How much security do we really need?

PamelaJoy

Our db is ready for use, replacing the former dBase system. There are only two of us in the office - I am the db developer and the GM will use it to update records and print reports. This is easily accomplished from the Switchboard (so he doesn't ever need to see anything else). The db resides in a folder shared by both of our computers.
When the db is opened, only the Switchboard appears. I can use F11 to maintain it, and the GM has no Access experience or desire to do anything else. He knows all of the proprietary information in the tables - I'm only preventing him from having to learn the application, and from deleting or otherwise hosing things up accidentally.
Our security issue stems from someone outside of the company being able to tap into our db, or copying the db design, either through a wireless connection, or being in the office. What is the best/easiest/cleanest way to implement that level of protection? If I just split the database and password protect the be, will that prevent an outsider from being 'nosy Rosy' or from copying everything?
I initially set up a shared workgroup, and gave the GM one level of use and myself everything. But I don't want to have to enter a password every time we open the db if it's not really necessary, and if the Switchboard will keep it protected from innocent mistakes.
If ULS is still recommended, since this is the only access application we (will ever!) use, can I just keep both of our computers logged in to the new workgroup, or do we have to switch back to the System.mdw group for some reason (as most here seem to recommend)?
Thanks in advance for your advice!
Pam
 
It sounds like you are particularly interested in allowing only users access to the database itself and keeping out the nonusers. If you also trust the users (e.g. that's you and the GM) to not mess with objects within the database and would be content just to keep out the users, then I think the best & secure answer is to use Windows permissions.

That is, place the database in a folder that only you & GM have permission to open, read, write, delete and deny all permission to others for the same folder. This is simple to set up and far more secure than using a password (easy to break), or ULS (download a cracker, it's good as a corralling system but not that good as a security system).

HTH.
 
I'll read up on that method now - it sure beats the hassles I've had with the ULS (locked myself out more than once and had to start over - NOT WORTH IT!) and having to add passwords, travel through the right workgroup, etc. Yes - all I'm concerned about is keeping everyone EXCEPT the GM and I out of there! Thanks so much. Glad you were logged in this morning, Banana.
Pam :)
 
Glad to help.

Just to be sure as I didn't give the obvious keywords; look at 'Windows filesystem permission' or 'Windows folder permission' or maybe even 'Windows folder security.'

Also to be explicit; you & GM must have full permission on the folder or Access may not work at all.
 
I am so frustrated. I just spent my whole weekend learning about then diagramming what I needed to do to use Microsoft Permissions . . . only to come in this morning and discover our files at work, unlike ours at home, are formatted in a FAT file system rather than NTFS so it appears there is no way to access folder security or set up permissions.
If I set up a shared workgroup .mdw, split the database, use password protection, and put the front end on a shared folder that both the GM and I have access to, how secure would that be? Enough? We do have a firewall to (hopefully) prevent outsiders from just popping in, and if the db is password secured, it would (hopefully) prevent the cleaning crew from becoming double-agents . . . right? (There are no other computers but mine and the GM's in the office) I could then make shortcuts from each of our desktops to travel through the correct workgroup, which would be missing if someone tried to access the db directly.
Any ideas?
 
Frustrating, indeed!

I'm not so sure how important security is to you, and that's something you need to decide for yourself, but I can describe what is feasible:

1) There exist programs that can crack either the database password or workgroup security, and they are freely downloadable.
2) Unless you choose to encrypt the database (and take a performance hit), all data can be read as plaintext when one opens the .mdb file in, say, Notepad. This isn't an effective way to read data, but it does work for locating and extracting a password, busting any DIY security mechanisms using VBA. Any literals such as this:

Code:
Mypassword = "foobar" '<-- foobar is a literal and will be saved plaintext
Mypassword = Me.SomeTextbox '<-- A reference to a control isn't a literal

can easily expose a password or key that one creates themselves. Workgroup is a little better because it's always encrypted but as mentioned in #1, it can be cracked anyway.

Clearly, this depends on how savvy anyone who has potential access to the computer is. A janitor who scarcely understands how a mouse works may not even know where to look for such a program or even know one exists and that it will work. But then again, if the janitor is a whiz kid with a propensity for trouble.... it's probably no good.

One thing I just want to make clear... can you possibly require a password to log in to your & the GM's computers, even after a brief inactivity? That would be far more secure and protect not only the Access document but also everything else.

If that's not feasible, and you feel that workgroup security will be inadequate, then the next advice is to place the data in a different product that has a more robust security mechanism. Mind, you still can use Access forms & reports and link them to whatever you use as long as it has ODBC support: SQL Server Express edition, MySQL, PostgreSQL, and a few more. (All that I've listed are free BTW)

HTH
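
The point above about string literals being readable in the file can be turned into a pre-release check on your own front end. This is an added example, not part of the original thread: the function names are hypothetical, the sample bytes are constructed (not a real .mdb), and it assumes a literal would appear as ASCII or UTF-16LE text.

```python
"""Audit a file for secrets that were hard-coded as string literals."""
import sys
from pathlib import Path

# Encodings a stored literal is assumed to use (an assumption, not from the thread).
ENCODINGS = ("ascii", "utf-16-le")


def find_literal(data: bytes, literal: str) -> list:
    """Return (encoding, offset) for every occurrence of literal in data."""
    hits = []
    for enc in ENCODINGS:
        try:
            needle = literal.encode(enc)
        except UnicodeEncodeError:
            continue  # literal cannot be represented in this encoding
        start = data.find(needle)
        while start != -1:
            hits.append((enc, start))
            start = data.find(needle, start + 1)
    return hits


def audit_bytes(data: bytes, secrets: list) -> dict:
    """Map each secret that is visible in data to the places it was found."""
    report = {}
    for secret in secrets:
        hits = find_literal(data, secret)
        if hits:
            report[secret] = hits
    return report


def audit_file(path: str, secrets: list) -> dict:
    """Run the audit over a file on disk, e.g. a front end before distribution."""
    return audit_bytes(Path(path).read_bytes(), secrets)


# Constructed sample standing in for file contents: one literal stored as
# ASCII, one as UTF-16LE, surrounded by padding bytes.
SAMPLE = (
    bytes(16) + b'Mypassword = "foobar"' + bytes(8)
    + 'Key = "s3cret"'.encode("utf-16-le")
)

if __name__ == "__main__":
    # Usage: python audit.py <file> <secret> [<secret> ...]
    for secret, hits in audit_file(sys.argv[1], sys.argv[2:]).items():
        print(f"{secret!r} is readable in the file at {hits}")
```

Any hit means that value should not live in the code; a value typed in at run time, like the control reference in the post, leaves nothing to find.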
 
Thanks. I'm still bummed though! I think I'll look into NTFS more, thinking that maybe I can create a new logical drive in a separate partition. That way I can be the boss, and put the db there but with a different (NTFS) file system.
And after all the design, development, and testing - I thought this was going to be the easy part - just put it in a shared folder and run with it!
 
There is a facility in XP to convert to NTFS.

The most important issue is to first protect the frontier, using security on any wireless connectivity, either WAP or WEP. You need to be careful with wireless connections using connectivity as it may corrupt the database.

To protect the application split it into tables Back End and programs Front End. Make a Front End mde or accde and put on yours and the GM's PC. This means that only people with the Front End can access the application. This only leaves you to secure the data.

Simon
 
Even if you are running a FAT file system, you have to define a SHARE in order to allow someone to use the files. I believe that if you have a domain-based setup, you can still put permissions on the SHARE. However, I would agree that you would do better if you could convert the existing system to NTFS or if you could build a small NTFS that is big enough to hold your DB and keep a little room for expansion.

Backup? Regardless of the file system type, ALWAYS back up your DB on a regular and predictable basis. A regular backup is like a regular heartbeat. Without them, you might end up "dead in the water." (Metaphorically speaking, of course.)
 
:( I think I am going to cry . . .
I have a nice, big, NTFS file location set up, ready to go, only to discover we run on Windows XP HOME EDITION (which must have come with the Dell computers the company purchased years ago) so I still can't utilize Permissions. The Security tab is not available, and the line 'Use simple file sharing (Recommended)' box to uncheck is not even visible on the Folder Options' View tab to make it so.
I brought up my system in safe mode, logged in as Administrator, editing the permissions on each of the group/user names, and checking 'Replace permission . . ' on all, but nothing seems to have changed when I restarted (unless I did something wrong?)
As for backing up - I have made it a habit to make a copy of the db every time before I 'go in' so that I can always say 'never mind!' if something goes wrong. (Those copies were often my best friends during db development/creation!) Every Monday morning I already copy the backup of our accounting program to an offsite host, and plan to do the same with our db as well.
Guess we have become too big for our britches. It looks like I need to look into a different security mechanism altogether after all. I am none too trusting of the outside world . . . and learning more than I ever really wanted to!
 
Pamela,

What happens when you right click on the file and go to properties? Forgive me but I don't use Home Edition.

Simon
 
Here are the two screens when you right click on the folder's properties, followed by the screen that I would use to change the folder properties - the 'Use simple file sharing (Recommended)' line would be just below where my screen ends.
Thanks in advance for ideas, advice, direction, etc.
Pam
 

Attachments: SharedDocsGeneral.jpg, SharedDocsSharing.jpg, FolderOptions.jpg

You can still have a user logon with XP Home to protect your PC generally. I wouldn't worry too much about the back end to be honest.
 
I just want to be smart - our db holds all of our proprietary recipes, some of which are patented. You just never know 'what evil lurks in the hearts of men' these days, unfortunately. But who would have thought I'd develop the db at home using Windows XP Professional, only to take it to the office where we run on Windows XP Home Edition?!
I do plan to try and outsmart the shared folder starting in Safe Mode using the trick I found online. Thanks to everyone for your input and advice.
Pam
 
You know, if the data is so valuable that even setting up a login screen and forcing a timeout after a period of inactivity is not good enough for you, I would definitely want to think about putting the data in a much more secure environment. I'm not that familiar with Home XP but I worry, given the fact there's no file/folder permission built in, that even moving data to a more secure backend such as SQL Server, MySQL, PostgreSQL, Oracle... whatever may be an exercise in futility because they still can get to the data files directly. If you can even just acquire a cheap workstation and install some kind of server OS (even a Unix-like one) that has the proper security mechanism in place and secure the data with the aforementioned servers, you can be more confident in it being safe from prying eyes and still use your Access application with very little changes.
 
I like that idea best of all, Banana. The GM did not want to have to log in every morning, (let alone after a period of being idle during the day) so that option wasn't an easy sell. And he has recently arranged for the ability to access his computer remotely from home, so now he leaves his computer on not only all week, but also over the weekend. It does require a password, and his son had to set up permission on the office end, but I think with just those habits alone we're flirting with disaster.
I want to thank everyone for helping me determine our best options - what a great group of unselfish, helpful brains this forum has to offer.
Pam
 
What I meant was that any legitimate user with access to the front end and back end can probably easily copy all the data.

It's generally hard for them to get at the back end though - so often all you need to worry about is the front end.
 
I figured that's what you meant! :) Thanks for the input, Gemma.
Pam
 
