[AccessD] POLL: Access Security

Jim Lawrence (AccessD) accessd at shaw.ca
Thu Nov 13 22:05:06 CST 2003


Drew:

That is the whole issue surround Access security, is that a fully exposed
MDB is very hackable. If the DB can be hidden behind a ASP FE or simply
replaced with another remote BE, some other SQL, the whole security issue is
non-starter and hardly has to be addresses at all.

In my humble opinion.
Jim

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com]On Behalf Of Drew Wutka
Sent: Thursday, November 13, 2003 10:56 AM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] POLL: Access Security


Actually, an .mdb can be made VERY secure by using ASP as a front end.  The
problem with using Access or even VB for a front end, is that you need to
have direct access to the back end.  So if user XYZ is logged on, XYZ needs
permission to have direct Access to the .mdb AND the .mdw.  However, if you
use ASP as the Front End, so the user is using their browser to access the
db, then the users can be completely stripped of access to the .mdb itself.
In fact, if you store the .mdb on the IIS server, and you don't even have to
have share access to it.  Sure, you're then relying on NT security, but you
can button that down pretty tight.  So you can keep the .mdb and the .mdw at
an 'unavailable' location.

I've used Access User Level security quite a bit, I don't find it difficult
at all (partly due to so many similarities between it and NT security).
However, it is a pretty fallible system.  With enough time and resources,
and it can be cracked.  Actually for $40 (last time I checked), you can
crack any .mdb, as long as you have a copy of the .mdw with the
administrative accounts in it.  Even with a solid knowledge of Access User
Level security, you are still dependant upon the users ignorance for it to
be secure.  With what I was talking about with an ASP front end, you are
taking the level of security to a point where a SERIOUS hacker would be
required to get at whatever you want protected.

Drew

-----Original Message-----
From: Rocky Smolin - Beach Access Software [mailto:bchacc at san.rr.com]
Sent: Thursday, November 13, 2003 9:03 AM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] POLL: Access Security


But seriously there are some apps, like the HR apps (someone, I forget who,
wrote in about) where you want it real secure.

But even in that case, passwording the back end and maybe encrypting it,
with some additional restrictions in the front end like I use and then
making an mde would seem to do the trick without having to get mixed up in
all that mdw stuff.

Rocky

----- Original Message -----
From: "Rocky Smolin - Beach Access Software" <bchacc at san.rr.com>
To: "Access Developers discussion and problem solving"
<accessd at databaseadvisors.com>
Sent: Thursday, November 13, 2003 6:40 AM
Subject: Re: [AccessD] POLL: Access Security


> Hahahahahahahahahah....sorry.
>
> Rocky
>
> ----- Original Message -----
> From: "Gustav Brock" <gustav at cactus.dk>
> To: "Access Developers discussion and problem solving"
> <accessd at databaseadvisors.com>
> Sent: Thursday, November 13, 2003 5:55 AM
> Subject: Re: [AccessD] POLL: Access Security
>
>
> > Hi Rocky
> >
> > So why is JC's world so much different from yours and mine??
> >
> > /gustav
> >
> >
> > > Had to fool with it once on a legacy app and got around it.  But it
was
> a
> > > big PITA.
> >
> > > I generally roll my own by having the user log in with a password.
They
> get
> > > one of three levels of access to the whole system - 1) read only, 2)
> > > read/write, 3) admin.  I put their access level in a global variable.
> Each
> > > form has to check the access level then to see if they are allowed to
do
> a
> > > certain function.  So far, the three levels have been adequate and no
> one
> > > except for one client has wanted function of field level control.
> >
> > _______________________________________________
> > AccessD mailing list
> > AccessD at databaseadvisors.com
> > http://databaseadvisors.com/mailman/listinfo/accessd
> > Website: http://www.databaseadvisors.com
> >
>
> _______________________________________________
> AccessD mailing list
> AccessD at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com
>

_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com



More information about the AccessD mailing list