Summary
Starting with the May 11, 2021 Windows and Microsoft Office updates, an option has been added that lets you disable remote references in query execution to make your applications more secure.
Starting in the October 12, 2021 Windows updates, an option is added to log a Windows event when an application attempts to open an external database through a SQL query.
You might need to do this when you allow unprivileged users to run custom SQL queries by using the Jet Red Database Engine or Access Connectivity Engine (ACE).
By default, no changes are made to accessing Jet or ACE by installing these updates.
More information
Access to remote databases
If you disable using the Jet Red Database Engine or the Access Connectivity Engine (ACE) to access remote databases, you may receive error messages that resemble the following when you run your SQL queries:
- Microsoft Access: If a user executes a query in Access, the following error message is displayed:
  Text of error message:
  Microsoft Access
  Operation is not supported for this type of object.
- Microsoft Access: If a user executes code that runs a query, a run-time error 3251 is displayed, unless the error message is handled in code:
  Text of error message:
  Microsoft Visual Basic for Applications
  Run-time error '3251'
  Operation is not supported for this type of object.
Warning: If you choose to re-enable the following registry values after disabling them, it might make your device vulnerable to attack by a malicious user or malicious software. We do not recommend that you re-enable these registry values after they are disabled. However, we are providing this information so that you can choose to implement this at your own discretion. Use this at your own risk.
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Auditing of remote database access attempts
Note: Auditing is only available for Jet Red Database Engine at this time.
Auditing logs a Windows event in Event Viewer under "Application and Service logs\Microsoft\Windows\JetRed".
By default, auditing is enabled and controlled through a new DWORD AllowQueryRemoteTables_Audit in which 1 enables auditing, and 0 disables auditing.
If this feature is enabled, the Windows event "level" is "Informational" and the "message" is "External Database open attempted."
If this feature is disabled, then the "level" is "Error" and the "message" is "External Database open attempt blocked."
The Details tab for the event will contain both the path to the external database and the executable as shown in the following example:
EventData
Database Path: C:\PathToMyDb\myDatabase.mdb
Executable: C:\PathtoMyApplication\myApplication.exe
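The audit events described above can be summarized per executable and database, as in this added example, which is not part of the original article. The function name Get-JetRedAttempt and the sample records are constructed for illustration, and the assumption is that the "Database Path:" and "Executable:" labels appear in the event text exactly as in the EventData sample.

```powershell
# Added example (not from the article). Get-JetRedAttempt is a hypothetical helper.
# Assumption: the two labelled fields appear in the event's message or property
# values in the same form as the EventData sample shown in the article.
function Get-JetRedAttempt {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        # Gather message text and property values into one searchable string.
        $text = @($Record.Message; $Record.Properties.Value) -join "`n"
        if ($text -notmatch 'Database Path:\s*(?<db>.+?)\s+Executable:\s*(?<exe>[^\r\n]+)') {
            return   # not an external-database audit record
        }
        # Copy the captures before any other match can overwrite $Matches.
        $db  = $Matches.db
        $exe = $Matches.exe.Trim()
        [pscustomobject]@{
            # The two message strings are the ones quoted in the article.
            Outcome    = if ($text -like '*open attempt blocked*') { 'Blocked' } else { 'Attempted' }
            Executable = $exe
            Database   = $db
        }
    }
}

# Constructed sample records (not real telemetry), shaped like event log records.
$detail = 'Database Path: C:\PathToMyDb\myDatabase.mdb Executable: C:\PathtoMyApplication\myApplication.exe'
$sample = @(
    [pscustomobject]@{ Message    = 'External Database open attempted.'
                       Properties = @([pscustomobject]@{ Value = $detail }) }
    [pscustomobject]@{ Message    = 'External Database open attempt blocked.'
                       Properties = @([pscustomobject]@{ Value = $detail }) }
    [pscustomobject]@{ Message    = 'External Database open attempt blocked.'
                       Properties = @([pscustomobject]@{ Value = $detail }) }
)

# Count attempts per outcome, executable and database; most frequent first.
$sample | Get-JetRedAttempt |
    Group-Object Outcome, Executable, Database -NoElement |
    Sort-Object Count -Descending |
    Format-Table -AutoSize -Wrap

# Live use: discover the channel name instead of hard-coding it.
# $log = Get-WinEvent -ListLog '*JetRed*' | Select-Object -First 1
# Get-WinEvent -LogName $log.LogName -MaxEvents 500 | Get-JetRedAttempt
```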
Jet Red Database Engine
To disable using the Jet Red Database Engine to access a remote database, add the following to the registry:
For x64-based devices:
Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Jet\4.0\Engines
DWORD name: AllowQueryRemoteTables
Value data: 0
For x86-based devices:
Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines
DWORD name: AllowQueryRemoteTables
Value data: 0
Note: To re-enable the Jet Red Database Engine to access a remote database, change Value data to 1.
To disable auditing when the Jet Red Database Engine attempts to access a remote database, add the AllowQueryRemoteTables_Audit DWORD to the registry:
For x64-based devices:
Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Jet\4.0\Engines
DWORD name: AllowQueryRemoteTables_Audit
Value data: 0
For x86-based devices:
Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines
DWORD name: AllowQueryRemoteTables_Audit
Value data: 0
Note: To re-enable the Jet Red Database Engine to audit access attempts to a remote database, change Value data to 1.
Access Connectivity Engine (ACE)
To disable using the Access Connectivity Engine (ACE) to access a remote database, add the following DWORD and value to the registry at the path given in the following table for your installation:
DWORD name: AllowQueryRemoteTables
Value data: 0
Installation Type | Office Version | OS Bitness | Office Bitness | Registry Path
C2R | 365 / 2019 / 2016 | x64 | x64 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Access Connectivity Engine\Engines
C2R | 365 / 2019 / 2016 | x86 | x86 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Access Connectivity Engine\Engines
C2R | 365 / 2019 / 2016 | x64 | x86 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Access Connectivity Engine\Engines
C2R | 2013 | x64 | x64 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\15.0\Access Connectivity Engine\Engines
C2R | 2013 | x86 | x86 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\15.0\Access Connectivity Engine\Engines
C2R | 2013 | x64 | x86 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office\15.0\Access Connectivity Engine\Engines
MSI | 2016 | x64 | x64 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access Connectivity Engine\Engines
MSI | 2016 | x86 | x86 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access Connectivity Engine\Engines
MSI | 2016 | x64 | x86 | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Access Connectivity Engine\Engines
MSI | 2013 | x64 | x64 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\Access Connectivity Engine\Engines
MSI | 2013 | x86 | x86 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\Access Connectivity Engine\Engines
MSI | 2013 | x64 | x86 | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Access Connectivity Engine\Engines
Note: To re-enable the Access Connectivity Engine (ACE) to access a remote database, change Value data to 1.
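To confirm which of the Jet Red and ACE keys listed in the two sections above actually carry the hardening values on a given device, the following added example (not part of the original article) reads them without changing anything. The function name Get-RemoteTableSetting is hypothetical, and the script assumes it runs in 64-bit PowerShell on x64 Windows so that the paths are not redirected.

```powershell
# Added example (not from the article): read-only report of the registry values
# described above. Get-RemoteTableSetting is a hypothetical helper name.
# Assumes 64-bit PowerShell on x64 Windows so paths are not WOW64-redirected.
$jet = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Jet\4.0\Engines'
} else {
    'HKLM:\SOFTWARE\Microsoft\Jet\4.0\Engines'
}
$c2r  = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software'
$keys = @($jet)
foreach ($ver in '16.0', '15.0') {
    # Same relative path under the C2R and MSI roots, native and Wow6432Node.
    $ace = "Microsoft\Office\$ver\Access Connectivity Engine\Engines"
    $keys += "$c2r\$ace", "$c2r\Wow6432Node\$ace",
             "HKLM:\SOFTWARE\$ace", "HKLM:\SOFTWARE\Wow6432Node\$ace"
}

function Get-RemoteTableSetting {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # key absent on this install
        $props = Get-ItemProperty -LiteralPath $p
        $names = @('AllowQueryRemoteTables')
        # The article documents the audit value for the Jet Red engine only.
        if ($p -like '*\Jet\4.0\Engines') { $names += 'AllowQueryRemoteTables_Audit' }
        foreach ($name in $names) {
            $value = $props.$name        # $null when the DWORD has not been added
            $state = if ($null -eq $value) {
                'not set (default)'
            } elseif ($value -eq 0) { 'disabled' } else { 'enabled' }
            [pscustomobject]@{ Key = $p; Name = $name; Value = $value; State = $state }
        }
    }
}

Get-RemoteTableSetting -Path $keys | Format-Table -AutoSize -Wrap
```

A row with State "not set (default)" means the DWORD has not been added, so the engine behaves as it did before the updates were installed.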