How secure is a MDE?

[Guest]

I am finishing work on a database that will be split and I plan on compiling
the front-end into a MDE. If, prior to compiling, I disable all of the
special keys and the shift key, would it be possible for someone to still get
to the linked tables? I also have all of the menus and toolbars shutoff,
save one custom toolbar.

As it stands now, there is user-level security that limits who can access
the database. This is done through the fOSUserName function that I found
here. When a user logs on, their network ID is checked against the
authorized users. If they are not on the list, a record of the user is made
and the database shuts down. For more secure data, like the list of users, a
second password is required to open that form. Of course, all that is moot
if they can get to the table and make whatever changes.

Keeping in mind that no Access database is really secure, could I be
reasonably sure that your average office worker is not going to figure out
how to get behind the scenes. They won’t be able to use some combination of
keys to get to the tables, etc.

To answer the potential question: The back-end will most likely be on a SQL
server by the time this is rolled out, so I am not as concerned about the
actual tables; however, there is a chance that I will need to park the BE on
a shared server, which raises all new issues. I’ll cross that bridge when I
get to it.

Comments/questions

PJ

 

[Douglas J. Steele]

Creating an MDE doesn't stop people from getting to the data at all. All
that's required is to create an empty database and attempt to import the
tables from your MDE. (Actually, you don't even need to create an empty
database: you can do it from any ODBC-compliant client, such as Excel or
Word)

 

[Guest]

Interesting. I had not considered that.

So all one would need to do is create a new database (or use any
ODBC-compliant client), import the tables and change their security settings.
Password protecting the front-end would do no good because they already can
access it. So that begs the question, is there any way to block tables from
accessed that way?

I really wish I could say that no one would think of that. This is a group
that has never used Access before. But I imagine that once some on figures
out that a supervisor can see more than they can, the race is on.

Thanks!
PJ

 

[Tony Toews [MVP]]

So all one would need to do is create a new database (or use any
ODBC-compliant client), import the tables and change their security settings.
Password protecting the front-end would do no good because they already can
access it. So that begs the question, is there any way to block tables from
accessed that way?

You can put security on the tables on the backend.

However that is insufficient as anyone can take the backend home with
them and attempt to crack it themselves.

The only secure(ish) means of data storage is to use SQL Server (or
similar) which stores the database on a computer which is behind a
lock. SQL Server running on that computer handles all requests to
the database file and the users can't get to that database file.
(Unless your admins do something incredibly stupid like letting folks
have access to C$, the default share name of C drive.)

I really wish I could say that no one would think of that. This is a group
that has never used Access before. But I imagine that once some on figures
out that a supervisor can see more than they can, the race is on.

A few minutes searching and that's enough.

Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/

 

[NLD via AccessMonster.com]

I think that MS Access can be very secure with MDE and password protected MDB
file. It all depends on how you create your DB. The way I secure my Access
DB is split FE and BE with MDB and/or SQL. On the FE, I only include forms
with VBA codes and modules. On the BE, I only include tables and reports. I
use ADO to communicate between the FE and BE. On the BE with the MDB file, I
setup the password with 20 + characters (including special characters so it
will be very hard for anyone to crack). On the MDE file, I put ADO codes
with a password to communicate with the BE (MDB file) in a module. On the
downside, it will be lots of VBA codes and it will take lots of times to do
it.

I have not heard anybody crack a module in a MDE file (or I could be wrong).
I am wondering what do other people think?

 

[Tony Toews [MVP]]

I think that MS Access can be very secure with MDE and password protected MDB
file. It all depends on how you create your DB. The way I secure my Access
DB is split FE and BE with MDB and/or SQL. On the FE, I only include forms
with VBA codes and modules. On the BE, I only include tables and reports.

Just curious. Why not put the reports in the FE?

I use ADO to communicate between the FE and BE. On the BE with the MDB file, I
setup the password with 20 + characters (including special characters so it
will be very hard for anyone to crack).

I think here are crackers out there for Access security.

Note that I'd suggest breaking up the password and storing chunks of
the password in different non contiguous variables, that is mix them
up, so someone going through the hex in the FE MDE can't see the
phrase.

Const Part2 as string = "def'
Const Part4 as stirng = "jkl"
Const Part3 as string = "ghi"
Const Part1 as string = "abc"

I have not heard anybody crack a module in a MDE file (or I could be wrong).

MDE to MDB Conversion Service for Microsoft® Access
http://www.everythingaccess.com/mdeconversion.htm

Converting a Microsoft Access MDE file back into an MDB file. Section
2 at http://www.access.qbuilt.com/html/faq.html

Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/

 

[NLD via AccessMonster.com]

Tony,

I appreciated you pointed me to the "Everythingaccess" site. I guess the MDE
file is that secure after all. If anyone could crack a module in a MDE file,
then he/she could see a MDB's password. As far as I know, what I described
on my previous post was as secure as I can get on Access.

Just curious. Why not put the reports in the FE?

I don't put reports in the FE because it has no tables/queries there and
reports won't work with ADO, so that is why I put reports/tables/queries on
the BE.

Also, you suggest that I should break down a password into different pieces
but if they (like "EverythingAccess' people") could crack it then it won't be
that helpful. They can see all VBA codes except comments.


NLD