[AccessD] Database Needs Password Protection

William Hindman wdhindman at dejpolsystems.com
Mon Apr 26 10:09:19 CDT 2010


...compile and encrypt the be data ...don't even think about using jet 
security, it's easily broken ...use a be password that is a concat of a user 
input and a code hidden in the fe mde ...they can link all day and never 
touch the data ...and if you want to go even further, store the server mac 
address in a hidden usys table in the be during install and make your be 
password validation routine do a compare against it before opening the 
tables ...even if they managed to copy the be to another system, and knew 
the user fe password to it, the concat password would fail as would the hw 
mac validation ...otherwise, imnsho, move to SQL Server.

William

--------------------------------------------------
From: "Heenan, Lambert" <Lambert.Heenan at chartisinsurance.com>
Sent: Monday, April 26, 2010 9:47 AM
To: "Access Developers discussion and problem solving" 
<accessd at databaseadvisors.com>
Subject: Re: [AccessD] Database Needs Password Protection

> No. Nobody will be able to open the folder in which the backends reside 
> (except for the admins). So they cannot open them directly at all. Not 
> being able to open the folder, they cannot discover the name of the files 
> in there, so cannot link to them from any other application.
>
> Your task will be to restrict them from getting access to the database 
> window where they will see the tables and queries, and to prevent them 
> from running any code they may craft themselves. Standard Access stuff.
>
> As long as nobody in the user pool knows the names of the backend files 
> they will not be able to open them in any Access app they may put 
> together themselves. They will only have access via the approved 
> applications.
>
> # HOLD THE PRESSES!!! #####*($*#*$#*$#*$#*$#*$*#*$*#*$*#*$*#
> ###################################### Dang!!! ###########
>
> Just found the elephant sized hole in my suggestion. All they need to do 
> is import the table links from an approved application front end and 
> bingo... they have full access to the tables.
>
> Back to the drawing board.
>
> #############################################################
>
> Lambert
>
> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com 
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Rocky Smolin
> Sent: Monday, April 26, 2010 9:25 AM
> To: 'Access Developers discussion and problem solving'
> Subject: Re: [AccessD] Database Needs Password Protection
>
> Lambert:
>
> His requirement is that anyone who tries to modify the back end directly 
> will be unable to do so but will still be able to modify the data through 
> the front end. It looks like with your approach a member of the group will 
> be able to open the back end directly and be able to modify the data in 
> the tables.  True?
>
> Rocky
>
>
> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Heenan, Lambert
> Sent: Monday, April 26, 2010 6:18 AM
> To: Access Developers discussion and problem solving
> Subject: Re: [AccessD] Database Needs Password Protection
>
> Rocky,
>
> What kind of restrictions do they want? If they simply want to prevent 
> users from getting into the folder that holds the backend files then you 
> can do all of that with Windows security (NT/2K/XP/Vista/7) and not a line 
> of code needed.
>
> You'll need cooperation from the client's network people but...
>
> First thing you want is a windows user group into which all the users are 
> added. This makes it much simpler when applying permissions to folders.
>
> So. First make a folder on the server say 'Databases'
>
> Next create a subfolder called 'Backends'.
> Third create a subfolder in Backends which you can call 'Data'.
>
> Now modify the permissions on 'Databases' granting the user group modify 
> permissions and apply the permissions to the folder and all sub-folders.
> Also make sure that an administrator's ID and or the Database 
> administrator's ID is granted full control of the folder tree.
>
> Now you need to modify the permissions on the 'Backends' folder.  Open the 
> properties sheet for the folder and select the 'Security' tab. Click the 
> 'Advanced' button. Select the user group in the permissions listing, and 
> click 'Edit'. In the resulting dialog box clear the check boxes for 
> 'Traverse Folder / Execute File', 'List Folder / Read Data' and (most
> importantly) 'Delete Subfolders and Files'.
>
> Click OK and OK.
>
> The end result is that the users in the user group have modify permissions 
> to the 'Data' folder, and that is where all the backends would reside, in 
> their own sub-folders if desired. However, the users will only be able to 
> look inside the folder 'Databases' where they will see that there is a 
> folder called 'Data' inside it, but they will not be able to browse into 
> 'Data' nor delete it. Is that sufficiently restricted access?
>
> HTH
>
> Lambert
>
> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Rocky Smolin
> Sent: Sunday, April 25, 2010 3:28 PM
> To: 'Access Developers discussion and problem solving'
> Subject: [AccessD] Database Needs Password Protection
>
> Dear List:
>
> In my manufacturing software users log in with a password that gives them 
> 1) read only, 2) read write, 3) administrator access.  But the back end is 
> wide open. So far this has not been a problem.  Everywhere the system is 
> installed people 'play by the rules'.
>
> Now comes a client who wants access to the back end restricted.  So I'm 
> trying to think of a way to do that with the least disruption to the system 
> which BTW supports multiple back ends - the user can open a different back 
> end through an 'Open a Database' utility.
>
> In the code, of course, I'd have to change all occurrences of
>
> set db = CurrentDb to
>
> Set db = DBEngine.OpenDatabase(gstrDB, False, False, ";pwd=" & gstrPWD)
>
>
> where the password would be in gstrPWD.
>
> Then I would have to add a utility accessible only by someone with admin 
> rights, to 1) set, 2) remove, and 3) change the password on the currently 
> linked back end.  Don't know what that code looks like but I suppose I can 
> figure it out.
>
> Question is - is this the shortest distance between the two points?  Or is 
> there another approach which would be faster/better/easier?
>
>
>
> MTIA
>
> Rocky Smolin
>
> Beach Access Software
>
> 858-259-4334
>
> www.e-z-mrp.com <http://www.e-z-mrp.com/>
>
> www.bchacc.com <http://www.bchacc.com/>
>
> --
> AccessD mailing list
> AccessD at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com
>
> 
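
Added example, not part of the original thread or any poster's code: a VBA (DAO) sketch of the admin-only set/change/remove password utility Rocky asks about, using William's scheme of a back-end password built from user input plus a code compiled into the front end. `FE_SECRET`, `BuildBePassword`, `OpenBackEnd` and `ChangeBePassword` are hypothetical names, and the secret value is constructed.

```vba
Option Compare Database
Option Explicit

' Hypothetical: the code hidden in the compiled front end (constructed value).
Private Const FE_SECRET As String = "x7Q-sample"

' Back-end password = user input & hidden front-end code.
' A zero-length user part maps to "" (no database password).
Public Function BuildBePassword(ByVal strUserPart As String) As String
    If Len(strUserPart) > 0 Then BuildBePassword = strUserPart & FE_SECRET
End Function

' Stand-in for "Set db = CurrentDb": open the back end with the derived password.
Public Function OpenBackEnd(ByVal strPath As String, ByVal strUserPart As String, _
        Optional ByVal blnExclusive As Boolean = False) As DAO.Database
    Set OpenBackEnd = DBEngine.OpenDatabase(strPath, blnExclusive, False, _
        ";pwd=" & BuildBePassword(strUserPart))
End Function

' Set, change or remove the back-end password in one routine:
'   set    -> strOldUser = "",  strNewUser = new value
'   change -> both supplied
'   remove -> strNewUser = ""
' Returns False if the old password is wrong or the file is in use.
Public Function ChangeBePassword(ByVal strPath As String, _
        ByVal strOldUser As String, ByVal strNewUser As String) As Boolean
    Dim db As DAO.Database

    On Error GoTo Fail
    ' Opened exclusively, which the password change requires.
    Set db = OpenBackEnd(strPath, strOldUser, True)
    db.NewPassword BuildBePassword(strOldUser), BuildBePassword(strNewUser)
    ChangeBePassword = True

Done:
    On Error Resume Next          ' cleanup must not re-enter the handler
    If Not db Is Nothing Then db.Close
    Set db = Nothing
    Exit Function

Fail:
    ChangeBePassword = False
    Resume Done
End Function
```

Linked tables keep the back-end password in their `Connect` string, so existing links have to be refreshed after a change, and any front end that holds such links exposes the password to whoever can import them.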



