Security

[Guest]

I've created a database used at several sites....same structure, different
data.
Successfully?? installed user level security via the wizard and then fine
tuned using standard features from the Tools menu (I created a new Workgroup).
The wizard installs a shortcut to open the secure database....great but, I
can't open the database without using the shortcut (from the folder directory
for example) or if I move it (the database) to a different location. It would
appear that the wizard creates a secure database only usable from the
location it was created.
I tried
=Left(CurrentProject.FullName,InStrRev(CurrentProject.FullName,"\",Len(CurrentProject.FullName)))
to tell Access where the Workgroup file is located but...it didn't like it.
I need the database to be secure but transportable.

Any suggestions

 

[Baz]

Hmmm. Several things spring to mind:

1. I take it you are aware that Access security is next-to-useless? If I
had your mdw file I could get all the user names and passwords from it in
seconds, as could many other people. If real security is important to your
application then you need a server database engine such as SQL Server.

2. It's not clear to me exactly what you are trying to do with the
expression you have shown us (it looks like the control source for a
calculated control) but it suggests that you are expecting the mdw file to
be in the same folder as the mdb file.

3. I assume that this is a multi-user application (otherwise why bother
trying to secure it?). I take it, then, that you have split the application
into a front-end and a back-end, and that each user gets her/his own copy of
the front-end? If not, then you need to address this as a matter of
urgency. Once this is the case, then all users should access just one mdw
file from a central location. The path to that central file should be
specified in a shortcut using the /wrkgrp option.

 

[Guest]

Thanks Baz,

1. Nope....thought user level was as good as it gets...for Access anyway.

2. I tried the expression on the assumption that the wizard was Access
generated and that it would recognise a control expression....wrong again.
The wizard allows the setup of the mdw file specific to a database...and
prompts for the location (hence the expression).

3. Multi user in as much that multiple sites use the database (structure)
for input of specific site related data. It is not multi-user in the sense
that it is used and accessed from a specific location by multiple users. The
need to secure the database is on the basis that it is desirable to prevent
users from tampering.

 

[Baz]

Thanks Baz,

1. Nope....thought user level was as good as it gets...for Access anyway.

LOL, I guess that is true! Unfortunately "as good as it gets" is not very
good!

2. I tried the expression on the assumption that the wizard was Access
generated and that it would recognise a control expression....wrong again.
The wizard allows the setup of the mdw file specific to a database...and
prompts for the location (hence the expression).

3. Multi user in as much that multiple sites use the database (structure)
for input of specific site related data. It is not multi-user in the sense
that it is used and accessed from a specific location by multiple users. The
need to secure the database is on the basis that it is desirable to prevent
users from tampering.

That's fair enough, it will deter tampering by casual users, but will not
stop anyone who is determined to get in. Depending on the version you may
also need to set a VBA password to protect the code modules.

IIRC, if you create a shortcut to launch the database, and you use the
wrkgrp option to specify the Workgroup file, if you only specify the file
name and not the full path it will look in the same folder as the mdb file.
My memory might be faulty on that, but it should be easy enough to test.

 

[Joseph Meehan]

Thanks Baz,

1. Nope....thought user level was as good as it gets...for Access
anyway.

Well maybe not as good as it gets, but while Baz may be able to easily
break it, very very few if any users are likely to be able to break it. How
many are going to have more knowledge of it than you do?

It is a good system for protecting most data, but it is far from
perfect.

I suggest you start by reading
http://support.microsoft.com/default.aspx?scid=kb;[LN];207793

Access security is a great feature, but it is, by nature a complex product
with a very steep learning curve. Properly used it offers very safe
versatile protection and control. However a simple mistake can easily lock
you out of your database, which might require the paid services of a
professional to help you get back in.

Practice on some copies to make sure you know what you are doing.

Access 2007 as it is doesn't support user-level security.

 

[Baz]

I'm sorry Joseph but that's very misleading. No great expertise is required
to crack Access security, simple tools to extract all the user names and
passwords from an MDW file are freely or cheaply available.

Thanks Baz,

1. Nope....thought user level was as good as it gets...for Access
anyway.

Well maybe not as good as it gets, but while Baz may be able to easily
break it, very very few if any users are likely to be able to break it. How
many are going to have more knowledge of it than you do?

It is a good system for protecting most data, but it is far from
perfect.

I suggest you start by reading
http://support.microsoft.com/default.aspx?scid=kb;[LN];207793

Access security is a great feature, but it is, by nature a complex product
with a very steep learning curve. Properly used it offers very safe
versatile protection and control. However a simple mistake can easily lock
you out of your database, which might require the paid services of a
professional to help you get back in.

Practice on some copies to make sure you know what you are doing.

Access 2007 as it is doesn't support user-level security.

 

[Guest]

Baz, Joseph

My apologies to both....it was not my intent to create a point of issue or
dissent but....you may now understand how confusing it can be for a novice.

In simple terms...I'm after a solution that allows me to transport the
database from location to location (no network, like or similar
involved)...that affords a reasonable level of security that protects against
tampering (including for example 'Get External Data').
I've done the right things and used code to set bypass key, startup and
options when the database is loaded and...reversed on exit but....it doesn't
seem enough. I figure if I can think of ways in then so can someone else.

I accept Baz's comments that user level may not be the best option but...I
also accept Joseph's comments that maybe you need to have more experience
than the novice or end user.

I have no problems using the user level security options but....I need it to
be transportable....in simple terms, if I make a copy of the database from my
home PC and forward it to you with a password...will you be able to open and
use the database to your permission level???

I'm sorry Joseph but that's very misleading. No great expertise is required
to crack Access security, simple tools to extract all the user names and
passwords from an MDW file are freely or cheaply available.

Thanks Baz,

1. Nope....thought user level was as good as it gets...for Access
anyway.

Well maybe not as good as it gets, but while Baz may be able to easily
break it, very very few if any users are likely to be able to break it. How
many are going to have more knowledge of it than you do?

It is a good system for protecting most data, but it is far from
perfect.

I suggest you start by reading
http://support.microsoft.com/default.aspx?scid=kb;[LN];207793

Access security is a great feature, but it is, by nature a complex product
with a very steep learning curve. Properly used it offers very safe
versatile protection and control. However a simple mistake can easily lock
you out of your database, which might require the paid services of a
professional to help you get back in.

Practice on some copies to make sure you know what you are doing.

Access 2007 as it is doesn't support user-level security.

 

[Joseph Meehan]

Baz, Joseph

My apologies to both....it was not my intent to create a point of
issue or dissent but....you may now understand how confusing it can
be for a novice.

No apology called for. As you have noted, Baz and I don't really
disagree about Access security, we just view it differently based on our
personal experiences. I guess taken together, as you have done, we have
provided a better rounded answer for you than either of us might have alone.

In simple terms...I'm after a solution that allows me to transport the
database from location to location (no network, like or similar
involved)...that affords a reasonable level of security that protects
against tampering (including for example 'Get External Data').
I've done the right things and used code to set bypass key, startup
and options when the database is loaded and...reversed on exit
but....it doesn't seem enough. I figure if I can think of ways in
then so can someone else.

I accept Baz's comments that user level may not be the best option
but...I also accept Joseph's comments that maybe you need to have
more experience than the novice or end user.

I have no problems using the user level security options but....I
need it to be transportable....in simple terms, if I make a copy of
the database from my home PC and forward it to you with a
password...will you be able to open and use the database to your
permission level???

Access does have a very simple password feature. That might fit your
needs. However, like life, it has some of its own weaknesses.

 

[Baz]

I agree, no real dissent, just different viewpoints.

 

[Larry Linson]

I accept Baz's comments that user level may
not be the best option but...I also accept
Joseph's comments that maybe you need to
have more experience than the novice or end user.

No, you really don't need more experience than the novice or end user, just
$150 or so and an Internet search engine to license the "best of the best"
quality security cracking software (oops, pardon me, they prefer to call it
"password recovery" software).

Sergei Gavrilov has, I believe, ceased to create software in this genre, but
when he did, he posted for free on his site software for breaking Access 97
security as _proof_ that it could be done. IIRC, you do not even need the
..MDW, just the .MDB, from which he would extract the owner id and necessary
code which allowed re-creation of an .MDW. But there are others who are
still in that business.

The concensus is as Baz and Joseph have described. Serious security for your
data with Access is had by using a server database as the back-end datastore
and relying on the server database's security. I've never felt the need to
go overboard in protecting the Access application itself, because a
competent, experienced Access developer can usually re-create the
application, rapidly, after observing it in operation, without a great deal
of investment of time and effort.

Larry Linson
Microsoft Access MVP

 

[Baz]

Hi Larry,

I know of at least one tool which can be had for $20, although it's not as
sophisticated as the one you describe, it only extracts user names/passwords
from the MDW (or MDA) file.

 

[Joan Wild]

Hi Larry,

I know of at least one tool which can be had for $20, although it's not as
sophisticated as the one you describe, it only extracts user names/passwords
from the MDW (or MDA) file.

And if you don't have the MDW (note that you might have a production MDW, but you need the MDW used to secure it with, which could be different), then you'll need to spend more, as Larry said. Then again the person using the $20 tool might think they've succeeded, when all they really got was a bunch of usernames/passwords and their privileges.

 

[Baz]

Actually I've since found the website of the chap that Larry mentioned and
he's giving away user name/password extraction tools (which I tried, they
work on Access 2003) so you don't even need to spend $20.

He's also giving away a tool which he says wipes out all the user-level
security in an MDB (MDW apparently not needed), but I haven't tried that
one.


And if you don't have the MDW (note that you might have a production MDW,
but you need the MDW used to secure it with, which could be different), then
you'll need to spend more, as Larry said. Then again the person using the
$20 tool might think they've succeeded, when all they really got was a bunch
of usernames/passwords and their privileges.

 

[Guest]

Allan,
I have an Access 97 database which I have been asked to convert to at
least Access 2003. The 97 version was setup with a startup script, modules
to disable/enable 'Shift' keys, modified menus and user controls (minimize,
close, etc). I have been able to convert the database to 2003 and modify the
menu, but the user controls are giving me grief. The user can close the form
and get to the underlying tables, queries, etc. I haven't been able to find
any security documentation for 2003 (plenty for 97 and 2000). Any help?
--
Regards,

Mike D

Baz, Joseph

My apologies to both....it was not my intent to create a point of issue or
dissent but....you may now understand how confusing it can be for a novice.

In simple terms...I'm after a solution that allows me to transport the
database from location to location (no network, like or similar
involved)...that affords a reasonable level of security that protects against
tampering (including for example 'Get External Data').
I've done the right things and used code to set bypass key, startup and
options when the database is loaded and...reversed on exit but....it doesn't
seem enough. I figure if I can think of ways in then so can someone else.

I accept Baz's comments that user level may not be the best option but...I
also accept Joseph's comments that maybe you need to have more experience
than the novice or end user.

I have no problems using the user level security options but....I need it to
be transportable....in simple terms, if I make a copy of the database from my
home PC and forward it to you with a password...will you be able to open and
use the database to your permission level???

I'm sorry Joseph but that's very misleading. No great expertise is required
to crack Access security, simple tools to extract all the user names and
passwords from an MDW file are freely or cheaply available.

Allan H wrote:
Thanks Baz,

1. Nope....thought user level was as good as it gets...for Access
anyway.


Well maybe not as good as it gets, but while Baz may be able to easily
break it, very very few if any users are likely to be able to break it. How
many are going to have more knowledge of it than you do?

It is a good system for protecting most data, but it is far from
perfect.

I suggest you start by reading
http://support.microsoft.com/default.aspx?scid=kb;[LN];207793

Access security is a great feature, but it is, by nature a complex product
with a very steep learning curve. Properly used it offers very safe
versatile protection and control. However a simple mistake can easily lock
you out of your database, which might require the paid services of a
professional to help you get back in.

Practice on some copies to make sure you know what you are doing.

Access 2007 as it is doesn't support user-level security.

 

[Guest]

I have created a data base that is used in several locations by 100+ people.
My interest wasn't to secure the data but to secure the layout of the data
base. I built an operator interface with buttons to take them to all the
necessary forms and reports, set everything as pop ups and start the data
base directely into the operator interface pop up. I have even given them
input forms so they can modify thier report headers. I used a hidden spot on
one of the forms when clicked on to open a pop up that I input the correct
password, this allows me into the data base to modify or correct over
sights.This approach has worked extremely well with one draw back, everthing
is maximized so it is the only program available when it is open. I'm looking
to program a button on the operator interface to minimize the entire Access
program and allow it to be restored when needed. This will solve having to
close the data base every time they need to look at something else on thier
computers. Any thoughts on my approach or maybe solutions?

wantabe
programmer!

Allan,
I have an Access 97 database which I have been asked to convert to at
least Access 2003. The 97 version was setup with a startup script, modules
to disable/enable 'Shift' keys, modified menus and user controls (minimize,
close, etc). I have been able to convert the database to 2003 and modify the
menu, but the user controls are giving me grief. The user can close the form
and get to the underlying tables, queries, etc. I haven't been able to find
any security documentation for 2003 (plenty for 97 and 2000). Any help?
--
Regards,

Mike D

Baz, Joseph

My apologies to both....it was not my intent to create a point of issue or
dissent but....you may now understand how confusing it can be for a novice.

In simple terms...I'm after a solution that allows me to transport the
database from location to location (no network, like or similar
involved)...that affords a reasonable level of security that protects against
tampering (including for example 'Get External Data').
I've done the right things and used code to set bypass key, startup and
options when the database is loaded and...reversed on exit but....it doesn't
seem enough. I figure if I can think of ways in then so can someone else.

I accept Baz's comments that user level may not be the best option but...I
also accept Joseph's comments that maybe you need to have more experience
than the novice or end user.

I have no problems using the user level security options but....I need it to
be transportable....in simple terms, if I make a copy of the database from my
home PC and forward it to you with a password...will you be able to open and
use the database to your permission level???

I'm sorry Joseph but that's very misleading. No great expertise is required
to crack Access security, simple tools to extract all the user names and
passwords from an MDW file are freely or cheaply available.

Allan H wrote:
Thanks Baz,

1. Nope....thought user level was as good as it gets...for Access
anyway.


Well maybe not as good as it gets, but while Baz may be able to easily
break it, very very few if any users are likely to be able to break it.
How
many are going to have more knowledge of it than you do?

It is a good system for protecting most data, but it is far from
perfect.

I suggest you start by reading
http://support.microsoft.com/default.aspx?scid=kb;[LN];207793

Access security is a great feature, but it is, by nature a complex
product
with a very steep learning curve. Properly used it offers very safe
versatile protection and control. However a simple mistake can easily
lock
you out of your database, which might require the paid services of a
professional to help you get back in.

Practice on some copies to make sure you know what you are doing.

Access 2007 as it is doesn't support user-level security.