User able to bypass security

Guest

Hi, Does the WIF I'm currently joined to matter when creating a new WIF?

I'm in the process of studying/testing the security features in Access
(using 2003). Myself and two colleagues share a network drive for our
department. I opened my (test)database, set-up the Workgroup Info File with
the user Admin out of the Admins group and only myself in the Admins group
and gave no permissions whatsoever to the User group. Once completed, the
only way that I could access my mdb was to enter my name and password. So
far so good. Then I went to my colleague's pc, and assumed that she would NOT
be able to open the mdb since she was not set up as a user... WRONG... she
was able to open the database and had full permissions, as if I had not
set-up any security at all. I went to another PC, had her sign on as
herself, and on this PC, the security worked. I tried different things (e.g.
adding her as a user and giving her a password, etc...) but nothing worked.
Then I realized that the mdw file I was joined to was somehow no longer the
default mdw but rather the path was through c:\document and setting\etc.....
I rejoined the default WIF c:\Program Files\etc.... deleted my test mdb and
test mdw and recreated the test mdb and recreated a WIF with the same
permission as before... Tried it on her PC... Now it works. ????
How can this be? I thought that permissions were stored in the mdb. If so,
it shouldn't have mattered what WIF I was joined to when I created the new
one or which PC she was on, as long as my permissions were set-up properly,
shouldn't it?
 
Guest

All users, groups, and ID's are stored in the workgroup database.

You can remove admin from the Admins group in one workgroup
database. Some other workgroup database (all other workgroup
databases) will still have an admin user, and Admins group, and the
admins user in the Admins group.

All permissions are stored in your application and data databases.
And some Admins and Owner permissions can't even be removed.

To secure a database, you must create a new Workgroup database,
which will have a new Admins group, so that the default Admins group
does not have the Admins permissions.

And you must create a new application database, so that the admin
user does not have Owner permissions.

After you have done this, you won't be able to go to a different PC
or use a different workgroup, because the admin user and the Admins
group (stored in the workgroup database) won't match any of the
permissions (all stored in the application database)

(david)
 
Guest

Thank you David!
It had not even occurred to me that the "Admin user would still be in the
default Admins group" in all other Workgroup files!! Something so simple,
one would think that Microsoft would put this TIP in their security's help
section. My next step, create a new "Admins" group!
 
Joan Wild

It isn't necessary to create a new Admins Group. The Admins Group is not
the same in every mdw, however the Admin User and the Users Group are.

There's no harm in creating a new Admins Group, it just isn't necessary.
 
Guest

Isn't the Admin User always in the Admins group in the default Workgroup
File? If so, even if I take the Admin user out of the Admins group, users
would always bypass the security if they double click on the database,
therefore using their default WIF, since Access would see them as the Admin
user, wouldn't they?
Do you have a suggestion as to why my initial problem might have happened?
Thanks
 
Joan Wild

The Admin User is always in the Admins Group in the default system.mdw, yes.

Access will see them as the Admin user, however the Admins Group in *your*
secure mdw is not the same as the Admins Group in the system.mdw. So
although Admin is a member of the Admins Group, it's the wrong Admins
Group.

All of this assumes you implemented security properly i.e. you created a new
workgroup file, and didn't just copy system.mdw.
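
The behaviour described in the replies above, as an added example that is not part of the original thread: a simplified Python model in which the workgroup file holds accounts and the database holds only owner and permission SIDs. The SHA-256 SID derivation, the class names and all sample names, PIDs and WIDs are assumptions made for illustration, not the real Jet algorithm or values.

```python
import hashlib

# Simplified model of the split described in this thread (not real Jet code).
# Assumption: the Admin user and Users group SIDs are the same in every mdw.
ADMIN_SID, USERS_SID = "SID-ADMIN-USER", "SID-USERS-GROUP"

def sid(*parts):
    # Stand-in derivation; the real algorithm is not shown on this page.
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:12]

class Workgroup:
    """Stands in for an .mdw: accounts and group memberships only."""
    def __init__(self, name, org, wid):
        self.admins_sid = sid("Admins", name, org, wid)  # differs per workgroup ID
        self.users = {"Admin": ADMIN_SID}
        self.members = {"Admin": {self.admins_sid, USERS_SID}}

    def add_user(self, user, pid, in_admins=False):
        self.users[user] = sid(user, pid)
        self.members[user] = {USERS_SID}
        if in_admins:
            self.members[user].add(self.admins_sid)

    def token(self, user):
        """Every SID a logged-on user presents to the database."""
        return {self.users[user]} | self.members[user]

class Database:
    """Stands in for an .mdb: owner SID and SIDs with permissions only."""
    def __init__(self, owner_sid, granted_sids):
        self.owner_sid, self.granted = owner_sid, set(granted_sids)

    def can_open(self, token):
        return self.owner_sid in token or bool(self.granted & token)

def scenario():
    default = Workgroup("constructed-name", "constructed-org", "constructed-default-WID")
    secure = Workgroup("constructed-name", "constructed-org", "constructed-secure-WID")
    secure.add_user("Owner1", "constructed-PID", in_admins=True)
    secure.members["Admin"].discard(secure.admins_sid)  # Admin out of Admins
    visitor = default.token("Admin")  # someone joined to the default workgroup
    # mdb created while logged on as Admin: the owner SID is the universal one
    weak = Database(ADMIN_SID, {secure.admins_sid})
    # mdb created while logged on as Owner1, nothing granted to Users
    strong = Database(secure.users["Owner1"], {secure.admins_sid})
    return (weak.can_open(visitor),
            strong.can_open(visitor),
            strong.can_open(secure.token("Owner1")),
            strong.can_open(secure.token("Admin")))
```

`scenario()` returns whether each logon can open each database: the default-workgroup Admin gets into the Admin-owned database but not the one owned by `Owner1`, whose own logon still works.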
 
Guest

I think this might be subject to misunderstanding. I would say that

It is necessary to create a new Admins Group - by creating a new
workgroup.

When you create a new workgroup, you get a new Admins Group.
It is not necessary (or possible) to create a new Admins Group by
any other method.

It used to be common that all of the Admins Groups (all of the Workgroups)
on all of the PC's in a company were the same, and all of the Admins
Groups (all of the Workgroups) in other companies were different.
This happened because of the way a new workgroup was created
when Office was installed, using the company name to generate the
new workgroup.

I do not know if that is still true. Are all Admins Groups in the default
installation of Office 2003 identical? Are all Admins Groups in the
default installation of Office 2003 different? Do you only get identical
workgroups if you have a cloned (enterprise) installation of Office?

(david)
 
Joan Wild

That is something I hadn't considered, since I always create a new workgroup
file using the workgroup administrator, which always results in a different
Admins Group.

I don't understand why you think that all the Admins Groups within a company
are the same. If the user followed the steps and created a new workgroup,
then even within a company, the Admins Group would be different.

The Admins Group is the same in all system.mdw files.
 
Guest

In 97 (? or 2.0?), the workgroup was created when you installed
office - not copied from the disks. The installation used the
company name as the security installation string, so every
install that we did in our company had the same Admins group.

Since most office installations were done by the same person,
it was common to find that all the PC's in any given office had
the same Admins group.

I don't know how the installation copy of system.mdw is generated
now. Is it just copied from the DVD? In our office, all of the copies
of system.mdw are identical, but all of the PC's were cloned from
one system.

In this thread, we started with a question about users using the
default system.mdw instead of the secured workgroup. I think
that it used to be true that if you went into an average company,
you would find that all copies of system.mdw were identical. Is
that still the case? Or are they all different except when the PC's
are cloned? Or are they identical everywhere?

(david)
 
Joan Wild

That was never my understanding, David. I believe that they are identical
everywhere.
 
david epsom dot com dot au

:~) I never thought about it, until I tested on another
PC where the company was ----- pty ltd, instead of just
-----.

Mostly, we work with a security workgroup, instead of
using the default workgroup, and when we work with the
default workgroup, we work with Admin and Admin as owner,
so we never see that in fact the system.mdw Admins group
is/was different on each PC, even if we distribute to
another PC, which we don't do...

Like I say, I'm working with a cloned PC now, and now
that Office is delivered on a DVD instead of floppies,
perhaps the system is different.

I think it used to be the case that one of the reasons
you created your own workgroup was /because it was
easy for another person to re-create your default system
workgroup file using freely available information/ i.e.
using your company name.

(david)
 
Joan Wild

I seem to remember Michael Kaplan explaining that the system.mdw does not
use your company name. The WID/organization are hard-coded - that's why
they're all the same.
 
