About Microsoft Jet Expression Service sandbox mode
Microsoft Office Access 2003 uses the Microsoft Jet Expression Service to evaluate expressions. The Jet Expression Service can be configured to run in sandbox mode. Sandbox mode is a mode of operaton where only safe expressions can be evaluated.
About unsafe expressions
Unsafe expressions contain functions that could be exploited by malicious users to access drives, files, or other resources for which they do not have authorization. If malicious users have access to these resources, then they may be able to perform actions such as deleting all of the files from a folder, tying up a network resource, or modifying a file.
To make your Access databases (MDBs) and projects (ADPs) more resistant to malicious attacks, you should enable sandbox mode. Sandbox mode allows Access to be fully functional while blocking unsafe expressions.
Functions that are blocked in sandbox mode
The following functions are blocked when the Jet Expression Service is configured to run in sandbox mode. the functions cannot be used in expressions, but they can be utilized in Visual Basic for Applications (VBA) code.
Blocked functions located in the Visual Basic for Applications (VBA) object library
| Function Name |
|---|
| AppActivate |
| Beep |
| Calendar |
| CallByName |
| ChDir |
| ChDrive |
| Command |
| Command$ |
| CreateObject |
| CurDir |
| CurDir$ |
| DeleteSetting |
| DoEvents |
| Environ |
| Environ$ |
| EOF |
| Err |
| FileAttr |
| FileCopy |
| FileDateTime |
| FileLen |
| FreeFile |
| GetAllSettings |
| GetAttr |
| GetObject |
| GetSetting |
| Input |
| Input$ |
| InputB |
| InputB$ |
| Kill |
| Load |
| Loc |
| LOF |
| Randomize |
| Reset |
| SaveSetting |
| Seek |
| SendKeys |
| SetAttr |
| Shell |
| Spc |
| Tab |
| Unload |
| UserForms |
| Width |
Blocked functions and properties in the Microsoft Access object library
| Object | Blocked Function/Property |
|---|---|
| Application | AddAutoCorrect |
| Application | AddToFavorites |
| Application | ADOConnectString |
| Application | AnswerWizard |
| Application | Application |
| Application | Assistant |
| Application | AutoCorrect |
| Application | BeginUndoable |
| Application | CloseCurrentDatabase |
| Application | CodeContextObject |
| Application | CodeDb |
| Application | COMAddIns |
| Application | CommandBars |
| Application | CompactRepair |
| Application | ConvertAccessProject |
| Application | CreateAccessProject |
| Application | CreateAdditionalData |
| Application | CreateControl |
| Application | CreateControlEx |
| Application | CreateDataAccessPage |
| Application | CreateForm |
| Application | CreateGroupLevel |
| Application | CreateNewWorkgroupFile |
| Application | CreateReport |
| Application | CreateReportControl |
| Application | CreateReportControlEx |
| Application | CurrentDb |
| Application | DataAccessPages |
| Application | DBEngine |
| Application | DDEExecute |
| Application | DDEInitiate |
| Application | DDEPoke |
| Application | DDERequest |
| Application | DDETerminate |
| Application | DDETerminateAll |
| Application | DefaultWebOptions |
| Application | DefaultWorkspaceClone |
| Application | DelAutoCorrect |
| Application | DeleteControl |
| Application | DeleteReportControl |
| Application | DoCmd |
| Application | Echo |
| Application | ExportXML |
| Application | FeatureInstall |
| Application | FileDialog |
| Application | FileSearch |
| Application | FollowHyperlink |
| Application | GetHiddenAttribute |
| Application | ImportXML |
| Application | InsertText |
| Application | LanguageSettings |
| Application | LoadFromText |
| Application | LoadPicture |
| Application | Modules |
| Application | NewAccessProject |
| Application | NewCurrentDatabase |
| Application | NewFileTaskPane |
| Application | OpenAccessProject |
| Application | OpenCurrentDatabase |
| Application | Parent |
| Application | ProductCode |
| Application | Quit |
| Application | References |
| Application | RefreshDatabaseWindow |
| Application | RefreshTitleBar |
| Application | ReloadAddIns |
| Application | ReplaceModule |
| Application | RunCommand |
| Application | SaveAsText |
| Application | SetDefaultWorkgroupFile |
| Application | SetHiddenAttribute |
| Application | SetOption |
| Application | SetUndoRecording |
| Application | SysCmd |
| Application | TransformXML |
| Application | VBE |
| BoundObjectFrame | Object |
| Combobox | Recordset |
| Control | Object |
| CurrentProject | AccessConnection |
| CurrentProject | BaseConnectionString |
| CurrentProject | CloseConnection |
| CurrentProject | Connection |
| CurrentProject | OpenConnection |
| CustomControl | Object |
| Form | Dynaset |
| Form | Recordset |
| Form | RecordsetClone |
| Hyperlink | AddToFavorites |
| Hyperlink | CreateNewDocument |
| Hyperlink | Follow |
| ListBox | Recordset |
| ObjectFrame | Object |
| Report | Recordset |
| SmartTagAction | Execute |
| Screen | ActiveDataAccessPage |
How to enable sandbox mode
Follow these steps to enable sandbox mode:
- On the Tools menu, point to Macro, and then click Security.
- Click the Security Level tab, and then click Medium or High.
- Click OK.
- Restart Access.
Note Enabling the sandbox mode setting applies to all users of the computer.
When are unsafe expressions blocked?
These functions are blocked only when used in expressions such as for a default value, a control source, or in a SQL statement. These functions are not blocked for use in VBA code.
How to use a blocked function in an expression
You can utilize a blocked function in an expression by wrapping the function in a public VBA function. For example, you can create the following VBA function in order to use the blocked CurDir function:
Public Function MyCurDir() As String
MyCurDir = CurDir()
End Function
You would call the MyCurDir() function in your expression instead of calling the CurDir() function.
How to disable sandbox mode
Follow these steps to disable sandbox mode:
- On the Tools menu, point to Macro, and then click Security.
- Click the Security Level tab, and then click Low.
- Click OK.
- Restart Access.
Note At this security level, macros are always enabled when you open files.
Note Disabling the sandbox mode setting applies to all users of the computer.