VBA alternative (1 Viewer)

JamesR

New member
Local time
Today, 13:54
Joined
Aug 20, 2021
Messages
12
Hi all,
The company I work for has taken the step to block all VBA/macros because of the risk to IT security. This will have a massive impact on any excel/access users.
I look after a DB that is used daily by 50+ people, it spits out large text files based on users inputs
The solution they are proposing is to place the db on a secure share and limit access to certain users, this isn't ideal for a number of reasons

Has anyone overcome this before and what have you done?
Could the VBA be rewritten in to some form of python application?

Thanks
 

Ranman256

Well-known member
Local time
Today, 09:54
Joined
Apr 9, 2015
Messages
4,339
you cant run access apps without macros. (same with excel, word)
 

theDBguy

I’m here to help
Staff member
Local time
Today, 06:54
Joined
Oct 29, 2018
Messages
21,357
Hi. Welcome to AWF!

Our company used to block certain code as well, but they eventually changed their minds and allowed it. Lots of companies allow VBA. It would be interesting to see what your IT's real concern with VBA, so you can provide some counter arguments.
 

JamesR

New member
Local time
Today, 13:54
Joined
Aug 20, 2021
Messages
12
Hi. Welcome to AWF!

Our company used to block certain code as well, but they eventually changed their minds and allowed it. Lots of companies allow VBA. It would be interesting to see what your IT's real concern with VBA, so you can provide some counter arguments.
The argument given by IT is that VBA can be used by hackers to gain access to internal systems.

A large organization, who shall remain nameless, was hacked with this method. An employee opened an excel attachment which contained a malicious macro, this then started an encryption process of all data on the shared drives across the whole company.

A blanket ban on macros is what I would call the nuclear option, a more simple solution would be to block all emails containing these attachments, but hey, what do I know
 

theDBguy

I’m here to help
Staff member
Local time
Today, 06:54
Joined
Oct 29, 2018
Messages
21,357
The argument given by IT is that VBA can be used by hackers to gain access to internal systems.
In my humble opinion, that argument is a bit weak. So, if they allow Python, wouldn't hackers then be able to use it to do damage as well?

Our company conducts cybersecurity training all the time, because hackers can use multiple methods to do harm. Even if your company totally bans all sorts of code, that won't stop damages that could happen with social engineering. Since your company uses technology, they should try to find a way to also use technology to stay safe.

In the sample scenario you presented, that could have happened as well even if the attacker wasn't using VBA. Sounds like your IT is trying to be reactive instead of being preemptive. If you can't use VBA, then you won't be able to do any automation in your Access database (I don't think).

Just my humble opinion...
 

June7

AWF VIP
Local time
Today, 05:54
Joined
Mar 9, 2014
Messages
5,423
Does this mean an executable Access file (accde) built without macros, only VBA, would be blocked?
 

JamesR

New member
Local time
Today, 13:54
Joined
Aug 20, 2021
Messages
12
In my humble opinion, that argument is a bit weak. So, if they allow Python, wouldn't hackers then be able to use it to do damage as well?

Our company conducts cybersecurity training all the time, because hackers can use multiple methods to do harm. Even if your company totally bans all sorts of code, that won't stop damages that could happen with social engineering. Since your company uses technology, they should try to find a way to also use technology to stay safe.

In the sample scenario you presented, that could have happened as well even if the attacker wasn't using VBA. Sounds like your IT is trying to be reactive instead of being preemptive. If you can't use VBA, then you won't be able to do any automation in your Access database (I don't think).

Just my humble opinion...
I share your opinion but this new policy has the backing of the senior management so that's a no win situation
 

JamesR

New member
Local time
Today, 13:54
Joined
Aug 20, 2021
Messages
12
Does this mean an executable Access file (accde) built without macros, only VBA, would be blocked?
I haven't tried it but once it contains VBA then it will be blocked. All laptops in the organization are being upgraded to Win 10 and the trust center options will all be disabled by default and end users will not be able to change them
 

isladogs

MVP / VIP
Local time
Today, 13:54
Joined
Jan 14, 2017
Messages
18,186
Trust centre options affect Access macros but NOT VBA.
So you can block all Access macros but VBA code will still run
 

Pat Hartman

Super Moderator
Staff member
Local time
Today, 09:54
Joined
Feb 19, 2002
Messages
42,970
I share your opinion but this new policy has the backing of the senior management so that's a no win situation
Including for management. You might want to make a list of what will no longer work and ask how soon IT can create a "safe" replacement. Don't call them idiots even though they are. Just ask for advice. In all companies where they have an IT staff, there is always a backlog. Tasks get prioritized and cost justified. If you can figure the cost of this decision to replicate with a manual solution, include that.
 

JamesR

New member
Local time
Today, 13:54
Joined
Aug 20, 2021
Messages
12
Trust centre options affect Access macros but NOT VBA.
So you can block all Access macros but VBA code will still run
They must have enabled something else on the policy side because even when I delete all macros from the DB it still will not run.
The user will still get the warning " Some active content has been disabled. Click for more details..." This option is now greyed out and the user is unable to enable it
 

isladogs

MVP / VIP
Local time
Today, 13:54
Joined
Jan 14, 2017
Messages
18,186
That message occurs when the application is run from a non-trusted folder. If so all code is indeed disabled.
It is indeed possible to disable all trusted locations, either from Access options or (I believe) as part of a group policy setting.
Out of interest, see whether you can re-enable trusted locations from Access options - I suspect not.
 

Pat Hartman

Super Moderator
Staff member
Local time
Today, 09:54
Joined
Feb 19, 2002
Messages
42,970
Isn't there some default trusted location for a user? I'm having a senior moment and can't remember for certain. Maybe it is a windows thing rather than an Office thing.
 

isladogs

MVP / VIP
Local time
Today, 13:54
Joined
Jan 14, 2017
Messages
18,186
No. There's a default location for the access wizards e.g. C:\Program Files (x86)\Microsoft Office\root\Office16\ACCWIZ\
However, that won't help as users won't be able to save or move databases to that folder
 

Umpire

Member
Local time
Today, 06:54
Joined
Mar 24, 2020
Messages
120
I am more petty. I would just have every user submit a fix-it ticket to IT every time they tray to use the database and it doesn't work. When their open ticket que balloons out of this world, they will take another look at reality.
 

Jason Lee Hayes

Active member
Local time
Today, 13:54
Joined
Jul 25, 2020
Messages
174
My 2 pennies worth..

Reading some of the comments i find quite concerning and demonstraights a lack of understanding from various parties involved. If your IT company have made the decision to blanket ban an application because their argument is that MSA uses Macros or VBA which may lend itself to be exploited resulting in data being corrupt, leaked or encrypted and/or held to ransom then what this suggests to me is that the IT Company/Manager currently providing an IT support service is placing limitation on you because they simply have a lack of knowledge and understanding. Reflected also is the fact that if Management have agreed to this blanket ban/limitations then they have been ill advised. This is typical of what I see in industry and when my skills are called upon to find a solution most of amenable resolve is found in simple communication with real understanding of the threat, the consiquence the restriction proposed has to business and a clear move forward plan. Most IT companies when brought to the table with Appication designers, Management and someone with the a broad spectrum of skill set to challenge all argument is all that's needed to resolve the issue you present here. I have never been unsuccessful yet in argument however I've been doing this for many years. Developers should never feel the IT department is working agains them. Any IT company worth their salt will be happy to be part of the solution not the problem.
 

Users who are viewing this thread

Top Bottom