper@discussions.microsoft.com> wrote in message news:4CDE2A3B-331E-4CFB-B296-3D0D02DF4AB8@microsoft.com...<span style="color:blue"><span style="color:green"> >> Garbage --- MS Word doesn't generate a warning everytime I start it. >> Neither does Excel, Powerpoint, or Outlook.</span> > > MS Word, Excel, PowerPoint and Outlook are (a) not applications you > download > and run from the Internet most of the time, (style_emoticons/ not applications that will > run potentially untrusted contect when you launch them. It is a > completely > invalid analogy. ><span style="color:green"> >> What does OP need to do so his >> application doesn't generate a Vista warning at runtime.</span> > > One of us clearly misunderstood OP. My understanding was that the warning > was generated at run-time because the application was not installed. It > was > downloaded as a stand-alone executable, not as an installer. If you wrap > the > application in an installation file Vista will warn you when you execute > the > installer, but not when you execute the application that is installed. > > I may have misunderstood OP, but the warning that was in the original post > was perfectly consistent with the Mark of the Web. IE adds the Mark of the > Web to all downloaded files by setting a flag in an Alternate Data Stream. > The flag can be removed on a download by download basis by unchecking the > box > for "Always ask before opening this file." However, OP seemed to want to > remove all such warnings for a particular file. Doing so is highly > inadvisable because it would remove the warning to the user that s/he is > about to execute arbitrary content. ></span> Jesper, Now we have common terminology. I thought OP was installing, but if he is running from the web as you suspect, the warning is entirely valid. OP - how is your app running? If you can create an installer and sign the installation package, I suspect your Vista alert problems will go away as installed apps don't alert every time they are started. This sounds like you may actually need to rearchitect your app to be client server with the server sitting behind a web service and the local client either be a ASP.NET application (web site) or installed. You will probably need to dump Access in favor of SQL Server 2005 (Express or Full) for your data store. Mike. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.