Database Security

[james_halliwell]

Hi everyone,

I have built a database which is used for work, it is used by a few different departments but there seem to be a few changes that i havent made, since this has started to happen i have been asked by my boss to protect it.

Is there a way to password protect it just if there have been modifications not when you open it ( i have taken quick messures and removed the navigation Pane and just put default menus )

Can any one suggest anything

 

[Banana]

If you just want a simple implementation to keep honest users honest, I would recommend re-distributing the application as a MDE or ACCDE, which is basically same thing as MDB or ACCDB file only with code stripped away so no design changes can be made.

They still can, however, import/export the tables and queries, but if the database is split, then you probably could use a database-share password on 2007 and store the password in the the new MDE/ACCDE file so it can access the backend when it open up.

The password can be read plaintext if they know where to look for (and would think of opening it in a notepad, for example), but I feel that at this point, it's more of a human resource issues- a company is going to have problems if they can't trust their employees to be honest and by that point, they've obviously went far enough to be constructed as nothing other but than circumventing the design of the application.

Another option you have available is to try out vPPC, which you can download from UtterAccess forums.

HTH.

 

[marianne]

vPPC? can you give us the link here Banana?

 

[Banana]

vPPC

 

[marianne]

Banana this is acc2007 version. does it have acc2003 version. or could you possible convert this to acc2003 so we can study it.

 

[Banana]

Though the OP didn't explicitly say, he was using 2007 (I inferred from the phrase "navigation pane", which is available in 2007 but not earlier.

vPPC is pretty much irrelevant to 2003 & earlier because vPPC addresses the issue of ULS being removed from 2007, but in earlier version you still have ULS so you can use this.

 

[marianne]

i see. thanks for that answer. but can I ask your help Banana. I have been studying ULS but not much clear to.

I made a custom permission procedure. this include two, first table has userid, username, userpassword and second table have userid, formname, (add, edit,view, delete) which are YES/NO field.

i made the custom to make it simplier. because, if I included the ULS option in my application, maybe the user will be in difficulty using it.

but I wanted my backend db objects to be protected by ULS so that when the backend objects are exposed even if the database password is cracked, they cannot open the objects and when using the link manager, they cannot use the link manager to link from the backend to frontend if they are not permitted.

Moreover, I know after using ULS, there will be password generated. I would like to eliminate that login form generated by ULS since I have my own login form.

do you know how to accomplish that?

 

[Banana]

Two questions:

1) Is this a pure Access solution or a front-end Access with a RDBMS backend?
2) What are you after? Data security (e.g. keeping the prying eyes out) or permissions management (e.g. make sure users don't accidentally hurt themselves)?

 

[marianne]

1. it is front and backend access.
2. I am after for data security and permissions management.

 

[Banana]

A note of caution.

It is quite difficult to secure the data in a pure Access solution from a dedicated hacker or a disgruntled employee bent on destruction. Usually the security of data from non-users is accomplished using Windows filesystem permissions and/or networking permissions. Fence off the LAN from the world, then that's done.

But if it's the employees we are protecting from, then I would argue we have a bigger problem and it's not a IT problem but rather a human resource problem. For most parts, employees already have incentive to be honest and not break the application- after all, their paycheck depends on it.

It must be understood that even with a secured application, it still can be:
1) cracked with a password cracker available for download, even for ULS
2) read plaintext in a notepad or any text editor
3) once the access is granted, whether directly or indirectly, they may find a means of copying the data off.

With all that in mind, my usual recommended guide for ULS security is Jack MacDonald's pdf.

Reading the pdf will help make sense of below and how you how to actually do it.


IMHO, a best solution I would use would be to create at least two separate mdws, one that contains the administrative privileges, the other that is distributed to users. The first one is never distributed so that means the application get distributed with the administrator user "missing". It is difficult to crack the .mdw when there's no info in it to be cracked other what they already were privileged with but is not bulletproof as it is possible to crack the .mdb file and extract the SID and reconstruct the missing user. Hopefully, that expertise would be beyond most of the users anyway.

You also definitely want to compile the .mdb into a .mde as it makes it difficult to do any design changes or even just reading the source code. If you have dough to burn, you could also buy MDE Code stripper from EverythingAccess.com for extra precaution (I have not used that product neither can I comment on its effectiveness. Caveat Emptor.) If the ULS is properly set up, the user will not have any permissions to the tables and queries and lack the permission to create new tables/queries so import/export would be no-go. The only permissions the users should have is forms and only through the forms can they execute queries/open & print reports and access the table. I can't recall if forms is able to execute other objects that the user do not have the permissions, but if that is the case; that means certain queries that will be used by forms & reports will have to be written with WITH OWNERACCESS OPTION, so the query can be owned by someone else without giving the users permissions to the base tables or queries this query is based upon.

Hopefully that helps.

 

[DJkarl]

My general take on Access security is it's good practice to take general precautions to secure the database from accidental mistakes or general mischief, but putting forth a monumental effort to make it completely secure is wasted time. I think of it as trying to use a the world's greatest security system on a screen door, if someone really wants to get in they're going to.

 

[Banana]

DJkarl-


Beautiful.