Download ppt - Microsoft ® Office Access ® 2003 Training Introduction to security Your STS, Tom Redd, presents:

Microsoft® Office Access® 2003 Training

Introduction to security

Your STS, Tom Redd, presents:


Course contents

• Overview: Take steps to protect your data

• Lesson 1: Viruses, dangerous code, and the macro security level

• Lesson 2: Access sandbox mode

• Lesson 3: Working with digitally signed files

One lesson includes a list of suggested tasks, and all have a set of test questions.


Help protect your data and your computer from intruders, corruption, and loss. Start by using antivirus software. Also:

Overview: Take steps to protect your data

•Choose an appropriate macro security level.

• And work with digitally signed files.

•Enable an important Microsoft Office Access environment called sandbox mode.


Course goals

• Change the Access macro security level and options to the settings that work best for you.

• Understand the security warning messages you'll encounter in Access and how to work with them to help protect your data.

• Install and enable sandbox mode, and see how it helps you work more safely in Access.

Lesson 1

Viruses, dangerous code, macro security levels



Whether you are a home user or part of a large organization, losing your data or suffering from computer downtime can cost you valuable time and money.

Learn about potential security risks and how to help prevent them.



Running antivirus software and being careful about which files you open can help protect you.



Your database or computer can be attacked or damaged by many sources:

•Viruses attached to files and e-mail messages

•Files downloaded from the Web

•Network worms

•Programming code that uses commands available inside Access


About viruses and dangerous code

Viruses are destructive programs that can act as program files, or attach themselves to innocent-looking files and corrupt them.

Viruses and dangerous code have many sources.



Computer viruses and malicious (destructive) code can corrupt your data or even take control of your computer.




Antivirus software can help detect viruses and stop them in their tracks before they can run. But you need to work as a team with your antivirus program to achieve the best results:

• Keep your antivirus software up to date.

• Manually scan downloaded files.

• Be careful about which files you open or run.




Dangerous code is not necessarily a virus, but can consist of powerful commands that may exist in an Access file you open — in its objects (such as queries, forms, reports, and macros) or in its Microsoft Visual Basic® for Applications (VBA) modules.




You can prevent some potentially dangerous code from running by running Access in sandbox mode, which is strongly recommended.



How the macro security levels work

Access features three different macro security levels that control what happens when you first try to open a database file and what can then happen while you have that database open.

These levels are:

Security dialog box • High

• Medium

• Low



Security dialog box

• To set the macro security level in Access, click an option on the Security Level tab of the Security dialog box.



• At the High macro security level, you cannot open any file in Access unless it is digitally signed.

Security dialog box

The effect for each security level setting is as follows:

You get this message.



Security dialog box

• At the Medium macro security level, Access prompts you with a message when you first open a file.

This message warns you that the file could contain code that might damage your computer or data, and gives you the choice of opening the file.



• At the Low macro security level, you can open any database file in Access without being prompted.

We recommend that you never use the Low macro security level.

Security dialog box


More about the macro security level

The macro security level for each Microsoft Office program is independent of all other Office programs.



Choose one of the three macro security levels that fits your work environment.

In Access, it is recommended that you choose High.



If you need to work with unsigned files from other sources, you can use the Medium macro security level.

• Always examine such files and sources carefully before choosing to enable any macros.

• Change back to High when you no longer need to use the Medium level.



If you use only your own files in Access, you should self-sign these files and use the High macro security level.



We routinely use phrases such as “help protect” or “probably feel safe” because there’s no such thing as absolute security.

But you can greatly decrease the chance of a catastrophic security breach by doing the following:



• Use common sense

• Run antivirus software

• Choose strong security options

• Work with digitally signed files


If you don’t see the Security command

The Security command, on the Macro submenu

To change the macro security level in Access, use the Security command.

•On the Tools menu, select the Macro submenu.


Suggestions for practice

1. Change the macro security level to High.

2. Change the macro security level to Medium.

Online practice (requires Access 2003)

http://office.microsoft.com/training/Training.aspx?AssetID=RP011461811033&CTT=6&Origin=RC011461801033


After you complete the practice

We strongly recommend that you run Access at the High macro security level.

After completing the practice, make sure that you set the macro security level to High. If you need to work with unsigned files from other sources, you can use the Medium macro security level to do that; however, you should always examine such files and sources carefully before choosing to enable any macros, and change back to High when you no longer need to use the Medium macro security level. If you use only your own files in Access, you should self-sign your files and use the High macro security level.


Test 1, question 1

In Access, using the Low macro security level will protect you against: (Pick one answer.)

1. Dangerous code embedded in your VBA modules.

2. Computer viruses infecting your database.

3. Nothing.


Test 1, question 1: Answer

Nothing.

We strongly recommend that you avoid using the Low security level in all cases.


Test 1, question 2

You change the macro security level in Access by: (Pick one answer.)

1. Clicking either OK or Cancel in the dialog box when you open a file.

2. Setting the level in the Security dialog box.

3. Selecting a startup option.



Setting the level in the Security dialog box.

It's an option you set once; then it's applied every time you use Access.


Test 1, question 3

By using common sense, running antivirus software, choosing strong security options, and working with digitally signed files, you should feel completely secure when working in Access. (Pick one answer.)

1. True.

2. False.



False.

By taking this course, you are on your way to working more securely in Access, but absolute security is never a certainty.

Lesson 2

Access sandbox mode


Access sandbox mode

For an additional layer of safety while working in Access, you can run the program in sandbox mode.

Running in sandbox mode helps ensure that any potentially dangerous commands that could be run from an Access expression will be blocked.


How sandbox mode protects your computer

In Access, it’s possible to run dangerous VBA code in expressions — strings of instructions that Access can use to perform operations on your database.

Sandbox mode protects against harmful commands



• Delete files

• Change file attributes

• Start other programs

• Change Access settings

• Change environment settings (such as the PATH statement)

Potentially dangerous expressions can include commands and properties that could:





Running Access in sandbox mode helps prevent dangerous code from being run in expressions.


The Jet 4.0 Service Pack 8 update

To run Access in sandbox mode, first install the Service Pack 8 (SP8) update for Microsoft Jet 4.0.

Jet 4.0 is a program that Access uses behind the scenes for many of its operations, such as running queries and updates.



Jet Database Engine 4.0 Service Pack 8 (SP8) is part of a critical Windows update.

• On Microsoft.com, click Windows Update in the left column.

• Install all high-priority and critical Windows updates.

To install the update:



Before you do this, determine if the Jet 4.0 SP8 update is already installed on your computer.

• Look in the Add or Remove Programs section of Control Panel.

• If you have installed the Service Pack 2 (SP2) update for Windows XP, make sure that the Show updates check box is selected at the top of the Add or Remove Programs window.



• If you find the Windows Hotfix KB837001 or KB829558, the Jet 4.0 SP8 update has been installed.

Before you do this, determine if the Jet 4.0 SP8 update is already installed on your computer.



Important: Remember that this update to the Jet engine is a vital part of security in Access, and should be installed for every computer that runs Access.


After you have installed the Jet update

When you start Access for the first time after installing the Jet 4.0 SP8 update, and Access is set to either the Medium or High macro security level, you will see the message shown on the left.

Click Yes to block unsafe expressions and run Access in sandbox mode.

Click Yes to block unsafe expressions.



Assuming that you are running Access at the High or Medium macro security level, you're all set — and you should not see any more messages about sandbox mode unless you change the macro security level and explicitly choose to allow blocked expressions.




If your macro security level is set to Low, you won't be prompted about blocking unsafe expressions when you start Access for the first time after installing the Jet update.


Only when you change the macro security level to Medium or High will you see the message shown on the left. Change your macro security level to Medium or High, and then click Yes to block unsafe expressions.



While this message does not actually mention "sandbox mode" at all, just understand that choosing to block unsafe expressions is sandbox mode.


By clicking Yes, you are choosing to block unsafe expressions and therefore to run Access in sandbox mode.


Test 2, question 1

Sandbox mode can best be described as an environment where: (Pick one answer.)

1. Access and other Office programs can work safely with each other.

2. Interaction between Access and any other Office program is not allowed.

3. Certain potentially dangerous commands cannot be run from Access.



Certain potentially dangerous commands cannot be run from Access.

Sandbox mode prevents certain potentially destructive commands from running in Access.


Test 2, question 2

Sandbox mode is related to the macro security level in the following way: (Pick one answer.)1. There is a one-to-one correspondence between

the state of sandbox mode and the macro security level.

2. Changing the macro security level lets you decide whether sandbox mode is enabled.

3. If your macro security level is set to High, sandbox mode must be enabled.



Changing the macro security level lets you decide whether sandbox mode is enabled.

When you change the macro security level from Low to either Medium or High, Access will ask you if you want to block unsafe expressions by running Access in sandbox mode.


Test 2, question 3

Running Access in sandbox mode will prevent: (Pick one answer.)

1. Many dangerous commands from running in expressions.

2. Many dangerous macro commands from running.

3. Dangerous VBA code from running.



Many dangerous commands from running in expressions.

For example, you can't delete files, format your hard disk drive, or rename folders.

Lesson 3

Working with digitally signed files


Working with digitally signed files

Wondering which data you can trust? Wondering how you can verify the integrity of the files that you open?

Working only with digitally signed files is a good practice that can help protect your database environment.

A digital signature helps assure who originated and signed that file.


About digital signatures and trusted publishers

Digital signatures can be issued by a “certificate authority.”

A certificate authority is a third-party organization that issues certificates used to digitally sign files.

Digital certificate: Can you trust it?



You can also create digital certificates for your own use or for use within a small, closely trusted group.

These are called “self-signed certificates.”




When you explicitly trust a particular signer of files, you can add that person or company to your computer as a “trusted publisher.”


A trusted publisher is someone who is known by you or by your company to be reputable.



Although an entity (such as a software company or a consultant) may have a digital certificate from a certificate authority, that certificate means nothing until you do one of the following:




• Open the file (Medium macro security level).


— Or —

• Add the owner of that certificate to the list of trusted publishers on your computer (High or Medium macro security level).


Digital signatures and macro security level

Consider two major factors when deciding whether to accept a digitally signed file:

• The macro security level setting in Access

• What actions you will take when you open the file

Access warning, Medium macro security level


At the Medium macro security level, when you open a digitally signed file for the first time, you can either:

• Click Open, and open that file right away.

— Or —

• Permanently add its signer to your list of trusted publishers.

Access warning, Medium macro security level



At the High macro security level, things are buttoned down a bit more tightly: • To be opened, any file must be digitally signed (no

exceptions).

• You must accept the digital signature and permanently add its signer to your list of trusted publishers.


Access warning, High macro security level


In Access, unlike most other Office programs, you can't open a file that has no digital signature at the High macro security level.

Access warning, High macro security level


It’s different in Microsoft Excel and Word.


You can verify the authenticity of a digital signature by inspecting its certificate through your Web browser.

The unsigned file warning, High macro security level



Summing it up: The safer, the better

In general, when you receive a digitally signed file from a trusted entity, you can feel reasonably confident the file is safe.This is primarily due to two things:

Has this Access file lost its digital signature, or has it never been signed?



• To digitally sign a file, you must have what is known as the "private key" for the signature — the private key allows you to add its unique signature to a file.


• Thus, if someone without the private key changes a signed file by making potentially dangerous changes, the digital signature will become invalid and will be removed from the file.



Caution: At the Medium macro security level in Access, when you open a digitally signed file that has lost its signature, the standard security warning message for the Medium level displays (see the picture at left), as if the file had never been signed at all.


Exercise great care when you consider opening any file that's not signed.



Before you open a file that has lost its signature, you should exercise extreme caution. You can:• Run a virus scan

• Notify the publisher that the signature for the file is no longer valid

— Or —

• Retrieve a backup version of the fileHas this Access file lost its digital signature, or has it never been signed?



In summary, at the Medium and High macro security levels, when you open a file that has a digital signature from a trusted publisher, you won’t be prompted with any security warnings.


If you do see a warning, this indicates the file may have been changed by an unauthorized party or is corrupted.



It is recommended that you operate at the High macro security level.


If you need to work with unsigned files from other sources, you can use the Medium macro security level to do that.



At the Medium macro security level, when you open a file with a signature that you have not yet added as a trusted publisher, the warning message from Access should cause you to think about which files you can trust.



Test 3, question 1

Which of the following is true about opening files in Access? (Pick one answer.)

1. You can open all files by clearing the Only open files from the trusted publishers list check box.

2. You can selectively open a digitally signed file by adding the file to the trusted publishers list.

3. You can open only digitally signed files from a trusted publisher at the High macro security level.



You can open only digitally signed files from a trusted publisher at the High macro security level.

We strongly recommend that you work in Access at the High macro security level.


Test 3, question 2

To selectively open digitally signed files, you would: (Pick one answer.)

1. Run Access at the High macro security level after adding the file’s signer as a trusted publisher.

2. Run Access at the Medium macro security level, but not add the file's signer as a trusted publisher.

3. Run Access at the Medium macro security level after adding the file’s signer as a trusted publisher.



Run Access at the Medium macro security level, but not add the file's signer as a trusted publisher.

Although the High macro security level is the most secure, the Medium level does allow you more flexibility about which files to open.


Test 3, question 3

One reason why you might want to work only with digitally signed files is: (Pick one answer.)

1. You can choose to run Access safely at the Low macro security level.

2. You can choose to run Access at the High macro security level, where a digital signature is required to open any file.

3. You can have complete confidence that all digitally signed files are safe.



You can choose to run Access at the High macro security level, where a digital signature is required to open any file.

Working in Access at the High macro security level and requiring digital signatures help make your computer and your database files more secure.


Test 3, question 4

When code in a digitally signed file is changed by a user without the private key: (Pick one answer.)

1. Access warns the next user who opens the file that it has been changed by an unauthorized user.

2. Access won’t open the file until it is re-signed.

3. Access removes the signature from the file, and you can't open it at the High macro security level.



Access removes the signature from the file, and you can’t open it at the High macro security level.

In addition, at any macro security level, Access treats the file as if it was never signed.


Quick Reference Card

For a summary of the tasks covered in this course, view the Quick Reference Card.