How to protect data within MS Access?

[Mike]

Hi,

If protect MS Access with password it doesn't mean to much. On
internet, we can find plenty tools for opening forgotten passwords
etc.

I have a small c# aplication wit large amount of data and I can not
begin with selling process with protection like that.

What I should do, is there some example of encryption data within db
or what.

How I can do that on different way, I can buy some component, or I can
use some another db, but I am not sure what exactly. I have win
application and I have to provide automatic setup...

Is there some solution of problem and how I can protect my data???
or
How I can give MS Access data someone to use it, but without
possibilties to steal data.

Thanks in advance.

Mike

 

[Mr. Arnold]

Hi,

If protect MS Access with password it doesn't mean to much. On
internet, we can find plenty tools for opening forgotten passwords
etc.

I have a small c# aplication wit large amount of data and I can not
begin with selling process with protection like that.

What I should do, is there some example of encryption data within db
or what.

How I can do that on different way, I can buy some component, or I can
use some another db, but I am not sure what exactly. I have win
application and I have to provide automatic setup...

Is there some solution of problem and how I can protect my data???
or
How I can give MS Access data someone to use it, but without
possibilties to steal data.

Are you are aware of SQL Server 2005 Express? It will be a more secure
solution than Access will be, which you can use SQL Server Security features
to protect data. It's free to download, use and distribute in your .Net
solutions.

http://msdn.microsoft.com/vstudio/express/sql/

 

[Marc Gravell]

Hard. Even with more sophisticated dbs (such as SQL-Server express
edition or firebird) I suspect you will find that with direct access
to the files you can use administrative tools to reset the user
accounts. Equally, your client still needs access to the data (whether
that is a db account and/or encryption), and with direct access to the
client somebody with savvy could extract either.

If you only provide SQL access (on a secure box - i.e. one they don't
manage) to the data, or (for instance) a web-service, then it is
several orders of magnitude harder to get at data (since they can't
have administrative or direct access to something that it outside of
their control).

Just my thoughts... also: perhaps posting to a dba-type group might
yield more info?

Marc

 

[Mark Rae [MVP]]

If protect MS Access with password it doesn't mean to much. On
internet, we can find plenty tools for opening forgotten passwords
etc.

I'm guessing that you don't actually mean Microsoft Access, but are talking
about a Jet (.mdb) database...

What I should do, is there some example of encryption data within db
or what.

There is no way to secure a Jet database, as there are any number of tools
available which will remove any security, including database password,
workgroup and encryption. These will make the database harder to open for
average users, but a professional will get in in seconds...

How I can do that on different way, I can buy some component, or I can
use some another db, but I am not sure what exactly. I have win
application and I have to provide automatic setup...

How much data are we talking about?

Will the user be expected to update existing records / insert new
records...?

 

[Mike]

we are talking about .mdb with two tables, the first one is approx
250.000 to max 300.000 rows with 3 columns and second one is approx
100 rows.

We are not expecting from user to update existing record, ony reading,
searching (standard search based on column result (WHERE) and
incremental search)

 

[Mark Rae [MVP]]

Top-posting corrected...

we are talking about .mdb with two tables, the first one is approx
250.000 to max 300.000 rows with 3 columns and second one is approx
100 rows.

We are not expecting from user to update existing record, ony reading,
searching (standard search based on column result (WHERE) and
incremental search)

OK, well you're not going to be able to get away from the fact that if the
database (no matter what type) has to be installed on the user's machine
there will be nothing that you can do to prevent it from being hacked... You
can make it harder by encryption, security etc but you'll never secure it
100%.

Even if you were to embed the data within the application itself (I'm not
seriously suggestion you do that, by the way!) and use an obfuscation tool,
it will still not be 100% secure.

If this really is so important to you (for whatever reason), then a WinForms
app is the wrong solution...

 

[Mike]

I'm not looking for 100% protection, I am not naive, but how we can
talking about protection if everybody can take mdb file and open it
very easy without ant computer skills.

If I protect my data with copyrights it doesnt mean that data are
protected because I am living in the country with high percent of
piracy software without real legal protection against hackers.

Anyway, I am looking on this like tehnical issue...

Please give me one more advice...
How I can embed the data within application? Is there some example?

(I understand that is not your recomendation, but I am desperate. I
had worked on these data two years if I release that on the market
without protection next day will become a public)

Thanks

 

[Mark Rae [MVP]]

I'm not looking for 100% protection, I am not naive, but how we can
talking about protection if everybody can take mdb file and open it
very easy without ant computer skills.

Like I said, you can't...

If I protect my data with copyrights it doesnt mean that data are
protected because I am living in the country with high percent of
piracy software without real legal protection against hackers.
OK.

How I can embed the data within application?

Create two datatables and populate them manually.

(I understand that is not your recomendation, but I am desperate. I
had worked on these data two years if I release that on the market
without protection next day will become a public)

Then all I can say is don't do it...

 

[Marc Gravell]

Then all I can say is don't do it...

Or better still - rather than querying the data at the client, come up
with an API that lets you process queries at a central server (under
your direct control only). Your data is private to you, and you can
enforce licensing by denying access to the server without a key. I'm
thinking along the lines of MapPoint Web Service or any of the similar
things. Heck, throw in some terms like "SOA", "lightweight client",
"centrally managed", etc and you can call it an enhancement ;-p

A big architectural change, and it involves some server hardware (and
probably clustering, a fat pipe and a good firewall), but this is the
*only* way to keep control of your data.

Marc

 

[Mike]

Thanks to all

Mike

Or better still - rather than querying the data at the client, come up
with an API that lets you process queries at a central server (under
your direct control only). Your data is private to you, and you can
enforce licensing by denying access to the server without a key. I'm
thinking along the lines of MapPoint Web Service or any of the similar
things. Heck, throw in some terms like "SOA", "lightweight client",
"centrally managed", etc and you can call it an enhancement ;-p

A big architectural change, and it involves some server hardware (and
probably clustering, a fat pipe and a good firewall), but this is the
*only* way to keep control of your data.

Marc