Access 2003 Security

brincat.mark

Hi all.

I'm new to securing Access dBs. I'm working on a small Access 2003 dB,
which I would like to secure. I have created the MDW and joined it
from my dB. I don't have access to the dB without the proper login/
password combination.

However, I noticed that when I rename or delete my MDW, Access simply
creates a new System<n>.MDW file (where <n> is a sequential number)
in the Documents and Settings folder (I'm working on XP). After this,
I was able to access the dB without any logins and passwords
whatsoever.

This is beyond me ... if Access Workgroups are supposed to be secure,
how am I able to delete/rename the Workgroup file, Access simply
creates a blank System.MDW and I'm in so easily?

Can anyone help pls?

Regards,

Mark
 
Andy

Mark,

I would not recommend using the system.mdw for the security file for
your database. Rather I would strongly suggest you copy the system.mdw
to a new file like MyDataBase_users.mdw, where MyDatabase is the name of
the database you want to apply security to.

Then, use a shortcut to open your database:

<full path to MsAccess.exe> /wrkgrp <full path to MyDatabase_users.mdw> /user "" <full path to MyDatabase.mdb>

Hope this helps,
Andy
 
brincat.mark

Hi Andy.

Thanks for your reply.

I forgot to mention that we're not using Access directly, but as a
back-end to a web-based ASP application. Therefore the shortcut is not
a valid solution.

This means that we're connecting thru a connection string.

Regards,

Mark
 
Joan Wild

Hi all.

I'm new to securing Access dBs. I'm working on a small Access 2003 dB,
which I would like to secure. I have created the MDW and joined it
from my dB. I don't have access to the dB without the proper login/
password combination.

How did you create the mdw? You *do not* want to simply copy system.mdw and
work with the copy. That won't be secure. Also you don't 'join' a mdw to a
mdb.

However, I noticed that when I rename or delete my MDW, Access simply
creates a new System<n>.MDW file (where <n> is a sequential number)
in the Documents and Settings folder (I'm working on XP). After this,
I was able to access the dB without any logins and passwords
whatsoever.

Access requires a mdw in order to work (even for unsecure database files).
Out of the box, it uses system.mdw as the default workgroup. When it can't
find the default, it will create a new system.mdw workgroup file. If you
are able to even open your mdb using this new pristine system.mdw, then you
didn't secure the mdb properly. It is tricky; you must follow all the steps
outlined in the security FAQ.
http://support.microsoft.com/?id=207793

I've also outlined the detailed steps at
www.jmwild.com/AccessSecurity.htm
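
The check described above, written for the connection-string case mentioned earlier in the thread, as an added example that is not part of the original posts: a properly secured MDB must refuse the default Admin login and open only when the custom workgroup file and one of its accounts are named. The paths, user name and password are constructed placeholders; it assumes the Jet 4.0 OLE DB provider, which is 32-bit, so run it with the 32-bit cscript.exe.

```vbscript
Option Explicit

' Constructed placeholder values: substitute your own files and account.
Const MDB_PATH = "C:\data\MyDatabase.mdb"
Const MDW_PATH = "C:\data\MyDatabase_users.mdw"
Const WG_USER = "appuser"       ' hypothetical user defined in the custom workgroup
Const WG_PASSWORD = "change-me" ' hypothetical password

' Returns True if ADO can open the MDB with the given connection string.
Function CanOpen(connStr)
    Dim conn
    Set conn = CreateObject("ADODB.Connection")
    On Error Resume Next
    conn.Open connStr
    CanOpen = (Err.Number = 0)
    If CanOpen Then
        conn.Close
    Else
        WScript.Echo "    refused: " & Err.Description
    End If
    On Error GoTo 0
End Function

Dim base, failed
base = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & MDB_PATH & ";"
failed = False

' 1. No workgroup file named: the default Admin user with a blank password,
'    which is what a freshly created system.mdw gives anyone.
WScript.Echo "Default Admin login:"
If CanOpen(base & "User ID=Admin;Password=;") Then
    WScript.Echo "    OPENED: the MDB is not secured"
    failed = True
End If

' 2. The custom workgroup file and an account defined in it.
WScript.Echo "Workgroup login:"
If CanOpen(base & "Jet OLEDB:System Database=" & MDW_PATH & _
           ";User ID=" & WG_USER & ";Password=" & WG_PASSWORD & ";") Then
    WScript.Echo "    opened as expected"
Else
    failed = True
End If

If failed Then WScript.Quit 1
```

A refusal in step 1 and a successful open in step 2 is the result to expect; the second connection string is also the form an ASP page would use.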
 
Keith Wilby

Hi all.

I'm new to securing Access dBs. I'm working on a small Access 2003 dB,
which I would like to secure. I have created the MDW and joined it
from my dB. I don't have access to the dB without the proper login/
password combination.

However, I noticed that when I rename or delete my MDW, Access simply
creates a new System<n>.MDW file (where <n> is a sequential number)
in the Documents and Settings folder (I'm working on XP).

This is how it is supposed to work. If Access can't find "system.mdw" at
startup then it will create a new pristine copy. To apply user level
security you need to take a number of steps in a certain order, one of which
is to use the Workgroup Administrator to create a custom workgroup (mdw)
file.

After this,
I was able to access the dB without any logins and passwords
whatsoever.

This would tend to indicate that you missed one or more steps in the
securing process.

This is beyond me ... if Access Workgroups are supposed to be secure,
how am I able to delete/rename the Workgroup file, Access simply
creates a blank System.MDW and I'm in so easily?

There's an example on my web site that will give you a flavour of how to
correctly secure an Access file but there's no getting away from having to
read, re-read and understand the FAQ on user-level security, link also on my
web site.

Be sure to work on dummy files until you're happy that you know what you're
doing. Having said that, I notice in your other reply that you're using
Access as a web BE - Access security IS breakable by a determined hacker
with the right tools, you might want to bear that in mind.

Regards,
Keith.
www.keithwilby.com
 
brincat.mark

Joan,

Thanks for your time first of all.

Basically I have followed the steps as outlined on http://www.jmwild.com/security02.htm.
This even more so leaves me perplexed.

I have created the Workgroup file thru the Tools ... Security ...
Workgroup Administrator ... and then set the login, group and
permissions. After this, I just closed Access and simply renamed the
MDW which was just created. Double-clicking on the dB file (in Windows
Explorer) just opened the dB without any user / password prompt
whatsoever. I noticed that at this stage, Access just created a NEW
system.mdw file in the same folder as the previous system.mdw (giving
it a number after the system ... like system1.mdw, system2.mdw,
etc ...)

After closing Access once again, I renamed the Workgroup file to its
ORIGINAL name, opened Access, joined the Workgroup, and I was once
again prompted for the login/password.

Should this be the situation or not? Are Access (2003 or other)
workgroups supposed to function this way?

Regards,

Mark
 
brincat.mark

Keith,

Thanks for your message.


Keith said:
This is how it is supposed to work. If Access can't find "system.mdw" at
startup then it will create a new pristine copy. To apply user level
security you need to take a number of steps in a certain order, one of which
is to use the Workgroup Administrator to create a custom workgroup (mdw)
file.


The "original" system.mdw WAS in the same folder. I don't know why a
new system.mdw file was created ...


Keith said:
Be sure to work on dummy files until you're happy that you know what you're
doing. Having said that, I notice in your other reply that you're using
Access as a web BE - Access security IS breakable by a determined hacker
with the right tools, you might want to bear that in mind.


The system is an intranet. Obviously, we are aware that hacks are a
possibility just the same. That's why I deleted the MDW - thinking
what a potential hacker would do - and got into the dB without any
trouble at all.

Regards,

Mark
 
Keith Wilby

Joan,

Thanks for your time first of all.

Basically I have followed the steps as outlined on
http://www.jmwild.com/security02.htm.
This even more so leaves me perplexed.

I have created the Workgroup file thru the Tools ... Security ...
Workgroup Administrator ... and then set the login, group and
permissions. After this, I just closed Access and simply renamed the
MDW which was just created. Double-clicking on the dB file (in Windows
Explorer) just opened the dB without any user / password prompt
whatsoever. I noticed that at this stage, Access just created a NEW
system.mdw file in the same folder as the previous system.mdw (giving
it a number after the system ... like system1.mdw, system2.mdw,
etc ...)

After closing Access once again, I renamed the Workgroup file to its
ORIGINAL name, opened Access, joined the Workgroup, and I was once
again prompted for the login/password.

Should this be the situation or not? Are Access (2003 or other)
workgroups supposed to function this way?

If you can open your file from explorer then you have missed one or more
steps. Access is, by default, joined to the "system.mdw" workgroup which is
why you're prompted for a password when you reinstate your modified version
of it. You need to use the Workgroup Administrator to create and join a
custom workgroup file, leaving "system.mdw" unmodified. See my other
response with respect to missed steps.

Keith.
www.keithwilby.com
 
Joan Wild

Basically I have followed the steps as outlined on
http://www.jmwild.com/security02.htm.
This even more so leaves me perplexed.

I have created the Workgroup file thru the Tools ... Security ...
Workgroup Administrator ... and then set the login, group and
permissions.

It is very important that you follow *every* step (every phrase), in the
order specified.

After this, I just closed Access and simply renamed the
MDW which was just created. Double-clicking on the dB file (in Windows
Explorer) just opened the dB without any user / password prompt
whatsoever.

Then you missed a step in securing it.
 
