Go Back   Access World Forums > Microsoft Access Discussion > Theory and practice of database design

 
Closed Thread
 
Thread Tools Rate Thread Display Modes
Old 09-24-2018, 12:58 PM   #1
isladogs
Part time moderator
 
isladogs's Avatar
 
Join Date: Jan 2017
Location: Somerset, UK
Posts: 10,448
Thanks: 112
Thanked 2,862 Times in 2,607 Posts
isladogs is a splendid one to behold isladogs is a splendid one to behold isladogs is a splendid one to behold isladogs is a splendid one to behold isladogs is a splendid one to behold isladogs is a splendid one to behold
Access File Security : MDB / MDE vs ACCDB / ACCDE

I’ve been going on about security in Access databases for some time.

Whilst there are many things that developers can do to improve the security of their applications (both design & data), no Access database can EVER be made 100% secure.
A capable and determined hacker can break any Access database given sufficient time and determination.

Recently, I’ve also stated on more than one occasion that the older MDB / MDE file format is FAR LESS secure than the newer ACCDB / ACCDE format.

Whilst this is hardly news to many developers, I’ve had a few requests to provide more details to justify this statement

Attached is an article in PDF format (zipped) summarising the results of several simple tests I ran using a hex editor to view a variety of files.

The files are also attached if anyone wishes to repeat the tests
a) MDB.zip - Access 2003 MDB / MDE files with/without password protection
b) ACCDB.zip - Access 2010 ACCDB / ACCDE files again with/without password protection

In each case, the BE file has the password dinsdale. It contains 1 table with 2 records
The FE files are linked to this table. Where FE files have a password, this is MDS

In summary, for MDB/MDE files:
a) the password in a BE file can easily be read from the FE using a hex editor even if the FE is password protected.
b) the linked table fields & data can also be read even if the FE is password protected

For ACCDB/ACCDE files:
a) the password, linked table fields & data in a BE file can also be read from the FE using a hex editor UNLESS the FE file is encrypted with a password.
b) if the FE is password protected, the whole file is encrypted so nothing can be read by this method

I would appreciate any feedback on this article
Attached Files
File Type: zip ACCDB.zip (1.33 MB, 101 views)
File Type: zip MDB.zip (75.9 KB, 80 views)
File Type: zip Checking Access File Security - MDB vs ACCDB format.zip (315.9 KB, 94 views)

__________________
If this answer has helped, please click the Thanks button and/or click the 'reputation scales' symbol on the left.

Website links:
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
,
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
,
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
,
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


Colin
Access 2010 32-bit, Access 2016 32-bit & 64-bit, SQL Server Express 2014, Windows 10,
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
,
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.

Last edited by isladogs; 09-24-2018 at 02:16 PM.
isladogs is offline  
The Following 4 Users Say Thank You to isladogs For This Useful Post:
Galaxiom (09-24-2018), Isskint (12-13-2018), Minty (09-25-2018), The_Doc_Man (09-24-2018)
Old 09-24-2018, 04:52 PM   #2
Galaxiom
Super Moderator
 
Join Date: Jan 2009
Location: NSW Australia
Posts: 11,611
Thanks: 89
Thanked 1,494 Times in 1,410 Posts
Galaxiom is a splendid one to behold Galaxiom is a splendid one to behold Galaxiom is a splendid one to behold Galaxiom is a splendid one to behold Galaxiom is a splendid one to behold Galaxiom is a splendid one to behold Galaxiom is a splendid one to behold
Re: Access File Security : MDB / MDE vs ACCDB / ACCDE

The importance of the bottom line cannot be overstated:
Quote:
However, an Access database can NEVER be made 100% secure. A capable and determined hacker can
break any Access database given sufficient time and determination
If data security matters, the backend needs to be in a database server. No ifs, no buts. An Access backend file must be available to users and as such they may be able to copy and exfiltrate the file to break the security offsite at their leisure.

Having said that, ultimately if a user can see the data then it is at risk. The PCs on our domain even have their USB ports disabled to prevent files being taken away but there is no way to stop someone photographing the screen. There are stories on line of cases where data has been stolen in this way.
Galaxiom is offline  
Old 09-25-2018, 02:28 AM   #3
isladogs
Part time moderator
 
isladogs's Avatar
 
Join Date: Jan 2017
Location: Somerset, UK
Posts: 10,448
Thanks: 112
Thanked 2,862 Times in 2,607 Posts
isladogs is a splendid one to behold isladogs is a splendid one to behold isladogs is a splendid one to behold isladogs is a splendid one to behold isladogs is a splendid one to behold isladogs is a splendid one to behold
Re: Access File Security : MDB / MDE vs ACCDB / ACCDE

Quote:
If data security matters, the backend needs to be in a database server. No ifs, no buts. An Access backend file must be available to users and as such they may be able to copy and exfiltrate the file to break the security offsite at their leisure.
Agree totally.... though I had to look up the meaning of exfiltrate!
withdraw (troops or spies) surreptitiously, especially from a dangerous situation.

For info, I've updated the attached PDF file to include additional information about the security (or rather lack of security) for linked SQL tables in any MDB file format (including password protected MDE files)

For those who may not have time to read the PDF document, here are some screenshots which I hope are self explanatory:

Details of password protected MDE file in a hex (text) editor:


Details of password protected MDB BE file:


SQL Server BE details in password protected MDE file:


Hopefully these make it clear why no MDB/MDE data in a BE file can ever be totally secure if users have access to the FE file location.
They don't even need to know the FE or BE passwords to view the file using a hex editor.


For comparison, a password protected ACCDB/ACCDE file is fully encrypted and therefore much safer:

__________________
If this answer has helped, please click the Thanks button and/or click the 'reputation scales' symbol on the left.

Website links:
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
,
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
,
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
,
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


Colin
Access 2010 32-bit, Access 2016 32-bit & 64-bit, SQL Server Express 2014, Windows 10,
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
,
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.

Last edited by isladogs; 09-25-2018 at 09:57 AM.
isladogs is offline  
The Following 2 Users Say Thank You to isladogs For This Useful Post:
Isskint (12-13-2018), Minty (12-13-2018)
Closed Thread

Tags
access security , mdb/mde vs accdb/accde

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
The way to 100% secure your accdb/accde file ? dhlao Theory and practice of database design 8 02-18-2016 10:04 AM
Question Making ACCDE file from ACCDB file teja General 9 11-04-2013 07:54 AM
Open A forn in a .accdb file by a form in another .accdb file Power_User Forms 1 03-16-2012 06:26 AM
Question Saved File from Accdb to Accde and it won't open sladetroityer General 0 01-26-2012 07:42 AM
ACCDB to ACCDE file konaan1 Forms 4 12-07-2011 08:23 AM




All times are GMT -8. The time now is 11:47 AM.


Microsoft Access Help
General
Tables
Queries
Forms
Reports
Macros
Modules & VBA
Theory & Practice
Access FAQs
Code Repository
Sample Databases
Video Tutorials

Featured Forum post


Sponsored Links


Powered by vBulletin®
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
(c) copyright 2017 Access World