Security..Is there another way? (RE-STATED)

[marianne]

Thanks for the reply Doc_man and DJKarl.

Doc_Man

1. it is in my mind to consider using SQL
2. I do know that access is for small environment applications
3. I could probably find some person to make some dll for me but what is lacking on me is how to apply the encryption method to the database password and subsequently applied to database.
4, Sorry, I dont know who is Rod Serling.
5. Yes, probably this question is quite difficult but I am more inclined on believing that it is more difficult for some of us who really not that good at VBA.


DJKarl

1. ok. so DB_Encrypt tells compactdatabase to use the RSA encryption. is there a way to tell compactdatabase to use my own customized encryption?

2. Yes, I do listen to everyone's advice here but still I would like to know how to do it as an option for me. and it would be part of my learning knew things in access.

 

[gemma-the-husky]

marianne - you said in post 15

cant the forum help me with my need?

I am struggling to understand what your need IS.

I thought this was just a general interest - type thread - so what are you trying to achieve? and on which access platform?

eg security against hackers. security levels for users, or just database integrity.

 

[DJkarl]

Thanks for the reply Doc_man and DJKarl.

DJKarl

1. ok. so DB_Encrypt tells compactdatabase to use the RSA encryption. is there a way to tell compactdatabase to use my own customized encryption?

No there is not, DB_ENCRYPT is simply a constant, CompactDatabase is a compiled function and will only perform the tasks it has been programmed to do.

 

[The_Doc_Man]

1. it is in my mind to consider using SQL

Good, I think in the long term, that will be where you need to go.

2. I do know that access is for small environment applications

Actually, I didn't doubt it for a minute. My writing style can be a bit pedantic at times, though, and I didn't want that point to be forgotten. If you feel I beat you over the head, neck, and shoulders with it, sorry.

3. I could probably find some person to make some dll for me but what is lacking on me is how to apply the encryption method to the database password and subsequently applied to database.

To be blunt, you are still on a path that will not be helpful to you. Encryption is not a method of securing against someone who is a legitimate but malicious user who already has the password. O/S security is far more effective in disallowing people access unless they are in an appropriate Windows site-defined group. Your Windows System Admin will know about these groups and the Access Control Lists (ACLs) needed to make them useful. If you try to improve security of Access itself in isolation, you are looking at only one page of a thicker book. Windows can help. Firewalls can help. Domain administrators can help you set up the structure you need if your site is domain-based, with a domain server and domain-level accounts. Doing security in isolation is doomed to failure. PERIOD.

4, Sorry, I dont know who is Rod Serling.

Whoops, guess I'm showing my age. Rod Serling was the genius behind the 1960s TV series "The Twilight Zone" - a classic in stories of the bizarre, macabre, horrific, and unusual. About like some of the stories I hear on the forum.

5. Yes, probably this question is quite difficult but I am more inclined on believing that it is more difficult for some of us who really not that good at VBA.

And here is where I have to be brutally honest, with no intent to insult and every intent to inform. Without VBA behind the scenes in your forms to make the db sensitive to who is logging in, even using ULS, you are going to have a bad time. I can recommend a book for you, but it is heavy reading and doesn't always cover everything despite its thickness and its depth of investigation. From Wrox press, I use "Access 2003 VBA - Programming Reference" by Cardoza, Henning, Seach, and Stein. I'm sure others of the forum have their favorites. If you are a beginner in VBA, that book would take you quite far. By no means is it the only way to get where you need to be, though.

You are looking for a fast solution to a difficult and complex problem. This problem is tough enough that it could easily cost you your family life, sanity, and health if you don't take it seriously and attack it as a monster problem. The only solution will be lots of hard work programming your forms to implement your security requirements, then compiling your DB to a .DBE file and implementing other steps so that the product as a whole includes security steps at every turn.

If you have such serious security concerns, you might wish to engage the services of a professional computer security consultant who takes on programming tasks. Before you ask, I am not available due to terms of an employment contract.

I surely wish you well and am trying to give you advice that will help you find your way through the mine field that you have discovered in front of you. I regret that it might appear that I am being an obstructionist. However, the level of help you are requesting is far more than this forum was ever designed or intended to give through normal posting channels.

 

[marianne]

To post number 22. To Dave:

Dave thanks for the reply. just to reiterate my problem for you, I am using access version 2003. What I would like to achieve is a database password security like of version 2007 where 2007 does not implement anymore ULS to its new version for its more empowered database password with improved encryption.

I know how to make my own encryption. My problem is how can I encrypt the database password and apply it to the database.

TO POST NUMBER 23: TO DJKARL

if I may just ask, if I assign in my vba the value of pi to 3.1416 as constant, I can also alter it someday to any value. so if db_encrypt is a constant somewhere, cant it be altered and be replaced? or perhaps, db_encrypt constant can be replace but the function compactdatabase cant be?

TO POST NUMBER 24: TO DOC_MAN

1. I dont know much of SQL. What program do I need to make tables in SQL.

2. With regards to security measures, I have also looked into OS security, SQL and ULS. I have also looked into the matter of Human Resource. You see I am very persistent on finding this solution and maybe futile for no direct help.

3. Quote: "However, the level of help you are requesting is far more than this forum was ever designed or intended to give through normal posting channels."

Well for one, last year I was looking for people who could assist me on building access projects, regarding codes especially. Only this year that I searched the internet that this forum exist, so I was happy that I can talk to someone and ask for assistance. When I find this forum and until now, I see lots of samples and post on high level of programming talks. So definitely I said to myself, this is one big help for me. and that's how I find this forum. It did not came to my mind that this forum cannot assist me on this simple problem of mine especially with our MVP's around.

 

[The_Doc_Man]

Fair questions.

Access connected to an SQL back-end via ODBC methods can create tables. Or you can look up something called Data Definition Language (DDL), a variant part of SQL that defines the characteristics of tables, fields, and their attributes. In which case, entering SQL-like DDL commands to the SQL server or MySQL server will also be possible.

I am glad that you are persistent. You will need it.

It did not came to my mind that this forum cannot assist me on this simple problem of mine especially with our MVP's around.

Being an MVP isn't a guarantee that we can help you if you want to do something not within the easy parts of Access. You have admitted more than once that you are not strong in VBA. In order to tackle this problem, you will need to be. Security isn't about encryption. It isn't about making something obscure. The truth is, a determined hacker will eventually break into anything s/he wants to.

The only question is, can you make it tough enough to persuade the hacker to try something else? This is the "Theory of Low-Hanging Fruit." A hacker with no specific agenda will look for web sites or computer systems that have not implemented normal security. If you have implemented reasonable security and other sites around you have done less, hackers will pass you by. Unless... they have a grudge against your company or think your company has information that is actually worth a lot of effort.

You can do best for yourself in terms of security by implementing all security guidelines in accordance with your site's security policies. This includes patching everything that can be patched, painful though that can be to get "caught up" with an ever-mounting load of security patches. According to several security surveys in 2005, the most common reason that people got hacked or virally infected or Trojan Horsed or whatever is that they failed to patch known faults that had been published among the Microsoft patches for at least SIX MONTHS. A simple Windows Update would have saved them tons of recovery effort.

Browse some web sites, not for access, but for Windows security, to get some ideas about how to secure your system that hosts your database. Notice carefully that I did not say to secure your database. Secure your host system.

Between ULS and doing special code in VBA in each form's class module, that is where you have the best chance of hiding things that need to be hidden. Adding an extra layer of encryption beyond that or outside of the database does NOTHING. Listen carefully. It DOES NOTHING. Because your greatest risk isn't that someone will brute-force attack your system and get into your disk. It is that someone will steal an authorized password and get in, at which time the encryption is meaningless. Systems are designed to let in folks who appear to present proper credentials. That's why I commented about "smart cards" and other biometric methods in an earlier post.

Even if you use Windows directory-level encryption, once someone has the password you are a goner unless you use physical-token or biometric authentication.

I don't know if I'm making that fact clear or you just don't want to believe me. I have no solution to either part of that problem.

A very large part of your problem IS NOT PROGRAMMABLE. It is fixed by education of users and careful review of your site's security practices. It is fixed by yearly "booster" lectures or Power Point reminders of why you secure your terminal when you walk away from it. It is fixed by establishing an environment of security awareness. Static safeguards are ONE SMALL PART of a security solution. It takes literally hundreds or often THOUSANDS of person-days of work to do reasonable security assurance. (I sense that English is not your first language, so... 1 person-day is one person working solidly for one eight-hour day.)

Marianne, I'll say it again. If you want to improve your security you need to do certain things. Study VBA. Look at ways to prevent people from seeing your database window. Product MDE files for distribution. Put code in your class modules that causes the database engine to QUIT if they detect a flaw in whatever they see. Make it a point to work with your site security group to make the system secure as well as the particular database. More detailed data than that DOES NOT EXIST because we don't know your specific problem, and probably never will.

You mourn that we cannot help you. But first, we cannot do your job for you unless you are going to pay us for it, and many of us have employment contracts that limit our ability to do outside work. Second, this is a volunteer site. The magnitude of your problem as you have tried to describe it is so much that it asks too much of volunteers. If you had specific, narrowly-tailored questions, we can help. If you had very broad-brush questions about a concept, we can help. But you sound very much as though you think we should pull magic items out of a hat, and trust me, my magic hat went dry years ago. Yet you should not take that as a statement of non-caring. Just non-ability.

 

[marianne]

thank you very much doc_man for the very quick reply today.

with the second to the last paragraph, I have done what you stated there. And every day I search every references online and on bookstores reading materials that will help me.

with the last paragraph, yes I do believe exerting ones effort really costs something. And I am sorry if I appear that I ask too much from the forum, but I am just optimistic in this forum.

 

[Banana]

if I may just ask, if I assign in my vba the value of pi to 3.1416 as constant, I can also alter it someday to any value. so if db_encrypt is a constant somewhere, cant it be altered and be replaced? or perhaps, db_encrypt constant can be replace but the function compactdatabase cant be?

This is not how it works, actually. If you do this in the immediate windows:

?dbEncrypt

It returns number 2. Basically, it's just a option telling the function what to do. For all I know, the function may do something like this:

If Arguments = 2 Then
   'Encrypt it
End If

(NOTE: This is a wild-assed guess on my part because I do not have the actual source code for this function. This is only had by Microsoft and I do not think they will be sharing it in foreseeable future!)

But that does not mean you can pass 4, 8, or 1000000 into the same function because it was not coded to expect such values.

If the encryption function had some parameter like "Key", or "Algorithm", then you can have more control, but that is not the case. As Wayne at EverythingAccess.com explained already, Access simply just assume RSA-32 without even asking at all and that cannot be changed short of reverse engineering (and before you ask, to do this, you need a decompiler, learn C language to sufficient proficiency that you can read junk codes with no meaningful names into something meaningful and hope like mad it didn't break anything and Microsoft doesn't sic you for breaking the EULA)

Which is why I kept going back to the original assertion; if you want custom encryption, you have to implement it yourself all the way. But why re-invent the wheels when you can just port data into more secure data store such as SQL Server or if you're strapped for cash, MySQL or PostgreSQL (which are free to download and use without any restrictions) and use MDE to lock down the non-data objects or use audit trails to undo any malicious changes.

Adding an extra layer of encryption beyond that or outside of the database does NOTHING. Listen carefully. It DOES NOTHING. Because your greatest risk isn't that someone will brute-force attack your system and get into your disk. It is that someone will steal an authorized password and get in, at which time the encryption is meaningless.

The_Doc_Man, have you been reading the XKCD?

 

[The_Doc_Man]

Actually, Banana, I have not been reading XKCD. I have been forced to stay awake during yearly security lectures by USA Dept. of Defense officials.

But given the sample you posted, I would have to agree with the cartoonist's concept of reality. With my luck, not only would they use a $5 wrench on me to extract the password, but the wrench would have been left out in the rain long enough to get rusty and develop a layer of mold or mildew or something similar. So I'd get tetanus and at least two other toxins from one stroke of the wrench.

 

[The_Doc_Man]

Marianne, there is NOTHING wrong with optimism. Please continue to be optimistic. Just don't forget to leave room for realistic right next to it.

 

[gemma-the-husky]

I havent used A2007 much - so I am not familiar with the security layer. I wil have a look and see how it differs form earlier versions.

 

[The_Doc_Man]

I think microsoft may not make service pack for this database password encryption update for version 2003 and below since they are in the business of sales for new and improved product.

This is from your very first post in this thread. Your presumption is incorrect. MS will continue for at least a while to fix things because they have contracts with the U.S. Government that cover Ac2003. It doesn't matter that AC2k3 came out in about 2003, what REALLY matters is when it fell off the "first tier" list. The U.S. Government Services Administration (GSA) contracts have a little clause that says MS, as a holder of GSA contracts, has to support the product for not less than 5 years after production stops. The critical date isn't when it went into production but rather, when it went OUT of production. The five-year ticker starts THERE.

Because of that, you will see a few MS Office patches that touch the libraries and maybe some of the code where the patch is plausible. However, you are correct that their thrust is on newer software. Just remember, governments are typically the biggest customers for all major office packages and the vendors do NOT want to tick off their biggest customers.

 

[Banana]

Be it far from me to presume myself even remotely knowledgeable about the GSA contracts, but wouldn't 'support' mean "keep things working as they are." and not "enhance functionalities", surely?

For whatever reasons, they made a decision to use RSA-32 encryption for 2003 and below (can't remember which version was the first to have encryption... I'm thinking only 2000 or 2002 or maybe it's only to 2003?) and they didn't do a external API call as they do now with 2007, which was why 2007 was not only stronger but also could be customized as explained in that link to EverythingAccess.com somewhere in middle of the thread. Because it's totally internal, I'm thinking it's not going fall under 'ongoing support' clause in term of beefing up the strength. They'd probably fix oddball case of a weird password breaking the database, yeah, but not beefing up the algorithm.

The more I think about it, the more moot the question become. I think it has been said before somewhere else on the forums that with 2007 runtime being free, one could just buy single-seat license of Access 2007, develop it, and distribute the free runtime engine with the application and pesto - a pure Access solution with better security measures.

Even so, I wouldn't go as far as to say it's ideal because it still is vulnerable, and it's by inherent design; we're swapping around files and requiring full access to the file, so it's just a matter of time for hacker to crack the security measures whereas other RDBMS avoid that problem entirely because files are managed by the daemon and all communication must pass through the daemon. Jet doesn't have a daemon but that's for a good reason- to require that Jet have a daemon would significantly increase complexity and possibly negate any benefits Jet has to offer as a simple & small standalone solution for users who do not have time or money to be/pay a dedicated DBA to manage the solution.

 

[marianne]

thanks for the inputs.

TO DOC_MAN:

say doc_man, if MS will continue to make this patches due to contract with the said government agency, could it be possible that the government ask MS to strengthen the database password and encryption just like version 2007 since this aspect of databasing data is relevant?

 

[The_Doc_Man]

No. They will fix security bugs - BUGS - but will not enhance anything, particularly if it is addressed in a later version.

Which is why I said you might still some articles and patches for a while. New features will only appear in new versions.

By the way, Marianne, I've posted in your original thread that is a restatement of. I'm trying to give you enough of a foundation to see why you are asking Access to do the nearly impossible, i.e. improve security without use of extensive VBA and other security actions, or without switching to an external DB server.

 

[The_Doc_Man]

Banana, your comments regarding that Access will inherently be limited in what it can do because it avoids use of a Daemon / Server-task are pretty much correct, though the other side of that is that the typical things that use Daemon/Server technology are likely to have better internal security capabilities - e.g. data triggers, more robust security analysis, audit logging, etc.