SRP Question [Archive] - Wilders Security Forums

View Full Version : SRP Question

chennemann

July 25th, 2008, 09:48 PM

I followed the instructions exactly as mechbgon states on his page. I am running Vista Ultimate. Everything seems to work ok, other than Access 2007. I get the following error:

A problem occurred while Microsoft Access was communicating with the OLE server or ActiveX Control.
Close the OLE server and restart it outside Microsoft Access. Then try the original operation again in Microsoft Office Access.

If I switch the security back to basic user, the error goes away. Is there another way to fix this?

Thanks,
Chuck

Kerodo

July 25th, 2008, 10:11 PM

You'd probably need more details on what is happening there... I'm not sure how you'd find out either, except maybe if there are any errors in your event viewer logs. It's possible that something is trying to execute from somewhere other than the Program Files or Windows folders. If so, you can probably set up a rule in policy somehow to allow that specific circumstance. Aside from that, I can't really think of what the problem might be... maybe someone else has more ideas...

nick s

July 25th, 2008, 11:22 PM

Hi chennemann,

Enabling SRP's advanced logging might reveal what is failing. Per Troubleshooting Software Restriction Policies (http://technet.microsoft.com/en-us/library/bb457006(TechNet.10).aspx#EDAA):

"When creating rules or troubleshooting a machine displaying problems, an administrator may want a log of every software restriction policy evaluation. This can be done by enabling advanced logging.

To enable advanced logging:

Create the following registry key:

KEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

String Value: LogFileName, <path to a log file>"

Nick

nick s

July 27th, 2008, 12:28 AM

Hi chennemann,

After playing a bit with my Technet distro of Access 2007 on Vista Ultimate, I see similar errors. I got Access working at the Disallowed level only by...

1. Under Enforcement, limiting SRP to "All software files except libraries (such as DLLs)"
2. Under Additional Rules, adding a path rule for "C:\Program Files\Microsoft Office\Office12"
3. Under Additional Rules, adding path rules to wherever you store your .mdb files (this allows you to execute Access by double-clicking .mdb files)

Hope this helps.

Nick

chennemann

July 27th, 2008, 01:09 PM

Thanks Nick, it seemed to work.